[Users] openser+freeradius:(radius_is_user_in(): Failure)+(DEBUG:avpops:ops_c)

buptzhaoyuan at sina.com buptzhaoyuan at sina.com
Wed Jan 3 16:07:11 CET 2007


 Hi,
  List, happy new year!
    This is probably a stupid question, but I cannot solve it. The UA cannot register with openser normally. I think steps 1-5 run well and the last one fails. The debug output shows two errors. The first is " 0(5898) radius_is_user_in(): Failure"; the other is " 0(5898) DEBUG:avpops:ops_check_avp: no src avp found". Please give me some help and suggestions.
    My configuration file and debug information follow. Thanks!
      HTTP/SIP           RADIUS
 
    +-----+    (1)    +-----+           +-----+
    |     |==========>|     |           |     |
    |     |    (2)    |     |           |     |
    |     |<==========|     |           |     |
    |     |    (3)    |     |           |     |
    |     |==========>|     |           |     |
    |  A  |           |  B  |    (4)    |  C  |
    |     |           |     |---------->|     |
    |     |           |     |    (5)    |     |
    |     |           |     |<----------|     |
    |     |    (6)    |     |           |     |
    |     |<==========|     |           |     |
    +-----+           +-----+           +-----+
 
    ====> HTTP/SIP
    ----> RADIUS
 
    I set up the system following the document (http://www.openser.org/docs/openser-radius-1.0.x.html).
 My openser is openser-1.1.0-tls, and my openser.cfg is the same as the one in the document.
 
#
#$Id$
#
# radius config script 
#
 
# ----------- global configuration parameters ------------------------
 
# Core settings for a foreground debugging run bound to one UDP address.
# NOTE(review): debug=7 with log_stderror=yes prints per-request
# authentication detail (the log on this page shows the digest nonce);
# lower the level once troubleshooting is finished.
debug=7            # debug level (cmd line: -dddddddddd)
# do not fork; presumably children=4 has no effect in this mode - confirm
        fork=no
        log_stderror=yes    # (cmd line: -E)
 
        check_via=no    # (cmd. line: -v)
        dns=no          # (cmd. line: -r)
        rev_dns=no      # (cmd. line: -R)
        port=5060
        children=4
        listen=udp:192.168.168.3
# names the script treats as local when it tests uri==myself
        alias="swifton.org"
        alias="192.168.168.3"
# FIFO interface left disabled. NOTE(review): if it is enabled, /tmp is a
# shared directory - prefer a path only the openser user can reach.
#fifo="/tmp/openser_fifo"
 
# ------------------ module loading ----------------------------------
[root at localhost openser]# cat openser.cfg
#
#$Id$
#
# radius config script
#
 
# ----------- global configuration parameters ------------------------
 
# Core settings for a foreground debugging run bound to one UDP address.
# NOTE(review): debug=7 with log_stderror=yes prints per-request
# authentication detail (the log on this page shows the digest nonce);
# lower the level once troubleshooting is finished.
debug=7            # debug level (cmd line: -dddddddddd)
# do not fork; presumably children=4 has no effect in this mode - confirm
        fork=no
        log_stderror=yes    # (cmd line: -E)
 
        check_via=no    # (cmd. line: -v)
        dns=no          # (cmd. line: -r)
        rev_dns=no      # (cmd. line: -R)
        port=5060
        children=4
        listen=udp:192.168.168.3
# names the script treats as local when it tests uri==myself
        alias="swifton.org"
        alias="192.168.168.3"
# FIFO interface left disabled. NOTE(review): if it is enabled, /tmp is a
# shared directory - prefer a path only the openser user can reach.
#fifo="/tmp/openser_fifo"
 
# ------------------ module loading ----------------------------------
# Directory the loadmodule lines below are resolved against.
        mpath="/usr/local/lib/openser/modules"
 
