Question on FreeRADIUS digest authentication with SIP proxy
I have setup SER to authenticate via FreeRADIUS with MSSQL DB. The SIP proxy (SER) use digest authentication to authenticate with FreeRADIUS server. This way the user's password is stored as cleartext in the database. I'd like to know is there a way to make such setup using hashed password (just MD5 or HA1)? I asked this question on SER's mailing list, but seems cleartext password is the only way to do digest authentication with FreeRADIUS. After reading through RFC2617 and draft-ietf-radext-digest-auth-04, seems to me that if Digest-Algorithm attribute in RADIUS packet is 'MD5-sess', there is a Digest-HA1 attribute might be useful for my purpose. Is there any options to tweak FreeRADIUS's digest authentication mode, something like 'auth_type' or 'encrypt_method' for MSCHAP or other authentication methods? Thanks.
Hi, Chen. There is ongoing discussion on this topic : http://lists.freeradius.org/pipermail/freeradius-users/2005-October/047606.h... You might also want to check this, for information related to digest authentication with RADIUS and LDAP : http://www-rocq.inria.fr/who/Philippe.Sultan/Asterisk/asterisk_sip_external_... Bye, Philippe On 10/12/05, Cheng Zhang <czhang.cmu@gmail.com> wrote:
I have setup SER to authenticate via FreeRADIUS with MSSQL DB. The SIP proxy (SER) use digest authentication to authenticate with FreeRADIUS server. This way the user's password is stored as cleartext in the database. I'd like to know is there a way to make such setup using hashed password (just MD5 or HA1)? I asked this question on SER's mailing list, but seems cleartext password is the only way to do digest authentication with FreeRADIUS. After reading through RFC2617 and draft-ietf-radext-digest-auth-04, seems to me that if Digest-Algorithm attribute in RADIUS packet is 'MD5-sess', there is a Digest-HA1 attribute might be useful for my purpose. Is there any options to tweak FreeRADIUS's digest authentication mode, something like 'auth_type' or 'encrypt_method' for MSCHAP or other authentication methods? Thanks.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Philippe. It works for me as well. I will also let people on serusers and openser-users mailing lists to know. Without your patch, AFATK, the password has to be in clear text form if using RADIUS to do the authentication. Thanks again. On 10/12/05, Philippe Sultan <philippe.sultan@gmail.com> wrote:
Hi, Chen.
There is ongoing discussion on this topic :
http://lists.freeradius.org/pipermail/freeradius-users/2005-October/047606.h...
You might also want to check this, for information related to digest authentication with RADIUS and LDAP :
http://www-rocq.inria.fr/who/Philippe.Sultan/Asterisk/asterisk_sip_external_...
Bye,
Philippe
ok Cheng. Note that it should be fixed in the CVS version within a few days, without changing the configuration of rlm_digest. The MD5-Password (present in CVS) fits our need in this case, I will try to bring a fix next week including LDAP password pullout during authorization. Bye, Philippe On 10/12/05, Cheng Zhang <czhang.cmu@gmail.com> wrote:
Thanks Philippe. It works for me as well. I will also let people on serusers and openser-users mailing lists to know. Without your patch, AFATK, the password has to be in clear text form if using RADIUS to do the authentication.
Thanks again.
On 10/12/05, Philippe Sultan <philippe.sultan@gmail.com> wrote:
Hi, Chen.
There is ongoing discussion on this topic :
http://lists.freeradius.org/pipermail/freeradius-users/2005-October/047606.h...
You might also want to check this, for information related to digest authentication with RADIUS and LDAP :
http://www-rocq.inria.fr/who/Philippe.Sultan/Asterisk/asterisk_sip_external_...
Bye,
Philippe
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, Cheng. maybe you can check the proposed patch for current CVS version if you find some time : http://bugs.freeradius.org/show_bug.cgi?id=287 It avoids the digest module configuration option given earlier (in the FreeRADIUS 1.0.5 patch), and uses the MD5-Password attribute to store H(username:realm:password). Note that it has been tested with option 'auto_header' in radiusd.conf set to 'yes', as the 'password_header' option is deprecated in CVS. I also successfully tested it along with an LDAP server, with password pullout during the authorization process. Thank you for your feedback regarding this problem, Regards, Philippe On 10/12/05, Philippe Sultan <philippe.sultan@gmail.com> wrote:
ok Cheng. Note that it should be fixed in the CVS version within a few days, without changing the configuration of rlm_digest. The MD5-Password (present in CVS) fits our need in this case, I will try to bring a fix next week including LDAP password pullout during authorization. Bye, Philippe
On 10/12/05, Cheng Zhang <czhang.cmu@gmail.com> wrote:
Thanks Philippe. It works for me as well. I will also let people on serusers and openser-users mailing lists to know. Without your patch, AFATK, the password has to be in clear text form if using RADIUS to do the authentication.
Thanks again.
On 10/12/05, Philippe Sultan <philippe.sultan@gmail.com > wrote:
Hi, Chen.
There is ongoing discussion on this topic :
http://lists.freeradius.org/pipermail/freeradius-users/2005-October/047606.h...
You might also want to check this, for information related to digest authentication with RADIUS and LDAP :
http://www-rocq.inria.fr/who/Philippe.Sultan/Asterisk/asterisk_sip_external_...
Bye,
Philippe
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Cheng Zhang -
Philippe Sultan