[Serusers] group_radius radius_is_user_in

lenirsantiago at yahoo.com lenirsantiago at yahoo.com
Fri Oct 14 04:46:48 CEST 2005


Hello list,

I've been trying my hardest today to get group_radius to work, and its
function radius_is_user_in().
I'm running ser 0.9.4 and freeradius 1.0.4 with the mysql backend and digest
authentication.

Radius authentication works fine.
The problem is that when the radius_is_user_in() function gets called, it sends
a radius message but without the User-Password field, and freeradius
complains that it requires it since we are using Digest.
I've seen a couple of posts here, but they were never answered:
http://lists.iptel.org/pipermail/serusers/2005-March/017342.html
http://lists.iptel.org/pipermail/serusers/2005-March/017075.html

-----
I have a small test in my ser.cfg file:
        if (!radius_www_authorize("")) {
                xlog("L_I","%ci - %fu - User not authenticated, Radius Authenticating...\n");
                www_challenge("","0");
                break;
        } else {
                xlog("L_I","%ci - %fu - User authenticated...\n");
        };

        if (radius_is_user_in("From", "Dialin")){
                xlog("L_I","From: User is in Radius Group Dialin!!!!\n");
        } else {
                xlog("L_I","From: User *IS NOT* Group Dialin!!!!!\n");
        };

        if (radius_is_user_in("Credentials", "Dialin2")){
                xlog("L_I","From: User is in Radius Group Dialin2!!!!\n");
        } else {
                xlog("L_I","From: User *IS NOT* Group Dialin2!!!!!\n");
        };

-----
In /etc/raddb/users file I have the following at line 152:
DEFAULT Auth-Type = System
        Fall-Through = 1

DEFAULT Service-Type == Group-Check, Auth-Type := None

DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None

-----

These are mysql tables:

+----+----------+-----------+----+----------+
| id | UserName | Attribute | op | Value    |
+----+----------+-----------+----+----------+
|  1 | Jhassell | Password  | == | changeme |
|  2 | Rneis    | Password  | == | changeme |
|  3 | 1000     | Password  | == | 1000     |
|  4 | 2000     | Password  | == | 2000     |
|  5 | 3000     | Password  | == | 3000     |
|  8 | 1000     | Auth-Type | := | Digest   |
+----+----------+-----------+----+----------+

+----+-----------+-----------+----+--------+
| id | GroupName | Attribute | op | Value  |
+----+-----------+-----------+----+--------+
|  6 | Dialin    | Auth-Type | := | Accept |
+----+-----------+-----------+----+--------+

+----+-----------+---------------+----+----------------------------------+------+
| id | GroupName | Attribute     | op | Value                            | prio |
+----+-----------+---------------+----+----------------------------------+------+
|  1 | Dialin    | Reply-Message | =  | "Authenticated by group Dialin"  |    0 |
|  2 | Dialin2   | Reply-Message | =  | "Authenticated by group Dialin2" |    0 |
+----+-----------+---------------+----+----------------------------------+------+

+----+----------+---------------+----+------------------+
| id | UserName | Attribute     | op | Value            |
+----+----------+---------------+----+------------------+
|  1 | 1000     | Reply-Message | =  | "Authenticated"  |
|  2 | 1000     | Sip-Group     | =  | Dialin           |
|  3 | 1000     | SIP-AVP       | =  | Sip-Group:Dialin |
+----+----------+---------------+----+------------------+

+----+----------+------------+
| id | UserName | GroupName  |
+----+----------+------------+
|  1 | Jhassell | Dialin     |
|  2 | Rneis    | Staticdial |
|  3 | 1000     | Dialin     |
|  4 | 2000     | Dialin     |
|  5 | 3000     | Dialin     |
|  6 | 3000     | Dialin2    |
+----+----------+------------+

------

This is the debug I get from freeradius for the group check:

rad_recv: Access-Request packet from host xx.xx.xx.xx:33025, id=15, length=67
        User-Name = "1000 at xx.xx.xx.xx"
        Sip-Group = "Dialin2"
        Service-Type = Group-Check
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 74
  modcall[authorize]: module "preprocess" returns ok for request 74
  modcall[authorize]: module "chap" returns noop for request 74
  modcall[authorize]: module "mschap" returns noop for request 74
  modcall[authorize]: module "digest" returns noop for request 74
    rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name = "1000 at xx.xx.xx.xx"
    rlm_realm: Found realm "xx.xx.xx.xx"
    rlm_realm: Adding Stripped-User-Name = "1000"
    rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
    rlm_realm: Adding Realm = "xx.xx.xx.xx"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 74
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 74
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 158
  modcall[authorize]: module "files" returns ok for request 74
radius_xlat:  '1000'
rlm_sql (sql): sql_set_user escaped user --> '1000'
rlm_sql (sql): Released sql socket id: 0
  modcall[authorize]: module "sql" returns ok for request 74
modcall: group authorize returns ok for request 74
  rad_check_password:  Found Auth-Type Digest
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 74
ERROR: No Digest-Nonce: Cannot perform Digest authentication
  modcall[authenticate]: module "digest" returns invalid for request 74
modcall: group authenticate returns invalid for request 74
auth: Failed to validate the user.
Delaying request 74 for 1 seconds
Finished request 74
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 15 to xx.xx.xx.xx:33025
        Reply-Message = "Authenticated"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 74 ID 15 with timestamp 434f1121
Nothing to do.  Sleeping until we see a request.
Any help in this matter would be deeply appreciated,
Lenir 
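The debug output above shows the users file matching the Group-Check entry at line 158 (Auth-Type := None), yet the server settles on Auth-Type Digest after the sql module runs, which is consistent with radcheck row 8 (Auth-Type := Digest for user 1000) replacing it, since sql runs after files in authorize and := overwrites. As an added example (not code from the post or from SER/FreeRADIUS), a small Python parser that walks FreeRADIUS 1.x debug output and flags Group-Check requests that were routed to Digest authentication; the sample log is a constructed excerpt of the output quoted above.

```python
import re

# Constructed excerpt of the FreeRADIUS 1.x debug output quoted in the post ("at" restored to "@").
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host xx.xx.xx.xx:33025, id=15, length=67
        User-Name = "1000@xx.xx.xx.xx"
        Sip-Group = "Dialin2"
        Service-Type = Group-Check
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
    users: Matched entry DEFAULT at line 158
  modcall[authorize]: module "files" returns ok for request 74
  modcall[authorize]: module "sql" returns ok for request 74
  rad_check_password:  Found Auth-Type Digest
ERROR: No Digest-Nonce: Cannot perform Digest authentication
Sending Access-Reject of id 15 to xx.xx.xx.xx:33025
"""

REQ_RE = re.compile(r'^rad_recv: Access-Request packet from host \S+, id=(\d+)')
ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+) = "?([^"]*)"?$')
SEND_RE = re.compile(r'^Sending (Access-\w+) of id (\d+)')

def parse_requests(text):
    """One dict per Access-Request: packet id, request attributes, the
    Auth-Type the server settled on, ERROR lines, and the reply packet type."""
    requests, cur = [], None
    for line in text.splitlines():
        if m := REQ_RE.match(line):
            cur = {"id": int(m.group(1)), "attrs": {}, "auth_type": None,
                   "errors": [], "reply": None}
            requests.append(cur)
        elif cur is None:
            continue
        elif (m := ATTR_RE.match(line)) and cur["reply"] is None:
            cur["attrs"][m.group(1)] = m.group(2)   # request attributes only, not reply ones
        elif m := re.search(r'Found Auth-Type (\S+)', line):
            cur["auth_type"] = m.group(1)
        elif line.startswith("ERROR:"):
            cur["errors"].append(line[6:].strip())
        elif (m := SEND_RE.match(line)) and int(m.group(2)) == cur["id"]:
            cur["reply"] = m.group(1)
    return requests

def group_check_mismatches(requests):
    """Ids of Group-Check requests routed to Digest: such a request carries no
    Digest-* attributes, so Auth-Type Digest can only fail (No Digest-Nonce)."""
    return [r["id"] for r in requests
            if r["attrs"].get("Service-Type") == "Group-Check"
            and r["auth_type"] == "Digest"]
```

Running it over a full `radiusd -X` capture gives the packet ids whose authorize stage ended with the wrong Auth-Type, which is the thing to compare against the radcheck and users-file entries.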