# Modules used by the routing script. auth_radius, group_radius and
# avp_radius provide the three RADIUS functions the script calls
# (radius_www_authorize, radius_is_user_in, avp_load_radius); acc sends
# the accounting records.
# NOTE(review): mysql.so is loaded although the only db_url in this file
# (usrloc) is commented out - confirm it is still needed.
        loadmodule "mysql.so"
        loadmodule "sl.so"
        loadmodule "tm.so"
        loadmodule "rr.so"
        loadmodule "maxfwd.so"
        loadmodule "avpops.so"
        loadmodule "usrloc.so"
        loadmodule "registrar.so"
        loadmodule "textops.so"
        loadmodule "xlog.so"
        loadmodule "uri.so"
        loadmodule "acc.so"
        loadmodule "auth.so"
        loadmodule "auth_radius.so"
        loadmodule "group_radius.so"
        loadmodule "avp_radius.so"
 
# ----------------- setting module-specific parameters ---------------
 
# -- usrloc params --
# NOTE(review): the disabled db_url carries the sample account
# openser/openserrw; use site-specific credentials if it is ever enabled.
#modparam("usrloc","db_url","mysql://openser:openserrw@localhost/openser")
        modparam("usrloc", "db_mode", 2)
 
# -- acc params --
# Flags 1 and 2 are the ones the route sets with setflag(1)/setflag(2)
# on initial INVITEs.
        modparam("acc", "radius_flag", 1)
        modparam("acc", "radius_missed_flag", 2)
        modparam("acc", "log_flag", 1)
        modparam("acc", "log_missed_flag", 1)
# presumably 15 is the dictionary value of Sip-Session - confirm against
# the radiusclient dictionary
        modparam("acc", "service_type", 15)
# add the request's source IP ($si) and source port ($sp) to each
# RADIUS accounting record
        modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp")
# all four RADIUS-speaking modules share one client configuration file
        modparam("acc|auth_radius|group_radius|avp_radius", "radius_config",
                            "/etc/radiusclient-ng/radiusclient.conf")
 
# -- group_radius params --
        modparam("group_radius", "use_domain", 1)
 
# -- avpops params --
# $day and $time in the route are aliases for AVPs i:101 and i:102
        modparam("avpops", "avp_aliases", "day=i:101;time=i:102")
 
# -- rr params --
# add value to ;lr param to make some broken UAs happy
        modparam("rr", "enable_full_lr", 1)
 
# -------------------------  request routing logic -------------------
 
# main routing logic
 
        # Main request route: sanity checks, RADIUS group checks, REGISTER
        # authentication and the source-IP check, PSTN and time-of-day rules.
        # The poster elided parts of the script with "......", so what follows
        # is not complete as shown.
        route{
 
    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        exit;
    };
 
    if (msg:len >=  2048 ) {
        sl_send_reply("513", "Message too big");
        exit;
    };
 
    # check if user is suspended
    # NOTE(review): this runs before any authentication, so the From URI it
    # looks up is whatever the sender claims. radius_is_user_in() is false
    # when RADIUS does not confirm group membership; the
    # "radius_is_user_in(): Failure" debug line presumably reflects that
    # negative answer for a user who is not in "suspended" rather than a
    # broken setup - confirm in the RADIUS server log.
    if(is_method("REGISTER|INVITE|MESSAGE|OPTIONS|SUBSCRIBE"))
    {
        if (radius_is_user_in("From", "suspended")) {
            sl_send_reply("403", "Forbidden - suspended");
            exit;
        };
    };
    
    # we record-route all messages -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol
    if (!method=="REGISTER")
        record_route();
 
    # subsequent messages within a dialog should take the
    # path determined by record-routing
    if (loose_route()) {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        if(is_method("BYE"))
        { # log it all the time
            acc_rad_request("200 ok");
            acc_log_request("200 ok");
        }
        # route(1) is not shown in full; presumably it relays and exits -
        # otherwise processing would continue below. TODO confirm.
        route(1);
    };
 
    if(is_method("INVITE") && !has_totag())
    {   # set the acc flags
        setflag(1);
        setflag(2);
    };
 
    # requests for a domain that is not ours
    # NOTE(review): in the visible part of the script these requests are
    # relayed without proxy authentication; the "voip" group check below is
    # keyed on the unauthenticated From header and covers only
    # INVITE and MESSAGE.
    if (!uri==myself) {
        # check if user is allowed to do voip calls to other domains
        if(is_method("INVITE|MESSAGE")) {
            if (!radius_is_user_in("From", "voip")) {
                sl_send_reply("403", "Forbidden VoIP");
                exit;
            };
        };
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n"); 
        route(1);
    };
 
