[Serusers] Radius Authentication and group checking

Rafael J. Risco G.V. rafael.risco at gmail.com
Mon Mar 28 22:11:03 CEST 2005


Hi
Two problems:

1.- Finally I have been able to register users and authenticate
INVITEs using the radius_www_authorize and proxy_www_authorize functions,
but I can't use "radius_is_user_in" (from the group_radius module) for
group checking before calling. Has anyone done this before? I
need it to verify whether the "Request-URI" belongs to the group
"deactivated" during the Register process, or whether a user is in the "voicemail"
group, and likewise for checking "from" or "credentials" (I can do that with the
group.so module). Please see my ser.cfg and radiusd -X debug output below.

2.- There are no "check_to" or "check_from" functions in the uri_radius
module... Is there any other way to do this using radius?

regards
Rafael

PS: freeradius users file:

# freeradius "users" entry for the test subscriber ("at" is the list archive's rewrite of "@").
# First line: check items. The radiusd -X trace shows every request for this User-Name
# matching this entry ("Matched 6604321 at 10.0.1.22 at 222") and then being handled with
# "Found Auth-Type Digest", including the group lookups that carry no Digest-* attributes.
# Second line (indented): appears to be the reply items; Sip-Group = "mobile" is what the
# trace shows coming back in the Access-Accept.
# NOTE(review): the group-lookup requests (Service-Type = Voice, no Digest-Nonce) fail with
# "No Digest-Nonce: Cannot perform Digest authentication" because this single entry forces
# Auth-Type := Digest on them too. Presumably the group lookup needs its own entry selected
# on Service-Type so that Digest is only required for the authentication requests -- verify
# against the freeradius users file format before relying on it.
6604321 at 10.0.1.22      Auth-Type := Digest, User-Password == "4321"
                       Auth-Type := Accept, Sip-Group = "mobile"

SER.cfg:

               # REGISTER handling: refuse AORs in the "deactivated" group, then
               # digest-challenge the client, then store the contact binding.
               if (method == "REGISTER") {
                       log(1, "ANALYZING REGISTER REQUEST\n");
                       # Group lookup on the Request-URI runs before authentication, so a
                       # deactivated AOR is refused without ever being challenged.
                       # NOTE(review): this is the group.so is_user_in(); the radiusd -X trace
                       # shows the radius_is_user_in() replacement being rejected with
                       # "No Digest-Nonce" because the users entry forces Auth-Type Digest
                       # on the group-lookup request (Service-Type = Voice) as well.
                       if (is_user_in("Request-URI", "deactivated")) {
                               sl_send_reply("403","deactivated");
                               break;
                       };

                       # Digest authentication against the "subscriber" table; a missing or
                       # bad Authorization header gets a 401 challenge and the request ends.
                       if (!www_authorize("mydomain.com.pe", "subscriber")) {
                               www_challenge("mydomain.com.pe", "0");
                               break;
                       };

                       # only registered users are allowed
                       # NOTE(review): with this check_to() block disabled nothing ties the To
                       # URI that save() binds to the credentials that just passed
                       # www_authorize(), so an authenticated user could register a contact
                       # under another user's address. Re-enable it or apply an equivalent
                       # To-vs-credentials comparison before save().
                       #if (!check_to()) {
                       #        log(1, "LOG: Hijack attempt\n");
                       #        sl_send_reply("403", "Only registered users..");
                       #        break;
                       #};
                       log(1,"      Registered!!! \n");
                       # Store the binding in the "location" table; on failure the
                       # usrloc error reply is sent back.
                       if (!save("location")) {
                               sl_reply_error();
                       };
                       break;
               };

               # INVITE/CANCEL handling: proxy-authenticate the sender, then route
               # numbers starting with 9 to the mobile gateway after a group check.
               # NOTE(review): CANCEL is included in the proxy_authorize() branch; a CANCEL
               # is generally not expected to be challenged (it has to match the INVITE it
               # cancels), so a 407 here presumably leaves the INVITE uncancellable -- confirm.
               if (method == "INVITE" || method== "CANCEL" ) {
                       log(1, "ANALYZING INVITE||CANCEL REQUESTs\n");
                       # Digest proxy authentication; missing/bad Proxy-Authorization gets a 407.
                       if (!proxy_authorize("mydomain.com.pe", "subscriber")) {
                               proxy_challenge("mydomain.com.pe", "1");
                               break;
                       };
			#} else {
                       # NOTE(review): with check_from() disabled, the From header is never
                       # compared with the authenticated credentials (the line wrap inside
                       # this commented block comes from the mail client).
                       #if (method == "INVITE" && !check_from()) {
                       #        sl_send_reply("403", "Only registered
users...");
                       #        break;
                       #};
                       #};

