Handling request from OpenSer in Freeradius - I need help
GlobeInPhotos
biuro at globeinphotos.com
Wed Jul 12 07:59:47 CEST 2006
Hi
I have a problem properly handling OpenSer requests in Freeradius.
When I switch on debug mode in freeradius I get LISTING 1 (below).
In the first part of the log we can see that the INVITE message was received and
the authorize_check SQL statement (defined by _check_query) was called and I
got the proper result.
After that the message was parsed and the values from Digest-Attributes were moved to
named Digest- attributes, e.g. Digest-Method.
In my radius solution I have to return a few attributes to OpenSer when I
detect that Digest-Method is equal to INVITE. But I cannot return attributes
from authorize_check because when the authorize_check db procedure is called
Digest-Method is not set (I can only see Digest-Attributes). After the call to
authorize_check, freeradius parses the request and I have the complete set of values:
Digest-User-Name = "test001"
Digest-Realm = "server1.test.pl"
Digest-Nonce = "44b414bb1e6165386992a6c367a1ce2b1682ba32"
Digest-URI = "sip:+4800001 at server1.test.pl"
Digest-Method = "INVITE"
But after this part only one DB procedure is called: test.postauth()
(defined by postauth_query in postgres.sql), but this procedure cannot
return attributes - it can return only one string.
I have some questions:
- How can I return a list of attributes once the message is parsed? Is it possible to
  configure radius to call an sql statement after parsing a message?
- How can I access all Digest-Attributes from the unparsed message? When I put
  '%{Digest-Attributes}' in a query I can see only the first attribute.
- Is it possible to control the order of parsing? In my example the order is:
  - receive of 'raw' request
  - execution of authorize check
  - parsing of raw message (message "mod_digest: Converting
    Digest-Attributes to something sane")
  But in the post
  http://lists.freeradius.org/mailman/htdig/freeradius-users/2004-September/036519.html
  the order is the following:
  - receive of 'raw' request
  - parsing of raw message (message "mod_digest: Converting
    Digest-Attributes to something sane")
  - execution of authorize check
Do you know how to achieve the last order? Should I change something in the conf.
files?
Part of my postgres.conf file:
authorize_check_query = "SELECT * FROM test.authorize_check('%{SQL-User-Name}', '%{Digest-URI}', '%{Service-Type}')"
postauth_query = "SELECT test.postauth('%{Digest-Method}', '%{Digest-Attributes:-0}', '%{Digest-Attributes:-3}')"
LISTING 1
---------
rad_recv: Access-Request packet from host 153.19.130.250:34032, id=245, length=237
User-Name = "test001 at server1.test.pl"
Digest-Attributes = "\n\ttest001"
Digest-Attributes = "\001\026server1.test.pl"
Digest-Attributes = "\002*44b414bb1e6165386992a6c367a1ce2b1682ba32"
Digest-Attributes = "\004#sip:+4800001 at server1.test.pl"
Digest-Attributes = "\003\010INVITE"
Digest-Response = "1475e3bd94becc734d77893ddcd70046"
Service-Type = IAPP-Register
Sip-URI-User = "test001"
NAS-Port = 5060
NAS-IP-Address = 153.19.130.250
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 3
rlm_realm: Looking up realm "server1.test.pl" for User-Name = "test001 at server1.test.pl"
rlm_realm: No such realm "server1.test.pl"
modcall[authorize]: module "suffix" returns noop for request 3
users: Matched entry DEFAULT at line 5
users: Matched entry DEFAULT at line 42
modcall[authorize]: module "files" returns ok for request 3
radius_xlat: 'test001 at server1.test.pl'
rlm_sql (sql): sql_set_user escaped user --> 'test001 at server1.test.pl'
radius_xlat: 'SELECT * FROM test.authorize_check('test001 at server1.test.pl', '', '')'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_postgresql: query: SELECT * FROM test.authorize_check('test001 at server1.test.pl', '', '')
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: ''
radius_xlat: ''
radius_xlat: ''
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module "sql" returns ok for request 3
modcall: leaving group authorize (returns ok) for request 3
rad_check_password: Found Auth-Type Digest
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_digest: Converting Digest-Attributes to something sane...
Digest-User-Name = "test001"
Digest-Realm = "server1.test.pl"
Digest-Nonce = "44b414bb1e6165386992a6c367a1ce2b1682ba32"
Digest-URI = "sip:+4800001 at server1.test.pl"
Digest-Method = "INVITE"
A1 = test001:server1.test.pl:gdfi
A2 = INVITE:sip:+4800001 at server1.test.pl
H(A1) = 1307e5525ca6a7907307ad0af15dbb42
H(A2) = 5bfbcc6c93b4debf70853f609176ff45
KD = 1307e5525ca6a7907307ad0af15dbb42:44b414bb1e6165386992a6c367a1ce2b1682ba32:5bfbcc6c93b4debf70853f609176ff45
EXPECTED 1475e3bd94becc734d77893ddcd70046 RECEIVED 1475e3bd94becc734d77893ddcd70046
modcall[authenticate]: module "digest" returns ok for request 3
modcall: leaving group authenticate (returns ok) for request 3
Login OK: [test001 at server1.test.pl/<no User-Password attribute>] (from client server1 port 5060)
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 3
rlm_sql (sql): Processing sql_postauth
radius_xlat: 'test001 at server1.test.pl'
rlm_sql (sql): sql_set_user escaped user --> 'test001 at server1.test.pl'
radius_xlat: 'SELECT test.postauth('=5Cn=5Cttest001', '=5Cn=5Cttest001', '=5Cn=5Cttest001')'
radius_xlat: '/var/log/freeradius/sqltrace.sql'
rlm_sql (sql) in sql_postauth: query is SELECT test.postauth('', '=5Cn=5Cttest001', '=5Cn=5Cttest001')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_postgresql: query: SELECT test.postauth('', '=5Cn=5Cttest001', '=5Cn=5Cttest001')
Regards
Michal Szymanski
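
Added example (not part of the original post, and not FreeRADIUS code): a Python rendering of the unpacking behind the "rlm_digest: Converting Digest-Attributes to something sane..." line in LISTING 1, followed by the response calculation shown in the A1/A2/KD lines. In the listing that conversion runs in the authenticate section, after the authorize SQL query has already been expanded. Sub-attribute codes 5-9, the function names and the sample password are assumptions; the sample input is constructed.

```python
import hashlib

# Sub-attribute codes 1-4 and 10 are visible in LISTING 1; 5-9 follow the
# draft-sterman-aaa-sip numbering (assumption, not shown on the page).
SUBTYPES = {1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method",
            4: "Digest-URI", 5: "Digest-QOP", 6: "Digest-Algorithm",
            7: "Digest-Body-Digest", 8: "Digest-CNonce",
            9: "Digest-Nonce-Count", 10: "Digest-User-Name"}

def pack(subtype, text):
    """Build one packed value: [type][length][data]; length counts the header."""
    data = text.encode()
    return bytes([subtype, len(data) + 2]) + data

def unpack_digest_attributes(raw_values):
    """Expand packed Digest-Attributes values into named Digest-* attributes."""
    named = {}
    for raw in raw_values:
        pos = 0
        while pos < len(raw):
            if len(raw) - pos < 2:
                raise ValueError("truncated sub-attribute header")
            subtype, length = raw[pos], raw[pos + 1]
            # Reject empty, truncated or over-long entries instead of guessing.
            if length < 3 or pos + length > len(raw):
                raise ValueError("bad sub-attribute length %d" % length)
            if subtype not in SUBTYPES:
                raise ValueError("unknown sub-attribute type %d" % subtype)
            named[SUBTYPES[subtype]] = raw[pos + 2:pos + length].decode()
            pos += length
    return named

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def expected_response(named, password):
    """Digest without qop: MD5(H(A1):nonce:H(A2)), matching the KD line."""
    a1 = "%s:%s:%s" % (named["Digest-User-Name"], named["Digest-Realm"], password)
    a2 = "%s:%s" % (named["Digest-Method"], named["Digest-URI"])
    return md5_hex("%s:%s:%s" % (md5_hex(a1), named["Digest-Nonce"], md5_hex(a2)))

# Constructed sample modelled on the listing; lengths are recomputed by pack().
SAMPLE = [pack(10, "test001"), pack(1, "server1.test.pl"),
          pack(2, "44b414bb1e6165386992a6c367a1ce2b1682ba32"),
          pack(4, "sip:+4800001@server1.test.pl"), pack(3, "INVITE")]

if __name__ == "__main__":
    attrs = unpack_digest_attributes(SAMPLE)
    print(attrs["Digest-Method"], expected_response(attrs, "example-password"))
```

pack(10, "test001") yields the bytes that the debug log prints as "\n\ttest001": type 10, length 9, then the user name.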