[Users] How can I send radius authentication packet with openser

Arda Tekin arda at nicivr.com
Mon Nov 28 01:18:53 CET 2005


OK. I have found the problem:

First I made some modifiacations:
in the radiusclient.conf
auth_order  radius
authserver  192.168.1.3:1812
acctserver  192.168.1.3:1813
dictionary      /usr/local/etc/radiusclient-ng/dictionary   (this files is 
the modified. dictionary.radius+dictionary = dictionary)

in the openser.cfg
 if (!radius_www_authorize("")) {
     www_challenge("", "1");
     exit;
 };
http://www.iptel.org/ser/doc/ser_radius/ser_radius.html --> good reference

But there is still the same problem. rc_auth fails. Because when I check 
radiusclient-ng.0.5.2 release notes, I see that
"Change default bindaddr from localhost to *, this is better default choice; 
"
When I replaced  "bindaddr *" with "bindaddr localhost" then openser could 
send the radius authentication packet successfully.


But I have a new problem. I get access-reject from radius server. Because 
Radius server does not like the authentication packet parameters.

Radius Access-Request packet
---------------------------------
Frame 4 (285 bytes on wire, 285 bytes captured)
Ethernet II, Src: 00:0c:29:66:be:30, Dst: 00:0f:66:bf:e3:26
Internet Protocol, Src Addr: 192.168.1.5 (192.168.1.5), Dst Addr: 
192.168.1.3 (192.168.1.3)
User Datagram Protocol, Src Port: 33029 (33029), Dst Port: radius (1812)
Radius Protocol
    Code: Access Request (1)
    Packet identifier: 0x82 (130)
    Length: 243
    Authenticator: 0xD111DF9D4AB93482DDFE5494DA739935
    Attribute value pairs
        t:User Name(1) l:21, Value:"openser at 192.168.1.5"
            User-Name: openser at 192.168.1.5
        t:Unknown Type(207) l:11, Value:Unknown Value Type
        t:Unknown Type(207) l:15, Value:Unknown Value Type
        t:Unknown Type(207) l:44, Value:Unknown Value Type
        t:Unknown Type(207) l:19, Value:Unknown Value Type
        t:Unknown Type(207) l:12, Value:Unknown Value Type
        t:Unknown Type(207) l:8, Value:Unknown Value Type
        t:Unknown Type(207) l:12, Value:Unknown Value Type
        t:Unknown Type(207) l:20, Value:Unknown Value Type
        t:Unknown Type(206) l:34, Value:Unknown Value Type
        t:Service Type(6) l:6, Value:IAPP-Register(15)
            Service-Type: IAPP-Register (15)
        t:Unknown Type(208) l:9, Value:Unknown Value Type
        t:NAS Port(5) l:6, Value:5060
        t:NAS IP Address(4) l:6, Value:192.168.1.5
            Nas IP Address: 192.168.1.5 (192.168.1.5)
---------------------------------

Radius Access-Reject packet
---------------------------------
Frame 5 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: 00:0f:66:bf:e3:26, Dst: 00:0c:29:66:be:30
Internet Protocol, Src Addr: 192.168.1.3 (192.168.1.3), Dst Addr: 
192.168.1.5 (192.168.1.5)
User Datagram Protocol, Src Port: radius (1812), Dst Port: 33029 (33029)
Radius Protocol
    Code: Access Reject (3)
    Packet identifier: 0x82 (130)
    Length: 20
    Authenticator: 0xD0427CE5ECB9E77369587E30B48D0B99
-------------------------------------


So I need to modify the outgoing packet params. Is it possible? And Can I 
also send additional "Vendor Specific Attribute" parameters?

