[Users] Radius Authentication failed ?

Daniel-Constantin Mierla daniel at voice-system.ro
Thu Mar 30 13:36:33 CEST 2006


Hello,

here you can find the description of this error:

http://docs.hp.com/en/T1428-90025/ch08s02.html

Received invalid reply digest from server => Server and client do not 
agree on shared secret => Verify the shared secret in the clients file 
agrees with the secret configured on the client.

I started an OpenSER-Radius tutorial, but due to time constraints it is 
not finished yet. Hopefully in next days will be ready. I will post it 
on the web and announce on the mailing list.

Cheers,
Daniel



On 03/30/06 14:24, Nguyen Duc Phi wrote:
> Thanks for supporting, Here is syslog of radiusclient.
>
> Mar 30 18:00:49 sipserver openser: rc_check_reply: received invalid 
> reply digest from RADIUS server
>
> ----- Original Message ----- From: "Daniel-Constantin Mierla" 
> <daniel at voice-system.ro>
> To: "Nguyen Duc Phi" <ndphi at vdc.com.vn>
> Cc: <users at openser.org>
> Sent: Thursday, March 30, 2006 6:12 PM
> Subject: Re: [Users] Radius Authentication failed ?
>
>
>> Have you got any message is syslog coming from radiusclient-ng 
>> library? The FreeRadius server reports ok for authentication.
>>
>> Cheers,
>> Daniel
>>
>>
>> On 03/30/06 05:15, Nguyen Duc Phi wrote:
>>> I config openser authenticate from Radius. when softphone register 
>>> to openser, Freeradius response "Sending Access-Accept" but openser 
>>> inform "ERROR:auth_radius:radius_authorize_sterman: rc_auth failed" 
>>> So softphone not registered. I search this title in google and find 
>>> on "*OpenSER Users Mailing List*", I didnt find solution to fix 
>>> problem.  Could someone help me fix this problem ?
>>>  Here is list of product's version I used.
>>> openser-1.0.1
>>> OS : CentOS-4 x86_64
>>> radiusclient-ng-0.5.2
>>> freeradius-1.0.5
>>>  openser show debug :
>>>  8(8985) parse_headers: flags=ffffffffffffffff
>>>  8(8985) check_via_address(192.168.212.123, 192.168.212.123, 0)
>>>  8(8985) DEBUG:destroy_avp_list: destroying list (nil)
>>>  8(8985) receive_msg: cleaning up
>>>  7(8982) SIP Request:
>>>  7(8982)  method:  <REGISTER>
>>>  7(8982)  uri:     <sip:vdc.com.vn>
>>>  7(8982)  version: <SIP/2.0>
>>>  7(8982) parse_headers: flags=2
>>>  7(8982) DEBUG: get_hdr_body : content_length=0
>>>  7(8982) get_hdr_field: cseq <CSeq>: <2> <REGISTER>
>>>  7(8982) DEBUG:parse_to:end of header reached, state=9
>>>  7(8982) DEBUG: get_hdr_field: <To> [23]; uri=[sip:5001 at vdc.com.vn]
>>>  7(8982) DEBUG: to body [<sip:5001 at vdc.com.vn>
>>> ]
>>>  7(8982) Found param type 235, <rport> = <n/a>; state=6
>>>  7(8982) Found param type 232, <branch> = 
>>> <z9hG4bKc0a8d47b0131c9b1442b39c80000367c00000003>; state=16
>>>  7(8982) end of header reached, state=5
>>>  7(8982) parse_headers: Via found, flags=2
>>>  7(8982) parse_headers: this is the first via
>>>  7(8982) After parse_msg...
>>>  7(8982) preparing to run routing scripts...
>>>  7(8982) DEBUG:maxfwd:is_maxfwd_present: value = 70
>>>  7(8982) parse_headers: flags=200
>>>  7(8982) found end of header
>>>  7(8982) find_first_route: No Route headers found
>>>  7(8982) loose_route: There is no Route HF
>>>  7(8982) grep_sock_info - checking if host==us: 10==9 &&  
>>> [vdc.com.vn] == [127.0.0.1]
>>>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
>>>  7(8982) grep_sock_info - checking if host==us: 10==13 &&  
>>> [vdc.com.vn] == [192.168.212.9]
>>>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
>>>  7(8982) grep_sock_info - checking if host==us: 10==9 &&  
>>> [vdc.com.vn] == [127.0.0.1]
>>>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
>>>  7(8982) grep_sock_info - checking if host==us: 10==13 &&  
>>> [vdc.com.vn] == [192.168.212.9]
>>>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
>>>  7(8982) grep_sock_info - checking if host==us: 10==9 &&  
>>> [vdc.com.vn] == [127.0.0.1]
>>>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
>>>  7(8982) grep_sock_info - checking if host==us: 10==13 &&  
>>> [vdc.com.vn] == [192.168.212.9]
>>>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
>>>  7(8982) grep_sock_info - checking if host==us: 10==9 &&  
>>> [vdc.com.vn] == [127.0.0.1]
>>>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
>>>  7(8982) grep_sock_info - checking if host==us: 10==13 &&  
>>> [vdc.com.vn] == [192.168.212.9]
>>>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
>>>  7(8982) check_nonce(): comparing 
>>> [442b360523cece6362803c97fa7fb10b37680cd8] and 
>>> [442b360523cece6362803c97fa7fb10b37680cd8]
>>>  7(8982) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
