[Users] Radius Authentication
Daniel-Constantin Mierla
daniel at voice-system.ro
Wed Mar 8 20:26:10 CET 2006
Hello,
On 03/07/06 04:16, Edson wrote:
> I ran it, now with FreeRadius in debug mode (see results in attached file),
> but nothing changed... I ran it with the two versions of radiusclient that I
> have...
>
> Any idea?
>
I have seen that radius server returned authenticated, but the
libradiusclient-ng returns failure. You should get some error message in
the syslog file from libradiusclient-ng.
I will set up a radius server and play with it in my environment.
Cheers,
Daniel
> Edson.
>
> PS: in attached file, You will find debug from OpenSER, FreeRadius and logs
> from /var/log/message and
> /var/log/radius/radacct/127.0.0.1/reply-detail-20060306.
>
>
>> -----Original Message-----
>> From: Daniel-Constantin Mierla [mailto:daniel at voice-system.ro]
>> Sent: Saturday, 4 March 2006 08:24
>> To: Edson
>> Cc: 'OpenSER (E-mail)'
>> Subject: Re: [Users] Radius Authentication
>>
>> Hello,
>>
>> On 03/03/06 02:57, Edson wrote:
>>
>>> The working SER installation uses radiusclient-ng 0.5.0-1. It was compiled
>>> after a CVS download made at the beginning of Jun/2005. Unfortunately I miss
>>> the source code and am using an i686-RPM derived from that code.
>>>
>>> I already tried to use this RPM (version 0.5.0-1) on the Xeon machine. The
>>> results are the same. Just the same message in /var/log/messages:
>>>
>>> "Mar 2 21:45:54 sip openser: rc_check_reply: received invalid reply digest
>>> from RADIUS server"
>>>
>>>
>> can you run the radius server in debug mode to see there what messages
>> you get. Also, check the /var/log/syslog or /var/log/messages to see
>> other error messages printed by radiusclient-ng library when you use
>> debug mode with openser.
>>
>> Cheers,
>> Daniel
>>
>>
>>> When I start "openser -TDdd" I see:
>>> ...
>>> 0(16385) get_hdr_field: cseq <CSeq>: <4> <REGISTER>
>>> 0(16385) DEBUG:maxfwd:is_maxfwd_present: value = 70
>>> 0(16385) parse_headers: flags=200
>>> 0(16385) DEBUG: get_hdr_body : content_length=0
>>> 0(16385) found end of header
>>> 0(16385) find_first_route: No Route headers found
>>> 0(16385) loose_route: There is no Route HF
>>> 0(16385) grep_sock_info - checking if host==us: 13==13 && [ZZZ.ZZ.ZZZ.39] == [ZZZ.ZZ.ZZZ.39]
>>> 0(16385) grep_sock_info - checking if port 5060 matches port 5060
>>> 0(16385) parse_headers: flags=ffffffffffffffff
>>> 0(16385) check_via_address(XXX.XX.XXX.120, 172.27.248.6, 0)
>>> 0(16385) lookup(): '' Not found in usrloc
>>> 0(16385) check_nonce(): comparing
>>> [440792edd872b52b27f6dbee8ab2af7f61016704] and
>>> [440792edd872b52b27f6dbee8ab2af7f61016704]
>>>
>>> 0(16385) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
>>>
>>> 0(16385) build_auth_hf(): 'WWW-Authenticate: Digest realm="ZZZ.ZZ.ZZZ.39", nonce="440792eeec1cb5b22b20c18355c2a9a71eeb1af7"'
>>> 0(16385) parse_headers: flags=ffffffffffffffff
>>> 0(16385) check_via_address(XXX.XX.XXX.120, 172.27.248.6, 0)
>>> 0(16385) DEBUG:destroy_avp_list: destroying list (nil)
>>> 0(16385) receive_msg: cleaning up
>>> ...
>>> I double checked all the "dictionary" definitions, triple checked my OpenSER
>>> and Radiusclient-NG config and was not able to find the mistake.
>>>
>>> So I'm really out of ideas... Maybe the return value ("Authenticated") is
>>> illegal?
>>>
>>> Edson.
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: Daniel-Constantin Mierla [mailto:daniel at voice-system.ro]
>>>> Sent: Thursday, 2 March 2006 09:29
>>>> To: Edson
>>>> Cc: 'OpenSER (E-mail)'
>>>> Subject: Re: [Users] Radius Authentication
>>>>
>>>> Hello,
>>>>
>>>> the error:
>>>>
>>>> Mar 1 15:41:43 dell openser-TEST[20789]: rc_check_reply: received invalid
>>>> reply digest from RADIUS server
>>>>
>>>> comes from the radiusclient-ng library, in file "lib/sendserver.c" at
>>>> line 498. Did you use the same version of radiusclient-ng before?
>>>>
>>>> Cheers,
>>>> Daniel
>>>>
>>>> On 03/01/06 22:23, Edson wrote:
>>>>
>>>>
>>>>> Hi, Guys...
>>>>>
>>>>> As the MySQL problem is apparently solved I’m facing a Radius issue… I'm
>>>>> using FreeRadius 1.0.4, RadiusClient-NG 0.5.2 and OpenSER 1.0.1.
>>>>>
>>>>> If I duplicate the configs used with SER (and that works fine) I’m
>>>>> unable to authenticate my UA (the same that authenticates with SER). The
>>>>> message with “debug=4” is:
>>>>>
>>>>> Mar 1 15:41:43 dell openser-TEST[20789]: check_nonce(): comparing
>>>>> [4405ec129258d5cf9c016ade69cf37e33b5af52b] and
>>>>> [4405ec129258d5cf9c016ade69cf37e33b5af52b]
>>>>>
>>>>> Mar 1 15:41:43 dell openser-TEST[20789]: rc_check_reply: received
>>>>> invalid reply digest from RADIUS server
>>>>>
>>>>> Mar 1 15:41:43 dell openser-TEST[20789]:
>>>>> ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
>>>>>
>>>>> So I supposed that there was some failed configuration, I looked at my
>>>>> “radiusd.conf” and found:
>>>>>
>>>>> modules {
>>>>>     ...
>>>>>     digest {
>>>>>     }
>>>>>     ...
>>>>> }
>>>>> authorize {
>>>>>     preprocess
>>>>>     auth_log
>>>>>     suffix
>>>>>     digest
>>>>>     sql
>>>>> }
>>>>> authenticate {
>>>>>     digest
>>>>> }
>>>>>
>>>>> As my FreeRadius back-end is a MySQL database, the 'sql' statement in
>>>>> authorize seems ok. And so does 'digest' in the 'authenticate' section.
>>>>>
>>>>> The question remains: Why does OpenSER complain about the Radius response?
>>>>> Maybe it's because of the sterman schema (?)....
>>>>>
>>>>> Anyway, I tried to test the server using the radtest tool. The output
>>>>> seems good to me:
>>>>>
>>>>> # radtest 8201 at DOMAIN.VALID 8201 127.0.0.1 12345 MyServerPassword
>>>>> Sending Access-Request of id 255 to 127.0.0.1:1812
>>>>> User-Name = "8201 at DOMAIN.VALID"
>>>>> User-Password = "8201"
>>>>> NAS-IP-Address = sip
>>>>> NAS-Port = 12345
>>>>> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=255, length=35
>>>>> Reply-Message = "Authenticated"
>>>>>
>>>>> So I discard FreeRadius config. Is this related to the value of
>>>>> “Reply-Message”? I already read all Radius material that I found on the
>>>>> OpenSER web-page…
>>>>>
>>>>> What am I doing wrong? What am I missing? As these same configs work with
>>>>> SER 0.9.2, why do they not with OpenSER 1.0.x?
>>>>>
>>>>> Edson.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at openser.org
>>>>> http://openser.org/cgi-bin/mailman/listinfo/users
>>>>>
>>>>>
>>>>>
>>>>>
>>>
>>>
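
The "rc_check_reply: received invalid reply digest" message discussed in this thread comes from the client-side check of the RADIUS Response Authenticator (RFC 2865, section 3). The sketch below is an added example, not radiusclient-ng's code and not something posted in the thread; the secrets and the request authenticator are constructed values. It shows how a reply that the server logs as Access-Accept is still rejected by a client that holds a different shared secret or receives an altered packet.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
REPLY_MESSAGE = 18  # RFC 2865 attribute type for Reply-Message

def response_authenticator(code, ident, length, request_auth, attrs, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, request_auth, attrs, secret):
    """Server side: sign the reply with the secret configured for this client."""
    length = 20 + len(attrs)
    auth = response_authenticator(code, ident, length, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, length) + auth + attrs

def check_reply(packet, ident, request_auth, secret):
    """Client side: recompute the digest and compare it with the one received."""
    if len(packet) < 20:
        return "short packet"
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return "bad length"
    if rid != ident:
        return "id mismatch"
    received, attrs = packet[4:20], packet[20:length]
    expected = response_authenticator(code, rid, length, request_auth, attrs, secret)
    # Constant-time comparison, so the check does not leak how many bytes matched.
    if not hmac.compare_digest(received, expected):
        return "invalid reply digest"
    return "ok"

# Constructed sample values (assumptions, not taken from the thread's capture).
REQUEST_AUTH = bytes(range(16))
MSG = b"Authenticated"
ATTRS = struct.pack("!BB", REPLY_MESSAGE, 2 + len(MSG)) + MSG
REPLY = build_reply(ACCESS_ACCEPT, 255, REQUEST_AUTH, ATTRS, b"server-side-secret")

if __name__ == "__main__":
    print("reply length:", len(REPLY))
    for secret in (b"server-side-secret", b"client-side-secret"):
        print(secret.decode(), "->", check_reply(REPLY, 255, REQUEST_AUTH, secret))
```
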