[Serusers] Problem with Radius Auth, any hint?

John Foster jfoste2003 at yahoo.com
Sat Oct 4 07:37:00 CEST 2003 

Hi Jan,
 
Already gone through this, did exactly the same, radiusclient is installed n configured, While m geting an error in debug of ser, that is 
 
15(26965) check_nonce(): comparing [3f7e23177ff358f48050c11e7540943971b73f02] and [3f7e23177ff358f48050c11e7540943971b73f02]
15(26965) authorize(): Credentials realm and URI host do not match
15(26965) build_auth_hf(): 'WWW-Authenticate: Digest realm="cooking.com.pk", nonce="3f7e23177ff358f48050c11e7540943971b73f02"

While ser conf is fine enough, pasted below.
alias="cooking.com.pk"
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
loadmodule "/usr/local/lib/ser/modules/mysql.so"
loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "/usr/local/lib/ser/modules/auth.so"
loadmodule "/usr/local/lib/ser/modules/auth_radius.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
#modparam("usrloc", "db_mode",   0)
# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
modparam("usrloc", "db_mode", 2)
# -- auth params --
# Uncomment if you are using auth module
#
#modparam("auth_db", "calculate_ha1", yes)
modparam("auth_radius", "radius_config", "/usr/local/etc/radiusclient/radiusclient.conf")
#
# If you set "calculate_ha1" parameter to yes (which true in this config),
# uncomment also the following parameter)
#
#modparam("auth_db", "password_column", "password")
modparam("auth_radius", "service_type", 15)
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# -------------------------  request routing logic -------------------
# main routing logic
route{
        # initial sanity checks -- messages with
        # max_forwards==0, or excessively long requests
        if (!mf_process_maxfwd_header("10")) {
                sl_send_reply("483","Too Many Hops....:(");
                break;
        };
        if (len_gt( max_len )) {
                sl_send_reply("513", "Message too big");
                break;
        };
        # we record-route all messages -- to make sure that
        # subsequent messages will go through our proxy; that's
        # particularly good if upstream and downstream entities
        # use different transport protocol
        record_route();
        # loose-route processing
        if (loose_route()) {
                t_relay();
                break;
        };
        # if the request is for other domain use UsrLoc
        # (in case, it does not work, use the following command
        # with proper names and addresses in it)
        if (uri=~"voice.cooking.com.pk") {
                if (method=="REGISTER") {
# Uncomment this if you want to use digest authentication
                        if (!radius_www_authorize("cooking.com.pk")) {
                                www_challenge("cooking.com.pk", "0");
                                break;
                        };
                        save("location");
                        break;
                };
                # native SIP destinations are handled using our USRLOC DB
                if (!lookup("location")) {
                        sl_send_reply("404", "Not Found....!!!");
                        break;
                };
        };
        # forward to current uri now; use stateful forwarding; that
        # works reliably even if we forward from TCP to UDP
        if (!t_relay()) {
                sl_reply_error();
        };
}

 
Seems some minor mistake.., As no request is being sent to radius, ngrep shows nothing for that.... 
 
JF


Jan Janak <jan at iptel.org> wrote:
See http://iptel.org/ser/ser_radius.html

Jan.

On 03-10 03:47, John Foster wrote:
> Hi 
> 
> I m using RADIATOR with ser0.8.11, while ser is running it doesnt send req to radius, following are snapd of log generated at ser (ngrep o/p)
> 
> #
> U 202.133.64.66:5060 -> 202.133.64.71:5060
> REGISTER sip:voice.cooking.com.pk SIP/2.0..Via: SIP/2.0/UDP 202.133.64.66;branch=z9hG4bKnp1730137267-43b5a45e202.133.64.6
> 6..From: ;tag=671fccba..To: ..Call-ID: 1969536413-43c1d03
> a at 1969536416-43c1d037..Contact: ;expires=600;q=0.500..Expires: 600..CSeq: 22 REGISTER..Content-
> Length: 0..User-Agent: Ahead SIPPS IP Phone Version 2.0.42.13....
> #
> U 202.133.64.71:5060 -> 202.133.64.66:5060
> SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP 202.133.64.66;branch=z9hG4bKnp1730137267-43b5a45e202.133.64.66..From: > ;tag=671fccba..To">21 at voice.cooking.com.pk>;tag=671fccba..To: ;tag=b27e1a1d33761e85846fc98f5f3a7e58.bdca..Ca
> ll-ID: 1969536413-43c1d03a at 1969536416-43c1d037..CSeq: 22 REGISTER..WWW-Authenticate: Digest realm="cooking.com.pk", nonce
> ="3f7d19d62902cb25358e2c666df77d1369d90974"..Server: Sip EXpress router (0.8.11 (i386/linux))..Content-Length: 0..Warning
> : 392 202.133.64.71:5060 "Noisy feedback tells: pid=13339 req_src_ip=202.133.64.66 req_src_port=5060 in_uri=sip:voice.co
> oking.com.pk out_uri=sip:voice.cooking.com.pk via_cnt==1"....
> 
> 
> While here is my ser.cfg
> 
> # mysql.so must be loaded !
> loadmodule "/usr/local/lib/ser/modules/auth.so"
> loadmodule "/usr/local/lib/ser/modules/auth_radius.so"
> # ----------------- setting module-specific parameters ---------------
> # -- usrloc params --
> #modparam("usrloc", "db_mode", 0)
> # Uncomment this if you want to use SQL database
> # for persistent storage and comment the previous line
> modparam("usrloc", "db_mode", 2)
> # -- auth params --
> # Uncomment if you are using auth module
> #
> #modparam("auth_dbs", "calculate_ha1", yes)
> modparam("auth_radius", "radius_config", "/usr/local/etc/radiusclient/radiusclient.conf")
> #
> # If you set "calculate_ha1" parameter to yes (which true in this config),
> # uncomment also the following parameter)
> #
> #modparam("auth_db", "password_column", "password")
> modparam("auth_radius", "service_type", 15)
> :
> :
> :
> :
> # Uncomment this if you want to use digest authentication
> if (!radius_www_authorize("cooking.com.pk")) {
> www_challenge("cooking.com.pk", "0");
> break;
> };
> 
> 
> Any hint?
> JF
> 
> 
> 
> ---------------------------------
> Do you Yahoo!?
> The New Yahoo! Shopping - with improved product search
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers


---------------------------------
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20031003/d3826116/attachment.htm>

More information about the sr-users mailing list