[Serhelp] Re: [Serusers] Problem with Radius Auth, any hint?
Jan Janak
jan at iptel.org
Sat Oct 4 11:37:02 CEST 2003
I.e. if your message contains foo.bar in From/To (depending on the
message) then make sure you have either "foo.bar" as the first parameter
of *_authorize and *_challenge functions. Or you can also use empty
string, in that case the parameter will be extracted from the SIP
message.
Jan.
On 04-10 10:54, Jan Janak wrote:
> Hello,
>
> make sure that digest realm parameter and From/To domain are same.
>
> Jan.
>
> On 03-10 22:37, John Foster wrote:
> > Hi Jan,
> >
> > Already gone through this, did exactly the same, radiusclient is installed n configured, While m geting an error in debug of ser, that is
> >
> > 15(26965) check_nonce(): comparing [3f7e23177ff358f48050c11e7540943971b73f02] and [3f7e23177ff358f48050c11e7540943971b73f02]
> > 15(26965) authorize(): Credentials realm and URI host do not match
> > 15(26965) build_auth_hf(): 'WWW-Authenticate: Digest realm="cooking.com.pk", nonce="3f7e23177ff358f48050c11e7540943971b73f02"
> >
> > While ser conf is fine enough, pasted below.
> > alias="cooking.com.pk"
> > # ------------------ module loading ----------------------------------
> > # Uncomment this if you want to use SQL database
> > loadmodule "/usr/local/lib/ser/modules/mysql.so"
> > loadmodule "/usr/local/lib/ser/modules/sl.so"
> > loadmodule "/usr/local/lib/ser/modules/tm.so"
> > loadmodule "/usr/local/lib/ser/modules/rr.so"
> > loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
> > loadmodule "/usr/local/lib/ser/modules/usrloc.so"
> > loadmodule "/usr/local/lib/ser/modules/registrar.so"
> > # Uncomment this if you want digest authentication
> > # mysql.so must be loaded !
> > loadmodule "/usr/local/lib/ser/modules/auth.so"
> > loadmodule "/usr/local/lib/ser/modules/auth_radius.so"
> > # ----------------- setting module-specific parameters ---------------
> > # -- usrloc params --
> > #modparam("usrloc", "db_mode", 0)
> > # Uncomment this if you want to use SQL database
> > # for persistent storage and comment the previous line
> > modparam("usrloc", "db_mode", 2)
> > # -- auth params --
> > # Uncomment if you are using auth module
> > #
> > #modparam("auth_db", "calculate_ha1", yes)
> > modparam("auth_radius", "radius_config", "/usr/local/etc/radiusclient/radiusclient.conf")
> > #
> > # If you set "calculate_ha1" parameter to yes (which true in this config),
> > # uncomment also the following parameter)
> > #
> > #modparam("auth_db", "password_column", "password")
> > modparam("auth_radius", "service_type", 15)
> > # -- rr params --
> > # add value to ;lr param to make some broken UAs happy
> > modparam("rr", "enable_full_lr", 1)
> > # ------------------------- request routing logic -------------------
> > # main routing logic
> > route{
> > # initial sanity checks -- messages with
> > # max_forwards==0, or excessively long requests
> > if (!mf_process_maxfwd_header("10")) {
> > sl_send_reply("483","Too Many Hops....:(");
> > break;
> > };
> > if (len_gt( max_len )) {
> > sl_send_reply("513", "Message too big");
> > break;
> > };
> > # we record-route all messages -- to make sure that
> > # subsequent messages will go through our proxy; that's
> > # particularly good if upstream and downstream entities
> > # use different transport protocol
> > record_route();
> > # loose-route processing
> > if (loose_route()) {
> > t_relay();
> > break;
> > };
> > # if the request is for other domain use UsrLoc
> > # (in case, it does not work, use the following command
> > # with proper names and addresses in it)
> > if (uri=~"voice.cooking.com.pk") {
> > if (method=="REGISTER") {
> > # Uncomment this if you want to use digest authentication
> > if (!radius_www_authorize("cooking.com.pk")) {
> > www_challenge("cooking.com.pk", "0");
> > break;
> > };
> > save("location");
> > break;
> > };
> > # native SIP destinations are handled using our USRLOC DB
> > if (!lookup("location")) {
> > sl_send_reply("404", "Not Found....!!!");
> > break;
> > };
> > };
> > # forward to current uri now; use stateful forwarding; that
> > # works reliably even if we forward from TCP to UDP
> > if (!t_relay()) {
> > sl_reply_error();
> > };
> > }
> >
> >
> > Seems some minor mistake.., As no request is being sent to radius, ngrep shows nothing for that....
