[SR-Users] Auth_radius - digest auth problem

Daniel-Constantin Mierla miconda at gmail.com
Tue Jun 6 10:02:27 CEST 2017 

Hello,

the tutorial is now in markdown format at:

  - https://github.com/kamailio/kamailio-tutorials

It is a plain migration from old html version to mkdocs, only replacing
some of openser words with kamailio.

Pull requests to get it up to date are welcome!

Cheers,
Daniel

On 22.05.17 21:29, Alfonso Pinto wrote:
> Hi Daniel,
>
> I don't use radius since ages but I think I can install a small PoC
> and update the tutorial.
>
> Cheers,
> Alfonso
>
> On Mon, May 22, 2017 at 3:00 PM, Daniel-Constantin Mierla
> <miconda at gmail.com> wrote:
>> Hello,
>>
>> thanks for sharing back the solution. It will be useful in the future for
>> people facing the same issue.
>>
>> Probably we should update the very old tutorial for using Radius
>> (https://www.kamailio.org/docs/openser-radius-1.0.x.html). I can take the
>> time to put it on gihub (probably as markdown file so we can use mkdocs to
>> publish it in nice html output), but I need people using Radius these days
>> to contribute updates, because I don't use Radius anymore for many years.
>>
>> Is anyone interested in helping with it?
>>
>> Cheers,
>> Daniel
>>
>> On Mon, May 22, 2017 at 8:56 AM, Donat Zenichev <donat.zenichev at gmail.com>
>> wrote:
>>> What did you mean, when you ask for 'backend'?
>>> If you meant an storage, so it's not a .txt users file, I'm using db -
>>> radcheck table.
>>>
>>> So guys, the I've solved the problem.
>>> It wasn't consisted of kamailio functions or radius configuration.
>>>
>>> So you're free to use: www_challenge("$fd", "1"), until up
>>> radius_www_authorize("$fd","$fU") comes up.
>>> Qop parameter does what he does and changes nothing within radius
>>> authentication process.
>>>
>>>
>>> My problem was about username column in radcheck table.
>>> It's not enough to insert an username, you ought to use full URI, like:
>>> username at my.proxy.domain
>>> Also don't forget about attributes of the row that belongs to a certain
>>> user agent.
>>>
>>> So my part of table for one of users looks like that:
>>>
>>> ;-------------------------------------------------------------------------------------------------------------------;
>>>
>>> ;---id---;---username-------;------attribute---------;------op-------;----------value---------------------;
>>>
>>> ;-------------------------------------------------------------------------------------------------------------------;
>>> ;__1__;__ua at dom.com_;__User-Password_;___==_____;_____hereuapassowrd____;
>>> ;__2__;__ua at dom.com_;__Auth-Type_____;___:=______;_____Digest____________;
>>> ;__....
>>>
>>> Actually, I don't know why, but there is just a few articles all over the
>>> net, that describes a bit the functionality and processing with auth_radius
>>> module.
>>> I hope my case will be useful for others, who uses kamailio + radius/db
>>>
>>> But I have a problem how to request AVPs for a certain user from RADIUS, I
>>> found some solutions with SIP-AVP attribute, but still haven't done it.
>>> Now I have to databases, one for Kamailio (that contains users AVPs, that
>>> Kamailio gets by avp_db_query) and second for users credentials (that are
>>> used while authorization on INVITE, REGISTER requests).
>>>
>>> And as for the future, I have a goal to store passwords in ha1, haven't
>>> started to discover this.
>>>
>>>
>>>
>>>
>>> 2017-05-18 17:11 GMT+03:00 Donat Zenichev <donat.zenichev at gmail.com>:
>>>> Hi all.
>>>> Have a problem with radius authorization.
>>>>
>>>> I'm using auth_radius.so
>>>>
>>>> modparams, only path to client file:
>>>> modparam("auth_radius", "radius_config",
>>>> "/etc/radiusclient/radiusclient.conf")
>>>>
>>>> Freeradius installed and is working properly, radtest authentication from
>>>> kamailio host succeed .
>>>>
>>>> How authorization block looks like:
>>>>
>>>> if (!is_present_hf("Authorization")) {
>>>> xlog("L_NOTICE", "----- Athorization HF is not found - passing the
>>>> challenge -----\n");
>>>>
>>>> if (nat_uac_test("2")) {
>>>> force_rport();
>>>> }
>>>>
>>>> www_challenge("$fd", "1");
>>>> exit;
>>>>
>>>>
>>>> if (!radius_www_authorize("$fd","$fU")) {
>>>>
>>>> if (nat_uac_test("2")) {
>>>> force_rport();
>>>> }
>>>> xlog("L_NOTICE", "----- Registeration $au@$ar ($fU) from $si:$sp
>>>> Rejected. Code: $rc -----\n");
>>>>
>>>> sl_send_reply("401","Unauthorized");
>>>> exit;
>>>>
>>>> Radius log is filled by rows like:
>>>> Auth: [digest] Cleartext-Password or Digest-HA1 is required for
>>>> authentication.
>>>>
>>>> Tried to use radius_www_authorize without $fU - didn't change anything.
>>>> Tried to use www_challenge without qop - didn't change anything.
>>>>
>>>> So, this solution is quite simple, but I have a fail while digest
>>>> authentication.
>>>> Any ideas?
>>>>
>>>>
>>>> --
>>>> --
>>>> BR, Donat Zenichev
>>>> Wnet VoIP team
>>>> Tel:  +380(44) 5-900-808
>>>> http://wnet.ua
>>>
>>>
>>>
>>> --
>>> --
>>> BR, Donat Zenichev
>>> Wnet VoIP team
>>> Tel:  +380(44) 5-900-808
>>> http://wnet.ua
>>>
>>> _______________________________________________
>>> Kamailio (SER) - Users Mailing List
>>> sr-users at lists.kamailio.org
>>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>>
>>
>>
>> --
>> Daniel-Constantin Mierla - http://www.asipto.com
>> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users at lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - www.kamailioworld.com

More information about the sr-users mailing list