SIP UAC authentication using Digest-HA1 and LDAP

Stadler Karel Karel.Stadler at psi.ch
Fri May 11 16:04:23 CEST 2007


Hello

We have a setup with Active Directory, and there we used a field for the
Digest-HA1 hash (for test purposes). This field
contains an MD5-hashed value of "username:realm:password".

FreeRADIUS is configured to do an LDAP query to the AD and pull out this
value, which works very well.

I've configured the ldap.attrmap for "checkItem Digest-HA1 ADFIELD" and
commented out the "password_attribute=" in
modules{} as described on a FreeRADIUS Wiki. Now the problem is that
FreeRADIUS produces this error:

"rlm_digest: Configuration item "User-Password" is required for
authentication."

How can this be solved? And please don't say "tell the server what the
password is". I need to
know how it can be configured. We're using FreeRADIUS Version 1.0.1.

best rgds
-Karel Stadler

---------------------------------------------------------------------------------------

rad_recv: Access-Request packet from host 127.0.0.1:33040, id=237,
length=196
        User-Name = "mueller at foo.net"
        Digest-Attributes = 0x0a09737461646c6572
        Digest-Attributes = 0x01087073692e6368
        Digest-Attributes =
0x022a343634343735353636376136383965393834373832373930303739653336346331
31396365346630
        Digest-Attributes = 0x04147369703a3132392e3132392e3139322e3234
        Digest-Attributes = 0x030a5245474953544552
        Digest-Response = "2f9bcef76be40b7a3a2c78367ae24e8b"
        Service-Type = IAPP-Register
        Sip-URI-User = "mueller"
        NAS-Port = 5060
        NAS-IP-Address = 127.0.0.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  hints: Matched DEFAULT at 37
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_digest: Converting Digest-Attributes to something sane...
        Digest-User-Name = "mueller"
        Digest-Realm = "foo.net"
        Digest-Nonce = "4644755667a689e984782790079e364c119ce4f0"
        Digest-URI = "sip:10.10.10.24"
        Digest-Method = "REGISTER"
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module "digest" returns ok for request 0
    rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched DEFAULT at 8
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for mueller
radius_xlat:  '(sAMAccountName=mueller)'
radius_xlat:  'ou=users,ou=foo,dc=m,dc=foo,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 129.129.193.110:389, authentication 0
rlm_ldap: bind as cn=mueller,ou=users,ou=foo,dc=m,dc=foo,dc=net/PaSw0R$D
to 10.10.10.110:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,ou=foo,dc=m,dc=foo,dc=net, with
filter (sAMAccountName=mueller)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding title as Digest-HA1, value
8e041f49c9e4a473d58c0f7700e7049d & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user mueller authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Digest
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_digest: Configuration item "User-Password" is required for
authentication.
  modcall[authenticate]: module "digest" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...

-----------------------------------
Karel Stadler
Network Technician
Paul Scherrer Institute
CH-5332 Villigen
Switzerland
-----------------------------------
PGP KeyId:0x1B740D81 
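
Added example, not part of the original post and not FreeRADIUS code: it decodes Digest-Attributes values in the type/length/value layout visible in the debug output above and checks a Digest-Response from a stored HA1 alone, using the RFC 2617 formula without qop. The user, realm, nonce, URI and password are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

# Sub-attribute codes as seen in the debug output above (type, length, value).
SUBTYPES = {1: "realm", 2: "nonce", 3: "method", 4: "uri", 10: "user"}

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def ha1(username, realm, password):
    """Directory value: MD5("username:realm:password")."""
    return md5_hex(f"{username}:{realm}:{password}")

def encode_attr(subtype, value):
    """One Digest-Attributes value; the length byte counts the 2-byte header."""
    data = value.encode()
    return bytes([subtype, len(data) + 2]) + data

def parse_attrs(blobs):
    """Decode Digest-Attributes values into a dict keyed by field name."""
    fields = {}
    for blob in blobs:
        pos = 0
        while pos < len(blob):
            if pos + 2 > len(blob) or blob[pos + 1] < 2 or pos + blob[pos + 1] > len(blob):
                raise ValueError("malformed Digest-Attributes value")
            subtype, length = blob[pos], blob[pos + 1]
            if subtype in SUBTYPES:
                fields[SUBTYPES[subtype]] = blob[pos + 2:pos + length].decode()
            pos += length
    return fields

def expected_response(stored_ha1, fields):
    """RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = md5_hex(f"{fields['method']}:{fields['uri']}")
    return md5_hex(f"{stored_ha1}:{fields['nonce']}:{ha2}")

def verify(stored_ha1, blobs, digest_response):
    """True when the client's response matches; the cleartext is never used."""
    want = expected_response(stored_ha1, parse_attrs(blobs))
    return hmac.compare_digest(want, digest_response.lower())

# Constructed sample request (not taken from the log above).
SAMPLE = {10: "alice", 1: "example.org", 2: "4f1c2d3e5a6b7c8d", 4: "sip:192.0.2.10", 3: "REGISTER"}
SAMPLE_BLOBS = [encode_attr(t, v) for t, v in SAMPLE.items()]
STORED_HA1 = ha1("alice", "example.org", "constructed-secret")  # what the directory holds
# Stand-in for the client's Digest-Response, computed the way a UAC would.
CLIENT_RESPONSE = expected_response(STORED_HA1, parse_attrs(SAMPLE_BLOBS))
```

A stored HA1 is enough to answer any challenge for that realm, so the directory attribute holding it needs the same access controls as a password.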