RLM_PERL Integration Issue
FreeRadius-ML
freeradius at zap2link.com
Wed Jul 18 12:16:58 CEST 2007
Hi Alan,
Ok, I managed to solve the dual request thingy, apparently that was caused by a config on
the OpenSER server. All requests now are coming out as:
rad_recv: Access-Request packet from host 192.168.2.80:34908, id=213, length=232
User-Name = "101 at openser.org"
Digest-Attributes = 0x0a05313031
Digest-Attributes = 0x010d6f70656e7365722e6f7267
Digest-Attributes = 0x022a34363961623634663863363039653664303632303135363461336237666137663633383433346462
Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
Digest-Attributes = 0x030a5245474953544552
Digest-Attributes = 0x050661757468
Digest-Attributes = 0x090a3030303031303636
Digest-Attributes = 0x081237323633376361643532353930373938
Digest-Response = "408602140746b6fab2c70881242f7513"
Service-Type = IAPP-Register
X-Ascend-PW-Lifetime = 0x313031
NAS-Port = 5060
NAS-IP-Address = 192.168.2.80
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 831
modcall[authorize]: module "preprocess" returns ok for request 831
radius_xlat: '/usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716'
rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716
modcall[authorize]: module "auth_log" returns ok for request 831
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 831
users: Matched entry 101 at openser.org at line 53
modcall[authorize]: module "files" returns ok for request 831
modcall: leaving group authorize (returns ok) for request 831
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 831
rlm_digest: Converting Digest-Attributes to something sane...
Digest-User-Name = "101"
Digest-Realm = "openser.org"
Digest-Nonce = "469ab64f8c609e6d06201564a3b7fa7f638434db"
Digest-URI = "sip:192.168.2.80"
Digest-Method = "REGISTER"
Digest-QOP = "auth"
Digest-Nonce-Count = "00001066"
Digest-CNonce = "72637cad52590798"
A1 = 101:openser.org:101
A2 = REGISTER:sip:192.168.2.80
H(A1) = f195c177997cee336c919be9279c5703
H(A2) = 046d0643f281affab19fe62ffc848ab5
KD = f195c177997cee336c919be9279c5703:469ab64f8c609e6d06201564a3b7fa7f638434db:00001066:72637cad52590798:auth:046d0643f281affab19fe62ffc848ab5
EXPECTED 408602140746b6fab2c70881242f7513
RECEIVED 408602140746b6fab2c70881242f7513
modcall[authenticate]: module "digest" returns ok for request 831
modcall: leaving group authenticate (returns ok) for request 831
Login OK: [101 at openser.org/<no User-Password attribute>] (from client 192.168.2.80 port 5060)
Sending Access-Accept of id 213 to 192.168.2.80 port 34908
Finished request 831
Going to the next request
Waking up in 6 seconds...
Which, as much as I can tell, indicates that the digest authentication/authorization process had completed correctly,
and our users had been successfully authed by the Radius Server. Currently, I have an issue indicating that the
user is actually not registered on the OpenSER server, but I believe that is caused by something else. Unless you have
some form of pointer tip here...
z2l
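The digest check traced by the A1/A2/KD debug lines above, as an added example that is not part of the original thread and is not FreeRADIUS code: it decodes the Digest-Attributes TLVs from requests 831 and 17 and recomputes the MD5 response for both the qop=auth form and the form without qop. The function names are hypothetical, and the password "101" is taken from the A1 line in the log.

```python
import hashlib
import hmac

# Sub-attribute numbers as they appear in the debug output above.
SUBTYPES = {1: "realm", 2: "nonce", 3: "method", 4: "uri",
            5: "qop", 8: "cnonce", 9: "nc", 10: "username"}

# Digest-Attributes values copied from requests 831 (qop=auth) and 17 (no qop).
COMMON = ["0x0a05313031", "0x010d6f70656e7365722e6f7267",
          "0x04127369703a3139322e3136382e322e3830", "0x030a5245474953544552"]
REQ_831 = COMMON + [
    "0x022a34363961623634663863363039653664303632303135363461336237666137663633383433346462",
    "0x050661757468", "0x090a3030303031303636",
    "0x081237323633376361643532353930373938"]
REQ_17 = COMMON + [
    "0x022a34363961613063323661386631313165393066336161303533353430393661323631336462343736"]

def decode_digest_attributes(hex_values):
    """Each value is one TLV: type byte, length byte (header included), data."""
    fields = {}
    for hv in hex_values:
        raw = bytes.fromhex(hv[2:] if hv.lower().startswith("0x") else hv)
        if len(raw) < 2 or raw[1] != len(raw):
            raise ValueError("bad Digest-Attributes length in " + hv)
        if raw[0] not in SUBTYPES:
            raise ValueError("unknown sub-attribute %d" % raw[0])
        fields[SUBTYPES[raw[0]]] = raw[2:].decode("ascii")
    return fields

def md5_hex(text):
    return hashlib.md5(text.encode("ascii")).hexdigest()

def expected_response(fields, password):
    """Build A1, A2 and KD exactly as the debug lines print them."""
    ha1 = md5_hex(":".join([fields["username"], fields["realm"], password]))
    ha2 = md5_hex(fields["method"] + ":" + fields["uri"])
    if "qop" not in fields:            # request 17: H(A1):nonce:H(A2)
        kd = [ha1, fields["nonce"], ha2]
    elif fields["qop"] == "auth":      # request 831: nonce count and cnonce added
        kd = [ha1, fields["nonce"], fields["nc"], fields["cnonce"], "auth", ha2]
    else:
        raise ValueError("unsupported qop " + fields["qop"])
    return md5_hex(":".join(kd))

def verify(hex_values, password, digest_response):
    fields = decode_digest_attributes(hex_values)
    return hmac.compare_digest(expected_response(fields, password),
                               digest_response.lower())
```

Computing H(A1) needs the user's cleartext password (or a stored H(A1)) on the RADIUS side, which is why the users file entry has to carry the password itself.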
----- Original Message -----
From: "FreeRadius-ML" <freeradius at zap2link.com>
To: "Alan DeKok" <aland at deployingradius.com>
Cc: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Wednesday, July 18, 2007 11:26:38 AM (GMT+0200) Asia/Jerusalem
Subject: Re: RLM_PERL Integration Issue
Hi Alan,
Ok, I did as you instructed, and I admit that I appear to be getting somewhere.
The debug log now shows the following:
-------------------------------- SNIP -----------------------------------------
rad_recv: Access-Request packet from host 192.168.2.80:33365, id=47, length=192
User-Name = "101 at openser.org"
Digest-Attributes = 0x0a05313031
Digest-Attributes = 0x010d6f70656e7365722e6f7267
Digest-Attributes = 0x022a34363961613063323661386631313165393066336161303533353430393661323631336462343736
Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "3f66a7a38c9d6ff05d9d633063085a0c"
Service-Type = IAPP-Register
X-Ascend-PW-Lifetime = 0x313031
NAS-Port = 5060
NAS-IP-Address = 192.168.2.80
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 17
modcall[authorize]: module "preprocess" returns ok for request 17
radius_xlat: '/usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716'
rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716
modcall[authorize]: module "auth_log" returns ok for request 17
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 17
users: Matched entry 101 at openser.org at line 54
modcall[authorize]: module "files" returns ok for request 17
modcall: leaving group authorize (returns ok) for request 17
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 17
rlm_digest: Converting Digest-Attributes to something sane...
Digest-User-Name = "101"
Digest-Realm = "openser.org"
Digest-Nonce = "469aa0c26a8f111e90f3aa05354096a2613db476"
Digest-URI = "sip:192.168.2.80"
Digest-Method = "REGISTER"
A1 = 101:openser.org:101
A2 = REGISTER:sip:192.168.2.80
H(A1) = f195c177997cee336c919be9279c5703
H(A2) = 046d0643f281affab19fe62ffc848ab5
KD = f195c177997cee336c919be9279c5703:469aa0c26a8f111e90f3aa05354096a2613db476:046d0643f281affab19fe62ffc848ab5
EXPECTED 3f66a7a38c9d6ff05d9d633063085a0c
RECEIVED 3f66a7a38c9d6ff05d9d633063085a0c
modcall[authenticate]: module "digest" returns ok for request 17
modcall: leaving group authenticate (returns ok) for request 17
Login OK: [101 at openser.org/<no User-Password attribute>] (from client openser-network port 5060)
Sending Access-Accept of id 47 to 192.168.2.80 port 33365
Finished request 17
Going to the next request
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 192.168.2.80:33366, id=48, length=67
User-Name = "101 at 192.168.2.80"
X-Ascend-PPP-VJ-1172 = 0x73757370656e646564
Service-Type = Voice
NAS-Port = 0
NAS-IP-Address = 192.168.2.80
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 18
modcall[authorize]: module "preprocess" returns ok for request 18
radius_xlat: '/usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716'
rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716
modcall[authorize]: module "auth_log" returns ok for request 18
modcall[authorize]: module "digest" returns noop for request 18
users: Matched entry 101 at 192.168.2.80 at line 53
modcall[authorize]: module "files" returns ok for request 18
modcall: leaving group authorize (returns ok) for request 18
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [101 at 192.168.2.80/<no User-Password attribute>] (from client openser-network port 0)
Delaying request 18 for 1 seconds
Finished request 18
Going to the next request
Waking up in 4 seconds...
-------------------------------- SNIP -----------------------------------------
If you were to examine the log, you would see that request number 17 is receiving the
LOGIN OK, while request 18 is rejected. The silly part here is this: there is only a single
IP Phone on the network, which is using a single OpenSER server. I'm kind'a stuck with a
silly question: where is the second request coming from?
Z2L
----- Original Message -----
From: "Alan DeKok" <aland at deployingradius.com>
To: freeradius at zap2link.com
Cc: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Wednesday, July 18, 2007 11:24:19 AM (GMT+0200) Asia/Jerusalem
Subject: Re: RLM_PERL Integration Issue
FreeRadius-ML wrote:
> Now, I'm basically re-learning everything, as the world of OpenSER + FreeRadius is a little new to me,
> and sometimes frustrates me. The amount of documentation in the configuration files is great, but the lack
> of updated examples is somewhat annoying. Even Asterisk, which is one of the most undocumented environments
> in the world, has more configuration examples available.
The majority of FreeRADIUS installations put users & password into SQL
or LDAP, and then don't touch it ever again. For them, the existing
examples are mostly OK.
For *complex* scenarios, RADIUS quickly gets more complicated than
DNS, DHCP, Web servers, and (I suspect) Asterisk. There just isn't
enough space in the world to document every configuration that everyone
needs.
> In any case, let's go back to what we were discussing. If I understand you correctly, on the FreeRadius side,
> I only need to enable digest based authentication and authorization, define the user in the users file - and that
> should be working just fine?
Yes. The entire *point* of the default configuration is to have as
many authentication protocols as possible work... just by defining a
user and password. See:
http://deployingradius.com/documents/configuration/pap.html
When 2.0 is released, defining a username & password will cause the
following authentication methods to work:
* PAP
* CHAP
* MS-CHAP
* Digest
* EAP-MD5
* EAP-MSCHAPv2
* Cisco LEAP
* PEAP-MSCHAPv2
* PEAP-GTC
* EAP-TTLS with
  * PAP
  * CHAP
  * MS-CHAP
  * EAP-MD5
  * EAP-MSCHAPv2
Try *that* with any other program: "I added one line in a
configuration file, and VOIP works, WiFi works, dial-up works, PPPoE
works, VPNs work, for Apple, Windows, and Linux". No fighting, no fuss.
Alan DeKok.