[OpenSER-Users] auth_radius:radius_authorize_sterman: rc_auth failed

Simon J Xuereb sjxuereb at gmail.com
Fri May 16 21:09:57 CEST 2008


Hi,

I am trying to configure openser + freeradius for authentication &
accounting.
I have my freeradius configured with openldap and it's working successfully.

tested with

radclient -f digest 127.0.0.1:1812 auth testing123

results are successful.

However I cannot get it to work with openser. I see nothing happening in my
"/usr/sbin/radius -X" output  coming from openser when i try to register.

My environment was tested on Fedora 8 and Fedora 9, both with RPMs, with the
same results.

auth_radius:radius_authorize_sterman: rc_auth failed

no output is seen in my  /usr/sbin/radius -X

Below please find my openser.cfg & radiusclient.conf & servers

######## radiusclient.conf

# General settings
#
# Login-related options of the radiusclient-ng configuration file.
# NOTE(review): these options (login limits, nologin and issue files) describe
# interactive logins; presumably they are used by the radlogin tool rather
# than by OpenSER's auth_radius module -- confirm.

# specify which authentication comes first respectively which
# authentication is used. possible values are: "radius" and "local".
# if you specify "radius,local" then the RADIUS server is asked
# first then the local one. if only one keyword is specified only
# this server is asked.
auth_order      radius,local

# maximum login tries a user has
login_tries     4

# timeout for all login tries
# if this time is exceeded the user is kicked out
login_timeout   60

# name of the nologin file which when it exists disables logins.
# it may be extended by the ttyname which will result in
# a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
# logins on /dev/ttyS2)
nologin /etc/nologin

# name of the issue file. it is only displayed when no username is passed
# on the radlogin command line
issue   /etc/radiusclient-ng/issue

# RADIUS settings
#
# Servers, shared-secret file, dictionary and transport parameters used by the
# RADIUS client library. OpenSER's auth_radius module is pointed at this file
# through its radius_config parameter in the openser.cfg posted below.

# RADIUS server to use for authentication requests. this config
# item can appear more than one time. if multiple servers are
# defined they are tried in a round robin fashion if one
# server is not answering.
# optionally you can specify the port number on which the remote
# RADIUS server listens, separated by a colon from the hostname. if
# no port is specified /etc/services is consulted for the radius
# service. if this fails also a compiled in default is used.
#
# NOTE(review): none of the three entries below names a port, whereas the
# radclient test in this post addressed 127.0.0.1:1812 explicitly and
# acctserver names 1813. If the /etc/services lookup or the compiled-in
# default yields a different port, requests will not reach the server that
# was tested -- writing the port explicitly (host:port) removes that
# uncertainty; confirm.
authserver      127.0.0.1
authserver      10.0.0.10
authserver      localhost

# RADIUS server to use for accounting requests. All that I
# said for authserver applies, too.
#
acctserver      127.0.0.1:1813

# file holding shared secrets used for the communication
# between the RADIUS client and server
#
# The secrets in this file are stored in cleartext, so it should be readable
# only by the account that runs the RADIUS client.
# NOTE(review): that account (here presumably the OpenSER process user) must
# still be able to read it; an unreadable file is one way a request could fail
# before anything is sent -- confirm.
servers         /etc/radiusclient-ng/servers

# dictionary of allowed attributes and values
# just like in the normal RADIUS distributions
#
# NOTE(review): the stock dictionary is commented out in favour of
# dictionary.openser; presumably that file must exist, be readable and define
# the attributes auth_radius sends -- verify.
#dictionary     /usr/share/radiusclient-ng/dictionary
dictionary      /etc/radiusclient-ng/dictionary.openser

# program to call for a RADIUS authenticated login
login_radius    /usr/sbin/login.radius

# file which holds sequence number for communication with the
# RADIUS server
#
# NOTE(review): presumably the process using this configuration needs write
# access to this file; check its ownership and permissions when requests fail
# without reaching the server -- confirm.
seqfile         /var/run/radius.seq

# file which specifies mapping between ttyname and NAS-Port attribute
mapfile         /etc/radiusclient-ng/port-id-map

# default authentication realm to append to all usernames if no
# realm was explicitly specified by the user
# the radiusd directly from Livingston doesn't use any realms, so leave
# it blank then
default_realm

# time to wait for a reply from the RADIUS server
radius_timeout  10

# resend request this many times before trying the next server
radius_retries  3

# local address from which radius packets have to be sent
# ("*" is given here instead of a specific local address)
bindaddr *

# LOCAL settings
#
# Program used for the "local" half of auth_order above.
# NOTE(review): presumably relevant only to interactive logins, not to SIP
# authentication through auth_radius -- confirm.

