Trying to make the auth_radius module work, I ran into a peculiar issue.
For example if our UA were to try to register to server "sip.mydomain.com"
...and our ser.cfg had:

    if (!radius_www_authorize("mydomain.com")) {
        www_challenge("mydomain.com", "1");
    }

...then the authentication is not even fired off to the radius. SER Debugs indicate the radius message is not even constructed.
If on the other hand our ser.cfg has:

    if (!radius_www_authorize("")) {
        www_challenge("", "1");
    }

then the authentication is now fired off to the radius server but the REALM is sip.mydomain.com.
Why can't one make this work as it does with mysql authentication where the www_authorize does not need the host part? We need REALM to be simply the domain part.
The auth_radius readme even says that the realm is **usually** just the domain of the host. Does this mean something is broken here?

-------------from readme----------------
* realm - Realm is a opaque string that the user agent should present to the user so he can decide what username and password to use. Usually this is domain of the host the server is running on.

Example 1-3. radius_www_authorize usage

    ...
    if (!radius_www_authorize("iptel.org")) {
        www_challenge("iptel.org", "1");
    };

Hi Andres,
Maybe the realm you specify in script doesn't match the realm used by the client in credentials. If you are running in debug mode (debug>=6) try to sniff after logs like "pre_auth(): Credentials with given realm not found"
Anyhow, you could use no domain in the script, but set the "realm_prefix" of the "auth" module to "sip."
Best regards, Marian
Marian Dumitru wrote:
Hi Andres,
Maybe the realm you specify in script doesn't match the realm used by the client in credentials. If you are running in debug mode (debug>=6) try to sniff after logs like
It has always been like this with our SER servers. Client registers to "sip.mydomain.com", but in ser.cfg we have www_authorize("mydomain.com"). It has never posed a problem with MySQL, but it does not work with a Radius Config. For example on the Sipura devices there is a parameter called PROXY which we fill out with "sip.mydomain.com". I don't see how that PROXY parameter could be filled with just "mydomain.com", unless we were using SRV records.
"pre_auth(): Credentials with given realm not found"
Anyhow, you could use no domain in the script, but set the "realm_prefix" of the "auth" module to "sip."
I am not aware of the realm_prefix parameter. Where can I find a usage description of it? The auth module readme has nothing on it. Thanks,
Best regards, Marian
Andres wrote:
Marian Dumitru wrote:
Hi Andres,
Maybe the realm you specify in script doesn't match the realm used by the client in credentials. If you are running in debug mode (debug>=6) try to sniff after logs like
It has always been like this with our SER servers. Client registers to "sip.mydomain.com", but in ser.cfg we have www_authorize("mydomain.com"). It has never posed a problem with MySQL, but it does not work with a Radius Config. For example on the Sipura devices there is a parameter called PROXY which we fill out with "sip.mydomain.com". I don't see how that PROXY parameter could be filled with just "mydomain.com", unless we were using SRV records.
I'm not sure about the meaning of the SIPURA configuration parameters. What's important for authentication are the username, domain and password. Now, if you specify in the script an authentication domain, it should be the same as the one configured in the client devices. Just to double-check, look on the network in the authentication reply, what realm attribute the client used.
"pre_auth(): Credentials with given realm not found"
Anyhow, you could use no domain in the script, but set the "realm_prefix" of the "auth" module to "sip."
I am not aware of the realm_prefix parameter. Where can I find a usage description of it? The auth module readme has nothing on it.
The "realm_prefix" parameter exists in 0.8.14, 0.9.0 and CVS head, but for all versions, the module documentation is outdated. In short, you can define this realm prefix to be ignored (stripped) when the authentication is performed.
Best regards, Marian
I'm not sure about the meaning of the SIPURA configuration parameters. What's important for authentication are the username, domain and password. Now, if you specify in the script an authentication domain, it should be the same as the one configured in the client devices. Just to double-check, look on the network in the authentication reply, what realm attribute the client used.
The Authentication Reply **always** has the realm that SER tells the UA. The UA does not have a realm/domain config (this is true for all Cisco ATAs, Linksys, and Sipura devices we use). The UA only has: username, password, and proxy. SER extracts the "host.domain" from the proxy part and sends back the challenge with that as realm. What we want is to be able to tell SER to send back whatever realm we want, i.e. mydomain.com, NOT sip.mydomain.com.
I tried setting the realm_prefix parameter like you suggested but still get in the DEBUGs:

    authorize(): Credentials realm and URI host do not match

...and the Radius is never queried.

So I went straight to authorize.c and took out:

    /*
    if (puri.host.len != cred->digest.realm.len) {
        DBG("authorize(): Credentials realm and URI host do not match\n");
        return -1;
    }
    if (strncasecmp(puri.host.s, cred->digest.realm.s, puri.host.len) != 0) {
        DBG("authorize(): Credentials realm and URI host do not match\n");
        return -1;
    }
    */

Now it's all working fine.
Thanks Marian.
Hi Andres,
It's good it works now, but the fact that you had to strip out the verification that the credential domain is the same as the To/From one means there is something strange in your SIPURA configuration.
Probably the SIPURA uses sip.domain.com as account domain (used in From and To) and domain.com domain for authentication.
Best regards, Marian
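As an added example (not code from SER or from either poster): the realm/host comparison quoted in the thread can be kept, rather than deleted, if it ignores a configured prefix such as "sip." on both sides, which is the behaviour described above for realm_prefix. The names `cstr`, `mk`, `strip_prefix` and `realm_matches_host` are hypothetical, and the inputs in `main` are constructed from the hostnames used in the thread.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Counted string, modelled on the (s, len) pairs in the quoted fragment.
 * Hypothetical type for this example, not SER's own definition. */
typedef struct { const char *s; size_t len; } cstr;

static cstr mk(const char *z) { cstr c = { z, strlen(z) }; return c; }

/* Drop `prefix` from the front of `v` when it is present and a non-empty
 * remainder is left; otherwise return `v` unchanged. */
static cstr strip_prefix(cstr v, cstr prefix)
{
    if (prefix.len > 0 && v.len > prefix.len &&
        strncasecmp(v.s, prefix.s, prefix.len) == 0) {
        v.s += prefix.len;
        v.len -= prefix.len;
    }
    return v;
}

/* 1 if host and realm are equal once the prefix is ignored on both sides,
 * 0 otherwise. Lengths are compared first so that a realm which is only a
 * leading substring of the host (or the reverse) is rejected. */
int realm_matches_host(cstr host, cstr realm, cstr prefix)
{
    cstr h = strip_prefix(host, prefix);
    cstr r = strip_prefix(realm, prefix);
    if (h.len != r.len)
        return 0;
    return strncasecmp(h.s, r.s, h.len) == 0;
}

int main(void)
{
    /* Constructed inputs using the hostnames from the thread. */
    cstr p = mk("sip.");
    printf("%d\n", realm_matches_host(mk("sip.mydomain.com"), mk("mydomain.com"), p));
    printf("%d\n", realm_matches_host(mk("sip.mydomain.com"), mk("other.com"), p));
    printf("%d\n", realm_matches_host(mk("sip.mydomain.com"), mk("mydomain.com"), mk("")));
    return 0;
}
```

With the prefix set, credentials for "mydomain.com" are accepted for a request to "sip.mydomain.com", while a realm for an unrelated domain is still rejected; with an empty prefix the comparison falls back to the strict match.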