[SR-Users] Kamailio auth_radius: duplicate User-Name attribute
Kosilov Fedor
dangerkoffe at gmail.com
Sat Mar 5 08:05:14 CET 2011
Hello, Daniel, thank you for your attention to my problem.
I actually don't need accounting support, I just want to implement an
authorization using radius.
But for testing purposes, I loaded the acc module and set "radius_extra"
param. Nothing has changed.
Here is a part of my config:
...
modparam("acc", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
modparam("acc", "radius_extra", "User-Name=$Au")
...
modparam("auth_radius", "radius_config",
"/etc/radiusclient-ng/radiusclient.conf")
modparam("auth_radius", "auth_extra", "NAS-Identifier=$var(ident)")
...
route {
#Definitions
$var(ident) = "kamserv.example.com";
...
route(3); #Auth
...
}
...
route[3] {
if (is_method("REGISTER"))
{
if (is_from_local()) {
if (!radius_www_authorize("$td"))
{
www_challenge("$sel(to.uri.host)", "1");
exit;
} else {
avp_db_delete("$sel(to.uri)","$avp(s:ip)");
avp_db_delete("$sel(to.uri)","$avp(s:dpid)");
avp_db_delete("$sel(to.uri)","$avp(s:fr_timer)");
avp_db_delete("$sel(to.uri)","$avp(s:calls_limit)");
avp_db_store("$sel(to.uri)","$avp(s:ip)");
avp_db_store("$sel(to.uri)","$avp(s:dpid)");
avp_db_store("$sel(to.uri)","$avp(s:fr_timer)");
avp_db_store("$sel(to.uri)","$avp(s:calls_limit)");
if
($au!=$sel(to.uri.user))||($au!=$sel(from.uri.user)) {
sl_send_reply("403","Forbidden auth
ID");
exit;
} else {
if ($avp(s:ip)!='any' &&
$sel(src.ip)!=$avp(s:ip)) {
sl_send_reply("403","Forbidden");
exit;
}
}
}
} else {
sl_send_reply("403","Forbidden");
exit;
}
} else {
if ($sel(src.ip)=="192.168.0.2") {
return;
} else if (is_from_local()) {
if
(!radius_proxy_authorize("$sel(from.uri.host)","$sel(from.uri.user)")) {
proxy_challenge("$sel(from.uri.host)", "1");
exit;
}
if ($avp(s:ip)!='any' && $sel(src.ip)!=$avp(s:ip)) {
sl_send_reply("403","Forbidden");
exit;
}
if (is_method("PUBLISH"))
{
if ($au!=$sel(to.uri.user)) {
sl_send_reply("403","Forbidden auth
ID");
exit;
}
} else if ($au!=$sel(from.uri.user)) {
sl_send_reply("403","Forbidden auth ID");
exit;
}
consume_credentials();
} else {
sl_send_reply("403","Forbidden");
exit;
}
}
}
...
And again a part of the freeradius log:
rad_recv: Access-Request packet from host 127.0.0.1 port 58933, id=135,
length=298
*User-Name = "2219001 at example.com"*
Digest-Attributes = 0x0a0932323139303031
Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
Digest-Attributes =
0x0222545848676630317833314f7076767759512b6b73674c63554d51784f6c347634
Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
Digest-Attributes = 0x030a5245474953544552
Digest-Attributes = 0x050661757468
Digest-Attributes = 0x090a3030303030303031
Digest-Attributes = 0x080c39636238383130616531
Digest-Response = "efdcf92b58f694b97928856614057436"
Service-Type = Sip-Session
Sip-Uri-User = "2219001"
*User-Name = "call-id=zomdnicqsndxrnh at koffe-work"*
NAS-Identifier = "kamserv.example.com"
NAS-Port = 5060
NAS-IP-Address = 127.0.0.1
Regards,
Fedor.
2011/3/5 Daniel-Constantin Mierla <miconda at gmail.com>
> Hello,
>
> what is the value of parameter radius_extra for acc module?
>
> Cheers,
> Daniel
>
>
> On 3/4/11 1:06 PM, Kosilov Fedor wrote:
>
> Hello List!
>
> I'm trying to set up authorization with our billing proprietary radius
> server, using Freeradius as a proxy. Currently I'm experiencing the
> following problem:
>
> The Access-Request packet, sent by Kamailio, contains two User-Name
> attribute records
> Here is a log from the Freeradius server:
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 59294, id=112,
> length=298
> User-Name = "2219001 at example.com"
> Digest-Attributes = 0x0a0932323139303031
> Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
> Digest-Attributes =
> 0x022254584452634531773045524b7368796f30684a70544f4f6a69424d386b32534a
> Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
> Digest-Attributes = 0x030a5245474953544552
> Digest-Attributes = 0x050661757468
> Digest-Attributes = 0x090a3030303030303031
> Digest-Attributes = 0x080c32383034636535373032
> Digest-Response = "e79b47955c02401fe52d05f7956609aa"
> Service-Type = Sip-Session
> Sip-Uri-User = "2219001"
> * User-Name = "call-id=domcmqmnychbwlp at koffe-work"*
> NAS-Identifier = "kamserv.example.com"
> NAS-Port = 5060
> NAS-IP-Address = 127.0.0.1
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [digest] Checking for correctly formatted Digest-Attributes
> [digest] Digest-Attributes look OK. Converting them to something more
> usful.
> Digest-User-Name = "2219001"
> Digest-Realm = "example.com"
> Digest-Nonce = "TXDRcE1w0ERKshyo0hJpTOOjiBM8k2SJ"
> Digest-URI = "sip:example.com"
> Digest-Method = "REGISTER"
> Digest-QOP = "auth"
> Digest-Nonce-Count = "00000001"
> Digest-CNonce = "2804ce5702"
> [digest] Adding Auth-Type = DIGEST
> ++[digest] returns ok
> [suffix] Looking up realm "example.com" for User-Name = "
> 2219001 at example.com"
> [suffix] Found realm "example.com"
> [suffix] Adding Realm = "example.com"
> [suffix] Proxying request from user 2219001 to realm example.com
> [suffix] Preparing to proxy authentication request to realm "example.com"
> ++[suffix] returns updated
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> Sending Access-Request of id 250 to 127.0.0.1 port 1822
> User-Name = "2219001 at example.com"
> Digest-Attributes = 0x0a0932323139303031
> Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
> Digest-Attributes =
> 0x022254584452634531773045524b7368796f30684a70544f4f6a69424d386b32534a
> Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
> Digest-Attributes = 0x030a5245474953544552
> Digest-Attributes = 0x050661757468
> Digest-Attributes = 0x090a3030303030303031
> Digest-Attributes = 0x080c32383034636535373032
> Digest-Response = "e79b47955c02401fe52d05f7956609aa"
> Service-Type = Sip-Session
> Sip-Uri-User = "2219001"
> * User-Name = "call-id=domcmqmnychbwlp at koffe-work"*
> NAS-Identifier = "kamserv.example.com"
> NAS-Port = 5060
> NAS-IP-Address = 127.0.0.1
> Proxy-State = 0x313132
> Proxying request 1 to home server 127.0.0.1 port 1822
>
> As I understand, this second User-Name attribute has to be a call-id
> attribute.
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
>
> --
> Daniel-Constantin Mierla
> http://www.asipto.com
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20110305/4d690757/attachment-0001.htm>
More information about the sr-users
mailing list