[Serusers] Problem authorizing with radius

Greger V. Teigre greger at teigre.com
Thu Jul 21 07:22:38 CEST 2005


>auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>auth: Failed to validate the user.

This is where it fails. SER does not send Auth-Type, freeRadius is configured to require an Auth-Type. I don't know how you change that, I don't use freeRadius.
g-)

---- Original Message ----
From: Naresh Parmar
To: Ricardo Martinez ; serusers at lists.iptel.org
Sent: Wednesday, July 20, 2005 07:09 PM
Subject: RE: [Serusers] Problem authorizing with radius

> Hi Ricardo,
> 
> Tried it. It still gives me the same error. Please let me know the
> version of the radius server you are using. Also, can you please let
> me know what you did to make the accounting work?
> 
> Best Regards,
> Naresh
> 
> Ricardo Martinez <rmartinez at redvoiss.net> wrote:
> Hello Naresh.
>     I guess there is an error in the way you call the authorization
> for the INVITE.  As far as I know, for the REGISTER message
> (authentication) you need the statement:
> 
>     radius_www_authorize
> 
>     But for the INVITE you need to call "radius_proxy_authorize".
> This is what I have in my ser.cfg:
> 
>     if (method=="INVITE") {
>         if (!radius_proxy_authorize("")) {
>             proxy_challenge("","1");
>             break;
>         };
>     };
> 
> Maybe you can try this and tell me how it works.
> 
> Good luck
> 
> Ricardo Martinez.-
> 
> -----Original Message-----
> From: Naresh Parmar [mailto:naresh_parmar14 at yahoo.com]
> Sent: Wednesday, July 20, 2005 12:10
> To: Ricardo Martinez; serusers at lists.iptel.org
> Subject: RE: [Serusers] Problem authorizing with radius
> 
> 
> Hi Ricardo,
> 
> We are using freeradius server 0.9.1 and SER 0.9.3. The version of
> radius client is radiusclient-ng-0.5.1. The users file in the radius
> server looks as below:
> 
> test at sip2.zone Auth-Type := Digest, User-Password == "cisco1234"
>         Reply-Message = "Authenticated",
>         Sip-Rpid = "1970"
> test at sip2.zone Auth-Type := Accept
>         Reply-Message = "Authorized",
>         Sip-Group == "ld"
> 
> The radius authentication and authorization parts in the ser.cfg file
> are given below: 
> 
>     if (uri=~"^sip:9[0-9]*@") {
>         if (method=="INVITE") {
>             if (!radius_www_authorize("")) {
>                 www_challenge("", "1");
>                 break;
>             } else {
>                 if (radius_is_user_in("Credentials", "ld")) {
>                     forward(192.168.2.101,5060);
>                     break;
>                 } else {
>                     break;
>                 };
>             };
>         };
>     };
> 
> 
> And finally the error is as below:
> 
> Invalid operator for item Suffix: reverting to '=='
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "chap" returns noop
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop
>     rlm_digest: Converting Digest-Attributes to something sane...
>         Digest-User-Name = "test"
>         Digest-Realm = "sip2.zone"
>         Digest-Nonce = "42de75b2e9e39194a286e8ccd284646ffa14bcc2"
>         Digest-URI = "sip:94161000 at sip2.zone"
>         Digest-Method = "INVITE"
>         Digest-QOP = "auth"
>         Digest-Nonce-Count = "0000000a"
>         Digest-CNonce = "753F926DB8F5415D8D56EE7816410E33"
> rlm_digest: Adding Auth-Type = DIGEST
>   modcall[authorize]: module "digest" returns ok
>     rlm_realm: Looking up realm "sip2.zone" for User-Name = "test at sip2.zone"
>     rlm_realm: No such realm "sip2.zone"
>   modcall[authorize]: module "suffix" returns noop
>     users: Matched entry test at sip2.zone at line 226
>   modcall[authorize]: module "files" returns ok
>   modcall[authorize]: module "mschap" returns noop
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type Digest
> auth: type "digest"
> modcall: entering group authenticate
> A1 = test:sip2.zone:cisco1234
> A2 = INVITE:sip:94161000 at sip2.zone
> KD = 53d3b82970bada131a062103f553b8b8:42de75b2e9e39194a286e8ccd284646ffa14bcc2:0000000a:753F926DB8F5415D8D56EE7816410E33:auth:18227b358ffe96049a3745eeb449fae2
>   modcall[authenticate]: module "digest" returns ok
> modcall: group authenticate returns ok
> radius_xlat:  'Authenticated'
> Login OK: [test at sip2.zone/<no User-Password attribute>] (from client proxy port 5060)
> Sending Access-Accept of id 203 to 192.168.2.1:32831
>         Reply-Message = "Authenticated"
>         Sip-Rpid = "1970"
> Finished request 6
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.2.1:32831, id=204, length=53
>         User-Name = "test"
>         Sip-Group = "ld"
>         Service-Type = Group-Check
>         NAS-IP-Address = 192.168.2.1
>         NAS-Port = 0
> modcall: entering group authorize
> Invalid operator for item Suffix: reverting to '=='
> Invalid operator for item Suffix: reverting to '=='
> Invalid operator for item Suffix: reverting to '=='
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "chap" returns noop
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop
>   modcall[authorize]: module "digest" returns noop
>     rlm_realm: No '@' in User-Name = "test", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop
>   modcall[authorize]: module "files" returns notfound
>   modcall[authorize]: module "mschap" returns noop
> modcall: group authorize returns ok
> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> auth: Failed to validate the user.
> Login incorrect: [test/<no User-Password attribute>] (from client proxy port 0)
> Delaying request 7 for 1 seconds
> Finished request 7
> Going to the next request
> Waking up in 6 seconds...
> 
> As you can see from the above configuration, the authentication works
> perfect, it's only in the authorization where it fails. Also can you
> please let me know about the accounting configuration?
> 
> Thanks a lot..
> Naresh
> 
> 
> Ricardo Martinez <rmartinez at redvoiss.net> wrote:
> Hello Naresh
> I have authentication, authorization and accounting (AAA) through
> radius working fine.  What radius server are you using? Can you send
> us more information about the configuration?
> 
> Cheers,
> Ricardo.-
> 
> -----Original Message-----
> From: Naresh Parmar [mailto:naresh_parmar14 at yahoo.com]
> Sent: Wednesday, July 20, 2005 10:37
> To: serusers at lists.iptel.org
> Subject: [Serusers] Problem authorizing with radius
> 
> 
> hi friends,
> 
> I am having problems while authorizing with the radius server. I am
> using the same configuration as mentioned in the radius-howto.
> Authentication works perfect as I am able to authenticate using the
> radius server. However while authorizing against the radius server to
> make a call I get the following error:    
> 
> auth: No authenticate method (Auth-Type) configuration found for the
> user 
> request: Rejecting the user
> auth: Failed to validate the user.
> Delaying request 2 for 1 seconds
> Finished request 2
> 
> When I authorize against the mysql database, it works fine. Any
> clue??? 
> 
> Best Regards,
> Naresh
> 
> 
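An added example, not part of the original thread and not SER or FreeRADIUS code: a small Python parser that walks FreeRADIUS debug output of the kind quoted above, splits it per request, and flags any request that left the authorize phase without an Auth-Type, listing the authorize modules that returned noop or notfound. The function names `parse_requests` and `diagnose` are hypothetical, and the sample log is constructed from abridged lines of the quoted output; the parser handles any number of requests, not just the two shown.

```python
import re

# Constructed sample: abridged lines from the FreeRADIUS debug output quoted in this thread.
SAMPLE_LOG = '''\
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module "digest" returns ok
Finished request 6
        User-Name = "test"
        Service-Type = Group-Check
  modcall[authorize]: module "digest" returns noop
  modcall[authorize]: module "files" returns notfound
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Finished request 7
'''

MODULE_RE = re.compile(r'modcall\[authorize\]: module "([^"]+)" returns (\w+)')
AUTH_TYPE_RE = re.compile(r'(?:Adding Auth-Type =|Found Auth-Type)\s+(\S+)')
ATTR_RE = re.compile(r'^\s+([\w-]+) = "?([^"]*)"?\s*$')

def _blank():
    return {"attrs": {}, "modules": {}, "auth_type": None, "rejected": False}

def parse_requests(log_text):
    """Summarise each request, using 'Finished request N' as the delimiter."""
    requests, cur = [], _blank()
    for line in log_text.splitlines():
        if m := MODULE_RE.search(line):
            cur["modules"][m.group(1)] = m.group(2)      # authorize-phase result
        elif m := AUTH_TYPE_RE.search(line):
            cur["auth_type"] = m.group(1).upper()        # a module chose a method
        elif "No authenticate method (Auth-Type)" in line:
            cur["rejected"] = True
        elif m := ATTR_RE.match(line):
            cur["attrs"][m.group(1)] = m.group(2).strip()  # request attribute
        elif m := re.match(r'Finished request (\d+)', line):
            requests.append({**cur, "id": int(m.group(1))})
            cur = _blank()
    return requests

def diagnose(req):
    """Return a one-line finding for a request rejected with no Auth-Type set."""
    if not req["rejected"] or req["auth_type"]:
        return None
    idle = sorted(n for n, r in req["modules"].items() if r in ("noop", "notfound"))
    return (f'request {req["id"]}: User-Name={req["attrs"].get("User-Name")!r}, '
            f'Service-Type={req["attrs"].get("Service-Type")!r}: no Auth-Type set; '
            f'authorize modules that did nothing: {", ".join(idle)}')

if __name__ == "__main__":
    print([diagnose(r) for r in parse_requests(SAMPLE_LOG)])
```

Run over the full quoted log, the finding for request 7 shows the group check arriving with User-Name "test" (no realm) and Service-Type Group-Check, with neither the digest nor the files module acting on it.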