[Serusers] SER with RADIUS

Tomasz Zieleniewski tzieleniewski at gmail.com
Wed May 13 11:20:51 CEST 2009


use www_authenticate(digest_realm, credentials) instead...



2009/5/13 Leon Li <Leon.Li at aarnet.edu.au>

>  Hi,
>
>
>
> I am using 2.0.0.
>
>
>
> And I am using radius_www_authenticate to authenticate via FreeRADIUS. The
> problem is not with this function, but *www_challenge function returns
> error “unknown command, missing loadmodule?”.*
>
>
>
> Cheers
>
> Leon
>
>
>
>
>
> *From:* Tomasz Zieleniewski [mailto:tzieleniewski at gmail.com]
> *Sent:* Tuesday, 12 May 2009 5:44 PM
>
> *To:* Leon Li
> *Cc:* serusers at lists.iptel.org
> *Subject:* Re: [Serusers] SER with RADIUS
>
>
>
> Hi,
>
> You must use www_authenticate(digest_realm, credentials)
> function in order to perform the user authentication.
>
> BTW which version of SER do You use?
>
> Kind regards,
> Tomasz
>
> 2009/5/12 Leon Li <Leon.Li at aarnet.edu.au>
>
> Hi,
>
>
>
> I got the following settings on my SER handling authentication.
>
>
>
> route[AUTHENTICATION]
>
> {
>
>                 # CANCELs and ACKs cannot be challenged.
>
>                 if (method == "CANCEL" || method == "ACK") {
>
>                                 break;
>
>                 }
>
>
>
>                 # Authentication
>
>                 if (method == "REGISTER") {
>
>                                 if (!radius_www_authenticate(" ")) {
>
>                                 *www_challenge("", "1");*
>
>                                 break;
>
>                                 }
>
>                                 save("location");
>
>                                 drop;
>
>                 }
>
> }
>
>
>
> However, when I try to run SER with this file, the error “unknown
> command, missing loadmodule?” comes up, indicating the line in red has a problem. If I
> comment out this line, SER starts fine but no authentication is performed.
>
>
>
> Anyone can help?
>
>
>
> Thanks
>
> Leon
>
>
>
> *From:* Tomasz Zieleniewski [mailto:tzieleniewski at gmail.com]
> *Sent:* Thursday, 7 May 2009 11:03 PM
>
>
> *To:* Leon Li
> *Cc:* serusers at lists.iptel.org
> *Subject:* Re: [Serusers] SER with RADIUS
>
>
>
> Hi,
>
> In order to use radius you need auth_radius module to use database auth_db.
> Other thing is that if You want to authorize user as UAS (registrar)
> then You should use radius_www_authenticate(digest_realm) function.
>
> Kind regards,
> - Tomasz
>
> 2009/5/7 Leon Li <Leon.Li at aarnet.edu.au>
>
> Thanks Tomasz,
>
>
>
> I know we need different function, however, my problem is that it won’t
> accept www_challenge in ser.cfg which is introduced by auth module, I think.
>
> *            if (method=="REGISTER") {*
>
> *                  # authentication*
>
> *                  if (!radius_www_authorize("")) {*
>
> *                        www_challenge("", "0");*
>
> *                        break;*
>
>                   };
>
>
>
> Regards
>
> Leon
>
>
>
>
>
> *From:* Tomasz Zieleniewski [mailto:tzieleniewski at gmail.com]
> *Sent:* Wednesday, 6 May 2009 6:25 PM
> *To:* Leon Li
> *Cc:* serusers at lists.iptel.org
> *Subject:* Re: [Serusers] SER with RADIUS
>
>
>
> Hi,
>
> From SER version 2.x in order to challenge a SIP Request with FreeRADIUS
> authorization You need to use the radius_proxy_authorize(digest_realm)
> function.
> And analogously proxy_authorize(digest_realm, credentials) if You want to
> use SER database.
>
> Kind regards,
> - Tomasz Zieleniewski
>
> 2009/5/6 Leon Li <Leon.Li at aarnet.edu.au>
>
> Hi,
>
>
>
> I am trying to make SER work with FreeRADIUS. However, I got an error
> using www_challenge, " 0(3184) parse error (119,25-26): unknown command,
> missing loadmodule?" The 119 line is www_challenge("", "0"); I did load auth
> module. Any idea?
>
>
>
> Here is my config:
>
>
>
> #
>
> # $Id: ser-basic.cfg,v 1.1.2.2 2008/06/12 13:15:06 alfredh Exp $
> #
> # This a very basic config file w aliases and anamed route but
> # w/o authentication, accounting, database, multi-domain support etc.
> # Please refer to ser.cfg for a more complete example
> #
>
>
>
> # ----------- global configuration parameters ------------------------
>
>
>
> debug=3         # debug level (cmd line: -dddddddddd)
>
> #memdbg=10 # memory debug message level
>
> #memlog=10 # memory statistics log level
> #log_facility=LOG_LOCAL0 # sets the facility used for logging (see syslog(3))
>
>
>
> /* Uncomment these lines to enter debugging mode
> fork=no
> log_stderror=yes
> */
>
>