Regards

Arda















----- Original Message ----- 
From: "Arda Tekin" <arda at nicivr.com>
To: "Bogdan-Andrei Iancu" <bogdan at voice-system.ro>
Cc: <users at openser.org>
Sent: Saturday, November 26, 2005 2:40 PM
Subject: Re: [Users] How can I send radius authentication packet with 
openser


>I have also compiled "avp_radius" module and load it in openser.cfg. 
>Nothing
> changed.
>
> Sip Client IP: 192.168.1.2
> OpenSER: 192.168.1.5
> Radius Server: 192.168.1.3
>
> Here is the openser debug log:
> ------------------------------------
> [root at localhost openser]#  6(2884) SIP Request:
> 6(2884)  method:  <REGISTER>
> 6(2884)  uri:     <sip:192.168.1.5>
> 6(2884)  version: <SIP/2.0>
> 6(2884) parse_headers: flags=2
> 6(2884) DEBUG:parse_to:end of header reached, state=9
> 6(2884) DEBUG: get_hdr_field: <To> [36]; uri=[sip:arda at 192.168.1.5]
> 6(2884) DEBUG: to body [arda_eyebeam<sip:arda at 192.168.1.5>
> ]
> 6(2884) Found param type 232, <branch> = 
> <z9hG4bK-d87543-622802375-1--d87543->; state=6
> 6(2884) Found param type 235, <rport> = <n/a>; state=17
> 6(2884) end of header reached, state=5
> 6(2884) parse_headers: Via found, flags=2
> 6(2884) parse_headers: this is the first via
> 6(2884) After parse_msg...
> 6(2884) preparing to run routing scripts...
> 6(2884) parse_headers: flags=100
> 6(2884) get_hdr_field: cseq <CSeq>: <1> <REGISTER>
> 6(2884) DEBUG:maxfwd:is_maxfwd_present: value = 70
> 6(2884) parse_headers: flags=200
> 6(2884) DEBUG: get_hdr_body : content_length=0
> 6(2884) found end of header
> 6(2884) find_first_route: No Route headers found
> 6(2884) loose_route: There is no Route HF
> 6(2884) grep_sock_info - checking if host==us: 11==9 &&  [192.168.1.5] == 
> [127.0.0.1]
> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
> 6(2884) grep_sock_info - checking if host==us: 11==11 &&  [192.168.1.5] == 
> [192.168.1.5]
> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
> 6(2884) grep_sock_info - checking if host==us: 11==9 &&  [192.168.1.5] == 
> [127.0.0.1]
> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
> 6(2884) grep_sock_info - checking if host==us: 11==11 &&  [192.168.1.5] == 
> [192.168.1.5]
> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
> 6(2884) parse_headers: flags=2000
> 6(2884) pre_auth(): Credentials with given realm not found
> 6(2884) REGISTER: challenging user2
> 6(2884) build_auth_hf(): 'WWW-Authenticate: Digest realm="192.168.1.5", 
> nonce="438222d8c7aac499351c46bad60c32a2c03eb751"
> '
> 6(2884) parse_headers: flags=ffffffffffffffff
> 6(2884) check_via_address(192.168.1.2, 192.168.1.2, 0)
> 6(2884) DEBUG:destroy_avp_list: destroying list (nil)
> 6(2884) receive_msg: cleaning up
> 6(2884) SIP Request:
> 6(2884)  method:  <REGISTER>
> 6(2884)  uri:     <sip:192.168.1.5>
> 6(2884)  version: <SIP/2.0>
> 6(2884) parse_headers: flags=2
> 6(2884) DEBUG:parse_to:end of header reached, state=9
> 6(2884) DEBUG: get_hdr_field: <To> [36]; uri=[sip:arda at 192.168.1.5]
> 6(2884) DEBUG: to body [arda_eyebeam<sip:arda at 192.168.1.5>
> ]
> 6(2884) Found param type 232, <branch> = 
> <z9hG4bK-d87543-907902613-1--d87543->; state=6
> 6(2884) Found param type 235, <rport> = <n/a>; state=17
> 6(2884) end of header reached, state=5
> 6(2884) parse_headers: Via found, flags=2
> 6(2884) parse_headers: this is the first via
> 6(2884) After parse_msg...
> 6(2884) preparing to run routing scripts...
> 6(2884) parse_headers: flags=100
> 6(2884) get_hdr_field: cseq <CSeq>: <2> <REGISTER>
> 6(2884) DEBUG:maxfwd:is_maxfwd_present: value = 70
> 6(2884) parse_headers: flags=200
> 6(2884) DEBUG: get_hdr_body : content_length=0
