[Serusers] Problem authorizing with radius

Ricardo Martinez rmartinez at redvoiss.net
Wed Jul 20 19:26:24 CEST 2005


Hello.
    Mmmhh, are you sure you modified the www_challenge to proxy_challenge
in the ser.cfg file?  I use RADIATOR as my Radius Server, so I'm not very
familiar with freeRadius.  But from the debug output it seems to be an error,
maybe with the configuration of the Radius Server?
For example, is this normal: Invalid operator for item Suffix: reverting
to '=='?
 
Maybe someone who uses freeRadius could give you more details.
 
For accounting I use Radiator working together with an Oracle database; I
use the Start and Stop messages from SER to bill the call.
 
Regards, 
 
Ricardo Martinez.-

-----Original Message-----
From: Naresh Parmar [mailto:naresh_parmar14 at yahoo.com]
Sent: Wednesday, July 20, 2005 13:09
To: Ricardo Martinez; serusers at lists.iptel.org
Subject: RE: [Serusers] Problem authorizing with radius


Hi Ricardo,
 
Tried it. It still gives me the same error. Please let me know the version
of the radius server you are using. Also, can you please let me know what
you did to make the accounting work?
 
Best Regards,
Naresh

Ricardo Martinez <rmartinez at redvoiss.net> wrote:

Hello Naresh.
    I guess there is an error in the way you call the authorization for the
INVITE.  As far as I know, for the REGISTER message (authentication) you need
the statement:
 
    radius_www_authorize
 
    But for the INVITE you need to call "radius_proxy_authorize".  This is
what I have in my ser.cfg:
 
    if (method=="INVITE") {
        if (!radius_proxy_authorize("")) {
            proxy_challenge("","1");
            break;
        };
    };
 
Maybe you can try this and tell me how it works.
 
Good luck


Ricardo Martinez.-
 

-----Original Message-----
From: Naresh Parmar [mailto:naresh_parmar14 at yahoo.com]
Sent: Wednesday, July 20, 2005 12:10
To: Ricardo Martinez; serusers at lists.iptel.org
Subject: RE: [Serusers] Problem authorizing with radius


Hi Ricardo,
 
We are using freeradius server 0.9.1 and SER 0.9.3. The version of the radius
client is radiusclient-ng-0.5.1. The users file in the radius server looks
as below:
 
test@sip2.zone  Auth-Type := Digest, User-Password == "cisco1234"
        Reply-Message = "Authenticated",
        Sip-Rpid = "1970"
test@sip2.zone  Auth-Type := Accept
        Reply-Message = "Authorized",
        Sip-Group == "ld"
 
The radius authentication and authorization parts in the ser.cfg file are
given below:
 
    if (uri=~"^sip:9[0-9]*@") {
        if (method=="INVITE") {
            if (!radius_www_authorize("")) {
                www_challenge("", "1");
                break;
            } else {
                if (radius_is_user_in("Credentials", "ld")) {
                    forward(192.168.2.101,5060);
                    break;
                } else {
                    break;
                };
            };
        };
    };

 
And finally the error is as below:
 
Invalid operator for item Suffix: reverting to '=='
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "chap" returns noop
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop
    rlm_digest: Converting Digest-Attributes to something sane...
        Digest-User-Name = "test"
        Digest-Realm = "sip2.zone"
        Digest-Nonce = "42de75b2e9e39194a286e8ccd284646ffa14bcc2"
        Digest-URI = "sip:94161000@sip2.zone"
        Digest-Method = "INVITE"
        Digest-QOP = "auth"
        Digest-Nonce-Count = "0000000a"
        Digest-CNonce = "753F926DB8F5415D8D56EE7816410E33"
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module "digest" returns ok
    rlm_realm: Looking up realm "sip2.zone" for User-Name = "test@sip2.zone"
    rlm_realm: No such realm "sip2.zone"
  modcall[authorize]: module "suffix" returns noop
    users: Matched entry test@sip2.zone at line 226
  modcall[authorize]: module "files" returns ok
  modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Digest
auth: type "digest"
modcall: entering group authenticate
A1 = test:sip2.zone:cisco1234
A2 = INVITE:sip:94161000@sip2.zone
KD = 53d3b82970bada131a062103f553b8b8:42de75b2e9e39194a286e8ccd284646ffa14bcc2:0000000a:753F926DB8F5415D8D56EE7816410E33:auth:18227b358ffe96049a3745eeb449fae2
  modcall[authenticate]: module "digest" returns ok
modcall: group authenticate returns ok
radius_xlat:  'Authenticated'
Login OK: [test@sip2.zone/<no User-Password attribute>] (from client proxy port 5060)
Sending Access-Accept of id 203 to 192.168.2.1:32831
        Reply-Message = "Authenticated"
        Sip-Rpid = "1970"
Finished request 6
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.1:32831, id=204, length=53
        User-Name = "test"
        Sip-Group = "ld"
        Service-Type = Group-Check
        NAS-IP-Address = 192.168.2.1
        NAS-Port = 0
modcall: entering group authorize
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "chap" returns noop
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop
  modcall[authorize]: module "digest" returns noop
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop
  modcall[authorize]: module "files" returns notfound
  modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns ok
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [test/<no User-Password attribute>] (from client proxy port 0)
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
Waking up in 6 seconds...
 
As you can see from the above configuration, the authentication works
perfectly; it's only in the authorization where it fails. Also, can you please
let me know about the accounting configuration?
 
Thanks a lot..
Naresh


Ricardo Martinez <rmartinez at redvoiss.net> wrote:

Hello Naresh
I have authentication, authorization and accounting (AAA) through radius
working fine.  What radius server are you using? Can you send us more
information about the configuration?
 
Cheers,
Ricardo.-
 

-----Original Message-----
From: Naresh Parmar [mailto:naresh_parmar14 at yahoo.com]
Sent: Wednesday, July 20, 2005 10:37
To: serusers at lists.iptel.org
Subject: [Serusers] Problem authorizing with radius


Hi friends,
 
I am having problems while authorizing with the radius server. I am using
the same configuration as mentioned in the radius-howto. Authentication
works perfectly, as I am able to authenticate using the radius server. However,
while authorizing against the radius server to make a call I get the
following error:
 
auth: No authenticate method (Auth-Type) configuration found for the user request: Rejecting the user
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
 
When I authorize against the mysql database, it works fine. Any clue???
 
Best Regards,
Naresh
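
Added example (not part of the original thread, and not FreeRADIUS or SER code): a Python sketch of the RFC 2617 qop=auth computation that the rlm_digest debug lines "A1 =", "A2 =" and "KD =" trace, so the logged fields can be reproduced offline. The function names are hypothetical, and the "@" in the URI is assumed to be what the archive renders as " at ".

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    """Lower-case hex MD5, the H() function of RFC 2617."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def kd_input(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Build the colon-joined string that the debug output prints as 'KD ='."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")  # H(A1), A1 = user:realm:password
    ha2 = md5_hex(f"{method}:{uri}")             # H(A2), A2 = method:digest-uri
    return f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"


def expected_response(*args, **kwargs) -> str:
    """Digest 'response' value the client must send: H(KD input)."""
    return md5_hex(kd_input(*args, **kwargs))


def verify(client_response: str, *args, **kwargs) -> bool:
    """Constant-time comparison of the client's response with the expected one."""
    return hmac.compare_digest(client_response.lower(),
                               expected_response(*args, **kwargs))


# Field values copied from the debug output quoted in this thread.
LOGGED = dict(
    user="test",
    realm="sip2.zone",
    password="cisco1234",
    method="INVITE",
    uri="sip:94161000@sip2.zone",
    nonce="42de75b2e9e39194a286e8ccd284646ffa14bcc2",
    nc="0000000a",
    cnonce="753F926DB8F5415D8D56EE7816410E33",
)

if __name__ == "__main__":
    # Compare this line with the 'KD =' line in the server's debug output.
    print("KD =", kd_input(**LOGGED))
    print("response =", expected_response(**LOGGED))
```
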

 
