* I have installed FreeRadius 1.1.0 as an authentication server for our sip *>* proxy, I am using MSN messenger and some other sip phone to test. *>* everything in my database is ok and I receive access packet by the sip *>* phones except MSN messenger , when I am using MSN mesenger , I receive *>* reject packet.
dear Alan I changed the version of freeradius to 1.1.1 and we kept the last radiusd.conf file from 1.0.5 version unchanged. Belove you can see the excerpt of radiusd.conf file expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { exec expr } authorize { # preprocess # auth_log # attr_filter # chap # mschap digest # eap sql } authenticate { # Auth-Type PAP { # pap # } # Auth-Type CHAP { # chap # } # Auth-Type MS-CHAP { # mschap # } digest # unix # eap } =============================================================== When I test the server with some open source sip phones, everything is ok but when I want to test following user with MSN messenger , reject packet was received : user = server2_user1 password = test URI =user@testrealm.icii.com Method = REGISTER Algorithm = "MD5" Here it is the dubug of freeradius for this packet : rad_recv: Access-Request packet from host 10.10.1.3:2309, id=242, length=200 NAS-Identifier = "testrealm" Digest-Attributes = 0x030a5245474953544552 Digest-Attributes = 0x0a0f736572766572325f7573657231 Digest-Attributes = 0x02226530663765326631373633376638323638316463323461396262363264643637 Digest-Attributes = 0x06054d4435 User-Name = "server2_user1" Digest-Attributes = 0x04187369703a746573747265616c6d2e696369692e636f6d Digest-Response = "5f0fc8449eb607379d80ad34a83fe512" Digest-Attributes = 0x0114746573747265616c6d2e696369692e636f6d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 rlm_digest: Adding Auth-Type = DIGEST modcall[authorize]: module "digest" returns ok for request 0 radius_xlat: 'server2_user1' rlm_sql (sql): sql_set_user escaped user --> 'server2_user1' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'server2_user1' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName, radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'server2_user1' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'server2_user1' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName, radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type DIGEST auth: type "digest" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_digest: Converting Digest-Attributes to something sane... Digest-Method = "REGISTER" Digest-User-Name = "server2_user1" Digest-Nonce = "e0f7e2f17637f82681dc24a9bb62dd67" Digest-Algorithm = "MD5" Digest-URI = "sip:testrealm.icii.com" Digest-Realm = "testrealm.icii.com" A1 = server2_user1:testrealm.icii.com:test A2 = REGISTER:sip:testrealm.icii.com KD = 590b483ad6e6df65edb1826f5404e3a5:e0f7e2f17637f82681dc24a9bb62dd67:684a8ca612e13a06c419dc89351ac183 rlm_digest: FAILED authentication modcall[authenticate]: module "digest" returns reject for request 0 modcall: leaving group authenticate (returns reject) for request 0 auth: Failed to validate the user. ======================================================= Now let's look at a correct authentication that was sent by open source sip phone. rad_recv: Access-Request packet from host 10.10.1.3:2773, id=22, length=200 NAS-Identifier = "testrealm" Digest-Attributes = 0x030a5245474953544552 Digest-Attributes = 0x0a0f736572766572325f7573657231 Digest-Attributes = 0x02226562376234336638333032613234656261343338313533366338346334393335 Digest-Attributes = 0x06054d4435 User-Name = "server2_user1" Digest-Attributes = 0x04187369703a746573747265616c6d2e696369692e636f6d Digest-Response = "d1b993f54dc5e242c4b67389188db5dd" Digest-Attributes = 0x0114746573747265616c6d2e696369692e636f6d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 36 rlm_digest: Adding Auth-Type = DIGEST modcall[authorize]: module "digest" returns ok for request 36 radius_xlat: 'server2_user1' rlm_sql (sql): sql_set_user escaped user --> 'server2_user1' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'server2_user1' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 3 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName, radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'server2_user1' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'server2_user1' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName, radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'server2_user1' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 3 modcall[authorize]: module "sql" returns ok for request 36 modcall: leaving group authorize (returns ok) for request 36 rad_check_password: Found Auth-Type DIGEST auth: type "digest" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 36 rlm_digest: Converting Digest-Attributes to something sane... Digest-Method = "REGISTER" Digest-User-Name = "server2_user1" Digest-Nonce = "eb7b43f8302a24eba4381536c84c4935" Digest-Algorithm = "MD5" Digest-URI = "sip:testrealm.icii.com" Digest-Realm = "testrealm.icii.com" A1 = server2_user1:testrealm.icii.com:test A2 = REGISTER:sip:testrealm.icii.com KD = 590b483ad6e6df65edb1826f5404e3a5:eb7b43f8302a24eba4381536c84c4935:684a8ca612e13a06c419dc89351ac183 modcall[authenticate]: module "digest" returns ok for request 36 modcall: leaving group authenticate (returns ok) for request 36 Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 36 rlm_sql (sql): Processing sql_postauth radius_xlat: 'server2_user1' rlm_sql (sql): sql_set_user escaped user --> 'server2_user1' radius_xlat: 'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'server2_user1', 'Chap-Password', 'Access-Accept', NOW())' rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'server2_user1', 'Chap-Password', 'Access-Accept', NOW()) rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 modcall[post-auth]: module "sql" returns ok for request 36 modcall: leaving group post-auth (returns ok) for request 36 Sending Access-Accept of id 22 to 10.10.1.3 port 2773 * Run the server in debugging mode to see what's going wrong. Also, you might try using version 1.1.1, which has updates to the digest module. Alan DeKok. -- S.A.A