[Users] Problem with Radius authentication

Matthew Williams matthew.williams at intecbilling.com
Mon Oct 10 17:34:43 CEST 2005


Hello,

I'm trying to set up OpenSER to use Radius authentication, but I am having 
problems. I can't get the OpenSER server to actually send any Radius packets 
out over the network to my Radius server. I've been sniffing the network with 
Ethereal and no packets are sent out, even though I get messages in the 
syslog saying:

Oct 10 16:59:24 ibwok-2mrt71j /usr/sbin/openser[9057]: rc_send_server: no 
reply from RADIUS server boxster:1812
Oct 10 16:59:24 ibwok-2mrt71j /usr/sbin/openser[9058]: rc_send_server: no 
reply from RADIUS server boxster:1812
Oct 10 16:59:25 ibwok-2mrt71j /usr/sbin/openser[9059]: rc_send_server: no 
reply from RADIUS server boxster:1812

and so on. 

My openser.cfg file (see below) is pretty much unchanged from the default 
config file, except for the Radius options added according to this HOWTO 
http://www.iptel.org/ser/doc/ser_radius/ser_radius.html

I've seen this problem both with the pre-compiled Debian packages on a Debian 
Sarge installation and also when compiled by hand on a Sun Solaris 9 server. 
I must be missing something from my configuration files, but I can't work out 
what it is. Does anyone have any ideas? 

Thanks in advance,

Matt Williams

------------------------------------------------------------------
openser.cfg
------------------------------------------------------
#
# $Id: openser.cfg,v 1.1.1.1 2005/06/13 16:47:30 bogdan_iancu Exp $
#
# simple quick-start config script
#

# ----------- global configuration parameters ------------------------

#debug=3         # debug level (cmd line: -dddddddddd)
#fork=yes
#log_stderror=no	# (cmd line: -E)

/* Uncomment these lines to enter debugging mode 
fork=no
log_stderror=yes
*/

# Core settings that are active in this configuration.
# check_via, dns and rev_dns are all switched off; the command-line
# equivalent of each is shown to its right.
check_via=no	# (cmd. line: -v)
dns=no           # (cmd. line: -r)
rev_dns=no      # (cmd. line: -R)
#port=5060
#children=4
# NOTE(review): the FIFO is the server's local management channel and it is
# created under /tmp, which is normally writable by every local user. A
# directory restricted to the openser account is the safer location --
# confirm how the control tools of this deployment locate the FIFO first.
fifo="/tmp/openser_fifo"
# "testdomain" is declared as a local alias, so request URIs carrying that
# host are expected to match the uri==myself tests in the routing logic.
alias=testdomain

# ------------------ module loading ----------------------------------

# Uncomment this if you want to use SQL database
#loadmodule "/usr/local/lib/ser/modules/mysql.so"

# Modules referenced by the routing logic in this file: stateless replies
# (sl), transactions (tm), record-routing (rr), Max-Forwards handling
# (maxfwd), user location (usrloc), REGISTER processing (registrar) and
# header manipulation (textops).
loadmodule "/usr/lib/openser/modules/sl.so"
loadmodule "/usr/lib/openser/modules/tm.so"
loadmodule "/usr/lib/openser/modules/rr.so"
loadmodule "/usr/lib/openser/modules/maxfwd.so"
loadmodule "/usr/lib/openser/modules/usrloc.so"
loadmodule "/usr/lib/openser/modules/registrar.so"
loadmodule "/usr/lib/openser/modules/textops.so"

# Digest authentication modules.
# auth.so is loaded together with auth_radius.so, while auth_db.so stays
# disabled. The stock remark that mysql.so must be loaded belongs to the
# database-backed variant, which is not in use here.
loadmodule "/usr/lib/openser/modules/auth.so"
#loadmodule "/usr/lib/openser/modules/auth_db.so"
loadmodule "/usr/lib/openser/modules/auth_radius.so"

# ----------------- setting module-specific parameters ---------------
# auth_radius takes its RADIUS client settings (server name, shared-secret
# file, dictionary, timeouts, bind address) from the radiusclient-ng
# configuration file named here.
modparam("auth_radius", "radius_config", 
"/etc/radiusclient-ng/radiusclient.conf")

