[Users] Radius Authentication

Daniel-Constantin Mierla daniel at voice-system.ro
Wed Mar 8 20:26:10 CET 2006


Hello,

On 03/07/06 04:16, Edson wrote:
> I run it, now with FreeRadius in debug mode (see results in attached file),
> but nothing changed... I run with the two versions of radiusclient that I
> have...
>
> Any idea?
>   
I have seen that radius server returned authenticated, but the 
libradiusclient-ng returns failure. You should get some error message in 
the syslog file from libradiusclient-ng.

I will set up a radius server and play with it in my environment.

Cheers,
Daniel

> Edson.
>
> PS: in attached file, You will find debug from OpenSER, FreeRadius and logs
> from /var/log/message and
> /var/log/radius/radacct/127.0.0.1/reply-detail-20060306.
>
>   
>> -----Original Message-----
>> From: Daniel-Constantin Mierla [mailto:daniel at voice-system.ro]
>> Sent: Saturday, March 4, 2006 08:24
>> To: Edson
>> Cc: 'OpenSER (E-mail)'
>> Subject: Re: [Users] Radius Authentication
>>
>> Hello,
>>
>> On 03/03/06 02:57, Edson wrote:
>>> The working SER installation uses radiusclient-ng 0.5.0-1. It was compiled
>>> after a CVS download made at the beginning of Jun/2005. Unfortunately I miss
>>> the source code and am using an i686-RPM derived from that code.
>>>
>>> I already tried to use this RPM (version 0.5.0-1) on the Xeon machine. The
>>> results are the same. Just the same message in /var/log/messages:
>>>
>>> "Mar  2 21:45:54 sip openser: rc_check_reply: received invalid reply digest from RADIUS server"
>>>
>> can you run the radius server in debug mode to see there what messages
>> you get. Also, check the /var/log/syslog or /var/log/messages to see
>> other error messages printed by radiusclient-ng library when you use
>> debug mode with openser.
>>
>> Cheers,
>> Daniel
>>
>>> When I start "openser -TDdd" I see:
>>> ...
>>>  0(16385) get_hdr_field: cseq <CSeq>: <4> <REGISTER>
>>>  0(16385) DEBUG:maxfwd:is_maxfwd_present: value = 70
>>>  0(16385) parse_headers: flags=200
>>>  0(16385) DEBUG: get_hdr_body : content_length=0
>>>  0(16385) found end of header
>>>  0(16385) find_first_route: No Route headers found
>>>  0(16385) loose_route: There is no Route HF
>>>  0(16385) grep_sock_info - checking if host==us: 13==13 && [ZZZ.ZZ.ZZZ.39] == [ZZZ.ZZ.ZZZ.39]
>>>  0(16385) grep_sock_info - checking if port 5060 matches port 5060
>>>  0(16385) parse_headers: flags=ffffffffffffffff
>>>  0(16385) check_via_address(XXX.XX.XXX.120, 172.27.248.6, 0)
>>>  0(16385) lookup(): '' Not found in usrloc
>>>  0(16385) check_nonce(): comparing [440792edd872b52b27f6dbee8ab2af7f61016704] and [440792edd872b52b27f6dbee8ab2af7f61016704]
>>>
>>>  0(16385) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
>>>
>>>  0(16385) build_auth_hf(): 'WWW-Authenticate: Digest realm="ZZZ.ZZ.ZZZ.39", nonce="440792eeec1cb5b22b20c18355c2a9a71eeb1af7"'
>>>  0(16385) parse_headers: flags=ffffffffffffffff
>>>  0(16385) check_via_address(XXX.XX.XXX.120, 172.27.248.6, 0)
>>>  0(16385) DEBUG:destroy_avp_list: destroying list (nil)
>>>  0(16385) receive_msg: cleaning up
>>> ...
>>> I double checked all the "dictionary" definitions, triple checked my OpenSER
>>> and Radiusclient-NG config and was not able to find the mistake.
>>>
>>> So I'm really out of ideas... Maybe the return value ("Authenticated") is
>>> illegal?
>>>
>>> Edson.
>>>
>>>> -----Original Message-----
>>>> From: Daniel-Constantin Mierla [mailto:daniel at voice-system.ro]
>>>> Sent: Thursday, March 2, 2006 09:29
>>>> To: Edson
>>>> Cc: 'OpenSER (E-mail)'
>>>> Subject: Re: [Users] Radius Authentication
>>>>
>>>> Hello,
>>>>
>>>> the error:
>>>>
>>>> Mar  1 15:41:43 dell openser-TEST[20789]: rc_check_reply: received invalid reply digest from RADIUS server
>>>>
>>>> comes from the radiusclient-ng library, in file "lib/sendserver.c" at
>>>> line 498. Did you use the same version of radiusclient-ng before?
>>>>
>>>> Cheers,
>>>> Daniel
>>>>
>>>> On 03/01/06 22:23, Edson wrote:
>>>>
>>>>> Hi, Guys...
>>>>>
>>>>> As the MySQL problem is apparently solved I’m facing a Radius issue… I'm
>>>>> using FreeRadius 1.0.4, RadiusClient-NG 0.5.2 and OpenSER 1.0.1.
>>>>>
>>>>> If I duplicate the configs used with SER (and that it works fine) I’m
>>>>> unable to authenticate my UA (the same that authenticates with SER). The
>>>>> message with “debug=4” is:
>>>>>
>>>>> Mar  1 15:41:43 dell openser-TEST[20789]: check_nonce(): comparing [4405ec129258d5cf9c016ade69cf37e33b5af52b] and [4405ec129258d5cf9c016ade69cf37e33b5af52b]
>>>>> Mar  1 15:41:43 dell openser-TEST[20789]: rc_check_reply: received invalid reply digest from RADIUS server
>>>>> Mar  1 15:41:43 dell openser-TEST[20789]: ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
>>>>>
>>>>> So I supposed that there was some failed configuration, I looked at my
>>>>> “radiusd.conf” and found:
>>>>>
>>>>>   modules {
>>>>>   ...
>>>>>     digest {
>>>>>     }
>>>>>   ...
>>>>>   }
>>>>>   authorize {
>>>>>           preprocess
>>>>>           auth_log
>>>>>           suffix
>>>>>           digest
>>>>>           sql
>>>>>   }
>>>>>   authenticate {
>>>>>           digest
>>>>>   }
>>>>>
>>>>> As my FreeRadius back-end is a MySQL database, the 'sql' statement in
>>>>> authorize seems ok. And so does 'digest' in the 'authenticate' section.
>>>>>
>>>>> The question remains: Why does OpenSER complain about the Radius response?
>>>>> Maybe it's because of the sterman schema (?)....
>>>>>
>>>>> Anyway, I tried to test the server using the radtest tool. The output
>>>>> seems good to me:
>>>>>
>>>>> # radtest 8201 at DOMAIN.VALID 8201 127.0.0.1 12345 MyServerPassword
>>>>> Sending Access-Request of id 255 to 127.0.0.1:1812
>>>>>         User-Name = "8201 at DOMAIN.VALID"
>>>>>         User-Password = "8201"
>>>>>         NAS-IP-Address = sip
>>>>>         NAS-Port = 12345
>>>>> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=255, length=35
>>>>>         Reply-Message = "Authenticated"
>>>>>
>>>>> So I discard FreeRadius config. Is this related to the value of
>>>>> “Reply-Message”? I already read all the Radius material that I found on
>>>>> the OpenSER web page…
>>>>>
>>>>> What am I doing wrong? What am I missing? As these same configs work with
>>>>> SER 0.9.2, why do they not with OpenSER 1.0.x?
>>>>>
>>>>> Edson.
>>>       
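
Added example, not part of the thread and not radiusclient-ng code: the reply check that RFC 2865 requires of a RADIUS client, where the Response Authenticator must equal MD5(Code + ID + Length + Request Authenticator + Attributes + shared secret). It shows how a server can send Access-Accept while the client still reports an invalid reply digest; the function names, secrets and packet below are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2          # RADIUS code for Access-Accept (RFC 2865)
REPLY_MESSAGE = 18         # attribute type of Reply-Message


def build_reply(code, ident, request_auth, attrs, secret):
    """Server side: build a reply and sign it with the shared secret."""
    length = 20 + len(attrs)
    header = struct.pack("!BBH", code, ident, length)
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs


def check_reply(packet, ident, request_auth, secret):
    """Client side: return (ok, reason) for a received reply."""
    if len(packet) < 20:
        return False, "short packet"
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False, "bad length field"
    if rid != ident:
        return False, "identifier mismatch"
    packet = packet[:length]           # ignore padding past Length
    expected = hashlib.md5(
        packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "invalid reply digest"
    return True, "code %d accepted" % code


def demo():
    # Constructed values: authenticator, secrets and packet are examples only.
    request_auth = bytes(range(16))
    text = b"Authenticated"
    attrs = struct.pack("!BB", REPLY_MESSAGE, 2 + len(text)) + text
    reply = build_reply(ACCESS_ACCEPT, 255, request_auth, attrs, b"server-secret")
    return {
        "length": len(reply),
        "same_secret": check_reply(reply, 255, request_auth, b"server-secret"),
        "other_secret": check_reply(reply, 255, request_auth, b"client-secret"),
        "tampered": check_reply(reply[:-1] + b"X", 255, request_auth, b"server-secret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The constructed Access-Accept is 35 bytes long, the same size as the radtest reply quoted above, and it is rejected by the client whenever the secret or any signed byte differs.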



