[SR-Users] Help needed for OpenSer with Radius
Daniel-Constantin Mierla
miconda at gmail.com
Fri Aug 6 12:06:33 CEST 2010
Hello,
the radius client library has a file where you configure the servers,
have you configured it?
http://www.kamailio.org/docs/openser-radius-1.0.x.html#radiusclient_ng_servers
Cheers,
Daniel
On 8/3/10 10:13 AM, Pratik Shrestha wrote:
> Dear Daniel,
>
> Yeah right. I totally forgot, it's a reverse dns.
> Now I checked the radius server in debug mode and I cannot see any
> request from openser trying to connect to radius server. So, the
> request from openser is not reaching the radius server.
> Then I installed wireshark and checked the ip address 128.185.38.162
> (radius server ip add) in the
> server where openser was installed. There also I did not find any
> entry related to 128.185.38.16.
> So, it seems my configuration is wrong. I am sending you the
> configuration of openser.cfg and radiusclient.conf.
>
> openser.cfg
>
> SSH Secure Shell 3.2.3 (Build 279)
> Copyright (c) 2000-2003 SSH Communications Security Corp -
> http://www.ssh.com/
>
> This copy of SSH Secure Shell is a non-commercial version.
> This version does not include PKI and PKCS #11 functionality.
>
>
> Linux isoftel-desktop 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16
> 08:10:02 UTC 2010 i686 GNU/Linux
> Ubuntu 10.04 LTS
>
> Welcome to Ubuntu!
> * Documentation: https://help.ubuntu.com/
>
> Last login: Tue Aug 3 10:35:05 2010 from 192.168.0.148
> isoftel at isoftel-desktop:~$ cd /usr/local/etc/openser/
> isoftel at isoftel-desktop:/usr/local/etc/openser$ cat openser.cfg
> #
> # $Id$
> #
> # radius config script
> #
>
> # ----------- global configuration parameters ------------------------
>
> debug=6 # debug level (cmd line: -dddddddddd)
> log_stderror=yes # (cmd line: -E)
>
> check_via=no # (cmd. line: -v)
> dns=no # (cmd. line: -r)
> rev_dns=no # (cmd. line: -R)
> port=5060
> children=4
> #listen=udp:localhost
> #alias="kamailio.org"
>
> fifo="/tmp/openser_fifo"
>
> # ------------------ module loading ----------------------------------
> mpath="/usr/local/lib/openser/modules"
>
> loadmodule "mysql.so"
> loadmodule "sl.so"
> loadmodule "tm.so"
> loadmodule "rr.so"
> loadmodule "maxfwd.so"
> loadmodule "avpops.so"
> loadmodule "usrloc.so"
> loadmodule "registrar.so"
> loadmodule "textops.so"
> loadmodule "xlog.so"
> loadmodule "uri.so"
> loadmodule "acc.so"
> loadmodule "auth.so"
> loadmodule "auth_radius.so"
> loadmodule "group_radius.so"
> loadmodule "avp_radius.so"
>
> # ----------------- setting module-specific parameters ---------------
>
> # -- usrloc params --
> #modparam("usrloc","db_url","mysql://openser:openserrw@localhost/openser")
> modparam("usrloc", "db_mode", 2)
>
> # -- acc params --
> modparam("acc", "radius_flag", 1)
> modparam("acc", "radius_missed_flag", 2)
> modparam("acc", "log_flag", 1)
> modparam("acc", "log_missed_flag", 1)
> modparam("acc", "service_type", 15)
> modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp")
> modparam("acc|auth_radius|group_radius|avp_radius", "radius_config",
> "/etc/radiusclient-ng/radiusclient.conf")
>
> # -- group_radius params --
> modparam("group_radius", "use_domain", 1)
>
> # -- avpops params --
> modparam("avpops", "avp_aliases", "day=i:101;time=i:102")
>
> # -- rr params --
> # add value to ;lr param to make some broken UAs happy
> modparam("rr", "enable_full_lr", 1)
>
> # ------------------------- request routing logic -------------------
>
> # main routing logic
>
> route{
