[OpenSER-Users] Radius integration issue

OpenSER ML openser at zap2link.com
Wed Jul 18 13:21:32 CEST 2007


Hi Dan,

  I modified my config to use a realm called sip.greenfieldtech.net, but the situation is unchanged.
Here is the config file:

#
# $Id$
#
# OpenSER 1.2 configuration: Digest authentication, group membership and
# per-user AVPs are all served by a RADIUS backend (auth_radius,
# group_radius, avp_radius). RADIUS accounting is loaded but its
# parameters are commented out below, so it is currently inactive.
#

# ------------------------ global parameters -------------------------

# Verbose, foreground, stderr logging: a debugging setup, not a
# production one.
debug=9             # same as -dddddddddd on the command line
fork=no
log_stderror=yes    # same as -E

check_via=no        # -v
dns=no              # -r
rev_dns=no          # -R
port=5060
children=4
listen=udp:192.168.2.80
#alias="openser.org"

#fifo="/tmp/openser_fifo"

# --------------------------- module loading -------------------------
mpath="/usr/local/lib/openser/modules"

loadmodule "mysql.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "avpops.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "xlog.so"
loadmodule "uri.so"
loadmodule "acc.so"
loadmodule "auth.so"
loadmodule "auth_radius.so"
loadmodule "group_radius.so"
loadmodule "avp_radius.so"

# ------------------------- module parameters ------------------------

# -- usrloc --
# The db_url is commented out while db_mode is left at 2; confirm that
# usrloc is really meant to run without a database here (a DB-backed
# mode with no URL may fall back to the module default).
#modparam("usrloc","db_url","mysql://openser:openserrw@localhost/openser")
modparam("usrloc", "db_mode", 2)
modparam("usrloc", "use_domain", 1)

# -- acc --
# All accounting parameters are disabled. Note that the main route still
# sets flags 1 and 2 on initial INVITEs; with radius_flag/log_flag unset
# those flags have no effect.
#modparam("acc", "radius_flag", 1)
#modparam("acc", "radius_missed_flag", 2)
#modparam("acc", "log_flag", 1)
#modparam("acc", "log_missed_flag", 1)
#modparam("acc", "service_type", 15)
#modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp")

# -- RADIUS client settings shared by all three RADIUS modules --
# radiusclient.conf holds the server address and shared secret; keep it
# readable only by the user openser runs as.
modparam("auth_radius|group_radius|avp_radius", "radius_config","/etc/radiusclient/radiusclient.conf")

# -- group_radius --
# Group lookups use the bare username (no domain), whereas usrloc keys
# on user@domain (use_domain=1 above) -- intentional? Worth confirming.
modparam("group_radius", "use_domain", 0)

# -- avpops --
# Aliases used by the (currently disabled) time-of-day filter in the
# main route.
avp_aliases="day=i:101;time=i:102"

# -- rr --
# Put a value on the ;lr parameter for UAs that cannot parse a bare one.
modparam("rr", "enable_full_lr", 1)

# -------------------------  request routing logic -------------------

# main routing logic

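route{

    # ---- sanity checks: loop protection and an upper bound on size ----
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        exit;
    };

    if (msg:len >=  2048 ) {
        sl_send_reply("513", "Message too big");
        exit;
    };

    # ---- suspended accounts (disabled) ----
    # Group membership is looked up over RADIUS by group_radius.
    #if(is_method("REGISTER|INVITE|MESSAGE|OPTIONS|SUBSCRIBE"))
    #{
    #    if (radius_is_user_in("From", "suspended")) {
    #        sl_send_reply("403", "Forbidden - suspended");
    #        exit;
    #    };
    #};

    # ---- record-route everything except REGISTER ----
    # Keeps in-dialog requests flowing through this proxy, which matters
    # when the two sides use different transports.
    if (!method=="REGISTER")
        record_route();

    # ---- in-dialog requests: follow the Route set built above ----
    if (loose_route()) {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        if(is_method("BYE"))
        { # accounting for BYE is disabled (acc params are commented out)
            #acc_rad_request("200 ok");
            #acc_log_request("200 ok");
        }
        route(1);
    };

    # ---- accounting flags on initial INVITEs ----
    # NOTE: the acc modparams (radius_flag/log_flag) are commented out in
    # the module section, so these flags currently trigger no accounting.
    if(is_method("INVITE") && !has_totag())
    {
        setflag(1);
        setflag(2);
    };

    # ---- requests for foreign domains ----
    # SECURITY NOTE: radius_is_user_in("From", ...) authorizes on the From
    # header, but nothing in this script authenticates it -- there is no
    # radius_proxy_authorize()/proxy_challenge() anywhere -- so a caller
    # can claim any "voip" user's identity simply by setting From. Methods
    # other than INVITE/MESSAGE are relayed to arbitrary domains with no
    # check at all. Before trusting From, challenge initial requests from
    # local users, e.g.
    #   if (!radius_proxy_authorize("sip.greenfieldtech.net")) {
    #       proxy_challenge("sip.greenfieldtech.net", "1");
    #       exit;
    #   };
    if (!uri==myself) {
        if(is_method("INVITE|MESSAGE")) {
            if (!radius_is_user_in("From", "voip")) {
                sl_send_reply("403", "Forbidden VoIP");
                exit;
            };
        };
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        route(1);
    };

    # ---- requests for our own domain ----
    if (uri==myself) {

        # REGISTER: challenge until valid Digest credentials are presented.
        # The realm passed here must be the same one used in the challenge,
        # otherwise the phone's response is computed against a different
        # realm than RADIUS verifies.
        if (method=="REGISTER") {
            if (!radius_www_authorize("sip.greenfieldtech.net")) {
                www_challenge("sip.greenfieldtech.net", "1");
                exit;
            };
            # FIX: the previous version called radius_www_authorize() a
            # second time here and, on success, replied "200 ok" and
            # exited. save() below was therefore never reached and the
            # contact was never stored -- the phone authenticates but does
            # not register. The repeat call also re-sent the same Digest
            # credentials to RADIUS, which a nonce/replay check may reject.
            # save() sends the 200 OK itself, so just fall through to it.

            # optional: pin the registration to a source IP carried in an
            # AVP loaded from RADIUS (disabled)
            #if(!avp_check("$avp(i:2)", "eq/$src_ip/ig"))
            #{
            #    sl_send_reply("403", "Forbidden IP");
            #    exit;
            #};

            save("location");
            exit;
        };

        # PSTN-bound calls (00 + country code): gate on "pstn" membership.
        # Same caveat as above -- From is unauthenticated, so this gate on
        # its own does not stop toll fraud.
        if(uri=~"sip:00[1-9][0-9]+@") {
            if(is_method("INVITE") && !has_totag()) {
                if (!radius_is_user_in("From", "pstn")) {
                    sl_send_reply("403", "Forbidden PSTN");
                    exit;
                };
            };
            # set gateway address
            rewritehostport("10.10.10.10:5090");
            route(1);
        };

        # load callee's AVPs from RADIUS; the time-of-day filter that
        # would consume them is disabled
        if(avp_load_radius("callee"))
        {
            # check if user has time filter enabled
            #if(avp_check($avp("i:3"), $avp("eq/i:1")))
            #{
                # print time in an avp
            #    avp_printf("i:100", "$Tf");
                # extract day
            #    avp_subst("i:100/i:101", "/(.{3}) .+/*\1*/");
            #    if(!avp_check("i:6", "fm/$day")) {
            #        sl_send_reply("403", "Forbidden - day");
            #        exit;
            #    };
            #    # extract 'hours:minutes'
            #    avp_subst("i:100/i:102", "/(.{10}) (.{5}):.+/\2/");
            #    if((is_avp_set("i:4") && avp_check("i:4", "gt/$time"))
            #    || (is_avp_set("i:5") && avp_check("i:5", "lt/$time"))) {
            #        sl_send_reply("403", "Forbidden - time");
            #        exit;
            #    };
            #};
        };

        # local subscribers: resolve the contact from the usrloc table
        if (!lookup("location")) {
            # missed-call accounting is disabled
            #acc_rad_request("404 Not Found");
            #acc_log_request("404 Not Found");
            sl_send_reply("404", "Not Found");
            exit;
        };
        append_hf("P-hint: usrloc applied\r\n");
    };

    route(1);
}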

# generic forward
route[1] {
    # Stateful relay through tm: works even when one leg is UDP and the
    # other TCP. If tm could not create the transaction, answer with the
    # error it recorded.
    if (!t_relay())
        sl_reply_error();
    exit;
}
#

Version is 1.2.1

Z2L
----- Original Message -----
From: "Dan-Cristian Bogos" <dan.bogos at gmail.com>
To: openser at zap2link.com
Cc: "users" <users at openser.org>
Sent: Wednesday, July 18, 2007 2:02:11 PM (GMT+0200) Asia/Jerusalem
Subject: Re: [OpenSER-Users] Radius integration issue

Can u post your openser configuration + version also? From the debug u
sent it all looks fine except the error.

DanB

On 7/18/07, OpenSER ML <openser at zap2link.com> wrote:
> Hi Dan,
>
>   I am running in debug mode, here is the output of FreeRadius which seems fine to me (note: the -X trace prints the Digest A1 string, which contains the user's cleartext password -- redact it before posting):
>
> rad_recv: Access-Request packet from host 192.168.2.80:35223, id=250, length=232
>         User-Name = "101 at openser.org"
>         Digest-Attributes = 0x0a05313031
>         Digest-Attributes = 0x010d6f70656e7365722e6f7267
>         Digest-Attributes = 0x022a34363961626230616465333832613934646432333533636264663264666438336231353933663564
>         Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
>         Digest-Attributes = 0x030a5245474953544552
>         Digest-Attributes = 0x050661757468
>         Digest-Attributes = 0x090a3030303030303930
>         Digest-Attributes = 0x081235343038316466316439623562383564
>         Digest-Response = "d3ff78d09d9b2cefdce0c975b3c6fd26"
>         Service-Type = IAPP-Register
>         X-Ascend-PW-Lifetime = 0x313031
>         NAS-Port = 5060
>         NAS-IP-Address = 192.168.2.80
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1124
>   modcall[authorize]: module "preprocess" returns ok for request 1124
> radius_xlat:  '/usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716'
> rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716
>   modcall[authorize]: module "auth_log" returns ok for request 1124
> rlm_digest: Adding Auth-Type = DIGEST
>   modcall[authorize]: module "digest" returns ok for request 1124
>     users: Matched entry 101 at openser.org at line 53
>   modcall[authorize]: module "files" returns ok for request 1124
> modcall: leaving group authorize (returns ok) for request 1124
>   rad_check_password:  Found Auth-Type DIGEST
> auth: type "digest"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1124
>     rlm_digest: Converting Digest-Attributes to something sane...
>         Digest-User-Name = "101"
>         Digest-Realm = "openser.org"
>         Digest-Nonce = "469abb0ade382a94dd2353cbdf2dfd83b1593f5d"
>         Digest-URI = "sip:192.168.2.80"
>         Digest-Method = "REGISTER"
>         Digest-QOP = "auth"
>         Digest-Nonce-Count = "00000090"
>         Digest-CNonce = "54081df1d9b5b85d"
> A1 = 101:openser.org:101
> A2 = REGISTER:sip:192.168.2.80
> H(A1) = f195c177997cee336c919be9279c5703
> H(A2) = 046d0643f281affab19fe62ffc848ab5
> KD = f195c177997cee336c919be9279c5703:469abb0ade382a94dd2353cbdf2dfd83b1593f5d:00000090:54081df1d9b5b85d:auth:046d0643f281affab19fe62ffc848ab5
> EXPECTED d3ff78d09d9b2cefdce0c975b3c6fd26
> RECEIVED d3ff78d09d9b2cefdce0c975b3c6fd26
>   modcall[authenticate]: module "digest" returns ok for request 1124
> modcall: leaving group authenticate (returns ok) for request 1124
> Login OK: [101 at openser.org/<no User-Password attribute>] (from client 192.168.2.80 port 5060)
> Sending Access-Accept of id 250 to 192.168.2.80 port 35223
> Finished request 1124
> Going to the next request
> Waking up in 6 seconds...
>
>
> Z2L
> ----- Original Message -----
> From: "Dan-Cristian Bogos" <dan.bogos at gmail.com>
> To: openser at zap2link.com
> Sent: Wednesday, July 18, 2007 1:53:14 PM (GMT+0200) Asia/Jerusalem
> Subject: Re: [OpenSER-Users] Radius integration issue
>
> Hi,
>
> try running FreeRADIUS in debug mode, this will tell u more info
> regarding the cause of failure.
> To run FreeRADIUS in debug start it with -X option.
>
> Let us know about the results.
>
> Cheers,
> DanB
>
> On 7/18/07, OpenSER ML <openser at zap2link.com> wrote:
> > Hi All,
> >
> >   I'm trying to connect OpenSER with FreeRadius. I've managed to get the digest authentication
> > going correctly, having the Radius respond with LOGIN OK for the requests that are in the users file. However, although the authentication process appears to succeed, the IP phone doesn't register to the OpenSER server.
> >
> >   The following can be seen in the debug:
> >
> >  0(17821) SIP Request:
> >  0(17821)  method:  <REGISTER>
> >  0(17821)  uri:     <sip:192.168.2.80>
> >  0(17821)  version: <SIP/2.0>
> >  0(17821) parse_headers: flags=2
> >  0(17821) Found param type 232, <branch> = <z9hG4bK4d7202f23b6595fc>; state=16
> >  0(17821) end of header reached, state=5
> >  0(17821) parse_headers: Via found, flags=2
> >  0(17821) parse_headers: this is the first via
> >  0(17821) After parse_msg...
> >  0(17821) preparing to run routing scripts...
> >  0(17821) parse_headers: flags=100
> >  0(17821) DEBUG:parse_to:end of header reached, state=10
> >  0(17821) DBUG:parse_to: display={}, ruri={sip:101 at 192.168.2.80;user=phone}
> >  0(17821) DEBUG: get_hdr_field: <To> [35]; uri=[sip:101 at 192.168.2.80;user=phone]
> >  0(17821) DEBUG: to body [<sip:101 at 192.168.2.80;user=phone>
> > ]
> >  0(17821) get_hdr_field: cseq <CSeq>: <20048> <REGISTER>
> >  0(17821) DEBUG:maxfwd:is_maxfwd_present: value = 70
> >  0(17821) parse_headers: flags=200
> >  0(17821) DEBUG: get_hdr_body : content_length=0
> >  0(17821) found end of header
> >  0(17821) find_first_route: No Route headers found
> >  0(17821) loose_route: There is no Route HF
> >  0(17821) grep_sock_info - checking if host==us: 12==12 &&  [192.168.2.80] == [192.168.2.80]
> >  0(17821) grep_sock_info - checking if port 5060 matches port 5060
> >  0(17821) grep_sock_info - checking if host==us: 12==12 &&  [192.168.2.80] == [192.168.2.80]
> >  0(17821) grep_sock_info - checking if port 5060 matches port 5060
> >  0(17821) check_nonce(): comparing [469aba5f4ff6b78f7b9588ad19fc0ab514e709da] and [469aba5f4ff6b78f7b9588ad19fc0ab514e709da]
> >  0(17821) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
> >  0(17821) build_auth_hf(): 'WWW-Authenticate: Digest realm="openser.org", nonce="469aba5f4ff6b78f7b9588ad19fc0ab514e709da", qop="auth"
> > '
> >  0(17821) parse_headers: flags=ffffffffffffffff
> >  0(17821) check_via_address(192.168.2.101, 192.168.2.101, 0)
> >  0(17821) DEBUG:destroy_avp_list: destroying list (nil)
> >  0(17821) receive_msg: cleaning up
> >
> >   As you can see, the ERROR is raised during the authorization step. I have verified
> > that the shared secret matches on both machines, and everything seems to be in place - any pointers will be highly appreciated.
> >
> > Z2L
> >
> > _______________________________________________
> > Users mailing list
> > Users at openser.org
> > http://openser.org/cgi-bin/mailman/listinfo/users
> >
>
>




