[Serusers] SER with Radius Authentication
Jan Janak
jan at iptel.org
Fri Mar 25 19:30:13 CET 2005
Try to change your users file according to the radius howto:

joe@iptel.org Auth-Type := Digest, User-Password == "heslo"
              Reply-Message = "Authenticated",
              Sip-Rpid = "1234"

Jan.
On 21-03 16:15, Rafael J. Risco G.V. wrote:
> Hi,
> I've configured freeradius and SER according to the Radius HOW TO
> document, Accounting works very well but now I am doing some tests
> trying to do user authentication however all the authentication
> requests coming to the freeradius fail and X-lite sipphone is
> receiving an Unauthorized message from SER, please some advice,
>
> thanks
> rafael
>
> PS: config files...
>
> in /usr/local/etc/raddb/users :
> ---------
> test    Auth-Type := Digest, User-Password == "test"
>         Reply-Message = "Hello, test with digest"
>
> 6609876 Auth-Type := Digest
>         User-Password := "9876",
>         Digest-Response = "lalalalala",
>         Reply-Message = "Hello, ibm1"
>
> 6604321 Auth-Type := Digest
>         User-Password := "4321",
>         Digest-Response = "lalalalala",
>         Reply-Message = "Hello, ibm2"
>
> ---------
> Some relevant data in ser.cfg:
> ...
> modparam("group_radius", "use_domain", 0)
> ....
>
> if (uri==myself) {
>
>     if (method=="REGISTER") {
>
>         # Uncomment this if you want to use digest authentication
>         if (!radius_www_authorize("")) {
>             www_challenge("", "1");
>             break;
>         };
>
>         if (!save("location")) {
>             sl_reply_error();
>         };
>         break;
>     };
>
>     lookup("aliases");
>     if (!uri==myself) {
>         append_hf("P-hint: outbound alias\r\n");
>         route(1);
>         break;
>     };
>
>     # does the user wish redirection on no availability? (i.e., is he
>     # in the voicemail group?) -- determine it now and store it in
>     # flag 4, before we rewrite the flag using UsrLoc
>
>     if (radius_is_user_in("Request-URI", "voicemail")) {
>         log(1, "requested user is in voicemail group");
>         setflag(4);
>     };
>
>     # native SIP destinations are handled using our USRLOC DB
>     if (!lookup("location")) {
>         # sl_send_reply("404", "Not Found");
>         log(1,"unable to locate user");
>         route(4);
>         break;
>     };
>
> }; # End of "if(uri==myself)"
> ....
>
>
> ------------------RADIUSD -X Output ---------------------------:
>
> rad_recv: Access-Request packet from host 127.0.0.1:33187, id=79, length=311
> User-Name = "6604321 at 10.0.1.22"
> Digest-Attributes = 0x0a0936363034333231
> Digest-Attributes = 0x010b31302e302e312e3232
> Digest-Attributes = 0x022a34323366333163373062336631643261643330383833633238303434316632663133643136613830
> Digest-Attributes = 0x040f7369703a31302e302e312e3232
> Digest-Attributes = 0x030a5245474953544552
> Digest-Attributes = 0x050661757468
> Digest-Attributes = 0x090a3030303030303162
> Digest-Attributes = 0x08224433343132424232394131453131443939334232303035304241373836433642
> Digest-Response = "a6a7812ac0331324f977453c228da2ed"
> Service-Type = IAPP-Register
> Sip-URI-User = "6604321"
> Cisco-AVPair = "call-id=D3412ADB9A1E11D993B20050BA786C6B at 10.0.1.22"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 5060
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 8
> modcall[authorize]: module "preprocess" returns ok for request 8
> modcall[authorize]: module "chap" returns noop for request 8
> modcall[authorize]: module "mschap" returns noop for request 8
> rlm_digest: Converting Digest-Attributes to something sane...
> Digest-User-Name = "6604321"
> Digest-Realm = "10.0.1.22"
> Digest-Nonce = "423f31c70b3f1d2ad30883c280441f2f13d16a80"
> Digest-URI = "sip:10.0.1.22"
> Digest-Method = "REGISTER"
> Digest-QOP = "auth"
> Digest-Nonce-Count = "0000001b"
> Digest-CNonce = "D3412BB29A1E11D993B20050BA786C6B"
> rlm_digest: Adding Auth-Type = DIGEST
> modcall[authorize]: module "digest" returns ok for request 8
> rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321 at 10.0.1.22"
> rlm_realm: No such realm "10.0.1.22"
> modcall[authorize]: module "suffix" returns noop for request 8
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 8
> users: Matched DEFAULT at 152
> modcall[authorize]: module "files" returns ok for request 8
> modcall: group authorize returns ok for request 8
> rad_check_password: Found Auth-Type DIGEST
> auth: type "digest"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 8
> rlm_digest: Configuration item "User-Password" is required for authentication.
> modcall[authenticate]: module "digest" returns invalid for request 8
> modcall: group authenticate returns invalid for request 8
> auth: Failed to validate the user.
> Delaying request 8 for 1 seconds
> Finished request 8
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> rad_recv: Access-Request packet from host 127.0.0.1:33188, id=80, length=311
> User-Name = "6609876 at 10.0.1.22"
> Digest-Attributes = 0x0a0936363039383736
> Digest-Attributes = 0x010b31302e302e312e3232
> Digest-Attributes = 0x022a34323366333163373062336631643261643330383833633238303434316632663133643136613830
> Digest-Attributes = 0x040f7369703a31302e302e312e3232
> Digest-Attributes = 0x030a5245474953544552
> Digest-Attributes = 0x050661757468
> Digest-Attributes = 0x090a3030303030303163
> Digest-Attributes = 0x08224433343132424235394131453131443939334232303035304241373836433642
> Digest-Response = "50fa695654b20e2eec54a1003fe15d9f"
> Service-Type = IAPP-Register
> Sip-URI-User = "6609876"
> Cisco-AVPair = "call-id=D3412ADE9A1E11D993B20050BA786C6B at 10.0.1.22"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 5060
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 9
> modcall[authorize]: module "preprocess" returns ok for request 9
> modcall[authorize]: module "chap" returns noop for request 9
> modcall[authorize]: module "mschap" returns noop for request 9
> rlm_digest: Converting Digest-Attributes to something sane...
> Digest-User-Name = "6609876"
> Digest-Realm = "10.0.1.22"
> Digest-Nonce = "423f31c70b3f1d2ad30883c280441f2f13d16a80"
> Digest-URI = "sip:10.0.1.22"
> Digest-Method = "REGISTER"
> Digest-QOP = "auth"
> Digest-Nonce-Count = "0000001c"
> Digest-CNonce = "D3412BB59A1E11D993B20050BA786C6B"
> rlm_digest: Adding Auth-Type = DIGEST
> modcall[authorize]: module "digest" returns ok for request 9
> rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6609876 at 10.0.1.22"
> rlm_realm: No such realm "10.0.1.22"
> modcall[authorize]: module "suffix" returns noop for request 9
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 9
> users: Matched DEFAULT at 152
> modcall[authorize]: module "files" returns ok for request 9
> modcall: group authorize returns ok for request 9
> rad_check_password: Found Auth-Type DIGEST
> auth: type "digest"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 9
> rlm_digest: Configuration item "User-Password" is required for authentication.
> modcall[authenticate]: module "digest" returns invalid for request 9
> modcall: group authenticate returns invalid for request 9
> auth: Failed to validate the user.
> Delaying request 9 for 1 seconds
> Finished request 9
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 79 to 127.0.0.1:33187
> Waking up in 1 seconds...
> rad_recv: Access-Request packet from host 127.0.0.1:33189, id=81, length=311
> User-Name = "6609876 at 10.0.1.22"
> Digest-Attributes = 0x0a0936363039383736
> Digest-Attributes = 0x010b31302e302e312e3232
> Digest-Attributes = 0x022a34323366333163373062336631643261643330383833633238303434316632663133643136613830
> Digest-Attributes = 0x040f7369703a31302e302e312e3232
> Digest-Attributes = 0x030a5245474953544552
> Digest-Attributes = 0x050661757468
> Digest-Attributes = 0x090a3030303030303163
> Digest-Attributes = 0x08224433343132424236394131453131443939334232303035304241373836433642
> Digest-Response = "e4f68760f2b3eed0ad45942b32542c92"
> Service-Type = IAPP-Register
> Sip-URI-User = "6609876"
> Cisco-AVPair = "call-id=D3412ADE9A1E11D993B20050BA786C6B at 10.0.1.22"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 5060
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 10
> modcall[authorize]: module "preprocess" returns ok for request 10
> modcall[authorize]: module "chap" returns noop for request 10
> modcall[authorize]: module "mschap" returns noop for request 10
> rlm_digest: Converting Digest-Attributes to something sane...
> Digest-User-Name = "6609876"
> Digest-Realm = "10.0.1.22"
> Digest-Nonce = "423f31c70b3f1d2ad30883c280441f2f13d16a80"
> Digest-URI = "sip:10.0.1.22"
> Digest-Method = "REGISTER"
> Digest-QOP = "auth"
> Digest-Nonce-Count = "0000001c"
> Digest-CNonce = "D3412BB69A1E11D993B20050BA786C6B"
> rlm_digest: Adding Auth-Type = DIGEST
> modcall[authorize]: module "digest" returns ok for request 10
> rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6609876 at 10.0.1.22"
> rlm_realm: No such realm "10.0.1.22"
> modcall[authorize]: module "suffix" returns noop for request 10
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 10
> users: Matched DEFAULT at 152
> modcall[authorize]: module "files" returns ok for request 10
> modcall: group authorize returns ok for request 10
> rad_check_password: Found Auth-Type DIGEST
> auth: type "digest"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 10
> rlm_digest: Configuration item "User-Password" is required for authentication.
> modcall[authenticate]: module "digest" returns invalid for request 10
> modcall: group authenticate returns invalid for request 10
> auth: Failed to validate the user.
> Delaying request 10 for 1 seconds
> Finished request 10
> Going to the next request
> Sending Access-Reject of id 80 to 127.0.0.1:33188
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 81 to 127.0.0.1:33189
> Waking up in 2 seconds...
> --- Walking the entire request list ---
> Cleaning up request 8 ID 79 with timestamp 423f309b
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 9 ID 80 with timestamp 423f309c
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 10 ID 81 with timestamp 423f309d
> Nothing to do. Sleeping until we see a request.
>
> --
>
> rrgv
>
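
An added example, not part of the original thread and not FreeRADIUS or SER code: a Python sketch of the check the debug output shows rlm_digest attempting, decoding the Digest-Attributes sub-attributes of request 8 and recomputing the RFC 2617 response, which is only possible when a cleartext User-Password check item is available. The sub-attribute code table is inferred from the hex values and decoded names in the log, and all function names are illustrative.

```python
import hashlib
import hmac

# Sub-attribute codes, inferred from the hex values and the names rlm_digest
# printed for them in the debug output (assumption: not taken from its source).
SUBATTR = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 5: "QOP",
           8: "CNonce", 9: "Nonce-Count", 10: "User-Name"}

# Digest-Attributes values copied from request 8 in the debug output.
REQUEST_8 = [
    "0x0a0936363034333231",
    "0x010b31302e302e312e3232",
    "0x022a34323366333163373062336631643261643330383833633238303434316632663133643136613830",
    "0x040f7369703a31302e302e312e3232",
    "0x030a5245474953544552",
    "0x050661757468",
    "0x090a3030303030303162",
    "0x08224433343132424232394131453131443939334232303035304241373836433642",
]

def decode_digest_attributes(hex_values):
    """Decode code/length/value sub-attributes; length includes the 2-byte header."""
    fields = {}
    for value in hex_values:
        raw = bytes.fromhex(value.removeprefix("0x"))
        pos = 0
        while pos < len(raw):
            if len(raw) - pos < 2 or raw[pos + 1] < 2 or pos + raw[pos + 1] > len(raw):
                raise ValueError("malformed Digest-Attributes sub-attribute")
            code, length = raw[pos], raw[pos + 1]
            fields[SUBATTR.get(code, f"Unknown-{code}")] = raw[pos + 2:pos + length].decode("ascii")
            pos += length
    return fields

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def expected_response(f, password):
    """RFC 2617 response for algorithm MD5 with qop=auth, or with no qop."""
    ha1 = md5_hex(f"{f['User-Name']}:{f['Realm']}:{password}")
    ha2 = md5_hex(f"{f['Method']}:{f['URI']}")
    if f.get("QOP") == "auth":
        return md5_hex(f"{ha1}:{f['Nonce']}:{f['Nonce-Count']}:{f['CNonce']}:auth:{ha2}")
    return md5_hex(f"{ha1}:{f['Nonce']}:{ha2}")

def verify(f, digest_response, password):
    """password is the cleartext User-Password check item, or None if absent."""
    if password is None:
        return False  # nothing to hash against: the request cannot be validated
    return hmac.compare_digest(expected_response(f, password), digest_response.lower())
```

Calling `verify(decode_digest_attributes(REQUEST_8), "a6a7812ac0331324f977453c228da2ed", "4321")` repeats the check for the first failed request using the password from the posted users file.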