Hi,<br> I have successfully done my authentication and authorization with perl and digest in mixed mode, and it replies with Access-Accept packets from the radius server. But when I tried to call through Asterisk, the server tried to authenticate again and rejected it. The auth type turned into Local again though I put perl and digest. How will the auth type be perl and digest when I call through Asterisk?<br>
<br><i><b>This is the output log after the server authenticates a user:<br></b></i><br>rad_recv: Access-Request packet from host 192.168.1.227 port 32958, id=215, length=259<br> User-Name = "100@192.168.1.227"<br>
Digest-Attributes = "\n\005100"<br> Digest-Attributes = "\001\017192.168.1.227"<br> Digest-Attributes = "\002*4832e5db308756e206b4536810ea3e70cf300c66"<br> Digest-Attributes = "\004\023sip:192.168.1.227"<br>
Digest-Attributes = "\003\nREGISTER"<br> Digest-Response = "805279e87b5ef1a7bc640350165079ff"<br> Service-Type = SIP<br> Sip-URI-User = "100"<br> Cisco-AVPair = "call-id=cceb5fc15db4417d807cbb56871a533d@192.168.1.193"<br>
NAS-IP-Address = 127.0.0.1<br> NAS-Port = 5060<br>+- entering group authorize<br>++[preprocess] returns ok<br>perl_pool: item 0x98c2a88 asigned new request. Handled so far: 1<br>
found interpetator at address 0x98c2a88<br>rlm_perl: Added pair Digest-Response = 805279e87b5ef1a7bc640350165079ff<br>rlm_perl: Added pair Service-Type = SIP<br>rlm_perl: Added pair Cisco-AVPair = call-id=cceb5fc15db4417d807cbb56871a533d@192.168.1.193<br>
rlm_perl: Added pair User-Name = 100@192.168.1.227<br>rlm_perl: Added pair Sip-URI-User = 100<br>rlm_perl: Added pair NAS-IP-Address = 127.0.0.1<br>rlm_perl: Added pair NAS-Port = 5060<br>
rlm_perl: Added pair Digest-Attributes = \n\005100<br>rlm_perl: Added pair Digest-Attributes = \001\017192.168.1.227<br>rlm_perl: Added pair Digest-Attributes = \002*4832e5db308756e206b4536810ea3e70cf300c66<br>rlm_perl: Added pair Digest-Attributes = \004\023sip:192.168.1.227<br>
rlm_perl: Added pair Digest-Attributes = \003\nREGISTER<br>rlm_perl: Added pair Cleartext-Password = 100<br>perl_pool total/active/spare [32/0/32]<br>Unreserve perl at address 0x98c2a88<br>++[perl] returns ok<br>rlm_digest: Adding Auth-Type = DIGEST<br>
++[digest] returns ok<br> rlm_realm: Looking up realm "192.168.1.227" for User-Name = "100@192.168.1.227"<br> rlm_realm: No such realm "192.168.1.227"<br>
++[suffix] returns noop<br> rlm_eap: No EAP-Message, not doing EAP<br>++[eap] returns noop<br>++[files] returns noop<br>++[expiration] returns noop<br>++[logintime] returns noop<br> rad_check_password: Found Auth-Type DIGEST<br>
auth: type "digest"<br>+- entering group authenticate<br> rlm_digest: Converting Digest-Attributes to something sane...<br> Digest-User-Name = "100"<br> Digest-Realm = "192.168.1.227"<br>
Digest-Nonce = "4832e5db308756e206b4536810ea3e70cf300c66"<br> Digest-URI = "sip:192.168.1.227"<br> Digest-Method = "REGISTER"<br>A1 = 100:192.168.1.227:100<br>
A2 = REGISTER:sip:192.168.1.227<br>H(A1) = fc0ea6eaea4a4b50ad280e803f4bd6a2<br>H(A2) = fbf27b090821dd0f71c0a0dda09e5e8e<br>KD = fc0ea6eaea4a4b50ad280e803f4bd6a2:4832e5db308756e206b4536810ea3e70cf300c66:fbf27b090821dd0f71c0a0dda09e5e8e<br>
EXPECTED 805279e87b5ef1a7bc640350165079ff<br>RECEIVED 805279e87b5ef1a7bc640350165079ff<br>++[digest] returns ok<br>Login OK: [100@192.168.1.227/&lt;via Auth-Type = DIGEST&gt;] (from client 192.168.1.227 port 5060)<br>
+- entering group post-auth<br>perl_pool: item 0x9997960 asigned new request. Handled so far: 1<br>found interpetator at address 0x9997960<br>rlm_perl: Added pair Digest-User-Name = 100<br>rlm_perl: Added pair Digest-Response = 805279e87b5ef1a7bc640350165079ff<br>
rlm_perl: Added pair Service-Type = SIP<br>rlm_perl: Added pair Digest-URI = sip:192.168.1.227<br>rlm_perl: Added pair Digest-Realm = 192.168.1.227<br>
rlm_perl: Added pair Cisco-AVPair = call-id=cceb5fc15db4417d807cbb56871a533d@192.168.1.193<br>rlm_perl: Added pair Digest-Method = REGISTER<br>rlm_perl: Added pair User-Name = 100@192.168.1.227<br>
rlm_perl: Added pair Sip-URI-User = 100<br>rlm_perl: Added pair Digest-Nonce = 4832e5db308756e206b4536810ea3e70cf300c66<br>rlm_perl: Added pair NAS-IP-Address = 127.0.0.1<br>rlm_perl: Added pair NAS-Port = 5060<br>
rlm_perl: Added pair Digest-Attributes = \n\005100<br>rlm_perl: Added pair Digest-Attributes = \001\017192.168.1.227<br>rlm_perl: Added pair Digest-Attributes = \002*4832e5db308756e206b4536810ea3e70cf300c66<br>rlm_perl: Added pair Digest-Attributes = \004\023sip:192.168.1.227<br>
rlm_perl: Added pair Digest-Attributes = \003\nREGISTER<br>rlm_perl: Added pair Cleartext-Password = 100<br>rlm_perl: Added pair Auth-Type = digest<br>perl_pool total/active/spare [32/0/32]<br>Unreserve perl at address 0x9997960<br>
++[perl] returns ok<br>Sending Access-Accept of id 215 to 192.168.1.227 port 32958<br>Finished request 1.<br>Going to the next request<br>Waking up in 4.9 seconds.<br>Cleaning up request 0 ID 214 with timestamp +5<br>
Cleaning up request 1 ID 215 with timestamp +5<br>Ready to process requests.<br><br><i><b>This is the output log after the server rejects a user when it is called through Asterisk:<br><br></b></i>rad_recv: Access-Request packet from host 192.168.1.227 port 33036, id=222, length=104<br>
Called-Station-Id = "200"<br> Calling-Station-Id = "100"<br> User-Name = "100"<br> User-Password = "\034]W\242\237\233\312s6\210Sx\241\345pl"<br> NAS-Identifier = "Asterisk"<br>
h323-conf-id = "1211297773.35"<br> NAS-IP-Address = 192.168.1.227<br> NAS-Port = 5071<br>+- entering group authorize<br>++[preprocess] returns ok<br>perl_pool: item 0x9cc2358 asigned new request. Handled so far: 1<br>
found interpetator at address 0x9cc2358<br>rlm_perl: Added pair Calling-Station-Id = 100<br>rlm_perl: Added pair Called-Station-Id = 200<br>rlm_perl: Added pair User-Name = 100<br>rlm_perl: Added pair User-Password = \034]W\242\237\233\312s6\210Sx\241\345pl<br>
rlm_perl: Added pair NAS-Identifier = Asterisk<br>rlm_perl: Added pair h323-conf-id = 1211297773.35<br>rlm_perl: Added pair NAS-IP-Address = 192.168.1.227<br>rlm_perl: Added pair NAS-Port = 5071<br>
rlm_perl: Added pair Cleartext-Password = 100<br>perl_pool total/active/spare [32/0/32]<br>Unreserve perl at address 0x9cc2358<br>++[perl] returns ok<br>++[digest] returns noop<br> rlm_realm: No '@' in User-Name = "100", looking up realm NULL<br>
rlm_realm: No such realm "NULL"<br>++[suffix] returns noop<br> rlm_eap: No EAP-Message, not doing EAP<br>++[eap] returns noop<br>++[files] returns noop<br>++[expiration] returns noop<br>++[logintime] returns noop<br>
auth: type Local<br>auth: user supplied User-Password does NOT match local User-Password<br>auth: Failed to validate the user.<br>Login incorrect: [100/\034]W\242\237\233\312s6\210Sx\241\345pl] (from client 192.168.1.227 port 5071 cli 100)<br>
Found Post-Auth-Type Reject<br>+- entering group REJECT<br> expand: %{User-Name} -> 100<br> attr_filter: Matched entry DEFAULT at line 11<br>++[attr_filter.access_reject] returns updated<br>Delaying reject of request 2 for 1 seconds<br>
Going to the next request<br>Waking up in 0.9 seconds.<br>Sending delayed reject for request 2<br>Sending Access-Reject of id 222 to 192.168.1.227 port 33036<br>Waking up in 4.9 seconds.<br>
Cleaning up request 2 ID 222 with timestamp +768<br>Ready to process requests.<br><br><br>with regards,<br>Elangbam Johnson<br>
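<br>The digest check that the first log walks through, as an added example (not part of the original post and not FreeRADIUS code): it decodes the Digest-Attributes values of the REGISTER request and recomputes the response from A1, A2 and the nonce. The function names are hypothetical, the sub-attribute numbers are read off the log's own conversion, and `can_use_digest` reflects only what the two logs show: the Asterisk request carries User-Password and no Digest-* attributes, and digest returns noop for it.

```python
import hashlib

# Sub-attribute types inside Digest-Attributes, as the log's conversion shows:
# 1 realm, 2 nonce, 3 method, 4 URI, 10 user name.
SUBTYPES = {1: "realm", 2: "nonce", 3: "method", 4: "uri", 10: "user"}

# Constructed from the first Access-Request in the post (octal escapes as logged).
REGISTER_REQUEST = [
    b"\n\005100",
    b"\001\017192.168.1.227",
    b"\002*4832e5db308756e206b4536810ea3e70cf300c66",
    b"\004\023sip:192.168.1.227",
    b"\003\nREGISTER",
]
LOGGED_RESPONSE = "805279e87b5ef1a7bc640350165079ff"


def parse_digest_attributes(values):
    """Decode each value as type(1) | length(1, header included) | data."""
    fields = {}
    for raw in values:
        if len(raw) < 2 or raw[1] != len(raw):
            raise ValueError("bad sub-attribute length: %r" % raw)
        name = SUBTYPES.get(raw[0])
        if name is None:
            raise ValueError("unknown sub-attribute type %d" % raw[0])
        fields[name] = raw[2:].decode("ascii")
    return fields


def md5_hex(text):
    return hashlib.md5(text.encode("ascii")).hexdigest()


def expected_response(fields, password):
    """Response without qop, as in the log: H(H(A1):nonce:H(A2))."""
    ha1 = md5_hex("%s:%s:%s" % (fields["user"], fields["realm"], password))
    ha2 = md5_hex("%s:%s" % (fields["method"], fields["uri"]))
    return md5_hex("%s:%s:%s" % (ha1, fields["nonce"], ha2))


def can_use_digest(request):
    """True only when the request carries both Digest-Response and Digest-Attributes."""
    return "Digest-Response" in request and bool(request.get("Digest-Attributes"))


if __name__ == "__main__":
    f = parse_digest_attributes(REGISTER_REQUEST)
    print(f, expected_response(f, "100") == LOGGED_RESPONSE)
```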