Auth type change when it called through asterisk.

johnson elangbam elangbamjohnson at gmail.com
Tue May 20 18:42:16 CEST 2008


Hi,
     I have successfully done my authentication and authorization with perl
and digest in mixed mode, and the radius server replies with Access-Accept
packets. But when I tried to call through Asterisk, the server tries to
authenticate again and rejects. The auth type turns into Local again
though I put perl and digest. How can the auth type be perl and digest
when I call through Asterisk?

*This is the output log after the server authenticates a user:*
rad_recv: Access-Request packet from host 192.168.1.227 port 32958, id=215,
length=259
        User-Name = "100 at 192.168.1.227"
        Digest-Attributes = "\n\005100"
        Digest-Attributes = "\001\017192.168.1.227"
        Digest-Attributes = "\002*4832e5db308756e206b4536810ea3e70cf300c66"
        Digest-Attributes = "\004\023sip:192.168.1.227"
        Digest-Attributes = "\003\nREGISTER"
        Digest-Response = "805279e87b5ef1a7bc640350165079ff"
        Service-Type = SIP
        Sip-URI-User = "100"
        Cisco-AVPair = "call-id=
cceb5fc15db4417d807cbb56871a533d at 192.168.1.193"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 5060
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0x98c2a88 asigned new request. Handled so far: 1
found interpetator at address 0x98c2a88
rlm_perl: Added pair Digest-Response = 805279e87b5ef1a7bc640350165079ff
rlm_perl: Added pair Service-Type = SIP
rlm_perl: Added pair Cisco-AVPair = call-id=
cceb5fc15db4417d807cbb56871a533d at 192.168.1.193
rlm_perl: Added pair User-Name = 100 at 192.168.1.227
rlm_perl: Added pair Sip-URI-User = 100
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair NAS-Port = 5060
rlm_perl: Added pair Digest-Attributes = \n\005100
rlm_perl: Added pair Digest-Attributes = \001\017192.168.1.227
rlm_perl: Added pair Digest-Attributes =
\002*4832e5db308756e206b4536810ea3e70cf300c66
rlm_perl: Added pair Digest-Attributes = \004\023sip:192.168.1.227
rlm_perl: Added pair Digest-Attributes = \003\nREGISTER
rlm_perl: Added pair Cleartext-Password = 100
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x98c2a88
++[perl] returns ok
rlm_digest: Adding Auth-Type = DIGEST
++[digest] returns ok
    rlm_realm: Looking up realm "192.168.1.227" for User-Name = "
100 at 192.168.1.227"
    rlm_realm: No such realm "192.168.1.227"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
  rad_check_password:  Found Auth-Type DIGEST
auth: type "digest"
+- entering group authenticate
    rlm_digest: Converting Digest-Attributes to something sane...
        Digest-User-Name = "100"
        Digest-Realm = "192.168.1.227"
        Digest-Nonce = "4832e5db308756e206b4536810ea3e70cf300c66"
        Digest-URI = "sip:192.168.1.227"
        Digest-Method = "REGISTER"
A1 = 100:192.168.1.227:100
A2 = REGISTER:sip:192.168.1.227
H(A1) = fc0ea6eaea4a4b50ad280e803f4bd6a2
H(A2) = fbf27b090821dd0f71c0a0dda09e5e8e
KD =
fc0ea6eaea4a4b50ad280e803f4bd6a2:4832e5db308756e206b4536810ea3e70cf300c66:fbf27b090821dd0f71c0a0dda09e5e8e
EXPECTED 805279e87b5ef1a7bc640350165079ff
RECEIVED 805279e87b5ef1a7bc640350165079ff
++[digest] returns ok
Login OK: [100 at 192.168.1.227/<via Auth-Type = DIGEST>] (from client
192.168.1.227 port 5060)
+- entering group post-auth
perl_pool: item 0x9997960 asigned new request. Handled so far: 1
found interpetator at address 0x9997960
rlm_perl: Added pair Digest-User-Name = 100
rlm_perl: Added pair Digest-Response = 805279e87b5ef1a7bc640350165079ff
rlm_perl: Added pair Service-Type = SIP
rlm_perl: Added pair Digest-URI = sip:192.168.1.227
rlm_perl: Added pair Digest-Realm = 192.168.1.227
rlm_perl: Added pair Cisco-AVPair = call-id=
cceb5fc15db4417d807cbb56871a533d at 192.168.1.193
rlm_perl: Added pair Digest-Method = REGISTER
rlm_perl: Added pair User-Name = 100 at 192.168.1.227
rlm_perl: Added pair Sip-URI-User = 100
rlm_perl: Added pair Digest-Nonce = 4832e5db308756e206b4536810ea3e70cf300c66
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair NAS-Port = 5060
rlm_perl: Added pair Digest-Attributes = \n\005100
rlm_perl: Added pair Digest-Attributes = \001\017192.168.1.227
rlm_perl: Added pair Digest-Attributes =
\002*4832e5db308756e206b4536810ea3e70cf300c66
rlm_perl: Added pair Digest-Attributes = \004\023sip:192.168.1.227
rlm_perl: Added pair Digest-Attributes = \003\nREGISTER
rlm_perl: Added pair Cleartext-Password = 100
rlm_perl: Added pair Auth-Type = digest
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x9997960
++[perl] returns ok
Sending Access-Accept of id 215 to 192.168.1.227 port 32958
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 214 with timestamp +5
Cleaning up request 1 ID 215 with timestamp +5
Ready to process requests.

*This is the output log after the server rejects a user when it is called
through Asterisk:*

rad_recv: Access-Request packet from host 192.168.1.227 port 33036, id=222,
length=104
        Called-Station-Id = "200"
        Calling-Station-Id = "100"
        User-Name = "100"
        User-Password = "\034]W\242\237\233\312s6\210Sx\241\345pl"
        NAS-Identifier = "Asterisk"
        h323-conf-id = "1211297773.35"
        NAS-IP-Address = 192.168.1.227
        NAS-Port = 5071
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0x9cc2358 asigned new request. Handled so far: 1
found interpetator at address 0x9cc2358
rlm_perl: Added pair Calling-Station-Id = 100
rlm_perl: Added pair Called-Station-Id = 200
rlm_perl: Added pair User-Name = 100
rlm_perl: Added pair User-Password =
\034]W\242\237\233\312s6\210Sx\241\345pl
rlm_perl: Added pair NAS-Identifier = Asterisk
rlm_perl: Added pair h323-conf-id = 1211297773.35
rlm_perl: Added pair NAS-IP-Address = 192.168.1.227
rlm_perl: Added pair NAS-Port = 5071
rlm_perl: Added pair Cleartext-Password = 100
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x9cc2358
++[perl] returns ok
++[digest] returns noop
    rlm_realm: No '@' in User-Name = "100", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Login incorrect: [100/\034]W\242\237\233\312s6\210Sx\241\345pl] (from client
192.168.1.227 port 5071 cli 100)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> 100
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 222 to 192.168.1.227 port 33036
Waking up in 4.9 seconds.
Cleaning up request 2 ID 222 with timestamp +768
Ready to process requests.


with regards,
Elangbam Johnson
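
The digest check printed in the first debug log, replayed as an added example (not part of the original post and not FreeRADIUS code): it decodes the Digest-Attributes sub-attributes, recomputes the response from Cleartext-Password, and shows that the Asterisk call request carries no digest attributes for that check to use. The function names and the `auth_path` labels are assumptions; the sub-attribute numbering follows draft-sterman-aaa-sip, and the request dictionaries are transcribed from the two logs above.

```python
import hashlib
import hmac

# Sub-attribute types carried inside Digest-Attributes (draft-sterman-aaa-sip).
SUBTYPES = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 5: "QOP",
            6: "Algorithm", 7: "Body-Digest", 8: "CNonce",
            9: "Nonce-Count", 10: "User-Name"}

def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_digest_attributes(values):
    """Each value holds type (1 byte), length (1 byte, header included), data."""
    out = {}
    for raw in values:
        pos = 0
        while pos + 2 <= len(raw):
            typ, length = raw[pos], raw[pos + 1]
            if length < 3 or pos + length > len(raw):
                raise ValueError("malformed Digest-Attributes sub-attribute")
            out[SUBTYPES.get(typ, typ)] = raw[pos + 2:pos + length].decode()
            pos += length
    return out

def expected_response(attrs, cleartext_password):
    """RFC 2617 response without qop: MD5(H(A1):nonce:H(A2))."""
    ha1 = md5hex(f"{attrs['User-Name']}:{attrs['Realm']}:{cleartext_password}")
    ha2 = md5hex(f"{attrs['Method']}:{attrs['URI']}")
    return md5hex(f"{ha1}:{attrs['Nonce']}:{ha2}")

def auth_path(request, cleartext_password):
    """Hypothetical helper: says whether a digest check is possible at all."""
    if "Digest-Attributes" not in request or "Digest-Response" not in request:
        return "no-digest"          # the log shows '[digest] returns noop' here
    attrs = parse_digest_attributes(request["Digest-Attributes"])
    want = expected_response(attrs, cleartext_password)
    ok = hmac.compare_digest(want, request["Digest-Response"])
    return "digest-ok" if ok else "digest-mismatch"

# Transcribed from the REGISTER request in the first log.
REGISTER_REQ = {
    "Digest-Attributes": [b"\n\x05100", b"\x01\x0f192.168.1.227",
                          b"\x02*4832e5db308756e206b4536810ea3e70cf300c66",
                          b"\x04\x13sip:192.168.1.227", b"\x03\nREGISTER"],
    "Digest-Response": "805279e87b5ef1a7bc640350165079ff",
}
# Transcribed from the call request in the second log (password value omitted).
CALL_REQ = {"User-Name": "100", "NAS-Identifier": "Asterisk",
            "User-Password": "<hidden value from the log>"}
```
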