[Serusers] SER with Radius Authentication

Rafael J. Risco G.V. rafael.risco at gmail.com
Mon Mar 21 22:15:06 CET 2005


Hi,
I've configured freeradius and SER according to the Radius HOW TO
document. Accounting works very well, but now I am doing some tests
trying to do user authentication; however, all the authentication
requests coming to freeradius fail and the X-lite sipphone is
receiving an Unauthorized message from SER. Please, some advice.

thanks
rafael

PS: config files...

in /usr/local/etc/raddb/users :
---------
test      Auth-Type := Digest, User-Password == "test"
           Reply-Message = "Hello, test with digest"

6609876    Auth-Type := Digest
                User-Password := "9876",
                Digest-Response = "lalalalala",
                Reply-Message = "Hello, ibm1"

6604321    Auth-Type := Digest
                User-Password := "4321",
                Digest-Response = "lalalalala",
                Reply-Message = "Hello, ibm2"

---------
Some relevant data in ser.cfg:
...
modparam("group_radius", "use_domain", 0)
....

        if (uri==myself) {

                if (method=="REGISTER") {

                        # Uncomment this if you want to use digest authentication
                        if (!radius_www_authorize("")) {
                                www_challenge("", "1");
                                break;
                        };

                        if (!save("location")) {
                                sl_reply_error();
                        };
                        break;
                };

                lookup("aliases");
                if (!uri==myself) {
                        append_hf("P-hint: outbound alias\r\n");
                        route(1);
                        break;
                };

                # does the user wish redirection on no availability? (i.e., is he
                # in the voicemail group?) -- determine it now and store it in
                # flag 4, before we rewrite the flag using UsrLoc

                if (radius_is_user_in("Request-URI", "voicemail")) {
                        log(1, "requested user is in voicemail group");
                        setflag(4);
                };

                # native SIP destinations are handled using our USRLOC DB
                if (!lookup("location")) {
                        # sl_send_reply("404", "Not Found");
                        log(1,"unable to locate user");
                        route(4);
                        break;
                };

        }; # End of "if(uri==myself)"
....


------------------RADIUSD -X Output ---------------------------:

rad_recv: Access-Request packet from host 127.0.0.1:33187, id=79, length=311
        User-Name = "6604321@10.0.1.22"
        Digest-Attributes = 0x0a0936363034333231
        Digest-Attributes = 0x010b31302e302e312e3232
        Digest-Attributes = 0x022a34323366333163373062336631643261643330383833633238303434316632663133643136613830
        Digest-Attributes = 0x040f7369703a31302e302e312e3232
        Digest-Attributes = 0x030a5245474953544552
        Digest-Attributes = 0x050661757468
        Digest-Attributes = 0x090a3030303030303162
        Digest-Attributes = 0x08224433343132424232394131453131443939334232303035304241373836433642
        Digest-Response = "a6a7812ac0331324f977453c228da2ed"
        Service-Type = IAPP-Register
        Sip-URI-User = "6604321"
        Cisco-AVPair = "call-id=D3412ADB9A1E11D993B20050BA786C6B@10.0.1.22"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 5060
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
  modcall[authorize]: module "preprocess" returns ok for request 8
  modcall[authorize]: module "chap" returns noop for request 8
  modcall[authorize]: module "mschap" returns noop for request 8
    rlm_digest: Converting Digest-Attributes to something sane...
        Digest-User-Name = "6604321"
        Digest-Realm = "10.0.1.22"
        Digest-Nonce = "423f31c70b3f1d2ad30883c280441f2f13d16a80"
        Digest-URI = "sip:10.0.1.22"
        Digest-Method = "REGISTER"
        Digest-QOP = "auth"
        Digest-Nonce-Count = "0000001b"
        Digest-CNonce = "D3412BB29A1E11D993B20050BA786C6B"
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module "digest" returns ok for request 8
    rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321@10.0.1.22"
    rlm_realm: No such realm "10.0.1.22"
  modcall[authorize]: module "suffix" returns noop for request 8
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 8
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 8
modcall: group authorize returns ok for request 8
  rad_check_password:  Found Auth-Type DIGEST
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_digest: Configuration item "User-Password" is required for authentication.
  modcall[authenticate]: module "digest" returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user.
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:33188, id=80, length=311
        User-Name = "6609876@10.0.1.22"
        Digest-Attributes = 0x0a0936363039383736
        Digest-Attributes = 0x010b31302e302e312e3232
        Digest-Attributes = 0x022a34323366333163373062336631643261643330383833633238303434316632663133643136613830
        Digest-Attributes = 0x040f7369703a31302e302e312e3232
        Digest-Attributes = 0x030a5245474953544552
        Digest-Attributes = 0x050661757468
        Digest-Attributes = 0x090a3030303030303163
        Digest-Attributes = 0x08224433343132424235394131453131443939334232303035304241373836433642
        Digest-Response = "50fa695654b20e2eec54a1003fe15d9f"
        Service-Type = IAPP-Register
        Sip-URI-User = "6609876"
        Cisco-AVPair = "call-id=D3412ADE9A1E11D993B20050BA786C6B@10.0.1.22"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 5060
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
  modcall[authorize]: module "preprocess" returns ok for request 9
  modcall[authorize]: module "chap" returns noop for request 9
  modcall[authorize]: module "mschap" returns noop for request 9
    rlm_digest: Converting Digest-Attributes to something sane...
        Digest-User-Name = "6609876"
        Digest-Realm = "10.0.1.22"
        Digest-Nonce = "423f31c70b3f1d2ad30883c280441f2f13d16a80"
        Digest-URI = "sip:10.0.1.22"
        Digest-Method = "REGISTER"
        Digest-QOP = "auth"
        Digest-Nonce-Count = "0000001c"
        Digest-CNonce = "D3412BB59A1E11D993B20050BA786C6B"
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module "digest" returns ok for request 9
    rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6609876@10.0.1.22"
    rlm_realm: No such realm "10.0.1.22"
  modcall[authorize]: module "suffix" returns noop for request 9
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 9
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 9
modcall: group authorize returns ok for request 9
  rad_check_password:  Found Auth-Type DIGEST
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
rlm_digest: Configuration item "User-Password" is required for authentication.
  modcall[authenticate]: module "digest" returns invalid for request 9
modcall: group authenticate returns invalid for request 9
auth: Failed to validate the user.
Delaying request 9 for 1 seconds
Finished request 9
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 79 to 127.0.0.1:33187
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:33189, id=81, length=311
        User-Name = "6609876@10.0.1.22"
        Digest-Attributes = 0x0a0936363039383736
        Digest-Attributes = 0x010b31302e302e312e3232
        Digest-Attributes = 0x022a34323366333163373062336631643261643330383833633238303434316632663133643136613830
        Digest-Attributes = 0x040f7369703a31302e302e312e3232
        Digest-Attributes = 0x030a5245474953544552
        Digest-Attributes = 0x050661757468
        Digest-Attributes = 0x090a3030303030303163
        Digest-Attributes = 0x08224433343132424236394131453131443939334232303035304241373836433642
        Digest-Response = "e4f68760f2b3eed0ad45942b32542c92"
        Service-Type = IAPP-Register
        Sip-URI-User = "6609876"
        Cisco-AVPair = "call-id=D3412ADE9A1E11D993B20050BA786C6B@10.0.1.22"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 5060
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 10
  modcall[authorize]: module "preprocess" returns ok for request 10
  modcall[authorize]: module "chap" returns noop for request 10
  modcall[authorize]: module "mschap" returns noop for request 10
    rlm_digest: Converting Digest-Attributes to something sane...
        Digest-User-Name = "6609876"
        Digest-Realm = "10.0.1.22"
        Digest-Nonce = "423f31c70b3f1d2ad30883c280441f2f13d16a80"
        Digest-URI = "sip:10.0.1.22"
        Digest-Method = "REGISTER"
        Digest-QOP = "auth"
        Digest-Nonce-Count = "0000001c"
        Digest-CNonce = "D3412BB69A1E11D993B20050BA786C6B"
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module "digest" returns ok for request 10
    rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6609876@10.0.1.22"
    rlm_realm: No such realm "10.0.1.22"
  modcall[authorize]: module "suffix" returns noop for request 10
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 10
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 10
modcall: group authorize returns ok for request 10
  rad_check_password:  Found Auth-Type DIGEST
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 10
rlm_digest: Configuration item "User-Password" is required for authentication.
  modcall[authenticate]: module "digest" returns invalid for request 10
modcall: group authenticate returns invalid for request 10
auth: Failed to validate the user.
Delaying request 10 for 1 seconds
Finished request 10
Going to the next request
Sending Access-Reject of id 80 to 127.0.0.1:33188
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 81 to 127.0.0.1:33189
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 8 ID 79 with timestamp 423f309b
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 9 ID 80 with timestamp 423f309c
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 10 ID 81 with timestamp 423f309d
Nothing to do.  Sleeping until we see a request.






-- 

rrgv
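
Added example, not part of the original post and not SER or FreeRADIUS code: it unpacks the Digest-Attributes values of request 8 from the log above and recomputes the RFC 2617 response that a digest check compares against Digest-Response once a cleartext password is available. The sub-attribute numbering is assumed to follow draft-sterman-aaa-sip, and the function names are this example's own.

```python
import hashlib

# Sub-attribute numbers, assumed per draft-sterman-aaa-sip.
SUBTYPES = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 5: "QOP",
            6: "Algorithm", 7: "Body-Digest", 8: "CNonce",
            9: "Nonce-Count", 10: "User-Name"}

# Hex values copied from the Access-Request for request 8 in the log above.
REQUEST_8 = [
    "0x0a0936363034333231",
    "0x010b31302e302e312e3232",
    "0x022a34323366333163373062336631643261643330383833633238303434316632663133643136613830",
    "0x040f7369703a31302e302e312e3232",
    "0x030a5245474953544552",
    "0x050661757468",
    "0x090a3030303030303162",
    "0x08224433343132424232394131453131443939334232303035304241373836433642",
]

def decode_digest_attributes(hex_values):
    """Unpack TLVs: 1 byte type, 1 byte length (header included), ASCII value."""
    attrs = {}
    for hv in hex_values:
        raw = bytes.fromhex(hv[2:] if hv.lower().startswith("0x") else hv)
        pos = 0
        while pos < len(raw):
            if len(raw) - pos < 2:
                raise ValueError("truncated sub-attribute header")
            subtype, length = raw[pos], raw[pos + 1]
            if length < 2 or pos + length > len(raw):
                raise ValueError(f"bad length {length} in sub-attribute {subtype}")
            name = SUBTYPES.get(subtype, f"Unknown-{subtype}")
            attrs[name] = raw[pos + 2:pos + length].decode("ascii")
            pos += length
    return attrs

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def expected_response(attrs, password):
    """RFC 2617 response for algorithm MD5, with qop=auth or without qop."""
    ha1 = md5_hex(f"{attrs['User-Name']}:{attrs['Realm']}:{password}")
    ha2 = md5_hex(f"{attrs['Method']}:{attrs['URI']}")
    if attrs.get("QOP") == "auth":
        return md5_hex(f"{ha1}:{attrs['Nonce']}:{attrs['Nonce-Count']}:"
                       f"{attrs['CNonce']}:auth:{ha2}")
    return md5_hex(f"{ha1}:{attrs['Nonce']}:{ha2}")

if __name__ == "__main__":
    attrs = decode_digest_attributes(REQUEST_8)
    # Password from the 6604321 users entry; Digest-Response from request 8.
    print(attrs)
    print(expected_response(attrs, "4321") == "a6a7812ac0331324f977453c228da2ed")
```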



