[Serusers] problem with radius authentication
Darren Bentley
darren at bcgroup.net
Thu Sep 23 23:57:43 CEST 2004
On Thu, 2004-09-23 at 14:39, mike at yes.net.ua wrote:
> > I also have a similar problem.
> >
> > ------------------------------------------------------
> >
> > rlm_realm: Looking up realm "10.10.50.52" for User-Name =
> > "test at 10.10.50.52"
> > rlm_realm: Found realm "DEFAULT"
> > rlm_realm: Adding Stripped-User-Name = "test"
> > rlm_realm: Proxying request from user test to realm DEFAULT
> > rlm_realm: Adding Realm = "DEFAULT"
> > rlm_realm: Authentication realm is LOCAL.
> > modcall[authorize]: module "suffix" returns noop for request 52
> > modcall[authorize]: module "files" returns notfound for request 52
> > modcall[authorize]: module "mschap" returns noop for request 52
> > modcall: group authorize returns ok for request 52
> > rad_check_password: Found Auth-Type Digest
> > auth: type "digest"
> > modcall: entering group authenticate for request 52
> > A1 = test:10.10.50.52:test
> > A2 = REGISTER:sip:10.10.50.52
> > KD =
> > 4d384009e03edfce7bab0866e13fab7f:41533f845abad13f73f097a45a6abbf301a9f2ff:87ed77f9f0c3af1df63cd35c7ccd110c
> > modcall[authenticate]: module "digest" returns ok for request 52
> > modcall: group authenticate returns ok for request 52
> > Login OK: [test at 10.10.50.52/<no User-Password attribute>] (from client
> > localhost port 5060)
> > Sending Access-Accept of id 75 to 127.0.0.1:38542
> >
> > --------------
> >
> > Even though it says "Login OK" it's not..it just keeps doing this over
> > and over again. I can't figure out why it's saying "no User-Password
> > attribute" I've gone over the steps in the radius guide numerous times.
> > I'm stuck.
> >
> > - Darren
> >
> > On Fri, 2004-09-17 at 15:00, Gustavo Villegas wrote:
> >> Dear Users
> >> I have Fedora Core 1 installed with SER 8.0.14 working fine with
> >> accounting and authentication with MySQL,
> >> but I have been trying to configure it with FreeRADIUS and RadiusClient 4.3
> >> and the following error appears
> >>
> >> When I configure everything as in Ser_Radius, like this
> >>
> >> /etc/raddb Dir
> >>
> >> ****************** file
> >> dictionary************************************************************
> >> $INCLUDE /usr/share/freeradius/dictionary
> >> $INCLUDE /usr/local/etc/radiusclient/dictionary.ser ### the dictionary
> >> ### that comes with the source in ser_8.0.14
> >>
> >> ****************** File
> >> users************************************************
> >>
> >> test    Auth-Type := Digest, User-Password == "test"
> >>         Reply-Message = "Hello, test with digest"
> >>
> >> ******************* File Clients.conf******************************
> >>
> >> client 127.0.0.1 {
> >> #
> >> # The shared secret use to "encrypt" and "sign" packets between
> >> # the NAS and FreeRADIUS. You MUST change this secret from the
> >> # default, otherwise it's not a secret any more!
> >> #
> >> # The secret can be any string, up to 32 characters in length.
> >> #
> >> secret = xxxx
> >>
> >> #
> >> # The short name is used as an alias for the fully qualified
> >> # domain name, or the IP address.
> >> #
> >> shortname = localhost
> >>
> >> #
> >> # the following three fields are optional, but may be used by
> >> # checkrad.pl for simultaneous use checks
> >> #
> >>
> >> #
> >> # The nastype tells 'checkrad.pl' which NAS-specific method to
> >> # use to query the NAS for simultaneous use.
> >> #
> >> # Permitted NAS types are:
> >> #
> >> # cisco
> >> # computone
> >> # livingston
> >> # max40xx
> >> # multitech
> >> # netserver
> >> # pathras
> >> # patton
> >> # portslave
> >> # tc
> >> # usrhiper
> >> # other # for all other types
> >>
> >> #
> >> nastype = other # localhost isn't usually a NAS...
> >>
> >> #
> >> # The following two configurations are for future use.
> >> # The 'naspasswd' file is currently used to store the NAS
> >> # login name and password, which is used by checkrad.pl
> >> # when querying the NAS for simultaneous use.
> >> #
> >> # login = !root
> >> # password = someadminpas
> >> }
> >> ***********************File
> >> Radiusd.conf***********************************
> >>
> >> I have uncommented the line with digest in "Authentication" and
> >> "Authorize"
> >>
> >> ****************************************************************************
> >> ****
> >>
> >> And I have included the dictionary.ser in
> >> /usr/local/etc/radiusclient/dictionary
> >> so when I make a test like the one in ser_radius.txt
> >> radclient -f digest localhost auth xxxxx
> >>
> >>
> >> in the radius log appears:
> >>
> >> rad_recv: Access-Request packet from host 127.0.0.1:32769, id=138,
> >> length=140
> >> User-Name = "test"
> >> Digest-Response = "631d6d73147add2f9e437f59bbc3aeb7"
> >> Digest-Attributes = "\001\013testrealm"
> >> Digest-Attributes = "\002\n1234abcd"
> >> Digest-Attributes = "\003\010INVITE"
> >> Digest-Attributes = "\004\034sip:5555551212 at example.com"
> >> Digest-Attributes = "\006\005MD5"
> >> Digest-Attributes = "\n\006test"
> >> modcall: entering group authorize
> >> modcall[authorize]: module "preprocess" returns ok
> >> modcall[authorize]: module "chap" returns noop
> >> rlm_eap: EAP-Message not found
> >> modcall[authorize]: module "eap" returns noop
> >> rlm_digest: Converting Digest-Attributes to something sane...
> >> Digest-Realm = "testrealm"
> >> Digest-Nonce = "1234abcd"
> >> Digest-Method = "INVITE"
> >> Digest-URI = "sip:5555551212 at example.com"
> >> Digest-Algorithm = "MD5"
> >> Digest-User-Name = "test"
> >> rlm_digest: Adding Auth-Type = DIGEST
> >> modcall[authorize]: module "digest" returns ok
> >> rlm_realm: No '@' in User-Name = "test", looking up realm NULL
> >> rlm_realm: No such realm "NULL"
> >> modcall[authorize]: module "suffix" returns noop
> >> users: Matched DEFAULT at 152
> >> modcall[authorize]: module "files" returns ok
> >> modcall[authorize]: module "mschap" returns noop
> >> modcall: group authorize returns ok
> >> rad_check_password: Found Auth-Type DIGEST
> >> auth: type "digest"
> >> modcall: entering group authenticate
> >> rlm_digest: Configuration item "User-Password" is required for
> >> authentication. ##############this is my problem..................
> >> modcall[authenticate]: module "digest" returns invalid
> >> modcall: group authenticate returns invalid
> >> auth: Failed to validate the user.
> >> Delaying request 0 for 1 seconds
> >> Finished request 0
> >> Going to the next request
> >> --- Walking the entire request list ---
> >> Waking up in 1 seconds...
> >> --- Walking the entire request list ---
> >> Waking up in 1 seconds...
> >> --- Walking the entire request list ---
> >> Sending Access-Reject of id 138 to 127.0.0.1:32769
> >> Waking up in 4 seconds...
> >>
> >>
> >> ****************************************************************************
> >> ******************
> >> then if I change the dictionary.ser for dictionary.sip that comes with
> >> the
> >> source in radiusClient4.3.................the test works well.......
> >> but if I try to authenticate a UA like an ATA-186, the same message
> >> appears
> >>
> >> rlm_digest: Configuration item "User-Password" is required for
> >> authentication. ##############this is my problem..................
> >>
> >>
> >>
> >> Best Regards
> >>
> >> Gustaf
> >>
>
> Have you tried to put User-Password := "test" instead of User-Password ==
> "test" ?
Just tried that, no luck. I'm using MySQL for the radius backend.
Here are my tables:

radcheck:
  UserName: test at 10.10.50.52
  Attribute: User-Password
  op: ==
  Value: test

radgroupcheck:
  GroupName: phone
  Attribute: Auth-Type
  op: :=
  Value: Digest

usergroup:
  UserName: test at 10.10.50.52
  GroupName: phone

So does that look ok?
Thanks,
- Darren
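
The quoted logs show rlm_digest unpacking Digest-Attributes and then demanding a server-side User-Password. As an added example (not part of the original thread and not FreeRADIUS code), this Python sketch parses the sub-attributes of that logged request and recomputes the RFC 2617 response without qop; the sample bytes are reconstructed from the log and the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed from the Digest-Attributes lines in the quoted log; the archive's
# " at " is restored to "@", which the length octet \034 (28) requires.
LOGGED_ATTRS = [b"\x01\x0btestrealm", b"\x02\x0a1234abcd", b"\x03\x08INVITE",
                b"\x04\x1csip:5555551212@example.com", b"\x06\x05MD5",
                b"\x0a\x06test"]
LOGGED_RESPONSE = "631d6d73147add2f9e437f59bbc3aeb7"  # Digest-Response in the log

# Sub-attribute numbers and names as shown in the log's conversion output.
SUBTYPES = {1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method",
            4: "Digest-URI", 6: "Digest-Algorithm", 10: "Digest-User-Name"}

def parse_digest_attributes(values):
    """Unpack type/length/value sub-attributes; length includes the 2 header octets."""
    out = {}
    for raw in values:
        pos = 0
        while pos < len(raw):
            if len(raw) - pos < 2:
                raise ValueError("truncated sub-attribute header")
            subtype, length = raw[pos], raw[pos + 1]
            if length < 2 or pos + length > len(raw):
                raise ValueError("sub-attribute length does not fit the value")
            name = SUBTYPES.get(subtype, f"Unknown-{subtype}")
            out[name] = raw[pos + 2:pos + length].decode("utf-8")
            pos += length
    return out

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def expected_response(attrs, password):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), i.e. MD5 of the KD line."""
    if attrs.get("Digest-Algorithm", "MD5") != "MD5":
        raise ValueError("only MD5 is handled in this sketch")
    a1 = f'{attrs["Digest-User-Name"]}:{attrs["Digest-Realm"]}:{password}'
    a2 = f'{attrs["Digest-Method"]}:{attrs["Digest-URI"]}'
    return md5_hex(f'{md5_hex(a1)}:{attrs["Digest-Nonce"]}:{md5_hex(a2)}')

def verify(attrs, password, response):
    """Constant-time comparison of the client's response with the server's own."""
    return hmac.compare_digest(expected_response(attrs, password), response.lower())

if __name__ == "__main__":
    attrs = parse_digest_attributes(LOGGED_ATTRS)
    print(attrs)
    print("logged response matches password 'test':", verify(attrs, "test", LOGGED_RESPONSE))
```

The password enters only through A1 on the server side and never travels in the Access-Request, so the server has to hold it as a check item to rebuild the response.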