[Serusers] Radius Authentication Help

Martin Koenig martin.koenig at toplink-plannet.de
Thu Jul 15 11:38:11 CEST 2004 

Try to set your radius server in radiusclient.conf with portnumber.

I.e.:

authserver	localhost:1645

Greetings,
Martin

Sean Lowry wrote:
> running on debian
> ser verion = 0.8.12
> ser-radius-module = 0.8.12
> 
> 
> Ser.cfg
> 
> #
> # $Id: ser.cfg,v 1.21.4.1 2003/11/10 15:35:15 andrei Exp $
> #
> # simple quick-start config script
> #
> 
> # ----------- global configuration parameters ------------------------
> 
> 
> #debug=4         # debug level (cmd line: -dddddddddd)
> #fork=yes
> log_stderror=yes # (cmd line: -E)
> 
> /* Uncomment these lines to enter debugging mode 
> #debug=7
> fork=no
> log_stderror=yes
> */
> 
> 
> 
> 
> # ----------------- setting module-specific parameters ---------------
> 
> # -- usrloc params --
> 
> #modparam("usrloc", "db_url", "mysql://ser:heslo@hosthost/ser")
> modparam("usrloc", "db_mode",   1)
> 
> # Uncomment this if you want to use SQL database 
> # for persistent storage and comment the previous line
> 
> # -- auth params --
> # Uncomment if you are using auth module
> #
> #modparam("auth_db", "calculate_ha1", yes)
> #
> # If you set "calculate_ha1" parameter to yes (which true in this config), 
> # uncomment also the following parameter)
> #
> #modparam("auth_db", "password_column", "password")
> 
> modparam("auth_radius", "radius_config",
> "/etc/radiusclient/radiusclient.conf")
> #modparam("auth_radius", "service_type", 15)
> 
> 
> #group radius
> modparam("group_radius", "radius_config",
> "/etc/radiusclient/radiusclient.conf")
> modparam("group_radius", "use_domain", 1)
> 
> 
> # -- rr params --
> # add value to ;lr param to make some broken UAs happy
> modparam("rr", "enable_full_lr", 1)
> modparam("registrar", "default_expires", 120) #sets default for expiry if
> registrant doesn't specify
> modparam("registrar", "default_q", 1000)# sets default q value in
> registration
> 
> 
> # -------------------------  request routing logic -------------------
> 
> # main routing logic
> 
> 
> 
> route{
> 
>         # initial sanity checks -- messages with
>         # max_forwards==0, or excessively long requests
>         if (!mf_process_maxfwd_header("10")) {
>                 sl_send_reply("483","Too Many Hops");
>                 break;
>         };
>         if ( msg:len > max_len ) {
>                 sl_send_reply("513", "Message too big");
>                 break;
>         };
> 
>         # we record-route all messages -- to make sure that
>         # subsequent messages will go through our proxy; that's
>         # particularly good if upstream and downstream entities
>         # use different transport protocol
>         record_route(); 
>         # loose-route processing
>         if (loose_route()) {
>                 t_relay();
>                 break;
>         };
> 
>         # if the request is for other domain use UsrLoc
>         # (in case, it does not work, use the following command
>         # with proper names and addresses in it)
>         if (uri==myself) {
> 
>                 if (method=="REGISTER") {
> 
>                       if (search("^(Contact|m):
> .*@(--private--information)")) {
>                       log("LOG: alert: someone trying to set
> aor==contact\n");
>                       sl_send_reply("476", "No Server Address in Contacts
> Allowed" );
>                       break;
>                       };
> 
>                 # Uncomment this if you want to use digest authentication
>                 
>                       log(1, "REGISTER: Authenticating user\n");
> 
>                         if (!radius_www_authorize("")) {
>                          log(1, "REGISTER: challenging user\n");
>                          www_challenge("", "1");
>                          break;
>                         };
>                         
>                         save("location");
>                         break;
>                 };
>                 
>                  if (uri=~"^sip:71[0-9]{2}@.*")
>                  {
>                  #xlog("L_ERR", "LOG - method<%rm> uri<%ru> from<%fu>
> to<%tu>\n");
>                  rewritehostport("192.168.1.252");
>                  forward(uri:host, uri:port);
>                  xlog("L_ERR", "LOG - method<%rm> uri<%ru> from<%fu>
> to<%tu>\n");
>                  break;
>                  };
> 
>                 
>                 # native SIP destinations are handled using our USRLOC DB
>                 if (!lookup("location")) {
>                         sl_send_reply("404", "Not Found");
>                         break;
>                 };
>         };
>         # forward to current uri now; use stateful forwarding; that
>         # works reliably even if we forward from TCP to UDP
>         if (!t_relay()) {
>                 sl_reply_error();
>         };
> 
> }
> 
> 
> 
> 
> Error when running this configuration
