[Serusers] Problem with Radius Auth, any hint?

Jan Janak jan at iptel.org
Sat Oct 4 10:54:35 CEST 2003 

Hello,

make sure that digest realm parameter and From/To domain are same.

  Jan.

On 03-10 22:37, John Foster wrote:
> Hi Jan,
>  
> Already gone through this, did exactly the same, radiusclient is installed n configured, While m geting an error in debug of ser, that is 
>  
> 15(26965) check_nonce(): comparing [3f7e23177ff358f48050c11e7540943971b73f02] and [3f7e23177ff358f48050c11e7540943971b73f02]
> 15(26965) authorize(): Credentials realm and URI host do not match
> 15(26965) build_auth_hf(): 'WWW-Authenticate: Digest realm="cooking.com.pk", nonce="3f7e23177ff358f48050c11e7540943971b73f02"
> 
> While ser conf is fine enough, pasted below.
> alias="cooking.com.pk"
> # ------------------ module loading ----------------------------------
> # Uncomment this if you want to use SQL database
> loadmodule "/usr/local/lib/ser/modules/mysql.so"
> loadmodule "/usr/local/lib/ser/modules/sl.so"
> loadmodule "/usr/local/lib/ser/modules/tm.so"
> loadmodule "/usr/local/lib/ser/modules/rr.so"
> loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
> loadmodule "/usr/local/lib/ser/modules/usrloc.so"
> loadmodule "/usr/local/lib/ser/modules/registrar.so"
> # Uncomment this if you want digest authentication
> # mysql.so must be loaded !
> loadmodule "/usr/local/lib/ser/modules/auth.so"
> loadmodule "/usr/local/lib/ser/modules/auth_radius.so"
> # ----------------- setting module-specific parameters ---------------
> # -- usrloc params --
> #modparam("usrloc", "db_mode",   0)
> # Uncomment this if you want to use SQL database
> # for persistent storage and comment the previous line
> modparam("usrloc", "db_mode", 2)
> # -- auth params --
> # Uncomment if you are using auth module
> #
> #modparam("auth_db", "calculate_ha1", yes)
> modparam("auth_radius", "radius_config", "/usr/local/etc/radiusclient/radiusclient.conf")
> #
> # If you set "calculate_ha1" parameter to yes (which true in this config),
> # uncomment also the following parameter)
> #
> #modparam("auth_db", "password_column", "password")
> modparam("auth_radius", "service_type", 15)
> # -- rr params --
> # add value to ;lr param to make some broken UAs happy
> modparam("rr", "enable_full_lr", 1)
> # -------------------------  request routing logic -------------------
> # main routing logic
> route{
>         # initial sanity checks -- messages with
>         # max_forwards==0, or excessively long requests
>         if (!mf_process_maxfwd_header("10")) {
>                 sl_send_reply("483","Too Many Hops....:(");
>                 break;
>         };
>         if (len_gt( max_len )) {
>                 sl_send_reply("513", "Message too big");
>                 break;
>         };
>         # we record-route all messages -- to make sure that
>         # subsequent messages will go through our proxy; that's
>         # particularly good if upstream and downstream entities
>         # use different transport protocol
>         record_route();
>         # loose-route processing
>         if (loose_route()) {
>                 t_relay();
>                 break;
>         };
>         # if the request is for other domain use UsrLoc
>         # (in case, it does not work, use the following command
>         # with proper names and addresses in it)
>         if (uri=~"voice.cooking.com.pk") {
>                 if (method=="REGISTER") {
> # Uncomment this if you want to use digest authentication
>                         if (!radius_www_authorize("cooking.com.pk")) {
>                                 www_challenge("cooking.com.pk", "0");
>                                 break;
>                         };
>                         save("location");