> 6(2884) found end of header
> 6(2884) find_first_route: No Route headers found
> 6(2884) loose_route: There is no Route HF
> 6(2884) grep_sock_info - checking if host==us: 11==9 &&  [192.168.1.5] == 
> [127.0.0.1]
> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
> 6(2884) grep_sock_info - checking if host==us: 11==11 &&  [192.168.1.5] == 
> [192.168.1.5]
> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
> 6(2884) grep_sock_info - checking if host==us: 11==9 &&  [192.168.1.5] == 
> [127.0.0.1]
> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
> 6(2884) grep_sock_info - checking if host==us: 11==11 &&  [192.168.1.5] == 
> [192.168.1.5]
> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
> 6(2884) check_nonce(): comparing 
> [438222d8c7aac499351c46bad60c32a2c03eb751] and 
> [438222d8c7aac499351c46bad60c32a2c03eb751]
> 6(2884) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
> 6(2884) REGISTER: challenging user2
> 6(2884) build_auth_hf(): 'WWW-Authenticate: Digest realm="192.168.1.5", 
> nonce="438222d8c7aac499351c46bad60c32a2c03eb751"
> '
> 6(2884) parse_headers: flags=ffffffffffffffff
> 6(2884) check_via_address(192.168.1.2, 192.168.1.2, 0)
> 6(2884) DEBUG:destroy_avp_list: destroying list (nil)
> 6(2884) receive_msg: cleaning up
> -------------------------------------------
>
> As I see in the sterman.c source rc_auth fails:
>
> /* Send request */
> if ((i = rc_auth(rh, SIP_PORT, send, &received, msg)) == OK_RC) {
>    DBG("DEBUG:auth_radius:radius_authorize_sterman: Success\n");
>    rc_avpair_free(send);
>    send = 0;
>
>    generate_avps(received);
>
>    rc_avpair_free(received);
>    return 1;
> } else {
>    LOG(L_ERR,"ERROR:auth_radius:radius_authorize_sterman: "
>    "rc_auth failed\n");
>    goto err;
> }
>
> Any opinion?
>
> Thanks in advance
>
> Arda
>
>
>
>
>
> ----- Original Message ----- 
> From: "Bogdan-Andrei Iancu" <bogdan at voice-system.ro>
> To: "Arda Tekin" <arda at nicivr.com>
> Cc: <users at openser.org>
> Sent: Friday, November 25, 2005 5:00 PM
> Subject: Re: [Users] How can I send radius authentication packet with 
> openser
>
>
>> Hi Arda,
>>
>> you need to use auth_radius for this purpose. See:
>>    http://www.openser.org/docs/modules/1.1.x/auth_radius.html
>>
>> regards,
>> bogdan
>>
>> Arda Tekin wrote:
>>
>>> Hi,
>>>  I have installed openser, mysql, radiusclient-ng-0.5.2 successfully on 
>>> REL3.0. openser works well with mysql. I need to send a radius 
>>> authentication packet to a radius server(according to RFC2865).
>>> Packet contains base params:
>>>
>>> User-name                    (attr.1)                    $Username
>>>
>>> Password                      (attr.2)                    $Password
>>>
>>> NAS-Identifier                (attr.4) (auto-generated)
>>>
>>> NAS-Port                      (attr.5)                    $uref
>>>
>>> State                            (attr.24)                  0
>>>
>>> Client-Port-DNIS            (attr.30)                  NONE
>>>
>>> Caller-Id                        (attr.31)                  $calling
>>>
>>>  I can not find a clear sample about radius. Which module is used for 
>>> this purpose?
>>>  Regards
>>>  Arda
>>>
>>>------------------------------------------------------------------------
>>>
>>>_______________________________________________
>>>Users mailing list
>>>Users at openser.org
>>>http://openser.org/cgi-bin/mailman/listinfo/users
>>>
>>
>
>
> _______________________________________________
> Users mailing list
> Users at openser.org
> http://openser.org/cgi-bin/mailman/listinfo/users 





More information about the sr-users mailing list