rml_perl question
Phil Mayers
p.mayers at imperial.ac.uk
Tue Jul 24 13:07:11 CEST 2007
On Tue, 2007-07-24 at 13:54 +0300, FreeRadius-ML wrote:
> Ok,
>
> It would appear that I'm a little silly, due to the way FreeRadius logs the information
> on the console. I've been debugging the information that I get, and I can see that the
> Digest-Attributes actually contain the information, in accordance to the following:
>
> The first Digest Attribute is the User-Name,
> The second Digest Attribute is the Realm,
> The third Digest Attribute is the nonce,
> The fourth Digest Attribute is the uri,
> The fifth Digest Attribute is the SIP-METHOD request.
>
> I didn't realize this in the beginning, as it was all HEX dumped, so I couldn't see
> that I'm actually looking at the information.
>
> Now, my question is this, what is the formula to calculate the digest from all of the
> above information? I've tried backtracking the code, but ended up with a slight headache.
> If anyone has information, that would be highly appreciated.
The "formula" is to do this:

authorize {
    preprocess
    digest
    files
}

authenticate {
    Auth-Type DIGEST {
        digest
    }
}

HA1="0x`echo -n user:example.com:foobar | md5sum | cut -d ' ' -f 1`"

in users:

foo Digest-HA1 := 0xd07911de2b6cfea295166b56e8cecfa2

or better yet:

foo Cleartext-Password := "foobar"

...and FreeRadius should just work.
>
> Regards,
> Z2L
>
> ----- Original Message -----
> From: "FreeRadius-ML" <freeradius at zap2link.com>
> To: "freeradius-users" <freeradius-users at lists.freeradius.org>
> Sent: Tuesday, July 24, 2007 1:07:01 PM (GMT+0200) Asia/Jerusalem
> Subject: Re: rml_perl question
>
> Ok,
>
> I think I'm getting somewhere on this. After running wireshark and capturing the traffic,
> I actually realized that the Authentication/Authorization headers consist of a random hash
> that is identified by the nonce number. Following is an example:
>
> Authorization: Digest username="101", realm="192.168.2.80", algorithm=MD5, uri="sip:192.168.2.80", nonce="469f2996b4bb829917c6d5d7c3c50bed9da77682", response="1efb1851e1e96ce6855bf406735af4b6"
>
> Now, if I understand correctly, the digest will be calculated from the combination of the
> username, uri and nonce. Problem is, it would appear that I'm unable to access the nonce field
> from rlm_perl, unless, I'm missing something.
>
> Regards,
> Z2L
>
> ----- Original Message -----
> From: "FreeRadius-ML" <freeradius at zap2link.com>
> To: "freeradius-users" <freeradius-users at lists.freeradius.org>
> Sent: Tuesday, July 24, 2007 11:43:19 AM (GMT+0200) Asia/Jerusalem
> Subject: Re: rml_perl question
>
> Hi Peter,
>
> Well, according to the RFC, the string should be:
> username:realm:password and then into the md5sum.
>
> Now, according to my logs, I can see the following:
>
> Packet-Type = Access-Request
> Thu Jul 19 09:37:23 2007
> User-Name = "101 at 192.168.2.80"
> Digest-Attributes = 0x0a05313031
> Digest-Attributes = 0x010e3139322e3136382e322e3830
> Digest-Attributes = 0x022a34363966313930646437336461386462323964356231306236373262646532633262623030353733
> Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
> Digest-Attributes = 0x030a5245474953544552
> Digest-Response = "80d23e66bd4d667eb445c89b74ff7a6b"
> Service-Type = IAPP-Register
> Sip-Uri-User = "101"
> NAS-Port = 5060
> NAS-IP-Address = 192.168.2.80
> Client-IP-Address = 192.168.2.80
>
> Now, the password for that user is 101.
>
> So, I did the following: echo '101 at 192.168.2.80:192.168.2.80:101' | md5sum, which generated
> the following output: ec6cec8f0b5904ba56401b1e305638b5.
>
> Now, examining the log file shows that a few minutes before that, the Access-Request looks
> like this:
>
> Packet-Type = Access-Request
> Thu Jul 19 09:29:54 2007
> User-Name = "101 at 192.168.2.80"
> Digest-Attributes = 0x0a05313031
> Digest-Attributes = 0x010e3139322e3136382e322e3830
> Digest-Attributes = 0x022a34363966313734623339623735663735363137326635613334646135666437393766353563353632
> Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
> Digest-Attributes = 0x030a5245474953544552
> Digest-Response = "a15ff7de436bada1093be663290f8ad8"
> Service-Type = IAPP-Register
> Sip-Uri-User = "101"
> NAS-Port = 5060
> NAS-IP-Address = 192.168.2.80
> Client-IP-Address = 192.168.2.80
>
> As you can see, the Digest here is different, so I'm surely missing something here.
>
> Regards,
> Z2L
>
>
> ----- Original Message -----
> From: "Peter Nixon" <listuser at peternixon.net>
> To: freeradius at zap2link.com, "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> Sent: Tuesday, July 24, 2007 11:30:25 AM (GMT+0200) Asia/Jerusalem
> Subject: Re: rml_perl question
>
> On Tue 24 Jul 2007, FreeRadius-ML wrote:
> > Thanks, that helps a bunch.
> >
> > Another question, may be non related. Anyone has an idea how does OpenSER
> > and FreeRadius calculate the Digest response for rlm_digest?
> >
> > According to the output of my rlm_perl RAD_REQUEST, I'm getting the
> > following request from the OpenSER server:
> >
> > rlm_perl: RAD_REQUEST: Client-IP-Address = 192.168.2.80
> > rlm_perl: RAD_REQUEST: Digest-Response = 80d23e66bd4d667eb445c89b74ff7a6b
> > rlm_perl: RAD_REQUEST: User-Name = 101 at 192.168.2.80
> > rlm_perl: RAD_REQUEST: Service-Type = IAPP-Register
> > rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.2.80
> > rlm_perl: RAD_REQUEST: NAS-Port = 5060
> > rlm_perl: RAD_REQUEST: Sip-Uri-User = 101
> > rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x84e7a90)
> > rlm_perl: Added pair Auth-Type = perl
> >
> > If I understand correctly, I need to calculate the digest response,
> > according to the information I hold in my AAA database, which should match
> > the Digest-Response request. My question is, what is the actual string
> > format that is required for the calculation of the Digest-Response?
>
> Read RFC 2617
>