[Users] How can I send radius authentication packet with openser

Bogdan-Andrei Iancu bogdan at voice-system.ro
Wed Nov 30 17:37:47 CET 2005


Hi,

You cannot alter the content of the RADIUS auth request unless you get 
into the sources. Are you sure you need to do this? Isn't it just a matter 
of configuration on your RADIUS server? What server are you using? And 
what is the logged error from the server?

regards,
bogdan


Arda Tekin wrote:

> OK. I have found the problem:
>
> First I made some modifications:
> in the radiusclient.conf
> auth_order  radius
> authserver  192.168.1.3:1812
> acctserver  192.168.1.3:1813
> dictionary      /usr/local/etc/radiusclient-ng/dictionary   (this 
> file is the modified one: dictionary.radius + dictionary = dictionary)
>
> in the openser.cfg
> if (!radius_www_authorize("")) {
>     www_challenge("", "1");
>     exit;
> };
> http://www.iptel.org/ser/doc/ser_radius/ser_radius.html --> good 
> reference
>
> But there is still the same problem. rc_auth fails. Because when I 
> check radiusclient-ng.0.5.2 release notes, I see that
> "Change default bindaddr from localhost to *, this is better default 
> choice; "
> When I replaced  "bindaddr *" with "bindaddr localhost" then openser 
> could send the radius authentication packet successfully.
>
>
> But I have a new problem. I get access-reject from radius server. 
> Because Radius server does not like the authentication packet parameters.
>
> Radius Access-Request packet
> ---------------------------------
> Frame 4 (285 bytes on wire, 285 bytes captured)
> Ethernet II, Src: 00:0c:29:66:be:30, Dst: 00:0f:66:bf:e3:26
> Internet Protocol, Src Addr: 192.168.1.5 (192.168.1.5), Dst Addr: 
> 192.168.1.3 (192.168.1.3)
> User Datagram Protocol, Src Port: 33029 (33029), Dst Port: radius (1812)
> Radius Protocol
>    Code: Access Request (1)
>    Packet identifier: 0x82 (130)
>    Length: 243
>    Authenticator: 0xD111DF9D4AB93482DDFE5494DA739935
>    Attribute value pairs
>        t:User Name(1) l:21, Value:"openser at 192.168.1.5"
>            User-Name: openser at 192.168.1.5
>        t:Unknown Type(207) l:11, Value:Unknown Value Type
>        t:Unknown Type(207) l:15, Value:Unknown Value Type
>        t:Unknown Type(207) l:44, Value:Unknown Value Type
>        t:Unknown Type(207) l:19, Value:Unknown Value Type
>        t:Unknown Type(207) l:12, Value:Unknown Value Type
>        t:Unknown Type(207) l:8, Value:Unknown Value Type
>        t:Unknown Type(207) l:12, Value:Unknown Value Type
>        t:Unknown Type(207) l:20, Value:Unknown Value Type
>        t:Unknown Type(206) l:34, Value:Unknown Value Type
>        t:Service Type(6) l:6, Value:IAPP-Register(15)
>            Service-Type: IAPP-Register (15)
>        t:Unknown Type(208) l:9, Value:Unknown Value Type
>        t:NAS Port(5) l:6, Value:5060
>        t:NAS IP Address(4) l:6, Value:192.168.1.5
>            Nas IP Address: 192.168.1.5 (192.168.1.5)
> ---------------------------------
>
> Radius Access-Reject packet
> ---------------------------------
> Frame 5 (62 bytes on wire, 62 bytes captured)
> Ethernet II, Src: 00:0f:66:bf:e3:26, Dst: 00:0c:29:66:be:30
> Internet Protocol, Src Addr: 192.168.1.3 (192.168.1.3), Dst Addr: 
> 192.168.1.5 (192.168.1.5)
> User Datagram Protocol, Src Port: radius (1812), Dst Port: 33029 (33029)
> Radius Protocol
>    Code: Access Reject (3)
>    Packet identifier: 0x82 (130)
>    Length: 20
>    Authenticator: 0xD0427CE5ECB9E77369587E30B48D0B99
> -------------------------------------
>
>
> So I need to modify the outgoing packet params. Is it possible? And 
> can I also send additional "Vendor Specific Attribute" parameters?
>
> Regards
>
> Arda
>
> ----- Original Message ----- From: "Arda Tekin" <arda at nicivr.com>
> To: "Bogdan-Andrei Iancu" <bogdan at voice-system.ro>
> Cc: <users at openser.org>
> Sent: Saturday, November 26, 2005 2:40 PM
> Subject: Re: [Users] How can I send radius authentication packet with 
> openser
>
>
>> I have also compiled "avp_radius" module and load it in openser.cfg. 
>> Nothing
>> changed.
>>
>> Sip Client IP: 192.168.1.2
>> OpenSER: 192.168.1.5
>> Radius Server: 192.168.1.3
>>
>> Here is the openser debug log:
>> ------------------------------------
>> [root at localhost openser]#  6(2884) SIP Request:
>> 6(2884)  method:  <REGISTER>
>> 6(2884)  uri:     <sip:192.168.1.5>
>> 6(2884)  version: <SIP/2.0>
>> 6(2884) parse_headers: flags=2
>> 6(2884) DEBUG:parse_to:end of header reached, state=9
>> 6(2884) DEBUG: get_hdr_field: <To> [36]; uri=[sip:arda at 192.168.1.5]
>> 6(2884) DEBUG: to body [arda_eyebeam<sip:arda at 192.168.1.5>
>> ]
>> 6(2884) Found param type 232, <branch> = 
>> <z9hG4bK-d87543-622802375-1--d87543->; state=6
>> 6(2884) Found param type 235, <rport> = <n/a>; state=17
>> 6(2884) end of header reached, state=5
>> 6(2884) parse_headers: Via found, flags=2
>> 6(2884) parse_headers: this is the first via
>> 6(2884) After parse_msg...
>> 6(2884) preparing to run routing scripts...
>> 6(2884) parse_headers: flags=100
>> 6(2884) get_hdr_field: cseq <CSeq>: <1> <REGISTER>
>> 6(2884) DEBUG:maxfwd:is_maxfwd_present: value = 70
>> 6(2884) parse_headers: flags=200
>> 6(2884) DEBUG: get_hdr_body : content_length=0
>> 6(2884) found end of header
>> 6(2884) find_first_route: No Route headers found
>> 6(2884) loose_route: There is no Route HF
>> 6(2884) grep_sock_info - checking if host==us: 11==9 &&  
>> [192.168.1.5] == [127.0.0.1]
>> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
>> 6(2884) grep_sock_info - checking if host==us: 11==11 &&  
>> [192.168.1.5] == [192.168.1.5]
>> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
>> 6(2884) grep_sock_info - checking if host==us: 11==9 &&  
>> [192.168.1.5] == [127.0.0.1]
>> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
>> 6(2884) grep_sock_info - checking if host==us: 11==11 &&  
>> [192.168.1.5] == [192.168.1.5]
>> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
>> 6(2884) parse_headers: flags=2000
>> 6(2884) pre_auth(): Credentials with given realm not found
>> 6(2884) REGISTER: challenging user2
>> 6(2884) build_auth_hf(): 'WWW-Authenticate: Digest 
>> realm="192.168.1.5", nonce="438222d8c7aac499351c46bad60c32a2c03eb751"
>> '
>> 6(2884) parse_headers: flags=ffffffffffffffff
>> 6(2884) check_via_address(192.168.1.2, 192.168.1.2, 0)
>> 6(2884) DEBUG:destroy_avp_list: destroying list (nil)
>> 6(2884) receive_msg: cleaning up
>> 6(2884) SIP Request:
>> 6(2884)  method:  <REGISTER>
>> 6(2884)  uri:     <sip:192.168.1.5>
>> 6(2884)  version: <SIP/2.0>
>> 6(2884) parse_headers: flags=2
>> 6(2884) DEBUG:parse_to:end of header reached, state=9
>> 6(2884) DEBUG: get_hdr_field: <To> [36]; uri=[sip:arda at 192.168.1.5]
>> 6(2884) DEBUG: to body [arda_eyebeam<sip:arda at 192.168.1.5>
>> ]
>> 6(2884) Found param type 232, <branch> = 
>> <z9hG4bK-d87543-907902613-1--d87543->; state=6
>> 6(2884) Found param type 235, <rport> = <n/a>; state=17
>> 6(2884) end of header reached, state=5
>> 6(2884) parse_headers: Via found, flags=2
>> 6(2884) parse_headers: this is the first via
>> 6(2884) After parse_msg...
>> 6(2884) preparing to run routing scripts...
>> 6(2884) parse_headers: flags=100
>> 6(2884) get_hdr_field: cseq <CSeq>: <2> <REGISTER>
>> 6(2884) DEBUG:maxfwd:is_maxfwd_present: value = 70
>> 6(2884) parse_headers: flags=200
>> 6(2884) DEBUG: get_hdr_body : content_length=0
>> 6(2884) found end of header
>> 6(2884) find_first_route: No Route headers found
>> 6(2884) loose_route: There is no Route HF
>> 6(2884) grep_sock_info - checking if host==us: 11==9 &&  
>> [192.168.1.5] == [127.0.0.1]
>> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
>> 6(2884) grep_sock_info - checking if host==us: 11==11 &&  
>> [192.168.1.5] == [192.168.1.5]
>> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
>> 6(2884) grep_sock_info - checking if host==us: 11==9 &&  
>> [192.168.1.5] == [127.0.0.1]
>> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
>> 6(2884) grep_sock_info - checking if host==us: 11==11 &&  
>> [192.168.1.5] == [192.168.1.5]
>> 6(2884) grep_sock_info - checking if port 5060 matches port 5060
>> 6(2884) check_nonce(): comparing 
>> [438222d8c7aac499351c46bad60c32a2c03eb751] and 
>> [438222d8c7aac499351c46bad60c32a2c03eb751]
>> 6(2884) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
>> 6(2884) REGISTER: challenging user2
>> 6(2884) build_auth_hf(): 'WWW-Authenticate: Digest 
>> realm="192.168.1.5", nonce="438222d8c7aac499351c46bad60c32a2c03eb751"
>> '
>> 6(2884) parse_headers: flags=ffffffffffffffff
>> 6(2884) check_via_address(192.168.1.2, 192.168.1.2, 0)
>> 6(2884) DEBUG:destroy_avp_list: destroying list (nil)
>> 6(2884) receive_msg: cleaning up
>> -------------------------------------------
>>
>> As I see in the sterman.c source rc_auth fails:
>>
>> /* Send request */
>> if ((i = rc_auth(rh, SIP_PORT, send, &received, msg)) == OK_RC) {
>>    DBG("DEBUG:auth_radius:radius_authorize_sterman: Success\n");
>>    rc_avpair_free(send);
>>    send = 0;
>>
>>    generate_avps(received);
>>
>>    rc_avpair_free(received);
>>    return 1;
>> } else {
>>    LOG(L_ERR,"ERROR:auth_radius:radius_authorize_sterman: "
>>    "rc_auth failed\n");
>>    goto err;
>> }
>>
>> Any opinion?
>>
>> Thanks in advance
>>
>> Arda
>>
>>
>>
>>
>>
>> ----- Original Message ----- From: "Bogdan-Andrei Iancu" 
>> <bogdan at voice-system.ro>
>> To: "Arda Tekin" <arda at nicivr.com>
>> Cc: <users at openser.org>
>> Sent: Friday, November 25, 2005 5:00 PM
>> Subject: Re: [Users] How can I send radius authentication packet with 
>> openser
>>
>>
>>> Hi Arda,
>>>
>>> you need to use auth_radius for this purpose. See:
>>>    http://www.openser.org/docs/modules/1.1.x/auth_radius.html
>>>
>>> regards,
>>> bogdan
>>>
>>> Arda Tekin wrote:
>>>
>>>> Hi,
>>>>  I have installed openser, mysql, radiusclient-ng-0.5.2 
>>>> successfully on REL3.0. openser works well with mysql. I need to 
>>>> send a radius authentication packet to a radius server(according to 
>>>> RFC2865).
>>>> Packet contains base params:
>>>>
>>>> User-name                    (attr.1)                    $Username
>>>>
>>>> Password                      (attr.2)                    $Password
>>>>
>>>> NAS-Identifier                (attr.4) (auto-generated)
>>>>
>>>> NAS-Port                      (attr.5)                    $uref
>>>>
>>>> State                            (attr.24)                  0
>>>>
>>>> Client-Port-DNIS            (attr.30)                  NONE
>>>>
>>>> Caller-Id                        (attr.31)                  $calling
>>>>
>>>>  I can not find a clear sample about radius. Which module is used 
>>>> for this purpose?
>>>>  Regards
>>>>  Arda
>>>>
>>>
>>
>>
>
>
>
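The capture quoted above lists the type 206 and 207 attributes only as "Unknown Type". The following is an added example, not part of the thread or of OpenSER: it parses an Access-Request and decodes those attributes as Digest-Response and Digest-Attributes. The attribute and sub-attribute numbers are an assumption taken from draft-sterman-aaa-sip; the packet is constructed to match the shape of the capture, reusing the nonce from the quoted debug log with a dummy response hash.

```python
import struct

# Assumed from draft-sterman-aaa-sip (numbers are not named on the page):
DIGEST_RESPONSE, DIGEST_ATTRIBUTES = 206, 207
SUB = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 5: "QOP", 6: "Algorithm",
       7: "Body-Digest", 8: "CNonce", 9: "Nonce-Count", 10: "User-Name"}
STD = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type"}


def tlv(t, value):
    """Encode one type/length/value element; length includes the 2-byte header."""
    return bytes([t, len(value) + 2]) + value


def parse_radius(pkt):
    """Return (code, identifier, [(name, value), ...]); raise on bad lengths."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("Length field disagrees with the datagram size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        t, val = pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]
        if t == DIGEST_ATTRIBUTES:
            # Each instance wraps exactly one sub-attribute (sub-type, sub-length, text).
            if len(val) < 2 or val[1] != len(val):
                raise ValueError(f"malformed Digest-Attributes at offset {pos}")
            attrs.append(("Digest-" + SUB.get(val[0], f"Sub-{val[0]}"), val[2:].decode()))
        elif t in (5, 6) and len(val) == 4:
            attrs.append((STD[t], int.from_bytes(val, "big")))
        elif t in (1, DIGEST_RESPONSE):
            attrs.append((STD.get(t, "Digest-Response"), val.decode()))
        else:
            attrs.append((STD.get(t, f"Unknown-{t}"), val.hex()))
        pos += pkt[pos + 1]
    return code, ident, attrs


def sample_request():
    """Constructed Access-Request shaped like the capture; response hash is a dummy."""
    def da(sub, text):
        return tlv(DIGEST_ATTRIBUTES, tlv(sub, text.encode()))
    body = (tlv(1, b"openser@192.168.1.5") + da(10, "openser") + da(1, "192.168.1.5")
            + da(2, "438222d8c7aac499351c46bad60c32a2c03eb751")
            + da(4, "sip:192.168.1.5") + da(3, "REGISTER")
            + tlv(DIGEST_RESPONSE, b"0" * 32)
            + tlv(6, struct.pack("!I", 15)) + tlv(5, struct.pack("!I", 5060)))
    return struct.pack("!BBH", 1, 0x82, 20 + len(body)) + bytes(16) + body
```

With these numbers, the constructed nonce attribute is 44 bytes and the response attribute 34 bytes, the same lengths the capture reports for one type 207 entry and for type 206.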