> >
> > JF
> >
> >
> > Jan Janak <jan at iptel.org> wrote:
> > See http://iptel.org/ser/ser_radius.html
> >
> > Jan.
> >
> > On 03-10 03:47, John Foster wrote:
> > > Hi
> > >
> > > I m using RADIATOR with ser0.8.11, while ser is running it doesnt send req to radius, following are snapd of log generated at ser (ngrep o/p)
> > >
> > > #
> > > U 202.133.64.66:5060 -> 202.133.64.71:5060
> > > REGISTER sip:voice.cooking.com.pk SIP/2.0..Via: SIP/2.0/UDP 202.133.64.66;branch=z9hG4bKnp1730137267-43b5a45e202.133.64.6
> > > 6..From: ;tag=671fccba..To: ..Call-ID: 1969536413-43c1d03
> > > a at 1969536416-43c1d037..Contact: ;expires=600;q=0.500..Expires: 600..CSeq: 22 REGISTER..Content-
> > > Length: 0..User-Agent: Ahead SIPPS IP Phone Version 2.0.42.13....
> > > #
> > > U 202.133.64.71:5060 -> 202.133.64.66:5060
> > > SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP 202.133.64.66;branch=z9hG4bKnp1730137267-43b5a45e202.133.64.66..From: > ;tag=671fccba..To">21 at voice.cooking.com.pk>;tag=671fccba..To: ;tag=b27e1a1d33761e85846fc98f5f3a7e58.bdca..Ca
> > > ll-ID: 1969536413-43c1d03a at 1969536416-43c1d037..CSeq: 22 REGISTER..WWW-Authenticate: Digest realm="cooking.com.pk", nonce
> > > ="3f7d19d62902cb25358e2c666df77d1369d90974"..Server: Sip EXpress router (0.8.11 (i386/linux))..Content-Length: 0..Warning
> > > : 392 202.133.64.71:5060 "Noisy feedback tells: pid=13339 req_src_ip=202.133.64.66 req_src_port=5060 in_uri=sip:voice.co
> > > oking.com.pk out_uri=sip:voice.cooking.com.pk via_cnt==1"....
> > >
> > >
> > > While here is my ser.cfg
> > >
> > > # mysql.so must be loaded !
> > > loadmodule "/usr/local/lib/ser/modules/auth.so"
> > > loadmodule "/usr/local/lib/ser/modules/auth_radius.so"
> > > # ----------------- setting module-specific parameters ---------------
> > > # -- usrloc params --
> > > #modparam("usrloc", "db_mode", 0)
> > > # Uncomment this if you want to use SQL database
> > > # for persistent storage and comment the previous line
> > > modparam("usrloc", "db_mode", 2)
> > > # -- auth params --
> > > # Uncomment if you are using auth module
> > > #
> > > #modparam("auth_dbs", "calculate_ha1", yes)
> > > modparam("auth_radius", "radius_config", "/usr/local/etc/radiusclient/radiusclient.conf")
> > > #
> > > # If you set "calculate_ha1" parameter to yes (which true in this config),
> > > # uncomment also the following parameter)
> > > #
> > > #modparam("auth_db", "password_column", "password")
> > > modparam("auth_radius", "service_type", 15)
> > > :
> > > :
> > > :
> > > :
> > > # Uncomment this if you want to use digest authentication
> > > if (!radius_www_authorize("cooking.com.pk")) {
> > > www_challenge("cooking.com.pk", "0");
> > > break;
> > > };
> > >
> > >
> > > Any hint?
> > > JF
> > >
> > >
> > >
> > > ---------------------------------
> > > Do you Yahoo!?
> > > The New Yahoo! Shopping - with improved product search
> > > _______________________________________________
> > > Serusers mailing list
> > > serusers at lists.iptel.org
> > > http://lists.iptel.org/mailman/listinfo/serusers
> >
> >
> > ---------------------------------
> > Do you Yahoo!?
> > The New Yahoo! Shopping - with improved product search
>
> _______________________________________________
> Serhelp mailing list
> serhelp at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serhelp
More information about the sr-users
mailing list