[Users] Radius Authentication failed ?

Daniel-Constantin Mierla daniel at voice-system.ro
Thu Mar 30 15:35:47 CEST 2006


Hello,

please take care of the backward compatibility files, if you are using 
FreeRADIUS. There are two files to configure the clients, "clients.conf" 
(the new one, which is the recommended one to use) and "clients" (obsolete 
but still kept for compatibility).

Cheers,
Daniel

PS. Please keep cc-ing the mailing list so everybody can benefit from the 
answers or come up with solutions.


On 03/30/06 15:27, Nguyen Duc Phi wrote:
> Hello,
>
> I checked the config files on radiusclient and the Radius server again; the shared 
> secret on both server and client is the same. I don't know why they do not 
> agree. Please help me out of this problem. Thanks in advance.
>
> Best regards,
> Nguyen
>
> Here are my config files
>
> Freeradius runs at 192.168.212.10
>
> /usr/local/etc/raddb/clients.conf
>
> client 192.168.212.9 {
> secret  = testing123
> shortname = 192.168.212.9
> }
>
> openser runs at 192.168.212.9
>
> /usr/local/etc/radiusclient-ng/servers
>
> #Server Name or Client/Server pair  Key
> #----------------    ---------------
> #portmaster.elemental.net   hardlyasecret
> #portmaster2.elemental.net       donttellanyone
> 192.168.212.10         testing123
>
>
> ----- Original Message ----- From: "Daniel-Constantin Mierla" 
> <daniel at voice-system.ro>
> To: "Nguyen Duc Phi" <ndphi at vdc.com.vn>; <users at openser.org>
> Sent: Thursday, March 30, 2006 6:36 PM
> Subject: Re: [Users] Radius Authentication failed ?
>
>
>> Hello,
>>
>> here you can find the description of this error:
>>
>> http://docs.hp.com/en/T1428-90025/ch08s02.html
>>
>> Received invalid reply digest from server => Server and client do not 
>> agree on shared secret => Verify the shared secret in the clients 
>> file agrees with the secret configured on the client.
>>
>> I started an OpenSER-Radius tutorial, but due to time constraints it 
>> is not finished yet. Hopefully it will be ready in the next days. I will 
>> post it on the web and announce it on the mailing list.
>>
>> Cheers,
>> Daniel
>>
>>
>>
>> On 03/30/06 14:24, Nguyen Duc Phi wrote:
>>> Thanks for the support. Here is the syslog of radiusclient.
>>>
>>> Mar 30 18:00:49 sipserver openser: rc_check_reply: received invalid 
>>> reply digest from RADIUS server
>>>
>>> ----- Original Message ----- From: "Daniel-Constantin Mierla" 
>>> <daniel at voice-system.ro>
>>> To: "Nguyen Duc Phi" <ndphi at vdc.com.vn>
>>> Cc: <users at openser.org>
>>> Sent: Thursday, March 30, 2006 6:12 PM
>>> Subject: Re: [Users] Radius Authentication failed ?
>>>
>>>
>>>> Have you got any message in syslog coming from the radiusclient-ng 
>>>> library? The FreeRadius server reports ok for authentication.
>>>>
>>>> Cheers,
>>>> Daniel
>>>>
>>>>
>>>> On 03/30/06 05:15, Nguyen Duc Phi wrote:
>>>>> I configured openser to authenticate from Radius. When the softphone registers 
>>>>> to openser, Freeradius responds "Sending Access-Accept" but 
>>>>> openser reports "ERROR:auth_radius:radius_authorize_sterman: 
>>>>> rc_auth failed", so the softphone is not registered. I searched for this title 
>>>>> on Google and found it on the "*OpenSER Users Mailing List*", but I didn't find 
>>>>> a solution to fix the problem. Could someone help me fix this problem?
>>>>>  Here is the list of product versions I used.
>>>>> openser-1.0.1
>>>>> OS : CentOS-4 x86_64
>>>>> radiusclient-ng-0.5.2
>>>>> freeradius-1.0.5
>>>>>  openser show debug :
>>>>>  8(8985) parse_headers: flags=ffffffffffffffff
>>>>>  8(8985) check_via_address(192.168.212.123, 192.168.212.123, 0)
>>>>>  8(8985) DEBUG:destroy_avp_list: destroying list (nil)
>>>>>  8(8985) receive_msg: cleaning up
>>>>>  7(8982) SIP Request:
>>>>>  7(8982)  method:  <REGISTER>
>>>>>  7(8982)  uri:     <sip:vdc.com.vn>
>>>>>  7(8982)  version: <SIP/2.0>
>>>>>  7(8982) parse_headers: flags=2
>>>>>  7(8982) DEBUG: get_hdr_body : content_length=0
>>>>>  7(8982) get_hdr_field: cseq <CSeq>: <2> <REGISTER>
>>>>>  7(8982) DEBUG:parse_to:end of header reached, state=9
>>>>>  7(8982) DEBUG: get_hdr_field: <To> [23]; uri=[sip:5001 at vdc.com.vn]
>>>>>  7(8982) DEBUG: to body [<sip:5001 at vdc.com.vn>
>>>>> ]
>>>>>  7(8982) Found param type 235, <rport> = <n/a>; state=6
>>>>>  7(8982) Found param type 232, <branch> = 
>>>>> <z9hG4bKc0a8d47b0131c9b1442b39c80000367c00000003>; state=16
>>>>>  7(8982) end of header reached, state=5
>>>>>  7(8982) parse_headers: Via found, flags=2
>>>>>  7(8982) parse_headers: this is the first via
>>>>>  7(8982) After parse_msg...
>>>>>  7(8982) preparing to run routing scripts...
>>>>>  7(8982) DEBUG:maxfwd:is_maxfwd_present: value = 70
>>>>>  7(8982) parse_headers: flags=200
>>>>>  7(8982) found end of header
>>>>>  7(8982) find_first_route: No Route headers found
>>>>>  7(8982) loose_route: There is no Route HF
>>>>>  7(8982) grep_sock_info - checking if host==us: 10==9 &&  
>>>>> [vdc.com.vn] == [127.0.0.1]
>>>>>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
>>>>>  7(8982) grep_sock_info - checking if host==us: 10==13 &&  
>>>>> [vdc.com.vn] == [192.168.212.9]
>>>>>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
>>>>>  7(8982) grep_sock_info - checking if host==us: 10==9 &&  
>>>>> [vdc.com.vn] == [127.0.0.1]
>>>>>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
>>>>>  7(8982) grep_sock_info - checking if host==us: 10==13 &&  
>>>>> [vdc.com.vn] == [192.168.212.9]
>>>>>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
>>>>>  7(8982) grep_sock_info - checking if host==us: 10==9 &&  
>>>>> [vdc.com.vn] == [127.0.0.1]
>>>>>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
>>>>>  7(8982) grep_sock_info - checking if host==us: 10==13 &&  
>>>>> [vdc.com.vn] == [192.168.212.9]
>>>>>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
>>>>>  7(8982) grep_sock_info - checking if host==us: 10==9 &&  
>>>>> [vdc.com.vn] == [127.0.0.1]
>>>>>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
>>>>>  7(8982) grep_sock_info - checking if host==us: 10==13 &&  
>>>>> [vdc.com.vn] == [192.168.212.9]
>>>>>  7(8982) grep_sock_info - checking if port 5060 matches port 5060
>>>>>  7(8982) check_nonce(): comparing 
>>>>> [442b360523cece6362803c97fa7fb10b37680cd8] and 
>>>>> [442b360523cece6362803c97fa7fb10b37680cd8]
>>>>>  7(8982) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
>>>>>  7(8982) build_auth_hf(): 'WWW-Authenticate: Digest 
>>>>> realm="vdc.com.vn", nonce="442b360523cece6362803c97fa7fb10b37680cd8"
>>>>> '
>>>>>  7(8982) parse_headers: flags=ffffffffffffffff
>>>>>  7(8982) check_via_address(192.168.212.123, 192.168.212.123, 0)
>>>>>  7(8982) DEBUG:destroy_avp_list: destroying list (nil)
>>>>>  7(8982) receive_msg: cleaning up
>>>>>  Radius show debug:
>>>>>  rad_recv: Access-Request packet from host 192.168.212.9:32826, 
>>>>> id=205, length=203
>>>>>         User-Name = "5001 at vdc.com.vn"
>>>>>         Digest-Attributes = 0x0a0635303031
>>>>>         Digest-Attributes = 0x010c7664632e636f6d2e766e
>>>>>         Digest-Attributes = 
>>>>> 0x022a34343262333630353233636563653633363238303363393766613766623130623337363830636438 
>>>>>
>>>>>         Digest-Attributes = 0x04107369703a7664632e636f6d2e766e
>>>>>         Digest-Attributes = 0x030a5245474953544552
>>>>>         Digest-Response = "1c3d532fc6c1c37004c6df6027e6242c"
>>>>>         Service-Type = 0x0000000f00000000
>>>>>         Sip-Uri-User = "5001"
>>>>>         NAS-Port = 0x000013c400000000
>>>>>         NAS-IP-Address = 0xc0a8d40900000000
>>>>>   Processing the authorize section of radiusd.conf
>>>>> modcall: entering group authorize for request 0
>>>>> Invalid operator for item Suffix: reverting to '=='
>>>>> Invalid operator for item Suffix: reverting to '=='
>>>>> Invalid operator for item Suffix: reverting to '=='
>>>>> Invalid operator for item Suffix: reverting to '=='
>>>>> Invalid operator for item Suffix: reverting to '=='
>>>>> Invalid operator for item Suffix: reverting to '=='
>>>>> Invalid operator for item Suffix: reverting to '=='
>>>>> Invalid operator for item Suffix: reverting to '=='
>>>>>   hints: Matched DEFAULT at 82
>>>>>   modcall[authorize]: module "preprocess" returns ok for request 0
>>>>>   modcall[authorize]: module "chap" returns noop for request 0
>>>>>   modcall[authorize]: module "mschap" returns noop for request 0
>>>>>     rlm_digest: Converting Digest-Attributes to something sane...
>>>>>         Digest-User-Name = "5001"
>>>>>         Digest-Realm = "vdc.com.vn"
>>>>>         Digest-Nonce = "442b360523cece6362803c97fa7fb10b37680cd8"
>>>>>         Digest-URI = "sip:vdc.com.vn"
>>>>>         Digest-Method = "REGISTER"
>>>>> rlm_digest: Adding Auth-Type = DIGEST
>>>>>   modcall[authorize]: module "digest" returns ok for request 0
>>>>>     rlm_realm: No '@' in User-Name = "5001", 
>>>>> looking up realm NULL
>>>>>     rlm_realm: No such realm "NULL"
>>>>>   modcall[authorize]: module "suffix" returns noop for request 0
>>>>> radius_xlat:  '5001'
>>>>> rlm_sql (sql): sql_set_user escaped user --> '5001'
>>>>> radius_xlat:  'SELECT 1 as id,'5001' as UserName,'User-Password' 
>>>>> as Attribute,subscriber_password as Value,'==' as op FROM 
>>>>> subscribers WHERE subscriber_username = '5001'AND 
>>>>> subscriber_status=1'
>>>>> rlm_sql (sql): Reserving sql socket id: 4
>>>>> radius_xlat:  ''
>>>>> radius_xlat:  'SELECT 1 as id,'5001' as UserName,'Session-Timeout' 
>>>>> as Attribute,getSessionTime('5001','')as Value,'=' as op FROM dual'
>>>>> radius_xlat:  ''
>>>>> rlm_sql (sql): Released sql socket id: 4
>>>>>   modcall[authorize]: module "sql" returns ok for request 0
>>>>> modcall: group authorize returns ok for request 0
>>>>>   rad_check_password:  Found Auth-Type DIGEST
>>>>> auth: type "digest"
>>>>>   Processing the authenticate section of radiusd.conf
>>>>> modcall: entering group authenticate for request 0
>>>>> A1 = 5001:vdc.com.vn:test
>>>>> A2 = REGISTER:sip:vdc.com.vn
>>>>> H(A1) = 454e15015603bd4bd79faf0c5ddd3346
>>>>> H(A2) = ac5bd79ed3d6bd2bddcb1cffafbbd09a
>>>>> KD = 
>>>>> 454e15015603bd4bd79faf0c5ddd3346:442b360523cece6362803c97fa7fb10b37680cd8:ac5bd79ed3d6bd2bddcb1cffafbbd09a 
>>>>>
>>>>> EXPECTED 1c3d532fc6c1c37004c6df6027e6242c
>>>>> RECEIVED 1c3d532fc6c1c37004c6df6027e6242c
>>>>>   modcall[authenticate]: module "digest" returns ok for request 0
>>>>> modcall: group authenticate returns ok for request 0
>>>>> Login OK: [5001] (from client 192.168.212.9 port 3134307025)
>>>>> Sending Access-Accept of id 205 to 192.168.212.9:32826
>>>>>         Session-Timeout = 60
>>>>> Finished request 0
>>>>> Going to the next request
>>>>> --- Walking the entire request list ---
>>>>> Waking up in 6 seconds...
>>>>> --- Walking the entire request list ---
>>>>> Cleaning up request 0 ID 205 with timestamp 442b3adf
>>>>> Nothing to do.  Sleeping until we see a request.
>>>>>  Best regards,
>>>>> Nguyen
>
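
Added example, not part of the original thread and not radiusclient-ng or FreeRADIUS code: a sketch of the RFC 2865 Response Authenticator check behind "received invalid reply digest", showing why the server can log "Sending Access-Accept" while the client rejects the same reply when the two sides hold different secrets. The request authenticator bytes and the second secret are constructed; id 205, Session-Timeout = 60 and testing123 come from the logs quoted above.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2                                  # RADIUS code, RFC 2865
REQUEST_AUTH = bytes(range(16))                    # constructed 16-byte Request Authenticator
SESSION_TIMEOUT_60 = struct.pack("!BBI", 27, 6, 60)  # attribute 27, Session-Timeout = 60
OTHER_SECRET = b"legacy-clients-secret"            # hypothetical value from a stale "clients" file


def build_reply(code, ident, request_auth, attributes, secret):
    """Server side: sign the reply with MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    digest = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + digest + attributes


def check_reply(packet, request_auth, secret):
    """Client side: recompute the digest with the local secret and compare."""
    if len(packet) < 20:
        return False                               # shorter than a RADIUS header
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False                               # malformed Length field
    received = packet[4:20]
    attributes = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attributes + secret).digest()
    return hmac.compare_digest(received, expected)


def demo():
    """Return (client accepts with matching secret, client accepts with mismatch)."""
    # The server signs with whatever secret it resolved for this client.
    reply = build_reply(ACCESS_ACCEPT, 205, REQUEST_AUTH, SESSION_TIMEOUT_60, OTHER_SECRET)
    matching = check_reply(reply, REQUEST_AUTH, OTHER_SECRET)
    # The client verifies with the secret from its own "servers" file.
    mismatched = check_reply(reply, REQUEST_AUTH, b"testing123")
    return matching, mismatched


if __name__ == "__main__":
    print(demo())
```

The server never sees the client's verdict, so its debug log shows a successful login either way; the mismatch only surfaces in the client's syslog.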



