[OpenSER-Users] checking radius return attributes

danish.samad at vocalseeds.com danish.samad at vocalseeds.com
Sat Sep 1 10:45:11 CEST 2007


Hi Dan,

Thanks for all your help and support, I really appreciate it. I was able
to get it to work.
Although I had to replace all VSA'a with the SIP-AVP attributes. For some
reason the SIP-AVP's were not loaded due to the presence of other VSA's.
Maybe it was because I was using a = sign in the value prefixes instead of
: or #.
Is this a known issue.

Regards,
Danish
ps: Someone asked earlier about the radius server I was using. The radius
server along with the billing solution is from advancedvoip.com, so far
our experience with them has been quite good.
> Hi Danish,
>
> sorry for replying to you so late, but I was out from the office today.
>
> Here you go:
>
> First of all, my bad, the returned value should be in the form:
> return-code#0 if you want your value to be treated as an integer or
> return-code:0 if 0 the AVP should be considered as string - has been a
> while since I worked last time with those. By using a higher layer of
> debug you should be able to see your avps converted inside when
> received from radius.
> The rest of your configuration looks good. Note that you can return
> more AVP values with the same reply, so you can include the credit
> amount as well:
> SIP-AVP="return-code#0"
> SIP-AVP="h323-credit-amount#4206"
>
> Hope you will rock now.
>
> Cheers,
> DanB
>
> On 8/30/07, danish.samad at vocalseeds.com <danish.samad at vocalseeds.com>
> wrote:
>> Hi Dan,
>> To test the functionality of SIP-AVP, I am trying to get theses avp's in
>> the registration block, shown below. Basically on sucessful registration
>> the radius server returns the following attributes in acces-accpet
>>
>> Attributes:
>>         SIP-AVP = "return-code=0"
>>         cisco-h323-credit-amount = "h323-credit-amount=4206"
>>
>> so after registration I am trying to get the return code value. The
>> registration block is shown below
>>
>> route[2] {
>> # -----------------------------------------------------------------
>> # REGISTER Message Handler
>> # ----------------------------------------------------------------
>>         xlog("L_NOTICE","Danish: Entering route[2]\n");
>>         xlog("L_NOTICE","Danish: Register message IPsrcaddr [$si],
>> RecvdIPaddr[$Ri]\n");
>>         if (!search("^Contact:[ ]*\*") && nat_uac_test("2")) {
>>                 xlog("L_NOTICE","Danish: In route[2] Found Nated
>> contact\n");
>>                 setflag(6);
>>                 setbflag(6);
>>                 # if you want OPTIONS natpings uncomment next
>>                 setbflag(7);
>>                 fix_nated_register();
>>                 force_rport();
>>         };
>>
>>         sl_send_reply("100", "Trying");
>>         if (!radius_www_authorize("192.168.0.99")) {
>>                 www_challenge("192.168.0.99", "1");
>>         };
>>         consume_credentials();
>>
>>         #avp_print();
>>         xlog("L_NOTICE","Danish: Before is set check\n");
>>         if(is_avp_set("$avp(s:return-code)")){
>>                 xlog("L_NOTICE","Danish: return code is set \n");
>>         };
>>         xlog("L_NOTICE","Danish: After is set check\n");
>>         if(avp_check("$avp(s:return-code)", "eq/i:0/g"))
>>         {
>>                 xlog("L_NOTICE","Danish: return code 0 received \n");
>>         };
>>
>>         if (!save("location")) {
>>                 sl_reply_error();
>>         };
>>
>> }
>>
>> In my logs I see
>>
>> 058) DEBUG:auth_radius:generate_avps: getting SIP AVPs from avpair 225
>>  4(11058) Danish: Before is set check
>>  4(11058) Danish: After is set check
>>  4(11058) DEBUG:avpops:ops_check_avp: no src avp found
>>
>> so both conditional avp checks fail and the last debug line is a bit
>> worrying
>> I traced the first debug line above to sterman.c->generate_avps()
>> so just under this debug line I added this piece of code
>>
>>    vp=rc_avpair_get(vp,attrs[A_SIP_AVP].v,0);
>>     if (vp != NULL)
>>     {
>>      DBG("DEBUG:auth_radius:generate_avps: strvalue %s\n",
>>      vp->strvalue);
>>     }
>>     else
>>       DBG("DEBUG:auth_radius:generate_avps: vp is null\n");
>>
>> and this is what I got
>>
>> 4(11058) DEBUG:auth_radius:generate_avps: getting SIP AVPs from avpair
>> 225
>> 4(11058) DEBUG:auth_radius:generate_avps: vp is null
>>
>> hence openser is not loading the SIP-avp in $avp(s:return-code). I think
>> either I am missing something in the openser script or the way I am
>> returning the attribute.
>>
>> all relevant definitions in the cfg are given below:
>>
>> loadmodule "/usr/local/lib/openser/modules/auth_radius.so"
>> loadmodule "/usr/local/lib/openser/modules/uri_radius.so"
>> loadmodule "/usr/local/lib/openser/modules/avp_radius.so"
>> loadmodule "/usr/local/lib/openser/modules/avpops.so"
>>
