[SR-Users] Kamailio auth_radius: duplicate User-Name attribute

Kosilov Fedor dangerkoffe at gmail.com
Sat Mar 5 08:32:03 CET 2011


Again for testing, I pointed Kamailio directly to my billing radius,
bypassing Freeradius. The situation is the same, so the problem is
definitely not with the Freeradius server.

2011/3/5 Kosilov Fedor <dangerkoffe at gmail.com>

> Hello, Daniel, thank you for your attention to my problem.
>
> I actually don't need accounting support, I just want to implement an
> authorization using radius.
> But for testing purposes, I loaded the acc module and set "radius_extra"
> param. Nothing has changed.
>
> Here is a part of my config:
>
>
> ...
> modparam("acc", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
> modparam("acc", "radius_extra", "User-Name=$Au")
> ...
> modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
> modparam("auth_radius", "auth_extra",  "NAS-Identifier=$var(ident)")
> ...
> route {
>         #Definitions
>         $var(ident) = "kamserv.example.com";
> ...
> route(3); #Auth
> ...
> }
>
> ...
>
> route[3] {
>         if (is_method("REGISTER"))
>         {
>                 if (is_from_local()) {
>                         if (!radius_www_authorize("$td"))
>                         {
>                                 www_challenge("$sel(to.uri.host)", "1");
>                                 exit;
>                         } else {
>                                 avp_db_delete("$sel(to.uri)","$avp(s:ip)");
>                                 avp_db_delete("$sel(to.uri)","$avp(s:dpid)");
>                                 avp_db_delete("$sel(to.uri)","$avp(s:fr_timer)");
>                                 avp_db_delete("$sel(to.uri)","$avp(s:calls_limit)");
>                                 avp_db_store("$sel(to.uri)","$avp(s:ip)");
>                                 avp_db_store("$sel(to.uri)","$avp(s:dpid)");
>                                 avp_db_store("$sel(to.uri)","$avp(s:fr_timer)");
>                                 avp_db_store("$sel(to.uri)","$avp(s:calls_limit)");
>
>                                 if ($au!=$sel(to.uri.user))||($au!=$sel(from.uri.user)) {
>                                         sl_send_reply("403","Forbidden auth ID");
>                                         exit;
>                                 } else {
>                                         if ($avp(s:ip)!='any' && $sel(src.ip)!=$avp(s:ip)) {
>                                                 sl_send_reply("403","Forbidden");
>                                                 exit;
>                                         }
>                                 }
>                         }
>
>                 } else {
>                                 sl_send_reply("403","Forbidden");
>                                 exit;
>                 }
>         } else {
>                 if ($sel(src.ip)=="192.168.0.2") {
>                         return;
>                 } else if (is_from_local()) {
>                         if (!radius_proxy_authorize("$sel(from.uri.host)","$sel(from.uri.user)")) {
>                                 proxy_challenge("$sel(from.uri.host)", "1");
>                                 exit;
>                         }
>                         if ($avp(s:ip)!='any' && $sel(src.ip)!=$avp(s:ip)) {
>                                 sl_send_reply("403","Forbidden");
>                                 exit;
>                         }
>
>                         if (is_method("PUBLISH"))
>                         {
>                                 if ($au!=$sel(to.uri.user)) {
>                                         sl_send_reply("403","Forbidden auth ID");
>                                         exit;
>                                 }
>                         } else if ($au!=$sel(from.uri.user)) {
>                                 sl_send_reply("403","Forbidden auth ID");
>                                 exit;
>                         }
>                         consume_credentials();
>                 } else {
>                         sl_send_reply("403","Forbidden");
>                         exit;
>                 }
>         }
> }
> ...
>
> And again a part of the freeradius log:
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 58933, id=135, length=298
>
>     *User-Name = "2219001 at example.com"*
>     Digest-Attributes = 0x0a0932323139303031
>     Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
>     Digest-Attributes = 0x0222545848676630317833314f7076767759512b6b73674c63554d51784f6c347634
>
>     Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
>     Digest-Attributes = 0x030a5245474953544552
>     Digest-Attributes = 0x050661757468
>     Digest-Attributes = 0x090a3030303030303031
>     Digest-Attributes = 0x080c39636238383130616531
>     Digest-Response = "efdcf92b58f694b97928856614057436"
>
>     Service-Type = Sip-Session
>     Sip-Uri-User = "2219001"
>     *User-Name = "call-id=zomdnicqsndxrnh at koffe-work"*
>
>     NAS-Identifier = "kamserv.example.com"
>     NAS-Port = 5060
>     NAS-IP-Address = 127.0.0.1
>
>
> Regards,
> Fedor.
>
>
>
> 2011/3/5 Daniel-Constantin Mierla <miconda at gmail.com>
>
>  Hello,
>>
>> what is the value of parameter radius_extra for acc module?
>>
>> Cheers,
>> Daniel
>>
>>
>> On 3/4/11 1:06 PM, Kosilov Fedor wrote:
>>
>> Hello List!
>>
>> I'm trying to set up authorization with our billing proprietary radius
>> server, using Freeradius as a proxy. Currently I'm experiencing the
>> following problem:
>>
>> The Access-Request packet, sent by Kamailio, contains two User-Name
>> attribute records.
>> Here is a log from the Freeradius server:
>>
>> rad_recv: Access-Request packet from host 127.0.0.1 port 59294, id=112, length=298
>>     User-Name = "2219001 at example.com"
>>     Digest-Attributes = 0x0a0932323139303031
>>     Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
>>     Digest-Attributes = 0x022254584452634531773045524b7368796f30684a70544f4f6a69424d386b32534a
>>     Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
>>     Digest-Attributes = 0x030a5245474953544552
>>     Digest-Attributes = 0x050661757468
>>     Digest-Attributes = 0x090a3030303030303031
>>     Digest-Attributes = 0x080c32383034636535373032
>>     Digest-Response = "e79b47955c02401fe52d05f7956609aa"
>>     Service-Type = Sip-Session
>>     Sip-Uri-User = "2219001"
>> *    User-Name = "call-id=domcmqmnychbwlp at koffe-work"*
>>     NAS-Identifier = "kamserv.example.com"
>>     NAS-Port = 5060
>>     NAS-IP-Address = 127.0.0.1
>> # Executing section authorize from file /etc/freeradius/sites-enabled/default
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>> [digest] Checking for correctly formatted Digest-Attributes
>> [digest] Digest-Attributes look OK.  Converting them to something more usful.
>>     Digest-User-Name = "2219001"
>>     Digest-Realm = "example.com"
>>     Digest-Nonce = "TXDRcE1w0ERKshyo0hJpTOOjiBM8k2SJ"
>>     Digest-URI = "sip:example.com"
>>     Digest-Method = "REGISTER"
>>     Digest-QOP = "auth"
>>     Digest-Nonce-Count = "00000001"
>>     Digest-CNonce = "2804ce5702"
>> [digest] Adding Auth-Type = DIGEST
>> ++[digest] returns ok
>> [suffix] Looking up realm "example.com" for User-Name = "2219001 at example.com"
>> [suffix] Found realm "example.com"
>> [suffix] Adding Realm = "example.com"
>> [suffix] Proxying request from user 2219001 to realm example.com
>> [suffix] Preparing to proxy authentication request to realm "example.com"
>>
>> ++[suffix] returns updated
>> [eap] No EAP-Message, not doing EAP
>> ++[eap] returns noop
>> ++[files] returns noop
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> ++[pap] returns noop
>> Sending Access-Request of id 250 to 127.0.0.1 port 1822
>>     User-Name = "2219001 at example.com"
>>     Digest-Attributes = 0x0a0932323139303031
>>     Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
>>     Digest-Attributes = 0x022254584452634531773045524b7368796f30684a70544f4f6a69424d386b32534a
>>     Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
>>     Digest-Attributes = 0x030a5245474953544552
>>     Digest-Attributes = 0x050661757468
>>     Digest-Attributes = 0x090a3030303030303031
>>     Digest-Attributes = 0x080c32383034636535373032
>>     Digest-Response = "e79b47955c02401fe52d05f7956609aa"
>>     Service-Type = Sip-Session
>>     Sip-Uri-User = "2219001"
>> *    User-Name = "call-id=domcmqmnychbwlp at koffe-work"*
>>     NAS-Identifier = "kamserv.example.com"
>>     NAS-Port = 5060
>>     NAS-IP-Address = 127.0.0.1
>>     Proxy-State = 0x313132
>> Proxying request 1 to home server 127.0.0.1 port 1822
>>
>> As I understand, this second User-Name attribute has to be a call-id
>> attribute.
>>
>> --
>> Daniel-Constantin Mierla
>> http://www.asipto.com
>>
>>
>
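
Added example, not part of the original post and not code from Kamailio or FreeRADIUS: RFC 2865 allows at most one User-Name in an Access-Request, so a dump like the one quoted above can be checked mechanically. The Python script below parses a FreeRADIUS-style debug dump, decodes the Digest-Attributes sub-attributes (type, length, value) the way the [digest] lines in the thread show, and reports attributes that repeat; the function names and the sample dump are constructed for illustration.

```python
import re
from collections import Counter

# Sub-attribute type bytes seen in the thread's dump -> names the digest module prints.
SUBTYPES = {1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method",
            4: "Digest-URI", 5: "Digest-QOP", 8: "Digest-CNonce",
            9: "Digest-Nonce-Count", 10: "Digest-User-Name"}
REPEATABLE = {"Digest-Attributes", "Proxy-State"}  # may occur more than once
LINE = re.compile(r'^\s*\**\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\**\s*$')

def parse_dump(text):
    """Return [(name, value)] for each 'Name = value' line of a debug dump."""
    hits = (LINE.match(line) for line in text.splitlines())
    return [(m.group(1), m.group(2).strip('"')) for m in hits if m]

def decode_digest(hexval):
    """Split one Digest-Attributes value into (name, text) sub-attributes."""
    raw = bytes.fromhex(hexval[2:] if hexval[:2] == "0x" else hexval)
    out, i = [], 0
    while i < len(raw):
        typ, length = raw[i], (raw[i + 1] if i + 1 < len(raw) else 0)
        if length < 2 or i + length > len(raw):  # length includes the 2 header bytes
            raise ValueError(f"malformed sub-attribute at offset {i}")
        out.append((SUBTYPES.get(typ, f"unknown-{typ}"),
                    raw[i + 2:i + length].decode("latin-1")))
        i += length
    return out

def repeated(pairs):
    """Map every unexpectedly repeated attribute name to its list of values."""
    counts = Counter(name for name, _ in pairs)
    return {n: [v for k, v in pairs if k == n]
            for n, c in counts.items() if c > 1 and n not in REPEATABLE}

def digest_user(pairs):
    """Return the user name carried in the digest credentials, or None."""
    subs = [s for n, v in pairs if n == "Digest-Attributes" for s in decode_digest(v)]
    return next((text for name, text in subs if name == "Digest-User-Name"), None)

# Constructed sample in the layout of the dump above; the values are made up.
SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 50000, id=1, length=120
    User-Name = "2219001@example.com"
    Digest-Attributes = 0x0a0932323139303031
    Digest-Attributes = 0x010d6578616d706c652e636f6d
    *User-Name = "call-id=constructed@host"*
"""

if __name__ == "__main__":
    print(repeated(parse_dump(SAMPLE)), digest_user(parse_dump(SAMPLE)))
```

Comparing `digest_user()` with each reported User-Name value shows which of the two matches the digest credentials.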