RLM_PERL Integration Issue

tnt at kalik.co.yu tnt at kalik.co.yu
Wed Jul 18 15:04:59 CEST 2007


Perhaps you need to return some SIP attributes.

Ivan Kalik
Kalik Informatika ISP


On 18/7/2007, "FreeRadius-ML" <freeradius at zap2link.com> wrote:

>Hi Alan,
>
>  Ok, I managed to solve the dual request thingy, apparently that was caused by a config on
>the OpenSER server. All requests now are coming out as:
>
>
>rad_recv: Access-Request packet from host 192.168.2.80:34908, id=213, length=232
>        User-Name = "101 at openser.org"
>        Digest-Attributes = 0x0a05313031
>        Digest-Attributes = 0x010d6f70656e7365722e6f7267
>        Digest-Attributes = 0x022a34363961623634663863363039653664303632303135363461336237666137663633383433346462
>        Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
>        Digest-Attributes = 0x030a5245474953544552
>        Digest-Attributes = 0x050661757468
>        Digest-Attributes = 0x090a3030303031303636
>        Digest-Attributes = 0x081237323633376361643532353930373938
>        Digest-Response = "408602140746b6fab2c70881242f7513"
>        Service-Type = IAPP-Register
>        X-Ascend-PW-Lifetime = 0x313031
>        NAS-Port = 5060
>        NAS-IP-Address = 192.168.2.80
>  Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 831
>  modcall[authorize]: module "preprocess" returns ok for request 831
>radius_xlat:  '/usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716'
>rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716
>  modcall[authorize]: module "auth_log" returns ok for request 831
>rlm_digest: Adding Auth-Type = DIGEST
>  modcall[authorize]: module "digest" returns ok for request 831
>    users: Matched entry 101 at openser.org at line 53
>  modcall[authorize]: module "files" returns ok for request 831
>modcall: leaving group authorize (returns ok) for request 831
>  rad_check_password:  Found Auth-Type DIGEST
>auth: type "digest"
>  Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 831
>    rlm_digest: Converting Digest-Attributes to something sane...
>        Digest-User-Name = "101"
>        Digest-Realm = "openser.org"
>        Digest-Nonce = "469ab64f8c609e6d06201564a3b7fa7f638434db"
>        Digest-URI = "sip:192.168.2.80"
>        Digest-Method = "REGISTER"
>        Digest-QOP = "auth"
>        Digest-Nonce-Count = "00001066"
>        Digest-CNonce = "72637cad52590798"
>A1 = 101:openser.org:101
>A2 = REGISTER:sip:192.168.2.80
>H(A1) = f195c177997cee336c919be9279c5703
>H(A2) = 046d0643f281affab19fe62ffc848ab5
>KD = f195c177997cee336c919be9279c5703:469ab64f8c609e6d06201564a3b7fa7f638434db:00001066:72637cad52590798:auth:046d0643f281affab19fe62ffc848ab5
>EXPECTED 408602140746b6fab2c70881242f7513
>RECEIVED 408602140746b6fab2c70881242f7513
>  modcall[authenticate]: module "digest" returns ok for request 831
>modcall: leaving group authenticate (returns ok) for request 831
>Login OK: [101 at openser.org/<no User-Password attribute>] (from client 192.168.2.80 port 5060)
>Sending Access-Accept of id 213 to 192.168.2.80 port 34908
>Finished request 831
>Going to the next request
>Waking up in 6 seconds...
>
>Which, as much as I can tell, indicates that the digest authentication/authorization process had completed correctly,
>and our users had been successfully authed by the Radius Server. Currently, I have an issue indicating that the
>user is actually not registered on the OpenSER server, but I believe that is caused by something else. Unless you have
>some form of pointer tip here...
>
>z2l
>
>----- Original Message -----
>From: "FreeRadius-ML" <freeradius at zap2link.com>
>To: "Alan DeKok" <aland at deployingradius.com>
>Cc: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
>Sent: Wednesday, July 18, 2007 11:26:38 AM (GMT+0200) Asia/Jerusalem
>Subject: Re: RLM_PERL Integration Issue
>
>Hi Alan,
>
>  Ok, I did as you instructed, and I admit that I appear to be getting somewhere.
>The debug log now shows the following:
>
>
>-------------------------------- SNIP -----------------------------------------
>rad_recv: Access-Request packet from host 192.168.2.80:33365, id=47, length=192
>        User-Name = "101 at openser.org"
>        Digest-Attributes = 0x0a05313031
>        Digest-Attributes = 0x010d6f70656e7365722e6f7267
>        Digest-Attributes = 0x022a34363961613063323661386631313165393066336161303533353430393661323631336462343736
>        Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
>        Digest-Attributes = 0x030a5245474953544552
>        Digest-Response = "3f66a7a38c9d6ff05d9d633063085a0c"
>        Service-Type = IAPP-Register
>        X-Ascend-PW-Lifetime = 0x313031
>        NAS-Port = 5060
>        NAS-IP-Address = 192.168.2.80
>  Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 17
>  modcall[authorize]: module "preprocess" returns ok for request 17
>radius_xlat:  '/usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716'
>rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716
>  modcall[authorize]: module "auth_log" returns ok for request 17
>rlm_digest: Adding Auth-Type = DIGEST
>  modcall[authorize]: module "digest" returns ok for request 17
>    users: Matched entry 101 at openser.org at line 54
>  modcall[authorize]: module "files" returns ok for request 17
>modcall: leaving group authorize (returns ok) for request 17
>  rad_check_password:  Found Auth-Type DIGEST
>auth: type "digest"
>  Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 17
>    rlm_digest: Converting Digest-Attributes to something sane...
>        Digest-User-Name = "101"
>        Digest-Realm = "openser.org"
>        Digest-Nonce = "469aa0c26a8f111e90f3aa05354096a2613db476"
>        Digest-URI = "sip:192.168.2.80"
>        Digest-Method = "REGISTER"
>A1 = 101:openser.org:101
>A2 = REGISTER:sip:192.168.2.80
>H(A1) = f195c177997cee336c919be9279c5703
>H(A2) = 046d0643f281affab19fe62ffc848ab5
>KD = f195c177997cee336c919be9279c5703:469aa0c26a8f111e90f3aa05354096a2613db476:046d0643f281affab19fe62ffc848ab5
>EXPECTED 3f66a7a38c9d6ff05d9d633063085a0c
>RECEIVED 3f66a7a38c9d6ff05d9d633063085a0c
>  modcall[authenticate]: module "digest" returns ok for request 17
>modcall: leaving group authenticate (returns ok) for request 17
>Login OK: [101 at openser.org/<no User-Password attribute>] (from client openser-network port 5060)
>Sending Access-Accept of id 47 to 192.168.2.80 port 33365
>Finished request 17
>Going to the next request
>Waking up in 4 seconds...
>rad_recv: Access-Request packet from host 192.168.2.80:33366, id=48, length=67
>        User-Name = "101 at 192.168.2.80"
>        X-Ascend-PPP-VJ-1172 = 0x73757370656e646564
>        Service-Type = Voice
>        NAS-Port = 0
>        NAS-IP-Address = 192.168.2.80
>  Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 18
>  modcall[authorize]: module "preprocess" returns ok for request 18
>radius_xlat:  '/usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716'
>rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716
>  modcall[authorize]: module "auth_log" returns ok for request 18
>  modcall[authorize]: module "digest" returns noop for request 18
>    users: Matched entry 101 at 192.168.2.80 at line 53
>  modcall[authorize]: module "files" returns ok for request 18
>modcall: leaving group authorize (returns ok) for request 18
>auth: type Local
>auth: No User-Password or CHAP-Password attribute in the request
>auth: Failed to validate the user.
>Login incorrect: [101 at 192.168.2.80/<no User-Password attribute>] (from client openser-network port 0)
>Delaying request 18 for 1 seconds
>Finished request 18
>Going to the next request
>Waking up in 4 seconds...
>-------------------------------- SNIP -----------------------------------------
>
>If you were to examine the log, you would see that request number 17 is receiving the
>LOGIN OK, while request 18 is rejected. The silly part here is this, there is only a single
>IP Phone on the network, which is using a single OpenSER server. I'm kinda struck with a
>silly question, where is the second request coming from?
>
>Z2L
>
>
>----- Original Message -----
>From: "Alan DeKok" <aland at deployingradius.com>
>To: freeradius at zap2link.com
>Cc: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
>Sent: Wednesday, July 18, 2007 11:24:19 AM (GMT+0200) Asia/Jerusalem
>Subject: Re: RLM_PERL Integration Issue
>
>FreeRadius-ML wrote:
>>   Now, I'm basically re-learning everything, as the world of OpenSER + FreeRadius is a little new to me,
>> and sometimes frustrates me. The amount of documentation in the configuration files is great, but the lack
>> of updated examples is somewhat annoying. Even Asterisk, which is one of the most undocumented environments
>> in the world, has more configuration examples available.
>
>  The majority of FreeRADIUS installations put users & password into SQL
>or LDAP, and then don't touch it ever again.  For them, the existing
>examples are mostly OK.
>
>  For *complex* scenarios, RADIUS quickly gets more complicated than
>DNS, DHCP, Web servers, and (I suspect) Asterisk.  There just isn't
>enough space in the world to document every configuration that everyone
>needs.
>
>>   In any case, let's go back to what we were discussing. If I understand you correctly, on the FreeRadius side,
>> I only need to enable digest based authentication and authorization, define the user in the users file - and that
>> should be working just fine?
>
>  Yes.  The entire *point* of the default configuration is to have as
>many authentication protocols as possible work... just by defining a
>user and password.  See:
>
>http://deployingradius.com/documents/configuration/pap.html
>
>  When 2.0 is released, defining a username & password will cause the
>following authentication methods to work:
>
>    * PAP
>    * CHAP
>    * MS-CHAP
>    * Digest
>    * EAP-MD5
>    * EAP-MSCHAPv2
>    * Cisco LEAP
>    * PEAP-MSCHAPv2
>    * PEAP-GTC
>    * EAP-TTLS with
>       * PAP
>       * CHAP
>       * MS-CHAP
>       * EAP-MD5
>       * EAP-MSCHAPv2
>
>  Try *that* with any other program: "I added one line in a
>configuration file, and VOIP works, WiFi works, dial-up works, PPPoE
>works, VPNs work, for Apple, Windows, and Linux".  No fighting, no fuss.
>
>  Alan DeKok.
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
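
The rlm_digest steps visible in the quoted debug output (decoding Digest-Attributes, then building A1, A2 and KD) can be reproduced offline to check a capture. This is an added example, not part of the original thread and not FreeRADIUS code; the function names are hypothetical, and the hex values, the password "101" and the expected responses are copied from requests 831 and 17 in the log above.

```python
import hashlib
import hmac

# Sub-attribute numbers seen in the debug log above (type -> decoded name).
SUBATTR = {1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method", 4: "Digest-URI",
           5: "Digest-QOP", 8: "Digest-CNonce", 9: "Digest-Nonce-Count", 10: "Digest-User-Name"}

# Digest-Attributes values copied from requests 831 (qop=auth) and 17 (no qop).
REQ_831 = ["0x0a05313031", "0x010d6f70656e7365722e6f7267",
           "0x022a34363961623634663863363039653664303632303135363461336237666137663633383433346462",
           "0x04127369703a3139322e3136382e322e3830", "0x030a5245474953544552",
           "0x050661757468", "0x090a3030303031303636", "0x081237323633376361643532353930373938"]
REQ_17 = ["0x0a05313031", "0x010d6f70656e7365722e6f7267",
          "0x022a34363961613063323661386631313165393066336161303533353430393661323631336462343736",
          "0x04127369703a3139322e3136382e322e3830", "0x030a5245474953544552"]

def decode_digest_attributes(hex_values):
    """Each value holds TLVs: type (1 byte), length (1 byte, counts the header), data."""
    attrs = {}
    for hv in hex_values:
        raw = bytes.fromhex(hv[2:] if hv.startswith("0x") else hv)
        pos = 0
        while pos < len(raw):
            if len(raw) - pos < 2:
                raise ValueError("truncated sub-attribute header")
            typ, length = raw[pos], raw[pos + 1]
            # Reject lengths that would not advance or would run past the buffer.
            if length < 3 or pos + length > len(raw):
                raise ValueError(f"bad sub-attribute length {length} for type {typ}")
            attrs[SUBATTR.get(typ, f"Unknown-{typ}")] = raw[pos + 2:pos + length].decode("ascii")
            pos += length
    return attrs

def md5_hex(text):
    return hashlib.md5(text.encode("ascii")).hexdigest()

def expected_response(attrs, password):
    """Rebuild the A1, A2 and KD strings the log prints, then hash KD."""
    ha1 = md5_hex(f"{attrs['Digest-User-Name']}:{attrs['Digest-Realm']}:{password}")
    ha2 = md5_hex(f"{attrs['Digest-Method']}:{attrs['Digest-URI']}")
    parts = [ha1, attrs["Digest-Nonce"]]
    if attrs.get("Digest-QOP") == "auth":
        parts += [attrs["Digest-Nonce-Count"], attrs["Digest-CNonce"], "auth"]
    return md5_hex(":".join(parts + [ha2]))

def verify(hex_values, password, received):
    """Constant-time comparison of the recomputed value with Digest-Response."""
    attrs = decode_digest_attributes(hex_values)
    return hmac.compare_digest(expected_response(attrs, password), received.lower())
```

Request 18 in the log carries no Digest-Attributes at all, which is why the digest module returns noop for it and the request falls through to "auth: type Local".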