>> modparam("auth_radius|uri_radius|avp_radius", "radius_config",
>> "/usr/local/etc/radiusclient-ng/radiusclient.conf")
>> modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo")
>>
>> modparam("uri_db|usrloc", "db_url",
>> "mysql://openser:openserrw@localhost/openser")
>>
>> modparam("nathelper", "natping_interval", 20)
>> modparam("nathelper", "ping_nated_only", 1)
>> modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock")
>> modparam("nathelper", "received_avp", "$avp(i:42)")
>> modparam("nathelper", "sipping_bflag", 7)
>> modparam("nathelper", "sipping_from", "sip:pinger at abc.org")
>>
>> modparam("registrar", "received_avp", "$avp(i:42)")
>> modparam("usrloc", "db_mode", 2)
>> modparam("usrloc", "nat_bflag", 6)
>>
>> Hope this explains everything and you would be in a better position to
>> help.
>>
>> Regards,
>> Danish
>> ps: isnt there any sample script I can refer to for sip-avp radius
>> configurations.
>>
>>
>> > Hi Danish,
>> >
>> > can u post the full block where you are doing these checks?
>> >
>> > DanB
>> >
>> > On 8/29/07, danish.samad at vocalseeds.com <danish.samad at vocalseeds.com>
>> > wrote:
>> >> Hi Dan,
>> >> Thanks for the explanation, things are more clear now. Now I am
>> >> returning
>> >> a SIP-AVP from radius (for authentication), this is what I see in the
>> >> logs
>> >>
>> >> Attributes:
>> >>         SIP-AVP = "return-code=0"
>> >>         .......
>> >>
>> >> In my script I do
>> >>         avp_print();
>> >>         if(is_avp_set("$avp(s:return-code)")){
>> >>                 xlog("L_NOTICE","return code is set \n");
>> >>         };
>> >>         if(avp_check("$avp(s:return-code)", "eq/0/g"))
>> >>         {
>> >>                xlog("L_NOTICE","return code 0 received \n");
>> >>         };
>> >>
>> >> none of the checks pass and nothing is printed from avp_print. In
>> >> openser
>> >> logs I see this line
>> >>
>> >> 1(32550) DEBUG:auth_radius:generate_avps: getting SIP AVPs from
>> avpair
>> >> 225
>> >>
>> >> am I missing some pre-requisites or what am I doing wrong.
>> >>
>> >> Regards,
>> >> Danish
>> >>
>> >>
>> >> > Hi Danish,
>> >> >
>> >> > for the moment you cannot process attributes other than SIP-AVP
>> inside
>> >> > openser script. This one is automatically converted into avp.
>> >> > EG. A SIP-AVP attribute in the form of: "reason='No Credit'" should
>> >> > automatically create an AVP named reason with value "No Credit".
>> >> >
>> >> > Hope that helps,
>> >> > DanB
>> >> >
>> >> >
>> >> > On 8/29/07, danish.samad at vocalseeds.com
>> <danish.samad at vocalseeds.com>
>> >> > wrote:
>> >> >> Hi Dan,
>> >> >>
>> >> >> Thanks for your reply.
>> >> >>
>> >> >> Actually I am currently returning an integer status value in
>> >> >> cisco-h323-return-code (a vendor specific attribute). So basically
>> >> how
>> >> >> can
>> >> >> I extract the value returned in this attribute, compare it and
>> then
>> >> send
>> >> >> and sl reply.
>> >> >>
>> >> >> Probably there is a way of loading this attr value in an avp and
>> >> >> comparing
>> >> >> it?
>> >> >>
>> >> >> Regards,
>> >> >> Danish
>> >> >>
>> >> >> > Hello Danish,
>> >> >> >
>> >> >> > a solution would be returning a SIP-AVP, containing the reason
>> for
>> >> >> > failure, and then forward this to the client using sl.
>> >> >> > Another one would be completely rewriting R-URI again from your
>> >> >> > SIP-AVP and then send the request to an announcement server (eg:
>> >> >> > ann:paymentrequired at your.server - which should play Payment
>> >> Required
>> >> >> > annoucement).
>> >> >> >
>> >> >> > Cheers,
>> >> >> > DanB
>> >> >> >
>> >> >> > On 8/29/07, danish.samad at vocalseeds.com
>> >> <danish.samad at vocalseeds.com>
>> >> >> > wrote:
>> >> >> >> Hi,
>> >> >> >>
>> >> >> >> I have configured openser-1.2 with a (commercial) third party
>> >> radius
>> >> >> >> server and it is working great. Now I have a requirement where
>> I
>> >> need
>> >> >> to
>> >> >> >> check a radius return attribute in case an access reject is
>> >> received
>> >> >> in
>> >> >> >> response to an  authorization request. Is there some way I can
>> do
>> >> >> this
>> >> >> >> in
>> >> >> >> the openser script.
>> >> >> >>
>> >> >> >> Basically I want to send a 402 payment required message to a
>> sip
>> >> >> client
>> >> >> >> in
>> >> >> >> case the call is rejected due low balance. In such cases radius
>> >> >> returns
>> >> >> >> a
>> >> >> >> status  response code with access reject.
>> >> >> >>
>> >> >> >>
>> >> >> >> Thanks,
>> >> >> >> Danish
>> >> >> >>
>> >> >> >> _______________________________________________
>> >> >> >> Users mailing list
>> >> >> >> Users at openser.org
>> >> >> >> http://openser.org/cgi-bin/mailman/listinfo/users
>> >> >> >>
>> >> >> >
>> >> >>
>> >> >>
>> >> >
>> >>
>> >>
>> >
>>
>>
>





More information about the sr-users mailing list