# program to execute for local login
# it must support the -f flag for preauthenticated login
login_local     /bin/login

########################################################

#/etc/radiusclient-ng/servers

# Shared secrets for each RADIUS server named by an authserver/acctserver
# line in radiusclient.conf; one "server  key" pair per line.
#
# All three entries use testing123, the same value passed to radclient in the
# test earlier in this post. It is a widely known sample secret, so it is only
# suitable for a lab; use a long random secret per server elsewhere.
# The keys are stored in cleartext: keep this file readable only by the
# account that runs the RADIUS client.
#Server Name or Client/Server pair              Key
#----------------                               ---------------
#portmaster.elemental.net                       hardlyasecret
#portmaster2.elemental.net                      donttellanyone
localhost                                       testing123
127.0.0.1                                       testing123
10.0.0.10                                       testing123

#######################################################

##########openser.cfg

# -- rr params --
# NOTE(review): despite the heading, the lines below are core global settings,
# not parameters of the rr module.

# log verbosity
debug=3
# write log output to stderr
# NOTE(review): log_facility presumably only takes effect when logging goes to
# syslog instead of stderr -- confirm.
log_stderror=yes
log_facility=LOG_LOCAL0

# run as forked worker processes, four children
fork=yes
children=4

# SIP listening port
port=5060

# ------------------ module loading ----------------------------------
# Directory searched for the modules named in the loadmodule lines below.
mpath="/usr/lib/openser/modules/"

# auth.so is loaded before auth_radius.so, which provides the
# radius_www_authorize() call used in the routing logic.
# No acc module is loaded, so this file performs no accounting.
loadmodule "mysql.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "avpops.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "xlog.so"
loadmodule "uri.so"
loadmodule "auth.so"
loadmodule "auth_radius.so"
loadmodule "mi_fifo.so"

# Management-interface FIFO.
# NOTE(review): the FIFO is created under /tmp, a directory shared by all local
# users; whoever can write to it can presumably issue management commands.
# Consider a directory owned by the OpenSER account with restrictive
# permissions -- confirm which mi_fifo permission options this release offers.
modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo")




# ----------------- setting module-specific parameters ---------------

# -- usrloc params --
# The database user name and password are embedded in the URL in cleartext,
# and the password equals the user name. Keep this file unreadable to other
# local users and use a distinct password outside a lab setup.
modparam("usrloc","db_url","mysql://openser:openser@localhost/openser")
modparam("usrloc", "db_mode", 2)

# -- acc params --
# NOTE(review): the heading says acc, but the parameter below belongs to
# auth_radius: it names the radiusclient-ng configuration file posted above.
# The OpenSER process must be able to read that file and the files it refers
# to (servers, dictionary) -- confirm permissions for the OpenSER account.

modparam("auth_radius","radius_config","/etc/radiusclient-ng/radiusclient.conf")

# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# -------------------------  request routing logic -------------------

# main routing logic

# Main route: REGISTER requests are authenticated through RADIUS and stored in
# the location table; every other request is handed to route(1).
route{

        # authenticate registers
        if (method=="REGISTER") {
            # Empty realm argument. Any failure of radius_www_authorize()
            # leads to a new challenge, so a registration is never saved
            # without a successful authorization.
            # NOTE(review): the "rc_auth failed" message in this post is
            # presumably logged from inside this call -- confirm.
            if (!radius_www_authorize("")) {
                # second argument "0" -- presumably qop disabled; confirm
                www_challenge("", "0");
                exit;
            };

            # NOTE(review): nothing here checks that the authenticated user
            # matches the To URI being registered; the uri module loaded above
            # presumably provides check_to() for that -- confirm and add
            # before production use.
            save("location");
            exit;

    };

    route(1);
}

# generic forward
# Relays the request statefully and replies with an error if relaying fails.
# NOTE(review): as posted, every non-REGISTER request reaches t_relay() without
# authentication or a location lookup, so the proxy forwards to whatever the
# request addresses. That keeps the test case small, but the route needs
# authentication and destination checks before the server is exposed.
route[1] {
    # send it out now; use stateful forwarding as it works reliably
    # even for UDP2TCP
    if (!t_relay()) {
        sl_reply_error();
    };
    exit;
}
#

Thanks for your help

SJX