# -- usrloc params --

# db_mode 0 is the setting the stock comment below contrasts with SQL
# persistent storage -- presumably registrations are kept in memory only
# and are lost on restart; confirm against the usrloc documentation.
modparam("usrloc", "db_mode",   0)

# Uncomment this if you want to use SQL database 
# for persistent storage and comment the previous line
#modparam("usrloc", "db_mode", 2)

# -- auth params --
# The auth_db parameters below stay commented out: auth_db.so is not
# loaded in this configuration, credentials are checked via RADIUS instead.
#
#modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which is true in this config), 
# uncomment also the following parameter
#
#modparam("auth_db", "password_column", "password")

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# -------------------------  request routing logic -------------------

# main routing logic

# Main request route: sanity checks, record-routing, loose routing of
# in-dialog requests, relaying of foreign-domain requests, RADIUS-backed
# digest authentication of REGISTER, and usrloc lookup for local users.
route{

	# initial sanity checks -- messages with
	# max_forwards==0, or excessively long requests
	if (!mf_process_maxfwd_header("10")) {
		sl_send_reply("483","Too Many Hops");
		break;
	};
	if (msg:len >=  2048 ) {
		sl_send_reply("513", "Message too big");
		break;
	};
	

	# we record-route all messages -- to make sure that
	# subsequent messages will go through our proxy; that's
	# particularly good if upstream and downstream entities
	# use different transport protocol
	if (!method=="REGISTER") record_route();	

	# subsequent messages within a dialog should take the
	# path determined by record-routing
	if (loose_route()) {
		# mark routing logic in request
		append_hf("P-hint: rr-enforced\r\n"); 
		route(1);
		break;
	};

	# NOTE(review): requests addressed to a foreign domain are relayed
	# from here without any authentication check -- the only authorize
	# call in this file sits in the REGISTER branch below. As written,
	# any sender can apparently use this proxy to reach arbitrary
	# destinations; a proxy-authorization step (auth_radius also offers
	# radius_proxy_authorize) or a source restriction before route(1)
	# would close that. Confirm the intended relay policy.
	if (!uri==myself) {
		# mark routing logic in request
		append_hf("P-hint: outbound\r\n"); 
		route(1);
		break;
	};

	# requests addressed to our own domain are resolved through UsrLoc
	# (in case, it does not work, use the following command
	# with proper names and addresses in it)
	if (uri==myself) {

		if (method=="REGISTER") {

			# Digest authentication of REGISTER, verified through RADIUS.
			# When authorization fails the client is challenged for realm
			# "testdomain"; the second argument "1" asks for a qop
			# parameter in the challenge.
			# NOTE(review): nothing between a successful authorization and
			# save("location") compares the authenticated user with the To
			# header, so a subscriber holding any valid credentials could
			# apparently register a contact for someone else's address.
			# SER examples add a To-identity check here (check_to() from
			# the uri modules) -- confirm it is available in this build.
			if (!radius_www_authorize("testdomain")) {
				www_challenge("testdomain", "1");
				break;
			};

			save("location");
			break;
		};

		# alias lookup may rewrite the request URI to a foreign domain,
		# in which case the request is relayed like other outbound traffic
		lookup("aliases");
		if (!uri==myself) {
			append_hf("P-hint: outbound alias\r\n"); 
			route(1);
			break;
		};

		# native SIP destinations are handled using our USRLOC DB
		if (!lookup("location")) {
			sl_send_reply("404", "Not Found");
			break;
		};
	};
	append_hf("P-hint: usrloc applied\r\n"); 
	route(1);
}

# Forwarding sub-route, reached from every route(1) call in the main route.
# It performs no authentication or destination checks of its own, so any
# access control has to happen before the caller invokes it.
route[1] 
{
	# send it out now; use stateful forwarding as it works reliably
	# even for UDP2TCP
	if (!t_relay()) {
		# relaying failed: answer the sender with a reply derived from
		# the error that occurred
		sl_reply_error();
	};
}
------------------------------------------------------------------------

radiusclient.conf
------------------------------------------------------------------------
# General settings

# The settings in this section concern the radlogin terminal-login tool
# (tries, timeout, nologin and issue files). Whether auth_radius consults
# any of them is not visible from this posting -- presumably not.