              /* ******** Dial out to Local and PSTN logic ****** */

               # Forward n digit requests to gateway AS5350 (Celulares)
                       if(uri=~"^sip:9" ){
                               log(1," digit expression match - Celulares\n");
                               # NOTE(review): the "from" selector keys the group lookup on
                               # the From header, which the client fills in; since check_from()
                               # above is commented out, nothing ties From to the user that
                               # passed proxy_authorize(), so this gate can be satisfied with
                               # a From of a "mobile" member. The "credentials" selector keys
                               # the lookup on the authenticated user instead.
                               if (!is_user_in("from", "mobile")) {
                                       sl_send_reply("403", "forbidden...");
                                       break;
                               };
                               # GW_IP looks like a placeholder for the gateway address.
                               rewritehostport("GW_IP:5060");
                               route(1);  ## to nathelper...
                               break;
                       };
		};


Radiusd -X log when trying radius_is_user_in:

rad_recv: Access-Request packet from host 127.0.0.1:36944, id=200, length=323
        User-Name = "6604321 at 10.0.1.22"
        Digest-Attributes = 0x0a0936363034333231
        Digest-Attributes = 0x010b31302e302e312e3232
        Digest-Attributes =
0x022a34323438363231313832363734333330343564643863363961336530393638353034363533356538
        Digest-Attributes = 0x04187369703a39393130393939304031302e302e312e3232
        Digest-Attributes = 0x0308494e56495445
        Digest-Attributes = 0x050661757468
        Digest-Attributes = 0x090a3030303030353233
        Digest-Attributes =
0x08223341394535413233394144323131443939334232303035304241373836433642
        Digest-Response = "8c6af680ab513e39c16d38bc14c41fbc"
        Service-Type = IAPP-Register
        Sip-URI-User = "6604321"
        Cisco-AVPair = "call-id=3A9E5A1E-9AD2-11D9-93B2-0050BA786C6B at 10.0.1.105"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 5060
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 18
  modcall[authorize]: module "preprocess" returns ok for request 18
  modcall[authorize]: module "chap" returns noop for request 18
  modcall[authorize]: module "mschap" returns noop for request 18
    rlm_digest: Converting Digest-Attributes to something sane...
        Digest-User-Name = "6604321"
        Digest-Realm = "10.0.1.22"
        Digest-Nonce = "424862118267433045dd8c69a3e09685046535e8"
        Digest-URI = "sip:99109990 at 10.0.1.22"
        Digest-Method = "INVITE"
        Digest-QOP = "auth"
        Digest-Nonce-Count = "00000523"
        Digest-CNonce = "3A9E5A239AD211D993B20050BA786C6B"
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module "digest" returns ok for request 18
    rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321 at 10.0.1.22"
    rlm_realm: No such realm "10.0.1.22"
  modcall[authorize]: module "suffix" returns noop for request 18
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 18
    users: Matched DEFAULT at 152
    users: Matched 6604321 at 10.0.1.22 at 222
  modcall[authorize]: module "files" returns ok for request 18
modcall: group authorize returns ok for request 18
  rad_check_password:  Found Auth-Type Digest
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 18
A1 = 6604321:10.0.1.22:4321
A2 = INVITE:sip:99109990 at 10.0.1.22
H(A1) = 65f1515ce902a1b9dc7886ddc77c96bf
H(A2) = 087a284409aebfedefbc657a6a55fc29
KD = 65f1515ce902a1b9dc7886ddc77c96bf:424862118267433045dd8c69a3e09685046535e8:00000523:3A9E5A239AD211D993B20050BA786C6B:auth:087a284409aebfedefbc657a6a55fc29
EXPECTED 8c6af680ab513e39c16d38bc14c41fbc
RECEIVED 8c6af680ab513e39c16d38bc14c41fbc
  modcall[authenticate]: module "digest" returns ok for request 18
modcall: group authenticate returns ok for request 18
Sending Access-Accept of id 200 to 127.0.0.1:36944
        Sip-Group = "mobile"
Finished request 18


Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:36944, id=201, length=65
        User-Name = "6604321 at 10.0.1.22"
        Sip-Group = "mobile"
        Service-Type = Voice
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 19
  modcall[authorize]: module "preprocess" returns ok for request 19
  modcall[authorize]: module "chap" returns noop for request 19
  modcall[authorize]: module "mschap" returns noop for request 19
  modcall[authorize]: module "digest" returns noop for request 19
    rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321 at 10.0.1.22"
    rlm_realm: No such realm "10.0.1.22"
  modcall[authorize]: module "suffix" returns noop for request 19
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 19
    users: Matched DEFAULT at 152
    users: Matched 6604321 at 10.0.1.22 at 222
  modcall[authorize]: module "files" returns ok for request 19
modcall: group authorize returns ok for request 19
  rad_check_password:  Found Auth-Type Digest
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 19
ERROR: No Digest-Nonce: Cannot perform Digest authentication
  modcall[authenticate]: module "digest" returns invalid for request 19
modcall: group authenticate returns invalid for request 19
auth: Failed to validate the user.
Delaying request 19 for 1 seconds
Finished request 19
Going to the next request
Waking up in 6 seconds...


