[Serusers] Ser with Radius/Mysql - digest problem?

Zeus Ng zeus.ng at isquare.com.au
Thu Sep 9 14:39:23 CEST 2004


Hi Darren,

You don't have to put the information in the digest file if mysql is used to
store the information. Make sure you have "sql" within the authorize{}
section of the radiusd.conf file.


If this doesn't work, try putting the following in your radcheck table.

UserName          Attribute        op         Value
--------          ---------        -----      -------
test at yourdomain   User-Password    ==         test
test at yourdomain   Auth-Type        :=         Digest



Zeus

> -----Original Message-----
> From: serusers-bounces at lists.iptel.org 
> [mailto:serusers-bounces at lists.iptel.org] On Behalf Of Darren Bentley
> Sent: Thursday, 9 September 2004 8:22 AM
> To: serusers at lists.iptel.org
> Subject: [Serusers] Ser with Radius/Mysql - digest problem?
> 
> 
> Hello,
> 
> I'm using radius for auth with a mysql backend. I'm a little 
> confused about Digest. I've read the radius howto and the mysql guide
> (http://www.frontios.com/freeradius.html) but it doesn't 
> really explain digest.
> 
> When I add new users I'm putting them in the mysql table 
> "radcheck". Do I then always have to enter the user in the 
> /etc/raddb/digest file as well?
> 
> I'm trying to run a basic test. Here's what I have in the digest file:
> 
> User-Name = "test", Digest-Response = 
> "631d6d73147add2f9e437f59bbc3aeb7", Digest-Realm = 
> "testrealm", User-Password = "test", Digest-Nonce = "test" , 
> Digest-Method = "INVITE", Digest-URI = 
> "sip:5555551212 at example.com", Digest-Algorithm = "MD5", 
> Digest-User-Name = "test"
> 
> "radcheck" table:
> 
> UserName = test
> Attribute = Password
> Value = test
> 
> "radgroupcheck" table:
> 
> GroupName = phone
> Attribute = Auth-Type
> Value = Digest
> 
> "usergroup" table:
> UserName = test
> GroupName = phone
> 
> When I run:
> [root at scratch raddb]# radclient -f digest localhost auth qwerty
> Received response ID 81, code 3, length = 20
> 
> Here's the debug output:
> 
> rad_recv: Access-Request packet from host 127.0.0.1:38061, id=91, length=154
>         User-Name = "test"
>         Digest-Response = "631d6d73147add2f9e437f59bbc3aeb7"
>         Digest-Attributes = "\001\013testrealm"
>         User-Password = "test"
>         Digest-Attributes = "\002\006test"
>         Digest-Attributes = "\003\010INVITE"
>         Digest-Attributes = "\004\034sip:5555551212 at example.com"
>         Digest-Attributes = "\006\005MD5"
>         Digest-Attributes = "\n\006test"
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "eap" returns noop for request 0
>     rlm_digest: Converting Digest-Attributes to something sane...
>         Digest-Realm = "testrealm"
>         Digest-Nonce = "test"
>         Digest-Method = "INVITE"
>         Digest-Uri = "sip:5555551212 at example.com"
>         Digest-Algorithm = "MD5"
>         Digest-User-Name = "test"
> rlm_digest: Adding Auth-Type = DIGEST
>   modcall[authorize]: module "digest" returns ok for request 0
> radius_xlat:  'test'
> rlm_sql (sql): sql_set_user escaped user --> 'test'
> radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER BY id'
> rlm_sql (sql): Reserving sql socket id: 4
> radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'test' ORDER BY id'
> radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
> rlm_sql (sql): Released sql socket id: 4
>   modcall[authorize]: module "sql" returns ok for request 0
>     rlm_realm: No '@' in User-Name = "test", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>     users: Matched DEFAULT at 152
>   modcall[authorize]: module "files" returns ok for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
> modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type DIGEST
>   rad_check_password:  Found Auth-Type Digest
> Warning:  Found 2 auth-types on request for user 'test'
> auth: type "digest"
> modcall: entering group authenticate for request 0
> A1 = test:testrealm:test
> A2 = INVITE:sip:5555551212 at example.com
> KD = 1e00d6dbd30441265df6064b9d9b7da9:test:675b8c827b388805aa252ea38bfb6804
> rlm_digest: FAILED authentication
>   modcall[authenticate]: module "digest" returns reject for request 0
> modcall: group authenticate returns reject for request 0
> auth: Failed to validate the user.
> Login incorrect: [test/test] (from client localhost port 0)
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 91 to 127.0.0.1:38061
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 91 with timestamp 413f842e
> Nothing to do.  Sleeping until we see a request.
> 
> -------------------------
> 
> The username is "test" and the password is "test". I'm stumped.
> 
> I'm using FreeRadius 0.9.3 / SER 0.8.12 / radiusclient 0.3.2
> 
> Any help is appreciated.
> 
> Thanks,
> 
> - Darren
> 
> 
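An added example, not part of either message and not FreeRADIUS code: it decodes the Digest-Attributes sub-attributes shown in the debug output and recomputes the digest from the A1/A2/KD strings the log prints, so the Digest-Response in a test request can be checked before it is sent. The function names are hypothetical, the "@" in the URI is restored from the archive's " at " (the length byte \034 = 28 matches a 26-character URI), and the qop branch follows RFC 2617 and goes beyond what the log exercises.

```python
import hashlib
import hmac

# Sub-attribute numbers as they appear in the rlm_digest debug output above.
SUBTYPES = {1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method",
            4: "Digest-URI", 6: "Digest-Algorithm", 10: "Digest-User-Name"}

def parse_digest_attributes(raw: bytes) -> dict:
    """Decode type/length/value triples; length counts its 2-byte header."""
    out, pos = {}, 0
    while pos < len(raw):
        if len(raw) - pos < 2:
            raise ValueError("truncated sub-attribute header")
        kind, length = raw[pos], raw[pos + 1]
        if length < 2 or pos + length > len(raw):
            raise ValueError(f"bad length {length} for sub-attribute {kind}")
        out[SUBTYPES.get(kind, f"Unknown-{kind}")] = raw[pos + 2:pos + length].decode()
        pos += length
    return out

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """Return (response, KD input). Without qop this is the form in the log."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")   # H(A1)
    ha2 = md5_hex(f"{method}:{uri}")              # H(A2)
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}" if qop else f"{ha1}:{nonce}:{ha2}"
    return md5_hex(kd), kd

def check_request(raw_attrs, password, claimed):
    """Recompute the response from the request's own attributes and compare."""
    a = {}
    for raw in raw_attrs:
        a.update(parse_digest_attributes(raw))
    expected, kd = digest_response(a["Digest-User-Name"], a["Digest-Realm"], password,
                                   a["Digest-Method"], a["Digest-URI"], a["Digest-Nonce"])
    return hmac.compare_digest(expected, claimed.lower()), expected, kd

# Constructed from the Access-Request in the debug output ("@" restored in the URI).
SAMPLE = [b"\x01\x0btestrealm", b"\x02\x06test", b"\x03\x08INVITE",
          b"\x04\x1csip:5555551212@example.com", b"\x06\x05MD5", b"\x0a\x06test"]

if __name__ == "__main__":
    ok, expected, kd = check_request(SAMPLE, "test", "631d6d73147add2f9e437f59bbc3aeb7")
    print("KD input:", kd, "expected:", expected, "match:", ok)
```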