[SR-Users] Auth_radius - digest auth problem

Alfonso Pinto alfonso.pinto at gmail.com
Mon May 22 21:29:47 CEST 2017


Hi Daniel,

I haven't used radius in ages but I think I can install a small PoC
and update the tutorial.

Cheers,
Alfonso

On Mon, May 22, 2017 at 3:00 PM, Daniel-Constantin Mierla
<miconda at gmail.com> wrote:
> Hello,
>
> thanks for sharing back the solution. It will be useful in the future for
> people facing the same issue.
>
> Probably we should update the very old tutorial for using Radius
> (https://www.kamailio.org/docs/openser-radius-1.0.x.html). I can take the
> time to put it on github (probably as a markdown file so we can use mkdocs to
> publish it in nice html output), but I need people using Radius these days
> to contribute updates, because I haven't used Radius for many years.
>
> Is anyone interested in helping with it?
>
> Cheers,
> Daniel
>
> On Mon, May 22, 2017 at 8:56 AM, Donat Zenichev <donat.zenichev at gmail.com>
> wrote:
>>
>> What did you mean when you asked for 'backend'?
>> If you meant a storage, it's not a .txt users file, I'm using db -
>> radcheck table.
>>
>> So guys, I've solved the problem.
>> It wasn't about kamailio functions or radius configuration.
>>
>> So you're free to use: www_challenge("$fd", "1"), until
>> radius_www_authorize("$fd","$fU") comes up.
>> The qop parameter does what it does and changes nothing within the radius
>> authentication process.
>>
>>
>> My problem was about username column in radcheck table.
>> It's not enough to insert a username, you ought to use the full URI, like:
>> username at my.proxy.domain
>> Also don't forget about attributes of the row that belongs to a certain
>> user agent.
>>
>> So my part of table for one of users looks like that:
>>
>> +----+---------------+---------------+----+----------------+
>> | id | username      | attribute     | op | value          |
>> +----+---------------+---------------+----+----------------+
>> |  1 | ua at dom.com | User-Password | == | hereuapassowrd |
>> |  2 | ua at dom.com | Auth-Type     | := | Digest         |
>> | ...
>>
>> Actually, I don't know why, but there are just a few articles all over the
>> net that describe a bit the functionality and processing of the auth_radius
>> module.
>> I hope my case will be useful for others who use kamailio + radius/db
>>
>> But I have a problem how to request AVPs for a certain user from RADIUS, I
>> found some solutions with SIP-AVP attribute, but still haven't done it.
>> Now I have two databases, one for Kamailio (that contains users' AVPs, that
>> Kamailio gets by avp_db_query) and a second for users' credentials (that are
>> used during authorization on INVITE, REGISTER requests).
>>
>> And as for the future, I have a goal to store passwords in ha1, haven't
>> started to discover this.
>>
>>
>>
>>
>> 2017-05-18 17:11 GMT+03:00 Donat Zenichev <donat.zenichev at gmail.com>:
>>>
>>> Hi all.
>>> Have a problem with radius authorization.
>>>
>>> I'm using auth_radius.so
>>>
>>> modparams, only path to client file:
>>> modparam("auth_radius", "radius_config",
>>> "/etc/radiusclient/radiusclient.conf")
>>>
>>> Freeradius is installed and is working properly, radtest authentication from
>>> the kamailio host succeeds.
>>>
>>> How the authorization block looks:
>>>
>>> # No credentials yet: send a digest challenge (qop enabled)
>>> if (!is_present_hf("Authorization")) {
>>>     xlog("L_NOTICE", "----- Authorization HF is not found - passing the challenge -----\n");
>>>
>>>     if (nat_uac_test("2")) {
>>>         force_rport();
>>>     }
>>>
>>>     www_challenge("$fd", "1");
>>>     exit;
>>> }
>>>
>>> # Credentials present: check them against RADIUS
>>> if (!radius_www_authorize("$fd","$fU")) {
>>>
>>>     if (nat_uac_test("2")) {
>>>         force_rport();
>>>     }
>>>     xlog("L_NOTICE", "----- Registration $au@$ar ($fU) from $si:$sp Rejected. Code: $rc -----\n");
>>>
>>>     sl_send_reply("401","Unauthorized");
>>>     exit;
>>> }
>>>
>>> Radius log is filled by rows like:
>>> Auth: [digest] Cleartext-Password or Digest-HA1 is required for
>>> authentication.
>>>
>>> Tried to use radius_www_authorize without $fU - didn't change anything.
>>> Tried to use www_challenge without qop - didn't change anything.
>>>
>>> So, this solution is quite simple, but I get a failure during digest
>>> authentication.
>>> Any ideas?
>>>
>>>
>>> --
>>> --
>>> BR, Donat Zenichev
>>> Wnet VoIP team
>>> Tel:  +380(44) 5-900-808
>>> http://wnet.ua
>>
>>
>>
>>
>> --
>> --
>> BR, Donat Zenichev
>> Wnet VoIP team
>> Tel:  +380(44) 5-900-808
>> http://wnet.ua
>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users at lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
>
>
>
> --
> Daniel-Constantin Mierla - http://www.asipto.com
> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
>
>
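
Donat mentions wanting to store passwords as HA1 next, and the RADIUS log line in the thread names Digest-HA1 as the alternative to Cleartext-Password. The following is an added example (not from any poster in this thread and not Kamailio or FreeRADIUS code) of the RFC 2617 computation behind that value, showing that a stored HA1 only verifies when it was built from the exact username and realm strings the UA hashes with. The function names and the sample REGISTER values are constructed for illustration.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    # HA1 = MD5(username:realm:password): the value a server can store
    # instead of the cleartext password.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, qop=None, nc=None, cnonce=None):
    # RFC 2617 section 3.2.2.1; qop=None is the legacy form without qop.
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")
    if qop != "auth":
        raise ValueError("only qop=auth is handled in this example")
    if not nc or not cnonce:
        raise ValueError("qop=auth requires nc and cnonce")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(stored_ha1, received, **request_fields):
    # The verifier never needs the password, only the stored HA1.
    expected = digest_response(stored_ha1, **request_fields)
    return hmac.compare_digest(expected, received.lower())


# Constructed sample REGISTER exchange (all values made up for the example).
REQ = dict(method="REGISTER", uri="sip:dom.com", nonce="constructed-nonce-0001",
           qop="auth", nc="00000001", cnonce="0a4f113b")
# What the phone sends: it hashes with digest username "ua", realm "dom.com".
UA_RESPONSE = digest_response(ha1("ua", "dom.com", "constructed-secret"), **REQ)

if __name__ == "__main__":
    good = ha1("ua", "dom.com", "constructed-secret")
    # Same password, but HA1 built from a different username string.
    other = ha1("ua@dom.com", "dom.com", "constructed-secret")
    print("matching HA1 verifies:  ", verify(good, UA_RESPONSE, **REQ))
    print("mismatched HA1 verifies:", verify(other, UA_RESPONSE, **REQ))
```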


