[SR-Users] Kamailio auth_radius: duplicate User-Name attribute

Kosilov Fedor dangerkoffe at gmail.com
Sun Mar 6 16:24:25 CET 2011


Thank you for the tip, Ovidiu!
The problem was with my dictionary indeed. There were two attributes
with duplicate values of "1". I've fixed the dictionary, and now everything
works fine.
Thanks again!

Regards,
Fedor.


2011/3/5 Ovidiu Sas <osas at voipembedded.com>

> You need to check the dictionaries on your kamailio server.
> Most likely something is misconfigured there.
> Check what value you have for "User-Name" and see if you have any
> duplicates for that value.
>
>
> Regards,
> Ovidiu Sas
>
> On Sat, Mar 5, 2011 at 2:32 AM, Kosilov Fedor <dangerkoffe at gmail.com>
> wrote:
> > Again for testing, I pointed Kamailio directly to my billing radius,
> > bypassing Freeradius. The situation is the same, so the problem is
> > definitely not with the Freeradius server.
> >
> > 2011/3/5 Kosilov Fedor <dangerkoffe at gmail.com>
> >>
> >> Hello, Daniel, thank you for your attention to my problem.
> >>
> >> I actually don't need accounting support, I just want to implement an
> >> authorization using radius.
> >> But for testing purposes, I loaded the acc module and set "radius_extra"
> >> param. Nothing has changed.
> >>
> >> Here is a part of my config:
> >>
> >>
> >> ...
> >> modparam("acc", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
> >> modparam("acc", "radius_extra", "User-Name=$Au")
> >> ...
> >> modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
> >> modparam("auth_radius", "auth_extra",  "NAS-Identifier=$var(ident)")
> >> ...
> >> route {
> >>         #Definitions
> >>         $var(ident) = "kamserv.example.com";
> >> ...
> >> route(3); #Auth
> >> ...
> >> }
> >>
> >> ...
> >>
> >> route[3] {
> >>         if (is_method("REGISTER"))
> >>         {
> >>                 if (is_from_local()) {
> >>                         if (!radius_www_authorize("$td"))
> >>                         {
> >>                                 www_challenge("$sel(to.uri.host)", "1");
> >>                                 exit;
> >>                         } else {
> >>                                 avp_db_delete("$sel(to.uri)","$avp(s:ip)");
> >>                                 avp_db_delete("$sel(to.uri)","$avp(s:dpid)");
> >>                                 avp_db_delete("$sel(to.uri)","$avp(s:fr_timer)");
> >>                                 avp_db_delete("$sel(to.uri)","$avp(s:calls_limit)");
> >>                                 avp_db_store("$sel(to.uri)","$avp(s:ip)");
> >>                                 avp_db_store("$sel(to.uri)","$avp(s:dpid)");
> >>                                 avp_db_store("$sel(to.uri)","$avp(s:fr_timer)");
> >>                                 avp_db_store("$sel(to.uri)","$avp(s:calls_limit)");
> >>
> >>                                 if ($au!=$sel(to.uri.user))||($au!=$sel(from.uri.user)) {
> >>                                         sl_send_reply("403","Forbidden auth ID");
> >>                                         exit;
> >>                                 } else {
> >>                                         if ($avp(s:ip)!='any' && $sel(src.ip)!=$avp(s:ip)) {
> >>                                                 sl_send_reply("403","Forbidden");
> >>                                                 exit;
> >>                                         }
> >>                                 }
> >>                         }
> >>
> >>                 } else {
> >>                                 sl_send_reply("403","Forbidden");
> >>                                 exit;
> >>                 }
> >>         } else {
> >>                 if ($sel(src.ip)=="192.168.0.2") {
> >>                         return;
> >>                 } else if (is_from_local()) {
> >>                         if (!radius_proxy_authorize("$sel(from.uri.host)","$sel(from.uri.user)")) {
> >>                                 proxy_challenge("$sel(from.uri.host)", "1");
> >>                                 exit;
> >>                         }
> >>                         if ($avp(s:ip)!='any' && $sel(src.ip)!=$avp(s:ip)) {
> >>                                 sl_send_reply("403","Forbidden");
> >>                                 exit;
> >>                         }
> >>
> >>                         if (is_method("PUBLISH"))
> >>                         {
> >>                                 if ($au!=$sel(to.uri.user)) {
> >>                                         sl_send_reply("403","Forbidden auth ID");
> >>                                         exit;
> >>                                 }
> >>                         } else if ($au!=$sel(from.uri.user)) {
> >>                                 sl_send_reply("403","Forbidden auth ID");
> >>                                 exit;
> >>                         }
> >>                         consume_credentials();
> >>                 } else {
> >>                         sl_send_reply("403","Forbidden");
> >>                         exit;
> >>                 }
> >>         }
> >> }
> >> ...
> >>
> >> And again a part of the freeradius log:
> >>
> >> rad_recv: Access-Request packet from host 127.0.0.1 port 58933, id=135, length=298
> >>     User-Name = "2219001 at example.com"
> >>     Digest-Attributes = 0x0a0932323139303031
> >>     Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
> >>     Digest-Attributes = 0x0222545848676630317833314f7076767759512b6b73674c63554d51784f6c347634
> >>     Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
> >>     Digest-Attributes = 0x030a5245474953544552
> >>     Digest-Attributes = 0x050661757468
> >>     Digest-Attributes = 0x090a3030303030303031
> >>     Digest-Attributes = 0x080c39636238383130616531
> >>     Digest-Response = "efdcf92b58f694b97928856614057436"
> >>     Service-Type = Sip-Session
> >>     Sip-Uri-User = "2219001"
> >>     User-Name = "call-id=zomdnicqsndxrnh at koffe-work"
> >>     NAS-Identifier = "kamserv.example.com"
> >>     NAS-Port = 5060
> >>     NAS-IP-Address = 127.0.0.1
> >>
> >>
> >> Regards,
> >> Fedor.
> >>
> >>
> >>
> >> 2011/3/5 Daniel-Constantin Mierla <miconda at gmail.com>
> >>>
> >>> Hello,
> >>>
> >>> what is the value of parameter radius_extra for acc module?
> >>>
> >>> Cheers,
> >>> Daniel
> >>>
> >>> On 3/4/11 1:06 PM, Kosilov Fedor wrote:
> >>>
> >>> Hello List!
> >>>
> >>> I'm trying to set up authorization with our billing proprietary radius
> >>> server, using Freeradius as a proxy. Currently I'm experiencing the
> >>> following problem:
> >>>
> >>> The Access-Request packet, sent by Kamailio, contains two User-Name
> >>> attribute records
> >>> Here is a log from the Freeradius server:
> >>>
> >>> rad_recv: Access-Request packet from host 127.0.0.1 port 59294, id=112, length=298
> >>>     User-Name = "2219001 at example.com"
> >>>     Digest-Attributes = 0x0a0932323139303031
> >>>     Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
> >>>     Digest-Attributes = 0x022254584452634531773045524b7368796f30684a70544f4f6a69424d386b32534a
> >>>     Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
> >>>     Digest-Attributes = 0x030a5245474953544552
> >>>     Digest-Attributes = 0x050661757468
> >>>     Digest-Attributes = 0x090a3030303030303031
> >>>     Digest-Attributes = 0x080c32383034636535373032
> >>>     Digest-Response = "e79b47955c02401fe52d05f7956609aa"
> >>>     Service-Type = Sip-Session
> >>>     Sip-Uri-User = "2219001"
> >>>     User-Name = "call-id=domcmqmnychbwlp at koffe-work"
> >>>     NAS-Identifier = "kamserv.example.com"
> >>>     NAS-Port = 5060
> >>>     NAS-IP-Address = 127.0.0.1
> >>> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> >>> +- entering group authorize {...}
> >>> ++[preprocess] returns ok
> >>> ++[chap] returns noop
> >>> ++[mschap] returns noop
> >>> [digest] Checking for correctly formatted Digest-Attributes
> >>> [digest] Digest-Attributes look OK.  Converting them to something more usful.
> >>>     Digest-User-Name = "2219001"
> >>>     Digest-Realm = "example.com"
> >>>     Digest-Nonce = "TXDRcE1w0ERKshyo0hJpTOOjiBM8k2SJ"
> >>>     Digest-URI = "sip:example.com"
> >>>     Digest-Method = "REGISTER"
> >>>     Digest-QOP = "auth"
> >>>     Digest-Nonce-Count = "00000001"
> >>>     Digest-CNonce = "2804ce5702"
> >>> [digest] Adding Auth-Type = DIGEST
> >>> ++[digest] returns ok
> >>> [suffix] Looking up realm "example.com" for User-Name = "2219001 at example.com"
> >>> [suffix] Found realm "example.com"
> >>> [suffix] Adding Realm = "example.com"
> >>> [suffix] Proxying request from user 2219001 to realm example.com
> >>> [suffix] Preparing to proxy authentication request to realm "example.com"
> >>> ++[suffix] returns updated
> >>> [eap] No EAP-Message, not doing EAP
> >>> ++[eap] returns noop
> >>> ++[files] returns noop
> >>> ++[expiration] returns noop
> >>> ++[logintime] returns noop
> >>> ++[pap] returns noop
> >>> Sending Access-Request of id 250 to 127.0.0.1 port 1822
> >>>     User-Name = "2219001 at example.com"
> >>>     Digest-Attributes = 0x0a0932323139303031
> >>>     Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
> >>>     Digest-Attributes = 0x022254584452634531773045524b7368796f30684a70544f4f6a69424d386b32534a
> >>>     Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
> >>>     Digest-Attributes = 0x030a5245474953544552
> >>>     Digest-Attributes = 0x050661757468
> >>>     Digest-Attributes = 0x090a3030303030303031
> >>>     Digest-Attributes = 0x080c32383034636535373032
> >>>     Digest-Response = "e79b47955c02401fe52d05f7956609aa"
> >>>     Service-Type = Sip-Session
> >>>     Sip-Uri-User = "2219001"
> >>>     User-Name = "call-id=domcmqmnychbwlp at koffe-work"
> >>>     NAS-Identifier = "kamserv.example.com"
> >>>     NAS-Port = 5060
> >>>     NAS-IP-Address = 127.0.0.1
> >>>     Proxy-State = 0x313132
> >>> Proxying request 1 to home server 127.0.0.1 port 1822
> >>>
> >>> As I understand, this second User-Name attribute has to be a call-id
> >>> attribute.
> >>>
> >>> _______________________________________________
> >>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> >>> sr-users at lists.sip-router.org
> >>>
> >>>
> >>>
> >>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
> >>>
> >>> --
> >>> Daniel-Constantin Mierla
> >>> http://www.asipto.com
> >
>
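
The dictionary check suggested in this thread can be automated. The following is an added example, not part of the original messages and not Kamailio or radiusclient-ng code: it scans dictionary text for attribute codes that are claimed by more than one name. The sample dictionary is constructed, `Example-Extra-Attr` and `Example-Vendor` are hypothetical names, and the script assumes the `ATTRIBUTE name code type [vendor]` line layout and does not follow `$INCLUDE` lines.

```python
import sys
from collections import defaultdict

# Constructed sample in radiusclient-ng dictionary syntax (not from the
# thread). Example-Extra-Attr is a hypothetical name that reuses code 1.
SAMPLE_DICTIONARY = """\
ATTRIBUTE  User-Name           1      string
ATTRIBUTE  NAS-IP-Address      4      ipaddr
ATTRIBUTE  NAS-Port            5      integer
ATTRIBUTE  Service-Type        6      integer
ATTRIBUTE  NAS-Identifier      32     string
# Misnumbered entry: collides with User-Name
ATTRIBUTE  Example-Extra-Attr  1      string
VENDOR     Example-Vendor      99999
ATTRIBUTE  Example-Vendor-Attr 1      string  Example-Vendor
VALUE      Service-Type        Sip-Session  15
"""


def find_duplicate_codes(text):
    """Map (vendor, code) -> names, for codes claimed by several names."""
    names_by_code = defaultdict(list)
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4 or fields[0].upper() != "ATTRIBUTE":
            continue  # comments, VALUE, VENDOR, $INCLUDE, blank lines
        name, code = fields[1], fields[2]
        # Assumption: an optional fifth field names the vendor, so
        # vendor-specific codes live in their own number space.
        vendor = fields[4] if len(fields) > 4 else None
        if not code.isdigit():
            continue  # malformed entry; not a numbering collision
        key = (vendor, int(code))
        if name not in names_by_code[key]:
            names_by_code[key].append(name)
    return {k: v for k, v in names_by_code.items() if len(v) > 1}


if __name__ == "__main__":
    # Pass dictionary paths as arguments; with none, the sample is checked.
    sources = sys.argv[1:]
    texts = [open(p).read() for p in sources] or [SAMPLE_DICTIONARY]
    for (vendor, code), names in find_duplicate_codes("\n".join(texts)).items():
        scope = vendor or "standard"
        print(f"code {code} ({scope}) is shared by: {', '.join(names)}")
```

Run it against every dictionary file that `radiusclient.conf` loads, passing them together so that collisions across files are reported as well.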