[Serusers] Re: Radius Authentication and group checking
Rafael J. Risco G.V.
rafael.risco at gmail.com
Tue Mar 29 01:08:41 CEST 2005
Hi,
The ser.cfg I sent in my last email does not include the changes for radius auth;
I am testing with the radius prefix for is_user_in and www_authorize.
Anyway, this is the error I get when ser tries to check the group:
ERROR: No Digest-Nonce: Cannot perform Digest authentication
modcall[authenticate]: module "digest" returns invalid for request 13
modcall: group authenticate returns invalid for request 13
auth: Failed to validate the user.
Any idea?
Rafael
On Mon, 28 Mar 2005 15:11:03 -0500, Rafael J. Risco G.V.
<rafael.risco at gmail.com> wrote:
> Hi,
> Two problems:
>
> 1.- Finally I have been able to register users and authenticate
> INVITEs using the radius_www_authorize and proxy_www_authorize functions,
> but I can't use "radius_is_user_in" (from the group_radius module) for
> group checking before calling. Has someone done this before? I
> need this for "Request-URI", to verify if it belongs to a group
> "deactivated" in the Register process, or to verify if the user is in the "voicemail"
> group, and the same for checking "from" or "credentials" (I can do it using
> the group.so module). Please see my ser.cfg and radiusd -X debug below.
>
> 2.- There are no "check_to" or "check_from" functions in the uri_radius
> module... Is there any other way to do this using radius?
>
> regards
> Rafael
>
> PS: freeradius user file:
>
> 6604321 at 10.0.1.22 Auth-Type := Digest, User-Password == "4321"
> Auth-Type := Accept, Sip-Group = "mobile"
>
> SER.cfg:
>
> if (method == "REGISTER") {
>     log(1, "ANALYZING REGISTER REQUEST\n");
>     # to use digest authentication
>     if (is_user_in("Request-URI", "deactivated")) {
>         sl_send_reply("403", "deactivated");
>         break;
>     };
>
>     if (!www_authorize("mydomain.com.pe", "subscriber")) {
>         www_challenge("mydomain.com.pe", "0");
>         break;
>     };
>
>     # only registered users are allowed
>     #if (!check_to()) {
>     #    log(1, "LOG: Hijack attempt\n");
>     #    sl_send_reply("403", "Only registered users..");
>     #    break;
>     #};
>     log(1, " Registered!!! \n");
>     if (!save("location")) {
>         sl_reply_error();
>     };
>     break;
> };
>
> if (method == "INVITE" || method == "CANCEL") {
>     log(1, "ANALYZING INVITE||CANCEL REQUESTs\n");
>     if (!proxy_authorize("mydomain.com.pe", "subscriber")) {
>         proxy_challenge("mydomain.com.pe", "1");
>         break;
>     };
>     #} else {
>     #    if (method == "INVITE" && !check_from()) {
>     #        sl_send_reply("403", "Only registered users...");
>     #        break;
>     #    };
>     #};
>
>     /* ******** Dial out to Local and PSTN logic ****** */
>
>     # Forward n-digit requests to gateway AS5350 (mobile phones)
>     if (uri =~ "^sip:9") {
>         log(1, " digit expression match - Celulares\n");
>         if (!is_user_in("from", "mobile")) {
>             sl_send_reply("403", "forbidden...");
>             break;
>         };
>         rewritehostport("GW_IP:5060");
>         route(1);  ## to nathelper...
>         break;
>     };
> };
>
> Radiusd -X log when trying radius_is_user_in:
>
> rad_recv: Access-Request packet from host 127.0.0.1:36944, id=200, length=323
> User-Name = "6604321 at 10.0.1.22"
> Digest-Attributes = 0x0a0936363034333231
> Digest-Attributes = 0x010b31302e302e312e3232
> Digest-Attributes =
> 0x022a34323438363231313832363734333330343564643863363961336530393638353034363533356538
> Digest-Attributes = 0x04187369703a39393130393939304031302e302e312e3232
> Digest-Attributes = 0x0308494e56495445
> Digest-Attributes = 0x050661757468
> Digest-Attributes = 0x090a3030303030353233
> Digest-Attributes =
> 0x08223341394535413233394144323131443939334232303035304241373836433642
> Digest-Response = "8c6af680ab513e39c16d38bc14c41fbc"
> Service-Type = IAPP-Register
> Sip-URI-User = "6604321"
> Cisco-AVPair = "call-id=3A9E5A1E-9AD2-11D9-93B2-0050BA786C6B at 10.0.1.105"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 5060
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 18
> modcall[authorize]: module "preprocess" returns ok for request 18
> modcall[authorize]: module "chap" returns noop for request 18
> modcall[authorize]: module "mschap" returns noop for request 18
> rlm_digest: Converting Digest-Attributes to something sane...
> Digest-User-Name = "6604321"
> Digest-Realm = "10.0.1.22"
> Digest-Nonce = "424862118267433045dd8c69a3e09685046535e8"
> Digest-URI = "sip:99109990 at 10.0.1.22"
> Digest-Method = "INVITE"
> Digest-QOP = "auth"
> Digest-Nonce-Count = "00000523"
> Digest-CNonce = "3A9E5A239AD211D993B20050BA786C6B"
> rlm_digest: Adding Auth-Type = DIGEST
> modcall[authorize]: module "digest" returns ok for request 18
> rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321 at 10.0.1.22"
> rlm_realm: No such realm "10.0.1.22"
> modcall[authorize]: module "suffix" returns noop for request 18
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 18
> users: Matched DEFAULT at 152
> users: Matched 6604321 at 10.0.1.22 at 222
> modcall[authorize]: module "files" returns ok for request 18
> modcall: group authorize returns ok for request 18
> rad_check_password: Found Auth-Type Digest
> auth: type "digest"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 18
> A1 = 6604321:10.0.1.22:4321
> A2 = INVITE:sip:99109990 at 10.0.1.22
> H(A1) = 65f1515ce902a1b9dc7886ddc77c96bf
> H(A2) = 087a284409aebfedefbc657a6a55fc29
> KD = 65f1515ce902a1b9dc7886ddc77c96bf:424862118267433045dd8c69a3e09685046535e8:00000523:3A9E5A239AD211D993B20050BA786C6B:auth:087a284409aebfedefbc657a6a55fc29
> EXPECTED 8c6af680ab513e39c16d38bc14c41fbc
> RECEIVED 8c6af680ab513e39c16d38bc14c41fbc
> modcall[authenticate]: module "digest" returns ok for request 18
> modcall: group authenticate returns ok for request 18
> Sending Access-Accept of id 200 to 127.0.0.1:36944
> Sip-Group = "mobile"
> Finished request 18
>
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 127.0.0.1:36944, id=201, length=65
> User-Name = "6604321 at 10.0.1.22"
> Sip-Group = "mobile"
> Service-Type = Voice
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 19
> modcall[authorize]: module "preprocess" returns ok for request 19
> modcall[authorize]: module "chap" returns noop for request 19
> modcall[authorize]: module "mschap" returns noop for request 19
> modcall[authorize]: module "digest" returns noop for request 19
> rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321 at 10.0.1.22"
> rlm_realm: No such realm "10.0.1.22"
> modcall[authorize]: module "suffix" returns noop for request 19
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 19
> users: Matched DEFAULT at 152
> users: Matched 6604321 at 10.0.1.22 at 222
> modcall[authorize]: module "files" returns ok for request 19
> modcall: group authorize returns ok for request 19
> rad_check_password: Found Auth-Type Digest
> auth: type "digest"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 19
> ERROR: No Digest-Nonce: Cannot perform Digest authentication
> modcall[authenticate]: module "digest" returns invalid for request 19
> modcall: group authenticate returns invalid for request 19
> auth: Failed to validate the user.
> Delaying request 19 for 1 seconds
> Finished request 19
> Going to the next request
> Waking up in 6 seconds...
>
> rad_recv: Access-Request packet from host 127.0.0.1:36945, id=202, length=323
> User-Name = "6604321 at 10.0.1.22"
> Digest-Attributes = 0x0a0936363034333231
> Digest-Attributes = 0x010b31302e302e312e3232
> Digest-Attributes =
> 0x022a34323438363231313832363734333330343564643863363961336530393638353034363533356538
> Digest-Attributes = 0x04187369703a39393130393939304031302e302e312e3232
> Digest-Attributes = 0x0308494e56495445
> Digest-Attributes = 0x050661757468
> Digest-Attributes = 0x090a3030303030353233
> Digest-Attributes =
> 0x08223341394535413234394144323131443939334232303035304241373836433642
> Digest-Response = "f8421d39192c34c441a52f0a5f7c9939"
> Service-Type = IAPP-Register
> Sip-URI-User = "6604321"
> Cisco-AVPair = "call-id=3A9E5A1E-9AD2-11D9-93B2-0050BA786C6B at 10.0.1.105"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 5060
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 20
> modcall[authorize]: module "preprocess" returns ok for request 20
> modcall[authorize]: module "chap" returns noop for request 20
> modcall[authorize]: module "mschap" returns noop for request 20
> rlm_digest: Converting Digest-Attributes to something sane...
> Digest-User-Name = "6604321"
> Digest-Realm = "10.0.1.22"
> Digest-Nonce = "424862118267433045dd8c69a3e09685046535e8"
> Digest-URI = "sip:99109990 at 10.0.1.22"
> Digest-Method = "INVITE"
> Digest-QOP = "auth"
> Digest-Nonce-Count = "00000523"
> Digest-CNonce = "3A9E5A249AD211D993B20050BA786C6B"
> rlm_digest: Adding Auth-Type = DIGEST
> modcall[authorize]: module "digest" returns ok for request 20
> rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321 at 10.0.1.22"
> rlm_realm: No such realm "10.0.1.22"
> modcall[authorize]: module "suffix" returns noop for request 20
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 20
> users: Matched DEFAULT at 152
> users: Matched 6604321 at 10.0.1.22 at 222
> modcall[authorize]: module "files" returns ok for request 20
> modcall: group authorize returns ok for request 20
> rad_check_password: Found Auth-Type Digest
> auth: type "digest"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 20
> A1 = 6604321:10.0.1.22:4321
> A2 = INVITE:sip:99109990 at 10.0.1.22
> H(A1) = 65f1515ce902a1b9dc7886ddc77c96bf
> H(A2) = 087a284409aebfedefbc657a6a55fc29
> KD = 65f1515ce902a1b9dc7886ddc77c96bf:424862118267433045dd8c69a3e09685046535e8:00000523:3A9E5A249AD211D993B20050BA786C6B:auth:087a284409aebfedefbc657a6a55fc29
> EXPECTED f8421d39192c34c441a52f0a5f7c9939
> RECEIVED f8421d39192c34c441a52f0a5f7c9939
> modcall[authenticate]: module "digest" returns ok for request 20
> modcall: group authenticate returns ok for request 20
> Sending Access-Accept of id 202 to 127.0.0.1:36945
> Sip-Group = "mobile"
> Finished request 20
> Going to the next request
>
> --- Walking the entire request list ---
> Sending Access-Reject of id 201 to 127.0.0.1:36944
> Waking up in 4 seconds...
> rad_recv: Access-Request packet from host 127.0.0.1:36945, id=203, length=65
> User-Name = "6604321 at 10.0.1.22"
> Sip-Group = "mobile"
> Service-Type = Voice
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 21
> modcall[authorize]: module "preprocess" returns ok for request 21
> modcall[authorize]: module "chap" returns noop for request 21
> modcall[authorize]: module "mschap" returns noop for request 21
> modcall[authorize]: module "digest" returns noop for request 21
> rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321 at 10.0.1.22"
> rlm_realm: No such realm "10.0.1.22"
> modcall[authorize]: module "suffix" returns noop for request 21
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 21
> users: Matched DEFAULT at 152
> users: Matched 6604321 at 10.0.1.22 at 222
> modcall[authorize]: module "files" returns ok for request 21
> modcall: group authorize returns ok for request 21
> rad_check_password: Found Auth-Type Digest
> auth: type "digest"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 21
> ERROR: No Digest-Nonce: Cannot perform Digest authentication
> modcall[authenticate]: module "digest" returns invalid for request 21
> modcall: group authenticate returns invalid for request 21
> auth: Failed to validate the user.
> Delaying request 21 for 1 seconds
> Finished request 21
> Going to the next request
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 18 ID 200 with timestamp 424860e5
> Cleaning up request 19 ID 201 with timestamp 424860e5
> Sending Access-Reject of id 203 to 127.0.0.1:36945
> Waking up in 2 seconds...
>
--
rrgv
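As an added example (not code from the original thread), the Python below unpacks the Digest-Attributes sub-attributes from the first Access-Request in the quoted radiusd -X log, recomputes the RFC 2617 digest response with the password from the users file, and shows why the second request (Service-Type = Voice, no Digest-Attributes) cannot be verified, which is what rlm_digest reports. The sub-attribute type numbers are assumed from the FreeRADIUS digest dictionary; the hex values and expected hashes are copied from the log.

```python
import hashlib

# Sub-attribute type codes inside RADIUS Digest-Attributes (assumed from the
# FreeRADIUS dictionary; consistent with how rlm_digest labels them in the log).
DIGEST_SUBTYPES = {
    1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method", 4: "Digest-URI",
    5: "Digest-QOP", 6: "Digest-Algorithm", 7: "Digest-Body-Digest",
    8: "Digest-CNonce", 9: "Digest-Nonce-Count", 10: "Digest-User-Name",
}

# Digest-Attributes values copied from request 18 (id=200) in the log above.
LOG_DIGEST_ATTRIBUTES = [
    "0x0a0936363034333231",
    "0x010b31302e302e312e3232",
    "0x022a34323438363231313832363734333330343564643863363961336530393638353034363533356538",
    "0x04187369703a39393130393939304031302e302e312e3232",
    "0x0308494e56495445",
    "0x050661757468",
    "0x090a3030303030353233",
    "0x08223341394535413233394144323131443939334232303035304241373836433642",
]

def decode_digest_attributes(values):
    """Unpack each Digest-Attributes value as one type/length/value triple."""
    out = {}
    for hexval in values:
        raw = bytes.fromhex(hexval[2:] if hexval.startswith("0x") else hexval)
        # Length byte covers the 2-byte header plus the value.
        if len(raw) < 2 or raw[1] != len(raw):
            raise ValueError("malformed sub-attribute: %s" % hexval)
        out[DIGEST_SUBTYPES.get(raw[0], "Unknown-%d" % raw[0])] = raw[2:].decode("ascii")
    return out

def md5hex(s):
    return hashlib.md5(s.encode("ascii")).hexdigest()

def digest_response(attrs, password):
    """RFC 2617 response for qop=auth: the A1/A2/KD values rlm_digest prints."""
    ha1 = md5hex("%s:%s:%s" % (attrs["Digest-User-Name"], attrs["Digest-Realm"], password))
    ha2 = md5hex("%s:%s" % (attrs["Digest-Method"], attrs["Digest-URI"]))
    kd = ":".join([ha1, attrs["Digest-Nonce"], attrs["Digest-Nonce-Count"],
                   attrs["Digest-CNonce"], attrs["Digest-QOP"], ha2])
    return ha1, ha2, md5hex(kd)

def check_request(digest_attribute_values, digest_response_attr, password):
    """True only if the request carries Digest-Attributes and the response verifies."""
    if not digest_attribute_values:
        return False  # nothing to verify: the group-check request in the log looks like this
    attrs = decode_digest_attributes(digest_attribute_values)
    if "Digest-Nonce" not in attrs:
        return False  # rlm_digest: "No Digest-Nonce: Cannot perform Digest authentication"
    return digest_response(attrs, password)[2] == digest_response_attr
```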