[Serusers] SER with Radius Authentication
Alberto Cruz
acruz at tekbrain.com
Thu Jun 23 00:24:30 CEST 2005
Hi,

How can I check if a user is registered if I'm using radius
authentication and persistent storage without adding users at the usrloc DB?
The following section only works if you have added the users at the
usrloc DB:

    if (!lookup("location")) {
        # sl_send_reply("404", "Not Found");
        log(1,"unable to locate user");
        route(4);
        break;
    };

But if I have my users in the Radius Server DB, I'm going to receive the
"Not Found" message when I try to place a call.
Regards
Alberto Cruz
Jan Janak wrote:
>Try to change your users file according to the radius howto:
>
>joe@iptel.org   Auth-Type := Digest, User-Password == "heslo"
>                Reply-Message = "Authenticated",
>                Sip-Rpid = "1234"
>
> Jan.
>
>On 21-03 16:15, Rafael J. Risco G.V. wrote:
>
>
>>Hi,
>>I've configured freeradius and SER according to the Radius HOW TO
>>document. Accounting works very well, but now I am doing some tests
>>trying to do user authentication; however, all the authentication
>>requests coming to the freeradius fail and the X-lite sipphone is
>>receiving an Unauthorized message from SER. Please give some advice,
>>
>>thanks
>>rafael
>>
>>PS: config files...
>>
>>in /usr/local/etc/raddb/users :
>>---------
>>test Auth-Type := Digest, User-Password == "test"
>> Reply-Message = "Hello, test with digest"
>>
>>6609876 Auth-Type := Digest
>> User-Password := "9876",
>> Digest-Response = "lalalalala",
>> Reply-Message = "Hello, ibm1"
>>
>>6604321 Auth-Type := Digest
>> User-Password := "4321",
>> Digest-Response = "lalalalala",
>> Reply-Message = "Hello, ibm2"
>>
>>---------
>>Some relevant data in ser.cfg:
>>...
>>modparam("group_radius", "use_domain", 0)
>>....
>>
>>if (uri==myself) {
>>
>>    if (method=="REGISTER") {
>>
>>        # Uncomment this if you want to use digest authentication
>>        if (!radius_www_authorize("")) {
>>            www_challenge("", "1");
>>            break;
>>        };
>>
>>        if (!save("location")) {
>>            sl_reply_error();
>>        };
>>        break;
>>    };
>>
>>    lookup("aliases");
>>    if (!uri==myself) {
>>        append_hf("P-hint: outbound alias\r\n");
>>        route(1);
>>        break;
>>    };
>>
>>    # does the user wish redirection on no availability? (i.e., is he
>>    # in the voicemail group?) -- determine it now and store it in
>>    # flag 4, before we rewrite the flag using UsrLoc
>>
>>    if (radius_is_user_in("Request-URI", "voicemail")) {
>>        log(1, "requested user is in voicemail group");
>>        setflag(4);
>>    };
>>
>>    # native SIP destinations are handled using our USRLOC DB
>>    if (!lookup("location")) {
>>        # sl_send_reply("404", "Not Found");
>>        log(1,"unable to locate user");
>>        route(4);
>>        break;
>>    };
>>
>>}; # End of "if(uri==myself)"
>>....
>>
>>
>>------------------RADIUSD -X Output ---------------------------:
>>
>>rad_recv: Access-Request packet from host 127.0.0.1:33187, id=79, length=311
>> User-Name = "6604321 at 10.0.1.22"
>> Digest-Attributes = 0x0a0936363034333231
>> Digest-Attributes = 0x010b31302e302e312e3232
>> Digest-Attributes = 0x022a34323366333163373062336631643261643330383833633238303434316632663133643136613830
>> Digest-Attributes = 0x040f7369703a31302e302e312e3232
>> Digest-Attributes = 0x030a5245474953544552
>> Digest-Attributes = 0x050661757468
>> Digest-Attributes = 0x090a3030303030303162
>> Digest-Attributes = 0x08224433343132424232394131453131443939334232303035304241373836433642
>> Digest-Response = "a6a7812ac0331324f977453c228da2ed"
>> Service-Type = IAPP-Register
>> Sip-URI-User = "6604321"
>> Cisco-AVPair = "call-id=D3412ADB9A1E11D993B20050BA786C6B at 10.0.1.22"
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 5060
>> Processing the authorize section of radiusd.conf
>>modcall: entering group authorize for request 8
>> modcall[authorize]: module "preprocess" returns ok for request 8
>> modcall[authorize]: module "chap" returns noop for request 8
>> modcall[authorize]: module "mschap" returns noop for request 8
>> rlm_digest: Converting Digest-Attributes to something sane...
>> Digest-User-Name = "6604321"
>> Digest-Realm = "10.0.1.22"
>> Digest-Nonce = "423f31c70b3f1d2ad30883c280441f2f13d16a80"
>> Digest-URI = "sip:10.0.1.22"
>> Digest-Method = "REGISTER"
>> Digest-QOP = "auth"
>> Digest-Nonce-Count = "0000001b"
>> Digest-CNonce = "D3412BB29A1E11D993B20050BA786C6B"
>>rlm_digest: Adding Auth-Type = DIGEST
>> modcall[authorize]: module "digest" returns ok for request 8
>> rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321 at 10.0.1.22"
>> rlm_realm: No such realm "10.0.1.22"
>> modcall[authorize]: module "suffix" returns noop for request 8
>> rlm_eap: No EAP-Message, not doing EAP
>> modcall[authorize]: module "eap" returns noop for request 8
>> users: Matched DEFAULT at 152
>> modcall[authorize]: module "files" returns ok for request 8
>>modcall: group authorize returns ok for request 8
>> rad_check_password: Found Auth-Type DIGEST
>>auth: type "digest"
>> Processing the authenticate section of radiusd.conf
>>modcall: entering group authenticate for request 8
>>rlm_digest: Configuration item "User-Password" is required for authentication.
>> modcall[authenticate]: module "digest" returns invalid for request 8
>>modcall: group authenticate returns invalid for request 8
>>auth: Failed to validate the user.
>>Delaying request 8 for 1 seconds
>>Finished request 8
>>Going to the next request
>>--- Walking the entire request list ---
>>Waking up in 1 seconds...
>>rad_recv: Access-Request packet from host 127.0.0.1:33188, id=80, length=311
>> User-Name = "6609876 at 10.0.1.22"
>> Digest-Attributes = 0x0a0936363039383736
>> Digest-Attributes = 0x010b31302e302e312e3232
>> Digest-Attributes = 0x022a34323366333163373062336631643261643330383833633238303434316632663133643136613830
>> Digest-Attributes = 0x040f7369703a31302e302e312e3232
>> Digest-Attributes = 0x030a5245474953544552
>> Digest-Attributes = 0x050661757468
>> Digest-Attributes = 0x090a3030303030303163
>> Digest-Attributes = 0x08224433343132424235394131453131443939334232303035304241373836433642
>> Digest-Response = "50fa695654b20e2eec54a1003fe15d9f"
>> Service-Type = IAPP-Register
>> Sip-URI-User = "6609876"
>> Cisco-AVPair = "call-id=D3412ADE9A1E11D993B20050BA786C6B at 10.0.1.22"
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 5060
>> Processing the authorize section of radiusd.conf
>>modcall: entering group authorize for request 9
>> modcall[authorize]: module "preprocess" returns ok for request 9
>> modcall[authorize]: module "chap" returns noop for request 9
>> modcall[authorize]: module "mschap" returns noop for request 9
>> rlm_digest: Converting Digest-Attributes to something sane...
>> Digest-User-Name = "6609876"
>> Digest-Realm = "10.0.1.22"
>> Digest-Nonce = "423f31c70b3f1d2ad30883c280441f2f13d16a80"
>> Digest-URI = "sip:10.0.1.22"
>> Digest-Method = "REGISTER"
>> Digest-QOP = "auth"
>> Digest-Nonce-Count = "0000001c"
>> Digest-CNonce = "D3412BB59A1E11D993B20050BA786C6B"
>>rlm_digest: Adding Auth-Type = DIGEST
>> modcall[authorize]: module "digest" returns ok for request 9
>> rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6609876 at 10.0.1.22"
>> rlm_realm: No such realm "10.0.1.22"
>> modcall[authorize]: module "suffix" returns noop for request 9
>> rlm_eap: No EAP-Message, not doing EAP
>> modcall[authorize]: module "eap" returns noop for request 9
>> users: Matched DEFAULT at 152
>> modcall[authorize]: module "files" returns ok for request 9
>>modcall: group authorize returns ok for request 9
>> rad_check_password: Found Auth-Type DIGEST
>>auth: type "digest"
>> Processing the authenticate section of radiusd.conf
>>modcall: entering group authenticate for request 9
>>rlm_digest: Configuration item "User-Password" is required for authentication.
>> modcall[authenticate]: module "digest" returns invalid for request 9
>>modcall: group authenticate returns invalid for request 9
>>auth: Failed to validate the user.
>>Delaying request 9 for 1 seconds
>>Finished request 9
>>Going to the next request
>>--- Walking the entire request list ---
>>Waking up in 1 seconds...
>>--- Walking the entire request list ---
>>Sending Access-Reject of id 79 to 127.0.0.1:33187
>>Waking up in 1 seconds...
>>rad_recv: Access-Request packet from host 127.0.0.1:33189, id=81, length=311
>> User-Name = "6609876 at 10.0.1.22"
>> Digest-Attributes = 0x0a0936363039383736
>> Digest-Attributes = 0x010b31302e302e312e3232
>> Digest-Attributes = 0x022a34323366333163373062336631643261643330383833633238303434316632663133643136613830
>> Digest-Attributes = 0x040f7369703a31302e302e312e3232
>> Digest-Attributes = 0x030a5245474953544552
>> Digest-Attributes = 0x050661757468
>> Digest-Attributes = 0x090a3030303030303163
>> Digest-Attributes = 0x08224433343132424236394131453131443939334232303035304241373836433642
>> Digest-Response = "e4f68760f2b3eed0ad45942b32542c92"
>> Service-Type = IAPP-Register
>> Sip-URI-User = "6609876"
>> Cisco-AVPair = "call-id=D3412ADE9A1E11D993B20050BA786C6B at 10.0.1.22"
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 5060
>> Processing the authorize section of radiusd.conf
>>modcall: entering group authorize for request 10
>> modcall[authorize]: module "preprocess" returns ok for request 10
>> modcall[authorize]: module "chap" returns noop for request 10
>> modcall[authorize]: module "mschap" returns noop for request 10
>> rlm_digest: Converting Digest-Attributes to something sane...
>> Digest-User-Name = "6609876"
>> Digest-Realm = "10.0.1.22"
>> Digest-Nonce = "423f31c70b3f1d2ad30883c280441f2f13d16a80"
>> Digest-URI = "sip:10.0.1.22"
>> Digest-Method = "REGISTER"
>> Digest-QOP = "auth"
>> Digest-Nonce-Count = "0000001c"
>> Digest-CNonce = "D3412BB69A1E11D993B20050BA786C6B"
>>rlm_digest: Adding Auth-Type = DIGEST
>> modcall[authorize]: module "digest" returns ok for request 10
>> rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6609876 at 10.0.1.22"
>> rlm_realm: No such realm "10.0.1.22"
>> modcall[authorize]: module "suffix" returns noop for request 10
>> rlm_eap: No EAP-Message, not doing EAP
>> modcall[authorize]: module "eap" returns noop for request 10
>> users: Matched DEFAULT at 152
>> modcall[authorize]: module "files" returns ok for request 10
>>modcall: group authorize returns ok for request 10
>> rad_check_password: Found Auth-Type DIGEST
>>auth: type "digest"
>> Processing the authenticate section of radiusd.conf
>>modcall: entering group authenticate for request 10
>>rlm_digest: Configuration item "User-Password" is required for authentication.
>> modcall[authenticate]: module "digest" returns invalid for request 10
>>modcall: group authenticate returns invalid for request 10
>>auth: Failed to validate the user.
>>Delaying request 10 for 1 seconds
>>Finished request 10
>>Going to the next request
>>Sending Access-Reject of id 80 to 127.0.0.1:33188
>>Waking up in 1 seconds...
>>--- Walking the entire request list ---
>>Waking up in 1 seconds...
>>--- Walking the entire request list ---
>>Sending Access-Reject of id 81 to 127.0.0.1:33189
>>Waking up in 2 seconds...
>>--- Walking the entire request list ---
>>Cleaning up request 8 ID 79 with timestamp 423f309b
>>Waking up in 1 seconds...
>>--- Walking the entire request list ---
>>Cleaning up request 9 ID 80 with timestamp 423f309c
>>Waking up in 1 seconds...
>>--- Walking the entire request list ---
>>Cleaning up request 10 ID 81 with timestamp 423f309d
>>Nothing to do. Sleeping until we see a request.
>>
>>
>>
>>
>>
>>
>>--
>>
>>rrgv
>>
>>_______________________________________________
>>Serusers mailing list
>>serusers at lists.iptel.org
>>http://lists.iptel.org/mailman/listinfo/serusers
>>
>>
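Added example, not part of the original thread and not SER or FreeRADIUS code: a decoder for the Digest-Attributes values shown in the radiusd -X output, plus the RFC 2617 response calculation, which shows why rlm_digest cannot validate a request unless a cleartext User-Password is configured for the user. The function names are hypothetical, and accepting several type/length/value triples in one value is an assumption; the values in the log carry one each.

```python
import hashlib
import hmac

# Sub-attribute codes, named as rlm_digest prints them in the debug output.
SUBTYPES = {1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method",
            4: "Digest-URI", 5: "Digest-QOP", 8: "Digest-CNonce",
            9: "Digest-Nonce-Count", 10: "Digest-User-Name"}

# Digest-Attributes values copied from request 8 in the radiusd -X output.
REQUEST_8 = [
    "0x0a0936363034333231",
    "0x010b31302e302e312e3232",
    "0x022a34323366333163373062336631643261643330383833633238303434316632663133643136613830",
    "0x040f7369703a31302e302e312e3232",
    "0x030a5245474953544552",
    "0x050661757468",
    "0x090a3030303030303162",
    "0x08224433343132424232394131453131443939334232303035304241373836433642",
]

def decode_digest_attributes(hex_values):
    """Walk the type/length/value triples; length includes the 2-byte header."""
    attrs = {}
    for value in hex_values:
        raw = bytes.fromhex(value[2:] if value[:2].lower() == "0x" else value)
        pos = 0
        while pos < len(raw):
            if pos + 2 > len(raw) or raw[pos + 1] < 2 or pos + raw[pos + 1] > len(raw):
                raise ValueError(f"malformed sub-attribute in {value!r}")
            kind, length = raw[pos], raw[pos + 1]
            attrs[SUBTYPES.get(kind, f"Unknown-{kind}")] = raw[pos + 2:pos + length].decode("ascii")
            pos += length
    return attrs

def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def expected_response(attrs, password):
    """RFC 2617 response; HA1 cannot be built without the cleartext password."""
    ha1 = _md5(f"{attrs['Digest-User-Name']}:{attrs['Digest-Realm']}:{password}")
    ha2 = _md5(f"{attrs['Digest-Method']}:{attrs['Digest-URI']}")
    if attrs.get("Digest-QOP") == "auth":
        return _md5(":".join([ha1, attrs["Digest-Nonce"], attrs["Digest-Nonce-Count"],
                              attrs["Digest-CNonce"], "auth", ha2]))
    return _md5(f"{ha1}:{attrs['Digest-Nonce']}:{ha2}")

def password_matches(attrs, digest_response, password):
    """Compare in constant time, ignoring hex case in the received response."""
    return hmac.compare_digest(expected_response(attrs, password), digest_response.lower())

if __name__ == "__main__":
    for name, value in decode_digest_attributes(REQUEST_8).items():
        print(f"{name} = {value!r}")
```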