>                         break;
>                 };
>                 # native SIP destinations are handled using our USRLOC DB
>                 if (!lookup("location")) {
>                         sl_send_reply("404", "Not Found....!!!");
>                         break;
>                 };
>         };
>         # forward to current uri now; use stateful forwarding; that
>         # works reliably even if we forward from TCP to UDP
>         if (!t_relay()) {
>                 sl_reply_error();
>         };
> }
> 
>  
> Seems some minor mistake.., As no request is being sent to radius, ngrep shows nothing for that.... 
>  
> JF
> 
> 
> Jan Janak <jan at iptel.org> wrote:
> See http://iptel.org/ser/ser_radius.html
> 
> Jan.
> 
> On 03-10 03:47, John Foster wrote:
> > Hi 
> > 
> > I m using RADIATOR with ser0.8.11, while ser is running it doesnt send req to radius, following are snapd of log generated at ser (ngrep o/p)
> > 
> > #
> > U 202.133.64.66:5060 -> 202.133.64.71:5060
> > REGISTER sip:voice.cooking.com.pk SIP/2.0..Via: SIP/2.0/UDP 202.133.64.66;branch=z9hG4bKnp1730137267-43b5a45e202.133.64.6
> > 6..From: ;tag=671fccba..To: ..Call-ID: 1969536413-43c1d03
> > a at 1969536416-43c1d037..Contact: ;expires=600;q=0.500..Expires: 600..CSeq: 22 REGISTER..Content-
> > Length: 0..User-Agent: Ahead SIPPS IP Phone Version 2.0.42.13....
> > #
> > U 202.133.64.71:5060 -> 202.133.64.66:5060
> > SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP 202.133.64.66;branch=z9hG4bKnp1730137267-43b5a45e202.133.64.66..From: > ;tag=671fccba..To">21 at voice.cooking.com.pk>;tag=671fccba..To: ;tag=b27e1a1d33761e85846fc98f5f3a7e58.bdca..Ca
> > ll-ID: 1969536413-43c1d03a at 1969536416-43c1d037..CSeq: 22 REGISTER..WWW-Authenticate: Digest realm="cooking.com.pk", nonce
> > ="3f7d19d62902cb25358e2c666df77d1369d90974"..Server: Sip EXpress router (0.8.11 (i386/linux))..Content-Length: 0..Warning
> > : 392 202.133.64.71:5060 "Noisy feedback tells: pid=13339 req_src_ip=202.133.64.66 req_src_port=5060 in_uri=sip:voice.co
> > oking.com.pk out_uri=sip:voice.cooking.com.pk via_cnt==1"....
> > 
> > 
> > While here is my ser.cfg
> > 
> > # mysql.so must be loaded !
> > loadmodule "/usr/local/lib/ser/modules/auth.so"
> > loadmodule "/usr/local/lib/ser/modules/auth_radius.so"
> > # ----------------- setting module-specific parameters ---------------
> > # -- usrloc params --
> > #modparam("usrloc", "db_mode", 0)
> > # Uncomment this if you want to use SQL database
> > # for persistent storage and comment the previous line
> > modparam("usrloc", "db_mode", 2)
> > # -- auth params --
> > # Uncomment if you are using auth module
> > #
> > #modparam("auth_dbs", "calculate_ha1", yes)
> > modparam("auth_radius", "radius_config", "/usr/local/etc/radiusclient/radiusclient.conf")
> > #
> > # If you set "calculate_ha1" parameter to yes (which true in this config),
> > # uncomment also the following parameter)
> > #
> > #modparam("auth_db", "password_column", "password")
> > modparam("auth_radius", "service_type", 15)
> > :
> > :
> > :
> > :
> > # Uncomment this if you want to use digest authentication
> > if (!radius_www_authorize("cooking.com.pk")) {
> > www_challenge("cooking.com.pk", "0");
> > break;
> > };
> > 
> > 
> > Any hint?
> > JF
> > 
> > 
> > 
> > ---------------------------------
> > Do you Yahoo!?
> > The New Yahoo! Shopping - with improved product search
> > _______________________________________________
> > Serusers mailing list
> > serusers at lists.iptel.org
> > http://lists.iptel.org/mailman/listinfo/serusers
> 
> 
> ---------------------------------
> Do you Yahoo!?
> The New Yahoo! Shopping - with improved product search

More information about the sr-users mailing list