[SR-Users] n00b question -- RADIUS authentication.

Daniel-Constantin Mierla miconda at gmail.com
Mon May 5 12:09:54 CEST 2014


Hello,

you should just use www_challenge() to send back the 401 response.

Here is an old tutorial, from the time when the project was named 
openser, but could be a good reading anyhow:

- http://www.kamailio.org/docs/openser-radius-1.0.x.html

The authentication part is pretty much the same.

Cheers,
Daniel

On 05/05/14 12:00, Måns Nilsson wrote:
> [first post to list]
>
> Greetings,
>
> I'm in the process of getting a Kamailio 3.3.2 installation authenticating
> its SIP accounts against a RADIUS database. There are -- at the moment --
> no plans to do any fancy accounting nor any authorisation beyond simple
> authentication.
>
> I've set up and tested a FreeRadius 2.2.3_1 server on a dedicated server.
>
> After a fairly steep learning curve involving RADIUS dictionaries I've
> come so far that kamailio sends out a RADIUS Access-Request message
> that is received by FreeRadius, processed, and returned to Kamailio
> which promptly ignores it and continues to send 401 to the client;
> the SIP message exchange with the client being:
>
> 	(some identifying info has been redacted)
>
>> 	REGISTER sip:my.domain SIP/2.0
> <	SIP/2.0 401 Unauthorized
> 		Via: SIP/2.0/UDP 10.25.191.24:41688;branch=z9hG4bK-d8754z-eac09e6c626d4c4d-1---d8754z-;rport=41688
>> 	REGISTER sip:my.domain SIP/2.0
> 		Via: SIP/2.0/UDP 10.25.191.24:41688;branch=z9hG4bK-d8754z-4f25c643f4b93465-1---d8754z-;rport
> <	SIP/2.0 401 Unauthorized
> 		Via: SIP/2.0/UDP 10.25.191.24:41688;branch=z9hG4bK-d8754z-4f25c643f4b93465-1---d8754z-;rport=41688
>
> The RADIUS exchange:
>
> 10:07:10.861063 IP (tos 0x0, ttl 64, id 14964, offset 0, flags [none], proto UDP (17), length 270)
>      10.24.194.198.63712 > 10.24.194.196.1812: [udp sum ok] RADIUS, length: 242
> 	Access Request (1), id: 0x05, Authenticator: 4215e95809551826eda76972be4106c4
> 	  Username Attribute (1), length: 18, Value: mtu-06 at my.domain
> 	    0x0000:  6d74 752d 3036 4069 706b 2e73 722e 7365
> 	  Unknown Attribute (207), length: 10, Value:
> 	    0x0000:  0a08 6d74 752d 3036
> 	  Unknown Attribute (207), length: 13, Value:
> 	    0x0000:  010b 6970 6b2e 7372 2e73 65
> 	  Unknown Attribute (207), length: 36, Value:
> 	    0x0000:  0222 5532 6448 326c 4e6e 5271 3677 4353
> 	    0x0010:  6463 6775 5056 3050 516e 3936 324d 5635
> 	    0x0020:  6d34
> 	  Unknown Attribute (207), length: 17, Value:
> 	    0x0000:  040f 7369 703a 6970 6b2e 7372 2e73 65
> 	  Unknown Attribute (207), length: 12, Value:
> 	    0x0000:  030a 5245 4749 5354 4552
> 	  Unknown Attribute (207), length: 8, Value:
> 	    0x0000:  0506 6175 7468
> 	  Unknown Attribute (207), length: 12, Value:
> 	    0x0000:  090a 3030 3030 3030 3031
> 	  Unknown Attribute (207), length: 36, Value:
> 	    0x0000:  0822 3933 3832 3333 3333 3530 3162 3238
> 	    0x0010:  6439 3236 3739 3863 3964 3038 6539 3134
> 	    0x0020:  3733
> 	  Unknown Attribute (206), length: 34, Value:
> 	    0x0000:  3538 3665 3336 3763 3230 3163 3137 6438
> 	    0x0010:  6261 3265 3830 3533 3763 6433 3562 3761
> 	  Service Type Attribute (6), length: 6, Value: #15
> 	    0x0000:  0000 000f
> 	  Unknown Attribute (208), length: 8, Value:
> 	    0x0000:  6d74 752d 3036
> 	  NAS Port Attribute (5), length: 6, Value: 5060
> 	    0x0000:  0000 13c4
> 	  NAS IP Address Attribute (4), length: 6, Value: 10.24.194.198
> 	    0x0000:  c079 c2c6
> 10:07:10.863964 IP (tos 0x0, ttl 64, id 28916, offset 0, flags [none], proto UDP (17), length 48)
>      10.24.194.196.1812 > 10.24.194.198.63712: [bad udp cksum 0x06ac -> 0x44c0!] RADIUS, length: 20
> 	Access Accept (2), id: 0x05, Authenticator: 8f07de871a066aacfbe822e20a9b96c1
>
>
> The RADIUS part of the Kamailio config is:
>
> 	if (is_method("REGISTER") || from_uri==myself)
> 	#if (is_method("REGISTER") )
> 	{
> 		# authenticate requests
> 		xlog("L_INFO", "authenticate [$fd]\n");
> 		### RADIUS ###
> 		if (!radius_www_authorize("my.domain")) {
> 			$var(ret) = $rc;
> 			xlog("L_INFO", "response code: [$var(ret)]\n");
> 			switch ($var(ret)) {
> 				case -7:
> 					send_reply("500", "Server Internal Error");
> 					exit;
> 				case -1:
> 					send_reply("400", "Bad Request");
> 					exit;
> 				default:
> 			};
> 			if (defined($avp(digest_challenge)) &&
> 					($avp(digest_challenge) != "")) {
> 				append_to_reply("$avp(digest_challenge)");
> 			};
> 			send_reply("401", "Unauthorized");
> 			exit;
> 		};
> 		# user authenticated - remove auth header
> 		if(!is_method("REGISTER|PUBLISH"))
> 			consume_credentials();
> 	}
>
> Any clues? What is missing from my narrative?
>
>
>


-- 
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
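
Added example, not part of the thread: tcpdump prints attributes 206 and 207 in the quoted capture as "Unknown", so this Python sketch decodes a RADIUS packet and unpacks attribute 207 into its digest sub-attributes. The sub-type names are an assumption taken from the draft-sterman-aaa-sip numbering, which matches the dump (sub-type 3 carries REGISTER, sub-type 5 carries auth); the sample packet is constructed with made-up values.

```python
import struct

# Attribute numbers as seen in the capture; names per draft-sterman-aaa-sip (assumed mapping).
DIGEST_RESPONSE, DIGEST_ATTRIBUTES = 206, 207
SUBTYPES = {1: "realm", 2: "nonce", 3: "method", 4: "uri", 5: "qop",
            6: "algorithm", 7: "body-digest", 8: "cnonce", 9: "nc", 10: "username"}
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}


def tlv(t, value):
    """Encode one type/length/value triple; length covers the 2-byte header."""
    return bytes([t, len(value) + 2]) + value


def parse_tlvs(buf):
    """Yield (type, value) pairs, rejecting truncated or undersized entries."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated TLV header")
        t, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("bad TLV length %d at offset %d" % (length, pos))
        yield t, buf[pos + 2:pos + length]
        pos += length


def decode_packet(pkt):
    """Return (code name, id, digest fields) for a RADIUS packet."""
    if len(pkt) < 20:
        raise ValueError("short RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("length field does not match packet")
    digest = {}
    for t, value in parse_tlvs(pkt[20:length]):
        if t == DIGEST_ATTRIBUTES:  # each 207 attribute wraps one sub-TLV
            for st, sv in parse_tlvs(value):
                digest[SUBTYPES.get(st, "sub-%d" % st)] = sv.decode("ascii", "replace")
        elif t == DIGEST_RESPONSE:
            digest["response"] = value.decode("ascii", "replace")
    return CODES.get(code, str(code)), ident, digest


# Constructed sample: same layout as the capture, with made-up values.
_subs = [(10, b"alice"), (1, b"example.org"), (3, b"REGISTER"), (5, b"auth"), (9, b"00000001")]
_attrs = b"".join(tlv(207, tlv(st, sv)) for st, sv in _subs) + tlv(206, b"0" * 32)
SAMPLE = struct.pack("!BBH", 1, 5, 20 + len(_attrs)) + bytes(16) + _attrs

if __name__ == "__main__":
    print(decode_packet(SAMPLE))
```

A 20-byte reply such as the Access-Accept in the capture decodes to a bare header with no attributes.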
