Digest & Messenger
saman alaniazar
samanalani at gmail.com
Tue Apr 11 11:13:28 CEST 2006
Dear Alan,
I changed the version of freeradius to 1.1.1 and we kept the last
radiusd.conf file from the 1.0.5 version unchanged. Below you can see the
excerpt of the radiusd.conf file:
expr {
}
digest {
}
exec {
    wait = yes
    input_pairs = request
}
exec echo {
    wait = yes
    program = "/bin/echo %{User-Name}"
    input_pairs = request
    output_pairs = reply
}
ippool main_pool {
    range-start = 192.168.1.1
    range-stop = 192.168.3.254
    netmask = 255.255.255.0
    cache-size = 800
    session-db = ${raddbdir}/db.ippool
    ip-index = ${raddbdir}/db.ipindex
    override = no
    maximum-timeout = 0
}
}
instantiate {
    exec
    expr
}
authorize {
    # preprocess
    # auth_log
    # attr_filter
    # chap
    # mschap
    digest
    # eap
    sql
}
authenticate {
    # Auth-Type PAP {
    #     pap
    # }
    # Auth-Type CHAP {
    #     chap
    # }
    # Auth-Type MS-CHAP {
    #     mschap
    # }
    digest
    # unix
    # eap
}
===============================================================
When I test the server with some open source sip phones, everything is ok,
but when I want to test the following user with MSN messenger, a reject packet
was received:
user = server2_user1
password = test
URI = user at testrealm.icii.com
Method = REGISTER
Algorithm = "MD5"
Here is the debug of freeradius for this packet:
rad_recv: Access-Request packet from host 10.10.1.3:2309, id=242, length=200
NAS-Identifier = "testrealm"
Digest-Attributes = 0x030a5245474953544552
Digest-Attributes = 0x0a0f736572766572325f7573657231
Digest-Attributes =
0x02226530663765326631373633376638323638316463323461396262363264643637
Digest-Attributes = 0x06054d4435
User-Name = "server2_user1"
Digest-Attributes =
0x04187369703a746573747265616c6d2e696369692e636f6d
Digest-Response = "5f0fc8449eb607379d80ad34a83fe512"
Digest-Attributes = 0x0114746573747265616c6d2e696369692e636f6d
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 0
radius_xlat: 'server2_user1'
rlm_sql (sql): sql_set_user escaped user --> 'server2_user1'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
radcheck WHERE Username = 'server2_user1' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,
radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM
radgroupcheck,usergroup WHERE usergroup.Username = 'server2_user1' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
radreply WHERE Username = 'server2_user1' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,
radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM
radgroupreply,usergroup WHERE usergroup.Username = 'test' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_digest: Converting Digest-Attributes to something sane...
Digest-Method = "REGISTER"
Digest-User-Name = "server2_user1"
Digest-Nonce = "e0f7e2f17637f82681dc24a9bb62dd67"
Digest-Algorithm = "MD5"
Digest-URI = "sip:testrealm.icii.com"
Digest-Realm = "testrealm.icii.com"
A1 = server2_user1:testrealm.icii.com:test
A2 = REGISTER:sip:testrealm.icii.com
KD =
590b483ad6e6df65edb1826f5404e3a5:e0f7e2f17637f82681dc24a9bb62dd67:684a8ca612e13a06c419dc89351ac183
rlm_digest: FAILED authentication
modcall[authenticate]: module "digest" returns reject for request 0
modcall: leaving group authenticate (returns reject) for request 0
auth: Failed to validate the user.
=======================================================
Now let's look at a correct authentication that was sent by an open source sip
phone:
rad_recv: Access-Request packet from host 10.10.1.3:2773, id=22, length=200
NAS-Identifier = "testrealm"
Digest-Attributes = 0x030a5245474953544552
Digest-Attributes = 0x0a0f736572766572325f7573657231
Digest-Attributes =
0x02226562376234336638333032613234656261343338313533366338346334393335
Digest-Attributes = 0x06054d4435
User-Name = "server2_user1"
Digest-Attributes =
0x04187369703a746573747265616c6d2e696369692e636f6d
Digest-Response = "d1b993f54dc5e242c4b67389188db5dd"
Digest-Attributes = 0x0114746573747265616c6d2e696369692e636f6d
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 36
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 36
radius_xlat: 'server2_user1'
rlm_sql (sql): sql_set_user escaped user --> 'server2_user1'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
radcheck WHERE Username = 'server2_user1' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,
radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM
radgroupcheck,usergroup WHERE usergroup.Username = 'server2_user1' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
radreply WHERE Username = 'server2_user1' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,
radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM
radgroupreply,usergroup WHERE usergroup.Username = 'server2_user1' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module "sql" returns ok for request 36
modcall: leaving group authorize (returns ok) for request 36
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 36
rlm_digest: Converting Digest-Attributes to something sane...
Digest-Method = "REGISTER"
Digest-User-Name = "server2_user1"
Digest-Nonce = "eb7b43f8302a24eba4381536c84c4935"
Digest-Algorithm = "MD5"
Digest-URI = "sip:testrealm.icii.com"
Digest-Realm = "testrealm.icii.com"
A1 = server2_user1:testrealm.icii.com:test
A2 = REGISTER:sip:testrealm.icii.com
KD =
590b483ad6e6df65edb1826f5404e3a5:eb7b43f8302a24eba4381536c84c4935:684a8ca612e13a06c419dc89351ac183
modcall[authenticate]: module "digest" returns ok for request 36
modcall: leaving group authenticate (returns ok) for request 36
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 36
rlm_sql (sql): Processing sql_postauth
radius_xlat: 'server2_user1'
rlm_sql (sql): sql_set_user escaped user --> 'server2_user1'
radius_xlat: 'INSERT into radpostauth (id, user, pass, reply, date) values
('', 'server2_user1', 'Chap-Password', 'Access-Accept', NOW())'
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user,
pass, reply, date) values ('', 'server2_user1', 'Chap-Password',
'Access-Accept', NOW())
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
modcall[post-auth]: module "sql" returns ok for request 36
modcall: leaving group post-auth (returns ok) for request 36
Sending Access-Accept of id 22 to 10.10.1.3 port 2773
> I have installed FreeRadius 1.1.0 as an authentication server for our sip
> proxy, I am using MSN messenger and some other sip phone to test.
> everything in my database is ok and I receive access packet by the sip
> phones except MSN messenger, when I am using MSN messenger, I receive
> reject packet.

Run the server in debugging mode to see what's going wrong.
Also, you might try using version 1.1.1, which has updates to the
digest module.
Alan DeKok.
--
S.A.A
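
The debug output above prints KD but not the hash that is compared with Digest-Response. As an added example (not part of the original message and not FreeRADIUS code), this Python script decodes the Digest-Attributes values from the two requests and recomputes the RFC 2617 response with the password from the message. The sub-attribute numbering is taken from draft-sterman-aaa-sip, the function names are made up for illustration, and the qop=auth branch goes beyond what these two requests use.

```python
import hashlib
import hmac

# Sub-attribute numbers inside Digest-Attributes (draft-sterman-aaa-sip);
# they match the names rlm_digest prints in the debug output above.
SUBTYPES = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 5: "QOP",
            6: "Algorithm", 7: "Body-Digest", 8: "CNonce",
            9: "Nonce-Count", 10: "User-Name"}

def parse_digest_attributes(hex_values):
    """Decode 0x... Digest-Attributes values: 1-byte type, 1-byte length, value."""
    fields = {}
    for hv in hex_values:
        raw = bytes.fromhex(hv[2:] if hv.lower().startswith("0x") else hv)
        pos = 0
        while pos < len(raw):
            # The length byte counts the 2-byte header and must fit in the buffer.
            if len(raw) - pos < 2 or not 2 <= raw[pos + 1] <= len(raw) - pos:
                raise ValueError("malformed sub-attribute at offset %d" % pos)
            kind, length = raw[pos], raw[pos + 1]
            name = SUBTYPES.get(kind, "Unknown-%d" % kind)
            fields[name] = raw[pos + 2:pos + length].decode("latin-1")
            pos += length
    return fields

def md5_hex(text):
    return hashlib.md5(text.encode("latin-1")).hexdigest()

def expected_response(f, password):
    """RFC 2617 request-digest for MD5, without qop or with qop=auth."""
    ha1 = md5_hex(":".join([f["User-Name"], f["Realm"], password]))  # H(A1)
    ha2 = md5_hex(":".join([f["Method"], f["URI"]]))                 # H(A2)
    if "QOP" not in f:
        return md5_hex(":".join([ha1, f["Nonce"], ha2]))             # MD5(KD)
    if f["QOP"] != "auth":
        raise ValueError("qop %r not handled here" % f["QOP"])
    return md5_hex(":".join([ha1, f["Nonce"], f["Nonce-Count"], f["CNonce"], "auth", ha2]))

def response_matches(hex_values, digest_response, password):
    want = expected_response(parse_digest_attributes(hex_values), password)
    return hmac.compare_digest(want, digest_response.lower())

# Values copied from the two Access-Requests in this message; only the nonce differs.
COMMON = ["0x030a5245474953544552", "0x0a0f736572766572325f7573657231", "0x06054d4435",
          "0x04187369703a746573747265616c6d2e696369692e636f6d",
          "0x0114746573747265616c6d2e696369692e636f6d"]
SIP_PHONE = COMMON + ["0x02226562376234336638333032613234656261343338313533366338346334393335"]
MSN = COMMON + ["0x02226530663765326631373633376638323638316463323461396262363264643637"]

if __name__ == "__main__":
    print("sip phone:", response_matches(SIP_PHONE, "d1b993f54dc5e242c4b67389188db5dd", "test"))
    print("msn      :", response_matches(MSN, "5f0fc8449eb607379d80ad34a83fe512", "test"))
```

A False result for a request means its Digest-Response was not computed from this password and the attribute values delivered in that request.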