[Serusers] SER with Radius Authentication
Rafael J. Risco G.V.
rafael.risco at gmail.com
Tue Mar 22 20:08:33 CET 2005
Thank you Alan,
it works now; the operator for User-Password should be ==.
Maybe you can help with other doubts. I am trying to use the
"radius_is_user_in()" function from the group_radius module to check if
the user has voicemail service and also to authorize PSTN calls using
credentials. What attributes should I use in the users file?
On Tue, 22 Mar 2005 13:36:06 -0000, Alan Litster
<alitster at telcoelectronics.co.uk> wrote:
> It's been a while since I've done any major work with FR though I have got
> it working and it's handling ~3000 users.
>
> Your entry for the test user is fine, copied from the original file? The
> others differ in that the User-Password attribute is on the other line whereas
> it should follow the Auth-Type. The operator should be == and not :=, not
> too sure if that makes a difference when using the users file? We use MySQL
> for the backend and that doesn't seem to be quite so strict on the operators
> ==/:=. Also, don't specify the Digest-Response as the digest module does
> that. All you need is the following:
>
> 6604321 Auth-Type := Digest, User-Password == "4321"
>
> > -----Original Message-----
> > From: serusers-bounces at iptel.org [mailto:serusers-bounces at lists.iptel.org]On
> > Behalf Of Rafael J. Risco G.V.
> > Sent: 21 March 2005 21:15
> > To: serusers at lists.iptel.org
> > Subject: [Serusers] SER with Radius Authentication
> >
> >
> > Hi,
> > I've configured freeradius and SER according to the Radius HOW TO
> > document. Accounting works very well, but now I am doing some tests
> > trying to do user authentication; however, all the authentication
> > requests coming to the freeradius fail and X-lite sipphone is
> > receiving an Unauthorized message from SER. Please, some advice,
> >
> > thanks
> > rafael
> >
> > PS: config files...
> >
> > in /usr/local/etc/raddb/users :
> > ---------
> > test Auth-Type := Digest, User-Password == "test"
> > Reply-Message = "Hello, test with digest"
> >
> > 6609876 Auth-Type := Digest
> > User-Password := "9876",
> > Digest-Response = "lalalalala",
> > Reply-Message = "Hello, ibm1"
> >
> > 6604321 Auth-Type := Digest
> > User-Password := "4321",
> > Digest-Response = "lalalalala",
> > Reply-Message = "Hello, ibm2"
> >
> > ---------
> > Some relevant data in ser.cfg:
> > ...
> > modparam("group_radius", "use_domain", 0)
> > ....
> >
> > if (uri==myself) {
> >
> >     if (method=="REGISTER") {
> >
> >         # Uncomment this if you want to use digest authentication
> >         if (!radius_www_authorize("")) {
> >             www_challenge("", "1");
> >             break;
> >         };
> >
> >         if (!save("location")) {
> >             sl_reply_error();
> >         };
> >         break;
> >     };
> >
> >     lookup("aliases");
> >     if (!uri==myself) {
> >         append_hf("P-hint: outbound alias\r\n");
> >         route(1);
> >         break;
> >     };
> >
> >     # does the user wish redirection on no availability? (i.e., is he
> >     # in the voicemail group?) -- determine it now and store it in
> >     # flag 4, before we rewrite the flag using UsrLoc
> >
> >     if (radius_is_user_in("Request-URI", "voicemail")) {
> >         log(1, "requested user is in voicemail group");
> >         setflag(4);
> >     };
> >
> >     # native SIP destinations are handled using our USRLOC DB
> >     if (!lookup("location")) {
> >         # sl_send_reply("404", "Not Found");
> >         log(1,"unable to locate user");
> >         route(4);
> >         break;
> >     };
> >
> > }; # End of "if(uri==myself)"
> > ....
> >
> >
> > ------------------RADIUSD -X Output ---------------------------:
> >
> > rad_recv: Access-Request packet from host 127.0.0.1:33187, id=79,
> > length=311
> > User-Name = "6604321 at 10.0.1.22"
> > Digest-Attributes = 0x0a0936363034333231
> > Digest-Attributes = 0x010b31302e302e312e3232
> > Digest-Attributes =
> > 0x022a343233663331633730623366316432616433303838336332383034343166
> > 32663133643136613830
> > Digest-Attributes = 0x040f7369703a31302e302e312e3232
> > Digest-Attributes = 0x030a5245474953544552
> > Digest-Attributes = 0x050661757468
> > Digest-Attributes = 0x090a3030303030303162
> > Digest-Attributes =
> > 0x08224433343132424232394131453131443939334232303035304241373836433642
> > Digest-Response = "a6a7812ac0331324f977453c228da2ed"
> > Service-Type = IAPP-Register
> > Sip-URI-User = "6604321"
> > Cisco-AVPair =
> > "call-id=D3412ADB9A1E11D993B20050BA786C6B at 10.0.1.22"
> > NAS-IP-Address = 127.0.0.1
> > NAS-Port = 5060
> > Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 8
> > modcall[authorize]: module "preprocess" returns ok for request 8
> > modcall[authorize]: module "chap" returns noop for request 8
> > modcall[authorize]: module "mschap" returns noop for request 8
> > rlm_digest: Converting Digest-Attributes to something sane...
> > Digest-User-Name = "6604321"
> > Digest-Realm = "10.0.1.22"
> > Digest-Nonce = "423f31c70b3f1d2ad30883c280441f2f13d16a80"
> > Digest-URI = "sip:10.0.1.22"
> > Digest-Method = "REGISTER"
> > Digest-QOP = "auth"
> > Digest-Nonce-Count = "0000001b"
> > Digest-CNonce = "D3412BB29A1E11D993B20050BA786C6B"
> > rlm_digest: Adding Auth-Type = DIGEST
> > modcall[authorize]: module "digest" returns ok for request 8
> > rlm_realm: Looking up realm "10.0.1.22" for User-Name =
> > "6604321 at 10.0.1.22"
> > rlm_realm: No such realm "10.0.1.22"
> > modcall[authorize]: module "suffix" returns noop for request 8
> > rlm_eap: No EAP-Message, not doing EAP
> > modcall[authorize]: module "eap" returns noop for request 8
> > users: Matched DEFAULT at 152
> > modcall[authorize]: module "files" returns ok for request 8
> > modcall: group authorize returns ok for request 8
> > rad_check_password: Found Auth-Type DIGEST
> > auth: type "digest"
> > Processing the authenticate section of radiusd.conf
> > modcall: entering group authenticate for request 8
> > rlm_digest: Configuration item "User-Password" is required for
> > authentication.
> > modcall[authenticate]: module "digest" returns invalid for request 8
> > modcall: group authenticate returns invalid for request 8
> > auth: Failed to validate the user.
> > Delaying request 8 for 1 seconds
> > Finished request 8
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 1 seconds...
> > rad_recv: Access-Request packet from host 127.0.0.1:33188, id=80,
> > length=311
> > User-Name = "6609876 at 10.0.1.22"
> > Digest-Attributes = 0x0a0936363039383736
> > Digest-Attributes = 0x010b31302e302e312e3232
> > Digest-Attributes =
> > 0x022a343233663331633730623366316432616433303838336332383034343166
> > 32663133643136613830
> > Digest-Attributes = 0x040f7369703a31302e302e312e3232
> > Digest-Attributes = 0x030a5245474953544552
> > Digest-Attributes = 0x050661757468
> > Digest-Attributes = 0x090a3030303030303163
> > Digest-Attributes =
> > 0x08224433343132424235394131453131443939334232303035304241373836433642
> > Digest-Response = "50fa695654b20e2eec54a1003fe15d9f"
> > Service-Type = IAPP-Register
> > Sip-URI-User = "6609876"
> > Cisco-AVPair =
> > "call-id=D3412ADE9A1E11D993B20050BA786C6B at 10.0.1.22"
> > NAS-IP-Address = 127.0.0.1
> > NAS-Port = 5060
> > Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 9
> > modcall[authorize]: module "preprocess" returns ok for request 9
> > modcall[authorize]: module "chap" returns noop for request 9
> > modcall[authorize]: module "mschap" returns noop for request 9
> > rlm_digest: Converting Digest-Attributes to something sane...
> > Digest-User-Name = "6609876"
> > Digest-Realm = "10.0.1.22"
> > Digest-Nonce = "423f31c70b3f1d2ad30883c280441f2f13d16a80"
> > Digest-URI = "sip:10.0.1.22"
> > Digest-Method = "REGISTER"
> > Digest-QOP = "auth"
> > Digest-Nonce-Count = "0000001c"
> > Digest-CNonce = "D3412BB59A1E11D993B20050BA786C6B"
> > rlm_digest: Adding Auth-Type = DIGEST
> > modcall[authorize]: module "digest" returns ok for request 9
> > rlm_realm: Looking up realm "10.0.1.22" for User-Name =
> > "6609876 at 10.0.1.22"
> > rlm_realm: No such realm "10.0.1.22"
> > modcall[authorize]: module "suffix" returns noop for request 9
> > rlm_eap: No EAP-Message, not doing EAP
> > modcall[authorize]: module "eap" returns noop for request 9
> > users: Matched DEFAULT at 152
> > modcall[authorize]: module "files" returns ok for request 9
> > modcall: group authorize returns ok for request 9
> > rad_check_password: Found Auth-Type DIGEST
> > auth: type "digest"
> > Processing the authenticate section of radiusd.conf
> > modcall: entering group authenticate for request 9
> > rlm_digest: Configuration item "User-Password" is required for
> > authentication.
> > modcall[authenticate]: module "digest" returns invalid for request 9
> > modcall: group authenticate returns invalid for request 9
> > auth: Failed to validate the user.
> > Delaying request 9 for 1 seconds
> > Finished request 9
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 1 seconds...
> > --- Walking the entire request list ---
> > Sending Access-Reject of id 79 to 127.0.0.1:33187
> > Waking up in 1 seconds...
> > rad_recv: Access-Request packet from host 127.0.0.1:33189, id=81,
> > length=311
> > User-Name = "6609876 at 10.0.1.22"
> > Digest-Attributes = 0x0a0936363039383736
> > Digest-Attributes = 0x010b31302e302e312e3232
> > Digest-Attributes =
> > 0x022a343233663331633730623366316432616433303838336332383034343166
> > 32663133643136613830
> > Digest-Attributes = 0x040f7369703a31302e302e312e3232
> > Digest-Attributes = 0x030a5245474953544552
> > Digest-Attributes = 0x050661757468
> > Digest-Attributes = 0x090a3030303030303163
> > Digest-Attributes =
> > 0x08224433343132424236394131453131443939334232303035304241373836433642
> > Digest-Response = "e4f68760f2b3eed0ad45942b32542c92"
> > Service-Type = IAPP-Register
> > Sip-URI-User = "6609876"
> > Cisco-AVPair =
> > "call-id=D3412ADE9A1E11D993B20050BA786C6B at 10.0.1.22"
> > NAS-IP-Address = 127.0.0.1
> > NAS-Port = 5060
> > Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 10
> > modcall[authorize]: module "preprocess" returns ok for request 10
> > modcall[authorize]: module "chap" returns noop for request 10
> > modcall[authorize]: module "mschap" returns noop for request 10
> > rlm_digest: Converting Digest-Attributes to something sane...
> > Digest-User-Name = "6609876"
> > Digest-Realm = "10.0.1.22"
> > Digest-Nonce = "423f31c70b3f1d2ad30883c280441f2f13d16a80"
> > Digest-URI = "sip:10.0.1.22"
> > Digest-Method = "REGISTER"
> > Digest-QOP = "auth"
> > Digest-Nonce-Count = "0000001c"
> > Digest-CNonce = "D3412BB69A1E11D993B20050BA786C6B"
> > rlm_digest: Adding Auth-Type = DIGEST
> > modcall[authorize]: module "digest" returns ok for request 10
> > rlm_realm: Looking up realm "10.0.1.22" for User-Name =
> > "6609876 at 10.0.1.22"
> > rlm_realm: No such realm "10.0.1.22"
> > modcall[authorize]: module "suffix" returns noop for request 10
> > rlm_eap: No EAP-Message, not doing EAP
> > modcall[authorize]: module "eap" returns noop for request 10
> > users: Matched DEFAULT at 152
> > modcall[authorize]: module "files" returns ok for request 10
> > modcall: group authorize returns ok for request 10
> > rad_check_password: Found Auth-Type DIGEST
> > auth: type "digest"
> > Processing the authenticate section of radiusd.conf
> > modcall: entering group authenticate for request 10
> > rlm_digest: Configuration item "User-Password" is required for
> > authentication.
> > modcall[authenticate]: module "digest" returns invalid for request 10
> > modcall: group authenticate returns invalid for request 10
> > auth: Failed to validate the user.
> > Delaying request 10 for 1 seconds
> > Finished request 10
> > Going to the next request
> > Sending Access-Reject of id 80 to 127.0.0.1:33188
> > Waking up in 1 seconds...
> > --- Walking the entire request list ---
> > Waking up in 1 seconds...
> > --- Walking the entire request list ---
> > Sending Access-Reject of id 81 to 127.0.0.1:33189
> > Waking up in 2 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 8 ID 79 with timestamp 423f309b
> > Waking up in 1 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 9 ID 80 with timestamp 423f309c
> > Waking up in 1 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 10 ID 81 with timestamp 423f309d
> > Nothing to do. Sleeping until we see a request.
> >
> >
> >
> >
> >
> >
> > --
> >
> > rrgv
> >
--
rrgv
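
The following is an added illustration, not part of the thread and not FreeRADIUS code: it unpacks the Digest-Attributes blobs of request 8 the way the "Converting Digest-Attributes to something sane" step does, then computes the RFC 2617 qop=auth response from a cleartext password, which is why the digest module needs User-Password as a configuration item. The function names are hypothetical, and the password "4321" is assumed from the users entry quoted above.

```python
import hashlib

# Sub-attribute numbers inside Digest-Attributes, as they appear in the radiusd -X output.
SUBTYPES = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 5: "QOP",
            8: "CNonce", 9: "Nonce-Count", 10: "User-Name"}

# Digest-Attributes values copied from request 8 in the log (0x prefix dropped, wraps joined).
REQUEST_8 = [
    "0a0936363034333231",
    "010b31302e302e312e3232",
    "022a34323366333163373062336631643261643330383833633238303434316632663133643136613830",
    "040f7369703a31302e302e312e3232",
    "030a5245474953544552",
    "050661757468",
    "090a3030303030303162",
    "08224433343132424232394131453131443939334232303035304241373836433642",
]

def decode(hex_attrs):
    """Unpack type/length/value blobs; the length byte includes the 2-byte header."""
    out = {}
    for h in hex_attrs:
        raw = bytes.fromhex(h)
        while raw:
            if len(raw) < 2 or not 2 <= raw[1] <= len(raw):
                raise ValueError("bad Digest-Attributes sub-attribute length")
            kind, length = raw[0], raw[1]
            out[SUBTYPES.get(kind, f"Unknown-{kind}")] = raw[2:length].decode("ascii")
            raw = raw[length:]
    return out

def md5hex(text):
    # MD5 is what HTTP/SIP digest authentication specifies; it is not a free choice here.
    return hashlib.md5(text.encode()).hexdigest()

def expected_response(a, password):
    """RFC 2617 response for qop=auth, computed from the cleartext password."""
    ha1 = md5hex(f"{a['User-Name']}:{a['Realm']}:{password}")
    ha2 = md5hex(f"{a['Method']}:{a['URI']}")
    return md5hex(f"{ha1}:{a['Nonce']}:{a['Nonce-Count']}:{a['CNonce']}:{a['QOP']}:{ha2}")

if __name__ == "__main__":
    attrs = decode(REQUEST_8)
    for name, value in attrs.items():
        print(f"Digest-{name} = {value!r}")
    # The two values agree only if the phone is configured with the assumed password.
    print("computed for password '4321':", expected_response(attrs, "4321"))
    print("Digest-Response in request 8: a6a7812ac0331324f977453c228da2ed")
```

Without a User-Password check item there is no secret to feed into HA1, which is the condition the "Configuration item "User-Password" is required for authentication" line reports.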