> 
> stateless - initializing
> Maxfwd module- initializing
> .
> sip:/etc/ser# acc - initializing
> exec - initializing
> print - initializing
> textops - initializing
> voicemail - initializing
>  5(14802) REGISTER: Authenticating user
>  5(14802) REGISTER: challenging user
>  6(14806) REGISTER: Authenticating user
>  6(14806) sterman(): Unable to add PW_DIGEST_USER_NAME attribute
>  6(14806) REGISTER: challenging user
>  5(14802) REGISTER: Authenticating user
>  5(14802) sterman(): Unable to add PW_DIGEST_USER_NAME attribute
>  5(14802) REGISTER: challenging user
>  6(14806) REGISTER: Authenticating user
>  6(14806) sterman(): Unable to add PW_DIGEST_USER_NAME attribute
>  6(14806) REGISTER: challenging user
> 
> 
> now if i uncomment out the radius service type
> 
> #modparam("auth_radius", "service_type", 15)
> 
> 
> sip:/etc/ser# stateless - initializing
> Maxfwd module- initializing
> acc - initializing
> exec - initializing
> print - initializing
> textops - initializing
> voicemail - initializing
>  7(14958) REGISTER: Authenticating user
>  7(14958) REGISTER: challenging user
>  8(14959) REGISTER: Authenticating user
>  8(14959) sterman(): Unable to add PW_USER_NAME attribute
>  8(14959) REGISTER: challenging user
>  7(14958) REGISTER: Authenticating user
>  7(14958) sterman(): Unable to add PW_USER_NAME attribute
>  7(14958) REGISTER: challenging user
>  8(14959) REGISTER: Authenticating user
>  8(14959) sterman(): Unable to add PW_USER_NAME attribute
>  8(14959) REGISTER: challenging user
>  7(14958) REGISTER: Authenticating user
>  7(14958) sterman(): Unable to add PW_USER_NAME attribute
>  7(14958) REGISTER: challenging user
>  8(14959) REGISTER: Authenticating user
>  8(14959) sterman(): Unable to add PW_USER_NAME attribute
>  8(14959) REGISTER: challenging user
> 
> 
> 
> now i have freeradius running in debug so i can see if anything it talking
> to it and i see nothing at all from freeradius.
> 
> sip:/home/sean# freeradius -x
> Starting - reading configuration files ...
> Using deprecated naslist file.  Support for this will go away soon.
> Using deprecated clients file.  Support for this will go away soon.
> Using deprecated realms file.  Support for this will go away soon.
> Module: Loaded expr 
> Module: Instantiated expr (expr) 
> Module: Loaded PAP 
> Module: Instantiated pap (pap) 
> Module: Loaded CHAP 
> Module: Instantiated chap (chap) 
> Module: Loaded MS-CHAP 
> Module: Instantiated mschap (mschap) 
> Module: Loaded DIGEST 
> Module: Instantiated digest (digest) 
> Module: Loaded System 
> Module: Instantiated unix (unix) 
> Module: Loaded eap 
> rlm_eap: Loaded and initialized the type md5
> rlm_eap: Loaded and initialized the type leap
> Module: Instantiated eap (eap) 
> Module: Loaded preprocess 
> Module: Instantiated preprocess (preprocess) 
> Module: Loaded realm 
> Module: Instantiated realm (suffix) 
> Module: Loaded SQL 
> rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
> rlm_sql (sql): Attempting to connect to radius at localhost:/radius
> rlm_sql (sql): starting 0
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
> rlm_sql_mysql: Starting connect to MySQL server for #0
> rlm_sql (sql): Connected new DB handle, #0
> rlm_sql (sql): starting 1
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
> rlm_sql_mysql: Starting connect to MySQL server for #1
> rlm_sql (sql): Connected new DB handle, #1
> rlm_sql (sql): starting 2
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
> rlm_sql_mysql: Starting connect to MySQL server for #2
> rlm_sql (sql): Connected new DB handle, #2
> rlm_sql (sql): starting 3
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
> rlm_sql_mysql: Starting connect to MySQL server for #3
> rlm_sql (sql): Connected new DB handle, #3
> rlm_sql (sql): starting 4
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
> rlm_sql_mysql: Starting connect to MySQL server for #4
> rlm_sql (sql): Connected new DB handle, #4
> Module: Instantiated sql (sql) 
> Module: Loaded Acct-Unique-Session-Id 
> Module: Instantiated acct_unique (acct_unique) 
> Module: Loaded detail 
> Module: Instantiated detail (detail) 
> Module: Loaded radutmp 
> Module: Instantiated radutmp (radutmp) 
> Initializing the thread pool...
> Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on
> 1814/udp.
> Ready to process requests.
> 
> 
> 
> 
> i have tested the raidus server to see if it's authenticating.
> 
> 
> Sending Access-Request of id 7 to 127.0.0.1:1812
>         User-Name = "bob"
>         User-Password = "bob"
>         NAS-IP-Address = ~~~changed private~~~
>         NAS-Port = 1814
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=7, length=20
> 
> 
> everything is working as you would expect does anyone have any ideas at all
> as to where i'm going wrong.
> 
> 
> Thanks in advance
> 
> Sean
> 
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers

More information about the sr-users mailing list