[Serusers] radius accounting issue

Jan Janak jan at iptel.org
Sat Jan 3 20:29:18 CET 2004


It looks ok, radius server authenticated the user successfully and sent a
positive reply back to 192.168.1.94:38881, this is probably where
radiusclient library of ser is listening.

If ser didn't authorize the user then make sure that you have proper
shared secret, and that the secret is for the IP ser is running on.

  Jan.

On 19-12 15:59, Anthony Law wrote:
> Hi,
> 
> Here is the output from starting radius with -X, does it look good? I kind
> of notice that the NAS-IP-Address is from 127.0.0.1, shouldn't it come from
> 192.168.1.94, (my server running ser)?? I am still not able to get radius to
> report accounting records. I am without START or STOP record. I have re-read
> radius-how to again and I am sure I followed all steps mentioned. I have
> even gone back to recompile acc.so again. Any more suggestions? Do you think
> my previous ser.cfg looks Ok?
> 
> 
> rad_recv: Access-Request packet from host 192.168.1.94:38881, id=122,
> length=191
>         User-Name = "317 at abc.com"
>         Digest-Attributes = 0x0a05333137
>         Digest-Attributes = 0x010d616363657373762e636f6d
>         Digest-Attributes =
> 0x022a3366653335653538396665373766653531613961323634386162323666613834656461
> 3031633732
>         Digest-Attributes = 0x04117369703a616363657373762e636f6d
>         Digest-Attributes = 0x030a5245474953544552
>         Digest-Response = "e14e2d008b655cebbb738e38833003a1"
>         Service-Type = IAPP-Register
>         Sip-Uri-User = "317"
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port = 5060
> modcall: entering group authorize for request 2
>   modcall[authorize]: module "preprocess" returns ok for request 2
>   modcall[authorize]: module "chap" returns noop for request 2
>   modcall[authorize]: module "eap" returns noop for request 2
>     rlm_digest: Converting Digest-Attributes to something sane...
>         Digest-User-Name = "317"
>         Digest-Realm = "abc.com"
>         Digest-Nonce = "3fe35e589fe77fe51a9a2648ab26fa84eda01c72"
>         Digest-URI = "sip:abc.com"
>         Digest-Method = "REGISTER"
> rlm_digest: Adding Auth-Type = DIGEST
>   modcall[authorize]: module "digest" returns ok for request 2
>     rlm_realm: Looking up realm "abc.com" for User-Name = "317 at abc.com"
>     rlm_realm: No such realm "abc.com"
>   modcall[authorize]: module "suffix" returns noop for request 2
>     users: Matched 317 at abc.com at 1
>   modcall[authorize]: module "files" returns ok for request 2
>   modcall[authorize]: module "mschap" returns noop for request 2
> modcall: group authorize returns ok for request 2
>   rad_check_password:  Found Auth-Type Digest
> auth: type "digest"
> modcall: entering group authenticate for request 2
> A1 = 317:abc.com:1234
> A2 = REGISTER:sip:abc.com
> KD =
> 456084ff9475e53e7dec297e96ff648d:3fe35e589fe77fe51a9a2648ab26fa84eda01c72:01
> de61682c4ba42a1136eb32515fa714
>   modcall[authenticate]: module "digest" returns ok for request 2
> modcall: group authenticate returns ok for request 2
> radius_xlat:  'Authtnticated'
> Login OK: [317 at abc.com/<no User-Password attribute>] (from client sushi port
> 5060)
> Sending Access-Accept of id 122 to 192.168.1.94:38881
>         Reply-Message = "Authtnticated"
> Finished request 2
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 2 ID 122 with timestamp 3fe36696
> Nothing to do.  Sleeping until we see a request.
> 
> 
> 
> Regards,
> 
> 
> 
> Anthony
> 
> 
> ----- Original Message ----- 
> From: "Jan Janak" <jan at iptel.org>
> To: "Anthony Law" <anthonyl at accessv.com>
> Cc: "Mailing List Ser" <serusers at lists.iptel.org>
> Sent: Thursday, December 18, 2003 3:36 PM
> Subject: Re: [Serusers] radius accounting issue
> 
> 
> > Hello,
> >
> > does your radius server get any radius messages from ser ? Try to start
> > the radius server with -X parameter, the server will stay in foreground
> > and print a lot of debugging information.
> >
> > Try to make a call then to see if there is any communication between
> > radiusclient library and radius server.
> >
> > Also check the radius howto available at http://iptel.org/ser
> >
> >   Jan.
> >
> > On 16-12 13:02, Anthony Law wrote:
> > > Hi,
> > >
> > > > I am having problem getting radius accounting to work. My problem is that
> > > > radius detail file is not written to /var/log/radius/radacct/ in fact there
> > > > is no radius accounting at all, strangely I do have radius.log (radius setup
> > > > seems to be fine as I could get detail accounting from my dialup NAS) I am
> > > > running "ser-0.8.11, freeradius-0.9.3 & radiusclient-0.3.2".
> > > Here is my ser.cfg
> > >
> > > #
> > > # $Id: ser.cfg,v 1.21.2.1 2003/07/30 16:46:18 andrei Exp $
> > > #
> > > # simple quick-start config script
> > > #
> > >
> > > # ----------- global configuration parameters ------------------------
> > >
> > > debug=9         # debug level (cmd line: -dddddddddd)
> > > fork=yes
> > > log_stderror=no # (cmd line: -E)
> > >
> > > /* Uncomment these lines to enter debugging mode
> > > debug=9
> > > fork=no
> > > log_stderror=yes
> > > */
> > >
> > > check_via=no    # (cmd. line: -v)
> > > dns=no           # (cmd. line: -r)
> > > rev_dns=no      # (cmd. line: -R)
> > > #port=5060
> > > #children=4
> > > fifo="/tmp/ser_fifo"
> > >
> > > # ------------------ module loading ----------------------------------
> > >
> > > # Uncomment this if you want to use SQL database
> > > #loadmodule "/usr/local/lib/ser/modules/mysql.so"
> > >
> > > loadmodule "/usr/local/lib/ser/modules/sl.so"
> > > loadmodule "/usr/local/lib/ser/modules/tm.so"
> > > loadmodule "/usr/local/lib/ser/modules/rr.so"
> > > loadmodule "/usr/local/lib/ser/modules/acc.so"
> > > loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
> > > loadmodule "/usr/local/lib/ser/modules/usrloc.so"
> > > loadmodule "/usr/local/lib/ser/modules/registrar.so"
> > >
> > > # Uncomment this if you want digest authentication
> > > # mysql.so must be loaded !
> > > #loadmodule "/usr/local/lib/ser/modules/auth.so"
> > > #loadmodule "/usr/local/lib/ser/modules/auth_db.so"
> > > loadmodule "/usr/local/lib/ser/modules/auth.so"
> > > loadmodule "/usr/local/lib/ser/modules/auth_radius.so"
> > >
> > > # ----------------- setting module-specific parameters ---------------
> > >
> > > # -- usrloc params --
> > >
> > > modparam("usrloc", "db_mode",   0)
> > >
> > > # Uncomment this if you want to use SQL database
> > > # for persistent storage and comment the previous line
> > > #modparam("usrloc", "db_mode", 2)
> > >
> > > # -- auth params --
> > > # Uncomment if you are using auth module
> > > #
> > > #modparam("auth_db", "calculate_ha1", yes)
> > > modparam("auth_radius", "radius_config",
> > > "/usr/local/etc/radiusclient/radiusclient.conf")
> > > modparam("acc", "radius_config",
> > > "/usr/local/etc/radiusclient/radiusclient.conf")
> > >
> > > > # If you set "calculate_ha1" parameter to yes (which true in this config),
> > > > # uncomment also the following parameter)
> > > #
> > > #modparam("auth_db", "password_column", "password")
> > > modparam("auth_radius", "service_type", 15)
> > >
> > > # -- rr params --
> > > # add value to ;lr param to make some broken UAs happy
> > > modparam("rr", "enable_full_lr", 1)
> > >
> > > # related to radius acct
> > > modparam("acc", "log_level", 1)
> > > modparam("acc", "radius_flag", 1)
> > > modparam("acc", "radius_missed_flag", 3)
> > >
> > > # -------------------------  request routing logic -------------------
> > >
> > > # main routing logic
> > >
> > > route{
> > >
> > >         # initial sanity checks -- messages with
> > >         # max_forwards==0, or excessively long requests
> > >         if (!mf_process_maxfwd_header("10")) {
> > >                 sl_send_reply("483","Too Many Hops");
> > >                 break;
> > >         };
> > >         if (len_gt( max_len )) {
> > >                 sl_send_reply("513", "Message too big");
> > >                 break;
> > >         };
> > >
> > >         # we record-route all messages -- to make sure that
> > >         # subsequent messages will go through our proxy; that's
> > >         # particularly good if upstream and downstream entities
> > >         # use different transport protocol
> > >         record_route();
> > >         # loose-route processing
> > >         if (loose_route()) {
> > >                 t_relay();
> > >                 break;
> > >         };
> > >
> > >         # if the request is for other domain use UsrLoc
> > >         # (in case, it does not work, use the following command
> > >         # with proper names and addresses in it)
> > > #       if (uri==myself) {
> > >         if (uri=~"") {
> > >                 if (method=="REGISTER") {
> > >                         log(1, "Register: Authenticating user\n");
> > > # Uncomment this if you want to use digest authentication
> > >                         if (!radius_www_authorize("")) {
> > >                                 log(1, "Register: Challenging user\n");
> > >                                 www_challenge("", "0");
> > >                                 break;
> > >                         };
> > >
> > >                         save("location");
> > >                         break;
> > >                 };
> > >
> > >         if (method=="INVITE") {
> > >
> > >                 log(1, "INVITE\n");
> > >                 setflag(1); /* set for accounting (the same value as in
> > > log_flag!) */
> > >         };
> > >
> > >         if (method=="MESSAGE") {
> > >                 log(1, "MESSAGE\n");
> > >                 setflag(1); /* set for accounting (the same value as in
> > > log_flag!) */
> > >         };
> > >
> > >         if (method=="BYE" || method=="CANCEL") {
> > >                 log (1, "BYE or CANCEL\n");
> > >                 setflag(1);
> > >         };
> > >                 # native SIP destinations are handled using our USRLOC
> DB
> > >                 if (!lookup("location")) {
> > >                         sl_send_reply("404", "Not Found");
> > >                         break;
> > >                 };
> > >         };
> > >         # forward to current uri now; use stateful forwarding; that
> > >         # works reliably even if we forward from TCP to UDP
> > >         if (!t_relay()) {
> > >                 sl_reply_error();
> > >         };
> > >
> > > }
> > >
> > > Suggestions anyone??
> > >
> > >
> > > Regards,
> > >
> > >
> > >
> > > Anthony
> > >
> >
> 
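
Added example, not part of the original thread and not SER or FreeRADIUS code: a Python sketch of what the `rlm_digest` lines in the quoted debug output do, decoding the Digest-Attributes sub-attributes (type, length, value) and recomputing the digest response without qop as MD5(H(A1):nonce:H(A2)). The sub-attribute numbers are taken from how the hex values pair up with the decoded names in the log; the realm, nonce, URI and password in the sample are constructed.

```python
import hashlib
import hmac

# Sub-attribute types as they pair up in the quoted rlm_digest output.
SUBTYPES = {1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method",
            4: "Digest-URI", 10: "Digest-User-Name"}

# First and last values are from the quoted log; the rest are constructed.
SAMPLE = ["0x0a05333137",                            # user name "317"
          "0x010d6578616d706c652e6f7267",            # realm "example.org"
          "0x020a6162636431323334",                  # nonce "abcd1234"
          "0x04117369703a6578616d706c652e6f7267",    # URI "sip:example.org"
          "0x030a5245474953544552"]                  # method "REGISTER"

def decode_digest_attributes(hex_values):
    """Decode Digest-Attributes values into a {name: text} dict."""
    out = {}
    for hv in hex_values:
        raw = bytes.fromhex(hv[2:] if hv.lower().startswith("0x") else hv)
        pos = 0
        while pos < len(raw):
            if len(raw) - pos < 2:
                raise ValueError("truncated sub-attribute header")
            stype, slen = raw[pos], raw[pos + 1]
            # The length byte counts the two header bytes as well.
            if slen < 2 or pos + slen > len(raw):
                raise ValueError("bad sub-attribute length %d" % slen)
            name = SUBTYPES.get(stype, "Unknown-%d" % stype)
            out[name] = raw[pos + 2:pos + slen].decode("ascii")
            pos += slen
    return out

def md5_hex(text):
    return hashlib.md5(text.encode("ascii")).hexdigest()

def expected_response(attrs, password):
    """Digest response without qop: MD5(H(A1):nonce:H(A2))."""
    a1 = "%s:%s:%s" % (attrs["Digest-User-Name"], attrs["Digest-Realm"], password)
    a2 = "%s:%s" % (attrs["Digest-Method"], attrs["Digest-URI"])
    return md5_hex("%s:%s:%s" % (md5_hex(a1), attrs["Digest-Nonce"], md5_hex(a2)))

def verify(attrs, password, response):
    # Compare hex digests in constant time, ignoring case.
    return hmac.compare_digest(expected_response(attrs, password), response.lower())

if __name__ == "__main__":
    attrs = decode_digest_attributes(SAMPLE)
    print(attrs)
    print(expected_response(attrs, "1234"))  # "1234" is a constructed password
```
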