[Serusers] SER/SIP & RADIUS/Auth-Type = Digest

Steve Dolloff sdolloff at noc.dls.net
Wed Oct 1 18:45:30 CEST 2003


OK, I figured out that I had messed up the digest file that I was using
with radclient.  I now get a correct response using radclient to test
against the freeradius server.  When I try to auth from ser though, I am
getting a failure.  Group authenticate returns reject.  I'm not
intending to do any group authentication.  I tried loading the
group_radius module instead of the group module and I also tried loading
no group modules, but I still get the same error.

Please see my radiusd-x output...


modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Digest
auth: type "digest"
modcall: entering group authenticate
A1 = sdolloff:voip2.test.net:test
A2 = REGISTER:sip:voip2.test.net
KD = ad3c99a75e03ad3ead8254ce95a59a3b:3f7b05a030240eba31ec566b2d783170e9c98300:797c155d7796a9cb0be4154d07e88417
rlm_digest: FAILED authentication
  modcall[authenticate]: module "digest" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.

Stephen


-----Original Message-----
From: Daniel-Constantin Mierla
[mailto:Daniel-Constantin.Mierla at fokus.fraunhofer.de] 
Sent: Wednesday, October 01, 2003 3:39 AM
To: Steve Dolloff
Cc: Serusers
Subject: Re: [Serusers] SER/SIP & RADIUS/Auth-Type = Digest

Hello,
comments inline.

On 9/30/2003 10:32 PM, Steve Dolloff wrote:

>I have installed freeradius according to the "HOW TO" for radius and now
>I am seeing the following error.  I assume that since I am seeing errors
>on both servers that it is a problem with either the dictionary or the
>client. Here are the new error logs... any ideas?
>
>rad_recv: Access-Request packet from host 209.242.100.153:33612, id=103, length=148
>        User-Name = "sdolloff"
>        Digest-Response = "631d6d73147add2f9e437f59bbc3aeb7"
>        Digest-Attributes = "\001\017voip2.test.net"
>        Digest-Attributes = "\002\006test"
>        Digest-Attributes = "\003\010INVITE"
>        Digest-Attributes = "\004\034sip:5555551212 at example.com"
>        Digest-Attributes = "\006\005MD5"
>        Digest-Attributes = "\n\nsdolloff"
>modcall: entering group authorize
>  modcall[authorize]: module "preprocess" returns ok
>  modcall[authorize]: module "chap" returns noop
>rlm_eap: EAP-Message not found
>  modcall[authorize]: module "eap" returns noop
>    rlm_digest: Converting Digest-Attributes to something sane...
>        Digest-Realm = "voip2.test.net"
>        Digest-Nonce = "test"
>        Digest-Method = "INVITE"
>        Digest-Uri = "sip:5555551212 at example.com"
>        Digest-Algorithm = "MD5"
>        Digest-User-Name = "sdolloff"
>rlm_digest: Adding Auth-Type = DIGEST
>  modcall[authorize]: module "digest" returns ok
>    rlm_realm: No '@' in User-Name = "sdolloff", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop
>    users: Matched DEFAULT at 152
>  modcall[authorize]: module "files" returns ok
>  modcall[authorize]: module "mschap" returns noop
>modcall: group authorize returns ok
>  rad_check_password:  Found Auth-Type DIGEST
>auth: type "digest"
>modcall: entering group authenticate
>rlm_digest: Configuration item "User-Password" is required for authentication.
>
It seems that the "User-Password" attribute is missing for user 
"sdolloff" in radius users file. It should look like the example from 
Radius HOW-TO:
http://iptel.org/ser/doc/ser_radius/ser_radius.html#AEN139.

Daniel

>  modcall[authenticate]: module "digest" returns invalid
>modcall: group authenticate returns invalid
>auth: Failed to validate the user.
>Delaying request 6 for 1 seconds
>Finished request 6
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Sending Access-Reject of id 103 to 209.242.100.153:33612
>Waking up in 4 seconds...
>--- Walking the entire request list ---
>Cleaning up request 6 ID 103 with timestamp 3f79e7dc
>Nothing to do.  Sleeping until we see a request.
>Subject: Re: [Serusers] SER/SIP & RADIUS/Auth-Type = Digest
>
>On (30.09.03 13:54), Steve Dolloff wrote:
>  
>
>>209.242.100.153 for 'sdolloff at voip2.test.net' is ignored;no password
>> or CHAP password is used
>>    
>>
>
>Your RADIUS server has to support Digest Authentication, and the line
>above seems to indicate that it does not do that.
>
>If you can change your Radius server software, give Freeradius or
>Radiator (commercial, but excellent) a try. If you can not, try to
>educate your existing server to do CHAP-Type authentication.
>
>hope that helps.
>
>Alex Mayrhofer
>nic.at
>
>
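
Added example, not part of the original thread and not FreeRADIUS or SER code: a small checker that recomputes each stage of the digest from A1/A2/KD debug lines shaped like the ones above, to show whether the server's own hashes are consistent and whether the client's Digest-Response matches. It assumes the no-qop (RFC 2069 style) calculation that the three-part KD line suggests; all names and sample values are constructed.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def kd_line(a1, a2, nonce):
    """Build a KD string in the layout shown in the log: MD5(A1):nonce:MD5(A2)."""
    return f"{md5_hex(a1)}:{nonce}:{md5_hex(a2)}"

def parse_debug(lines):
    """Collect the A1, A2 and KD values from 'NAME = value' debug lines."""
    found = {}
    for line in lines:
        name, sep, value = line.partition("=")
        if sep and name.strip() in ("A1", "A2", "KD"):
            found[name.strip()] = value.strip()
    return found

def diagnose(lines, client_response):
    """Recompute each stage and report which one disagrees."""
    f = parse_debug(lines)
    # HA1 is the first field and HA2 the last; the nonce is whatever lies between.
    ha1, rest = f["KD"].split(":", 1)
    nonce, ha2 = rest.rsplit(":", 1)
    expected = md5_hex(f["KD"])  # assumption: no qop, so response = MD5(KD)
    return {
        "ha1_matches_a1": md5_hex(f["A1"]) == ha1,
        "ha2_matches_a2": md5_hex(f["A2"]) == ha2,
        "nonce": nonce,
        "response_matches": hmac.compare_digest(expected, client_response.lower()),
    }

# Constructed sample values (not taken from the thread).
A1 = "alice:sip.example.test:s3cret"   # user:realm:password as the server sees it
A2 = "REGISTER:sip:sip.example.test"   # method:uri
NONCE = "0123456789abcdef0123456789abcdef01234567"
SAMPLE = [f"A1 = {A1}", f"A2 = {A2}", f"KD = {kd_line(A1, A2, NONCE)}",
          "rlm_digest: FAILED authentication"]

if __name__ == "__main__":
    # A client that hashed a different password than the one in the users file.
    wrong = md5_hex(kd_line("alice:sip.example.test:other", A2, NONCE))
    print(diagnose(SAMPLE, wrong))
```

If both HA1 and HA2 match but the response does not, the client hashed different inputs than the server's A1/A2 show, typically a different password, realm or URI.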




