rml_perl question

FreeRadius-ML freeradius at zap2link.com
Tue Jul 24 13:12:07 CEST 2007


Hi Phil,
  
  I would agree, however, it kind of negates the purpose of using rlm_perl, doesn't it?

Z2L

----- Original Message -----
From: "Phil Mayers" <p.mayers at imperial.ac.uk>
To: freeradius at zap2link.com, "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Tuesday, July 24, 2007 2:07:11 PM (GMT+0200) Asia/Jerusalem
Subject: Re: rml_perl question

On Tue, 2007-07-24 at 13:54 +0300, FreeRadius-ML wrote:
> Ok,
> 
>   It would appear that I'm a little silly, due to the way FreeRadius logs the information
> on the console. I've been debugging the information that I get, and I can see that the 
> Digest-Attributes actually contain the information, in accordance to the following:
> 
>   The first Digest Attribute is the User-Name, 
>   The second Digest Attribute is the Realm,
>   The third Digest Attribute is the nonce,
>   The fourth Digest Attribute is the uri,
>   The fifth Digest Attribute is the SIP-METHOD request.
> 
>   I didn't realize this in the beginning, as it was all HEX dumped, so I couldn't see
> that I'm actually looking at the information.
> 
>   Now, my question is this, what is the formula to calculate the digest from all of the 
> above information? I've tried backtracking the code, but ended up with a slight headache.
> If anyone has information, that would be highly appreciated.

The "formula" is to do this:

authorize {
  preprocess
  digest
  files
}
authenticate {
  Auth-Type DIGEST {
    digest
  }
}

HA1="0x`echo -n user:example.com:foobar | md5sum | cut -d ' ' -f 1`"

in users:

foo	Digest-HA1 := 0xd07911de2b6cfea295166b56e8cecfa2

or better yet:

foo	Cleartext-Password := "foobar"

...and FreeRadius should just work.

> 
> Regards,
>   Z2L
> 
> ----- Original Message -----
> From: "FreeRadius-ML" <freeradius at zap2link.com>
> To: "freeradius-users" <freeradius-users at lists.freeradius.org>
> Sent: Tuesday, July 24, 2007 1:07:01 PM (GMT+0200) Asia/Jerusalem
> Subject: Re: rml_perl question
> 
> Ok,
> 
>   I think I'm getting somewhere on this. After running wireshark and capturing the traffic,
> I actually realized that the Authentication/Authorization headers consist of a random hash
> that is identified by the nonce number. Following is an example:
> 
> Authorization: Digest username="101", realm="192.168.2.80", algorithm=MD5, uri="sip:192.168.2.80", nonce="469f2996b4bb829917c6d5d7c3c50bed9da77682", response="1efb1851e1e96ce6855bf406735af4b6"
> 
>   Now, if I understand correctly, the digest will be calculated from the combination of the 
> username, uri and nonce. Problem is, it would appear that I'm unable to access the nonce field
> from rlm_perl, unless, I'm missing something.
> 
> Regards,
>   Z2L
> 
> ----- Original Message -----
> From: "FreeRadius-ML" <freeradius at zap2link.com>
> To: "freeradius-users" <freeradius-users at lists.freeradius.org>
> Sent: Tuesday, July 24, 2007 11:43:19 AM (GMT+0200) Asia/Jerusalem
> Subject: Re: rml_perl question
> 
> Hi Peter,
> 
>   Well, according to the RFC, the string should be:
> username:realm:password and then into the md5sum.
> 
>   Now, according to my logs, I can see the following:
> 
> Packet-Type = Access-Request
> Thu Jul 19 09:37:23 2007
>         User-Name = "101 at 192.168.2.80"
>         Digest-Attributes = 0x0a05313031
>         Digest-Attributes = 0x010e3139322e3136382e322e3830
>         Digest-Attributes = 0x022a34363966313930646437336461386462323964356231306236373262646532633262623030353733
>         Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
>         Digest-Attributes = 0x030a5245474953544552
>         Digest-Response = "80d23e66bd4d667eb445c89b74ff7a6b"
>         Service-Type = IAPP-Register
>         Sip-Uri-User = "101"
>         NAS-Port = 5060
>         NAS-IP-Address = 192.168.2.80
>         Client-IP-Address = 192.168.2.80
> 
>   Now, the password for that user is 101.
> 
>   So, I did the following: echo '101 at 192.168.2.80:192.168.2.80:101' | md5sum, which generated
> the following output: ec6cec8f0b5904ba56401b1e305638b5.
> 
>   Now, examining the log file shows that a few minutes before that, the Access-Request looks
> like this:
> 
> Packet-Type = Access-Request
> Thu Jul 19 09:29:54 2007
>         User-Name = "101 at 192.168.2.80"
>         Digest-Attributes = 0x0a05313031
>         Digest-Attributes = 0x010e3139322e3136382e322e3830
>         Digest-Attributes = 0x022a34363966313734623339623735663735363137326635613334646135666437393766353563353632
>         Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
>         Digest-Attributes = 0x030a5245474953544552
>         Digest-Response = "a15ff7de436bada1093be663290f8ad8"
>         Service-Type = IAPP-Register
>         Sip-Uri-User = "101"
>         NAS-Port = 5060
>         NAS-IP-Address = 192.168.2.80
>         Client-IP-Address = 192.168.2.80
> 
>   As you can see, the Digest here is different, so I'm surely missing something here.
> 
> Regards,
>   Z2L
> 
> 
> ----- Original Message -----
> From: "Peter Nixon" <listuser at peternixon.net>
> To: freeradius at zap2link.com, "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> Sent: Tuesday, July 24, 2007 11:30:25 AM (GMT+0200) Asia/Jerusalem
> Subject: Re: rml_perl question
> 
> On Tue 24 Jul 2007, FreeRadius-ML wrote:
> > Thanks, that helps a bunch.
> >
> > Another question, maybe unrelated. Does anyone have an idea how OpenSER
> > and FreeRadius calculate the Digest response for rlm_digest?
> >
> > According to the output of my rlm_perl RAD_REQUEST, I'm getting the
> > following request from the OpenSER server:
> >
> > rlm_perl: RAD_REQUEST: Client-IP-Address = 192.168.2.80
> > rlm_perl: RAD_REQUEST: Digest-Response = 80d23e66bd4d667eb445c89b74ff7a6b
> > rlm_perl: RAD_REQUEST: User-Name = 101 at 192.168.2.80
> > rlm_perl: RAD_REQUEST: Service-Type = IAPP-Register
> > rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.2.80
> > rlm_perl: RAD_REQUEST: NAS-Port = 5060
> > rlm_perl: RAD_REQUEST: Sip-Uri-User = 101
> > rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x84e7a90)
> > rlm_perl: Added pair Auth-Type = perl
> >
> > If I understand correctly, I need to calculate the digest response,
> > according to the information I hold in my AAA database, which should match
> > the Digest-Response request. My question is, what is the actual string
> > format that is required for the calculation of the Digest-Response?
> 
> Read RFC 2617
> 
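
The calculation asked about in this thread, as an added example that is not part of the original messages or of FreeRADIUS: it decodes the Digest-Attributes values quoted above and computes the RFC 2617 response, including the qop=auth branch, which goes beyond the thread's no-qop SIP request. The sub-attribute numbering is assumed from draft-sterman-aaa-sip, and all function and variable names are illustrative.

```python
import hashlib
import hmac

# Sub-attribute numbers inside Digest-Attributes (assumed: draft-sterman-aaa-sip).
SUBTYPES = {1: "realm", 2: "nonce", 3: "method", 4: "uri", 5: "qop",
            8: "cnonce", 9: "nc", 10: "username"}

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def decode_digest_attributes(hex_values):
    """Decode '0x...' Digest-Attributes values into a dict of digest fields."""
    fields = {}
    for value in hex_values:
        raw = bytes.fromhex(value.removeprefix("0x"))
        pos = 0
        while pos < len(raw):                 # one value may carry several TLVs
            # Each TLV is type, length, value; length counts the 2 header bytes.
            if len(raw) - pos < 2 or raw[pos + 1] < 2 or pos + raw[pos + 1] > len(raw):
                raise ValueError("malformed Digest-Attributes sub-attribute")
            subtype, length = raw[pos], raw[pos + 1]
            if subtype in SUBTYPES:
                fields[SUBTYPES[subtype]] = raw[pos + 2:pos + length].decode()
            pos += length
    return fields

def expected_response(f, password):
    """RFC 2617 response for decoded fields f and the user's cleartext password."""
    ha1 = md5_hex(f"{f['username']}:{f['realm']}:{password}")
    ha2 = md5_hex(f"{f['method']}:{f['uri']}")
    if f.get("qop") == "auth":
        return md5_hex(f"{ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:auth:{ha2}")
    return md5_hex(f"{ha1}:{f['nonce']}:{ha2}")   # no qop, as in the thread

def verify(f, password, digest_response):
    # Constant-time comparison of the expected and received hex digests.
    return hmac.compare_digest(expected_response(f, password), digest_response.lower())

# Values copied from the 09:37:23 Access-Request quoted in the thread.
THREAD_ATTRS = [
    "0x0a05313031",
    "0x010e3139322e3136382e322e3830",
    "0x022a34363966313930646437336461386462323964356231306236373262646532633262623030353733",
    "0x04127369703a3139322e3136382e322e3830",
    "0x030a5245474953544552",
]

if __name__ == "__main__":
    print(decode_digest_attributes(THREAD_ATTRS))
```

The nonce is an input to the final hash, so the two Access-Requests quoted in the thread carry different Digest-Response values for the same user and password.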