# specify which authentication comes first respectively which
# authentication is used. possible values are: "radius" and "local".
# if you specify "radius,local" then the RADIUS server is asked
# first then the local one. if only one keyword is specified only
# this server is asked.
auth_order	radius

# maximum login tries a user has
login_tries	4

# timeout for all login tries
# if this time is exceeded the user is kicked out
login_timeout	60

# name of the nologin file which when it exists disables logins.
# it may be extended by the ttyname which will result in
# a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
# logins on /dev/ttyS2)
nologin /etc/nologin

# name of the issue file. it's only displayed when no username is passed
# on the radlogin command line
issue	/etc/radiusclient-ng/issue

# RADIUS settings

# RADIUS server to use for authentication requests. this config
# item can appear more than once. if multiple servers are
# defined they are tried in a round robin fashion if one
# server is not answering.
# optionally you can specify the port number on which the remote
# RADIUS listens, separated by a colon from the hostname. if
# no port is specified /etc/services is consulted for the radius
# service. if this also fails a compiled-in default is used.
# No port is given here; the syslog lines in this posting show the
# client addressing boxster:1812.
authserver 	boxster

# RADIUS server to use for accounting requests. All that I
# said for authserver applies, too. 
#
acctserver 	boxster

# file holding shared secrets used for the communication
# between the RADIUS client and server
# NOTE(review): this file contains the secret that protects the exchange
# with the RADIUS server. It should be readable only by root and the
# account openser runs as, and must contain an entry for "boxster" --
# its contents are not shown in this posting.
servers		/etc/radiusclient-ng/servers

# dictionary of allowed attributes and values
# just like in the normal RADIUS distributions
# NOTE(review): digest authentication presumably needs the SIP digest
# attributes from the referenced HOWTO to be defined here -- confirm.
dictionary 	/etc/radiusclient-ng/dictionary

# program to call for a RADIUS authenticated login
login_radius	/usr/sbin/login.radius

# file which holds sequence number for communication with the
# RADIUS server
# NOTE(review): the account openser runs as presumably needs write access
# to this file -- verify ownership and mode under /var/run.
seqfile		/var/run/radius.seq

# file which specifies mapping between ttyname and NAS-Port attribute
mapfile		/etc/radiusclient-ng/port-id-map

# default authentication realm to append to all usernames if no
# realm was explicitly specified by the user
# the radiusd directly from Livingston doesn't use any realms, so leave
# it blank then
default_realm

# time to wait for a reply from the RADIUS server
radius_timeout	10

# resend request this many times before trying the next server
radius_retries	3

# local address from which radius packets have to be sent
# NOTE(review): this pins the source address of outgoing requests to the
# loopback name. Unless boxster is this same host, requests sourced from
# loopback would not be expected to appear in a capture on the external
# interface, which matches the symptom described in this posting -- try
# the machine's routable address and confirm.
bindaddr localhost

# LOCAL settings

# program to execute for local login
# it must support the -f flag for preauthenticated login
# (auth_order above lists only "radius", so per the auth_order description
# the local method is not consulted with this configuration)
login_local	/bin/login


This e-mail and any attachments are confidential and may also be legally privileged and/or copyright material of Intec Telecom Systems PLC (or its affiliated companies). If you are not an intended or authorised recipient of this e-mail or have received it in error, please delete it immediately and notify the sender by e-mail. In such a case, reading, reproducing, printing or further dissemination of this e-mail or its contents is strictly prohibited and may be unlawful. 

Intec Telecom Systems PLC does not represent or warrant that an attachment hereto is free from computer viruses or other defects. The opinions expressed in this e-mail and any attachments may be those of the author and are not necessarily those of Intec Telecom Systems PLC.




