[Serusers] Radius Authentication Help

Sean Lowry Sean.Lowry at keycom.co.uk
Thu Jul 15 11:26:03 CEST 2004


Running on Debian.
SER version = 0.8.12
SER RADIUS module (auth_radius / group_radius) = 0.8.12


ser.cfg (the loadmodule lines are not included in this paste; long lines below were wrapped by the mailer):

#
# $Id: ser.cfg,v 1.21.4.1 2003/11/10 15:35:15 andrei Exp $
#
# simple quick-start config script
#

# ----------- global configuration parameters ------------------------


#debug=4         # debug level (cmd line: -dddddddddd)
#fork=yes        # daemonize (left at the compiled-in default here)
log_stderror=yes # (cmd line: -E) -- log to stderr instead of syslog;
                 # the "REGISTER: ..." and "sterman(): ..." lines quoted
                 # later in this post are what this setting prints

/* Uncomment these lines to enter debugging mode
   (this is a block comment, so nothing in it is active as written)
#debug=7
fork=no
log_stderror=yes
*/




# ----------------- setting module-specific parameters ---------------

# -- usrloc params --

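# Persistent storage for usrloc. The sample URL carries the stock
# "ser"/"heslo" credentials: if a database is ever enabled, replace
# them and keep this file readable only by the user SER runs as.
#modparam("usrloc", "db_url", "mysql://ser:heslo@hosthost/ser")
# NOTE(review): db_mode 1 (write-through) is set while db_url stays
# commented, so usrloc presumably falls back to its built-in default
# URL -- confirm this is intended; db_mode 0 gives a memory-only
# location table, and for SQL persistence uncomment db_url as well.
modparam("usrloc", "db_mode",   1)

# -- auth params --
# auth_db is not used in this setup (digest checks go to RADIUS below);
# these lines are kept for reference only.
#modparam("auth_db", "calculate_ha1", yes)
# If "calculate_ha1" is set to yes, also set the column the plaintext
# password lives in:
#modparam("auth_db", "password_column", "password")

# -- auth_radius params --
# radiusclient configuration: server list, shared secret and, crucially,
# the dictionary it loads. NOTE(review): that dictionary must define the
# Digest-* attributes SER puts in the Access-Request (SER ships its own
# dictionary for this). The "sterman(): Unable to add PW_DIGEST_USER_NAME
# attribute" lines in the log below are most likely the client library
# failing to find the attribute in its dictionary -- nothing is sent to
# the RADIUS server in that case, which matches FreeRADIUS seeing no
# traffic. Verify the dictionary path in radiusclient.conf first.
modparam("auth_radius", "radius_config", "/etc/radiusclient/radiusclient.conf")
# Service-Type value placed in the Access-Request (15 is presumably
# Sip-Session in SER's dictionary -- check yours); the default is
# normally fine, and changing it does not fix a missing dictionary.
#modparam("auth_radius", "service_type", 15)

# -- group_radius params --
modparam("group_radius", "radius_config", "/etc/radiusclient/radiusclient.conf")
# group lookups presumably use user@domain rather than the bare username
modparam("group_radius", "use_domain", 1)

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# -- registrar params --
# default expiry (seconds) when the registrant does not specify one;
# 120s keeps stale bindings short-lived but means UAs relying on the
# default re-register (and, per route{}, re-authenticate) that often
modparam("registrar", "default_expires", 120)
# default q value for registrations that do not carry one
modparam("registrar", "default_q", 1000)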


# -------------------------  request routing logic -------------------

# main routing logic



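route{

        # initial sanity checks -- messages with
        # max_forwards==0, or excessively long requests
        if (!mf_process_maxfwd_header("10")) {
                sl_send_reply("483","Too Many Hops");
                break;
        };
        if ( msg:len > max_len ) {
                sl_send_reply("513", "Message too big");
                break;
        };

        # we record-route all messages -- to make sure that
        # subsequent messages will go through our proxy; that's
        # particularly good if upstream and downstream entities
        # use different transport protocol
        record_route();
        # loose-route processing: in-dialog requests carrying a Route
        # header are relayed here without any further checks
        if (loose_route()) {
                t_relay();
                break;
        };

        # Requests addressed to one of our own names/addresses (myself)
        # are handled locally in this block. Anything for a foreign
        # domain skips it and reaches the t_relay() at the bottom.
        # NOTE(review): that relay happens with no authentication at
        # all, so the proxy forwards foreign-domain requests for anyone
        # who can reach it -- restrict or challenge (proxy_challenge /
        # radius_proxy_authorize) unless an open relay is intended.
        if (uri==myself) {

                if (method=="REGISTER") {

                        # refuse a Contact that points back at this server
                        # (would register the proxy as its own contact);
                        # "(--private--information)" is the poster's
                        # redaction of the server address
                        if (search("^(Contact|m): .*@(--private--information)")) {
                                log("LOG: alert: someone trying to set aor==contact\n");
                                sl_send_reply("476", "No Server Address in Contacts Allowed" );
                                break;
                        };

                        # digest authentication against RADIUS. The realm
                        # is "" -- presumably derived from the request
                        # (To domain for REGISTER) per the auth docs; confirm.
                        log(1, "REGISTER: Authenticating user\n");

                        if (!radius_www_authorize("")) {
                                log(1, "REGISTER: challenging user\n");
                                www_challenge("", "1");
                                break;
                        };

                        # NOTE(review): nothing here ties the authenticated
                        # username to the To header, so any valid user can
                        # register contacts under another user's AoR.
                        # Consider check_to() (uri module) before save()
                        # -- confirm it is available in this build.
                        save("location");
                        break;
                };

                # extensions 71xx go straight to 192.168.1.252, statelessly
                # (forward(), no transaction). NOTE(review): this and the
                # lookup() branch below apply to every non-REGISTER method,
                # and no INVITE is ever authenticated in this config, so
                # anyone reaching the proxy can place calls through that
                # host -- add proxy authentication if that is not wanted.
                if (uri=~"^sip:71[0-9]{2}@.*")
                {
                        #xlog("L_ERR", "LOG - method<%rm> uri<%ru> from<%fu> to<%tu>\n");
                        rewritehostport("192.168.1.252");
                        forward(uri:host, uri:port);
                        xlog("L_ERR", "LOG - method<%rm> uri<%ru> from<%fu> to<%tu>\n");
                        break;
                };

                # native SIP destinations are handled using our USRLOC DB
                if (!lookup("location")) {
                        sl_send_reply("404", "Not Found");
                        break;
                };
        };
        # forward to current uri now; use stateful forwarding; that
        # works reliably even if we forward from TCP to UDP
        if (!t_relay()) {
                sl_reply_error();
        };

}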




Error when running this configuration

stateless - initializing
Maxfwd module- initializing
.
sip:/etc/ser# acc - initializing
exec - initializing
print - initializing
textops - initializing
voicemail - initializing
 5(14802) REGISTER: Authenticating user
 5(14802) REGISTER: challenging user
 6(14806) REGISTER: Authenticating user
 6(14806) sterman(): Unable to add PW_DIGEST_USER_NAME attribute
 6(14806) REGISTER: challenging user
 5(14802) REGISTER: Authenticating user
 5(14802) sterman(): Unable to add PW_DIGEST_USER_NAME attribute
 5(14802) REGISTER: challenging user
 6(14806) REGISTER: Authenticating user
 6(14806) sterman(): Unable to add PW_DIGEST_USER_NAME attribute
 6(14806) REGISTER: challenging user


Now, if I uncomment the auth_radius service_type parameter (note: the line as pasted below still carries the leading `#`), the error changes from PW_DIGEST_USER_NAME to PW_USER_NAME:

#modparam("auth_radius", "service_type", 15)


sip:/etc/ser# stateless - initializing
Maxfwd module- initializing
acc - initializing
exec - initializing
print - initializing
textops - initializing
voicemail - initializing
 7(14958) REGISTER: Authenticating user
 7(14958) REGISTER: challenging user
 8(14959) REGISTER: Authenticating user
 8(14959) sterman(): Unable to add PW_USER_NAME attribute
 8(14959) REGISTER: challenging user
 7(14958) REGISTER: Authenticating user
 7(14958) sterman(): Unable to add PW_USER_NAME attribute
 7(14958) REGISTER: challenging user
 8(14959) REGISTER: Authenticating user
 8(14959) sterman(): Unable to add PW_USER_NAME attribute
 8(14959) REGISTER: challenging user
 7(14958) REGISTER: Authenticating user
 7(14958) sterman(): Unable to add PW_USER_NAME attribute
 7(14958) REGISTER: challenging user
 8(14959) REGISTER: Authenticating user
 8(14959) sterman(): Unable to add PW_USER_NAME attribute
 8(14959) REGISTER: challenging user



I have FreeRADIUS running in debug mode (-x) so I can see whether anything is talking to it, and it shows nothing at all arriving from SER.

sip:/home/sean# freeradius -x
Starting - reading configuration files ...
Using deprecated naslist file.  Support for this will go away soon.
Using deprecated clients file.  Support for this will go away soon.
Using deprecated realms file.  Support for this will go away soon.
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
Module: Instantiated mschap (mschap) 
Module: Loaded DIGEST 
Module: Instantiated digest (digest) 
Module: Loaded System 
Module: Instantiated unix (unix) 
Module: Loaded eap 
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
Module: Instantiated realm (suffix) 
Module: Loaded SQL 
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius at localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql) 
Module: Loaded Acct-Unique-Session-Id 
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded detail 
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
Module: Instantiated radutmp (radutmp) 
Initializing the thread pool...
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on
1814/udp.
Ready to process requests.




I have tested the RADIUS server with a RADIUS test client to check that it authenticates (output below; the test uses a cleartext User-Password, so it exercises PAP rather than the Digest path SER will use):


Sending Access-Request of id 7 to 127.0.0.1:1812
        User-Name = "bob"
        User-Password = "bob"
        NAS-IP-Address = ~~~changed private~~~
        NAS-Port = 1814
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=7, length=20


Everything there works as you would expect. Does anyone have any idea where I am going wrong? (For what it is worth, FreeRADIUS seeing nothing is consistent with the SER log: sterman() fails while building the Access-Request, before any packet is sent, so the problem most likely lies on the SER/radiusclient side -- e.g. the dictionary referenced from radiusclient.conf not defining the attributes SER adds -- rather than in FreeRADIUS itself.)


Thanks in advance

Sean



