[SR-Users] Radius authentication

Daniel-Constantin Mierla miconda at gmail.com
Wed Mar 2 09:40:05 CET 2011


Hello,

On 2/28/11 10:44 AM, Pablo Ros wrote:
> I am trying to authenticate through radius (info in LDAP database). I 
> am using kamailio 3.1
>
> First of all I would like to clear up an issue:
>
> As shown, the way to do the authentication is with:
>
> *Code:*
>
> if (! radius_www_authorize("uu.net")) {
>                 www_challenge("uu.net", "0");
>                 return;
>         }
>
>
>
First, if you don't have the above block in the main request route block, 
replace 'return' with 'exit'.

> Ok, when I installed openser I did it with kamailio "flavour" so it 
> was using the auth_radius module belonging to it.
> Does anyone know which would be the correct way to do the challenge to 
> the user, because it was not working at all. The radius client does not 
> even send it.

IIRC, even for RADIUS, the challenge is built by Kamailio auth module, 
nothing exchanged with the RADIUS server for challenge.

> I got stuck some time till I just decided to load the module from ser 
> modules folder and then freeradius server started to get correctly my 
> requests. Actually I can even see it authenticates them correctly.

Can you update kamailio default config where you replace auth_db module 
with auth_radius (from modules_k), and inside the routing blocks use:

- www_radius_authorize() instead of www_authorize()
- proxy_radius_authorize() instead of proxy_authorize()

Then start it with:

kamailio -E -ddd

and see if you see any hint/error there. Then run a test call and watch 
the logs, you should see some errors if communication with radius is not 
happening. If you don't understand exactly what happened, send those 
messages here.

Cheers,
Daniel
>
> However Openser/Kamailio doesn't seem to see the same and it doesn't 
> save location.
>
>
>
> *Code:*
>
>
> route[AUTH] {
> #!ifdef WITH_AUTH
> # First we check whether it belongs to our domain; if not, there is no
> # need to check credentials.
>         if (uri==myself)
>         {
>                 if (is_method("REGISTER"))
>                 {
>                         xlog("L_NOTICE","KAM-INFO: r[AUTH] - REGISTER - User info: ($fu):($si)>\n");
>                         if (!radius_www_authorize("i2cat.net")){
>                                 route(RADIUS);
>                                 #www_challenge("i2cat.net","0");
>                                 exit;
>                         }
>                 }
>
>                 if ($au!=$tU)
>                 {
>                         sl_send_reply("403","Forbidden auth ID");
>                         exit;
>                 }
>         } else {
>
> #!ifdef WITH_IPAUTH
>                 if(allow_source_address())
>                 {
>                         # source IP allowed
>                         return;
>                 }
> #!endif
>
>                 # authenticate if from local subscriber
>                 if (from_uri==myself)
>                 {
>                         if (!proxy_authorize("$fd", "subscriber")) {
>                                 proxy_challenge("$fd", "0");
>                                 exit;
>                         }
>                         if (is_method("PUBLISH"))
>                         {
>                                 if ($au!=$tU) {
>                                         sl_send_reply("403","Forbidden auth ID");
>                                         exit;
>                                 }
>                         } else {
>                                 if ($au!=$fU) {
>                                         sl_send_reply("403","Forbidden auth ID");
>                                         exit;
>                                 }
>                         }
>
>                         consume_credentials();
>                         # caller authenticated
>                 } else {
>                         # caller is not local subscriber, then check if it calls
>                         # a local destination, otherwise deny, not an open relay here
>                         if (!uri==myself)
>                         {
>                                 sl_send_reply("403","Not relaying");
>                                 exit;
>                         }
>                 }
>         }
> #!endif
>         return;
> }
>
>
>
> Before doing the challenge then it just goes through:
>
> *Code:*
>
>
> route[RADIUS]
> {
>
>    sl_send_reply("100", "Trying");
>    append_to_reply("Expires: 600\r\n");
>    append_to_reply("Min-Expires: 240\r\n");
>
>    xlog("L_NOTICE","KAM-INFO: RADIUS AUTHENTICATION - AUTHORIZING USER $fU - <$fu>:<$si>\n");
>
>    xlog("L_NOTICE","KAM-INFO: CHALLENGING. - RETCODE-> $rc \n");
>    www_challenge("i2cat.net", "0");
>    # each case needs a break, otherwise execution falls through to the next one
>    switch($rc){
>          case -5:
>             xlog("L_INFO", "-> 500: internal server error");
>             sl_send_reply("500", "Internal Server Error");
>             break;
>          case -4:
>             xlog("L_INFO", "-> 404: credentials not found");
>             sl_send_reply("404", "Credentials Not Found");
>             break;
>          case -3:
>             xlog("L_INFO", "-> 400: bad request - stale nonce");
>             sl_send_reply("400", "Bad Request");
>             break;
>          case -2:
>             xlog("L_INFO", "-> 401: invalid password");
>             sl_send_reply("401", "Invalid Password");
>             break;
>          case -1:
>             xlog("L_INFO", "-> 401: invalid user");
>             sl_send_reply("401", "Invalid User");
>             break;
>          default:
>             xlog("L_INFO", "-> 401: unauthorized");
>             sl_send_reply("401", "Unauthorized");
>          }
> }
>
>
>
> Buuuuuuuuuuuuut... I got that in the debug of Kamailio:
>
>
> *Code:*
>  4(31099) DEBUG: auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
>  4(31099) DEBUG: auth_radius [sterman.c:271]: radius_authorize_sterman(): Success
>  4(31099) WARNING: auth_radius [authorize.c:89]: RADIUS server did not send SER-UID attribute in digest authentication reply
>  4(31099) DEBUG: auth [challenge.c:102]: build_challenge_hf: realm='i2cat.net'
>  4(31099) DEBUG: auth [challenge.c:113]: build_challenge_hf: qop='auth'
>  4(31099) DEBUG: auth [challenge.c:236]: auth: 'WWW-Authenticate: Digest realm="i2cat.net", nonce="TWZJLk1mSAKFVzL0b+dVPzkuyyAnZHQs", qop="auth"
>
>
>
> I guess it has something to do with this SER-UID attribute and thus 
> something about the dictionary? It is weird seeing that the radius 
> server says 'ok' but then openser is not authenticating it.
>
> I need some clues! Thank you!
>
> -- 
> Pablo Ros
>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

-- 
Daniel-Constantin Mierla
http://www.asipto.com
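As an added illustration of the change suggested in this reply (example config written for this page, not code from the thread or from the Kamailio project), here is the Kamailio 3.1 default route[AUTH] with the auth_db calls swapped for the auth_radius ones. It assumes the modules_k auth_radius module is the one loaded (the default 3.1 mpath lists modules_k before modules), that the module's functions are named radius_www_authorize() and radius_proxy_authorize() (the former is the name used in the original post), that they accept a pseudo-variable realm such as "$td" the way the auth_db functions do, and that radiusclient-ng is configured at the path shown; adjust the path and, if a pseudo-variable realm is not accepted by your build, use the literal domain as in the original post. Two details matter for the route[RADIUS] posted above: www_challenge() itself sends the 401 with the WWW-Authenticate header, so no sl_send_reply() should follow it for the same request, and a failed authorization must end with exit, because a return from a called route lets the main request route carry on as if the user had authenticated.

```kamailio
# --- added example: RADIUS-backed authentication for the 3.1 default config ---
#!define WITH_AUTH

loadmodule "auth.so"
loadmodule "auth_radius.so"   # modules_k variant (mpath lists modules_k first)

# radiusclient-ng configuration; path is an assumption, adjust to your install
modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")

route[AUTH] {
#!ifdef WITH_AUTH
        if (is_method("REGISTER"))
        {
                # challenge REGISTER against the RADIUS server for the request domain
                if (!radius_www_authorize("$td"))
                {
                        # www_challenge() sends the 401 itself; no extra reply here
                        www_challenge("$td", "0");
                        exit;   # not 'return': the caller must not keep processing
                }
                # digest username must match the address of record being registered
                if ($au!=$tU)
                {
                        sl_send_reply("403","Forbidden auth ID");
                        exit;
                }
        } else {
                # authenticate if from local subscriber
                if (from_uri==myself)
                {
                        if (!radius_proxy_authorize("$fd")) {
                                proxy_challenge("$fd", "0");
                                exit;
                        }
                        if (is_method("PUBLISH"))
                        {
                                if ($au!=$tU) {
                                        sl_send_reply("403","Forbidden auth ID");
                                        exit;
                                }
                        } else {
                                if ($au!=$fU) {
                                        sl_send_reply("403","Forbidden auth ID");
                                        exit;
                                }
                        }
                        # strip the Proxy-Authorization header before relaying
                        consume_credentials();
                } else {
                        # caller is not a local subscriber: only allow calls to
                        # local destinations, otherwise this would be an open relay
                        if (!uri==myself)
                        {
                                sl_send_reply("403","Not relaying");
                                exit;
                        }
                }
        }
#!endif
        return;
}
```

Start with `kamailio -E -ddd` as suggested above: with this layout a failed RADIUS exchange shows up as an auth_radius error in the log right after the radius_www_authorize() call, and the request never reaches the registrar or relay logic, because every failure path ends in exit.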
