[Serusers] Existing Radius Authentication

Klaus Darilion klaus.mailinglists at pernau.at
Mon Aug 1 12:59:23 CEST 2005


What is "System" authentication? Does it use the unix user accounts 
(passwd)? If yes, it can't work, as the system does not store the 
passwords in clear text.

regards,
klaus

Ryan Pagquil wrote:
> Ah ok. BTW I'm testing radius authentication now, and I can't get 
> authenticated. I use ser-0.9.3 and freeradius. Here is the information 
> about my test and setup:
> 
> In the users file of freeradius I have these:
> 
> rpagquil at server4all Auth-Type := Digest, User-Password == "test123"
>        Reply-Message = "Authenticated"
> 
> rpagquil at server4all Auth-Type := Accept
>        Reply-Message = "Authorized"
> 
> In ser.cfg I have these:
> 
> modparam("auth_radius", "radius_config", "/usr/local/etc/radiusclient/radiusclient.conf")
> modparam("auth_radius", "service_type", 15)
> 
> if (!radius_www_authorize("server4all")) {
>     www_challenge("", "1");
>     break;
> };
> 
> save("location");
> break;
> 
> and this is my radius log with radiusd -X:
> 
> rad_recv: Access-Request packet from host 127.0.0.1:1733, id=95, length=318
>        User-Name = "rpagquil at server4all"
>        Digest-Attributes = "\n\nrpagquil"
>        Digest-Attributes = "\001\014server4all"
>        Digest-Attributes = "\002*42ee018773f7ef0ca37028652e16deef71bdc6e9"
>        Digest-Attributes = "\004\020sip:server4all"
>        Digest-Attributes = "\003\nREGISTER"
>        Digest-Attributes = "\005\006auth"
>        Digest-Attributes = "\t\n00000002"
>        Digest-Attributes = "\010"D845A10802BC11DABFB500E04CAB4AB4"
>        Digest-Response = "67c537d0fb13d95416e2bb973b3caa4a"
>        Service-Type = Sip-Session
>        Sip-URI-User = "rpagquil"
>        Cisco-AVPair = "call-id=D845A10302BC11DABFB500E04CAB4AB4 at server4all"
>        NAS-IP-Address = 127.0.0.1
>        NAS-Port = 5060
>  Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> Invalid operator for item Suffix: reverting to '=='
> Invalid operator for item Suffix: reverting to '=='
> Invalid operator for item Suffix: reverting to '=='
>  modcall[authorize]: module "preprocess" returns ok for request 0
>  modcall[authorize]: module "chap" returns noop for request 0
>  rlm_eap: No EAP-Message, not doing EAP
>  modcall[authorize]: module "eap" returns noop for request 0
>    rlm_realm: Looking up realm "server4all" for User-Name = 
> "rpagquil at server4all"
>    rlm_realm: Found realm "DEFAULT"
>    rlm_realm: Adding Stripped-User-Name = "rpagquil"
>    rlm_realm: Proxying request from user rpagquil to realm DEFAULT
>    rlm_realm: Adding Realm = "DEFAULT"
>    rlm_realm: Authentication realm is LOCAL.
>  modcall[authorize]: module "suffix" returns noop for request 0
>    users: Matched DEFAULT at 162
>  modcall[authorize]: module "files" returns ok for request 0
>  modcall[authorize]: module "mschap" returns noop for request 0
> modcall: group authorize returns ok for request 0
>  rad_check_password:  Found Auth-Type System
> auth: type "System"
>  Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_unix: Attribute "User-Password" is required for authentication.
>  modcall[authenticate]: module "unix" returns invalid for request 0
> modcall: group authenticate returns invalid for request 0
> auth: Failed to validate the user.
> Login incorrect: [rpagquil at server4all] (from client server port 5060)
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> rad_recv: Access-Request packet from host 127.0.0.1:1734, id=96, length=318
>        User-Name = "rpagquil at server4all"
>        Digest-Attributes = "\n\nrpagquil"
>        Digest-Attributes = "\001\014server4all"
>        Digest-Attributes = "\002*42ee018773f7ef0ca37028652e16deef71bdc6e9"
>        Digest-Attributes = "\004\020sip:server4all"
>        Digest-Attributes = "\003\nREGISTER"
>        Digest-Attributes = "\005\006auth"
>        Digest-Attributes = "\t\n00000002"
>        Digest-Attributes = "\010"D845A10902BC11DABFB500E04CAB4AB4"
>        Digest-Response = "4c7a54f5710a95dc6c7620ac04271c28"
>        Service-Type = Sip-Session
>        Sip-URI-User = "rpagquil"
>        Cisco-AVPair = "call-id=D845A10302BC11DABFB500E04CAB4AB4 at server4all"
>        NAS-IP-Address = 127.0.0.1
>        NAS-Port = 5060
>  Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
> Invalid operator for item Suffix: reverting to '=='
> Invalid operator for item Suffix: reverting to '=='
> Invalid operator for item Suffix: reverting to '=='
>  modcall[authorize]: module "preprocess" returns ok for request 1
>  modcall[authorize]: module "chap" returns noop for request 1
>  rlm_eap: No EAP-Message, not doing EAP
>  modcall[authorize]: module "eap" returns noop for request 1
>    rlm_realm: Looking up realm "server4all" for User-Name = 
> "rpagquil at server4all"
>    rlm_realm: Found realm "DEFAULT"
>    rlm_realm: Adding Stripped-User-Name = "rpagquil"
>    rlm_realm: Proxying request from user rpagquil to realm DEFAULT
>    rlm_realm: Adding Realm = "DEFAULT"
>    rlm_realm: Authentication realm is LOCAL.
>  modcall[authorize]: module "suffix" returns noop for request 1
>    users: Matched DEFAULT at 162
>  modcall[authorize]: module "files" returns ok for request 1
>  modcall[authorize]: module "mschap" returns noop for request 1
> modcall: group authorize returns ok for request 1
>  rad_check_password:  Found Auth-Type System
> auth: type "System"
>  Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
> rlm_unix: Attribute "User-Password" is required for authentication.
>  modcall[authenticate]: module "unix" returns invalid for request 1
> modcall: group authenticate returns invalid for request 1
> auth: Failed to validate the user.
> Login incorrect: [rpagquil at server4all] (from client server port 5060)
> Delaying request 1 for 1 seconds
> Finished request 1
> Going to the next request
> Sending Access-Reject of id 95 to 127.0.0.1:1733
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 96 to 127.0.0.1:1734
> Waking up in 3 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 95 with timestamp 42ee005c
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 1 ID 96 with timestamp 42ee005d
> Nothing to do.  Sleeping until we see a request.
> 
> 
> Please help.
> 
> Thanks,
> 
> 
> 
> Klaus Darilion wrote:
> 
>> The users need not be in the users file. You can store your users 
>> anywhere (file, database, ...). The important thing however is: the 
>> radius server has to support digest authentication. Thus, the 
>> passwords must be stored in cleartext.
>>
>> regards
>> klaus
>>
>> Ryan Pagquil wrote:
>>
>>> So it means that the System authentication that we are using now for 
>>> radius will be ignored? Every user must exist in the users file of 
>>> freeradius?
>>>
>>> Thanks,
>>>
>>>
>>> Klaus Darilion wrote:
>>>
>>>>
>>>>
>>>> Greger V. Teigre wrote:
>>>>
>>>>> Ryan,
>>>>> Only if it supports the http digest authentication mechanism.
>>>>> g-)
>>>>
>>>> This means, you need the user passwords in clear text.
>>>>
>>>> regards,
>>>> klaus
>>>>
>>>>
>>>>>
>>>>> Ryan Pagquil wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>>    Can I use my existing radius server as my login authentication for
>>>>>> ser? The existing radius uses the system to read the user accounts,
>>>>>> but as explained in the radius howto I must create the user accounts in
>>>>>> the users file of freeradius.
>>>>>> Please help.
>>>>>>
>>>>>> Thanks,
> 
> 
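
Why the digest check needs the cleartext password (or its HA1) and cannot work from a passwd-style hash, using the Digest-Attributes from the radiusd -X output quoted above. This is an added example, not part of the original thread: the client response is simulated with the password from the quoted users file, and the crypt string is a constructed placeholder.

```python
import hashlib
import hmac

# Digest-Attributes sub-attribute types, matching the values in the log above.
SUBATTR = {1: "realm", 2: "nonce", 3: "method", 4: "uri", 5: "qop",
           8: "cnonce", 9: "nc", 10: "username"}

# Values copied from the first Access-Request in the quoted radiusd -X output.
LOGGED = [b"\n\nrpagquil", b"\001\014server4all",
          b"\002*42ee018773f7ef0ca37028652e16deef71bdc6e9",
          b"\004\020sip:server4all", b"\003\nREGISTER", b"\005\006auth",
          b"\t\n00000002", b'\010"D845A10802BC11DABFB500E04CAB4AB4']

# Constructed stand-in for what a passwd/shadow lookup yields: a one-way hash.
CRYPT_HASH = "$1$constructed$NotARealHashJustAPlaceholder"

def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_digest_attributes(values):
    """Each value is: type (1 byte), length (1 byte, header included), text."""
    fields = {}
    for raw in values:
        if len(raw) < 2 or raw[1] != len(raw) or raw[0] not in SUBATTR:
            raise ValueError(f"malformed sub-attribute: {raw!r}")
        fields[SUBATTR[raw[0]]] = raw[2:].decode()
    return fields

def ha1(username, realm, secret):
    return md5hex(f"{username}:{realm}:{secret}")

def expected_response(f, ha1_hex):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5hex(f"{f['method']}:{f['uri']}")
    return md5hex(":".join([ha1_hex, f["nonce"], f["nc"], f["cnonce"], f["qop"], ha2]))

def verify(f, digest_response, ha1_hex):
    return hmac.compare_digest(expected_response(f, ha1_hex), digest_response)

def demo():
    f = parse_digest_attributes(LOGGED)
    # Simulated client: it hashes the cleartext password, never sends it.
    sent = expected_response(f, ha1(f["username"], f["realm"], "test123"))
    with_cleartext = verify(f, sent, ha1(f["username"], f["realm"], "test123"))
    with_crypt_only = verify(f, sent, ha1(f["username"], f["realm"], CRYPT_HASH))
    return with_cleartext, with_crypt_only

if __name__ == "__main__":
    print(demo())
```

The request carries only Digest-Response, never User-Password, which is why rlm_unix reports the attribute as missing in the log.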