>
> # initial sanity checks -- messages with
> # max_forwards==0, or excessively long requests
> if (!mf_process_maxfwd_header("10")) {
> sl_send_reply("483","Too Many Hops");
> exit;
> };
>
> if (msg:len >= 2048 ) {
> sl_send_reply("513", "Message too big");
> exit;
> };
>
> # check if user is suspended
> if(is_method("REGISTER|INVITE|MESSAGE|OPTIONS|SUBSCRIBE"))
> {
> if (radius_is_user_in("From", "suspended")) {
> sl_send_reply("403", "Forbidden - suspended");
> exit;
> };
> };
> # we record-route all messages -- to make sure that
> # subsequent messages will go through our proxy; that's
> # particularly good if upstream and downstream entities
> # use different transport protocol
> if (!method=="REGISTER")
> record_route();
>
> # subsequent messages within a dialog should take the
> # path determined by record-routing
> if (loose_route()) {
> # mark routing logic in request
> append_hf("P-hint: rr-enforced\r\n");
> if(is_method("BYE"))
> { # log it all the time
> acc_rad_request("200 ok");
> acc_log_request("200 ok");
> }
> route(1);
> };
>
> if(is_method("INVITE") && !has_totag())
> { # set the acc flags
> setflag(1);
> setflag(2);
> };
>
> if (!uri==myself) {
> # check if user is allowed to do voip calls to other domains
> if(is_method("INVITE|MESSAGE")) {
> if (!radius_is_user_in("From", "voip")) {
> sl_send_reply("403", "Forbidden VoIP");
> exit;
> };
> };
> # mark routing logic in request
> append_hf("P-hint: outbound\r\n");
> route(1);
> };
>
> # if the request is for other domain use UsrLoc
> # (in case, it does not work, use the following command
> # with proper names and addresses in it)
> if (uri==myself) {
> # authenticate registers
> if (method=="REGISTER") {
> if (!radius_www_authorize("")) {
> www_challenge("", "1");
> exit;
> };
>
> # check the src ip address
> if(!avp_check("i:2", "eq/$src_ip/ig"))
> {
> sl_send_reply("403", "Forbidden IP");
> exit;
> };
>
> save("location");
> exit;
> };
>
> # calls to pstn
> if(uri=~"sip:00[1-9][0-9]+@") {
> if(is_method("INVITE") && !has_totag()) {
> if (!radius_is_user_in("From", "pstn")) {
> sl_send_reply("403", "Forbidden PSTN");
> exit;
> };
> };
> # set gateway address
> rewritehostport("localhost:5090");
> route(1);
> };
> # load callee's avps
> if(avp_load_radius("callee"))
> {
> # check if user has time filter enabled
> if(avp_check("i:3", "eq/i:1"))
> {
> # print time in an avp
> avp_printf("i:100", "$Tf");
> # extract day
> avp_subst("i:100/i:101", "/(.{3}) .+/*\1*/");
> if(!avp_check("i:6", "fm/$day")) {
> sl_send_reply("403", "Forbidden - day");
> exit;
> };
> # extract 'hours:minutes'
> avp_subst("i:100/i:102", "/(.{10}) (.{5}):.+/\2/");
> if((is_avp_set("i:4") && avp_check("i:4", "gt/$time"))
> || (is_avp_set("i:5") && avp_check("i:5", "lt/$time"))) {
> sl_send_reply("403", "Forbidden - time");
> exit;
> };
> };
> };
> # native SIP destinations are handled using our USRLOC DB
> if (!lookup("location")) {
> # log to acc as missed call
> acc_rad_request("404 Not Found");
> acc_log_request("404 Not Found");
> sl_send_reply("404", "Not Found");
> exit;
> };
> append_hf("P-hint: usrloc applied\r\n");
> };
>
> route(1);
> }
>
> # generic forward
> route[1] {
> # send it out now; use stateful forwarding as it works reliably
> # even for UDP2TCP
> if (!t_relay()) {
> sl_reply_error();
> };
> exit;
> }
>
>
> radiusclient-ng.conf
>
> # General settings
>
> # specify which authentication comes first respectively which
> # authentication is used. possible values are: "radius" and "local".
