[Serusers] SER with RADIUS

Tomasz Zieleniewski tzieleniewski at gmail.com
Wed May 6 10:25:17 CEST 2009


Hi,

>From SER version 2.x in order to challenge a SIP Request with FreeRADIUS
authorization You need to use the radius_proxy_authorize(digest_realm)
function.
And analogously proxy_authorize(digest_realm, credentials) if You want to
use SER database.

Kind regards,
- Tomasz Zieleniewski

2009/5/6 Leon Li <Leon.Li at aarnet.edu.au>

>  Hi,
>
>
>
> I am trying to make SER working with FreeRADIUS. However, I got an error
> using www_challenge, " 0(3184) parse error (119,25-26): unknown command,
> missing loadmodule?" The 119 line is www_challenge("", "0"); I did load auth
> module. Any idea?
>
>
>
> Here is my config:
>
>
>
> #
>
> # $Id: ser-basic.cfg,v 1.1.2.2 2008/06/12 13:15:06 alfredh Exp $ # # This a
> very basic config file w aliases and anamed route but # w/o authentication,
> accounting, database, multi-domain support etc.
>
> # Please refer to ser.cfg for a more complete example #
>
>
>
> # ----------- global configuration parameters ------------------------
>
>
>
> debug=3         # debug level (cmd line: -dddddddddd)
>
> #memdbg=10 # memory debug message level
>
> #memlog=10 # memory statistics log level #log_facility=LOG_LOCAL0 # sets
> the facility used for logging (see syslog(3))
>
>
>
> /* Uncomment these lines to enter debugging mode fork=no log_stderror=yes
> */
>
>
>
> check_via=no    # (cmd. line: -v)
>
> dns=no          # (cmd. line: -r)
>
> rev_dns=no      # (cmd. line: -R)
>
> listen=202.158.197.134
>
> port=5060
>
> children=4
>
> #user=ser
>
> #group=ser
>
> #disable_core=yes #disables core dumping
>
> #open_fd_limit=1024 # sets the open file descriptors limit #mhomed=yes  #
> usefull for multihomed hosts, small performance penalty #disable_tcp=yes
> #tcp_accept_aliases=yes # accepts the tcp alias via option (see NEWS)
>
>
>
> #
>
>
>
> # ------------------ module loading ----------------------------------
>
>
>
> loadmodule "/usr/local/lib/ser/modules/sl.so"
>
> loadmodule "/usr/local/lib/ser/modules/tm.so"
>
> loadmodule "/usr/local/lib/ser/modules/rr.so"
>
> loadmodule "/usr/local/lib/ser/modules/textops.so"
>
> loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
>
> loadmodule "/usr/local/lib/ser/modules/usrloc.so"
>
> loadmodule "/usr/local/lib/ser/modules/registrar.so"
>
> loadmodule "/usr/local/lib/ser/modules/ctl.so"
>
> *loadmodule "/usr/local/lib/ser/modules/auth.so"*
>
> loadmodule "/usr/local/lib/ser/modules/auth_radius.so"
>
>
>
> # ----------------- setting module-specific parameters ---------------
>
>
>
> # -- usrloc params --
>
>
>
> modparam("usrloc", "db_mode",   0)
>
>
>
> # -- rr params --
>
> # add value to ;lr param to make some broken UAs happy modparam("rr",
> "enable_full_lr", 1)
>
>
>
> # ctl params
>
> # by default ctl listens on unixs:/tmp/ser_ctl if no other address is #
> specified in modparams; this is also the default for sercmd modparam("ctl",
> "binrpc", "unixs:/tmp/ser_ctl") # listen on the "standard" fifo for backward
> compatibility modparam("ctl", "fifo", "fifo:/tmp/ser_fifo") # listen on tcp,
> localhost #modparam("ctl", "binrpc", "tcp:localhost:2046")
>
>
>
> # -- auth_radius params --
>
> modparam("auth_radius", "radius_config",
> "/usr/local/etc/radiusclient-ng/radiusclient.conf")
>
>
>
> # -------------------------  request routing logic -------------------
>
>
>
> # main routing logic
>
>
>
> route{
>
>
>
>       # initial sanity checks -- messages with
>
>       # max_forwards==0, or excessively long requests
>
>       if (!mf_process_maxfwd_header("10")) {
>
>             sl_reply("483","Too Many Hops");
>
>             break;
>
>       }
>
>       if (msg:len >=  max_len ) {
>
>             sl_reply("513", "Message too big");
>
>             break;
>
>       }
>
>
>
>       # we record-route all messages -- to make sure that
>
>       # subsequent messages will go through our proxy; that's
>
>       # particularly good if upstream and downstream entities
>
>       # use different transport protocol
>
>       if (!method=="REGISTER") record_route();
>
>
>
>       # subsequent messages withing a dialog should take the
>
>       # path determined by record-routing
>
>       if (loose_route()) {
>
>             # mark routing logic in request
>
>             append_hf("P-hint: rr-enforced\r\n");
>
>             route(FORWARD);
>
>             break;
>
>       }
>
>
>
>       if (!uri==myself) {
>
>             # mark routing logic in request
>
>             append_hf("P-hint: outbound\r\n");
>
>             route(FORWARD);
>
>             break;
>
>       }
>
>
>
>       # if the request is for other domain use UsrLoc
>
>       # (in case, it does not work, use the following command
>
>       # with proper names and addresses in it)
>
>       if (uri==myself) {
>
>
>
> *            if (method=="REGISTER") {*
>
> *                  # authentication*
>
> *                  if (!radius_www_authorize("")) {*
>
> *                        www_challenge("", "0");*
>
> *                        break;*
>
>                   };
>
>                   save_contacts("location");
>
>                   break;
>
>             }
>
>
>
>             # native SIP destinations are handled using our USRLOC DB
>
>             if (!lookup_contacts("location")) {
>
>                   sl_reply("404", "Not Found");
>
>                   break;
>
>             }
>
>             append_hf("P-hint: usrloc applied\r\n");
>
>       }
>
>       route(FORWARD);
>
> }
>
>
>
> route[FORWARD]
>
> {
>
>       # send it out now; use stateful forwarding as it works reliably
>
>       # even for UDP2TCP
>
>       if (!t_relay()) {
>
>             sl_reply_error();
>
>       }
>
> }
>
>
>
> Thanks,
>
> Leon
>
>
>
> _______________________________________________
> Serusers mailing list
> Serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20090506/5ec385d6/attachment.htm>


More information about the sr-users mailing list