On Tue, 2007-07-24 at 13:54 +0300, FreeRadius-ML wrote:
Ok,
It would appear that I'm a little silly, due to the way FreeRadius logs the information on the console. I've been debugging the information that I get, and I can see that the Digest-Attributes actually contain the information, in accordance to the following:
The first Digest Attribute is the User-Name, The second Digest Attribute is the Realm, The third Digest Attribute is the nonce, The fourth Digest Attribute is the uri, The fifth Digest Attribute is the SIP-METHOD request.
I didn't realize this in the begining, as it was all HEX dumped, so I couldn't see that I'm actually looking at the information.
Now, my question is this, what is the formula to calculate the digest from all of the above information? I've tried backtracking the code, but ended up with a slight headache. If anyone has information, that would be highly appreciated.
The "formula" is to do this: authorize { preprocess digest files } authenticate { Auth-Type DIGEST { digest } } HA1="0x`echo -n user:example.com:foobar | md5sum | cut -d ' ' -f 1`" in users: foo Digest-HA1 := 0xd07911de2b6cfea295166b56e8cecfa2 or better yet: foo Cleartext-Password := "foobar" ...and FreeRadius should just work.
Regards, Z2L
----- Original Message ----- From: "FreeRadius-ML" <freeradius@zap2link.com> To: "freeradius-users" <freeradius-users@lists.freeradius.org> Sent: Tuesday, July 24, 2007 1:07:01 PM (GMT+0200) Asia/Jerusalem Subject: Re: rml_perl question
Ok,
I think I'm getting somewhere on this. After running wireshark and capturing the traffic, I actually realized that the Authentication/Authorization headers consists of a random hash that is identified by the nonce number. Following is an example:
Authorization: Digest username="101", realm="192.168.2.80", algorithm=MD5, uri="sip:192.168.2.80", nonce="469f2996b4bb829917c6d5d7c3c50bed9da77682", response="1efb1851e1e96ce6855bf406735af4b6"
Now, if I understand correctly, the digest will be calculated from the combination of the username, uri and nonce. Problem is, it would appear that I'm unable to access the nonce field from rlm_perl, unless, I'm missing something.
Regards, Z2L
----- Original Message ----- From: "FreeRadius-ML" <freeradius@zap2link.com> To: "freeradius-users" <freeradius-users@lists.freeradius.org> Sent: Tuesday, July 24, 2007 11:43:19 AM (GMT+0200) Asia/Jerusalem Subject: Re: rml_perl question
Hi Peter,
Well, according to the RFC, the string should be: username:realm:password and then into the md5sum.
Now, according to my logs, I can see the following:
Packet-Type = Access-Request Thu Jul 19 09:37:23 2007 User-Name = "101@192.168.2.80" Digest-Attributes = 0x0a05313031 Digest-Attributes = 0x010e3139322e3136382e322e3830 Digest-Attributes = 0x022a34363966313930646437336461386462323964356231306236373262646532633262623030353733 Digest-Attributes = 0x04127369703a3139322e3136382e322e3830 Digest-Attributes = 0x030a5245474953544552 Digest-Response = "80d23e66bd4d667eb445c89b74ff7a6b" Service-Type = IAPP-Register Sip-Uri-User = "101" NAS-Port = 5060 NAS-IP-Address = 192.168.2.80 Client-IP-Address = 192.168.2.80
Now, the password for that user is 101.
So, I did the following: echo '101@192.168.2.80:192.168.2.80:101' | md5sum, which generated the following output: ec6cec8f0b5904ba56401b1e305638b5.
Now, examining the log file shows that a few minutes before that, the Access-Request looks like this:
Packet-Type = Access-Request Thu Jul 19 09:29:54 2007 User-Name = "101@192.168.2.80" Digest-Attributes = 0x0a05313031 Digest-Attributes = 0x010e3139322e3136382e322e3830 Digest-Attributes = 0x022a34363966313734623339623735663735363137326635613334646135666437393766353563353632 Digest-Attributes = 0x04127369703a3139322e3136382e322e3830 Digest-Attributes = 0x030a5245474953544552 Digest-Response = "a15ff7de436bada1093be663290f8ad8" Service-Type = IAPP-Register Sip-Uri-User = "101" NAS-Port = 5060 NAS-IP-Address = 192.168.2.80 Client-IP-Address = 192.168.2.80
As you can see, the Digest here is different, so I'm surely missing something here.
Regards, Z2L
----- Original Message ----- From: "Peter Nixon" <listuser@peternixon.net> To: freeradius@zap2link.com, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Tuesday, July 24, 2007 11:30:25 AM (GMT+0200) Asia/Jerusalem Subject: Re: rml_perl question
On Tue 24 Jul 2007, FreeRadius-ML wrote:
Thanks, that helps a bunch.
Another question, may be non related. Anyone has an idea how does OpenSER and FreeRadius calculate the Digest response for rlm_digest?
According to the output of my rlm_perl RAD_REQUEST, I'm getting the following request from the OpenSER server:
rlm_perl: RAD_REQUEST: Client-IP-Address = 192.168.2.80 rlm_perl: RAD_REQUEST: Digest-Response = 80d23e66bd4d667eb445c89b74ff7a6b rlm_perl: RAD_REQUEST: User-Name = 101@192.168.2.80 rlm_perl: RAD_REQUEST: Service-Type = IAPP-Register rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.2.80 rlm_perl: RAD_REQUEST: NAS-Port = 5060 rlm_perl: RAD_REQUEST: Sip-Uri-User = 101 rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x84e7a90) rlm_perl: Added pair Auth-Type = perl
If I understand correctly, I need to calculate the digest response, according to the information I hold in my AAA database, which should match the Digest-Response request. My question is, what is the actual string format that is required for the calculation of the Digest-Response?
Read RFC 2617