    # if the request is for other domain use UsrLoc
    # (in case, it does not work, use the following command
    # with proper names and addresses in it)
    # Note: the condition below is true for requests addressed to one of
    # our own names (listen address and aliases), i.e. the local domain.
    if (uri==myself) {
        # authenticate registers
        # Digest credentials are verified by the RADIUS server; a request
        # without valid credentials is challenged and processing stops.
        # NOTE(review): nothing visible here ties the authenticated user to
        # the To/From URI being registered - confirm whether a check such as
        # the uri module's check_to() is wanted before save().
        if (method=="REGISTER") {
            if (!radius_www_authorize("swifton.org")) {
                www_challenge("swifton.org", "0");
                exit;
            };
 
            # check the src ip address
            # Compares the AVP with integer id 2 against the packet's source
            # IP. The check fails closed: when no such AVP exists avp_check()
            # is false and the REGISTER gets 403. In the debug output on this
            # page the Access-Accept only yields the string-named AVP
            # 'Sip-Group', so "ops_check_avp: no src avp found" is the
            # expected result until the RADIUS reply also carries a SIP-AVP
            # that maps to id 2 - TODO confirm the user entry on the server.
            if(!avp_check("$avp(i:2)", "eq/$src_ip/ig"))
            {
                sl_send_reply("403", "Forbidden IP");
                exit;
            };
 
            save("location");
            exit;
        };
 
        # calls to pstn
        # The "pstn" group is only checked for initial INVITEs (no To tag);
        # any other request matching the pattern is sent to the gateway
        # without a group check.
        if(uri=~"sip:00[1-9][0-9]+@") {
            if(is_method("INVITE") && !has_totag()) {
                if (!radius_is_user_in("From", "pstn")) {
                    sl_send_reply("403", "Forbidden PSTN");
                    exit;
                };
            };
            # set gateway address
            rewritehostport("10.10.10.10:5090");
            route(1);
        };
        
        # load callee's avps
        if(avp_load_radius("callee"))
        {
            # check if user has time filter enabled
            if(avp_check("$avp(i:3)", "eq/i:1"))
            {
                # print time in an avp
                avp_printf("$avp(i:100)", "$Tf");
                # extract day
                # (first three characters of the time string, wrapped in '*',
                # then matched against AVP i:6)
                avp_subst("$avp(i:100)/$avp(i:101)", "/(.{3}) .+/*\1*/");
                if(!avp_check("$avp(i:6)", "fm/$day")) {
                    sl_send_reply("403", "Forbidden - day");
                    exit;
                };
                # extract 'hours:minutes'
                avp_subst("$avp(i:100)/$avp(i:102)", "/(.{10}) (.{5}):.+/\2/");
                # reject when AVP i:4 is later than now or AVP i:5 is earlier
                # than now; presumably these are the start and end of the
                # allowed window - confirm against the RADIUS user entries
                if((is_avp_set("$avp(i:4)") && avp_check("$avp(i:4)", "gt/$time")) 
                || (is_avp_set("$avp(i:5)") && avp_check("$avp(i:5)", "lt/$time"))) {
                    sl_send_reply("403", "Forbidden - time");
                    exit;
                };
            };
        };
        ......
 
