[SR-Users] n00b question -- RADIUS authentication.

Måns Nilsson mansaxel at besserwisser.org
Mon May 5 12:00:42 CEST 2014


[first post to list]

Greetings, 

I'm in the process of getting a Kamailio 3.3.2 installation authenticating
its SIP accounts against a RADIUS database. There are -- at the moment --
no plans to do any fancy accounting nor any authorisation beyond simple
authentication.

I've set up and tested a FreeRadius 2.2.3_1 server on a dedicated server. 

After a fairly steep learning curve involving RADIUS dictionaries I've
come so far that kamailio sends out a RADIUS Access-Request message
that is received by FreeRadius, processed, and returned to Kamailio
which promptly ignores it and continues to send 401 to the client;
the SIP message exchange with the client being:

	(some identifying info has been redacted) 

>	REGISTER sip:my.domain SIP/2.0
<	SIP/2.0 401 Unauthorized
		Via: SIP/2.0/UDP 10.25.191.24:41688;branch=z9hG4bK-d8754z-eac09e6c626d4c4d-1---d8754z-;rport=41688
>	REGISTER sip:my.domain SIP/2.0
		Via: SIP/2.0/UDP 10.25.191.24:41688;branch=z9hG4bK-d8754z-4f25c643f4b93465-1---d8754z-;rport
<	SIP/2.0 401 Unauthorized
		Via: SIP/2.0/UDP 10.25.191.24:41688;branch=z9hG4bK-d8754z-4f25c643f4b93465-1---d8754z-;rport=41688

The RADIUS exchange: 

10:07:10.861063 IP (tos 0x0, ttl 64, id 14964, offset 0, flags [none], proto UDP (17), length 270)
    10.24.194.198.63712 > 10.24.194.196.1812: [udp sum ok] RADIUS, length: 242
	Access Request (1), id: 0x05, Authenticator: 4215e95809551826eda76972be4106c4
	  Username Attribute (1), length: 18, Value: mtu-06 at my.domain
	    0x0000:  6d74 752d 3036 4069 706b 2e73 722e 7365
	  Unknown Attribute (207), length: 10, Value: 
	    0x0000:  0a08 6d74 752d 3036
	  Unknown Attribute (207), length: 13, Value: 
	    0x0000:  010b 6970 6b2e 7372 2e73 65
	  Unknown Attribute (207), length: 36, Value: 
	    0x0000:  0222 5532 6448 326c 4e6e 5271 3677 4353
	    0x0010:  6463 6775 5056 3050 516e 3936 324d 5635
	    0x0020:  6d34
	  Unknown Attribute (207), length: 17, Value: 
	    0x0000:  040f 7369 703a 6970 6b2e 7372 2e73 65
	  Unknown Attribute (207), length: 12, Value: 
	    0x0000:  030a 5245 4749 5354 4552
	  Unknown Attribute (207), length: 8, Value: 
	    0x0000:  0506 6175 7468
	  Unknown Attribute (207), length: 12, Value: 
	    0x0000:  090a 3030 3030 3030 3031
	  Unknown Attribute (207), length: 36, Value: 
	    0x0000:  0822 3933 3832 3333 3333 3530 3162 3238
	    0x0010:  6439 3236 3739 3863 3964 3038 6539 3134
	    0x0020:  3733
	  Unknown Attribute (206), length: 34, Value: 
	    0x0000:  3538 3665 3336 3763 3230 3163 3137 6438
	    0x0010:  6261 3265 3830 3533 3763 6433 3562 3761
	  Service Type Attribute (6), length: 6, Value: #15
	    0x0000:  0000 000f
	  Unknown Attribute (208), length: 8, Value: 
	    0x0000:  6d74 752d 3036
	  NAS Port Attribute (5), length: 6, Value: 5060
	    0x0000:  0000 13c4
	  NAS IP Address Attribute (4), length: 6, Value: 10.24.194.198
	    0x0000:  c079 c2c6
10:07:10.863964 IP (tos 0x0, ttl 64, id 28916, offset 0, flags [none], proto UDP (17), length 48)
    10.24.194.196.1812 > 10.24.194.198.63712: [bad udp cksum 0x06ac -> 0x44c0!] RADIUS, length: 20
	Access Accept (2), id: 0x05, Authenticator: 8f07de871a066aacfbe822e20a9b96c1


The RADIUS part of the Kamailio config is: 

	# authenticate REGISTERs and any request claiming a local From URI
	if (is_method("REGISTER") || from_uri==myself)
	#if (is_method("REGISTER") )
	{
		xlog("L_INFO", "authenticate [$fd]\n");

		### RADIUS ###
		if (!radius_www_authorize("my.domain")) {
			# save the return code before any other call overwrites $rc
			$var(ret) = $rc;
			xlog("L_INFO", "response code: [$var(ret)]\n");
			switch ($var(ret)) {
				case -7:
					send_reply("500", "Server Internal Error");
					exit;
				case -1:
					send_reply("400", "Bad Request");
					exit;
			}
			# any other failure (no or wrong credentials): challenge the client
			if (defined($avp(digest_challenge)) &&
			    ($avp(digest_challenge) != "")) {
				append_to_reply("$avp(digest_challenge)");
			}
			send_reply("401", "Unauthorized");
			exit;
		}
		# user authenticated - remove auth header (registrar/presence keep it)
		if (!is_method("REGISTER|PUBLISH"))
			consume_credentials();
	}

Any clues? What is missing from my narrative? 

-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
Actually, what I'd like is a little toy spaceship!!
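An added example (not part of the post above, nor code from Kamailio or FreeRADIUS) that decodes a RADIUS Access-Request laid out like the capture in the post, with SIP digest credentials in the draft-sterman-aaa-sip style that Kamailio's auth_radius dictionary uses (Digest-Attributes = 207 with nested sub-attributes, Digest-Response = 206, Sip-Uri-User = 208), and then recomputes the RFC 2617 response the way a server holding the cleartext password (FreeRADIUS rlm_digest) would before answering Access-Accept. The attribute numbers come from the dump; the sub-attribute names follow the draft; the sample packet, user, realm, nonce, password and NAS address are constructed and are not the values from the post.

```python
"""Decode a RADIUS Access-Request carrying SIP digest attributes and check the
Digest-Response against a known password (added example, constructed data)."""
import hashlib
import socket
import struct

TOP_ATTRS = {
    1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
    206: "Digest-Response", 207: "Digest-Attributes", 208: "Sip-Uri-User",
}
# Sub-attribute codes carried inside attribute 207 (draft-sterman-aaa-sip)
DIGEST_SUB = {
    1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method", 4: "Digest-URI",
    5: "Digest-QOP", 6: "Digest-Algorithm", 7: "Digest-Body-Digest",
    8: "Digest-CNonce", 9: "Digest-Nonce-Count", 10: "Digest-User-Name",
}


def parse_tlvs(blob):
    """Walk a RADIUS attribute list: 1-byte type, 1-byte length (incl. header), value."""
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, blob[off + 2:off + alen]
        off += alen


def decode_access_request(pkt):
    """Return header fields plus decoded attributes; digest sub-attributes under 'digest'."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 1:
        raise ValueError(f"not an Access-Request (code {code})")
    if length != len(pkt) or length < 20:
        raise ValueError("length field does not match packet")
    out = {"code": code, "id": ident, "authenticator": pkt[4:20].hex(), "digest": {}}
    for atype, val in parse_tlvs(pkt[20:length]):
        if atype == 207:
            for sub, sval in parse_tlvs(val):
                out["digest"][DIGEST_SUB.get(sub, f"Digest-Sub-{sub}")] = sval.decode()
        elif atype == 4:
            out["NAS-IP-Address"] = socket.inet_ntoa(val)
        elif atype in (5, 6):
            out[TOP_ATTRS[atype]] = struct.unpack("!I", val)[0]
        else:
            out[TOP_ATTRS.get(atype, f"Attr-{atype}")] = val.decode(errors="replace")
    return out


def digest_response(d, password):
    """RFC 2617 response (qop=auth or no qop) from the decoded digest fields."""
    def h(s):
        return hashlib.md5(s.encode()).hexdigest()
    ha1 = h(f"{d['Digest-User-Name']}:{d['Digest-Realm']}:{password}")
    ha2 = h(f"{d['Digest-Method']}:{d['Digest-URI']}")
    if d.get("Digest-QOP"):
        return h(f"{ha1}:{d['Digest-Nonce']}:{d['Digest-Nonce-Count']}:"
                 f"{d['Digest-CNonce']}:{d['Digest-QOP']}:{ha2}")
    return h(f"{ha1}:{d['Digest-Nonce']}:{ha2}")


def server_would_accept(pkt, password):
    """The check a RADIUS server with the cleartext password makes before Access-Accept."""
    d = decode_access_request(pkt)
    return d.get("Digest-Response") == digest_response(d["digest"], password)


def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def build_access_request(user, realm, password, nonce, ident=5, method="REGISTER",
                         uri=None, cnonce="0a1b2c", nc="00000001"):
    """Constructed Access-Request in the layout of the capture (all values made up)."""
    uri = uri or f"sip:{realm}"
    digest = {
        "Digest-User-Name": user, "Digest-Realm": realm, "Digest-Nonce": nonce,
        "Digest-URI": uri, "Digest-Method": method, "Digest-QOP": "auth",
        "Digest-Nonce-Count": nc, "Digest-CNonce": cnonce,
    }
    codes = {name: code for code, name in DIGEST_SUB.items()}
    attrs = _attr(1, f"{user}@{realm}".encode())
    for name, val in digest.items():
        attrs += _attr(207, _attr(codes[name], val.encode()))  # nested TLV inside 207
    attrs += _attr(206, digest_response(digest, password).encode())
    attrs += _attr(6, struct.pack("!I", 15))             # Service-Type value seen in the dump
    attrs += _attr(208, user.encode())                   # Sip-Uri-User
    attrs += _attr(5, struct.pack("!I", 5060))           # NAS-Port
    attrs += _attr(4, socket.inet_aton("192.0.2.10"))    # NAS-IP-Address (documentation range)
    authenticator = hashlib.md5(b"constructed, not random").digest()  # 16 bytes, example only
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


SAMPLE = build_access_request("alice", "example.org", "s3cret", "n0nce-example")

if __name__ == "__main__":
    for key, value in decode_access_request(SAMPLE).items():
        print(key, value)
    print("server would accept:", server_would_accept(SAMPLE, "s3cret"))
```

Fed the attribute bytes of a real capture, the decoder shows exactly what the server was asked to verify: the realm and user name that go into HA1, the method and URI that go into HA2, and the nonce, nonce count and cnonce that bind them. The 206 value must equal the RFC 2617 response over those fields and the stored password; an Access-Accept attests only that this equality held on the server side, so a proxy that still challenges after an Access-Accept has to be debugged on the proxy, not the RADIUS, side.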