[Serusers] Seruser - Radius authentication

Steven R. Bunin steve at solaas.com
Tue Sep 23 20:08:17 CEST 2003


Jan,

You were right.. I had updated the client's password in the client file and not the client.conf file..
WOW!!.. I can't believe I missed that one.

Thank you soooo much.. you're a genius.

Steve

Jan Janak wrote:

> Hello,
>
> the error message below comes from radiusclient library and means that
> the radiusclient library was unable to verify __digest of RADIUS message__
> (it is not related to SIP digest) because shared secrets of the client and
> server do not match.
>
>   Jan.
>
> On 23-09 13:50, Steven R. Bunin wrote:
> > Jan,
> >
> > Is there anything specific needed in the Freeradius configuration for Digest Authentication? I ask this
> > because SER is reporting  "check_radius_reply: received invalid reply digest from RADIUS server".
> >
> > I ran the test with radclient as suggested in the Radius-howto and it worked as expected.
> >
> > steve
> >
> > Jan Janak wrote:
> >
> > > I really don't know what to tell you more, there simply must be some
> > > problem in your setup because I am pretty sure that the radius code in
> > > ser works. Read ser-radius howto carefully and double check every step.
> > >
> > > One last thing, you are running the server and client on the same host,
> > > double check that you don't have two entries for 127.0.0.1 or localhost
> > > in the configuration files of the server (one is there by default).
> > >
> > > Also, do the test using radclient as described in ser-radius howto.
> > >
> > >   Jan.
> > >
> > > On 23-09 13:25, Steven R. Bunin wrote:
> > > > Jan,
> > > >
> > > > Just checked that and both my client and server files match in terms of the secret. I also did a
> > > > test using XTradius on a different server. I need to update that XTradius with the ser dictionary
> > > > and it might work, as of now the XTradius is saying it is not receiving a password.
> > > >
> > > > Steve
> > > >
> > > > Jan Janak wrote:
> > > >
> > > > > Check that you really configured the same shared secret in the
> > > > > radiusclient library and the radius server. I remember I had the same
> > > > > problem when I accidentally misconfigured the secret.
> > > > >
> > > > >  Jan.
> > > > >
> > > > > On 23-09 13:11, Steven R. Bunin wrote:
> > > > > > Hi Jan,
> > > > > >
> > > > > > I am running freeradius with the -X and it is sending back whatever message I place in my
> > > > > > "Reply-message = ..." field.
> > > > > >
> > > > > > here is the output..
> > > > > >
> > > > > > rlm_eap: EAP-Message not found
> > > > > >     rlm_digest: Converting Digest-Attributes to something sane...
> > > > > >         Digest-User-Name = "17182681152"
> > > > > >         Digest-Realm = "sip2.solaas.com"
> > > > > >         Digest-Nonce = "3f70740aca7efa44e94e91a8df73c19d5c4318fc"
> > > > > >         Digest-URI = "sip:sip2.solaas.com"
> > > > > >         Digest-Method = "REGISTER"
> > > > > > rlm_digest: Adding Auth-Type = DIGEST
> > > > > > Sending Access-Accept of id 138 to 127.0.0.1:33966
> > > > > > > rad_recv: Access-Request packet from host 127.0.0.1:33966, id=139, length=227
> > > > > >         User-Name = "17182681152 at sip2.solaas.com"
> > > > > >         Digest-Attributes = 0x0a0d3137313832363831313532
> > > > > >         Digest-Attributes = 0x0111736970322e736f6c6161732e636f6d
> > > > > > >         Digest-Attributes = 0x022a33663730373434376537393537646530346662333637643335373333643436613631366435616564
> > > > > >         Digest-Attributes = 0x04157369703a736970322e736f6c6161732e636f6d
> > > > > >         Digest-Attributes = 0x030a5245474953544552
> > > > > >         Digest-Response = "1c54b2afbdd7ea6b401e20e056c22ebe"
> > > > > >         Service-Type = IAPP-Register
> > > > > >         X-Ascend-PW-Lifetime = 0x3137313832363831313532
> > > > > >         NAS-IP-Address = 127.0.0.1
> > > > > >         NAS-Port = 5060
> > > > > > rlm_eap: EAP-Message not found
> > > > > >     rlm_digest: Converting Digest-Attributes to something sane...
> > > > > >         Digest-User-Name = "17182681152"
> > > > > >         Digest-Realm = "sip2.solaas.com"
> > > > > >         Digest-Nonce = "3f707447e7957de04fb367d35733d46a616d5aed"
> > > > > >         Digest-URI = "sip:sip2.solaas.com"
> > > > > >         Digest-Method = "REGISTER"
> > > > > > rlm_digest: Adding Auth-Type = DIGEST
> > > > > > Sending Access-Accept of id 139 to 127.0.0.1:33966
> > > > > >
> > > > > > As you can see, there is an Access-Accept being sent.. but my Xten-Pro sipphone is receiving
> > > > > > an Unauthorized message from SER (based on my ethereal packet sniffer).
> > > > > >
> > > > > > Steve
> > > > > >
> > > > > >
> > > > > > Jan Janak wrote:
> > > > > >
> > > > > > > Hello,
> > > > > > >
> > > > > > > I suppose you are using freeradius server. Start it with -X option and
> > > > > > > see the output.
> > > > > > >
> > > > > > >   Jan.
> > > > > > >
> > > > > > > On 23-09 13:01, Steven R. Bunin wrote:
> > > > > > > > I am also using Ser with Radius and finally got the Radiusclient, Radius and
> > > > > > > > Ser to all talk together. The only issue I have is that the radius server is
> > > > > > > > > not sending back what the radiusclient is looking for in order to tell Ser to
> > > > > > > > authenticate the user (I hope that isn't too confusing).
> > > > > > > >
> > > > > > > > The lines affecting radius in my ser.cfg are
> > > > > > > > modparam("auth_radius","radius_config","/usr/local/etc/radiusclient/radiusclient.conf")
> > > > > > > >
> > > > > > > > route{
> > > > > > > >      log(1,"logging so message came in");
> > > > > > > >
> > > > > > > >  if (uri=~"solaas.com") {
> > > > > > > >      log(1,"sip_2 ip came through");
> > > > > > > >
> > > > > > > >   if (method=="REGISTER") {
> > > > > > > >      log(1,"register go through");
> > > > > > > >
> > > > > > > > # Uncomment this if you want to use digest authentication
> > > > > > > >    if (!radius_www_authorize("")) {
> > > > > > > >     www_challenge("","0");
> > > > > > > >      log(1,"request came in");
> > > > > > > >     break;
> > > > > > > >    };
> > > > > > > >
> > > > > > > >    save("location");
> > > > > > > >    break;
> > > > > > > >   };
> > > > > > > > }
> > > > > > > >
> > > > > > > > I can add my radiusclient.conf file if it will help you..
> > > > > > > >
> > > > > > > > my users file for the radius server looks like this:
> > > > > > > >
> > > > > > > > xxxxxxxxxx at sip.server.com Auth-Type := Digest, User-Password == "1234"
> > > > > > > >     Reply-Message  = "Authenticated"
> > > > > > > >
> > > > > > > > Hope that helps and also let me know if anyone sees anything wrong with my
> > > > > > > > radius setup so I can finally authenticate.
> > > > > > > >
> > > > > > > > Steve
> > > > > > > >
> > > > > > > > >
> > > > > > > > > Message: 1
> > > > > > > > > Date: Tue, 23 Sep 2003 11:24:11 -0500
> > > > > > > > > From: "Steve Dolloff" <sdolloff at noc.dls.net>
> > > > > > > > > Subject: RE: [Serusers] Troubles setting up radius authentication
> > > > > > > > > To: "Jan Janak" <jan at iptel.org>
> > > > > > > > > Cc: Serusers <serusers at lists.iptel.org>
> > > > > > > > > Message-ID:
> > > > > > > > >         <ADCFA6B7CA0C754EB837B423E5A521D2543512 at mailbox.noc.dls.net>
> > > > > > > > > Content-Type: text/plain;       charset="us-ascii"
> > > > > > > > >
> > > > > > > > > Yes, I have added the SIP definitions to the radiusclient library.  It
> > > > > > > > > is the dictionary file defined in the radiusclient.conf file as
> > > > > > > > > /etc/sip_dictionary.  It was created using the dictionary file from
> > > > > > > > > > radiusclient and adding the information from the link that you referred
> > > > > > > > > to.
> > > > > > > > >
> > > > > > > > > -----------------------
> > > > > > > > >
> > > > > > > > > Hello,
> > > > > > > > >
> > > > > > > > > if there is no radius traffic then radiusclient library has some
> > > > > > > > > > problems when building the request. Did you extend your radius dictionary
> > > > > > > > > as described in http://iptel.org/ser/ser_radius.html ?
> > > > > > > > >
> > > > > > > > >   Jan.
> > > > > > > > >
> > > > > > > > > On 23-09 10:38, Steve Dolloff wrote:
> > > > > > > > > > I am trying to switch from database authentication to radius
> > > > > > > > > > authentication.
> > > > > > > > > >
> > > > > > > > > > I have compiled and installed the module.
> > > > > > > > > >
> > > > > > > > > > I have added the following to my ser.cfg
> > > > > > > > > >
> > > > > > > > > > modparam("auth_radius", "radius_config", "/etc/ser/radiusclient.conf")
> > > > > > > > > > modparam("auth_radius", "service_type",15)
> > > > > > > > > >
> > > > > > > > > > >                         if (method=="REGISTER") {
> > > > > > > > > > >                                 log(1,"authenticating");
> > > > > > > > > > >                                 if (!radius_www_authorize("test.net")) {
> > > > > > > > > > >                                         log(1,"radius auth failure");
> > > > > > > > > > >                                         www_challenge("test.net", "0");
> > > > > > > > > > >                                         break;
> > > > > > > > > > >                                 };
> > > > > > > > > >
> > > > > > > > > > I have configured the following in /etc/ser/radiusclient.conf
> > > > > > > > > > authserver      radius1.test.net:1812
> > > > > > > > > > authserver      radius2.test.net:1812
> > > > > > > > > > servers         /etc/servers
> > > > > > > > > > dictionary      /etc/sip_dictionary
> > > > > > > > > >
> > > > > > > > > > I have configured the following in /etc/servers
> > > > > > > > > >
> > > > > > > > > > Radius1.test.net      secret
> > > > > > > > > > Radius2.test.net      secret2
> > > > > > > > > >
> > > > > > > > > > I get the following in my messages log.
> > > > > > > > > >
> > > > > > > > > > Sep 23 10:39:03 voip2 /usr/sbin/ser[25945]: authenticating
> > > > > > > > > > Sep 23 10:39:03 voip2 /usr/sbin/ser[25945]: radius auth failure
> > > > > > > > > > Sep 23 10:39:30 voip2 /usr/sbin/ser[25947]: authenticating
> > > > > > > > > > Sep 23 10:39:30 voip2 /usr/sbin/ser[25947]: radius auth failure
> > > > > > > > > > Sep 23 10:39:30 voip2 /usr/sbin/ser[25949]: authenticating
> > > > > > > > > > Sep 23 10:39:30 voip2 /usr/sbin/ser[25949]: radius auth failure
> > > > > > > > > > Sep 23 10:39:34 voip2 /usr/sbin/ser[25948]: authenticating
> > > > > > > > > > Sep 23 10:39:34 voip2 /usr/sbin/ser[25948]: radius auth failure
> > > > > > > > > > Sep 23 10:39:34 voip2 /usr/sbin/ser[25945]: authenticating
> > > > > > > > > > Sep 23 10:39:34 voip2 /usr/sbin/ser[25945]: radius auth failure
> > > > > > > > > >
> > > > > > > > > > And ngrep port 1812 shows no traffic at all.  Where are these auth
> > > > > > > > > > request going?  How can I get more debug info?
> > > > > > > > > >
> > > > > > > > > > Thanks for your help.
> > > > > > > > > >
> > > > > > > > > > Stephen
> > > > > > > > > >
> > > > > > > > > >

--
Steven R. Bunin - Managing Partner

SOLAAS LLC
10 East 39th Street
Suite 1125
New York, NY 10016
(+001) 212-532-6700
Cellular: 646-739-7000
Fax (+001) 212-532-6776

http://www.solaas.com
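
The check Jan describes, as an added example that is not part of the original message or of the radiusclient library's code: per RFC 2865 the reply's Response Authenticator is MD5(Code + ID + Length + Request Authenticator + Attributes + shared secret), so an Access-Accept that the server logs as sent is still rejected by a client holding a different secret. The secrets, the request authenticator and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
REPLY_MESSAGE = 18  # RADIUS attribute type for Reply-Message (RFC 2865)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (covers the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_reply(code: int, ident: int, request_auth: bytes,
                attrs: bytes, secret: bytes) -> bytes:
    """What the server does: sign the reply with its copy of the shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + authenticator + attrs


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the client does: recompute the digest with its own copy of the secret."""
    if len(reply) < 20:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if length < 20 or length > len(reply):
        return False
    reply = reply[:length]  # ignore any padding after the declared length
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def demo() -> dict:
    request_auth = bytes(range(16))  # constructed 16-byte Request Authenticator
    attrs = encode_attr(REPLY_MESSAGE, b"Authenticated")
    reply = build_reply(ACCESS_ACCEPT, 139, request_auth, attrs, b"server-secret")
    tampered = reply[:-1] + b"X"     # attribute changed in transit
    return {
        "matching_secret": verify_reply(reply, request_auth, b"server-secret"),
        "mismatched_secret": verify_reply(reply, request_auth, b"stale-secret"),
        "tampered_reply": verify_reply(tampered, request_auth, b"server-secret"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'invalid reply digest'}")
```
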
