[SR-Users] Radius authentication

Pablo Ros pablo.ros at i2cat.net
Mon Feb 28 10:44:10 CET 2011


I am trying to authenticate through RADIUS (info in an LDAP database). I am
using Kamailio 3.1.

First of all I would like to clear up an issue:

As shown, the authentication is done with:

*Code:*
if (! radius_www_authorize("uu.net")) {
        www_challenge("uu.net", "0");
        return;
}


Ok, when I installed OpenSER I did it with the Kamailio "flavour", so it was
using the auth_radius module belonging to it.
Does anyone know which would be the correct way to do the challenge to the
user, because it was not working at all? The RADIUS client does not even send
it. I got stuck for some time until I just decided to load the module from the ser
modules folder, and then the FreeRADIUS server started to receive my
requests correctly. Actually I can even see that it authenticates them correctly.

However, OpenSER/Kamailio doesn't seem to see the same and doesn't save the
location.



*Code:*

route[AUTH] {
#!ifdef WITH_AUTH
# First check whether the request belongs to our domain; if not, there is no
# need to check credentials.
        if (uri==myself)
        {
                if (is_method("REGISTER"))
                {
                        xlog("L_NOTICE","KAM-INFO: r[AUTH] - REGISTER - User info: ($fu):($si)>\n");
                        if (!radius_www_authorize("i2cat.net")){
                                route(RADIUS);
                                #www_challenge("i2cat.net","0");
                                exit;
                        }
                }

                if ($au!=$tU)
                {
                        sl_send_reply("403","Forbidden auth ID");
                        exit;
                }
        } else {

#!ifdef WITH_IPAUTH
                if(allow_source_address())
                {
                        # source IP allowed
                        return;
                }
#!endif

                # authenticate if from local subscriber
                if (from_uri==myself)
                {
                        if (!proxy_authorize("$fd", "subscriber")) {
                                proxy_challenge("$fd", "0");
                                exit;
                        }
                        if (is_method("PUBLISH"))
                        {
                                if ($au!=$tU) {
                                        sl_send_reply("403","Forbidden auth ID");
                                        exit;
                                }
                        } else {
                                if ($au!=$fU) {
                                        sl_send_reply("403","Forbidden auth ID");
                                        exit;
                                }
                        }

                        consume_credentials();
                        # caller authenticated
                } else {
                        # caller is not local subscriber, then check if it calls
                        # a local destination, otherwise deny, not an open relay here
                        if (!uri==myself)
                        {
                                sl_send_reply("403","Not relaying");
                                exit;
                        }
                }
        }
#!endif
        return;
}



Before doing the challenge it just goes through:

*Code:*

route[RADIUS]
{
   # $rc holds the return code of the last called function, and the xlog()
   # calls below would overwrite it, so save the radius_www_authorize() code first
   $var(auth_rc) = $rc;

   sl_send_reply("100", "Trying");
   append_to_reply("Expires: 600\r\n");
   append_to_reply("Min-Expires: 240\r\n");

   xlog("L_NOTICE","KAM-INFO: RADIUS AUTHENTICATION - AUTHORIZING USER $fU - <$fu>:<$si>\n");
   xlog("L_NOTICE","KAM-INFO: CHALLENGING. - RETCODE-> $var(auth_rc) \n");

   # log why authorization failed; each case ends with break, otherwise the
   # cases fall through and several replies are sent for one request
   switch($var(auth_rc)){
         case -5:
            xlog("L_INFO", "-> 500: internal server error");
            sl_send_reply("500", "Internal Server Error");
            exit;
         case -4:
            xlog("L_INFO", "-> credentials not found (no Authorization header), challenging");
            break;
         case -3:
            xlog("L_INFO", "-> stale nonce, challenging");
            break;
         case -2:
            xlog("L_INFO", "-> invalid password, challenging");
            break;
         case -1:
            xlog("L_INFO", "-> invalid user, challenging");
            break;
         default:
            xlog("L_INFO", "-> unauthorized, challenging");
            break;
   }
   # one final reply only: the 401 challenge carrying WWW-Authenticate
   www_challenge("i2cat.net", "0");
}


Buuuuuuuuuuuuut... I got that in the debug of Kamailio:


*Code:*

 4(31099) DEBUG: auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
 4(31099) DEBUG: auth_radius [sterman.c:271]: radius_authorize_sterman(): Success
 4(31099) WARNING: auth_radius [authorize.c:89]: RADIUS server did not send SER-UID attribute in digest authentication reply
 4(31099) DEBUG: auth [challenge.c:102]: build_challenge_hf: realm='i2cat.net'
 4(31099) DEBUG: auth [challenge.c:113]: build_challenge_hf: qop='auth'
 4(31099) DEBUG: auth [challenge.c:236]: auth: 'WWW-Authenticate: Digest realm="i2cat.net", nonce="TWZJLk1mSAKFVzL0b+dVPzkuyyAnZHQs", qop="auth"


I guess it has something to do with this SER-UID attribute and thus
something about the dictionary? It is weird seeing that the RADIUS server
says 'ok' but then OpenSER is not authenticating it.

I need some clues! Thank you!

-- 
Pablo Ros
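The Digest round trip behind the log in the post, as an added example (not code from the post, Kamailio or FreeRADIUS): it parses the WWW-Authenticate header from the debug output, builds the Authorization header a UA sends in its second REGISTER, and verifies it the way the proxy or RADIUS side does, returning the codes used in the route[RADIUS] switch. The subscriber table, password, nonce store and cnonce are constructed values.

```python
import hashlib
import hmac
import re

# Challenge copied from the Kamailio debug output in the post; the nonce store,
# subscriber table, password and cnonce below are constructed for this example.
CHALLENGE = 'Digest realm="i2cat.net", nonce="TWZJLk1mSAKFVzL0b+dVPzkuyyAnZHQs", qop="auth"'
VALID_NONCES = {"TWZJLk1mSAKFVzL0b+dVPzkuyyAnZHQs"}
PASSWORDS = {"alice": "s3cret"}


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_digest(header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict with lower-cased keys."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {k.lower(): v for k, v in re.findall(r'(\w+)="?([^",]*)"?', params)}


def ha1_lookup(user: str, realm: str):
    """The verifying side stores HA1 = MD5(user:realm:password), not the password."""
    pw = PASSWORDS.get(user)
    return None if pw is None else md5hex(f"{user}:{realm}:{pw}")


def build_authorization(user, password, method, uri, challenge,
                        nc="00000001", cnonce="0a4f113b"):
    """Authorization header the UA sends after the 401 (RFC 2617, qop=auth)."""
    c = parse_digest(challenge)
    ha1 = md5hex(f"{user}:{c['realm']}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    resp = md5hex(f"{ha1}:{c['nonce']}:{nc}:{cnonce}:{c['qop']}:{ha2}")
    return (f'Digest username="{user}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", response="{resp}", qop={c["qop"]}, nc={nc}, cnonce="{cnonce}"')


def authorize(authorization, method, realm):
    """Codes as in route[RADIUS]: 1 ok, -1 invalid user, -2 invalid password,
    -3 stale nonce, -4 no credentials (the first REGISTER, so a 401 is normal)."""
    if not authorization:
        return -4
    a = parse_digest(authorization)
    if a.get("realm") != realm or a.get("nonce") not in VALID_NONCES:
        return -3
    ha1 = ha1_lookup(a.get("username", ""), realm)
    if ha1 is None:
        return -1
    ha2 = md5hex(f"{method}:{a.get('uri', '')}")
    expected = md5hex(f"{ha1}:{a['nonce']}:{a.get('nc', '')}:{a.get('cnonce', '')}:{a.get('qop', '')}:{ha2}")
    return 1 if hmac.compare_digest(expected, a.get("response", "")) else -2
```

The first REGISTER without credentials maps to -4 and is the normal reason for a 401 challenge; only a second REGISTER carrying a valid response should get past the check.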