    route(1);
}
 
......
    exit;
}
#
 
When openser is started, the debug output is as follows:
898) SIP Request:
898)  method:  <REGISTER>
898)  uri:     <sip:swifton.org>
898)  version: <SIP/2.0>
898) parse_headers: flags=2
898) end of header reached, state=5
898) parse_headers: Via found, flags=2
898) parse_headers: this is the first via
898) After parse_msg...
898) preparing to run routing scripts...
898) parse_headers: flags=100
898) DEBUG:maxfwd:is_maxfwd_present: value = 70
898) parse_headers: flags=10
898) DEBUG: add_param: tag=f59c388b5de348778e76ebda993c2d8e
898) DEBUG: add_param: epid=b6757bf3fc
898) DEBUG:parse_to:end of header reached, state=29
898) DBUG:parse_to: display={}, ruri={sip:zhaoy at swifton.org}
898) radius_is_user_in(): Failure
898) parse_headers: flags=200
898) DEBUG:parse_to:end of header reached, state=10
......
 0(5898) grep_sock_info - checking if host==us: 11==13 &&  [swifton.org] == [192.168.168.3]
 0(5898) grep_sock_info - checking if port 5060 matches port 5060
 0(5898) grep_sock_info - checking if host==us: 11==13 &&  [swifton.org] == [192.168.168.3]
 0(5898) grep_sock_info - checking if port 5060 matches port 5060
 0(5898) check_nonce(): comparing [459bb612ad569015987d4849d1ae603515f32e6b] and
 [459bb612ad569015987d4849d1ae603515f32e6b]
 0(5898) DEBUG:auth_radius:radius_authorize_sterman: Success
 0(5898) DEBUG:auth_radius:generate_avps: getting SIP AVPs from avpair 225
 0(5898) DEBUG:auth_radius:extract_avp: string is <Sip-Group:voip>
 0(5898) DEBUG:auth_radius:extract_avp: AVP name is <Sip-Group>
 0(5898) DEBUG:auth_radius:extract_avp: AVP val is <voip>
 0(5898) DEBUG:auth_radius:generate_avps: AVP 'Sip-Group'/0='voip'/0 has been added
 0(5898) DEBUG:avpops:ops_check_avp: no src avp found
 0(5898) parse_headers: flags=ffffffffffffffff
 0(5898) check_via_address(192.168.168.30, 192.168.168.30, 0)
 0(5898) DEBUG:destroy_avp_list: destroying list 0x422bc440
 0(5898) receive_msg: cleaning up
 
The freeradius debug information is as follows:
  
er-Name = "zhaoy at swifton.org"
        Digest-Attributes = 0x0a077a68616f79
        Digest-Attributes = 0x010d73776966746f6e2e6f7267
        Digest-Attributes = 0x022a34353962623631326164353639303135393837643438343964316165363033353135663332653662
        Digest-Attributes = 0x04117369703a73776966746f6e2e6f7267
        Digest-Attributes = 0x030a5245474953544552
        Digest-Response = "2ead4f5b9d78013a35f2eb7a792971a5"
        Service-Type = Sip-Session
        Sip-Uri-User = "zhaoy"
        NAS-Port = 5060
        NAS-IP-Address = 192.168.168.3
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 167
  modcall[authorize]: module "preprocess" returns ok for request 167
  modcall[authorize]: module "chap" returns noop for request 167
  modcall[authorize]: module "mschap" returns noop for request 167
    rlm_digest: Converting Digest-Attributes to something sane...
        Digest-User-Name = "zhaoy"
        Digest-Realm = "swifton.org"
        Digest-Nonce = "459bb612ad569015987d4849d1ae603515f32e6b"
        Digest-URI = "sip:swifton.org"
        Digest-Method = "REGISTER"
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module "digest" returns ok for request 167
 .......
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 167
A1 = zhaoy:swifton.org:zhaoy
A2 = REGISTER:sip:swifton.org
H(A1) = eff77a9105c5c0973492694f59c944f2
H(A2) = d3add39dad2709bea55016ba79eb675a
KD = eff77a9105c5c0973492694f59c944f2:459bb612ad569015987d4849d1ae603515f32e6b:d3add39dad2709bea55016ba79eb675a
EXPECTED 2ead4f5b9d78013a35f2eb7a792971a5
RECEIVED 2ead4f5b9d78013a35f2eb7a792971a5
  modcall[authenticate]: module "digest" returns ok for request 167
modcall: group authenticate returns ok for request 167
radius_xlat:  'Authenticated'
Login OK: [zhaoy at swifton.org] (from client openser port 5060)
Sending Access-Accept of id 13 to 192.168.168.3:33101
        SIP-AVP = "Sip-Group:voip"
        Reply-Message = "Authenticated"
        Sip-Group = "voip"
Finished request 167
    My MSN is buptzhaoyuan at sina.com. I would be glad to communicate with you!
