Re Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'

Ivan Kalik tnt at kalik.net
Tue May 6 12:32:24 CEST 2008


1. First rule is to start with default configuration and then make
changes.

2. I don't see any modules running here - only perl and preprocess. You
have obviously made major changes to the default configuration.

3. Go back to the default configuration, uncomment the digest entries and get
digest authentication working with an entry in the users file:

http://wiki.freeradius.org/Digest

4. Once that is working add your perl module into the mix. As I said
before, digest attributes might be in $RAD_CHECK rather than $RAD_REQUEST.

Ivan Kalik
Kalik Informatika ISP


On 6/5/2008, "johnson elangbam" <elangbamjohnson at gmail.com> writes:

>>Good. Now you are getting Digest-Attributes. Now uncomment digest entry
>>in authorize section of default or whatever virtual server is processing
>>this.
>Hi Kalik,
>As per your instruction I've uncommented all the digest entries
>in the authorize and authenticate sections in the sites-enabled/default file;
>unfortunately I still don't get the values of these attributes in my perl
>code to authenticate. I am confused about what I should emphasize, please help.
>
>
>*I am submitting the complete radius log from when it runs in debug mode,
>before authenticating a user, here*
>
>FreeRADIUS Version 2.0.3, for host i686-pc-linux-gnu, built on Apr  9 2008
>at 21:42:16
>Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
>There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>PARTICULAR PURPOSE.
>You may redistribute copies of FreeRADIUS under the terms of the
>GNU General Public License.
>Starting - reading configuration files ...
>including configuration file /usr/local/etc/raddb/radiusd.conf
>including configuration file /usr/local/etc/raddb/clients.conf
>including configuration file /usr/local/etc/raddb/snmp.conf
>including configuration file /usr/local/etc/raddb/eap.conf
>including configuration file /usr/local/etc/raddb/sql.conf
>including configuration file /usr/local/etc/raddb/policy.conf
>including files in directory /usr/local/etc/raddb/sites-enabled/
>including configuration file /usr/local/etc/raddb/sites-enabled/default
>including dictionary file /usr/local/etc/raddb/dictionary
>main {
>        prefix = "/usr/local"
>        localstatedir = "/usr/local/var"
>        logdir = "/usr/local/var/log/radius"
>        libdir = "/usr/local/lib"
>        radacctdir = "/usr/local/var/log/radius/radacct"
>        hostname_lookups = no
>        max_request_time = 30
>        cleanup_delay = 5
>        max_requests = 1024
>        allow_core_dumps = no
>        pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
>        checkrad = "/usr/local/sbin/checkrad"
>        debug_level = 0
>        proxy_requests = yes
> security {
>        max_attributes = 200
>        reject_delay = 1
>        status_server = yes
> }
>}
> client localhost {
>        ipaddr = 127.0.0.1
>        require_message_authenticator = no
>        secret = "testing123"
>        shortname = "localhost"
>        nastype = "other"
> }
> client 192.168.1.227 {
>        require_message_authenticator = no
>        secret = "johnson"
> }
>radiusd: #### Loading Realms and Home Servers ####
>radiusd: #### Instantiating modules ####
> instantiate {
> Module: Linked to module rlm_exec
> Module: Instantiating exec
>  exec {
>        wait = yes
>        input_pairs = "request"
>        shell_escape = yes
>  }
> Module: Linked to module rlm_expr
> Module: Instantiating expr
> Module: Linked to module rlm_expiration
> Module: Instantiating expiration
>  expiration {
>        reply-message = "Password Has Expired  "
>  }
> Module: Linked to module rlm_logintime
> Module: Instantiating logintime
>  logintime {
>        reply-message = "You are calling outside your allowed timespan  "
>        minimum-timeout = 60
>  }
> }
>radiusd: #### Loading Virtual Servers ####
>server {
> modules {
> Module: Checking authenticate {...} for more modules to load
> Module: Linked to module rlm_perl
> Module: Instantiating perl
>  perl {
>        module = "/usr/local/etc/raddb/myperltemp.pl"
>        func_authorize = "authorize"
>        func_authenticate = "authenticate"
>        func_accounting = "accounting"
>        func_preacct = "preacct"
>        func_checksimul = "checksimul"
>        func_detach = "detach"
>        func_xlat = "xlat"
>        func_pre_proxy = "pre_proxy"
>        func_post_proxy = "post_proxy"
>        func_post_auth = "post_auth"
>  }
>  perl {
>        max_clones = 32
>        start_clones = 32
>        min_spare_clones = 0
>        max_spare_clones = 32
>        cleanup_delay = 5
>        max_request_per_clone = 0
>  }
> Module: Linked to module rlm_pap
> Module: Instantiating pap
>  pap {
>        encryption_scheme = "auto"
>        auto_header = no
>  }
> Module: Linked to module rlm_chap
> Module: Instantiating chap
> Module: Linked to module rlm_digest
> Module: Instantiating digest
> Module: Checking authorize {...} for more modules to load
> Module: Linked to module rlm_preprocess
> Module: Instantiating preprocess
>  preprocess {
>        huntgroups = "/usr/local/etc/raddb/huntgroups"
>        hints = "/usr/local/etc/raddb/hints"
>        with_ascend_hack = no
>        ascend_channels_per_line = 23
>        with_ntdomain_hack = no
>        with_specialix_jetstream_hack = no
>        with_cisco_vsa_hack = no
>        with_alvarion_vsa_hack = no
>  }
> Module: Linked to module rlm_realm
> Module: Instantiating suffix
>  realm suffix {
>        format = "suffix"
>        delimiter = "@"
>        ignore_default = no
>        ignore_null = no
>  }
> Module: Linked to module rlm_eap
> Module: Instantiating eap
>  eap {
>        default_eap_type = "md5"
>        timer_expire = 60
>        ignore_unknown_eap_types = no
>        cisco_accounting_username_bug = no
>  }
> Module: Linked to sub-module rlm_eap_md5
> Module: Instantiating eap-md5
> Module: Linked to sub-module rlm_eap_leap
> Module: Instantiating eap-leap
> Module: Linked to sub-module rlm_eap_gtc
> Module: Instantiating eap-gtc
>   gtc {
>        challenge = "Password: "
>        auth_type = "PAP"
>   }
> Module: Linked to sub-module rlm_eap_tls
> Module: Instantiating eap-tls
>   tls {
>        rsa_key_exchange = no
>        dh_key_exchange = yes
>        rsa_key_length = 512
>        dh_key_length = 512
>        verify_depth = 0
>        pem_file_type = yes
>        private_key_file = "/usr/local/etc/raddb/certs/server.pem"
>        certificate_file = "/usr/local/etc/raddb/certs/server.pem"
>        CA_file = "/usr/local/etc/raddb/certs/ca.pem"
>        private_key_password = "whatever"
>        dh_file = "/usr/local/etc/raddb/certs/dh"
>        random_file = "/usr/local/etc/raddb/certs/random"
>        fragment_size = 1024
>        include_length = yes
>        check_crl = no
>        cipher_list = "DEFAULT"
>        make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
>   }
> Module: Linked to sub-module rlm_eap_ttls
> Module: Instantiating eap-ttls
>   ttls {
>        default_eap_type = "md5"
>        copy_request_to_tunnel = no
>        use_tunneled_reply = no
>   }
> Module: Linked to sub-module rlm_eap_peap
> Module: Instantiating eap-peap
>   peap {
>        default_eap_type = "mschapv2"
>        copy_request_to_tunnel = no
>        use_tunneled_reply = no
>        proxy_tunneled_request_as_eap = yes
>   }
> Module: Linked to sub-module rlm_eap_mschapv2
> Module: Instantiating eap-mschapv2
>   mschapv2 {
>        with_ntdomain_hack = no
>   }
> Module: Linked to module rlm_files
> Module: Instantiating files
>  files {
>        usersfile = "/usr/local/etc/raddb/users"
>        acctusersfile = "/usr/local/etc/raddb/acct_users"
>        preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
>        compat = "no"
>  }
> Module: Checking preacct {...} for more modules to load
> Module: Linked to module rlm_acct_unique
> Module: Instantiating acct_unique
>  acct_unique {
>        key = "User-Name, Acct-Session-Id, NAS-IP-Address,
>Client-IP-Address, NAS-Port"
>  }
> Module: Checking accounting {...} for more modules to load
> Module: Linked to module rlm_detail
> Module: Instantiating detail
>  detail {
>        detailfile =
>"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>        header = "%t"
>        detailperm = 384
>        dirperm = 493
>        locking = no
>        log_packet_header = no
>  }
> Module: Linked to module rlm_radutmp
> Module: Instantiating radutmp
>  radutmp {
>        filename = "/usr/local/var/log/radius/radutmp"
>        username = "%{User-Name}"
>        case_sensitive = yes
>        check_with_nas = yes
>        perm = 384
>        callerid = yes
>  }
> Module: Linked to module rlm_attr_filter
> Module: Instantiating attr_filter.accounting_response
>  attr_filter attr_filter.accounting_response {
>        attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
>        key = "%{User-Name}"
>  }
> Module: Checking session {...} for more modules to load
> Module: Checking post-proxy {...} for more modules to load
> Module: Checking post-auth {...} for more modules to load
> Module: Instantiating attr_filter.access_reject
>  attr_filter attr_filter.access_reject {
>        attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
>        key = "%{User-Name}"
>  }
> }
>}
>radiusd: #### Opening IP addresses and Ports ####
>listen {
>        type = "auth"
>        ipaddr = *
>        port = 0
>}
>listen {
>        type = "acct"
>        ipaddr = *
>        port = 0
>}
>main {
>        snmp = no
>        smux_password = ""
>        snmp_write_access = no
>}
>Listening on authentication address * port 1812
>Listening on accounting address * port 1813
>Listening on proxy address * port 1814
>Ready to process requests.
>
>*Here is the log output after rejecting a user*
>
>
>rad_recv: Access-Request packet from host 192.168.1.227 port 33192, id=169,
>length=271
>        User-Name = "johnson at 192.168.1.227"
>        Digest-Attributes = 0x0a096a6f686e736f6e
>        Digest-Attributes = 0x010f3139322e3136382e312e323237
>        Digest-Attributes =
>0x022a34383230326231303038353039346632353131636332393230663634666635653332333335373931
>        Digest-Attributes = 0x04137369703a3139322e3136382e312e323237
>        Digest-Attributes = 0x030a5245474953544552
>        Digest-Response = "bb91be247c053ec09ab0da78d666c469"
>        Service-Type = Sip-Session
>        Sip-Uri-User = "johnson"
>        Cisco-AVPair = "call-id=
>2ce841ba64a44ec9ad8a53c0e20fb453 at 192.168.1.193"
>        NAS-IP-Address = 127.0.0.1
>        NAS-Port = 5060
>+- entering group authorize
>++[preprocess] returns ok
>perl_pool: item 0x9cb1b90 asigned new request. Handled so far: 1
>found interpetator at address 0x9cb1b90
>rlm_perl: ###############################################################
>rlm_perl: RAD_REQUEST: Digest-Response = bb91be247c053ec09ab0da78d666c469
>rlm_perl: RAD_REQUEST: Service-Type = Sip-Session
>rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id=
>2ce841ba64a44ec9ad8a53c0e20fb453 at 192.168.1.193
>rlm_perl: RAD_REQUEST: User-Name = johnson at 192.168.1.227
>rlm_perl: RAD_REQUEST: Sip-Uri-User = johnson
>rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
>rlm_perl: RAD_REQUEST: NAS-Port = 5060
>rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x9e79f88)
>rlm_perl: ###############################################################
>rlm_perl: Added pair Digest-Response = bb91be247c053ec09ab0da78d666c469
>rlm_perl: Added pair Service-Type = Sip-Session
>rlm_perl: Added pair Cisco-AVPair = call-id=
>2ce841ba64a44ec9ad8a53c0e20fb453 at 192.168.1.193
>rlm_perl: Added pair User-Name = johnson at 192.168.1.227
>rlm_perl: Added pair Sip-Uri-User = johnson
>rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
>rlm_perl: Added pair NAS-Port = 5060
>rlm_perl: Added pair Digest-Attributes = 0x0a096a6f686e736f6e
>rlm_perl: Added pair Digest-Attributes = 0x010f3139322e3136382e312e323237
>rlm_perl: Added pair Digest-Attributes =
>0x022a34383230326231303038353039346632353131636332393230663634666635653332333335373931
>rlm_perl: Added pair Digest-Attributes =
>0x04137369703a3139322e3136382e312e323237
>rlm_perl: Added pair Digest-Attributes = 0x030a5245474953544552
>rlm_perl: Added pair Reply-Message = Incorrect Password
>perl_pool total/active/spare [32/0/32]
>Unreserve perl at address 0x9cb1b90
>++[perl] returns reject
>Invalid user: [johnson at 192.168.1.227/<no User-Password attribute>] (from
>client 192.168.1.227 port 5060)
>  Found Post-Auth-Type Reject
>+- entering group REJECT
>        expand: %{User-Name} -> johnson at 192.168.1.227
> attr_filter: Matched entry DEFAULT at line 11
>++[attr_filter.access_reject] returns updated
>Delaying reject of request 0 for 1 seconds
>Going to the next request
>Waking up in 0.9 seconds.
>rad_recv: Access-Request packet from host 192.168.1.227 port 33193, id=170,
>length=271
>        User-Name = "johnson at 192.168.1.227"
>        Digest-Attributes = 0x0a096a6f686e736f6e
>        Digest-Attributes = 0x010f3139322e3136382e312e323237
>        Digest-Attributes =
>0x022a34383230326231303038353039346632353131636332393230663634666635653332333335373931
>        Digest-Attributes = 0x04137369703a3139322e3136382e312e323237
>        Digest-Attributes = 0x030a5245474953544552
>        Digest-Response = "bb91be247c053ec09ab0da78d666c469"
>        Service-Type = Sip-Session
>        Sip-Uri-User = "johnson"
>        Cisco-AVPair = "call-id=
>2ce841ba64a44ec9ad8a53c0e20fb453 at 192.168.1.193"
>        NAS-IP-Address = 127.0.0.1
>        NAS-Port = 5060
>+- entering group authorize
>++[preprocess] returns ok
>perl_pool: item 0x9eeddc8 asigned new request. Handled so far: 1
>found interpetator at address 0x9eeddc8
>rlm_perl: ###############################################################
>rlm_perl: RAD_REQUEST: Digest-Response = bb91be247c053ec09ab0da78d666c469
>rlm_perl: RAD_REQUEST: Service-Type = Sip-Session
>rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id=
>2ce841ba64a44ec9ad8a53c0e20fb453 at 192.168.1.193
>rlm_perl: RAD_REQUEST: User-Name = johnson at 192.168.1.227
>rlm_perl: RAD_REQUEST: Sip-Uri-User = johnson
>rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
>rlm_perl: RAD_REQUEST: NAS-Port = 5060
>rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x9f83c98)
>rlm_perl: ###############################################################
>rlm_perl: Added pair Digest-Response = bb91be247c053ec09ab0da78d666c469
>rlm_perl: Added pair Service-Type = Sip-Session
>rlm_perl: Added pair Cisco-AVPair = call-id=
>2ce841ba64a44ec9ad8a53c0e20fb453 at 192.168.1.193
>rlm_perl: Added pair User-Name = johnson at 192.168.1.227
>rlm_perl: Added pair Sip-Uri-User = johnson
>rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
>rlm_perl: Added pair NAS-Port = 5060
>rlm_perl: Added pair Digest-Attributes = 0x0a096a6f686e736f6e
>rlm_perl: Added pair Digest-Attributes = 0x010f3139322e3136382e312e323237
>rlm_perl: Added pair Digest-Attributes =
>0x022a34383230326231303038353039346632353131636332393230663634666635653332333335373931
>rlm_perl: Added pair Digest-Attributes =
>0x04137369703a3139322e3136382e312e323237
>rlm_perl: Added pair Digest-Attributes = 0x030a5245474953544552
>rlm_perl: Added pair Reply-Message = Incorrect Password
>perl_pool total/active/spare [32/0/32]
>Unreserve perl at address 0x9eeddc8
>++[perl] returns reject
>Invalid user: [johnson at 192.168.1.227/<no User-Password attribute>] (from
>client 192.168.1.227 port 5060)
>  Found Post-Auth-Type Reject
>+- entering group REJECT
>        expand: %{User-Name} -> johnson at 192.168.1.227
> attr_filter: Matched entry DEFAULT at line 11
>++[attr_filter.access_reject] returns updated
>Delaying reject of request 1 for 1 seconds
>Going to the next request
>Waking up in 0.4 seconds.
>Sending delayed reject for request 0
>Sending Access-Reject of id 169 to 192.168.1.227 port 33192
>        Reply-Message = "Incorrect Password"
>Waking up in 0.4 seconds.
>Sending delayed reject for request 1
>Sending Access-Reject of id 170 to 192.168.1.227 port 33193
>        Reply-Message = "Incorrect Password"
>Waking up in 4.5 seconds.
>Cleaning up request 0 ID 169 with timestamp +8
>Waking up in 0.4 seconds.
>Cleaning up request 1 ID 170 with timestamp +8
>Ready to process requests.
>
>
>Thanks for your valuable time.
>
>With regards,
>Elangbam Johnson
>
>
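The debug output above shows why the perl module never sees `Digest-User-name`, `Digest-Realm` and friends: the NAS sends them packed inside `Digest-Attributes`, one TLV per attribute (a type byte, a length byte that counts the two header bytes, then the value), and they only become separate named attributes once rlm_digest has unpacked them. The following is an added example, not code from this thread or from FreeRADIUS, that decodes the exact `Digest-Attributes` values printed in the log into their names (type numbers taken from the draft-sterman/FreeRADIUS dictionary: 1 Realm, 2 Nonce, 3 Method, 4 URI, 5 Qop, 6 Algorithm, 7 Body-Digest, 8 CNonce, 9 Nonce-Count, 10 User-Name) and then performs the RFC 2617 MD5 check that rlm_digest, or a perl module doing the same job, has to do once it has those fields. The password `hunter2` is a placeholder assumption; the real one is not on the page, so the log's `Digest-Response` cannot be reproduced here.

```python
import hashlib
import hmac

# Sub-attribute numbering used inside RADIUS Digest-Attributes
# (draft-sterman-aaa-sip / FreeRADIUS dictionary).
DIGEST_SUBATTRS = {
    1: "Digest-Realm",
    2: "Digest-Nonce",
    3: "Digest-Method",
    4: "Digest-URI",
    5: "Digest-Qop",
    6: "Digest-Algorithm",
    7: "Digest-Body-Digest",
    8: "Digest-CNonce",
    9: "Digest-Nonce-Count",
    10: "Digest-User-Name",
}

# The five Digest-Attributes values and the Digest-Response exactly as they
# appear in the radiusd -X output in this thread.
LOG_DIGEST_ATTRIBUTES = [
    "0x0a096a6f686e736f6e",
    "0x010f3139322e3136382e312e323237",
    "0x022a34383230326231303038353039346632353131636332393230663634666635653332333335373931",
    "0x04137369703a3139322e3136382e312e323237",
    "0x030a5245474953544552",
]
LOG_DIGEST_RESPONSE = "bb91be247c053ec09ab0da78d666c469"


def decode_digest_attributes(hex_values):
    """Unpack Digest-Attributes TLVs (as printed by radiusd -X) into a dict.

    Each value is: type (1 byte), length (1 byte, includes the 2 header
    bytes), value. Malformed lengths are rejected rather than silently
    truncated, since a bad NAS could otherwise smuggle garbage into the
    realm/URI fields.
    """
    out = {}
    for hex_value in hex_values:
        data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
        pos = 0
        while pos < len(data):
            if len(data) - pos < 2:
                raise ValueError("truncated Digest-Attributes header")
            subtype, length = data[pos], data[pos + 1]
            if length < 2 or pos + length > len(data):
                raise ValueError("bad sub-attribute length %d" % length)
            value = data[pos + 2:pos + length].decode("ascii")
            out[DIGEST_SUBATTRS.get(subtype, "Digest-Unknown-%d" % subtype)] = value
            pos += length
    return out


def _md5hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def expected_response(attrs, password):
    """RFC 2617 response for the decoded fields and a cleartext password.

    Only algorithm=MD5 is handled (the log carries no Digest-Algorithm, so
    MD5 is the default); MD5-sess is refused explicitly.
    """
    if attrs.get("Digest-Algorithm", "MD5").upper() != "MD5":
        raise ValueError("unsupported algorithm %s" % attrs["Digest-Algorithm"])
    ha1 = _md5hex("%s:%s:%s" % (attrs["Digest-User-Name"], attrs["Digest-Realm"], password))
    ha2 = _md5hex("%s:%s" % (attrs["Digest-Method"], attrs["Digest-URI"]))
    qop = attrs.get("Digest-Qop")
    if qop is None:
        # No qop (the case in the log above): response = MD5(HA1:nonce:HA2)
        return _md5hex("%s:%s:%s" % (ha1, attrs["Digest-Nonce"], ha2))
    if qop == "auth-int":
        ha2 = _md5hex("%s:%s:%s" % (attrs["Digest-Method"], attrs["Digest-URI"],
                                    attrs["Digest-Body-Digest"]))
    return _md5hex(":".join([ha1, attrs["Digest-Nonce"], attrs["Digest-Nonce-Count"],
                             attrs["Digest-CNonce"], qop, ha2]))


def verify_digest(attrs, digest_response, password):
    """Constant-time comparison of the client's Digest-Response with ours."""
    return hmac.compare_digest(expected_response(attrs, password), digest_response.lower())


if __name__ == "__main__":
    decoded = decode_digest_attributes(LOG_DIGEST_ATTRIBUTES)
    for name, value in decoded.items():
        print("%-18s %s" % (name, value))
    # "hunter2" is an assumed password; the real one is not in the thread.
    print("matches with assumed password:", verify_digest(decoded, LOG_DIGEST_RESPONSE, "hunter2"))
```

Running it prints `Digest-User-Name johnson`, `Digest-Realm 192.168.1.227`, `Digest-Nonce 48202b1008...`, `Digest-URI sip:192.168.1.227` and `Digest-Method REGISTER`, which is what the five opaque hex strings in the log encode. Two things worth keeping in mind when doing this in a perl module: the server needs the cleartext password (or a precomputed HA1 for that realm) to verify, and the nonce is chosen by the SIP proxy, so replay protection lives in the NAS, not in the RADIUS check.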
