[Users] Errors while starting openser with radius server integration
Sanjeev Manoli
meghsan at gmail.com
Wed Nov 8 08:35:08 CET 2006
Hi Ravi,
Thanks for your help and suggestion. I went through avp
module documentation and figured out that the avp_check syntax in
config.cfg file was incorrect. I changed it as follows and now it's
working,

    if(!avp_check("$avp(i:2)", "eq/$avp($src_ip)/ig"))
    {
        sl_send_reply("403", "Forbidden IP");
        exit;
    };

But still I get parse error for following 2 statements in
openser.cfg (I commented them to make forward progress). Please advise.

    modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp")
    modparam("avpops", "avp_aliases", "day=i:101;time=i:102")

Another thing is I am currently using the file based radius
authentication for the users. (I have created a file called
/usr/local/etc/raddb/users with 2 users). Do you know how to
enable/use radius with user authentication done from a database (I am
using mysql)? I couldn't find any documentation for it.
Thanks for the help
- Sanjeev
On 11/6/06, raviprakash sunkara <sunkara.raviprakash.feb14 at gmail.com> wrote:
> Usrs usrloc is comment,
>
>
>
>
>
> On 11/7/06, Sanjeev Manoli <meghsan at gmail.com> wrote:
> > Hi,
> > I am getting following errors as seen in /var/log/message while
> > running openser with radius integration,
> >
> > *****************************************************************************************
> > Nov 6 20:33:45 lx-dev monit[13565]: 'openser' start: /etc/init.d/openser
> > Nov 6 20:33:45 lx-dev monit[13565]: 'openser' failed to start
> > Nov 6 20:33:45 lx-dev openser: init_tcp: using epoll_lt as the io watch method (auto detected)
> > Nov 6 20:33:45 lx-dev openser: INFO: statistics manager successfully initialized
> > Nov 6 20:33:45 lx-dev openser: StateLess module - initializing
> > Nov 6 20:33:45 lx-dev openser: TM - initializing...
> > Nov 6 20:33:46 lx-dev openser: Maxfwd module- initializing
> > Nov 6 20:33:46 lx-dev openser: AVPops - initializing
> > Nov 6 20:33:46 lx-dev openser: TextOPS - initializing
> > Nov 6 20:33:46 lx-dev openser: ACC - initializing
> > Nov 6 20:33:46 lx-dev openser: AUTH module - initializing
> > Nov 6 20:33:46 lx-dev openser: xl_parse_item: error - bad parameters
> > Nov 6 20:33:46 lx-dev openser: ERROR:avpops:fixup_check_avp: unable to get pseudo-variable in P1
> > Nov 6 20:33:46 lx-dev openser: ERROR: fix_actions: fixing failed (code=-2) at cfg line 146
> > Nov 6 20:33:46 lx-dev openser: ERROR: fix_expr : fix_actions error
> > *****************************************************************************************
> > I am using openser (Version: openser-1.1.0-tls) and radius server
> > (freeradius-1.1.3) along with radiusclient-ng (radiusclient-ng-0.5.2 ).
> > I exactly followed the following radius integration documentation
> > from openser web site,
> > http://openser.org/docs/openser-radius-1.0.x.html
> >
> > If I remove the radius integration related part from openser.cfg then
> > my openser server starts fine, I have tested it with kphone SIP UA and
> > it works fine.
> >
> > One other question is I get parse error for following 2 statements in
> > openser.cfg (I commented them to make forward progress). Please advise
> > the right syntax to use following modparam statements.
> > modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp")
> > modparam("avpops", "avp_aliases", "day=i:101;time=i:102")
> >
> > This is kind of urgent for me and I am clueless at this point so
> > really appreciate all your help.
> >
> > Thanks,
> > - San
> > P.S. For your reference here is the openser.cfg file that I am using,
> > #
> > # $Id$
> > #
> > # radius config script
> > #
> >
> > # ----------- global configuration parameters ------------------------
> >
> > debug=9 # debug level (cmd line: -dddddddddd)
> > fork=no
> > log_stderror=no # (cmd line: -E)
> >
> > check_via=no # (cmd. line: -v)
> > dns=no # (cmd. line: -r)
> > rev_dns=no # (cmd. line: -R)
> > port=5060
> > children=4
> > listen=udp:192.168.0.5
> > alias="192.168.0.5"
> >
> > #fifo="/tmp/openser_fifo"
> >
> > # ------------------ module loading ----------------------------------
> > mpath="/usr/local/lib/openser/modules"
> >
> > loadmodule "mysql.so"
> > loadmodule "sl.so"
> > loadmodule "tm.so"
> > loadmodule "rr.so"
> > loadmodule "maxfwd.so"
> > loadmodule "avpops.so"
> > loadmodule "usrloc.so"
> > loadmodule "registrar.so"
> > loadmodule "textops.so"
> > loadmodule "xlog.so"
> > loadmodule "uri.so"
> > loadmodule "acc.so"
> > loadmodule "auth.so"
> > loadmodule "auth_radius.so"
> > loadmodule "group_radius.so"
> > loadmodule "avp_radius.so"
> >
> > # ----------------- setting module-specific parameters ---------------
> >
> > # -- usrloc params --
> > #modparam("usrloc","db_url","mysql://openser:openserrw@localhost/openser")
> > modparam("usrloc", "db_mode", 2)
> >
> > # -- acc params --
> > modparam("acc", "radius_flag", 1)
> > modparam("acc", "radius_missed_flag", 2)
> > modparam("acc", "log_flag", 1)
> > modparam("acc", "log_missed_flag", 1)
> > modparam("acc", "service_type", 15)
> > #modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp")
> > modparam("acc|auth_radius|group_radius|avp_radius", "radius_config",
> >     "/etc/radiusclient-ng/radiusclient.conf")
> >
> > # -- group_radius params --
> > modparam("group_radius", "use_domain", 1)
> >
> > # -- avpops params --
> > #modparam("avpops", "avp_aliases", "day=i:101;time=i:102")
> >
> > # -- rr params --
> > # add value to ;lr param to make some broken UAs happy
> > modparam("rr", "enable_full_lr", 1)
> >
> > # ------------------------- request routing logic -------------------
> >
> > # main routing logic
> >
> > route{
> >
> >     # initial sanity checks -- messages with
> >     # max_forwards==0, or excessively long requests
> >     if (!mf_process_maxfwd_header("10")) {
> >         sl_send_reply("483","Too Many Hops");
> >         exit;
> >     };
> >
> >     if (msg:len >= 2048 ) {
> >         sl_send_reply("513", "Message too big");
> >         exit;
> >     };
> >
> >     # check if user is suspended
> >     if(is_method("REGISTER|INVITE|MESSAGE|OPTIONS|SUBSCRIBE"))
> >     {
> >         if (radius_is_user_in("From", "suspended")) {
> >             sl_send_reply("403", "Forbidden - suspended");
> >             exit;
> >         };
> >     };
> >
> >     # we record-route all messages -- to make sure that
> >     # subsequent messages will go through our proxy; that's
> >     # particularly good if upstream and downstream entities
> >     # use different transport protocol
> >     if (!method=="REGISTER")
> >         record_route();
> >
> >     # subsequent messages within a dialog should take the
> >     # path determined by record-routing
> >     if (loose_route()) {
> >         # mark routing logic in request
> >         append_hf("P-hint: rr-enforced\r\n");
> >         if(is_method("BYE"))
> >         { # log it all the time
> >             acc_rad_request("200 ok");
> >             acc_log_request("200 ok");
> >         }
> >         route(1);
> >     };
> >
> >     if(is_method("INVITE") && !has_totag())
> >     { # set the acc flags
> >         setflag(1);
> >         setflag(2);
> >     };
> >
> >     if (!uri==myself) {
> >         # check if user is allowed to do voip calls to other domains
> >         if(is_method("INVITE|MESSAGE")) {
> >             if (!radius_is_user_in("From", "voip")) {
> >                 sl_send_reply("403", "Forbidden VoIP");
> >                 exit;
> >             };
> >         };
> >         # mark routing logic in request
> >         append_hf("P-hint: outbound\r\n");
> >         route(1);
> >     };
> >
> >     # if the request is for other domain use UsrLoc
> >     # (in case, it does not work, use the following command
> >     # with proper names and addresses in it)
> >     if (uri==myself) {
> >         # authenticate registers
> >         if (method=="REGISTER") {
> >             if (!radius_www_authorize("192.168.0.5")) {
> >                 www_challenge("192.168.0.5", "0");
> >                 exit;
> >             };
> >
> >             # check the src ip address
>
> The method call is wrong. Check the module doc of avp_radius and Avp.
>
> >             if(!avp_check("i:2", "eq/$src_ip/ig"))
> >             {
> >                 sl_send_reply("403", "Forbidden IP");
> >                 exit;
> >             };
> >
> >             save("location");
> >             exit;
> >         };
> >
> >         # calls to pstn
> >         if(uri=~"sip:00[1-9][0-9]+@") {
> >             if(is_method("INVITE") && !has_totag()) {
> >                 if (!radius_is_user_in("From", "pstn")) {
> >                     sl_send_reply("403", "Forbidden PSTN");
> >                     exit;
> >                 };
> >             };
> >             # set gateway address
> >             rewritehostport("10.10.10.10:5090");
> >             route(1);
> >         };
> >
> >         # load callee's avps
> >         if(avp_load_radius("callee"))
> >         {
> >             # check if user has time filter enabled
> >             if(avp_check("i:3", "eq/i:1"))
> >             {
> >                 # print time in an avp
> >                 avp_printf("i:100", "$Tf");
> >                 # extract day
> >                 avp_subst("i:100/i:101", "/(.{3}) .+/*\1*/");
> >                 if(!avp_check("i:6", "fm/$day")) {
> >                     sl_send_reply("403", "Forbidden - day");
> >                     exit;
> >                 };
> >                 # extract 'hours:minutes'
> >                 avp_subst("i:100/i:102", "/(.{10}) (.{5}):.+/\2/");
> >                 if((is_avp_set("i:4") && avp_check("i:4", "gt/$time"))
> >                 || (is_avp_set("i:5") && avp_check("i:5", "lt/$time"))) {
> >                     sl_send_reply("403", "Forbidden - time");
> >                     exit;
> >                 };
> >             };
> >         };
> >
> >         # native SIP destinations are handled using our USRLOC DB
> >         if (!lookup("location")) {
> >             # log to acc as missed call
> >             acc_rad_request("404 Not Found");
> >             acc_log_request("404 Not Found");
> >             sl_send_reply("404", "Not Found");
> >             exit;
> >         };
> >         append_hf("P-hint: usrloc applied\r\n");
> >     };
> >
> >     route(1);
> > }
> >
> > # generic forward
> > route[1] {
> >     # send it out now; use stateful forwarding as it works reliably
> >     # even for UDP2TCP
> >     if (!t_relay()) {
> >         sl_reply_error();
> >     };
> >     exit;
> > }
> > #
> >
> > _______________________________________________
> > Users mailing list
> > Users at openser.org
> > http://openser.org/cgi-bin/mailman/listinfo/users
> >
>
>
>
> --
> Thanks and Regards
> Ravi Prakash Sunkara
> ravi.sunkara at hyperion-tech.com
> M:+91 9985077535
> O:+91 40 23114549
> F:+91 40 40208727
> ravi.sunkara at hyperion-tech.com
> www.hyperion-tech.com
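
Added example (not part of the original thread, and not OpenSER code): a small Python check that lists avp_check() calls whose first parameter is still a bare AVP name such as "i:2", the form that produced "unable to get pseudo-variable in P1" in the log above. The rule that P1 must start with "$" is an assumption drawn from the fix reported in this thread; SAMPLE_CFG is constructed and the function names are hypothetical.

```python
import re

# Matches avp_check("<P1>", "<P2>") and captures both parameters.
AVP_CHECK = re.compile(r'avp_check\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')

# Constructed sample in the style of the openser.cfg quoted in the thread.
SAMPLE_CFG = '''\
route{
    if(!avp_check("i:2", "eq/$src_ip/ig"))
    {
        sl_send_reply("403", "Forbidden IP");
        exit;
    };
    #if(avp_check("i:9", "eq/i:1")) { exit; };
    if(!avp_check("$avp(i:2)", "eq/$avp($src_ip)/ig")) { exit; };
    if((is_avp_set("i:4") && avp_check("i:4", "gt/$time"))
       || (is_avp_set("i:5") && avp_check("i:5", "lt/$time"))) {
        exit;
    };
}
'''

def strip_comment(line):
    """Drop a trailing # comment, ignoring # inside double-quoted strings."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == '#' and not in_str:
            return line[:i]
    return line

def find_legacy_avp_checks(cfg_text):
    """Return (line_no, p1) for each avp_check whose P1 is not a $pseudo-variable."""
    hits = []
    for no, line in enumerate(cfg_text.splitlines(), start=1):
        for m in AVP_CHECK.finditer(strip_comment(line)):
            p1 = m.group(1)
            # Assumption from the thread: P1 must be written as $avp(...)
            if not p1.startswith("$"):
                hits.append((no, p1))
    return hits

if __name__ == "__main__":
    for no, p1 in find_legacy_avp_checks(SAMPLE_CFG):
        print(f"line {no}: avp_check P1 {p1!r} is not a pseudo-variable")
```

Commented-out calls are skipped, so only statements the parser would actually see are reported.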