> # if you specify "radius,local" then the RADIUS server is asked
> # first then the local one. if only one keyword is specified only
> # this server is asked.
> auth_order radius
> #add 'local' with comma
>
> # maximum login tries a user has
> login_tries 4
>
> # timeout for all login tries
> # if this time is exceeded the user is kicked out
> login_timeout 60
>
> # name of the nologin file which when it exists disables logins.
> # it may be extended by the ttyname which will result in
> # a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
> # logins on /dev/ttyS2)
> nologin /etc/nologin
>
> # name of the issue file. it's only displayed when no username is passed
> # on the radlogin command line
> issue /etc/radiusclient-ng/issue
>
> # RADIUS settings
>
> # RADIUS server to use for authentication requests. this config
> # item can appear more than once. if multiple servers are
> # defined they are tried in a round robin fashion if one
> # server is not answering.
> # optionally you can specify the port number on which the remote
> # RADIUS server listens, separated by a colon from the hostname. if
> # no port is specified /etc/services is consulted for the radius
> # service. if this fails also a compiled in default is used.
> authserver 128.185.38.162
>
> # RADIUS server to use for accounting requests. All that I
> # said for authserver applies, too.
> #
> acctserver 128.185.38.162
>
> # file holding shared secrets used for the communication
> # between the RADIUS client and server
> servers /etc/radiusclient-ng/servers
>
> # dictionary of allowed attributes and values
> # just like in the normal RADIUS distributions
> dictionary /etc/radiusclient-ng/dictionary
>
> # program to call for a RADIUS authenticated login
> login_radius /usr/sbin/login.radius
>
> # file which holds sequence number for communication with the
> # RADIUS server
> seqfile /var/run/radius.seq
>
> # file which specifies mapping between ttyname and NAS-Port attribute
> mapfile /etc/radiusclient-ng/port-id-map
>
> # default authentication realm to append to all usernames if no
> # realm was explicitly specified by the user
> # the radiusd directly from Livingston doesn't use any realms, so leave
> # it blank then
> default_realm
>
> # time to wait for a reply from the RADIUS server
> radius_timeout 10
>
> # resend request this many times before trying the next server
> radius_retries 3
>
> # local address from which radius packets have to be sent
> bindaddr localhost
> #change with 'localhost'
>
> # LOCAL settings
>
> # program to execute for local login
> # it must support the -f flag for preauthenticated login
> login_local /bin/login
>
>
> I have edited servers file also with the servername and secret.
>
> Thank you very much.
>
> Regards,
> Pratik
>
> On Mon, Aug 2, 2010 at 11:26 PM, Daniel-Constantin Mierla
> <miconda at gmail.com> wrote:
>
> Hello,
>
>
> On 8/2/10 12:36 PM, Pratik Shrestha wrote:
>> Dear Daniel,
>> Now the new issue. Seems now openser is trying to talk with
>> radius server. But still I am getting the one error in syslog
>> which is as follows.
>>
>> rc_send_server: no reply from RADIUS server
>> 128-185-38-162.totisp.net:1812
>>
>> Actually I have written only 128.185.38.162 in auth_server in
>> radiusclient.conf. I don't know how this totisp.net
>> is added. I haven't mentioned it anywhere.
>
> probably reverse dns is done in the library, it is not relevant
> anyhow. Can you start radius server in debug mode and see if it
> got some request? You can also do a ngrep/wireshark on port 1812
> of your radius server to watch for network packets coming from
> kamailio.
>
> Cheers,
> Daniel
>
>
>>
>> Please help me.
>> Thanks.
