[SR-Users] Auth_radius - digest auth problem
Daniel-Constantin Mierla
miconda at gmail.com
Tue Jun 6 10:09:49 CEST 2017
Hello,
On 22.05.17 16:56, Donat Zenichev wrote:
> Well, actually I can try.
> What will be the main goal of this edition?
To get it updated for the latest Kamailio stable version, 5.0.x.
>
> Now I'm trying to find all features (about Radius) that have any
> influence on authentication process.
> And one more question, is it possible to discuss the refurbish actions
> of the article not at sr-list, but in personal mailing?
Discussion on the mailing list is better. I don't use RADIUS anymore, for
many years, so I can't really help much in private.
Moreover, my inbox is not checked very often; there is a lot of unsolicited
mail there. I rarely respond to emails there, unless I ask explicitly
for some sensitive details and then have a filter for catching such
messages. I always check the folders for mailing lists when I have a bit
of time; when there is nothing to respond to on the mailing list, nothing to fix
from the bug tracker and nothing else to spend time on, then I may get to
the inbox -- in other words, it's very unlikely. That's why I send
reminders here from time to time that private messages regarding
Kamailio have little chance of being answered - mailing lists are way better.
Cheers,
Daniel
>
>
>
> 2017-05-22 9:56 GMT+03:00 Donat Zenichev <donat.zenichev at gmail.com>:
>
> What did you mean when you asked for 'backend'?
> If you meant storage, it's not a .txt users file, I'm using
> db - radcheck table.
>
> So guys, I've solved the problem.
> It wasn't caused by kamailio functions or radius configuration.
>
> So you're free to use: www_challenge("$fd", "1"), until
> radius_www_authorize("$fd","$fU") comes up.
> Qop parameter does what it does and changes nothing within the radius
> authentication process.
>
>
> My problem was about the username column in the radcheck table.
> It's not enough to insert a username, you ought to use the full URI,
> like: username at my.proxy.domain
> Also don't forget about the attributes of the row that belongs to a
> certain user agent.
>
> So my part of table for one of users looks like that:
> id | username      | attribute     | op | value
> ---+---------------+---------------+----+----------------
> 1  | ua at dom.com | User-Password | == | hereuapassowrd
> 2  | ua at dom.com | Auth-Type     | := | Digest
> ....
>
> Actually, I don't know why, but there are just a few articles all
> over the net that describe a bit of the functionality and
> processing with the auth_radius module.
> I hope my case will be useful for others who use kamailio +
> radius/db
>
> But I have a problem with how to request AVPs for a certain user from
> RADIUS, I found some solutions with the SIP-AVP attribute, but still
> haven't done it.
> Now I have two databases, one for Kamailio (that contains users'
> AVPs, that Kamailio gets by avp_db_query) and a second for users'
> credentials (that are used during authorization on INVITE, REGISTER
> requests).
>
> And as for the future, I have a goal to store passwords in ha1,
> haven't started to discover this.
>
>
>
>
> 2017-05-18 17:11 GMT+03:00 Donat Zenichev <donat.zenichev at gmail.com>:
>
> Hi all.
> Have a problem with radius authorization.
>
> I'm using auth_radius.so
>
> modparams, only path to client file:
> modparam("auth_radius", "radius_config", "/etc/radiusclient/radiusclient.conf")
>
> Freeradius installed and is working properly, radtest
> authentication from kamailio host succeeds.
>
> How authorization block looks like:
>
> # No credentials yet: send a digest challenge (realm = From domain, flag "1" = qop)
> if (!is_present_hf("Authorization")) {
>     xlog("L_NOTICE", "----- Athorization HF is not found - passing the challenge -----\n");
>
>     if (nat_uac_test("2")) {
>         force_rport();
>     }
>
>     www_challenge("$fd", "1");
>     exit;
> }
>
> # Credentials present: let the RADIUS server verify the digest response
> if (!radius_www_authorize("$fd","$fU")) {
>
>     if (nat_uac_test("2")) {
>         force_rport();
>     }
>     xlog("L_NOTICE", "----- Registeration $au@$ar ($fU) from $si:$sp Rejected. Code: $rc -----\n");
>
>     sl_send_reply("401","Unauthorized");
>     exit;
> }
>
> Radius log is filled by rows like:
> Auth: [digest] Cleartext-Password or Digest-HA1 is required for authentication.
>
> Tried to use radius_www_authorize without $fU - didn't change
> anything.
> Tried to use www_challenge without qop - didn't change anything.
>
> So, this solution is quite simple, but I have a fail while
> digest authentication.
> Any ideas?
>
>
> --
> --
> BR, Donat Zenichev
> Wnet VoIP team
> Tel: +380(44) 5-900-808
> http://wnet.ua
--
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - www.kamailioworld.com