Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'

johnson elangbam elangbamjohnson at gmail.com
Wed May 7 16:57:36 CEST 2008


hi,
     I am using freeradius 2.0.3 with radiusclient-ng 0.5.6. I need to used
the following attributes
Digest-User-name', 'Digest-Realm',   'Digest-Method', 'Digest-Uri',
'Digest-Nonce',   'Digest-Response' into my perl code, to do my md5
calculation, unfortunately I can't get any of the values except
Digest-Response,
hopefully i've tried all the alternatives that is posted by Ivan Kalik
earlier.

1. I've uncommented all the digest entries in sites-enabled/default file and
I've uncommented out all the perl entries from the
default.
2. I've tried accessing the digest attributes in my perl code by using
RAD_CHECK as well as RAD_CHECK.

But it doesn't work.

can anybody please tell me that is it possible to call the digest attributes
in the perl code. If it is possible, please show me the way how to call
these attributes('Digest-User-name', 'Digest-Realm',   'Digest-Method',
'Digest-Uri', 'Digest-Nonce',   'Digest-Response'.

Or will it be the problem of not getting the digest attributes by the
incompatible dictionaries of radius client and radius server.
Please help,I am really confused where is the problem.

Thanks for your valuable time.

*Here is the output files when running in debug mode before authenticate a
user*

FreeRADIUS Version 2.0.3, for host i686-pc-linux-gnu, built on May  7 2008
at 16:45:53
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including dictionary file /usr/local/etc/raddb/dictionary
main {
        prefix = "/usr/local"
        localstatedir = "/usr/local/var"
        logdir = "/usr/local/var/log/radius"
        libdir = "/usr/local/lib"
        radacctdir = "/usr/local/var/log/radius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
        checkrad = "/usr/local/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
 }
}
 client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = "testing123"
        shortname = "localhost"
        nastype = "other"
 }
 client 192.168.1.227 {
        require_message_authenticator = no
        secret = "johnson"
        shortname = "mynetwork"
        nastype = "other"
 }
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
        wait = yes
        input_pairs = "request"
        shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
        reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
        reply-message = "You are calling outside your allowed timespan  "
        minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_digest
 Module: Instantiating digest
 Module: Linked to module rlm_perl
 Module: Instantiating perl
  perl {
        module = "/usr/local/etc/raddb/myperltemp.pl"
        func_authorize = "authorize"
        func_authenticate = "authenticate"
        func_accounting = "accounting"
        func_preacct = "preacct"
        func_checksimul = "checksimul"
        func_detach = "detach"
        func_xlat = "xlat"
        func_pre_proxy = "pre_proxy"
        func_post_proxy = "post_proxy"
        func_post_auth = "post_auth"
  }
  perl {
        max_clones = 32
        start_clones = 32
        min_spare_clones = 0
        max_spare_clones = 32
        cleanup_delay = 5
        max_request_per_clone = 0
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
        huntgroups = "/usr/local/etc/raddb/huntgroups"
        hints = "/usr/local/etc/raddb/hints"
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
        default_eap_type = "md5"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
        challenge = "Password: "
        auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/usr/local/etc/raddb/certs/server.pem"
        certificate_file = "/usr/local/etc/raddb/certs/server.pem"
        CA_file = "/usr/local/etc/raddb/certs/ca.pem"
        private_key_password = "whatever"
        dh_file = "/usr/local/etc/raddb/certs/dh"
        random_file = "/usr/local/etc/raddb/certs/random"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
        make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
        default_eap_type = "md5"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
        with_ntdomain_hack = no
   }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
        usersfile = "/usr/local/etc/raddb/users"
        acctusersfile = "/usr/local/etc/raddb/acct_users"
        preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
        compat = "no"
  }
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
        encryption_scheme = "auto"
        auto_header = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
        detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
        filename = "/usr/local/var/log/radius/radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        perm = 384
        callerid = yes
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
        attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
        key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
        attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
        key = "%{User-Name}"
  }
 }
}
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 0
}
listen {
        type = "acct"
        ipaddr = *
        port = 0
}
main {
        snmp = no
        smux_password = ""
        snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.

*Here is the output after rejecting a user*

rad_recv: Access-Request packet from host 192.168.1.227 port 33360, id=95,
length=252
        User-Name = "john at 192.168.1.227"
        X-Ascend-Netware-timeout = 1785686126
        X-Ascend-Send-Secret = 0x3139322e3136382e312e323237
        X-Ascend-Receive-Secret =
0x34383231633363636239626234663963343639646561323765653066666534346438373831653830
        X-Ascend-IP-Pool-Definition = "sip:192.168.1.227"
        X-Ascend-IPX-Peer-Mode = 0x5245474953544552
        Digest-Response = "7cfeea7f2242db43d8ee8956cf116617"
        Service-Type = IAPP-Register
        X-Ascend-PW-Lifetime = 1785686126
        Cisco-AVPair = "call-id=
b848148f9ebb461b92072b1eca706df5 at 192.168.1.193"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
ERROR: Received Digest-Response without Digest-Attributes
++[digest] returns invalid
Invalid user: [john at 192.168.1.227/<no User-Password attribute>] (from client
mynetwork port 5060)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> john at 192.168.1.227
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.227 port 33361, id=96,
length=252
        User-Name = "john at 192.168.1.227"
        X-Ascend-Netware-timeout = 1785686126
        X-Ascend-Send-Secret = 0x3139322e3136382e312e323237
        X-Ascend-Receive-Secret =
0x34383231633363636239626234663963343639646561323765653066666534346438373831653830
        X-Ascend-IP-Pool-Definition = "sip:192.168.1.227"
        X-Ascend-IPX-Peer-Mode = 0x5245474953544552
        Digest-Response = "7cfeea7f2242db43d8ee8956cf116617"
        Service-Type = IAPP-Register
        X-Ascend-PW-Lifetime = 1785686126
        Cisco-AVPair = "call-id=
b848148f9ebb461b92072b1eca706df5 at 192.168.1.193"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
ERROR: Received Digest-Response without Digest-Attributes
++[digest] returns invalid
Invalid user: [john at 192.168.1.227/<no User-Password attribute>] (from client
mynetwork port 5060)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> john at 192.168.1.227
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.5 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 95 to 192.168.1.227 port 33360
Waking up in 0.4 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 96 to 192.168.1.227 port 33361
Waking up in 4.5 seconds.
Cleaning up request 0 ID 95 with timestamp +3
Waking up in 0.4 seconds.
Cleaning up request 1 ID 96 with timestamp +3
Ready to process requests.

With Regards
Elangbam Johnson
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080507/90a28bb3/attachment.html>


More information about the Freeradius-Users mailing list