rad_recv: Access-Request packet from host 127.0.0.1:36945, id=202, length=323
        User-Name = "6604321 at 10.0.1.22"
        Digest-Attributes = 0x0a0936363034333231
        Digest-Attributes = 0x010b31302e302e312e3232
        Digest-Attributes =
0x022a34323438363231313832363734333330343564643863363961336530393638353034363533356538
        Digest-Attributes = 0x04187369703a39393130393939304031302e302e312e3232
        Digest-Attributes = 0x0308494e56495445
        Digest-Attributes = 0x050661757468
        Digest-Attributes = 0x090a3030303030353233
        Digest-Attributes =
0x08223341394535413234394144323131443939334232303035304241373836433642
        Digest-Response = "f8421d39192c34c441a52f0a5f7c9939"
        Service-Type = IAPP-Register
        Sip-URI-User = "6604321"
        Cisco-AVPair = "call-id=3A9E5A1E-9AD2-11D9-93B2-0050BA786C6B at 10.0.1.105"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 5060
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 20
  modcall[authorize]: module "preprocess" returns ok for request 20
  modcall[authorize]: module "chap" returns noop for request 20
  modcall[authorize]: module "mschap" returns noop for request 20
    rlm_digest: Converting Digest-Attributes to something sane...
        Digest-User-Name = "6604321"
        Digest-Realm = "10.0.1.22"
        Digest-Nonce = "424862118267433045dd8c69a3e09685046535e8"
        Digest-URI = "sip:99109990 at 10.0.1.22"
        Digest-Method = "INVITE"
        Digest-QOP = "auth"
        Digest-Nonce-Count = "00000523"
        Digest-CNonce = "3A9E5A249AD211D993B20050BA786C6B"
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module "digest" returns ok for request 20
    rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321 at 10.0.1.22"
    rlm_realm: No such realm "10.0.1.22"
  modcall[authorize]: module "suffix" returns noop for request 20
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 20
    users: Matched DEFAULT at 152
    users: Matched 6604321 at 10.0.1.22 at 222
  modcall[authorize]: module "files" returns ok for request 20
modcall: group authorize returns ok for request 20
  rad_check_password:  Found Auth-Type Digest
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 20
A1 = 6604321:10.0.1.22:4321
A2 = INVITE:sip:99109990 at 10.0.1.22
H(A1) = 65f1515ce902a1b9dc7886ddc77c96bf
H(A2) = 087a284409aebfedefbc657a6a55fc29
KD = 65f1515ce902a1b9dc7886ddc77c96bf:424862118267433045dd8c69a3e09685046535e8:00000523:3A9E5A249AD211D993B20050BA786C6B:auth:087a284409aebfedefbc657a6a55fc29
EXPECTED f8421d39192c34c441a52f0a5f7c9939
RECEIVED f8421d39192c34c441a52f0a5f7c9939
  modcall[authenticate]: module "digest" returns ok for request 20
modcall: group authenticate returns ok for request 20
Sending Access-Accept of id 202 to 127.0.0.1:36945
        Sip-Group = "mobile"
Finished request 20
Going to the next request


--- Walking the entire request list ---
Sending Access-Reject of id 201 to 127.0.0.1:36944
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:36945, id=203, length=65
        User-Name = "6604321 at 10.0.1.22"
        Sip-Group = "mobile"
        Service-Type = Voice
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 21
  modcall[authorize]: module "preprocess" returns ok for request 21
  modcall[authorize]: module "chap" returns noop for request 21
  modcall[authorize]: module "mschap" returns noop for request 21
  modcall[authorize]: module "digest" returns noop for request 21
    rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321 at 10.0.1.22"
    rlm_realm: No such realm "10.0.1.22"
  modcall[authorize]: module "suffix" returns noop for request 21
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 21
    users: Matched DEFAULT at 152
    users: Matched 6604321 at 10.0.1.22 at 222
  modcall[authorize]: module "files" returns ok for request 21
modcall: group authorize returns ok for request 21
  rad_check_password:  Found Auth-Type Digest
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 21
ERROR: No Digest-Nonce: Cannot perform Digest authentication
  modcall[authenticate]: module "digest" returns invalid for request 21
modcall: group authenticate returns invalid for request 21
auth: Failed to validate the user.
Delaying request 21 for 1 seconds
Finished request 21
Going to the next request
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 18 ID 200 with timestamp 424860e5
Cleaning up request 19 ID 201 with timestamp 424860e5
Sending Access-Reject of id 203 to 127.0.0.1:36945
Waking up in 2 seconds...



