[SR-Users] Kamailio auth_radius: duplicate User-Name attribute

Ovidiu Sas osas at voipembedded.com
Sat Mar 5 18:18:40 CET 2011


You need to check the dictionaries on your kamailio server.
Most likely something is misconfigured there.
Check what value you have for "User-Name" and see if you have any
duplicates for that value.


Regards,
Ovidiu Sas

On Sat, Mar 5, 2011 at 2:32 AM, Kosilov Fedor <dangerkoffe at gmail.com> wrote:
> Again for testing, I pointed Kamailio directly to my billing radius,
> bypassing Freeradius. The situation is the same, so the problem is
> definitely not with the Freeradius server.
>
> 2011/3/5 Kosilov Fedor <dangerkoffe at gmail.com>
>>
>> Hello, Daniel, thank you for your attention to my problem.
>>
>> I actually don't need accounting support, I just want to implement an
>> authorization using radius.
>> But for testing purposes, I loaded the acc module and set "radius_extra"
>> param. Nothing has changed.
>>
>> Here is a part of my config:
>>
>>
>> ...
>> modparam("acc", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
>> modparam("acc", "radius_extra", "User-Name=$Au")
>> ...
>> modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
>> modparam("auth_radius", "auth_extra",  "NAS-Identifier=$var(ident)")
>> ...
>> route {
>>         #Definitions
>>         $var(ident) = "kamserv.example.com";
>> ...
>> route(3); #Auth
>> ...
>> }
>>
>> ...
>>
>> route[3] {
>>         if (is_method("REGISTER"))
>>         {
>>                 if (is_from_local()) {
>>                         if (!radius_www_authorize("$td"))
>>                         {
>>                                 www_challenge("$sel(to.uri.host)", "1");
>>                                 exit;
>>                         } else {
>>                                 avp_db_delete("$sel(to.uri)","$avp(s:ip)");
>>                                 avp_db_delete("$sel(to.uri)","$avp(s:dpid)");
>>                                 avp_db_delete("$sel(to.uri)","$avp(s:fr_timer)");
>>                                 avp_db_delete("$sel(to.uri)","$avp(s:calls_limit)");
>>                                 avp_db_store("$sel(to.uri)","$avp(s:ip)");
>>                                 avp_db_store("$sel(to.uri)","$avp(s:dpid)");
>>                                 avp_db_store("$sel(to.uri)","$avp(s:fr_timer)");
>>                                 avp_db_store("$sel(to.uri)","$avp(s:calls_limit)");
>>
>>                                 if ($au!=$sel(to.uri.user))||($au!=$sel(from.uri.user)) {
>>                                         sl_send_reply("403","Forbidden auth ID");
>>                                         exit;
>>                                 } else {
>>                                         if ($avp(s:ip)!='any' && $sel(src.ip)!=$avp(s:ip)) {
>>                                                 sl_send_reply("403","Forbidden");
>>                                                 exit;
>>                                         }
>>                                 }
>>                         }
>>
>>                 } else {
>>                                 sl_send_reply("403","Forbidden");
>>                                 exit;
>>                 }
>>         } else {
>>                 if ($sel(src.ip)=="192.168.0.2") {
>>                         return;
>>                 } else if (is_from_local()) {
>>                         if (!radius_proxy_authorize("$sel(from.uri.host)","$sel(from.uri.user)")) {
>>                                 proxy_challenge("$sel(from.uri.host)", "1");
>>                                 exit;
>>                         }
>>                         if ($avp(s:ip)!='any' && $sel(src.ip)!=$avp(s:ip)) {
>>                                 sl_send_reply("403","Forbidden");
>>                                 exit;
>>                         }
>>
>>                         if (is_method("PUBLISH"))
>>                         {
>>                                 if ($au!=$sel(to.uri.user)) {
>>                                         sl_send_reply("403","Forbidden auth ID");
>>                                         exit;
>>                                 }
>>                         } else if ($au!=$sel(from.uri.user)) {
>>                                 sl_send_reply("403","Forbidden auth ID");
>>                                 exit;
>>                         }
>>                         consume_credentials();
>>                 } else {
>>                         sl_send_reply("403","Forbidden");
>>                         exit;
>>                 }
>>         }
>> }
>> ...
>>
>> And again a part of the freeradius log:
>>
>> rad_recv: Access-Request packet from host 127.0.0.1 port 58933, id=135,
>> length=298
>>     User-Name = "2219001 at example.com"
>>     Digest-Attributes = 0x0a0932323139303031
>>     Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
>>     Digest-Attributes =
>> 0x0222545848676630317833314f7076767759512b6b73674c63554d51784f6c347634
>>     Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
>>     Digest-Attributes = 0x030a5245474953544552
>>     Digest-Attributes = 0x050661757468
>>     Digest-Attributes = 0x090a3030303030303031
>>     Digest-Attributes = 0x080c39636238383130616531
>>     Digest-Response = "efdcf92b58f694b97928856614057436"
>>     Service-Type = Sip-Session
>>     Sip-Uri-User = "2219001"
>>     User-Name = "call-id=zomdnicqsndxrnh at koffe-work"
>>     NAS-Identifier = "kamserv.example.com"
>>     NAS-Port = 5060
>>     NAS-IP-Address = 127.0.0.1
>>
>>
>> Regards,
>> Fedor.
>>
>>
>>
>> 2011/3/5 Daniel-Constantin Mierla <miconda at gmail.com>
>>>
>>> Hello,
>>>
>>> what is the value of parameter radius_extra for acc module?
>>>
>>> Cheers,
>>> Daniel
>>>
>>> On 3/4/11 1:06 PM, Kosilov Fedor wrote:
>>>
>>> Hello List!
>>>
>>> I'm trying to set up authorization with our billing proprietary radius
>>> server, using Freeradius as a proxy. Currently I'm experiencing the
>>> following problem:
>>>
>>> The Access-Request packet, sent by Kamailio, contains two User-Name
>>> attribute records.
>>> Here is a log from the Freeradius server:
>>>
>>> rad_recv: Access-Request packet from host 127.0.0.1 port 59294, id=112,
>>> length=298
>>>     User-Name = "2219001 at example.com"
>>>     Digest-Attributes = 0x0a0932323139303031
>>>     Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
>>>     Digest-Attributes =
>>> 0x022254584452634531773045524b7368796f30684a70544f4f6a69424d386b32534a
>>>     Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
>>>     Digest-Attributes = 0x030a5245474953544552
>>>     Digest-Attributes = 0x050661757468
>>>     Digest-Attributes = 0x090a3030303030303031
>>>     Digest-Attributes = 0x080c32383034636535373032
>>>     Digest-Response = "e79b47955c02401fe52d05f7956609aa"
>>>     Service-Type = Sip-Session
>>>     Sip-Uri-User = "2219001"
>>>     User-Name = "call-id=domcmqmnychbwlp at koffe-work"
>>>     NAS-Identifier = "kamserv.example.com"
>>>     NAS-Port = 5060
>>>     NAS-IP-Address = 127.0.0.1
>>> # Executing section authorize from file
>>> /etc/freeradius/sites-enabled/default
>>> +- entering group authorize {...}
>>> ++[preprocess] returns ok
>>> ++[chap] returns noop
>>> ++[mschap] returns noop
>>> [digest] Checking for correctly formatted Digest-Attributes
>>> [digest] Digest-Attributes look OK.  Converting them to something more
>>> usful.
>>>     Digest-User-Name = "2219001"
>>>     Digest-Realm = "example.com"
>>>     Digest-Nonce = "TXDRcE1w0ERKshyo0hJpTOOjiBM8k2SJ"
>>>     Digest-URI = "sip:example.com"
>>>     Digest-Method = "REGISTER"
>>>     Digest-QOP = "auth"
>>>     Digest-Nonce-Count = "00000001"
>>>     Digest-CNonce = "2804ce5702"
>>> [digest] Adding Auth-Type = DIGEST
>>> ++[digest] returns ok
>>> [suffix] Looking up realm "example.com" for User-Name =
>>> "2219001 at example.com"
>>> [suffix] Found realm "example.com"
>>> [suffix] Adding Realm = "example.com"
>>> [suffix] Proxying request from user 2219001 to realm example.com
>>> [suffix] Preparing to proxy authentication request to realm "example.com"
>>> ++[suffix] returns updated
>>> [eap] No EAP-Message, not doing EAP
>>> ++[eap] returns noop
>>> ++[files] returns noop
>>> ++[expiration] returns noop
>>> ++[logintime] returns noop
>>> ++[pap] returns noop
>>> Sending Access-Request of id 250 to 127.0.0.1 port 1822
>>>     User-Name = "2219001 at example.com"
>>>     Digest-Attributes = 0x0a0932323139303031
>>>     Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
>>>     Digest-Attributes =
>>> 0x022254584452634531773045524b7368796f30684a70544f4f6a69424d386b32534a
>>>     Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
>>>     Digest-Attributes = 0x030a5245474953544552
>>>     Digest-Attributes = 0x050661757468
>>>     Digest-Attributes = 0x090a3030303030303031
>>>     Digest-Attributes = 0x080c32383034636535373032
>>>     Digest-Response = "e79b47955c02401fe52d05f7956609aa"
>>>     Service-Type = Sip-Session
>>>     Sip-Uri-User = "2219001"
>>>     User-Name = "call-id=domcmqmnychbwlp at koffe-work"
>>>     NAS-Identifier = "kamserv.example.com"
>>>     NAS-Port = 5060
>>>     NAS-IP-Address = 127.0.0.1
>>>     Proxy-State = 0x313132
>>> Proxying request 1 to home server 127.0.0.1 port 1822
>>>
>>> As I understand, this second User-Name attribute has to be a call-id
>>> attribute.
>>>
>>>
>>> _______________________________________________
>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>> sr-users at lists.sip-router.org
>>>
>>>
>>>
>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>
>>> --
>>> Daniel-Constantin Mierla
>>> http://www.asipto.com
>
>
>
>
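
One way to run the dictionary check suggested in the reply above, as an added example that is not part of the original thread: it scans a radiusclient-style dictionary for attribute names that share one numeric code within the same vendor space, which is what makes two different attributes go out on the wire as the same type. The sample dictionary is constructed, and `Example-Call-Id` is a hypothetical entry; the thread does not show which entry collides on the poster's system.

```python
from collections import defaultdict

# Constructed sample dictionary (not taken from the thread).
SAMPLE_DICTIONARY = """\
# keyword  name             code type    [vendor]
ATTRIBUTE  User-Name        1    string
ATTRIBUTE  NAS-Identifier   32   string
VENDOR     Cisco            9
ATTRIBUTE  Cisco-AVPair     1    string  Cisco
ATTRIBUTE  Example-Call-Id  1    string
"""


def find_code_collisions(text):
    """Return {(vendor, code): [names]} for codes claimed by several names.

    vendor is None for the standard attribute space. $INCLUDE lines are not
    followed, so run the check on each included file as well.
    """
    vendors = set()       # names declared by VENDOR lines
    block_vendor = None   # set inside BEGIN-VENDOR ... END-VENDOR blocks
    by_code = defaultdict(list)
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        keyword = fields[0].upper()
        if keyword == "VENDOR" and len(fields) >= 3:
            vendors.add(fields[1])
        elif keyword == "BEGIN-VENDOR" and len(fields) >= 2:
            block_vendor = fields[1]
        elif keyword == "END-VENDOR":
            block_vendor = None
        elif keyword == "ATTRIBUTE" and len(fields) >= 4:
            try:
                code = int(fields[2])
            except ValueError:
                continue  # not a plain decimal code; skipped here
            # A fifth field counts as a vendor only if a VENDOR line declared it.
            inline = fields[4] if len(fields) > 4 and fields[4] in vendors else None
            by_code[(inline or block_vendor, code)].append(fields[1])
    return {k: v for k, v in by_code.items() if len(set(v)) > 1}


if __name__ == "__main__":
    for (vendor, code), names in find_code_collisions(SAMPLE_DICTIONARY).items():
        print(f"vendor={vendor or 'standard'} code={code}: {', '.join(names)}")
```

To check a real installation, pass the contents of the dictionary file named by the `dictionary` setting in `radiusclient.conf`.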


