[Serusers] Radius Authentication Help

Sean Lowry Sean.Lowry at keycom.co.uk
Thu Jul 15 13:26:32 CEST 2004


Yes please, I will take a copy of the dictionary.sip.

I have however been testing different things that the list has been sending
and I'm getting a different error now. The error is:


 7(16599) res: -1
 7(16599) radius_authorize_sterman(): Failure


Please find below some debug. Any help at all is always greatly appreciated.

Sean 



6(16595) SIP Request:
 6(16595)  method:  <REGISTER>
 6(16595)  uri:     <sip:sip.keycom.co.uk>
 6(16595)  version: <SIP/2.0>
 6(16595) parse_headers: flags=1
 6(16595) end of header reached, state=5
 6(16595) parse_headers: Via found, flags=1
 6(16595) parse_headers: this is the first via
 6(16595) After parse_msg...
 6(16595) preparing to run routing scripts...
 6(16595) DEBUG : is_maxfwd_present: searching for max_forwards header
 6(16595) parse_headers: flags=128
 6(16595) end of header reached, state=9
 6(16595) DEBUG: get_hdr_field: <To> [34]; uri=[sip:sean at sip.keycom.co.uk] 
 6(16595) DEBUG: to body [Sean <sip:sean at sip.keycom.co.uk>
]
 6(16595) get_hdr_field: cseq <CSeq>: <131> <REGISTER>
 6(16595) DEBUG: get_hdr_body : content_length=0
 6(16595) found end of header
 6(16595) DEBUG: is_maxfwd_present: max_forwards header not found!
 6(16595) end of header reached, state=9
 6(16595) parse_headers: flags=256
 6(16595) find_first_route(): No Route headers found
 6(16595) loose_route(): There is no Route HF
 6(16595) check_self - checking if host==us: 16==9 &&  [sip.keycom.co.uk] ==
[127.0.0.1]
 6(16595) check_self - checking if port 5060 matches port 5060
 6(16595) check_self - checking if host==us: 16==12 &&  [sip.keycom.co.uk]
== [192.168.1.68]
 6(16595) check_self - checking if port 5060 matches port 5060
 6(16595) REGISTER: Authenticating user
 6(16595) parse_headers: flags=4096
 6(16595) pre_auth(): Credentials with given realm not found
 6(16595) REGISTER: challenging user
 6(16595) build_auth_hf(): 'WWW-Authenticate: Digest
realm="sip.keycom.co.uk", nonce="40f66c016fa9044424946dfc574f83781285a9cc"
'
 6(16595) parse_headers: flags=-1
 6(16595) check_via_address(192.168.1.91, 212.9.98.1, 0)
 6(16595) receive_msg: cleaning up
 7(16599) SIP Request:
 7(16599)  method:  <REGISTER>
 7(16599)  uri:     <sip:sip.keycom.co.uk>
 7(16599)  version: <SIP/2.0>
 7(16599) parse_headers: flags=1
 7(16599) end of header reached, state=5
 7(16599) parse_headers: Via found, flags=1
 7(16599) parse_headers: this is the first via
 7(16599) After parse_msg...
 7(16599) preparing to run routing scripts...
 7(16599) DEBUG : is_maxfwd_present: searching for max_forwards header
 7(16599) parse_headers: flags=128
 7(16599) end of header reached, state=9
 7(16599) DEBUG: get_hdr_field: <To> [34]; uri=[sip:sean at sip.keycom.co.uk] 
 7(16599) DEBUG: to body [Sean <sip:sean at sip.keycom.co.uk>
]
 7(16599) get_hdr_field: cseq <CSeq>: <132> <REGISTER>
 7(16599) DEBUG: get_hdr_body : content_length=0
 7(16599) found end of header
 7(16599) DEBUG: is_maxfwd_present: max_forwards header not found!
 7(16599) end of header reached, state=9
 7(16599) parse_headers: flags=256
 7(16599) find_first_route(): No Route headers found
 7(16599) loose_route(): There is no Route HF
 7(16599) check_self - checking if host==us: 16==9 &&  [sip.keycom.co.uk] ==
[127.0.0.1]
 7(16599) check_self - checking if port 5060 matches port 5060
 7(16599) check_self - checking if host==us: 16==12 &&  [sip.keycom.co.uk]
== [192.168.1.68]
 7(16599) check_self - checking if port 5060 matches port 5060
 7(16599) REGISTER: Authenticating user
 7(16599) check_nonce(): comparing
[40f66c016fa9044424946dfc574f83781285a9cc] and
[40f66c016fa9044424946dfc574f83781285a9cc]
 7(16599) res: -1
 7(16599) radius_authorize_sterman(): Failure
 7(16599) REGISTER: challenging user
 7(16599) build_auth_hf(): 'WWW-Authenticate: Digest
realm="sip.keycom.co.uk", nonce="40f66c016fa9044424946dfc574f83781285a9cc"
'
 7(16599) parse_headers: flags=-1
 7(16599) check_via_address(192.168.1.91, 212.9.98.1, 0)
 7(16599) receive_msg: cleaning up
 6(16595) SIP Request:
 6(16595)  method:  <REGISTER>
 6(16595)  uri:     <sip:sip.keycom.co.uk>
 6(16595)  version: <SIP/2.0>
 6(16595) parse_headers: flags=1
 6(16595) end of header reached, state=5
 6(16595) parse_headers: Via found, flags=1
 6(16595) parse_headers: this is the first via
 6(16595) After parse_msg...
 6(16595) preparing to run routing scripts...
 6(16595) DEBUG : is_maxfwd_present: searching for max_forwards header
 6(16595) parse_headers: flags=128
 6(16595) end of header reached, state=9
 6(16595) DEBUG: get_hdr_field: <To> [34]; uri=[sip:sean at sip.keycom.co.uk] 
 6(16595) DEBUG: to body [Sean <sip:sean at sip.keycom.co.uk>
]
 6(16595) get_hdr_field: cseq <CSeq>: <133> <REGISTER>
 6(16595) DEBUG: get_hdr_body : content_length=0
 6(16595) found end of header
 6(16595) DEBUG: is_maxfwd_present: max_forwards header not found!
 6(16595) end of header reached, state=9
 6(16595) parse_headers: flags=256
 6(16595) find_first_route(): No Route headers found
 6(16595) loose_route(): There is no Route HF
 6(16595) check_self - checking if host==us: 16==9 &&  [sip.keycom.co.uk] ==
[127.0.0.1]
 6(16595) check_self - checking if port 5060 matches port 5060
 6(16595) check_self - checking if host==us: 16==12 &&  [sip.keycom.co.uk]
== [192.168.1.68]
 6(16595) check_self - checking if port 5060 matches port 5060
 6(16595) REGISTER: Authenticating user
 6(16595) check_nonce(): comparing
[40f66c016fa9044424946dfc574f83781285a9cc] and
[40f66c016fa9044424946dfc574f83781285a9cc]
 6(16595) res: -1
 6(16595) radius_authorize_sterman(): Failure
 6(16595) REGISTER: challenging user
 6(16595) build_auth_hf(): 'WWW-Authenticate: Digest
realm="sip.keycom.co.uk", nonce="40f66c038f1b06eb1345a6f925a274094c66039a"
'
 6(16595) parse_headers: flags=-1
 6(16595) check_via_address(192.168.1.91, 212.9.98.1, 0)
 6(16595) receive_msg: cleaning up
 7(16599) SIP Request:
 7(16599)  method:  <REGISTER>
 7(16599)  uri:     <sip:sip.keycom.co.uk>
 7(16599)  version: <SIP/2.0>
 7(16599) parse_headers: flags=1
 7(16599) end of header reached, state=5
 7(16599) parse_headers: Via found, flags=1
 7(16599) parse_headers: this is the first via
 7(16599) After parse_msg...
 7(16599) preparing to run routing scripts...
 7(16599) DEBUG : is_maxfwd_present: searching for max_forwards header
 7(16599) parse_headers: flags=128
 7(16599) end of header reached, state=9
 7(16599) DEBUG: get_hdr_field: <To> [34]; uri=[sip:sean at sip.keycom.co.uk] 
 7(16599) DEBUG: to body [Sean <sip:sean at sip.keycom.co.uk>

> -----Original Message-----
> From:	Zeus Ng [SMTP:zeus.ng at isquare.com.au]
> Sent:	15 July 2004 12:10
> To:	'Sean Lowry'
> Cc:	serusers at lists.iptel.org
> Subject:	RE: [Serusers] Radius Authentication Help
> 
> I do remember that I need both dictionary.ser and dictionary.sip to work.
> Can't remember where I get the dictionary.sip from. I can email you a copy
> if you want.
> 
> Zeus
> 
> > -----Original Message-----
> > From: Sean Lowry [mailto:Sean.Lowry at keycom.co.uk] 
> > Sent: Thursday, 15 July 2004 8:25 PM
> > To: 'Zeus Ng'
> > Subject: RE: [Serusers] Radius Authentication Help
> > 
> > 
> > it's inside the dictionary.ser that i had to go and download 
> > (wasn't included in the module). it contains
> > 
> > i put an include statement into the dictionary to include 
> > dictionary.ser
> > 
> > this then gets me a different attribute error
> > 
> > 
> > Maxfwd module- initializing
> > .
> > sip:/etc/radiusclient# acc - initializing
> > exec - initializing
> > print - initializing
> > textops - initializing
> > voicemail - initializing
> >  7(15981) REGISTER: Authenticating user
> >  7(15981) REGISTER: challenging user
> >  5(15976) REGISTER: Authenticating user
> >  5(15976) sterman(): Unable to add PW_DIGEST_USER_NAME attribute
> >  5(15976) REGISTER: challenging user
> >  7(15981) REGISTER: Authenticating user
> >  7(15981) sterman(): Unable to add PW_DIGEST_USER_NAME attribute
> >  7(15981) REGISTER: challenging user
> >  5(15976) REGISTER: Authenticating user
> >  5(15976) sterman(): Unable to add PW_DIGEST_USER_NAME attribute
> > 
> > 
> > normally it's PW_USER_NAME attribute
> > 
> > Sean
> > 
> > 
> > 
> > > -----Original Message-----
> > > From:	Zeus Ng [SMTP:zeus.ng at isquare.com.au]
> > > Sent:	15 July 2004 11:25
> > > To:	'Sean Lowry'
> > > Cc:	serusers at lists.iptel.org
> > > Subject:	RE: [Serusers] Radius Authentication Help
> > > 
> > > Look at your /etc/radiusclient/dictionary* files and see if the 
> > > following line exists.
> > > 
> > > ATTRIBUTE        Digest-User-Name        1072    string
> > > 
> > > If not, you are missing the attributes for SIP specific dictionary 
> > > translation. There are more attributes for sip. The above is just one 
> > > of them.
> > > 
> > > Zeus
> > > 
> > > > -----Original Message-----
> > > > From: serusers-bounces at lists.iptel.org
> > > > [mailto:serusers-bounces at lists.iptel.org] On Behalf Of Sean Lowry
> > > > Sent: Thursday, 15 July 2004 7:26 PM
> > > > To: serusers at lists.iptel.org
> > > > Subject: [Serusers] Radius Authentication Help
> > > > 
> > > > 
> > > > running on debian
> > > > ser version = 0.8.12
> > > > ser-radius-module = 0.8.12
> > > > 
> > > > 
> > > > Ser.cfg
> > > > 
> > > > #
> > > > # $Id: ser.cfg,v 1.21.4.1 2003/11/10 15:35:15 andrei Exp $ #
> > > > # simple quick-start config script
> > > > #
> > > > 
> > > > # ----------- global configuration parameters ------------------------
> > > > 
> > > > 
> > > > #debug=4         # debug level (cmd line: -dddddddddd)
> > > > #fork=yes
> > > > log_stderror=yes # (cmd line: -E)
> > > > 
> > > > /* Uncomment these lines to enter debugging mode
> > > > #debug=7
> > > > fork=no
> > > > log_stderror=yes
> > > > */
> > > > 
> > > > 
> > > > 
> > > > 
> > > > # ----------------- setting module-specific parameters ---------------
> > > > 
> > > > # -- usrloc params --
> > > > 
> > > > #modparam("usrloc", "db_url", "mysql://ser:heslo@hosthost/ser")
> > > > modparam("usrloc", "db_mode",   1)
> > > > 
> > > > # Uncomment this if you want to use SQL database
> > > > # for persistent storage and comment the previous line
> > > > 
> > > > # -- auth params --
> > > > # Uncomment if you are using auth module
> > > > #
> > > > #modparam("auth_db", "calculate_ha1", yes)
> > > > #
> > > > # If you set "calculate_ha1" parameter to yes (which true in this config),
> > > > # uncomment also the following parameter)
> > > > #
> > > > #modparam("auth_db", "password_column", "password")
> > > > 
> > > > modparam("auth_radius", "radius_config",
> > > > "/etc/radiusclient/radiusclient.conf")
> > > > #modparam("auth_radius", "service_type", 15)
> > > > 
> > > > 
> > > > #group radius
> > > > modparam("group_radius", "radius_config",
> > > > "/etc/radiusclient/radiusclient.conf")
> > > > modparam("group_radius", "use_domain", 1)
> > > > 
> > > > 
> > > > # -- rr params --
> > > > # add value to ;lr param to make some broken UAs happy
> > > > modparam("rr", "enable_full_lr", 1)
> > > > modparam("registrar", "default_expires", 120) # sets default for expiry if registrant doesn't specify
> > > > modparam("registrar", "default_q", 1000) # sets default q value in registration
> > > > 
> > > > 
> > > > # -------------------------  request routing logic -------------------
> > > > 
> > > > # main routing logic
> > > > 
> > > > 
> > > > 
> > > > route{
> > > > 
> > > >         # initial sanity checks -- messages with
> > > >         # max_forwards==0, or excessively long requests
> > > >         if (!mf_process_maxfwd_header("10")) {
> > > >                 sl_send_reply("483","Too Many Hops");
> > > >                 break;
> > > >         };
> > > >         if ( msg:len > max_len ) {
> > > >                 sl_send_reply("513", "Message too big");
> > > >                 break;
> > > >         };
> > > > 
> > > >         # we record-route all messages -- to make sure that
> > > >         # subsequent messages will go through our proxy; that's
> > > >         # particularly good if upstream and downstream entities
> > > >         # use different transport protocol
> > > >         record_route(); 
> > > >         # loose-route processing
> > > >         if (loose_route()) {
> > > >                 t_relay();
> > > >                 break;
> > > >         };
> > > > 
> > > >         # if the request is for other domain use UsrLoc
> > > >         # (in case, it does not work, use the following command
> > > >         # with proper names and addresses in it)
> > > >         if (uri==myself) {
> > > > 
> > > >                 if (method=="REGISTER") {
> > > > 
> > > >                       if (search("^(Contact|m): .*@(--private--information)")) {
> > > >                       log("LOG: alert: someone trying to set aor==contact\n");
> > > >                       sl_send_reply("476", "No Server Address in Contacts Allowed" );
> > > >                       break;
> > > >                       };
> > > > 
> > > >                 # Uncomment this if you want to use digest authentication
> > > >                 
> > > >                       log(1, "REGISTER: Authenticating user\n");
> > > > 
> > > >                         if (!radius_www_authorize("")) {
> > > >                          log(1, "REGISTER: challenging user\n");
> > > >                          www_challenge("", "1");
> > > >                          break;
> > > >                         };
> > > >                         
> > > >                         save("location");
> > > >                         break;
> > > >                 };
> > > >                 
> > > >                  if (uri=~"^sip:71[0-9]{2}@.*")
> > > >                  {
> > > >                  #xlog("L_ERR", "LOG - method<%rm> uri<%ru> from<%fu> to<%tu>\n");
> > > >                  rewritehostport("192.168.1.252");
> > > >                  forward(uri:host, uri:port);
> > > >                  xlog("L_ERR", "LOG - method<%rm> uri<%ru> from<%fu> to<%tu>\n");
> > > >                  break;
> > > >                  };
> > > > 
> > > >                 
> > > >                 # native SIP destinations are handled using our USRLOC DB
> > > >                 if (!lookup("location")) {
> > > >                         sl_send_reply("404", "Not Found");
> > > >                         break;
> > > >                 };
> > > >         };
> > > >         # forward to current uri now; use stateful forwarding; that
> > > >         # works reliably even if we forward from TCP to UDP
> > > >         if (!t_relay()) {
> > > >                 sl_reply_error();
> > > >         };
> > > > 
> > > > }
> > > > 
> > > > 
> > > > 
> > > > 
> > > > Error when running this configuration
> > > > 
> > > > stateless - initializing
> > > > Maxfwd module- initializing
> > > > .
> > > > sip:/etc/ser# acc - initializing
> > > > exec - initializing
> > > > print - initializing
> > > > textops - initializing
> > > > voicemail - initializing
> > > >  5(14802) REGISTER: Authenticating user
> > > >  5(14802) REGISTER: challenging user
> > > >  6(14806) REGISTER: Authenticating user
> > > >  6(14806) sterman(): Unable to add PW_DIGEST_USER_NAME attribute
> > > >  6(14806) REGISTER: challenging user
> > > >  5(14802) REGISTER: Authenticating user
> > > >  5(14802) sterman(): Unable to add PW_DIGEST_USER_NAME attribute
> > > >  5(14802) REGISTER: challenging user
> > > >  6(14806) REGISTER: Authenticating user
> > > >  6(14806) sterman(): Unable to add PW_DIGEST_USER_NAME attribute
> > > >  6(14806) REGISTER: challenging user
> > > > 
> > > > 
> > > > now if i uncomment out the radius service type
> > > > 
> > > > #modparam("auth_radius", "service_type", 15)
> > > > 
> > > > 
> > > > sip:/etc/ser# stateless - initializing
> > > > Maxfwd module- initializing
> > > > acc - initializing
> > > > exec - initializing
> > > > print - initializing
> > > > textops - initializing
> > > > voicemail - initializing
> > > >  7(14958) REGISTER: Authenticating user
> > > >  7(14958) REGISTER: challenging user
> > > >  8(14959) REGISTER: Authenticating user
> > > >  8(14959) sterman(): Unable to add PW_USER_NAME attribute
> > > >  8(14959) REGISTER: challenging user
> > > >  7(14958) REGISTER: Authenticating user
> > > >  7(14958) sterman(): Unable to add PW_USER_NAME attribute
> > > >  7(14958) REGISTER: challenging user
> > > >  8(14959) REGISTER: Authenticating user
> > > >  8(14959) sterman(): Unable to add PW_USER_NAME attribute
> > > >  8(14959) REGISTER: challenging user
> > > >  7(14958) REGISTER: Authenticating user
> > > >  7(14958) sterman(): Unable to add PW_USER_NAME attribute
> > > >  7(14958) REGISTER: challenging user
> > > >  8(14959) REGISTER: Authenticating user
> > > >  8(14959) sterman(): Unable to add PW_USER_NAME attribute
> > > >  8(14959) REGISTER: challenging user
> > > > 
> > > > 
> > > > 
> > > > now i have freeradius running in debug so i can see if
> > > > anything is talking to it and i see nothing at all from freeradius.
> > > > 
> > > > sip:/home/sean# freeradius -x
> > > > Starting - reading configuration files ...
> > > > Using deprecated naslist file.  Support for this will go away
> > > > soon. Using deprecated clients file.  Support for this will 
> > > > go away soon. Using deprecated realms file.  Support for this 
> > > > will go away soon.
> > > > Module: Loaded expr 
> > > > Module: Instantiated expr (expr) 
> > > > Module: Loaded PAP 
> > > > Module: Instantiated pap (pap) 
> > > > Module: Loaded CHAP 
> > > > Module: Instantiated chap (chap) 
> > > > Module: Loaded MS-CHAP 
> > > > Module: Instantiated mschap (mschap) 
> > > > Module: Loaded DIGEST 
> > > > Module: Instantiated digest (digest) 
> > > > Module: Loaded System 
> > > > Module: Instantiated unix (unix) 
> > > > Module: Loaded eap 
> > > > rlm_eap: Loaded and initialized the type md5
> > > > rlm_eap: Loaded and initialized the type leap
> > > > Module: Instantiated eap (eap) 
> > > > Module: Loaded preprocess 
> > > > Module: Instantiated preprocess (preprocess) 
> > > > Module: Loaded realm 
> > > > Module: Instantiated realm (suffix) 
> > > > Module: Loaded SQL 
> > > > rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) 
> > > > loaded and linked rlm_sql (sql): Attempting to connect to 
> > > > radius at localhost:/radius rlm_sql (sql): starting 0 rlm_sql 
> > > > (sql): Attempting to connect rlm_sql_mysql #0
> > > > rlm_sql_mysql: Starting connect to MySQL server for #0
> > > > rlm_sql (sql): Connected new DB handle, #0
> > > > rlm_sql (sql): starting 1
> > > > rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
> > > > rlm_sql_mysql: Starting connect to MySQL server for #1
> > > > rlm_sql (sql): Connected new DB handle, #1
> > > > rlm_sql (sql): starting 2
> > > > rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
> > > > rlm_sql_mysql: Starting connect to MySQL server for #2
> > > > rlm_sql (sql): Connected new DB handle, #2
> > > > rlm_sql (sql): starting 3
> > > > rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
> > > > rlm_sql_mysql: Starting connect to MySQL server for #3
> > > > rlm_sql (sql): Connected new DB handle, #3
> > > > rlm_sql (sql): starting 4
> > > > rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
> > > > rlm_sql_mysql: Starting connect to MySQL server for #4
> > > > rlm_sql (sql): Connected new DB handle, #4
> > > > Module: Instantiated sql (sql) 
> > > > Module: Loaded Acct-Unique-Session-Id 
> > > > Module: Instantiated acct_unique (acct_unique) 
> > > > Module: Loaded detail 
> > > > Module: Instantiated detail (detail) 
> > > > Module: Loaded radutmp 
> > > > Module: Instantiated radutmp (radutmp) 
> > > > Initializing the thread pool...
> > > > Listening on IP address *, ports 1812/udp and 1813/udp, with 
> > > > proxy on 1814/udp. Ready to process requests.
> > > > 
> > > > 
> > > > 
> > > > 
> > > > i have tested the radius server to see if it's authenticating.
> > > > 
> > > > 
> > > > Sending Access-Request of id 7 to 127.0.0.1:1812
> > > >         User-Name = "bob"
> > > >         User-Password = "bob"
> > > >         NAS-IP-Address = ~~~changed private~~~
> > > >         NAS-Port = 1814
> > > > rad_recv: Access-Accept packet from host 127.0.0.1:1812,
> > > > id=7, length=20
> > > > 
> > > > 
> > > > everything is working as you would expect does anyone have
> > > > any ideas at all as to where i'm going wrong.
> > > > 
> > > > 
> > > > Thanks in advance
> > > > 
> > > > Sean
> > > > 
> > > > _______________________________________________
> > > > Serusers mailing list
> > > > serusers at lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
> > > > 
> > 
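
The dictionary check suggested in the quoted replies, as an added example that is not part of the original thread: it reads a radiusclient dictionary, follows include lines, and reports which of the attribute names mentioned in the thread (User-Name, Digest-User-Name) are still undefined. The `$INCLUDE <path>` spelling and the `load_dictionary`/`missing_attributes` names are assumptions; adjust the include pattern to whatever your dictionary actually uses.

```python
import os
import re
import tempfile

# Names taken from the thread: the line Zeus quotes and the PW_USER_NAME /
# PW_DIGEST_USER_NAME errors. Extend this tuple for other SIP attributes.
REQUIRED = ("User-Name", "Digest-User-Name")
ATTR_RE = re.compile(r"^ATTRIBUTE\s+(\S+)\s+(\d+)\s+(\S+)")
# Assumption: include statements are written as "$INCLUDE <path>".
INCLUDE_RE = re.compile(r"^\$INCLUDE\s+(\S+)")


def load_dictionary(path, seen=None):
    """Return ({name: (code, type, file)}, [problems]) for path and its includes."""
    seen = set() if seen is None else seen
    attrs, problems = {}, []
    real = os.path.realpath(path)
    if real in seen:  # include loop: stop instead of recursing forever
        return attrs, problems
    seen.add(real)
    try:
        with open(real, encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    except OSError as exc:
        problems.append(f"cannot read {path}: {exc.strerror}")
        return attrs, problems
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        inc = INCLUDE_RE.match(line)
        if inc:
            target = inc.group(1)
            if not os.path.isabs(target):  # relative to the including file
                target = os.path.join(os.path.dirname(real), target)
            sub_attrs, sub_problems = load_dictionary(target, seen)
            attrs.update(sub_attrs)
            problems.extend(sub_problems)
            continue
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = (int(m.group(2)), m.group(3), real)
    return attrs, problems


def missing_attributes(path, required=REQUIRED):
    """Return (required names not defined anywhere, unreadable-file problems)."""
    attrs, problems = load_dictionary(path)
    return [name for name in required if name not in attrs], problems


def demo():
    """Constructed files: a base dictionary before and after including dictionary.ser."""
    with tempfile.TemporaryDirectory() as d:
        base = os.path.join(d, "dictionary")
        with open(os.path.join(d, "dictionary.ser"), "w") as fh:
            fh.write("ATTRIBUTE        Digest-User-Name        1072    string\n")
        with open(base, "w") as fh:
            fh.write("ATTRIBUTE\tUser-Name\t1\tstring\n")
        before = missing_attributes(base)[0]
        with open(base, "a") as fh:
            fh.write("$INCLUDE dictionary.ser\n")
        after = missing_attributes(base)[0]
    return before, after
```

On a real host, call `missing_attributes("/etc/radiusclient/dictionary")`; a non-empty first element names the attributes the client library cannot resolve, and the second lists include targets that could not be read.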



