[Users] Problem with Radius authentication
Bogdan-Andrei Iancu
bogdan at voice-system.ro
Mon Oct 10 20:52:09 CEST 2005
Hi Matthew,
first of all you should get the outgoing RADIUS packets - be sure you
are listening on the proper interface for traffic to boxster (is this
name resolvable via DNS?).
regards,
bogdan
Matthew Williams wrote:
>Hello,
>
>I'm trying to set up OpenSER to use Radius authentication, but am having
>problems. I can't get the OpenSER server to actually send any Radius packets
>out over the network to my Radius server. I've been sniffing the network with
>Ethereal and no packets are sent out, even though I get messages in the
>syslog saying;
>
>Oct 10 16:59:24 ibwok-2mrt71j /usr/sbin/openser[9057]: rc_send_server: no
>reply from RADIUS server boxster:1812
>Oct 10 16:59:24 ibwok-2mrt71j /usr/sbin/openser[9058]: rc_send_server: no
>reply from RADIUS server boxster:1812
>Oct 10 16:59:25 ibwok-2mrt71j /usr/sbin/openser[9059]: rc_send_server: no
>reply from RADIUS server boxster:1812
>
>and so on.
>
>My openser.cfg file (see below) is pretty much unchanged from the default
>config file, except adding Radius options as according to this HOWTO
>http://www.iptel.org/ser/doc/ser_radius/ser_radius.html
>
>I've seen this problem both with the pre-compiled Debian packages on a Debian
>Sarge installation and also when compiled by hand on a Sun Solaris 9 server.
>I must be missing something from my configuration files, but I can't work out
>what it is. Does anyone have any ideas?
>
>Thanks in advance,
>
>Matt Williams
>
>------------------------------------------------------------------
>openser.cfg
>------------------------------------------------------
>#
># $Id: openser.cfg,v 1.1.1.1 2005/06/13 16:47:30 bogdan_iancu Exp $
>#
># simple quick-start config script
>#
>
># ----------- global configuration parameters ------------------------
>
>#debug=3 # debug level (cmd line: -dddddddddd)
>#fork=yes
>#log_stderror=no # (cmd line: -E)
>
>/* Uncomment these lines to enter debugging mode
>fork=no
>log_stderror=yes
>*/
>
>check_via=no # (cmd. line: -v)
>dns=no # (cmd. line: -r)
>rev_dns=no # (cmd. line: -R)
>#port=5060
>#children=4
>fifo="/tmp/openser_fifo"
>alias=testdomain
>
># ------------------ module loading ----------------------------------
>
># Uncomment this if you want to use SQL database
>#loadmodule "/usr/local/lib/ser/modules/mysql.so"
>
>loadmodule "/usr/lib/openser/modules/sl.so"
>loadmodule "/usr/lib/openser/modules/tm.so"
>loadmodule "/usr/lib/openser/modules/rr.so"
>loadmodule "/usr/lib/openser/modules/maxfwd.so"
>loadmodule "/usr/lib/openser/modules/usrloc.so"
>loadmodule "/usr/lib/openser/modules/registrar.so"
>loadmodule "/usr/lib/openser/modules/textops.so"
>
># Uncomment this if you want digest authentication
># mysql.so must be loaded !
>loadmodule "/usr/lib/openser/modules/auth.so"
>#loadmodule "/usr/lib/openser/modules/auth_db.so"
>loadmodule "/usr/lib/openser/modules/auth_radius.so"
>
># ----------------- setting module-specific parameters ---------------
>modparam("auth_radius", "radius_config",
>"/etc/radiusclient-ng/radiusclient.conf")
>
># -- usrloc params --
>
>modparam("usrloc", "db_mode", 0)
>
># Uncomment this if you want to use SQL database
># for persistent storage and comment the previous line
>#modparam("usrloc", "db_mode", 2)
>
># -- auth params --
># Uncomment if you are using auth module
>#
>#modparam("auth_db", "calculate_ha1", yes)
>#
># If you set "calculate_ha1" parameter to yes (which is true in this config),
># uncomment also the following parameter
>#
>#modparam("auth_db", "password_column", "password")
>
># -- rr params --
># add value to ;lr param to make some broken UAs happy
>modparam("rr", "enable_full_lr", 1)
>
># ------------------------- request routing logic -------------------
>
># main routing logic
>
>route{
>
> # initial sanity checks -- messages with
> # max_forwards==0, or excessively long requests
> if (!mf_process_maxfwd_header("10")) {
> sl_send_reply("483","Too Many Hops");
> break;
> };
> if (msg:len >= 2048 ) {
> sl_send_reply("513", "Message too big");
> break;
> };
>
>
> # we record-route all messages -- to make sure that
> # subsequent messages will go through our proxy; that's
> # particularly good if upstream and downstream entities
> # use different transport protocol
> if (!method=="REGISTER") record_route();
>
> # subsequent messages within a dialog should take the
> # path determined by record-routing
> if (loose_route()) {
> # mark routing logic in request
> append_hf("P-hint: rr-enforced\r\n");
> route(1);
> break;
> };
>
> if (!uri==myself) {
> # mark routing logic in request
> append_hf("P-hint: outbound\r\n");
> route(1);
> break;
> };
>
> # if the request is for other domain use UsrLoc
> # (in case, it does not work, use the following command
> # with proper names and addresses in it)
> if (uri==myself) {
>
> if (method=="REGISTER") {
>
># Uncomment this if you want to use digest authentication
> if (!radius_www_authorize("testdomain")) {
> www_challenge("testdomain", "1");
> break;
> };
>
> save("location");
> break;
> };
>
> lookup("aliases");
> if (!uri==myself) {
> append_hf("P-hint: outbound alias\r\n");
> route(1);
> break;
> };
>
> # native SIP destinations are handled using our USRLOC DB
> if (!lookup("location")) {
> sl_send_reply("404", "Not Found");
> break;
> };
> };
> append_hf("P-hint: usrloc applied\r\n");
> route(1);
>}
>
>route[1]
>{
> # send it out now; use stateful forwarding as it works reliably
> # even for UDP2TCP
> if (!t_relay()) {
> sl_reply_error();
> };
>}
>------------------------------------------------------------------------
>
>radiusclient.conf
>------------------------------------------------------------------------
># General settings
>
># specify which authentication comes first respectively which
># authentication is used. possible values are: "radius" and "local".
># if you specify "radius,local" then the RADIUS server is asked
># first then the local one. if only one keyword is specified only
># this server is asked.
>auth_order radius
>
># maximum login tries a user has
>login_tries 4
>
># timeout for all login tries
># if this time is exceeded the user is kicked out
>login_timeout 60
>
># name of the nologin file which when it exists disables logins.
># it may be extended by the ttyname which will result in
># a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
># logins on /dev/ttyS2)
>nologin /etc/nologin
>
># name of the issue file. it's only display when no username is passed
># on the radlogin command line
>issue /etc/radiusclient-ng/issue
>
># RADIUS settings
>
># RADIUS server to use for authentication requests. this config
># item can appear more then one time. if multiple servers are
># defined they are tried in a round robin fashion if one
># server is not answering.
># optionally you can specify the port number on which the remote
># RADIUS server listens, separated by a colon from the hostname. if
># no port is specified /etc/services is consulted for the radius
># service. if this also fails a compiled-in default is used.
>authserver boxster
>
># RADIUS server to use for accounting requests. All that I
># said for authserver applies, too.
>#
>acctserver boxster
>
># file holding shared secrets used for the communication
># between the RADIUS client and server
>servers /etc/radiusclient-ng/servers
>
># dictionary of allowed attributes and values
># just like in the normal RADIUS distributions
>dictionary /etc/radiusclient-ng/dictionary
>
># program to call for a RADIUS authenticated login
>login_radius /usr/sbin/login.radius
>
># file which holds sequence number for communication with the
># RADIUS server
>seqfile /var/run/radius.seq
>
># file which specifies mapping between ttyname and NAS-Port attribute
>mapfile /etc/radiusclient-ng/port-id-map
>
># default authentication realm to append to all usernames if no
># realm was explicitly specified by the user
># the radiusd directly from Livingston doesn't use any realms, so leave
># it blank then
>default_realm
>
># time to wait for a reply from the RADIUS server
>radius_timeout 10
>
># resend request this many times before trying the next server
>radius_retries 3
>
># local address from which radius packets have to be sent
>bindaddr localhost
>
># LOCAL settings
>
># program to execute for local login
># it must support the -f flag for preauthenticated login
>login_local /bin/login
>
>
>This e-mail and any attachments are confidential and may also be legally privileged and/or copyright material of Intec Telecom Systems PLC (or its affiliated companies). If you are not an intended or authorised recipient of this e-mail or have received it in error, please delete it immediately and notify the sender by e-mail. In such a case, reading, reproducing, printing or further dissemination of this e-mail or its contents is strictly prohibited and may be unlawful.
>
>Intec Telecom Systems PLC does not represent or warrant that an attachment hereto is free from computer viruses or other defects. The opinions expressed in this e-mail and any attachments may be those of the author and are not necessarily those of Intec Telecom Systems PLC.
>
>
>_______________________________________________
>Users mailing list
>Users at openser.org
>http://openser.org/cgi-bin/mailman/listinfo/users
>
>
>
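Editor's note: the checks Bogdan asks for (is the server name resolvable, is the capture on the interface the request would actually leave by) can be done offline against the posted radiusclient.conf before reaching for Ethereal. The script below is an added example written for this archive page; it is not code from OpenSER, from radiusclient-ng, or from either poster. The config excerpt, the "servers" file, the shared secrets and the DNS answers in it are constructed, and it assumes, as in the stock radiusclient-ng config, that "bindaddr *" means the client socket is not bound to a specific local address. It flags a name that does not resolve, a client socket bound to a loopback address while the RADIUS server is not on loopback (UDP from such a socket cannot reach another host), a server with no entry in the shared-secret file, and a secret shorter than the 16 octets RFC 2865 prefers; it also prints the libpcap filter (tcpdump or Ethereal) that would show the Access-Requests on the wire.

```python
"""Offline sanity checks for a radiusclient-ng radiusclient.conf, the client
library behind OpenSER's auth_radius module.  Added example for this thread;
not code from OpenSER, radiusclient-ng or either poster.  The config
snippets, the 'servers' file and the DNS answers below are constructed.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed: the relevant lines of the posted radiusclient.conf.
POSTED_CONF = """\
auth_order radius
authserver boxster
acctserver boxster
servers /etc/radiusclient-ng/servers
radius_timeout 10
radius_retries 3
bindaddr localhost
"""
# Constructed: the same config with the client socket left unbound ('*' is
# assumed to mean INADDR_ANY, as in the stock radiusclient-ng config).
FIXED_CONF = POSTED_CONF.replace("bindaddr localhost", "bindaddr *")

# Constructed 'servers' file: one "host <whitespace> shared-secret" per line.
SERVERS_FILE = """\
# host        secret
localhost     testing123
boxster       Zg7qvLp29mKx4Rw8aQ
"""

# Constructed DNS answers (192.0.2.0/24 is RFC 5737 documentation space).
FAKE_DNS = {"boxster": "192.0.2.10", "localhost": "127.0.0.1"}
DEFAULT_PORTS = {"authserver": 1812, "acctserver": 1813}  # IANA RADIUS ports

Resolver = Callable[[str], Optional[str]]

def fake_resolver(name: str) -> Optional[str]:
    """Offline stand-in for DNS; returns None for unknown names."""
    return FAKE_DNS.get(name)

def live_resolver(name: str) -> Optional[str]:
    """Real lookup, for running the checks on the NAS host itself."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def parse_conf(text: str) -> Dict[str, List[str]]:
    """'key value' lines; '#' comments and blanks skipped; keys may repeat."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf.setdefault(key, []).append(value.strip())
    return conf

def split_server(spec: str, default_port: int) -> Tuple[str, int]:
    """'host' or 'host:port', as written after authserver/acctserver."""
    host, _, port = spec.partition(":")
    return host, (int(port) if port else default_port)

def is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False

def check_conf(conf_text: str, servers_text: str, resolve: Resolver) -> List[str]:
    """Return human-readable findings; an empty list means nothing obvious."""
    conf = parse_conf(conf_text)
    secrets = {host: vals[0] for host, vals in parse_conf(servers_text).items()}
    findings: List[str] = []
    bindaddr = conf.get("bindaddr", ["*"])[0]
    bind_ip = None if bindaddr == "*" else resolve(bindaddr)
    if bindaddr != "*" and bind_ip is None:
        findings.append(f"bindaddr {bindaddr} does not resolve")
    for key in ("authserver", "acctserver"):
        for spec in conf.get(key, []):
            host, port = split_server(spec, DEFAULT_PORTS[key])
            ip = resolve(host)
            if ip is None:
                findings.append(f"{key} {host}: name does not resolve, no packet can be addressed")
                continue
            if bind_ip and is_loopback(bind_ip) and not is_loopback(ip):
                findings.append(f"{key} {host}:{port}: socket bound to loopback "
                                f"({bindaddr}={bind_ip}) cannot reach {ip}")
            secret = secrets.get(host)
            if secret is None:
                findings.append(f"{key} {host}: no shared secret in servers file")
            elif len(secret) < 16:  # RFC 2865 section 3 prefers >= 16 octets
                findings.append(f"{key} {host}: shared secret shorter than 16 octets")
    return findings

def capture_filter(conf_text: str, resolve: Resolver) -> str:
    """libpcap/BPF filter (tcpdump, Ethereal) matching the configured servers."""
    conf = parse_conf(conf_text)
    terms = []
    for key in ("authserver", "acctserver"):
        for spec in conf.get(key, []):
            host, port = split_server(spec, DEFAULT_PORTS[key])
            terms.append(f"(host {resolve(host) or host} and port {port})")
    return "udp and (" + " or ".join(terms) + ")"

if __name__ == "__main__":
    for finding in check_conf(POSTED_CONF, SERVERS_FILE, fake_resolver):
        print("posted config:", finding)
    print("fixed config:", check_conf(FIXED_CONF, SERVERS_FILE, fake_resolver))
    print("capture with: tcpdump -ni <iface> '" + capture_filter(FIXED_CONF, fake_resolver) + "'")
```

Run on the NAS with live_resolver in place of fake_resolver to test the real name; the capture filter should be applied on the interface whose route leads to the server's address, not on lo.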