[Serusers] What's the problem with realm in auth_radius module?

Andres andres at telesip.net
Tue Mar 22 22:05:12 CET 2005


Marian Dumitru wrote:

> Hi Andreas,
>
> Maybe the realm you specify in script doesn't match the realm used by 
> the client in credentials. If you are running in debug mode (debug>=6) 
> try to sniff after logs like

It has always been like this with our SER servers.  Client registers to 
"sip.mydomain.com", but in ser.cfg we have 
www_authorize("mydomain.com").  It has never posed a problem with MySQL, 
but it does not work with a Radius Config.  For example on the Sipura 
devices there is a parameter called PROXY which we fill out with 
"sip.mydomain.com".  I don't see how that PROXY parameter could be 
filled with just "mydomain.com", unless we were using SRV records.

>     "pre_auth(): Credentials with given realm not found"
>
> Anyhow, you could use no domain in script, but to set for "auth" 
> module the "realm_prefix" to "sip."

I am not aware of the realm_prefix parameter.  Where can I find a usage 
description of it?  The auth module readme has nothing on it.
Thanks,

>
> Best regards,
> Marian
>
> Andres wrote:
>
>> Trying to make the auth_radius module to work I ran into a peculiar 
>> issue.
>>
>> For example if our UA were to try to register to server 
>> "sip.mydomain.com"
>>
>> ...and our ser.cfg had:
>> if (!radius_www_authorize("mydomain.com")) {
>>    www_challenge("mydomain.com", "1");
>> }
>>
>> ...then the authentication is not even fired off to the radius.  SER 
>> Debugs indicate the radius message is not even constructed.
>>
>> If on the other hand our ser.cfg has:
>> if (!radius_www_authorize("")) {
>>    www_challenge("", "1");
>> }
>>
>> then the authentication is now fired off to the radius server but the 
>> REALM is sip.mydomain.com.
>>
>> Why can't one make this work as it does with mysql authentication 
>> where the www_authorize does not need the host part?  We need REALM to 
>> be simply the domain part.
>>
>> The auth_radius readme even says that the realm is **usually** just 
>> the domain of the host.  Does this mean something is broken here?
>> -------------from readme----------------
>>
>>     * realm - Realm is a opaque string that the user agent
>>       should present to the user so he can decide what username
>>       and password to use. Usually this is domain of the host
>>       the server is running on.
>>
>>   Example 1-3. radius_www_authorize usage
>> ...
>> if (!radius_www_authorize("iptel.org")) {
>>    www_challenge("iptel.org", "1");
>> };
>>
>

-- 
Andres
Network Admin
http://www.telesip.net
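
Added example, not part of the original message and not SER code: a small Python model of the realm lookup discussed in this thread, showing why credentials carrying realm "sip.mydomain.com" are not found when the script asks for "mydomain.com", and what stripping a "sip." realm_prefix changes. The function names, the case-insensitive comparison, the rule that an empty script realm falls back to the request host, and the sample header are assumptions made for illustration.

```python
import re

# Constructed sample: credentials a UA registered to sip.mydomain.com might send.
SAMPLE_AUTHORIZATION = (
    'Digest username="alice", realm="sip.mydomain.com", '
    'nonce="constructed-nonce", uri="sip:sip.mydomain.com", '
    'response="00000000000000000000000000000000"'
)

def strip_realm_prefix(host, realm_prefix):
    """Drop realm_prefix from the front of host; leave host alone otherwise."""
    if (realm_prefix
            and len(host) > len(realm_prefix)
            and host.lower().startswith(realm_prefix.lower())):
        return host[len(realm_prefix):]
    return host

def effective_realm(script_realm, request_host, realm_prefix=""):
    """Realm the server looks for.

    Assumption: a non-empty realm in the script is used as written; an empty
    one is derived from the request host, minus realm_prefix if configured.
    """
    if script_realm:
        return script_realm
    return strip_realm_prefix(request_host, realm_prefix)

def credential_realm(authorization_header):
    """Extract the quoted realm parameter from a Digest Authorization header."""
    match = re.search(r'\brealm\s*=\s*"([^"]*)"', authorization_header, re.I)
    return match.group(1) if match else None

def find_credentials(authorization_headers, realm):
    """Return the first header whose realm equals `realm`, else None.

    None models the "Credentials with given realm not found" outcome.
    Assumption: realms are compared case-insensitively.
    """
    for header in authorization_headers:
        found = credential_realm(header)
        if found is not None and found.lower() == realm.lower():
            return header
    return None

if __name__ == "__main__":
    for script_realm, prefix in (("mydomain.com", ""), ("", ""), ("", "sip.")):
        realm = effective_realm(script_realm, "sip.mydomain.com", prefix)
        hit = find_credentials([SAMPLE_AUTHORIZATION], realm)
        print(f"script={script_realm!r} prefix={prefix!r} -> realm={realm!r}, "
              f"credentials {'found' if hit else 'not found'}")
```

In the third case the derived realm is "mydomain.com", so a client would only match once it answers a challenge issued with that realm; the sample header above still carries the old one.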




