SIP UAC authentication using Digest-HA1 and Ldap

Bodin Bruno bbodin01 at univ-lr.fr
Fri May 11 16:12:06 CEST 2007


Stadler Karel wrote:
> Hello
>
> We have a setup with Active Directory and there we used a field for the
> Digest-HA1 hash (test purpose). This field
> contains an MD5-hashed value of "username:realm:password".
>
> FreeRadius is configured to do an LDAP query to the AD and pull out this
> value, which works very well.
>
> I've configured the ldap.attrmap for "checkItem Digest-HA1 ADFIELD" and
> commented out the "password_attribute=" in
> modules{} as described on a FreeRadius Wiki. Now the problem is that
> FreeRadius produces this error.
>
> "rlm_digest: Configuration item "User-Password" is required for
> authentication."
>
> How can this be solved and please don't say "tell the server what the
> password is". I need to
> know how it can be configured. We're using FreeRadius Version 1.0.1.
>
> best rgds
> -Karel Stadler
>
> ---------------------------------------------------------------------------------------
>
> rad_recv: Access-Request packet from host 127.0.0.1:33040, id=237, length=196
>         User-Name = "mueller at foo.net"
>         Digest-Attributes = 0x0a09737461646c6572
>         Digest-Attributes = 0x01087073692e6368
>         Digest-Attributes = 0x022a34363434373535363637613638396539383437383237393030373965333634633131396365346630
>         Digest-Attributes = 0x04147369703a3132392e3132392e3139322e3234
>         Digest-Attributes = 0x030a5245474953544552
>         Digest-Response = "2f9bcef76be40b7a3a2c78367ae24e8b"
>         Service-Type = IAPP-Register
>         Sip-URI-User = "mueller"
>         NAS-Port = 5060
>         NAS-IP-Address = 127.0.0.1
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   hints: Matched DEFAULT at 37
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_digest: Converting Digest-Attributes to something sane...
>         Digest-User-Name = "mueller"
>         Digest-Realm = "foo.net"
>         Digest-Nonce = "4644755667a689e984782790079e364c119ce4f0"
>         Digest-URI = "sip:10.10.10.24"
>         Digest-Method = "REGISTER"
> rlm_digest: Adding Auth-Type = DIGEST
>   modcall[authorize]: module "digest" returns ok for request 0
>     rlm_realm: Request already proxied.  Ignoring.
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 0
>     users: Matched DEFAULT at 8
>   modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for mueller
> radius_xlat:  '(sAMAccountName=mueller)'
> radius_xlat:  'ou=users,ou=foo,dc=m,dc=foo,dc=net'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 129.129.193.110:389, authentication 0
> rlm_ldap: bind as cn=mueller,ou=users,ou=foo,dc=m,dc=foo,dc=net/PaSw0R$D to 10.10.10.110:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=users,ou=foo,dc=m,dc=foo,dc=net, with filter (sAMAccountName=mueller)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding title as Digest-HA1, value 8e041f49c9e4a473d58c0f7700e7049d & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user mueller authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type Digest
> auth: type "digest"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_digest: Configuration item "User-Password" is required for authentication.
>   modcall[authenticate]: module "digest" returns invalid for request 0
> modcall: group authenticate returns invalid for request 0
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
>
> -----------------------------------
> Karel Stadler
> Network Technician
> Paul Scherrer Institute
> CH-5332 Villigen
> Switzerland
> -----------------------------------
> PGP KeyId:0x1B740D81 
>
Hi,
You need to use FreeRADIUS version 1.0.5 at minimum.
Good luck.
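
Added example, not part of the original messages and not FreeRADIUS code: how a server can check a digest response from the stored Digest-HA1 value alone, including decoding the Digest-Attributes sub-attributes seen in the debug output above. The user, realm, password, nonce and URI are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

# Sub-attribute type bytes, as they appear in the debug output above.
SUBATTR = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 10: "User-Name"}

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_digest_attributes(blobs):
    """Decode Digest-Attributes values: type (1 byte), length (1 byte,
    counting both header bytes), then the text."""
    fields = {}
    for blob in blobs:
        pos = 0
        while pos < len(blob):
            if len(blob) - pos < 2:
                raise ValueError("truncated sub-attribute header")
            kind, length = blob[pos], blob[pos + 1]
            if length < 2 or pos + length > len(blob):
                raise ValueError("bad sub-attribute length")
            if kind in SUBATTR:
                fields[SUBATTR[kind]] = blob[pos + 2:pos + length].decode()
            pos += length
    return fields

def server_verify(ha1, blobs, response):
    """Check a response using only the stored HA1 (no qop, as in the log):
    response = MD5(HA1:nonce:MD5(method:uri))."""
    f = parse_digest_attributes(blobs)
    ha2 = md5_hex(f"{f['Method']}:{f['URI']}")
    expected = md5_hex(f"{ha1}:{f['Nonce']}:{ha2}")
    return hmac.compare_digest(expected, response.lower())

def client_response(user, realm, password, nonce, method, uri):
    """What the SIP client computes from the clear-text password."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return md5_hex(f"{ha1}:{nonce}:{md5_hex(f'{method}:{uri}')}")

def sub(kind, text):
    """Encode one sub-attribute (used only to build the sample below)."""
    return bytes([kind, len(text) + 2]) + text.encode()

# Constructed sample values, not taken from the thread.
USER, REALM, NONCE, URI = "alice", "example.net", "5f3a9c", "sip:192.0.2.10"
STORED_HA1 = md5_hex(f"{USER}:{REALM}:s3cret")  # the value kept in the directory
BLOBS = [sub(10, USER), sub(1, REALM), sub(2, NONCE), sub(4, URI), sub(3, "REGISTER")]
RESPONSE = client_response(USER, REALM, "s3cret", NONCE, "REGISTER", URI)
print(server_verify(STORED_HA1, BLOBS, RESPONSE))
```

The stored HA1 is sufficient to produce a valid response for that realm, so the directory field holding it needs the same access control as a clear-text password.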


