[Serusers] Problem authorizing with radius

Naresh Parmar naresh_parmar14 at yahoo.com
Thu Jul 21 17:05:12 CEST 2005


Folks,
 
I changed the flag in sip_router/modules/acc/Makefile to LIBS=-L$(LOCALBASE)/lib and it works fine now, i.e. the acc module compiles fine. Thanks Ricardo and Greger, your advice really helped me out. Now I am using radius authentication and mysql authorization. User credentials are stored in the mysql database only after the user is authenticated against the radius server.

 
Thanks Ricardo and Greger, your advice really helped me out. Now I am using radius authentication and mysql authorization. I'll be back with the queries on accounting now :)
 
cheers,
naresh


"Greger V. Teigre" <greger at teigre.com> wrote:
>auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>auth: Failed to validate the user.
 
This is where it fails. SER does not send Auth-Type, freeRadius is configured to require an Auth-Type. I don't know how you change that, I don't use freeRadius.
g-)

---- Original Message ----
From: Naresh Parmar
To: Ricardo Martinez ; serusers at lists.iptel.org
Sent: Wednesday, July 20, 2005 07:09 PM
Subject: RE: [Serusers] Problem authorizing with radius

> Hi Ricardo,
> 
> Tried it. It still gives me the same error. Please let me know the
> version of the radius server you are using. Also, can you please let
> me know what you did to make the accounting work?
> 
> Best Regards,
> Naresh
> 
> Ricardo Martinez <rmartinez at redvoiss.net> wrote:
> Hello Naresh.
>     I guess there is an error in the way you call the authorization
> for the INVITE.  As far as I know, for the REGISTER message
> (authentication) you need the statement:
> 
>     radius_www_authorize
> 
>     But for the INVITE you need to call "radius_proxy_authorize".
> This is what I have in my ser.cfg:
> 
>     if (method=="INVITE") {
>         if (!radius_proxy_authorize("")) {
>             proxy_challenge("","1");
>             break;
>         };
>     };
> 
> Maybe you can try this and tell me how it works.
> 
> Good luck
> 
> Ricardo Martinez.-
> 
> -----Original Message-----
> From: Naresh Parmar [mailto:naresh_parmar14 at yahoo.com]
> Sent: Wednesday, 20 July 2005 12:10
> To: Ricardo Martinez; serusers at lists.iptel.org
> Subject: RE: [Serusers] Problem authorizing with radius
> 
> 
> Hi Ricardo,
> 
> We are using freeradius server 0.9.1 and SER 0.9.3. The version of
> radius client is radiusclient-ng-0.5.1. The users file in the radius
> server looks as below:
> 
> test at sip2.zone Auth-Type := Digest, User-Password == "cisco1234"
>         Reply-Message = "Authenticated",
>         Sip-Rpid = "1970"
> test at sip2.zone Auth-Type := Accept
>         Reply-Message = "Authorized",
>         Sip-Group == "ld"
> 
> The radius authentication and authorization parts in the ser.cfg file
> are given below: 
> 
>   if (uri=~"^sip:9[0-9]*@") {
>       if (method=="INVITE") {
>           if (!radius_www_authorize("")) {
>               www_challenge("", "1");
>               break;
>           } else {
>               if (radius_is_user_in("Credentials", "ld")) {
>                   forward(192.168.2.101,5060);
>                   break;
>               } else {
>                   break;
>               };
>           };
>       };
>   };
> 
> 
> And finally the error is as below:
> 
> Invalid operator for item Suffix: reverting to '=='
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "chap" returns noop
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop
>     rlm_digest: Converting Digest-Attributes to something sane...
>         Digest-User-Name = "test"
>         Digest-Realm = "sip2.zone"
>         Digest-Nonce = "42de75b2e9e39194a286e8ccd284646ffa14bcc2"
>         Digest-URI = "sip:94161000 at sip2.zone"
>         Digest-Method = "INVITE"
>         Digest-QOP = "auth"
>         Digest-Nonce-Count = "0000000a"
>         Digest-CNonce = "753F926DB8F5415D8D56EE7816410E33"
> rlm_digest: Adding Auth-Type = DIGEST
>   modcall[authorize]: module "digest" returns ok
>     rlm_realm: Looking up realm "sip2.zone" for User-Name = "test at sip2.zone"
>     rlm_realm: No such realm "sip2.zone"
>   modcall[authorize]: module "suffix" returns noop
>     users: Matched entry test at sip2.zone at line 226
>   modcall[authorize]: module "files" returns ok
>   modcall[authorize]: module "mschap" returns noop
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type Digest
> auth: type "digest"
> modcall: entering group authenticate
> A1 = test:sip2.zone:cisco1234
> A2 = INVITE:sip:94161000 at sip2.zone
> KD = 53d3b82970bada131a062103f553b8b8:42de75b2e9e39194a286e8ccd284646ffa14bcc2:0000000a:753F926DB8F5415D8D56EE7816410E33:auth:18227b358ffe96049a3745eeb449fae2
>   modcall[authenticate]: module "digest" returns ok
> modcall: group authenticate returns ok
> radius_xlat:  'Authenticated'
> Login OK: [test at sip2.zone/<no User-Password attribute>] (from client proxy port 5060)
> Sending Access-Accept of id 203 to 192.168.2.1:32831
>         Reply-Message = "Authenticated"
>         Sip-Rpid = "1970"
> Finished request 6
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.2.1:32831, id=204, length=53
>         User-Name = "test"
>         Sip-Group = "ld"
>         Service-Type = Group-Check
>         NAS-IP-Address = 192.168.2.1
>         NAS-Port = 0
> modcall: entering group authorize
> Invalid operator for item Suffix: reverting to '=='
> Invalid operator for item Suffix: reverting to '=='
> Invalid operator for item Suffix: reverting to '=='
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "chap" returns noop
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop
>   modcall[authorize]: module "digest" returns noop
>     rlm_realm: No '@' in User-Name = "test", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop
>   modcall[authorize]: module "files" returns notfound
>   modcall[authorize]: module "mschap" returns noop
> modcall: group authorize returns ok
> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> auth: Failed to validate the user.
> Login incorrect: [test/<no User-Password attribute>] (from client proxy port 0)
> Delaying request 7 for 1 seconds
> Finished request 7
> Going to the next request
> Waking up in 6 seconds...
> 
> As you can see from the above configuration, the authentication works
> perfectly; it's only in the authorization where it fails. Also, can you
> please let me know about the accounting configuration?
> 
> Thanks a lot..
> Naresh
> 
> 
> Ricardo Martinez <rmartinez at redvoiss.net> wrote:
> Hello Naresh
> I have authentication, authorization and accounting (AAA) through
> radius working fine.  What radius server are you using? Can you send
> us more information about the configuration?
> 
> Cheers,
> Ricardo.-
> 
> -----Original Message-----
> From: Naresh Parmar [mailto:naresh_parmar14 at yahoo.com]
> Sent: Wednesday, 20 July 2005 10:37
> To: serusers at lists.iptel.org
> Subject: [Serusers] Problem authorizing with radius
> 
> 
> hi friends,
> 
> I am having problems while authorizing with the radius server. I am
> using the same configuration as mentioned in the radius-howto.
> Authentication works perfectly, as I am able to authenticate using the
> radius server. However, while authorizing against the radius server to
> make a call I get the following error:
> 
> auth: No authenticate method (Auth-Type) configuration found for the
> user 
> request: Rejecting the user
> auth: Failed to validate the user.
> Delaying request 2 for 1 seconds
> Finished request 2
> 
> When I authorize against the mysql database, it works fine. Any
> clue??? 
> 
> Best Regards,
> Naresh
> 
> 
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
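
Added example (not part of the original thread): a small parser for radiusd debug output like that quoted above, which splits it per Access-Request and reports why a request ended in the "No authenticate method (Auth-Type)" reject. The function names and the sample log are constructed for illustration; the sample is condensed from the quoted output.

```python
import re

# Constructed sample, condensed from the radiusd output quoted in this thread
# ("@" restored from the archive's " at "; first header's length is made up).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.2.1:32831, id=203, length=200
        User-Name = "test@sip2.zone"
  modcall[authorize]: module "digest" returns ok
  rad_check_password:  Found Auth-Type Digest
Login OK: [test@sip2.zone/<no User-Password attribute>] (from client proxy port 5060)
rad_recv: Access-Request packet from host 192.168.2.1:32831, id=204, length=53
        User-Name = "test"
        Sip-Group = "ld"
        Service-Type = Group-Check
  modcall[authorize]: module "digest" returns noop
  modcall[authorize]: module "files" returns notfound
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
"""

def parse_requests(log):
    """Split radiusd debug output into one record per Access-Request."""
    reqs = []
    for line in map(str.strip, log.splitlines()):
        if m := re.match(r"rad_recv: Access-Request .*\bid=(\d+)", line):
            reqs.append({"id": int(m[1]), "attrs": {}, "modules": {},
                         "auth_type": None, "outcome": None})
        elif not reqs:
            continue  # output before the first request header
        elif not reqs[-1]["modules"] and (m := re.match(r'([\w-]+) = "?([^"]*)"?$', line)):
            reqs[-1]["attrs"][m[1]] = m[2]  # request attributes only
        elif m := re.match(r'modcall\[authorize\]: module "(\w+)" returns (\w+)', line):
            reqs[-1]["modules"][m[1]] = m[2]
        elif m := re.search(r"Found Auth-Type (\S+)", line):
            reqs[-1]["auth_type"] = m[1]
        elif line.startswith("Login OK"):
            reqs[-1]["outcome"] = "accept"
        elif "No authenticate method (Auth-Type)" in line:
            reqs[-1]["outcome"] = "reject-no-auth-type"
    return reqs

def diagnose(req):
    """Explain a 'No authenticate method' reject from the module results."""
    if req["outcome"] != "reject-no-auth-type":
        return []
    user, why = req["attrs"].get("User-Name", ""), []
    if req["modules"].get("files") == "notfound":
        why.append(f"users file has no entry matching User-Name {user!r}")
    if req["modules"].get("digest") == "noop":
        why.append("digest module returned noop, so it set no Auth-Type")
    return why
```

Run against the sample, request 204 (the Group-Check lookup) is the one flagged: it arrives with User-Name "test" and no Digest attributes, so neither the users file nor the digest module assigns an Auth-Type.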
