[Serusers] Setting up radius with ser

jaime at umtstrial.co.uk jaime at umtstrial.co.uk
Mon Aug 4 15:03:40 CEST 2003


Madan,

These are some instructions. I am copying the list so that they can be of use
to more people:

1. You need to download and install radiusclient from
http://www.mcs.de/~lf/radius/.

2. Compile ser and modules (make sure to compile auth_radius module too).

3. Download the latest version of freeradius (0.9.0). The previous one,
0.8.1, crashed when performing digest authentication. You can find it at:
http://www.freeradius.org/

4. Don't confuse the radius client side with the radius server side.
SER only uses the client side (radiusclient) to build radius requests.
Therefore, the line

modparam("auth_radius", "radius_config","/usr/local/etc/raddb/clients.conf")

is incorrect and should be something like this (depending on where you
installed radiusclient):

modparam("auth_radius", "radius_config",
"/usr/local/etc/radiusclient/radiusclient.conf")

5. Authenticate users from all realms:

Instead of...

if (radius_www_authorize("mydomain", "subscriber")) {
www_challenge("mydomain", "0");
break;
};

do not specify the domain name:


        if (method=="REGISTER") {

                log(1, "REGISTER: Authenticating user\n");

                if (!radius_www_authorize("")) {
                        log(1, "REGISTER: challenging user\n");
                        www_challenge("", "0");
                        break;
                };
                save("location");
                break;
        };

6. With these changes, you should see RADIUS messages being sent to
your radius server. You then only need to have something like this in your
"users" file (radius server):

jaime   Auth-Type := Digest, User-Password = "jaime"
        Reply-Message = "Hello!"

The server will have to be configured to know what "Digest" authentication
is. Read the rlm_digest docs to find out how to do it.

In your config, you have 2 if (method==REGISTER) blocks. I think you should
avoid the 2nd and merge the 2 conditions somehow, since the 2nd
if (method==REGISTER) never gets called?

7. For accounting, compile acc module with radius support. For that,
uncomment one of the lines in the Makefile.

8. You will probably need to change some "#includes" in
<ser_directory>/sip_router/modules/acc/dict.h, to be the same as
<ser_directory>/sip_router/etc/radiusclient.h.

9. In the SER config file, set accounting flags for INVITE and BYE/CANCEL, and
you should be able to see logs generated in your radius server.


This is my ser config file:


# ----------- global configuration parameters ------------------------

debug=3         # debug level (cmd line: -dddddddddd)
fork=no
log_stderror=yes        # (cmd line: -E)

/* Uncomment these lines to enter debugging mode
debug=7
fork=no
log_stderror=yes
*/

check_via=no    # (cmd. line: -v)
dns=no           # (cmd. line: -r)
rev_dns=no      # (cmd. line: -R)
port=5060
children=4
fifo="/tmp/ser_fifo"

# ------------------ module loading ----------------------------------

# Uncomment this if you want to use SQL database
loadmodule "./modules/mysql/mysql.so"

loadmodule "./modules/sl/sl.so"
loadmodule "./modules/tm/tm.so"
loadmodule "./modules/rr/rr.so"
loadmodule "./modules/maxfwd/maxfwd.so"
loadmodule "./modules/usrloc/usrloc.so"
loadmodule "./modules/registrar/registrar.so"
loadmodule "./modules/uri/uri.so"

# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "./modules/auth/auth.so"
loadmodule "./modules/auth_db/auth_db.so"

loadmodule "modules/acc/acc.so"

loadmodule "./modules/auth_radius/auth_radius.so"

# ----------------- setting module-specific parameters ---------------

# -- usrloc params --

modparam("usrloc", "db_mode",   2)


modparam("auth_radius", "radius_config",
"/usr/local/etc/radiusclient/radiusclient.conf")

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

modparam("acc", "log_level", 1)
modparam("acc", "radius_flag", 1)


# -------------------------  request routing logic -------------------

alias=domain.com


# main routing logic

route{

        # initial sanity checks -- messages with
        # max_forwards==0, or excessively long requests
        if (!mf_process_maxfwd_header("10")) {
                sl_send_reply("483","Too Many Hops");
                break;
        };
        if (len_gt( max_len )) {
                sl_send_reply("513", "Message too big");
                break;
        };

        # we record-route all messages -- to make sure that
        # subsequent messages will go through our proxy; that's
        # particularly good if upstream and downstream entities
        # use different transport protocol
        record_route();
        # loose-route processing
#       if (loose_route()) {
#               t_relay();
#               break;
#       };

        # if the request is for other domain use UsrLoc
        # (in case, it does not work, use the following command
        # with proper names and addresses in it)

        if (method=="REGISTER") {

                log(1, "REGISTER: Authenticating user\n");

                if (!radius_www_authorize("")) {
                        log(1, "REGISTER: challenging user\n");
                        www_challenge("", "0");
                        break;
                };
                save("location");
                break;
        };


        if (method=="INVITE") {

                log(1, "INVITE\n");
                setflag(1); /* set for accounting (the same value as in radius_flag!) */
        };

        if (method=="MESSAGE") {
                log(1, "MESSAGE\n");
                setflag(1); /* set for accounting (the same value as in radius_flag!) */
        };

        if (method=="BYE" || method=="CANCEL") {
                log (1, "BYE or CANCEL\n");
                setflag(1);
        };

        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location")) {
                sl_send_reply("404", "Not Found");
                break;
        };
        if (!t_relay()) {
                sl_reply_error();
                break;
        };


}

---------------------------------------------------------------


I hope it helps,

Jaime
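The Digest check that steps 5 and 6 hand over to the RADIUS server, as an added example (not SER or FreeRADIUS code, and not part of the original mail). It models the UA computing the RFC 2617 response for a REGISTER, SER's auth_radius passing the Digest parameters through, and the server (rlm_digest's job) recomputing the response from the cleartext User-Password in the "users" file. The user names, nonce, URIs and the USERS dict are constructed for the example; the realm is taken from whatever the request carries, which is what an empty realm in radius_www_authorize("") / www_challenge("", "0") amounts to.

```python
"""Digest verification as a RADIUS server does it for SER's auth_radius.

Added example, not SER or FreeRADIUS code. Round trip modelled:
  1. UA computes the RFC 2617 Digest response for a REGISTER;
  2. SER packs username/realm/nonce/uri/response into the RADIUS request;
  3. the server looks the user up (USERS stands in for the "users" file,
     e.g.  jaime  Auth-Type := Digest, User-Password = "jaime")
     and recomputes the response from the cleartext password.
All names, nonces and URIs below are constructed for the example.
"""
import hashlib
import hmac
import re
from typing import Dict, Optional

# Stand-in for the RADIUS "users" file: username -> cleartext password.
# Digest is a keyed MD5 over username:realm:password, so the server needs
# the cleartext (or a per-realm HA1), not a one-way password hash.
USERS: Dict[str, str] = {"jaime": "jaime"}

_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, qop: Optional[str] = None,
                    nc: Optional[str] = None, cnonce: Optional[str] = None) -> str:
    """RFC 2617 response. qop=None is the RFC 2069 form, which is what a UA
    answers to www_challenge(realm, "0") (a challenge without qop)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop is None:
        return _md5(f"{ha1}:{nonce}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username: str, realm: str, password: str, method: str,
                        uri: str, nonce: str, qop: Optional[str] = None,
                        nc: Optional[str] = None, cnonce: Optional[str] = None) -> str:
    """UA side: the Authorization header sent with the retried REGISTER."""
    resp = digest_response(username, realm, password, method, uri, nonce, qop, nc, cnonce)
    parts = [f'username="{username}"', f'realm="{realm}"', f'nonce="{nonce}"',
             f'uri="{uri}"', f'response="{resp}"', "algorithm=MD5"]
    if qop:
        parts += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    return "Digest " + ", ".join(parts)


def parse_authorization(header: str) -> Dict[str, str]:
    """Pull the Digest parameters out of an Authorization header; these are
    the values auth_radius forwards to the RADIUS server."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def radius_verify(method: str, header: str, request_uri: str,
                  users: Dict[str, str] = USERS) -> bool:
    """Server side: True models Access-Accept, False models Access-Reject."""
    a = parse_authorization(header)
    if any(k not in a for k in ("username", "realm", "nonce", "uri", "response")):
        return False
    # The uri inside the credentials must be the Request-URI the proxy saw,
    # otherwise a captured header could be replayed against another target.
    if a["uri"] != request_uri:
        return False
    # Unknown users still cost one hash computation and the final compare is
    # constant-time, so timing does not reveal whether the username exists.
    known = a["username"] in users
    password = users.get(a["username"], "")
    expected = digest_response(a["username"], a["realm"], password, method,
                               a["uri"], a["nonce"], a.get("qop"), a.get("nc"),
                               a.get("cnonce"))
    return known and hmac.compare_digest(expected, a["response"])


if __name__ == "__main__":
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # constructed; a server would randomise it
    hdr = build_authorization("jaime", "domain.com", "jaime", "REGISTER", "sip:domain.com", nonce)
    print(hdr)
    print("accept:", radius_verify("REGISTER", hdr, "sip:domain.com"))
    print("replayed to another uri:", radius_verify("REGISTER", hdr, "sip:other.example"))
```

Two things follow from how this check works. The "users" file keys on the username alone and the server recomputes HA1 with whatever realm the request carried, so once the realm is left empty in SER a password is valid in every realm the proxy serves; if that is not wanted, the user entry has to be bound to a realm on the RADIUS side. And because the server must recompute the MD5 over username:realm:password, it has to hold the cleartext password or a precomputed HA1, which is why the entry above carries User-Password in the clear and why the raddb files deserve tight permissions.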




> ah! finally I got somebody who can help me, Jaime you know what I was
> thinking of dropping this and moving to another :-) because I had had enough of
> it..it's been a week on this stuff
>
> so I have done a plain vanilla freeradius configuration with the default
> database/structure, I know this has to be changed but the problem is ser
> doesn't even communicate with radius :-(
>
> I have compiled the latest ser from cvs
> but when I use radius_www_authorise I get a lot of errors on the same config
> line where radius comes into the picture, like missing load module etc
> etc..once it worked as well without any errors but with that any user
> was able to register...i.e. no auth
>
> to make my life easier I would need your help right from scratch
>
> what all I need to do with ser
>
> need config file wrt radius
>
> need freeradius config wrt ser like table/db structures, sql.conf
> etc
>  I know I'm asking a lot, but please help me out :-)
> I would really be obliged for your help
>
> regards,
> Madan
>
> P.S:- if you ever need help on dns/webservers/mail servers please let me
> know :-)
>
>
> log-
>
> Aug  4 16:33:29 sip ser: parse error (106,62-63): unknown command,
> missing loadmodule?
>
>
>
> here is my ser.cfg file
> -------------------------------------------------------
>
> #
> # $Id: ser.cfg,v 1.21 2003/06/04 13:47:36 jiri Exp $
> #
> # simple quick-start config script
> #
>
> # ----------- global configuration parameters ------------------------
>
> #debug=3         # debug level (cmd line: -dddddddddd)
> #fork=yes
> #log_stderror=no # (cmd line: -E)
>
> /* Uncomment these lines to enter debugging mode
> debug=7
> fork=no
> log_stderror=yes
> */
>
> check_via=no # (cmd. line: -v)
> dns=no           # (cmd. line: -r)
> rev_dns=no      # (cmd. line: -R)
> port=5060
> children=4
> fifo="/tmp/ser_fifo"
>
> # ------------------ module loading ----------------------------------
>
> # Uncomment this if you want to use SQL database
> loadmodule "/usr/local/lib/ser/modules/mysql.so"
> loadmodule "/usr/local/lib/ser/modules/sl.so"
> loadmodule "/usr/local/lib/ser/modules/tm.so"
> loadmodule "/usr/local/lib/ser/modules/rr.so"
> loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
> loadmodule "/usr/local/lib/ser/modules/usrloc.so"
> loadmodule "/usr/local/lib/ser/modules/registrar.so"
> loadmodule "/usr/local/lib/ser/modules/auth_radius.so"
> #loadmodule "/usr/local/lib/ser/modules/uri_radius.so"
> loadmodule "/usr/local/lib/ser/modules/uri.so"
> # Uncomment this if you want digest authentication
> # mysql.so must be loaded !
> loadmodule "/usr/local/lib/ser/modules/auth.so"
> loadmodule "/usr/local/lib/ser/modules/auth_db.so"
>
> # ----------------- setting module-specific parameters ---------------
>
> # -- usrloc params --
>
> #modparam("usrloc", "db_mode",   0)
>
> # Uncomment this if you want to use SQL database
> # for persistent storage and comment the previous line
> modparam("usrloc", "db_mode", 1)
> modparam("auth_radius",
> "radius_config","/usr/local/etc/raddb/clients.conf")
> #modparam("uri_radius", "service_type", 11)
> # -- auth params --
> # Uncomment if you are using auth module
> #
> modparam("auth_db", "calculate_ha1", yes)
>
> # If you set "calculate_ha1" parameter to yes (which true in this
> config), # uncomment also the following parameter)
> #
> modparam("auth_db", "password_column", "password")
> modparam("usrloc", "db_url", "sql://root:heslo@localhost/ser")
> # -- rr params --
> # add value to ;lr param to make some broken UAs happy
> modparam("rr", "enable_full_lr", 1)
>
> # -------------------------  request routing logic -------------------
>
> # main routing logic
>
> route{
>
>         # initial sanity checks -- messages with
>         # max_forwards==0, or excessively long requests
>         if (!mf_process_maxfwd_header("10")) {
>                 sl_send_reply("483","Too Many Hops");
>                 break;
>         };
>         if (len_gt( max_len )) {
>                 sl_send_reply("513", "Message too big");
>                 break;
>         };
>
>         # we record-route all messages -- to make sure that
>         # subsequent messages will go through our proxy; that's
>         # particularly good if upstream and downstream entities
>         # use different transport protocol
>         record_route();
>         # loose-route processing
>         if (loose_route()) {
>                 t_relay();
>                 break;
>         };
>
>         # if the request is for other domain use UsrLoc
>         # (in case, it does not work, use the following command
>         # with proper names and addresses in it)
>         if (uri=~"sip.net4india.com") {
>
>                 if (method=="REGISTER") {
>
>                         # Uncomment this if you want to use digest authentication
>                         # if (!www_authorize("mydomain", "subscriber")) {
>                         if (radius_www_authorize("mydomain", "subscriber")) {
>                                 www_challenge("mydomain", "0");
>                                 break;
>                         };
>
>                         save("location");
>                         break;
>                 };
>
>                 ##LOGGING FOR TESTING
>                 if (method=="REGISTER") {
>                         log(1, "REGISTER received\n");
>                 } else {
>                         log(1, "non-REGISTER received\n");
>                 };
>                 if (uri=~"sip:.*[@:]mydomain") {
>                         log(1, "request for mydomain\n");
>                 } else {
>                         log(1, "request for other domain received\n");
>                 };
>
>                 # native SIP destinations are handled using our USRLOC DB
>                 if (!lookup("location")) {
>                         sl_send_reply("404", "Not Found");
>                         break;
>                 };
>                 #};
>                 # forward to current uri now; use stateful forwarding; that
>                 # works reliably even if we forward from TCP to UDP
>                 if (!t_relay()) {
>                         sl_reply_error();
>                 };
>
>         };
> }
>
>
>
>
>
>
> ----- Original Message -----
> From: <jaime at umtstrial.co.uk>
> To: <madan.r at net4india.net>
> Sent: Monday, August 04, 2003 3:50 PM
> Subject: Re: ser radius conf
>
>
>> Hi Madan,
>>
>> I was able to use FreeRadius for authentication and accounting. Let me
>> know how far you are with your config and I'll try to guide you.
>>
>> Jaime
>>
>> > Hi Jaime
>> > got your email id from the ser mailing list
>> > need your help if you were able to configure the ser sip with free
>> > radius
>> >
>> > regards,
>> > madan