>>>  7(8982) build_auth_hf(): 'WWW-Authenticate: Digest 
>>> realm="vdc.com.vn", nonce="442b360523cece6362803c97fa7fb10b37680cd8"
>>> '
>>>  7(8982) parse_headers: flags=ffffffffffffffff
>>>  7(8982) check_via_address(192.168.212.123, 192.168.212.123, 0)
>>>  7(8982) DEBUG:destroy_avp_list: destroying list (nil)
>>>  7(8982) receive_msg: cleaning up
>>>  Radius show debug:
>>>  rad_recv: Access-Request packet from host 192.168.212.9:32826, 
>>> id=205, length=203
>>>         User-Name = "5001 at vdc.com.vn <mailto:5001 at vdc.com.vn>"
>>>         Digest-Attributes = 0x0a0635303031
>>>         Digest-Attributes = 0x010c7664632e636f6d2e766e
>>>         Digest-Attributes = 
>>> 0x022a34343262333630353233636563653633363238303363393766613766623130623337363830636438 
>>>
>>>         Digest-Attributes = 0x04107369703a7664632e636f6d2e766e
>>>         Digest-Attributes = 0x030a5245474953544552
>>>         Digest-Response = "1c3d532fc6c1c37004c6df6027e6242c"
>>>         Service-Type = 0x0000000f00000000
>>>         Sip-Uri-User = "5001"
>>>         NAS-Port = 0x000013c400000000
>>>         NAS-IP-Address = 0xc0a8d40900000000
>>>   Processing the authorize section of radiusd.conf
>>> modcall: entering group authorize for request 0
>>> Invalid operator for item Suffix: reverting to '=='
>>> Invalid operator for item Suffix: reverting to '=='
>>> Invalid operator for item Suffix: reverting to '=='
>>> Invalid operator for item Suffix: reverting to '=='
>>> Invalid operator for item Suffix: reverting to '=='
>>> Invalid operator for item Suffix: reverting to '=='
>>> Invalid operator for item Suffix: reverting to '=='
>>> Invalid operator for item Suffix: reverting to '=='
>>>   hints: Matched DEFAULT at 82
>>>   modcall[authorize]: module "preprocess" returns ok for request 0
>>>   modcall[authorize]: module "chap" returns noop for request 0
>>>   modcall[authorize]: module "mschap" returns noop for request 0
>>>     rlm_digest: Converting Digest-Attributes to something sane...
>>>         Digest-User-Name = "5001"
>>>         Digest-Realm = "vdc.com.vn"
>>>         Digest-Nonce = "442b360523cece6362803c97fa7fb10b37680cd8"
>>>         Digest-URI = "sip:vdc.com.vn"
>>>         Digest-Method = "REGISTER"
>>> rlm_digest: Adding Auth-Type = DIGEST
>>>   modcall[authorize]: module "digest" returns ok for request 0
>>>     rlm_realm: No '@' <mailto:%27@%27> in User-Name = "5001", 
>>> looking up realm NULL
>>>     rlm_realm: No such realm "NULL"
>>>   modcall[authorize]: module "suffix" returns noop for request 0
>>> radius_xlat:  '5001'
>>> rlm_sql (sql): sql_set_user escaped user --> '5001'
>>> radius_xlat:  'SELECT 1 as id,'5001' as UserName,'User-Password' as 
>>> Attribute,subscriber_password as Value,'==' as op FROM subscribers 
>>> WHERE subscriber_username = '5001'AND subscriber_status=1'
>>> rlm_sql (sql): Reserving sql socket id: 4
>>> radius_xlat:  ''
>>> radius_xlat:  'SELECT 1 as id,'5001' as UserName,'Session-Timeout' 
>>> as Attribute,getSessionTime('5001','')as Value,'=' as op FROM dual'
>>> radius_xlat:  ''
>>> rlm_sql (sql): Released sql socket id: 4
>>>   modcall[authorize]: module "sql" returns ok for request 0
>>> modcall: group authorize returns ok for request 0
>>>   rad_check_password:  Found Auth-Type DIGEST
>>> auth: type "digest"
>>>   Processing the authenticate section of radiusd.conf
>>> modcall: entering group authenticate for request 0
>>> A1 = 5001:vdc.com.vn:test
>>> A2 = REGISTER:sip:vdc.com.vn
>>> H(A1) = 454e15015603bd4bd79faf0c5ddd3346
>>> H(A2) = ac5bd79ed3d6bd2bddcb1cffafbbd09a
>>> KD = 
>>> 454e15015603bd4bd79faf0c5ddd3346:442b360523cece6362803c97fa7fb10b37680cd8:ac5bd79ed3d6bd2bddcb1cffafbbd09a 
>>>
>>> EXPECTED 1c3d532fc6c1c37004c6df6027e6242c
>>> RECEIVED 1c3d532fc6c1c37004c6df6027e6242c
>>>   modcall[authenticate]: module "digest" returns ok for request 0
>>> modcall: group authenticate returns ok for request 0
>>> Login OK: [5001] (from client 192.168.212.9 port 3134307025)
>>> Sending Access-Accept of id 205 to 192.168.212.9:32826
>>>         Session-Timeout = 60
>>> Finished request 0
>>> Going to the next request
>>> --- Walking the entire request list ---
>>> Waking up in 6 seconds...
>>> --- Walking the entire request list ---
>>> Cleaning up request 0 ID 205 with timestamp 442b3adf
>>> Nothing to do.  Sleeping until we see a request.
>>>  Best regards,
>>> Nguyen
>>> ------------------------------------------------------------------------ 
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at openser.org
>>> http://openser.org/cgi-bin/mailman/listinfo/users
>>>
>>
>
>




More information about the Users mailing list