>
> check_via=no    # (cmd. line: -v)
>
> dns=no          # (cmd. line: -r)
>
> rev_dns=no      # (cmd. line: -R)
>
> listen=202.158.197.134
>
> port=5060
>
> children=4
>
> #user=ser
>
> #group=ser
>
> #disable_core=yes #disables core dumping
>
> #open_fd_limit=1024 # sets the open file descriptors limit
> #mhomed=yes  # useful for multihomed hosts, small performance penalty
> #disable_tcp=yes
> #tcp_accept_aliases=yes # accepts the tcp alias via option (see NEWS)
>
>
>
> #
>
>
>
> # ------------------ module loading ----------------------------------
>
>
>
> loadmodule "/usr/local/lib/ser/modules/sl.so"
>
> loadmodule "/usr/local/lib/ser/modules/tm.so"
>
> loadmodule "/usr/local/lib/ser/modules/rr.so"
>
> loadmodule "/usr/local/lib/ser/modules/textops.so"
>
> loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
>
> loadmodule "/usr/local/lib/ser/modules/usrloc.so"
>
> loadmodule "/usr/local/lib/ser/modules/registrar.so"
>
> loadmodule "/usr/local/lib/ser/modules/ctl.so"
>
> *loadmodule "/usr/local/lib/ser/modules/auth.so"*
>
> loadmodule "/usr/local/lib/ser/modules/auth_radius.so"
>
>
>
> # ----------------- setting module-specific parameters ---------------
>
>
>
> # -- usrloc params --
>
>
>
> modparam("usrloc", "db_mode",   0)
>
>
>
> # -- rr params --
>
> # add value to ;lr param to make some broken UAs happy
> modparam("rr", "enable_full_lr", 1)
>
>
>
> # ctl params
>
> # by default ctl listens on unixs:/tmp/ser_ctl if no other address is
> # specified in modparams; this is also the default for sercmd
> modparam("ctl", "binrpc", "unixs:/tmp/ser_ctl")
> # listen on the "standard" fifo for backward compatibility
> modparam("ctl", "fifo", "fifo:/tmp/ser_fifo")
> # listen on tcp, localhost
> #modparam("ctl", "binrpc", "tcp:localhost:2046")
>
>
>
> # -- auth_radius params --
>
> modparam("auth_radius", "radius_config",
> "/usr/local/etc/radiusclient-ng/radiusclient.conf")
>
>
>
> # -------------------------  request routing logic -------------------
>
>
>
> # main routing logic
>
>
>
> route{
>
>
>
>       # initial sanity checks -- messages with
>
>       # max_forwards==0, or excessively long requests
>
>       if (!mf_process_maxfwd_header("10")) {
>
>             sl_reply("483","Too Many Hops");
>
>             break;
>
>       }
>
>       if (msg:len >=  max_len ) {
>
>             sl_reply("513", "Message too big");
>
>             break;
>
>       }
>
>
>
>       # we record-route all messages -- to make sure that
>
>       # subsequent messages will go through our proxy; that's
>
>       # particularly good if upstream and downstream entities
>
>       # use different transport protocol
>
>       if (!method=="REGISTER") record_route();
>
>
>
>       # subsequent messages within a dialog should take the
>
>       # path determined by record-routing
>
>       if (loose_route()) {
>
>             # mark routing logic in request
>
>             append_hf("P-hint: rr-enforced\r\n");
>
>             route(FORWARD);
>
>             break;
>
>       }
>
>
>
>       if (!uri==myself) {
>
>             # mark routing logic in request
>
>             append_hf("P-hint: outbound\r\n");
>
>             route(FORWARD);
>
>             break;
>
>       }
>
>
>
>       # if the request is for other domain use UsrLoc
>
>       # (in case, it does not work, use the following command
>
>       # with proper names and addresses in it)
>
>       if (uri==myself) {
>
>
>
> *            if (method=="REGISTER") {*
>
> *                  # authentication*
>
> *                  if (!radius_www_authorize("")) {*
>
> *                        www_challenge("", "0");*
>
> *                        break;*
>
>                   };
>
>                   save_contacts("location");
>
>                   break;
>
>             }
>
>
>
>             # native SIP destinations are handled using our USRLOC DB
>
>             if (!lookup_contacts("location")) {
>
>                   sl_reply("404", "Not Found");
>
>                   break;
>
>             }
>
>             append_hf("P-hint: usrloc applied\r\n");
>
>       }
>
>       route(FORWARD);
>
> }
>
>
>
> route[FORWARD]
>
> {
>
>       # send it out now; use stateful forwarding as it works reliably
>
>       # even for UDP2TCP
>
>       if (!t_relay()) {
>
>             sl_reply_error();
>
>       }
>
> }
>
>
>
> Thanks,
>
> Leon
>
>
>
>
> _______________________________________________
> Serusers mailing list
> Serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers