List: sr-dev
Subject: Re: [Serdev] SER and RADIUS authentication
From: <jaime () umtstrial ! co ! uk>
Date: 2003-07-08 15:40:37
Message-ID: 12753.193.36.79.206.1057678837.squirrel () gk ! umtstrial ! co ! uk
Hello Alexander,
Thanks for the hints you provided in the last email, they have proved to
be useful and finally the RADIUS messages were triggered from the SIP
proxy. I am trying to provide authentication and accounting using SER as
SIP proxy server.
The current configuration triggers a RADIUS Access-Request on every not
authorised SIP REGISTER. However, the server does not seem to like the
RADIUS requests and rejects in all cases.
Here is a snippet of the "users" file configuration on the RADIUS server:
[.....]
jaime   Service-Type := SIP, Auth-Type := SIP
        Digest-Response = "lala",
        SIP-URI-User = "jaime",
        Reply-Message = "Hello, Jaime"

DEFAULT Service-Type := SIP, Auth-Type := SIP
        Reply-Message = "Hello, %u"
[.....]
And a sample of the log file:
[.....]
rad_recv: Access-Request packet from host 127.0.0.1:33400, id=139, length=221
Thread 4 assigned request 3
Waking up in 2 seconds...
Thread 4 handling request 3, (1 handled so far)
User-Name = "jaime@vovida.orange.co.uk"
Digest-Attributes = 0x0a076a61696d65
Digest-Attributes = 0x0115766f766964612e6f72616e67652e636f2e756b
Digest-Attributes = 0x022a33663061653835306662323762633365623036653339393932383734373764343639366632333930
Digest-Attributes = 0x04197369703a766f766964612e6f72616e67652e636f2e756b
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "c9d79d2371eb9737e7a5fc3df4695979"
Service-Type = 15
SIP-URI-User = "jaime"
NAS-IP-Address = 192.168.6.154
NAS-Port = 5060
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm vovida.orange.co.uk for User-Name = "jaime@vovida.orange.co.uk"
rlm_realm: Found realm vovida.orange.co.uk
rlm_realm: Adding Stripped-User-Name = "jaime"
rlm_realm: Proxying request from user jaime to realm vovida.orange.co.uk
rlm_realm: Adding Realm = "vovida.orange.co.uk"
rlm_realm: Authentication realm is LOCAL.
rlm_realm: auth_port is not set. proxy cancelled
modcall[authorize]: module "suffix" returns noop
users: Matched jaime at 99
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type SIP
auth: type "SIP"
auth: Failed to validate the user.
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request
Thread 4 waiting to be assigned a request
--- Walking the entire request list ---
Cleaning up request 2 ID 138 with timestamp 3f0ae72b
Sending Access-Reject of id 139 to 127.0.0.1:33400
Reply-Message = "Hello, Jaime"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 139 with timestamp 3f0ae72f
Nothing to do. Sleeping until we see a request.
[....]
-------------------------------------------
I reckon the problem is in the configuration of the RADIUS server.
Does anyone have a working configuration of SER with FreeRadius? If so,
would it be possible to share any relevant parts of the "users" file?
Thanks and regards,
Jaime
---------------------------------------------------
> On (10.06.03 17:20), jaime@umtstrial.co.uk wrote:
>> Is there anyone with a working configuration example using RADIUS
>> authentication in SER?
>
> yep, there is. We're still in the testing stages, but we have a working
> radius setup.
>
> ser config snippet:
>
> if (!radius_www_authorize("")) {
>     # challenge if none or invalid credentials
>     www_challenge("", "0");
>     break;
> };
>
> (we have a multi-domain setup, so any request gets forwarded to the
> radius server, not only a specific domain).
>
> related ser config parameters:
>
> modparam("auth_radius", "radius_config", "/usr/local/etc/ser/radiusclient.conf")
>
> radiusclient.conf is rather generic. localhost is set as authentication
> & accounting server, "new" standard ports (1811, 1812) used.
> You may want to check if your dictionary file includes the
> Digest & SIP-specific attributes & service types [output from quick
> fgrep]:
>
> # Digest related stuff
> ATTRIBUTE Digest-Response 206 string
> ATTRIBUTE Digest-Attributes 207 binary
> ATTRIBUTE Digest-Realm 1063 string
> ATTRIBUTE Digest-Nonce 1064 string
> ATTRIBUTE Digest-Method 1065 string
> ATTRIBUTE Digest-URI 1066 string
> ATTRIBUTE Digest-QOP 1067 string
> ATTRIBUTE Digest-Algorigthm 1068 string
> ATTRIBUTE Digest-Body-Digest 1069 string
> ATTRIBUTE Digest-Cnonce 1070 string
> ATTRIBUTE Digest-Nonce-Count 1071 string
> ATTRIBUTE Digest-User-Name 1072 string
>
> # SIP attributes from draft-sterman-aaa-sip-00.txt
> ATTRIBUTE SIP-URI-User 208 string
> ATTRIBUTE SIP-Method 209 integer
> ATTRIBUTE SIP-Response-Code 210 integer
> ATTRIBUTE SIP-From-Tag 211 string
> ATTRIBUTE SIP-To-Tag 212 string
> ATTRIBUTE SIP-Cseq 213 string
> ATTRIBUTE SIP-Translated-URI 214 string
> VALUE Service-Type SIP 12
>
> hope that helps.
>
> cheers
>
> axelm
>
> _______________________________________________
> Serdev mailing list
> serdev@lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serdev
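
Added example, not part of the original message and not SER or FreeRADIUS code: a Python decoder for the Digest-Attributes values in the log above, which are type/length/value sub-attributes whose numbers (draft-sterman-aaa-sip) line up with the quoted dictionary as 1062 + n, together with the RFC 2617 response calculation. It lets the operator check offline whether the password configured for an account would produce the Digest-Response the proxy sent; the function and constant names are chosen here for illustration.

```python
import hashlib

# Sub-attribute types inside Digest-Attributes (draft-sterman-aaa-sip).
SUBTYPES = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 5: "QOP",
            6: "Algorithm", 7: "Body-Digest", 8: "CNonce",
            9: "Nonce-Count", 10: "User-Name"}

# Values copied from the Access-Request in the log above.
LOGGED_ATTRS = [
    "0x0a076a61696d65",
    "0x0115766f766964612e6f72616e67652e636f2e756b",
    "0x022a33663061653835306662323762633365623036653339393932383734373764343639366632333930",
    "0x04197369703a766f766964612e6f72616e67652e636f2e756b",
    "0x030a5245474953544552",
]
LOGGED_RESPONSE = "c9d79d2371eb9737e7a5fc3df4695979"

def decode_digest_attributes(hex_values):
    """Parse TLVs: 1-byte type, 1-byte length (header included), ASCII value."""
    fields = {}
    for hv in hex_values:
        raw = bytes.fromhex(hv[2:] if hv.lower().startswith("0x") else hv)
        pos = 0
        while pos < len(raw):
            if len(raw) - pos < 2 or raw[pos + 1] < 2 or pos + raw[pos + 1] > len(raw):
                raise ValueError("malformed sub-attribute at offset %d" % pos)
            stype, slen = raw[pos], raw[pos + 1]
            fields[SUBTYPES.get(stype, "Unknown-%d" % stype)] = \
                raw[pos + 2:pos + slen].decode("ascii")
            pos += slen
    return fields

def md5_hex(text):
    return hashlib.md5(text.encode("ascii")).hexdigest()

def expected_response(fields, password):
    """RFC 2617 request-digest for no qop (as in the log) or qop=auth."""
    ha1 = md5_hex("%s:%s:%s" % (fields["User-Name"], fields["Realm"], password))
    ha2 = md5_hex("%s:%s" % (fields["Method"], fields["URI"]))
    qop = fields.get("QOP")
    if qop is None:
        return md5_hex("%s:%s:%s" % (ha1, fields["Nonce"], ha2))
    if qop != "auth":
        raise NotImplementedError("only no-qop and qop=auth are handled")
    return md5_hex(":".join([ha1, fields["Nonce"], fields["Nonce-Count"],
                             fields["CNonce"], qop, ha2]))

if __name__ == "__main__":
    print(decode_digest_attributes(LOGGED_ATTRS))
```

Comparing `expected_response(fields, password)` with `LOGGED_RESPONSE`, using the password the account is actually provisioned with, shows whether the reject comes from a credential mismatch or from how the server is configured to look the credential up.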