[SR-Users] Help needed for OpenSer with Radius

Pratik Shrestha pratikdbl at gmail.com
Tue Aug 3 10:13:05 CEST 2010


Dear Daniel,

Yeah right. I totally forgot, it's a reverse DNS.
Now I checked the radius server in debug mode and I cannot see any request
from openser trying to connect to radius server. So, the request from
openser is not reaching the radius server.
Then I installed wireshark and checked the IP address 128.185.38.162 (RADIUS
server IP address) on the server where openser was installed. There also I did
not find any entry related to 128.185.38.162.
So, it seems my configuration is wrong. I am sending you the configuration
of openser.cfg and radiusclient.conf.

openser.cfg

isoftel@isoftel-desktop:~$ cd /usr/local/etc/openser/
isoftel@isoftel-desktop:/usr/local/etc/openser$ cat openser.cfg
#
# $Id$
#
# radius config script
#

# ----------- global configuration parameters ------------------------

debug=6           # debug level (cmd line: -dddddddddd)
log_stderror=yes    # (cmd line: -E)

check_via=no    # (cmd. line: -v)
dns=no          # (cmd. line: -r)
rev_dns=no      # (cmd. line: -R)
port=5060
children=4
#listen=udp:localhost
#alias="kamailio.org"

fifo="/tmp/openser_fifo"

# ------------------ module loading ----------------------------------
mpath="/usr/local/lib/openser/modules"

loadmodule "mysql.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "avpops.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "xlog.so"
loadmodule "uri.so"
loadmodule "acc.so"
loadmodule "auth.so"
loadmodule "auth_radius.so"
loadmodule "group_radius.so"
loadmodule "avp_radius.so"

# ----------------- setting module-specific parameters ---------------

# -- usrloc params --
#modparam("usrloc","db_url","mysql://openser:openserrw@localhost/openser")
modparam("usrloc", "db_mode", 2)

# -- acc params --
modparam("acc", "radius_flag", 1)
modparam("acc", "radius_missed_flag", 2)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 1)
modparam("acc", "service_type", 15)
modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp")
modparam("acc|auth_radius|group_radius|avp_radius", "radius_config",
"/etc/radiusclient-ng/radiusclient.conf")

# -- group_radius params --
modparam("group_radius", "use_domain", 1)

# -- avpops params --
modparam("avpops", "avp_aliases", "day=i:101;time=i:102")

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# -------------------------  request routing logic -------------------

# main routing logic

route{

    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        exit;
    };

    if (msg:len >=  2048 ) {
        sl_send_reply("513", "Message too big");
        exit;
    };

    # check if user is suspended
    if(is_method("REGISTER|INVITE|MESSAGE|OPTIONS|SUBSCRIBE"))
    {
        if (radius_is_user_in("From", "suspended")) {
            sl_send_reply("403", "Forbidden - suspended");
            exit;
        };
    };

    # we record-route all messages -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol
    if (!method=="REGISTER")
        record_route();

    # subsequent messages within a dialog should take the
    # path determined by record-routing
    if (loose_route()) {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        if(is_method("BYE"))
        { # log it all the time
            acc_rad_request("200 ok");
            acc_log_request("200 ok");
        }
        route(1);
    };

    if(is_method("INVITE") && !has_totag())
    {   # set the acc flags
        setflag(1);
        setflag(2);
    };

    if (!uri==myself) {
        # check if user is allowed to do voip calls to other domains
        if(is_method("INVITE|MESSAGE")) {
            if (!radius_is_user_in("From", "voip")) {
                sl_send_reply("403", "Forbidden VoIP");
                exit;
            };
        };
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        route(1);
    };

    # if the request is for other domain use UsrLoc
    # (in case, it does not work, use the following command
    # with proper names and addresses in it)
    if (uri==myself) {
        # authenticate registers
        if (method=="REGISTER") {
            if (!radius_www_authorize("")) {
                www_challenge("", "1");
                exit;
            };

            # check the src ip address
            if(!avp_check("i:2", "eq/$src_ip/ig"))
            {
                sl_send_reply("403", "Forbidden IP");
                exit;
            };

            save("location");
            exit;
        };

        # calls to pstn
        if(uri=~"sip:00[1-9][0-9]+@") {
            if(is_method("INVITE") && !has_totag()) {
                if (!radius_is_user_in("From", "pstn")) {
                    sl_send_reply("403", "Forbidden PSTN");
                    exit;
                };
            };
            # set gateway address
            rewritehostport("localhost:5090");
            route(1);
        };

        # load callee's avps
        if(avp_load_radius("callee"))
        {
            # check if user has time filter enabled
            if(avp_check("i:3", "eq/i:1"))
            {
                # print time in an avp
                avp_printf("i:100", "$Tf");
                # extract day
                avp_subst("i:100/i:101", "/(.{3}) .+/*\1*/");
                if(!avp_check("i:6", "fm/$day")) {
                    sl_send_reply("403", "Forbidden - day");
                    exit;
                };
                # extract 'hours:minutes'
                avp_subst("i:100/i:102", "/(.{10}) (.{5}):.+/\2/");
                if((is_avp_set("i:4") && avp_check("i:4", "gt/$time"))
                || (is_avp_set("i:5") && avp_check("i:5", "lt/$time"))) {
                    sl_send_reply("403", "Forbidden - time");
                    exit;
                };
            };
        };

        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location")) {
            # log to acc as missed call
            acc_rad_request("404 Not Found");
            acc_log_request("404 Not Found");
            sl_send_reply("404", "Not Found");
            exit;
        };
        append_hf("P-hint: usrloc applied\r\n");
    };

    route(1);
}

# generic forward
route[1] {
    # send it out now; use stateful forwarding as it works reliably
    # even for UDP2TCP
    if (!t_relay()) {
        sl_reply_error();
    };
    exit;
}


radiusclient-ng.conf

# General settings

# specify which authentication comes first respectively which
# authentication is used. possible values are: "radius" and "local".
# if you specify "radius,local" then the RADIUS server is asked
# first then the local one. if only one keyword is specified only
# this server is asked.
auth_order      radius
#add 'local' with comma

# maximum login tries a user has
login_tries     4

# timeout for all login tries
# if this time is exceeded the user is kicked out
login_timeout   60

# name of the nologin file which when it exists disables logins.
# it may be extended by the ttyname which will result in
# a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
# logins on /dev/ttyS2)
nologin /etc/nologin

# name of the issue file. it's only displayed when no username is passed
# on the radlogin command line
issue   /etc/radiusclient-ng/issue

# RADIUS settings

# RADIUS server to use for authentication requests. this config
# item can appear more than once. if multiple servers are
# defined they are tried in a round robin fashion if one
# server is not answering.
# optionally you can specify the port number on which the remote
# RADIUS server listens, separated by a colon from the hostname. if
# no port is specified /etc/services is consulted for the radius
# service. if this fails also a compiled in default is used.
authserver      128.185.38.162

# RADIUS server to use for accounting requests. All that I
# said for authserver applies, too.
#
acctserver      128.185.38.162

# file holding shared secrets used for the communication
# between the RADIUS client and server
servers         /etc/radiusclient-ng/servers

# dictionary of allowed attributes and values
# just like in the normal RADIUS distributions
dictionary      /etc/radiusclient-ng/dictionary

# program to call for a RADIUS authenticated login
login_radius    /usr/sbin/login.radius

# file which holds sequence number for communication with the
# RADIUS server
seqfile         /var/run/radius.seq

# file which specifies mapping between ttyname and NAS-Port attribute
mapfile         /etc/radiusclient-ng/port-id-map

# default authentication realm to append to all usernames if no
# realm was explicitly specified by the user
# the radiusd directly from Livingston doesn't use any realms, so leave
# it blank then
default_realm

# time to wait for a reply from the RADIUS server
radius_timeout  10

# resend request this many times before trying the next server
radius_retries  3

# local address from which radius packets have to be sent
bindaddr localhost
#change with 'localhost'

# LOCAL settings

# program to execute for local login
# it must support the -f flag for preauthenticated login
login_local     /bin/login


I have edited servers file also with the servername and secret.

Thank you very much.

Regards,
Pratik
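The two configs above are the thread's own. What follows is an added example, not code from the original post or from the OpenSER / radiusclient-ng projects: a small Python check over a radiusclient-ng configuration that flags, without a packet capture, the two settings that keep Access-Requests from ever reaching the server, a client bound to a loopback address while the server is off-host, and a server missing from the shared-secrets file. The sample config and servers file are constructed from the values quoted in the message; the secret is a placeholder.

```python
import ipaddress
# Constructed samples from the thread's values; the shared secret is a placeholder, not real.
RADIUSCLIENT_CONF = """\
authserver      128.185.38.162
acctserver      128.185.38.162
servers         /etc/radiusclient-ng/servers
radius_timeout  10
bindaddr localhost
"""
SERVERS_FILE = """\
# server                   shared secret
128.185.38.162             PLACEHOLDER_SECRET
"""

def parse_conf(text):
    """'key value' per line; '#' comments; keys may repeat or have no value."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            conf.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf

def is_loopback(host):
    """True for 'localhost' or any loopback IP literal (127.0.0.1, ::1)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def check_conf(conf_text, servers_text):
    """Return findings explaining why requests would never reach the RADIUS server."""
    conf = parse_conf(conf_text)
    findings = []
    # authserver/acctserver are 'host' or 'host:port'; keep only the host part.
    hosts = [v.rsplit(":", 1)[0] for v in conf.get("authserver", []) + conf.get("acctserver", [])]
    remote = sorted({h for h in hosts if not is_loopback(h)})
    bind = conf.get("bindaddr", ["*"])[-1]
    # A UDP socket bound to a loopback address cannot send to an off-host peer.
    if bind != "*" and is_loopback(bind) and remote:
        findings.append(f"bindaddr {bind} cannot reach remote RADIUS server(s) {', '.join(remote)}; use 'bindaddr *' or this host's own address")
    # servers file: 'host secret' per line; without an entry the client has no secret to sign with.
    known = {l.split()[0] for l in servers_text.splitlines() if l.split() and not l.lstrip().startswith("#")}
    for h in sorted(set(hosts)):
        if h not in known:
            findings.append(f"no shared secret for {h} in the servers file")
    return findings
```

Run it against the real /etc/radiusclient-ng files by reading them into the two strings; an empty list means the directives the check covers are consistent, and anything remaining is then a network or FreeRADIUS-side question.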

On Mon, Aug 2, 2010 at 11:26 PM, Daniel-Constantin Mierla <miconda at gmail.com> wrote:

>  Hello,
>
>
> On 8/2/10 12:36 PM, Pratik Shrestha wrote:
>
> Dear Daniel,
> Now the new issue. Seems now openser is trying to talk with radius server.
> But still I am getting the one error in syslog which is as follows.
>
> rc_send_server: no reply from RADIUS server 128-185-38-162.totisp.net:1812
>
> Actually I have written only 128.185.38.162 in auth_server in
> radiusclient.conf. I don't know how this totisp.net is added. I haven't
> mentioned it anywhere.
>
>
> probably reverse dns is done in the library, it is not relevant anyhow. Can
> you start radius server in debug mode and see if it got some request? You
> can also do a ngrep/wireshark on port 1812 of your radius server to watch
> for network packets coming from kamailio.
>
> Cheers,
> Daniel
>
>
>
> Please help me.
> Thanks.
>
> Regards,
> Pratik
>
> On Mon, Aug 2, 2010 at 11:44 AM, Pratik Shrestha <pratikdbl at gmail.com> wrote:
>
>> Dear Daniel,
>>
>> Before I work for the new version, I am first trying to configure old
>> version of openser and radius. I am using openser version 1.0.1 and radius
>> client version 0.5.1 and I am following the tutorial given in
>> http://kamailio.net/docs/openser-radius-1.0.x.html.
>>
>> My freeradius server is in another machine and when I use radclient to
>> check the user I made, I get the "Authenticated" message.
>> But when I use X-lite and connect to openser, it seems openser is not
>> talking with freeradius servers. I am sure the "secret" I am using is right
>> as I have already tested from radclient. The log which I am getting in
>> openser is as shown below
>>
>> 9(1986) SIP Request:
>>  9(1986)  method:  <REGISTER>
>>  9(1986)  uri:     <sip:192.168.0.56>
>>  9(1986)  version: <SIP/2.0>
>>  9(1986) parse_headers: flags=2
>>  9(1986) Found param type 232, <branch> = <z9hG4bK-d8754z-c33212005635f16c-1---d8754z->; state=6
>>  9(1986) Found param type 235, <rport> = <n/a>; state=17
>>  9(1986) end of header reached, state=5
>>  9(1986) parse_headers: Via found, flags=2
>>  9(1986) parse_headers: this is the first via
>>  9(1986) After parse_msg...
>>  9(1986) preparing to run routing scripts...
>>  9(1986) parse_headers: flags=100
>>  9(1986) DEBUG:maxfwd:is_maxfwd_present: value = 70
>>  9(1986) parse_headers: flags=10
>>  9(1986) DEBUG:parse_to:end of header reached, state=9
>>  9(1986) DEBUG: get_hdr_field: <To> [44]; uri=[sip:101%40kamailio.org@192.168.0.56]
>>  9(1986) DEBUG: to body ["101"<sip:101%40kamailio.org@192.168.0.56>]
>>  9(1986) DEBUG: add_param: tag=cc6e4259
>>  9(1986) DEBUG:parse_to:end of header reached, state=29
>>  9(1986) radius_is_user_in(): Failure
>>  9(1986) parse_headers: flags=200
>>  9(1986) get_hdr_field: cseq <CSeq>: <2> <REGISTER>
>>  9(1986) DEBUG: get_hdr_body : content_length=0
>>  9(1986) found end of header
>>  9(1986) find_first_route: No Route headers found
>>  9(1986) loose_route: There is no Route HF
>>  9(1986) grep_sock_info - checking if host==us: 12==9 &&  [192.168.0.56] == [127.0.0.1]
>>  9(1986) grep_sock_info - checking if port 5060 matches port 5060
>>  9(1986) grep_sock_info - checking if host==us: 12==12 &&  [192.168.0.56] == [192.168.0.56]
>>  9(1986) grep_sock_info - checking if port 5060 matches port 5060
>>  9(1986) grep_sock_info - checking if host==us: 12==9 &&  [192.168.0.56] == [127.0.0.1]
>>  9(1986) grep_sock_info - checking if port 5060 matches port 5060
>>  9(1986) grep_sock_info - checking if host==us: 12==12 &&  [192.168.0.56] == [192.168.0.56]
>>  9(1986) grep_sock_info - checking if port 5060 matches port 5060
>>  9(1986) check_nonce(): comparing [4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c] and [4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c]
>>  9(1986) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
>>  9(1986) build_auth_hf(): 'WWW-Authenticate: Digest realm="192.168.0.56", nonce="4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c"
>> '
>>  9(1986) parse_headers: flags=ffffffffffffffff
>>  9(1986) check_via_address(192.168.0.148, 192.168.182.3, 0)
>>  9(1986) DEBUG:destroy_avp_list: destroying list (nil)
>>  9(1986) receive_msg: cleaning up
>>
>> At freeradius also, no request goes from openser.
>>
>> Please advise me how to get rid of this problem.
>>
>> Best Regards,
>> Pratik
>>
>>
>> On Wed, Jul 28, 2010 at 5:56 PM, Pratik Shrestha <pratikdbl at gmail.com> wrote:
>>
>>> Thanks a lot. I will give it a try
>>>
>>> Pratik
>>>
>>>
>>> On Wed, Jul 28, 2010 at 3:48 PM, Daniel-Constantin Mierla <miconda at gmail.com> wrote:
>>>
>>>> Hello,
>>>>
>>>>
>>>> On 7/22/10 6:06 AM, Pratik Shrestha wrote:
>>>>
>>>>> Dear All,
>>>>>
>>>>> I am very new to OpenSer. I want to use latest version of OpenSer with
>>>>> Radius. I need the documentation/tutorial on how to do this. Googling, I only
>>>>> found for the old version. Please help me.
>>>>>
>>>>
>>>>  indeed, there is a rather old version:
>>>>
>>>> http://www.kamailio.org/docs/openser-radius-1.0.x.html
>>>>
>>>> What I can say now is that you can skip the part of installing kamailio
>>>> and use next link instead:
>>>>
>>>> http://www.kamailio.org/dokuwiki/doku.php/install:kamailio-3.0.x-from-git
>>>>
>>>> Radius client library is now in most of common Linux distributions, so
>>>> you can install it with the package manager (you need the devel headers as
>>>> well, the -dev package).
>>>>
>>>> FreeRadius configuration should be more or less the same.
>>>>
>>>> The config of kamailio has changed quite a lot. Use the default one from
>>>> kamailio, follow the WITH_AUTH define conditions and replace auth_db with
>>>> auth_radius modules and functions. Also, the rest of radius modules were
>>>> merged into misc_radius. For enabling radius acc, you need to recompile acc
>>>> module after editing the Makefile in module directory.
>>>>
>>>> Hope it helps to start, ask here if you get stuck.
>>>>
>>>>
>>>> Cheers,
>>>> Daniel
>>>>
>>>> --
>>>> Daniel-Constantin Mierla
>>>> http://www.asipto.com/
>>>>
>>>>
>>>
>>
>
> --
> Daniel-Constantin Mierla
> http://www.asipto.com/
>
>