RLM_PERL Integration Issue

FreeRadius-ML freeradius at zap2link.com
Wed Jul 18 12:16:58 CEST 2007


Hi Alan,

  Ok, I managed to solve the dual request thingy, apparently that was caused by a config on
the OpenSER server. All requests now are coming out as:


rad_recv: Access-Request packet from host 192.168.2.80:34908, id=213, length=232
        User-Name = "101 at openser.org"
        Digest-Attributes = 0x0a05313031
        Digest-Attributes = 0x010d6f70656e7365722e6f7267
        Digest-Attributes = 0x022a34363961623634663863363039653664303632303135363461336237666137663633383433346462
        Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
        Digest-Attributes = 0x030a5245474953544552
        Digest-Attributes = 0x050661757468
        Digest-Attributes = 0x090a3030303031303636
        Digest-Attributes = 0x081237323633376361643532353930373938
        Digest-Response = "408602140746b6fab2c70881242f7513"
        Service-Type = IAPP-Register
        X-Ascend-PW-Lifetime = 0x313031
        NAS-Port = 5060
        NAS-IP-Address = 192.168.2.80
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 831
  modcall[authorize]: module "preprocess" returns ok for request 831
radius_xlat:  '/usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716'
rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716
  modcall[authorize]: module "auth_log" returns ok for request 831
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module "digest" returns ok for request 831
    users: Matched entry 101 at openser.org at line 53
  modcall[authorize]: module "files" returns ok for request 831
modcall: leaving group authorize (returns ok) for request 831
  rad_check_password:  Found Auth-Type DIGEST
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 831
    rlm_digest: Converting Digest-Attributes to something sane...
        Digest-User-Name = "101"
        Digest-Realm = "openser.org"
        Digest-Nonce = "469ab64f8c609e6d06201564a3b7fa7f638434db"
        Digest-URI = "sip:192.168.2.80"
        Digest-Method = "REGISTER"
        Digest-QOP = "auth"
        Digest-Nonce-Count = "00001066"
        Digest-CNonce = "72637cad52590798"
A1 = 101:openser.org:101
A2 = REGISTER:sip:192.168.2.80
H(A1) = f195c177997cee336c919be9279c5703
H(A2) = 046d0643f281affab19fe62ffc848ab5
KD = f195c177997cee336c919be9279c5703:469ab64f8c609e6d06201564a3b7fa7f638434db:00001066:72637cad52590798:auth:046d0643f281affab19fe62ffc848ab5
EXPECTED 408602140746b6fab2c70881242f7513
RECEIVED 408602140746b6fab2c70881242f7513
  modcall[authenticate]: module "digest" returns ok for request 831
modcall: leaving group authenticate (returns ok) for request 831
Login OK: [101 at openser.org/<no User-Password attribute>] (from client 192.168.2.80 port 5060)
Sending Access-Accept of id 213 to 192.168.2.80 port 34908
Finished request 831
Going to the next request
Waking up in 6 seconds...

Which, as much as I can tell, indicates that the digest authentication/authorization process had completed correctly,
and our users had been successfully authed by the Radius Server. Currently, I have an issue indicating that the
user is actually not registered on the OpenSER server, but I believe that is caused by something else. Unless you have
some form of pointer tip here...

z2l

----- Original Message -----
From: "FreeRadius-ML" <freeradius at zap2link.com>
To: "Alan DeKok" <aland at deployingradius.com>
Cc: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Wednesday, July 18, 2007 11:26:38 AM (GMT+0200) Asia/Jerusalem
Subject: Re: RLM_PERL Integration Issue

Hi Alan,

  Ok, I did as you instructed, and I admit that I appear to be getting somewhere.
The debug log now shows the following:


-------------------------------- SNIP -----------------------------------------
rad_recv: Access-Request packet from host 192.168.2.80:33365, id=47, length=192
        User-Name = "101 at openser.org"
        Digest-Attributes = 0x0a05313031
        Digest-Attributes = 0x010d6f70656e7365722e6f7267
        Digest-Attributes = 0x022a34363961613063323661386631313165393066336161303533353430393661323631336462343736
        Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
        Digest-Attributes = 0x030a5245474953544552
        Digest-Response = "3f66a7a38c9d6ff05d9d633063085a0c"
        Service-Type = IAPP-Register
        X-Ascend-PW-Lifetime = 0x313031
        NAS-Port = 5060
        NAS-IP-Address = 192.168.2.80
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 17
  modcall[authorize]: module "preprocess" returns ok for request 17
radius_xlat:  '/usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716'
rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716
  modcall[authorize]: module "auth_log" returns ok for request 17
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module "digest" returns ok for request 17
    users: Matched entry 101 at openser.org at line 54
  modcall[authorize]: module "files" returns ok for request 17
modcall: leaving group authorize (returns ok) for request 17
  rad_check_password:  Found Auth-Type DIGEST
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 17
    rlm_digest: Converting Digest-Attributes to something sane...
        Digest-User-Name = "101"
        Digest-Realm = "openser.org"
        Digest-Nonce = "469aa0c26a8f111e90f3aa05354096a2613db476"
        Digest-URI = "sip:192.168.2.80"
        Digest-Method = "REGISTER"
A1 = 101:openser.org:101
A2 = REGISTER:sip:192.168.2.80
H(A1) = f195c177997cee336c919be9279c5703
H(A2) = 046d0643f281affab19fe62ffc848ab5
KD = f195c177997cee336c919be9279c5703:469aa0c26a8f111e90f3aa05354096a2613db476:046d0643f281affab19fe62ffc848ab5
EXPECTED 3f66a7a38c9d6ff05d9d633063085a0c
RECEIVED 3f66a7a38c9d6ff05d9d633063085a0c
  modcall[authenticate]: module "digest" returns ok for request 17
modcall: leaving group authenticate (returns ok) for request 17
Login OK: [101 at openser.org/<no User-Password attribute>] (from client openser-network port 5060)
Sending Access-Accept of id 47 to 192.168.2.80 port 33365
Finished request 17
Going to the next request
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 192.168.2.80:33366, id=48, length=67
        User-Name = "101 at 192.168.2.80"
        X-Ascend-PPP-VJ-1172 = 0x73757370656e646564
        Service-Type = Voice
        NAS-Port = 0
        NAS-IP-Address = 192.168.2.80
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 18
  modcall[authorize]: module "preprocess" returns ok for request 18
radius_xlat:  '/usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716'
rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716
  modcall[authorize]: module "auth_log" returns ok for request 18
  modcall[authorize]: module "digest" returns noop for request 18
    users: Matched entry 101 at 192.168.2.80 at line 53
  modcall[authorize]: module "files" returns ok for request 18
modcall: leaving group authorize (returns ok) for request 18
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [101 at 192.168.2.80/<no User-Password attribute>] (from client openser-network port 0)
Delaying request 18 for 1 seconds
Finished request 18
Going to the next request
Waking up in 4 seconds...
-------------------------------- SNIP -----------------------------------------

If you were to examine the log, you would see that request number 17 is receiving the
LOGIN OK, while request 18 is rejected. The silly part here is this: there is only a single
IP Phone on the network, which is using a single OpenSER server. I'm kinda struck with a
silly question: where is the second request coming from?

Z2L
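
Added example, not part of the original thread: a Python recomputation of the EXPECTED value that rlm_digest prints in the two debug logs above (request 831 with qop=auth, request 17 without it), starting from the raw Digest-Attributes hex. The sub-attribute type numbers are inferred from the hex/decoded pairs in those logs, the password "101" is read off the A1 line, and the function names are this example's own.

```python
import hashlib
import hmac

# Sub-attribute type -> name, inferred from the hex and decoded values in the logs.
SUBTYPES = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 5: "QOP",
            8: "CNonce", 9: "Nonce-Count", 10: "User-Name"}

def decode_digest_attributes(hex_values):
    """Each value is type(1) | length(1, header included) | ASCII text."""
    out = {}
    for hv in hex_values:
        raw = bytes.fromhex(hv.removeprefix("0x"))
        if len(raw) < 2 or raw[1] != len(raw) or raw[0] not in SUBTYPES:
            raise ValueError(f"malformed Digest-Attributes value: {hv}")
        out[SUBTYPES[raw[0]]] = raw[2:].decode("ascii")
    return out

def md5_hex(text):
    return hashlib.md5(text.encode("ascii")).hexdigest()

def expected_response(attrs, password):
    """Build A1, A2 and KD the way the log prints them, then hash KD."""
    ha1 = md5_hex(f"{attrs['User-Name']}:{attrs['Realm']}:{password}")
    ha2 = md5_hex(f"{attrs['Method']}:{attrs['URI']}")
    if attrs.get("QOP") == "auth":
        kd = ":".join([ha1, attrs["Nonce"], attrs["Nonce-Count"],
                       attrs["CNonce"], "auth", ha2])
    else:  # no qop in the request: the shorter KD seen in request 17
        kd = ":".join([ha1, attrs["Nonce"], ha2])
    return md5_hex(kd)

def verify(hex_values, received, password):
    """True when the recomputed digest equals Digest-Response."""
    attrs = decode_digest_attributes(hex_values)
    return hmac.compare_digest(expected_response(attrs, password), received)

# Digest-Attributes copied from the two Access-Request dumps in this thread.
COMMON = ["0x0a05313031", "0x010d6f70656e7365722e6f7267",
          "0x04127369703a3139322e3136382e322e3830", "0x030a5245474953544552"]
REQ_831 = COMMON + [
    "0x022a34363961623634663863363039653664303632303135363461336237666137663633383433346462",
    "0x050661757468", "0x090a3030303031303636",
    "0x081237323633376361643532353930373938"]
REQ_17 = COMMON + [
    "0x022a34363961613063323661386631313165393066336161303533353430393661323631336462343736"]
```

Request 18 in the second log carries no Digest-Attributes at all, which is why the digest module returns noop there and the request falls through to "auth: type Local".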


----- Original Message -----
From: "Alan DeKok" <aland at deployingradius.com>
To: freeradius at zap2link.com
Cc: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Wednesday, July 18, 2007 11:24:19 AM (GMT+0200) Asia/Jerusalem
Subject: Re: RLM_PERL Integration Issue

FreeRadius-ML wrote:
>   Now, I'm basically re-learning everything, as the world of OpenSER + FreeRadius is a little new to me,
> and sometimes frustrates me. The amount of documentation in the configuration files is great, but the lack
> of updated examples is somewhat annoying. Even Asterisk, which is one of the most undocumented environments
> in the world, has more configuration examples available.

  The majority of FreeRADIUS installations put users & password into SQL
or LDAP, and then don't touch it ever again.  For them, the existing
examples are mostly OK.

  For *complex* scenarios, RADIUS quickly gets more complicated than
DNS, DHCP, Web servers, and (I suspect) Asterisk.  There just isn't
enough space in the world to document every configuration that everyone
needs.

>   In any case, let's go back to what we were discussing. If I understand you correctly, on the FreeRadius side,
> I only need to enable digest based authentication and authorization, define the user in the users file - and that 
> should be working just fine? 

  Yes.  The entire *point* of the default configuration is to have as
many authentication protocols as possible work... just by defining a
user and password.  See:

http://deployingradius.com/documents/configuration/pap.html

  When 2.0 is released, defining a username & password will cause the
following authentication methods to work:

    * PAP
    * CHAP
    * MS-CHAP
    * Digest
    * EAP-MD5
    * EAP-MSCHAPv2
    * Cisco LEAP
    * PEAP-MSCHAPv2
    * PEAP-GTC
    * EAP-TTLS with
       * PAP
       * CHAP
       * MS-CHAP
       * EAP-MD5
       * EAP-MSCHAPv2

  Try *that* with any other program: "I added one line in a
configuration file, and VOIP works, WiFi works, dial-up works, PPPoE
works, VPNs work, for Apple, Windows, and Linux".  No fighting, no fuss.

  Alan DeKok.
