[Users] Radius Authentication failed ?

Edson 4lists at gmail.com
Fri Mar 31 15:30:08 CEST 2006


Hi!

I still have this same problem with our attempt to move from SER to OpenSER.
Everything is fine except Radius authentication. We have a Xeon (64 bits, of
course) machine and find this very same problem.

In my first thread on this list Daniel pointed me to many checks, and I
looked at the same things pointed out now. I even changed the source (in an
ugly way) of RadiusClient-NG to register, when in DEBUG mode, the shared key
used. It's ok.

The thread stopped when a closer look at the code appeared to be the only
solution. As I'm not a programmer I couldn't go further. Maybe Daniel's
HOW-TO would help us to find out the problem.

Wait to see... ;)

Edson.

> -----Original Message-----
> From: users-bounces at openser.org [mailto:users-bounces at openser.org] On
> Behalf Of Klaus Darilion
> Sent: Thursday, March 30, 2006 09:16
> To: daniel at voice-system.ro
> Cc: users at openser.org
> Subject: Re: [Users] Radius Authentication failed ?
> 
> Hi!
> 
> Recently on the ser list someone reported radiusclient-ng problems on 64
> bit solaris (32 bit solaris works). Maybe this is a 64-bit issue?
> Has anyone used radiusclient-ng successfully on 64-bit systems?
> 
> regards
> klaus
> 
> Daniel-Constantin Mierla wrote:
> > Have you got any message in syslog coming from radiusclient-ng library?
> > The FreeRadius server reports ok for authentication.
> >
> > Cheers,
> > Daniel
> >
> >
> > On 03/30/06 05:15, Nguyen Duc Phi wrote:
> >> I configured openser to authenticate against Radius. When the softphone
> >> registers to openser, Freeradius responds "Sending Access-Accept" but
> >> openser reports "ERROR:auth_radius:radius_authorize_sterman: rc_auth
> >> failed", so the softphone is not registered. I searched for this title
> >> in Google and found it on the "*OpenSER Users Mailing List*", but I
> >> didn't find a solution to fix the problem.
> >> Could someone help me fix this problem?
> >>
> >> Here is the list of product versions I used.
> >> openser-1.0.1
> >> OS : CentOS-4 x86_64
> >> radiusclient-ng-0.5.2
> >> freeradius-1.0.5
> >>
> >> openser shows debug:
> >>
> >>  8(8985) parse_headers: flags=ffffffffffffffff
> >>  8(8985) check_via_address(192.168.212.123, 192.168.212.123, 0)
> >>  8(8985) DEBUG:destroy_avp_list: destroying list (nil)
> >>  8(8985) receive_msg: cleaning up
> >>  7(8982) SIP Request:
> >>  7(8982)  method:  <REGISTER>
> >>  7(8982)  uri:     <sip:vdc.com.vn>
> >>  7(8982)  version: <SIP/2.0>
> >>  7(8982) parse_headers: flags=2
> >>  7(8982) DEBUG: get_hdr_body : content_length=0
> >>  7(8982) get_hdr_field: cseq <CSeq>: <2> <REGISTER>
> >>  7(8982) DEBUG:parse_to:end of header reached, state=9
> >>  7(8982) DEBUG: get_hdr_field: <To> [23]; uri=[sip:5001 at vdc.com.vn]
> >>  7(8982) DEBUG: to body [<sip:5001 at vdc.com.vn>
> >> ]
> >>  7(8982) Found param type 235, <rport> = <n/a>; state=6
> >>  7(8982) Found param type 232, <branch> =
> >> <z9hG4bKc0a8d47b0131c9b1442b39c80000367c00000003>; state=16
> >>  7(8982) end of header reached, state=5
> >>  7(8982) parse_headers: Via found, flags=2
> >>  7(8982) parse_headers: this is the first via
> >>  7(8982) After parse_msg...
> >>  7(8982) preparing to run routing scripts...
> >>  7(8982) DEBUG:maxfwd:is_maxfwd_present: value = 70
> >>  7(8982) parse_headers: flags=200
> >>  7(8982) found end of header
> >>  7(8982) find_first_route: No Route headers found
> >>  7(8982) loose_route: There is no Route HF
> >>  7(8982) grep_sock_info - checking if host==us: 10==9 &&  [vdc.com.vn]
> >> == [127.0.0.1]
> >>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
> >>  7(8982) grep_sock_info - checking if host==us: 10==13 &&
> >> [vdc.com.vn] == [192.168.212.9]
> >>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
> >>  7(8982) grep_sock_info - checking if host==us: 10==9 &&  [vdc.com.vn]
> >> == [127.0.0.1]
> >>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
> >>  7(8982) grep_sock_info - checking if host==us: 10==13 &&
> >> [vdc.com.vn] == [192.168.212.9]
> >>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
> >>  7(8982) grep_sock_info - checking if host==us: 10==9 &&  [vdc.com.vn]
> >> == [127.0.0.1]
> >>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
> >>  7(8982) grep_sock_info - checking if host==us: 10==13 &&
> >> [vdc.com.vn] == [192.168.212.9]
> >>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
> >>  7(8982) grep_sock_info - checking if host==us: 10==9 &&  [vdc.com.vn]
> >> == [127.0.0.1]
> >>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
> >>  7(8982) grep_sock_info - checking if host==us: 10==13 &&
> >> [vdc.com.vn] == [192.168.212.9]
> >>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
> >>  7(8982) check_nonce(): comparing
> >> [442b360523cece6362803c97fa7fb10b37680cd8] and
> >> [442b360523cece6362803c97fa7fb10b37680cd8]
> >>  7(8982) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
> >>  7(8982) build_auth_hf(): 'WWW-Authenticate: Digest
> >> realm="vdc.com.vn", nonce="442b360523cece6362803c97fa7fb10b37680cd8"
> >> '
> >>  7(8982) parse_headers: flags=ffffffffffffffff
> >>  7(8982) check_via_address(192.168.212.123, 192.168.212.123, 0)
> >>  7(8982) DEBUG:destroy_avp_list: destroying list (nil)
> >>  7(8982) receive_msg: cleaning up
> >>
> >> Radius shows debug:
> >>
> >> rad_recv: Access-Request packet from host 192.168.212.9:32826, id=205,
> >> length=203
> >>         User-Name = "5001 at vdc.com.vn"
> >>         Digest-Attributes = 0x0a0635303031
> >>         Digest-Attributes = 0x010c7664632e636f6d2e766e
> >>         Digest-Attributes = 0x022a34343262333630353233636563653633363238303363393766613766623130623337363830636438
> >>         Digest-Attributes = 0x04107369703a7664632e636f6d2e766e
> >>         Digest-Attributes = 0x030a5245474953544552
> >>         Digest-Response = "1c3d532fc6c1c37004c6df6027e6242c"
> >>         Service-Type = 0x0000000f00000000
> >>         Sip-Uri-User = "5001"
> >>         NAS-Port = 0x000013c400000000
> >>         NAS-IP-Address = 0xc0a8d40900000000
> >>   Processing the authorize section of radiusd.conf
> >> modcall: entering group authorize for request 0
> >> Invalid operator for item Suffix: reverting to '=='
> >> Invalid operator for item Suffix: reverting to '=='
> >> Invalid operator for item Suffix: reverting to '=='
> >> Invalid operator for item Suffix: reverting to '=='
> >> Invalid operator for item Suffix: reverting to '=='
> >> Invalid operator for item Suffix: reverting to '=='
> >> Invalid operator for item Suffix: reverting to '=='
> >> Invalid operator for item Suffix: reverting to '=='
> >>   hints: Matched DEFAULT at 82
> >>   modcall[authorize]: module "preprocess" returns ok for request 0
> >>   modcall[authorize]: module "chap" returns noop for request 0
> >>   modcall[authorize]: module "mschap" returns noop for request 0
> >>     rlm_digest: Converting Digest-Attributes to something sane...
> >>         Digest-User-Name = "5001"
> >>         Digest-Realm = "vdc.com.vn"
> >>         Digest-Nonce = "442b360523cece6362803c97fa7fb10b37680cd8"
> >>         Digest-URI = "sip:vdc.com.vn"
> >>         Digest-Method = "REGISTER"
> >> rlm_digest: Adding Auth-Type = DIGEST
> >>   modcall[authorize]: module "digest" returns ok for request 0
> >>     rlm_realm: No '@' in User-Name = "5001", looking
> >> up realm NULL
> >>     rlm_realm: No such realm "NULL"
> >>   modcall[authorize]: module "suffix" returns noop for request 0
> >> radius_xlat:  '5001'
> >> rlm_sql (sql): sql_set_user escaped user --> '5001'
> >> radius_xlat:  'SELECT 1 as id,'5001' as UserName,'User-Password' as
> >> Attribute,subscriber_password as Value,'==' as op FROM subscribers
> >> WHERE subscriber_username = '5001'AND subscriber_status=1'
> >> rlm_sql (sql): Reserving sql socket id: 4
> >> radius_xlat:  ''
> >> radius_xlat:  'SELECT 1 as id,'5001' as UserName,'Session-Timeout' as
> >> Attribute,getSessionTime('5001','')as Value,'=' as op FROM dual'
> >> radius_xlat:  ''
> >> rlm_sql (sql): Released sql socket id: 4
> >>   modcall[authorize]: module "sql" returns ok for request 0
> >> modcall: group authorize returns ok for request 0
> >>   rad_check_password:  Found Auth-Type DIGEST
> >> auth: type "digest"
> >>   Processing the authenticate section of radiusd.conf
> >> modcall: entering group authenticate for request 0
> >> A1 = 5001:vdc.com.vn:test
> >> A2 = REGISTER:sip:vdc.com.vn
> >> H(A1) = 454e15015603bd4bd79faf0c5ddd3346
> >> H(A2) = ac5bd79ed3d6bd2bddcb1cffafbbd09a
> >> KD = 454e15015603bd4bd79faf0c5ddd3346:442b360523cece6362803c97fa7fb10b37680cd8:ac5bd79ed3d6bd2bddcb1cffafbbd09a
> >> EXPECTED 1c3d532fc6c1c37004c6df6027e6242c
> >> RECEIVED 1c3d532fc6c1c37004c6df6027e6242c
> >>   modcall[authenticate]: module "digest" returns ok for request 0
> >> modcall: group authenticate returns ok for request 0
> >> Login OK: [5001] (from client 192.168.212.9 port 3134307025)
> >> Sending Access-Accept of id 205 to 192.168.212.9:32826
> >>         Session-Timeout = 60
> >> Finished request 0
> >> Going to the next request
> >> --- Walking the entire request list ---
> >> Waking up in 6 seconds...
> >> --- Walking the entire request list ---
> >> Cleaning up request 0 ID 205 with timestamp 442b3adf
> >> Nothing to do.  Sleeping until we see a request.
> >>
> >> Best regards,
> >> Nguyen
> >> ------------------------------------------------------------------------
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users at openser.org
> >> http://openser.org/cgi-bin/mailman/listinfo/users
> >>
> >
> 
> 

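A check on the Access-Request dump quoted above, as an added example that is not part of the original thread nor code from OpenSER or radiusclient-ng: RFC 2865 gives integer and address attributes a 4-octet value, while Service-Type, NAS-Port and NAS-IP-Address in the dump carry 8 octets and the Digest-Attributes TLVs are well-formed. The function names and the FIXED and DIGEST_SUB tables are assumptions made for this illustration; DIGEST_SUB follows the rlm_digest lines of the same log.

```python
import re
import socket
import struct

# Attribute lines copied from the FreeRADIUS debug output quoted in this thread.
DUMP = """\
        Digest-Attributes = 0x0a0635303031
        Digest-Attributes = 0x010c7664632e636f6d2e766e
        Digest-Attributes = 0x04107369703a7664632e636f6d2e766e
        Digest-Attributes = 0x030a5245474953544552
        Service-Type = 0x0000000f00000000
        NAS-Port = 0x000013c400000000
        NAS-IP-Address = 0xc0a8d40900000000
"""

# RFC 2865 value types: "integer" and "ipaddr" are both 4 octets on the wire.
FIXED = {"Service-Type": "integer", "NAS-Port": "integer", "NAS-IP-Address": "ipaddr"}
# Sub-attribute numbers, named after the rlm_digest lines of the same log (assumed mapping).
DIGEST_SUB = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 10: "User-Name"}

def parse_dump(text):
    """Return [(name, raw_bytes)] for every 'Name = 0x<hex>' line."""
    pat = re.compile(r"^[ \t>]*([\w-]+) = 0x((?:[0-9a-fA-F]{2})+)[ \t]*$", re.M)
    return [(m.group(1), bytes.fromhex(m.group(2))) for m in pat.finditer(text)]

def check_attr(name, raw):
    """Return (name, status, decoded) where status is 'ok' or names the defect."""
    if name == "Digest-Attributes":
        # Each value is one TLV: sub-type, length (covering all three fields), text.
        if len(raw) < 2 or raw[1] != len(raw):
            return (name, "bad-length", raw.hex())
        label = DIGEST_SUB.get(raw[0], f"sub-{raw[0]}")
        return (name, "ok", f"{label}={raw[2:].decode('ascii', 'replace')}")
    kind = FIXED.get(name)
    if kind is None:
        return (name, "unchecked", raw.hex())
    if len(raw) < 4:
        return (name, f"width-{len(raw)}", raw.hex())
    head = raw[:4]  # leading 4 octets, which is where the dump's values sit
    value = socket.inet_ntoa(head) if kind == "ipaddr" else str(struct.unpack("!I", head)[0])
    return (name, "ok" if len(raw) == 4 else f"width-{len(raw)}", value)

def audit(text):
    """Check every hex-dumped attribute in a debug log excerpt."""
    return [check_attr(name, raw) for name, raw in parse_dump(text)]

if __name__ == "__main__":
    for name, status, decoded in audit(DUMP):
        print(f"{status:10} {name:18} {decoded}")
```

Run against the dump, the three fixed-width attributes come back as width-8 with decoded values 15, 5060 and 192.168.212.9, and the four Digest-Attributes lines come back ok.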