[Serusers] SER and IC-RADIUS

Lucas Aimaretto lucas at cyneric.com
Tue Nov 16 23:22:55 CET 2004


Bruno,

Firstly, thanks for answering ...

> I'm playing with this right now, so I'll try to comment a bit
> 
> Lucas Aimaretto wrote:
> > ... And this is the radclient OUTPUT ...
> > 
> > Received response ID 86, code 2, length = 52
> >         Vendor-9-Attr-102 = 
> > 0x683332332d6372656469742d616d6f756e743d31392e3030
> 
> the correct response should be
> 
> Login OK: [test] (from client localhost port 0)
> Sending Access-Accept of id 188 to 127.0.0.1:32769
>          Reply-Message = "Hello, test with digest"
> 
> if I recall correctly, IC-RADIUS is based on Cistron
> RADIUS. Cistron RADIUS doesn't have digest auth support,
> and it seems never will. Cistron's author recommends
> using FreeRADIUS instead, which has the Digest
> support and correctly gives the result shown above

You know, after searching at
http://icradius.sourceforge.net/modules.php?name=Web_Links&l_op=viewlink&cid=7
I found that ...

"Description: icradius "REQUIRES" the following Perl Modules all of
which are available at the link above:

- Authen::RADIUS
- Digest::MD5
- Date::Calc
- Bit::Vector
- DBI
- DBD::mysql"

... So I believe Icradius does support digest authentication. In fact,
I have a utility for radius testing called NT-RADPING (really cool!!)
and did a test against user 1992005 ... Watch the RADIUS OUTPUT and
look at the CHAP-Password attribute ...

radrecv: Access Request from host c0a801b2 code=1, id=1, length=62
    User-Name = "110"
    CHAP-Password = "xt\265\256ohy\257xY\034\214x_X$\277"
Username is now 110
Calling station Id is now (null)
credit_amount (215.49)
Sending Access Ack of id 1 to c0a801b2 (nas lucas)
    Credit-Amount =
"V9:T102:L27:683332332d6372656469742d616d6f756e743d3231352e3439"
Sending Access Accept of id 1 to c0a801b2 (nas lucas)
SQL: Socket 0 used for 0.48 seconds
SQL: Released socket 0

So you see, that I got an access-accept. In the utility I wrote down the
password as plain-text, but you see, at the radius output it is
encrypted.

> > Questions:
> > 
> > 1) Although I sent to radius different ATTRIBUTES, RADIUS recognized 
> > all of them (except for one, Digest-Response) as Digest-Attributes. 
> > Why is that?
> 
> may be because IC-RADIUS doesn't have digest support?

I don't think digest support has to do with the attributes not being
recognized. I think it is something else ... but I do not know what it is.

And I believe icradius supports digest auth, because I made a test ... I
called from user 1992005 to user 1992003 ... Radius authenticated user
1992005 and the call was established, so SER also understood the RADIUS
responses ... Look at the radius output ...

radrecv: Access Request from host c0a801fd code=1, id=17, length=215
    User-Name = "1992005 at 192.168.1.253"
    Digest-Attributes = "\012\0111992005"
    Digest-Attributes = "\001\017192.168.1.253"
    Digest-Attributes = "\002*419a7a30c9fe08ae43336232e7b687fb633edbd6"
    Digest-Attributes = "\004\033sip:1992003 at 192.168.1.253"
    Digest-Attributes = "\003\010INVITE"
    Digest-Response = "afae2bb3cf9dfb3a3d2dd10f5fd29132"
    Service-Type = Sip-Session
    Sip-Uri-User = "1992005"
    NAS-IP-Address = 192.168.1.253
    NAS-Port-Id = 5060
Username is now 1992005 at 192.168.1.253
Calling station Id is now (null)
credit_amount (19.00)
Sending Access Ack of id 17 to c0a801fd (nas linux)
    Credit-Amount =
"V9:T102:L26:683332332d6372656469742d616d6f756e743d31392e3030"
Sending Access Accept of id 17 to c0a801b2 (nas lucas)
SQL: Socket 0 used for 0.75 seconds
SQL: Released socket 0

The thing here is why some attributes are recognized and others not. For
example: digest-response and Sip-Uri-user (which are new attributes that I
added myself to the general dictionary, and got from the
dictionary.ser) are recognized. Some others are not (digest-realm,
digest-nonce, etc, taken from the same dictionary.ser) and are only
recognized as Digest-Attributes ... :S ... No idea ...

Any ideas ???

> hope this helps

Thanks!

>Cheers

Regards,

>!3runo

Lucas
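
Added example, not part of the original message and not SER or IC-RADIUS code: a decoder for the values logged above, showing that each Digest-Attributes value is one type/length/value sub-attribute and that the Vendor-9-Attr-102 hex is a plain ASCII string. The sub-attribute names come from draft-sterman-aaa-sip; that this setup uses that encoding, like the function names, is an assumption.

```python
import re

# Sub-attribute numbers from draft-sterman-aaa-sip. That SER used this encoding
# here is an assumption; the logged type/length bytes are consistent with it.
SUBATTR = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 5: "QOP",
           6: "Algorithm", 7: "Body-Digest", 8: "CNonce",
           9: "Nonce-Count", 10: "User-Name"}

def unescape_log(text):
    """Turn the server's printed form (\\ooo octal escapes) back into raw bytes."""
    return re.sub(rb"\\([0-3][0-7]{2})",
                  lambda m: bytes([int(m.group(1), 8)]),
                  text.encode("latin-1"))

def parse_digest_attributes(raw):
    """Split one Digest-Attributes value into (name, value) sub-attributes."""
    out, i = [], 0
    while i < len(raw):
        if len(raw) - i < 2:
            raise ValueError("truncated sub-attribute header")
        typ, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"sub-attribute {typ}: bad length {length}")
        out.append((SUBATTR.get(typ, f"Unknown-{typ}"),
                    raw[i + 2:i + length].decode("latin-1")))
        i += length
    return out

def decode_vsa(value):
    """Decode a hex-printed vendor attribute ('0x...' or 'V9:T102:L26:...')."""
    hexpart = value.rsplit(":", 1)[-1]
    if hexpart.lower().startswith("0x"):
        hexpart = hexpart[2:]
    return bytes.fromhex(hexpart).decode("ascii")

# Values copied from the logs in the message. The list archive rewrote "@" as
# " at "; it is restored in the URI so the logged length byte (\033 = 27) matches.
LOGGED = [r"\012\0111992005", r"\001\017192.168.1.253",
          r"\002*419a7a30c9fe08ae43336232e7b687fb633edbd6",
          r"\004\033sip:1992003@192.168.1.253", r"\003\010INVITE"]

if __name__ == "__main__":
    for item in LOGGED:
        for name, value in parse_digest_attributes(unescape_log(item)):
            print(f"Digest-{name:<10} {value}")
    print(decode_vsa("0x683332332d6372656469742d616d6f756e743d31392e3030"))
```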
