[Serusers] Re: Radius Authentication and group checking

Rafael J. Risco G.V. rafael.risco at gmail.com
Tue Mar 29 01:08:41 CEST 2005


Hi
The ser.cfg I sent in my last email does not include the changes for radius auth;
I am testing with the radius prefix for is_user_in and www_authorize.
Anyway, this is the error I get when ser tries to check the group:

ERROR: No Digest-Nonce: Cannot perform Digest authentication
  modcall[authenticate]: module "digest" returns invalid for request 13
modcall: group authenticate returns invalid for request 13
auth: Failed to validate the user.

any idea?

rafael


On Mon, 28 Mar 2005 15:11:03 -0500, Rafael J. Risco G.V.
<rafael.risco at gmail.com> wrote:
> Hi
> 2 problems:
> 
> 1.- Finally I have been able to register users and authenticate
> INVITEs using the radius_www_authorize and proxy_www_authorize functions,
> but I can't use "radius_is_user_in" (from the group_radius module) for
> group checking before calling; has someone done this before? I
> need this for "Request-URI", to verify whether it belongs to the group
> "deactivated" in the Register process, or to verify whether the user is in the
> "voicemail" group, and the same for checking "from" or "credentials" (I can
> do it using the group.so module). Please see my ser.cfg and radiusd -X debug below.
> 
> 2.- There are no "check_to" or "check_from" functions in the uri_radius
> module... Is there any other way to do this using radius?
> 
> regards
> Rafael
> 
> PS: freeradius user file:
> 
> 6604321 at 10.0.1.22      Auth-Type := Digest, User-Password == "4321"
>                       Auth-Type := Accept, Sip-Group = "mobile"
> 
> SER.cfg:
> 
>               if (method == "REGISTER") {
>                       log(1, "ANALYZING REGISTER REQUEST\n");
>                       # to use digest authentication
>                       if (is_user_in("Request-URI", "deactivated")) {
>                               sl_send_reply("403","deactivated");
>                               break;
>                       };
> 
>                       if (!www_authorize("mydomain.com.pe", "subscriber")) {
>                               www_challenge("mydomain.com.pe", "0");
>                               break;
>                       };
> 
>                       # only registered users are allowed
>                       #if (!check_to()) {
>                       #        log(1, "LOG: Hijack attempt\n");
>                       #        sl_send_reply("403", "Only registered users..");
>                       #        break;
>                       #};
>                       log(1,"      Registered!!! \n");
>                       if (!save("location")) {
>                               sl_reply_error();
>                       };
>                       break;
>               };
> 
>               if (method == "INVITE" || method== "CANCEL" ) {
>                       log(1, "ANALYZING INVITE||CANCEL REQUESTs\n");
>                       if (!proxy_authorize("mydomain.com.pe", "subscriber")) {
>                               proxy_challenge("mydomain.com.pe", "1");
>                               break;
>                       };
>                        #} else {
>                       #if (method == "INVITE" && !check_from()) {
>                       #        sl_send_reply("403", "Only registered
> users...");
>                       #        break;
>                       #};
>                       #};
> 
>              /* ******** Dial out to Local and PSTN logic ****** */
> 
>               # Forward n digit requests to gateway AS5350 (Celulares)
>                       if(uri=~"^sip:9" ){
>                               log(1," digit expression match - Celulares\n");
>                               if (!is_user_in("from", "mobile")) {
>                                       sl_send_reply("403", "forbidden...");
>                                       break;
>                               };
>                               rewritehostport("GW_IP:5060");
>                               route(1);  ## to nathelper...
>                               break;
>                       };
>                };
> 
> Radiusd -X log when trying radius_is_user_in:
> 
> rad_recv: Access-Request packet from host 127.0.0.1:36944, id=200, length=323
>        User-Name = "6604321 at 10.0.1.22"
>        Digest-Attributes = 0x0a0936363034333231
>        Digest-Attributes = 0x010b31302e302e312e3232
>        Digest-Attributes = 0x022a34323438363231313832363734333330343564643863363961336530393638353034363533356538
>        Digest-Attributes = 0x04187369703a39393130393939304031302e302e312e3232
>        Digest-Attributes = 0x0308494e56495445
>        Digest-Attributes = 0x050661757468
>        Digest-Attributes = 0x090a3030303030353233
>        Digest-Attributes = 0x08223341394535413233394144323131443939334232303035304241373836433642
>        Digest-Response = "8c6af680ab513e39c16d38bc14c41fbc"
>        Service-Type = IAPP-Register
>        Sip-URI-User = "6604321"
>        Cisco-AVPair = "call-id=3A9E5A1E-9AD2-11D9-93B2-0050BA786C6B at 10.0.1.105"
>        NAS-IP-Address = 127.0.0.1
>        NAS-Port = 5060
>  Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 18
>  modcall[authorize]: module "preprocess" returns ok for request 18
>  modcall[authorize]: module "chap" returns noop for request 18
>  modcall[authorize]: module "mschap" returns noop for request 18
>    rlm_digest: Converting Digest-Attributes to something sane...
>        Digest-User-Name = "6604321"
>        Digest-Realm = "10.0.1.22"
>        Digest-Nonce = "424862118267433045dd8c69a3e09685046535e8"
>        Digest-URI = "sip:99109990 at 10.0.1.22"
>        Digest-Method = "INVITE"
>        Digest-QOP = "auth"
>        Digest-Nonce-Count = "00000523"
>        Digest-CNonce = "3A9E5A239AD211D993B20050BA786C6B"
> rlm_digest: Adding Auth-Type = DIGEST
>  modcall[authorize]: module "digest" returns ok for request 18
>    rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321 at 10.0.1.22"
>    rlm_realm: No such realm "10.0.1.22"
>  modcall[authorize]: module "suffix" returns noop for request 18
>  rlm_eap: No EAP-Message, not doing EAP
>  modcall[authorize]: module "eap" returns noop for request 18
>    users: Matched DEFAULT at 152
>    users: Matched 6604321 at 10.0.1.22 at 222
>  modcall[authorize]: module "files" returns ok for request 18
> modcall: group authorize returns ok for request 18
>  rad_check_password:  Found Auth-Type Digest
> auth: type "digest"
>  Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 18
> A1 = 6604321:10.0.1.22:4321
> A2 = INVITE:sip:99109990 at 10.0.1.22
> H(A1) = 65f1515ce902a1b9dc7886ddc77c96bf
> H(A2) = 087a284409aebfedefbc657a6a55fc29
> KD = 65f1515ce902a1b9dc7886ddc77c96bf:424862118267433045dd8c69a3e09685046535e8:00000523:3A9E5A239AD211D993B20050BA786C6B:auth:087a284409aebfedefbc657a6a55fc29
> EXPECTED 8c6af680ab513e39c16d38bc14c41fbc
> RECEIVED 8c6af680ab513e39c16d38bc14c41fbc
>  modcall[authenticate]: module "digest" returns ok for request 18
> modcall: group authenticate returns ok for request 18
> Sending Access-Accept of id 200 to 127.0.0.1:36944
>        Sip-Group = "mobile"
> Finished request 18
> 
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 127.0.0.1:36944, id=201, length=65
>        User-Name = "6604321 at 10.0.1.22"
>        Sip-Group = "mobile"
>        Service-Type = Voice
>        NAS-IP-Address = 127.0.0.1
>        NAS-Port = 0
>  Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 19
>  modcall[authorize]: module "preprocess" returns ok for request 19
>  modcall[authorize]: module "chap" returns noop for request 19
>  modcall[authorize]: module "mschap" returns noop for request 19
>  modcall[authorize]: module "digest" returns noop for request 19
>    rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321 at 10.0.1.22"
>    rlm_realm: No such realm "10.0.1.22"
>  modcall[authorize]: module "suffix" returns noop for request 19
>  rlm_eap: No EAP-Message, not doing EAP
>  modcall[authorize]: module "eap" returns noop for request 19
>    users: Matched DEFAULT at 152
>    users: Matched 6604321 at 10.0.1.22 at 222
>  modcall[authorize]: module "files" returns ok for request 19
> modcall: group authorize returns ok for request 19
>  rad_check_password:  Found Auth-Type Digest
> auth: type "digest"
>  Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 19
> ERROR: No Digest-Nonce: Cannot perform Digest authentication
>  modcall[authenticate]: module "digest" returns invalid for request 19
> modcall: group authenticate returns invalid for request 19
> auth: Failed to validate the user.
> Delaying request 19 for 1 seconds
> Finished request 19
> Going to the next request
> Waking up in 6 seconds...
> 
> rad_recv: Access-Request packet from host 127.0.0.1:36945, id=202, length=323
>        User-Name = "6604321 at 10.0.1.22"
>        Digest-Attributes = 0x0a0936363034333231
>        Digest-Attributes = 0x010b31302e302e312e3232
>        Digest-Attributes = 0x022a34323438363231313832363734333330343564643863363961336530393638353034363533356538
>        Digest-Attributes = 0x04187369703a39393130393939304031302e302e312e3232
>        Digest-Attributes = 0x0308494e56495445
>        Digest-Attributes = 0x050661757468
>        Digest-Attributes = 0x090a3030303030353233
>        Digest-Attributes = 0x08223341394535413234394144323131443939334232303035304241373836433642
>        Digest-Response = "f8421d39192c34c441a52f0a5f7c9939"
>        Service-Type = IAPP-Register
>        Sip-URI-User = "6604321"
>        Cisco-AVPair = "call-id=3A9E5A1E-9AD2-11D9-93B2-0050BA786C6B at 10.0.1.105"
>        NAS-IP-Address = 127.0.0.1
>        NAS-Port = 5060
>  Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 20
>  modcall[authorize]: module "preprocess" returns ok for request 20
>  modcall[authorize]: module "chap" returns noop for request 20
>  modcall[authorize]: module "mschap" returns noop for request 20
>    rlm_digest: Converting Digest-Attributes to something sane...
>        Digest-User-Name = "6604321"
>        Digest-Realm = "10.0.1.22"
>        Digest-Nonce = "424862118267433045dd8c69a3e09685046535e8"
>        Digest-URI = "sip:99109990 at 10.0.1.22"
>        Digest-Method = "INVITE"
>        Digest-QOP = "auth"
>        Digest-Nonce-Count = "00000523"
>        Digest-CNonce = "3A9E5A249AD211D993B20050BA786C6B"
> rlm_digest: Adding Auth-Type = DIGEST
>  modcall[authorize]: module "digest" returns ok for request 20
>    rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321 at 10.0.1.22"
>    rlm_realm: No such realm "10.0.1.22"
>  modcall[authorize]: module "suffix" returns noop for request 20
>  rlm_eap: No EAP-Message, not doing EAP
>  modcall[authorize]: module "eap" returns noop for request 20
>    users: Matched DEFAULT at 152
>    users: Matched 6604321 at 10.0.1.22 at 222
>  modcall[authorize]: module "files" returns ok for request 20
> modcall: group authorize returns ok for request 20
>  rad_check_password:  Found Auth-Type Digest
> auth: type "digest"
>  Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 20
> A1 = 6604321:10.0.1.22:4321
> A2 = INVITE:sip:99109990 at 10.0.1.22
> H(A1) = 65f1515ce902a1b9dc7886ddc77c96bf
> H(A2) = 087a284409aebfedefbc657a6a55fc29
> KD = 65f1515ce902a1b9dc7886ddc77c96bf:424862118267433045dd8c69a3e09685046535e8:00000523:3A9E5A249AD211D993B20050BA786C6B:auth:087a284409aebfedefbc657a6a55fc29
> EXPECTED f8421d39192c34c441a52f0a5f7c9939
> RECEIVED f8421d39192c34c441a52f0a5f7c9939
>  modcall[authenticate]: module "digest" returns ok for request 20
> modcall: group authenticate returns ok for request 20
> Sending Access-Accept of id 202 to 127.0.0.1:36945
>        Sip-Group = "mobile"
> Finished request 20
> Going to the next request
> 
> --- Walking the entire request list ---
> Sending Access-Reject of id 201 to 127.0.0.1:36944
> Waking up in 4 seconds...
> rad_recv: Access-Request packet from host 127.0.0.1:36945, id=203, length=65
>        User-Name = "6604321 at 10.0.1.22"
>        Sip-Group = "mobile"
>        Service-Type = Voice
>        NAS-IP-Address = 127.0.0.1
>        NAS-Port = 0
>  Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 21
>  modcall[authorize]: module "preprocess" returns ok for request 21
>  modcall[authorize]: module "chap" returns noop for request 21
>  modcall[authorize]: module "mschap" returns noop for request 21
>  modcall[authorize]: module "digest" returns noop for request 21
>    rlm_realm: Looking up realm "10.0.1.22" for User-Name = "6604321 at 10.0.1.22"
>    rlm_realm: No such realm "10.0.1.22"
>  modcall[authorize]: module "suffix" returns noop for request 21
>  rlm_eap: No EAP-Message, not doing EAP
>  modcall[authorize]: module "eap" returns noop for request 21
>    users: Matched DEFAULT at 152
>    users: Matched 6604321 at 10.0.1.22 at 222
>  modcall[authorize]: module "files" returns ok for request 21
> modcall: group authorize returns ok for request 21
>  rad_check_password:  Found Auth-Type Digest
> auth: type "digest"
>  Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 21
> ERROR: No Digest-Nonce: Cannot perform Digest authentication
>  modcall[authenticate]: module "digest" returns invalid for request 21
> modcall: group authenticate returns invalid for request 21
> auth: Failed to validate the user.
> Delaying request 21 for 1 seconds
> Finished request 21
> Going to the next request
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 18 ID 200 with timestamp 424860e5
> Cleaning up request 19 ID 201 with timestamp 424860e5
> Sending Access-Reject of id 203 to 127.0.0.1:36945
> Waking up in 2 seconds...
> 


-- 

rrgv
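The Digest exchange in the radiusd -X trace above, as an added example that is not part of the original thread and not SER or FreeRADIUS code: it decodes the Digest-Attributes TLVs the way rlm_digest's "Converting Digest-Attributes to something sane" step does, recomputes the RFC 2617 response (the A1/A2/KD lines) from the users-file password, and shows why the second request that radius_is_user_in sends (User-Name, Sip-Group, Service-Type = Voice, no Digest attributes) can only end in "No Digest-Nonce". The hex values and password "4321" are copied from request 18 and the users file; the "@" that the archive renders as " at " is restored, and the sub-type numbering follows the FreeRADIUS dictionary.

```python
import hashlib

# Sub-type codes rlm_digest expects inside the Digest-Attributes blob (FreeRADIUS dictionary).
DIGEST_SUBTYPES = {1: "realm", 2: "nonce", 3: "method", 4: "uri", 5: "qop", 6: "algorithm",
                   7: "body-digest", 8: "cnonce", 9: "nc", 10: "username"}

# Constructed input: Digest-Attributes and Digest-Response of request 18 in the posted trace.
REQUEST_18 = [
    "0x0a0936363034333231",
    "0x010b31302e302e312e3232",
    "0x022a34323438363231313832363734333330343564643863363961336530393638353034363533356538",
    "0x04187369703a39393130393939304031302e302e312e3232",
    "0x0308494e56495445",
    "0x050661757468",
    "0x090a3030303030353233",
    "0x08223341394535413233394144323131443939334232303035304241373836433642",
]
REQUEST_18_RESPONSE = "8c6af680ab513e39c16d38bc14c41fbc"
# Request 19 (the radius_is_user_in check) carries no Digest-Attributes at all.
REQUEST_19 = []
PASSWORD = "4321"   # User-Password from the posted users file entry

def parse_digest_attributes(hex_values):
    """Decode each type/length/value blob into the Digest-* names rlm_digest prints."""
    attrs = {}
    for hv in hex_values:
        raw = bytes.fromhex(hv[2:] if hv.startswith("0x") else hv)
        subtype, length = raw[0], raw[1]
        if length != len(raw) or length < 2 or subtype not in DIGEST_SUBTYPES:
            raise ValueError(f"malformed Digest-Attributes TLV: {hv}")
        attrs[DIGEST_SUBTYPES[subtype]] = raw[2:].decode("ascii")
    return attrs

def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def expected_digest_response(attrs, password):
    """RFC 2617 qop=auth response, i.e. the A1/A2/KD lines of the trace; None without a nonce."""
    if "nonce" not in attrs:        # the 'No Digest-Nonce' error: nothing to authenticate against
        return None
    ha1 = md5hex(f"{attrs['username']}:{attrs['realm']}:{password}")
    ha2 = md5hex(f"{attrs['method']}:{attrs['uri']}")
    kd = ":".join([ha1, attrs["nonce"], attrs["nc"], attrs["cnonce"], attrs["qop"], ha2])
    return md5hex(kd)

def digest_ok(hex_values, digest_response, password):
    """True only when the request carries a complete digest and it matches the password."""
    expected = expected_digest_response(parse_digest_attributes(hex_values), password)
    return expected is not None and expected == digest_response
```

digest_ok(REQUEST_18, REQUEST_18_RESPONSE, PASSWORD) reproduces the EXPECTED/RECEIVED match of request 18, while digest_ok(REQUEST_19, "", PASSWORD) is False because the group-check request has no nonce to verify against, which is exactly what the users-file line "Auth-Type := Digest" forces the server to attempt.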




More information about the sr-users mailing list