[Users] How can I send radius authentication packet with openser
Arda Tekin
arda at nicivr.com
Mon Nov 28 01:18:53 CET 2005
OK. I have found the problem:
First I made some modifications:

in the radiusclient.conf

    auth_order radius
    authserver 192.168.1.3:1812
    acctserver 192.168.1.3:1813
    dictionary /usr/local/etc/radiusclient-ng/dictionary

(this file is the modified one: dictionary.radius + dictionary = dictionary)

in the openser.cfg

    if (!radius_www_authorize("")) {
        www_challenge("", "1");
        exit;
    };

http://www.iptel.org/ser/doc/ser_radius/ser_radius.html --> good reference
But there is still the same problem: rc_auth fails. When I check the
radiusclient-ng.0.5.2 release notes, I see that
"Change default bindaddr from localhost to *, this is better default choice;"
When I replaced "bindaddr *" with "bindaddr localhost", openser could
send the radius authentication packet successfully.
But I have a new problem. I get an access-reject from the radius server,
because the radius server does not like the authentication packet parameters.
Radius Access-Request packet
---------------------------------
Frame 4 (285 bytes on wire, 285 bytes captured)
Ethernet II, Src: 00:0c:29:66:be:30, Dst: 00:0f:66:bf:e3:26
Internet Protocol, Src Addr: 192.168.1.5 (192.168.1.5), Dst Addr: 192.168.1.3 (192.168.1.3)
User Datagram Protocol, Src Port: 33029 (33029), Dst Port: radius (1812)
Radius Protocol
Code: Access Request (1)
Packet identifier: 0x82 (130)
Length: 243
Authenticator: 0xD111DF9D4AB93482DDFE5494DA739935
Attribute value pairs
t:User Name(1) l:21, Value:"openser at 192.168.1.5"
User-Name: openser at 192.168.1.5
t:Unknown Type(207) l:11, Value:Unknown Value Type
t:Unknown Type(207) l:15, Value:Unknown Value Type
t:Unknown Type(207) l:44, Value:Unknown Value Type
t:Unknown Type(207) l:19, Value:Unknown Value Type
t:Unknown Type(207) l:12, Value:Unknown Value Type
t:Unknown Type(207) l:8, Value:Unknown Value Type
t:Unknown Type(207) l:12, Value:Unknown Value Type
t:Unknown Type(207) l:20, Value:Unknown Value Type
t:Unknown Type(206) l:34, Value:Unknown Value Type
t:Service Type(6) l:6, Value:IAPP-Register(15)
Service-Type: IAPP-Register (15)
t:Unknown Type(208) l:9, Value:Unknown Value Type
t:NAS Port(5) l:6, Value:5060
t:NAS IP Address(4) l:6, Value:192.168.1.5
Nas IP Address: 192.168.1.5 (192.168.1.5)
---------------------------------
Radius Access-Reject packet
---------------------------------
Frame 5 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: 00:0f:66:bf:e3:26, Dst: 00:0c:29:66:be:30
Internet Protocol, Src Addr: 192.168.1.3 (192.168.1.3), Dst Addr: 192.168.1.5 (192.168.1.5)
User Datagram Protocol, Src Port: radius (1812), Dst Port: 33029 (33029)
Radius Protocol
Code: Access Reject (3)
Packet identifier: 0x82 (130)
Length: 20
Authenticator: 0xD0427CE5ECB9E77369587E30B48D0B99
-------------------------------------
So I need to modify the outgoing packet params. Is it possible? And can I
also send additional "Vendor Specific Attribute" parameters?
Regards
Arda
----- Original Message -----
From: "Arda Tekin" <arda at nicivr.com>
To: "Bogdan-Andrei Iancu" <bogdan at voice-system.ro>
Cc: <users at openser.org>
Sent: Saturday, November 26, 2005 2:40 PM
Subject: Re: [Users] How can I send radius authentication packet with
openser
> I have also compiled "avp_radius" module and load it in openser.cfg.
> Nothing changed.
>
> Sip Client IP: 192.168.1.2
> OpenSER: 192.168.1.5
> Radius Server: 192.168.1.3
>
> Here is the openser debug log:
> ------------------------------------
> [root at localhost openser]# 6(2884) SIP Request:
> 6(2884) method: <REGISTER>
> 6(2884) uri: <sip:192.168.1.5>
> 6(2884) version: <SIP/2.0>
> 6(2884) parse_headers: flags=2
> 6(2884) DEBUG:parse_to:end of header reached, state=9
> 6(2884) DEBUG: get_hdr_field: <To> [36]; uri=[sip:arda at 192.168.1.5]
> 6(2884) DEBUG: to body [arda_eyebeam<sip:arda at 192.168.1.5>
> ]
> 6(2884) Found param type 232, <branch> =
> <z9hG4bK-d87543-622802375-1--d87543->; state=6
> 6(2884) Found param type 235, <rport> = <n/a>; state=17
> 6(2884) end of header reached, state=5
> 6(2884) parse_headers: Via found, flags=2
> 6(2884) parse_headers: this is the first via
> 6(2884) After parse_msg...
> 6(2884) preparing to run routing scripts...
> 6(2884) parse_headers: flags=100
> 6(2884) get_hdr_field: cseq <CSeq>: <1> <REGISTER>
> 6(2884) DEBUG:maxfwd:is_maxfwd_present: value = 70
> 6(2884) parse_headers: flags=200
> 6(2884) DEBUG: get_hdr_body : content_length=0
> 6(2884) found end of header
> 6(2884) find_first_route: No Route headers found
> 6(2884) loose_route: There is no Route HF
> 6(2884) grep_sock_info - checking if host==us: 11==9 && [192.168.1.5] ==
> [127.0.0.1]
> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
> 6(2884) grep_sock_info - checking if host==us: 11==11 && [192.168.1.5] ==
> [192.168.1.5]
> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
> 6(2884) grep_sock_info - checking if host==us: 11==9 && [192.168.1.5] ==
> [127.0.0.1]
> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
> 6(2884) grep_sock_info - checking if host==us: 11==11 && [192.168.1.5] ==
> [192.168.1.5]
> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
> 6(2884) parse_headers: flags=2000
> 6(2884) pre_auth(): Credentials with given realm not found
> 6(2884) REGISTER: challenging user2
> 6(2884) build_auth_hf(): 'WWW-Authenticate: Digest realm="192.168.1.5",
> nonce="438222d8c7aac499351c46bad60c32a2c03eb751"
> '
> 6(2884) parse_headers: flags=ffffffffffffffff
> 6(2884) check_via_address(192.168.1.2, 192.168.1.2, 0)
> 6(2884) DEBUG:destroy_avp_list: destroying list (nil)
> 6(2884) receive_msg: cleaning up
> 6(2884) SIP Request:
> 6(2884) method: <REGISTER>
> 6(2884) uri: <sip:192.168.1.5>
> 6(2884) version: <SIP/2.0>
> 6(2884) parse_headers: flags=2
> 6(2884) DEBUG:parse_to:end of header reached, state=9
> 6(2884) DEBUG: get_hdr_field: <To> [36]; uri=[sip:arda at 192.168.1.5]
> 6(2884) DEBUG: to body [arda_eyebeam<sip:arda at 192.168.1.5>
> ]
> 6(2884) Found param type 232, <branch> =
> <z9hG4bK-d87543-907902613-1--d87543->; state=6
> 6(2884) Found param type 235, <rport> = <n/a>; state=17
> 6(2884) end of header reached, state=5
> 6(2884) parse_headers: Via found, flags=2
> 6(2884) parse_headers: this is the first via
> 6(2884) After parse_msg...
> 6(2884) preparing to run routing scripts...
> 6(2884) parse_headers: flags=100
> 6(2884) get_hdr_field: cseq <CSeq>: <2> <REGISTER>
> 6(2884) DEBUG:maxfwd:is_maxfwd_present: value = 70
> 6(2884) parse_headers: flags=200
> 6(2884) DEBUG: get_hdr_body : content_length=0
> 6(2884) found end of header
> 6(2884) find_first_route: No Route headers found
> 6(2884) loose_route: There is no Route HF
> 6(2884) grep_sock_info - checking if host==us: 11==9 && [192.168.1.5] ==
> [127.0.0.1]
> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
> 6(2884) grep_sock_info - checking if host==us: 11==11 && [192.168.1.5] ==
> [192.168.1.5]
> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
> 6(2884) grep_sock_info - checking if host==us: 11==9 && [192.168.1.5] ==
> [127.0.0.1]
> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
> 6(2884) grep_sock_info - checking if host==us: 11==11 && [192.168.1.5] ==
> [192.168.1.5]
> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
> 6(2884) check_nonce(): comparing
> [438222d8c7aac499351c46bad60c32a2c03eb751] and
> [438222d8c7aac499351c46bad60c32a2c03eb751]
> 6(2884) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
> 6(2884) REGISTER: challenging user2
> 6(2884) build_auth_hf(): 'WWW-Authenticate: Digest realm="192.168.1.5",
> nonce="438222d8c7aac499351c46bad60c32a2c03eb751"
> '
> 6(2884) parse_headers: flags=ffffffffffffffff
> 6(2884) check_via_address(192.168.1.2, 192.168.1.2, 0)
> 6(2884) DEBUG:destroy_avp_list: destroying list (nil)
> 6(2884) receive_msg: cleaning up
> -------------------------------------------
>
> As I see in the sterman.c source rc_auth fails:
>
>     /* Send request */
>     if ((i = rc_auth(rh, SIP_PORT, send, &received, msg)) == OK_RC) {
>         DBG("DEBUG:auth_radius:radius_authorize_sterman: Success\n");
>         rc_avpair_free(send);
>         send = 0;
>
>         generate_avps(received);
>
>         rc_avpair_free(received);
>         return 1;
>     } else {
>         LOG(L_ERR,"ERROR:auth_radius:radius_authorize_sterman: "
>             "rc_auth failed\n");
>         goto err;
>     }
>
> Any opinion?
>
> Thanks in advance
>
> Arda
>
>
>
>
>
> ----- Original Message -----
> From: "Bogdan-Andrei Iancu" <bogdan at voice-system.ro>
> To: "Arda Tekin" <arda at nicivr.com>
> Cc: <users at openser.org>
> Sent: Friday, November 25, 2005 5:00 PM
> Subject: Re: [Users] How can I send radius authentication packet with
> openser
>
>
>> Hi Arda,
>>
>> you need to use auth_radius for this purpose. See:
>> http://www.openser.org/docs/modules/1.1.x/auth_radius.html
>>
>> regards,
>> bogdan
>>
>> Arda Tekin wrote:
>>
>>> Hi,
>>> I have installed openser, mysql, radiusclient-ng-0.5.2 successfully on
>>> REL3.0. openser works well with mysql. I need to send a radius
>>> authentication packet to a radius server(according to RFC2865).
>>> Packet contains base params:
>>>
>>> User-name (attr.1) $Username
>>>
>>> Password (attr.2) $Password
>>>
>>> NAS-Identifier (attr.4) (auto-generated)
>>>
>>> NAS-Port (attr.5) $uref
>>>
>>> State (attr.24) 0
>>>
>>> Client-Port-DNIS (attr.30) NONE
>>>
>>> Caller-Id (attr.31) $calling
>>>
>>> I can not find a clear sample about radius. Which module is used for
>>> this purpose?
>>> Regards
>>> Arda
>>>
>>>------------------------------------------------------------------------
>>>
>>>_______________________________________________
>>>Users mailing list
>>>Users at openser.org
>>>http://openser.org/cgi-bin/mailman/listinfo/users
>>>
>>
>
>
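
Added example, not part of the original thread and not OpenSER or radiusclient-ng code: a small decoder for the Access-Request layout shown in the capture, which names the attributes the dissector printed as "Unknown Type". It assumes the attribute numbering of draft-sterman-aaa-sip (206 Digest-Response, 207 Digest-Attributes carrying nested sub-attributes) and the SER dictionary entry 208 Sip-Uri-User. The sample packet is constructed to reproduce the capture's attribute order and lengths (243 bytes); its digest values are placeholders, not the captured bytes.

```python
import struct

# Numbering assumed from draft-sterman-aaa-sip (206, 207) and the SER dictionary (208).
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
         206: "Digest-Response", 207: "Digest-Attributes", 208: "Sip-Uri-User"}
DIGEST_SUB = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 5: "QOP", 6: "Algorithm",
              7: "Body-Digest", 8: "CNonce", 9: "Nonce-Count", 10: "User-Name"}

def tlvs(buf):
    """Yield (type, value) from 1-byte type / 1-byte length TLVs (length includes header)."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError(f"malformed attribute at offset {pos}")
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def decode(packet):
    """Return (code, identifier, [(name, value), ...]) for one RADIUS packet."""
    if len(packet) < 20 or not 20 <= int.from_bytes(packet[2:4], "big") <= len(packet):
        raise ValueError("short packet or Length field does not fit the datagram")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    out = []
    for t, v in tlvs(packet[20:length]):
        name = ATTRS.get(t, f"Unknown-{t}")
        if t == 207:    # container: unpack the nested digest sub-attributes
            out += [(f"Digest-{DIGEST_SUB.get(st, st)}", sv.decode("latin-1")) for st, sv in tlvs(v)]
        elif t in (5, 6):
            out.append((name, int.from_bytes(v, "big")))
        elif t == 4:
            out.append((name, ".".join(map(str, v))))
        else:
            out.append((name, v.decode("latin-1")))
    return code, ident, out

def avp(t, v):
    return bytes([t, len(v) + 2]) + v

def sample_request():
    """Constructed Access-Request with the capture's attribute order and lengths."""
    dig = lambda st, s: avp(207, avp(st, s.encode()))
    body = b"".join([
        avp(1, b"openser@192.168.1.5"), dig(10, "openser"), dig(1, "192.168.1.5"),
        dig(2, "438222d8c7aac499351c46bad60c32a2c03eb751"), dig(4, "sip:192.168.1.5"),
        dig(3, "REGISTER"), dig(5, "auth"), dig(9, "00000001"),
        dig(8, "0123456789abcdef"), avp(206, b"0" * 32),  # qop/nc/cnonce/response: placeholders
        avp(6, (15).to_bytes(4, "big")), avp(208, b"openser"),  # 208 value: placeholder
        avp(5, (5060).to_bytes(4, "big")), avp(4, bytes([192, 168, 1, 5]))])
    return struct.pack("!BBH", 1, 0x82, 20 + len(body)) + bytes.fromhex("D111DF9D4AB93482DDFE5494DA739935") + body
```

Service-Type 15 is listed by the dissector under its IANA name; the decoder prints the raw number so it can be compared with whatever the RADIUS server's dictionary defines for it.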