>>
>> Regards,
>> Pratik
>>
>> On Mon, Aug 2, 2010 at 11:44 AM, Pratik Shrestha
>> <pratikdbl at gmail.com> wrote:
>>
>> Dear Daniel,
>>
>> Before I work for the new version, I am first trying to
>> configure old version of openser and radius. I am using
>> openser version 1.0.1 and radius client version 0.5.1 and I
>> am following the tutorial given in
>> http://kamailio.net/docs/openser-radius-1.0.x.html.
>>
>> My freeradius server is in another machine and when I use
>> radclient to check the user I made, I get the "Authenticated"
>> message.
>> But when I use X-lite and connect to openser, it seems
>> openser is not talking with freeradius servers. I am sure the
>> "secret" I am using is right as I have already tested from
>> radclient. The log which I am getting in openser is as shown
>> below
>>
>> 9(1986) SIP Request:
>> 9(1986) method: <REGISTER>
>> 9(1986) uri: <sip:192.168.0.56>
>> 9(1986) version: <SIP/2.0>
>> 9(1986) parse_headers: flags=2
>> 9(1986) Found param type 232, <branch> =
>> <z9hG4bK-d8754z-c33212005635f16c-1---d8754z->; state=6
>> 9(1986) Found param type 235, <rport> = <n/a>; state=17
>> 9(1986) end of header reached, state=5
>> 9(1986) parse_headers: Via found, flags=2
>> 9(1986) parse_headers: this is the first via
>> 9(1986) After parse_msg...
>> 9(1986) preparing to run routing scripts...
>> 9(1986) parse_headers: flags=100
>> 9(1986) DEBUG:maxfwd:is_maxfwd_present: value = 70
>> 9(1986) parse_headers: flags=10
>> 9(1986) DEBUG:parse_to:end of header reached, state=9
>> 9(1986) DEBUG: get_hdr_field: <To> [44];
>> uri=[sip:101%40kamailio.org@192.168.0.56]
>> 9(1986) DEBUG: to body ["101"<sip:101%40kamailio.org@192.168.0.56>
>> ]
>> 9(1986) DEBUG: add_param: tag=cc6e4259
>> 9(1986) DEBUG:parse_to:end of header reached, state=29
>> 9(1986) radius_is_user_in(): Failure
>> 9(1986) parse_headers: flags=200
>> 9(1986) get_hdr_field: cseq <CSeq>: <2> <REGISTER>
>> 9(1986) DEBUG: get_hdr_body : content_length=0
>> 9(1986) found end of header
>> 9(1986) find_first_route: No Route headers found
>> 9(1986) loose_route: There is no Route HF
>> 9(1986) grep_sock_info - checking if host==us: 12==9 &&
>> [192.168.0.56] == [127.0.0.1]
>> 9(1986) grep_sock_info - checking if port 5060 matches port 5060
>> 9(1986) grep_sock_info - checking if host==us: 12==12 &&
>> [192.168.0.56] == [192.168.0.56]
>> 9(1986) grep_sock_info - checking if port 5060 matches port 5060
>> 9(1986) grep_sock_info - checking if host==us: 12==9 &&
>> [192.168.0.56] == [127.0.0.1]
>> 9(1986) grep_sock_info - checking if port 5060 matches port 5060
>> 9(1986) grep_sock_info - checking if host==us: 12==12 &&
>> [192.168.0.56] == [192.168.0.56]
>> 9(1986) grep_sock_info - checking if port 5060 matches port 5060
>> 9(1986) check_nonce(): comparing
>> [4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c] and
>> [4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c]
>> 9(1986) ERROR:auth_radius:radius_authorize_sterman: rc_auth
>> failed
>> 9(1986) build_auth_hf(): 'WWW-Authenticate: Digest
>> realm="192.168.0.56",
>> nonce="4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c"
>> '
>> 9(1986) parse_headers: flags=ffffffffffffffff
>> 9(1986) check_via_address(192.168.0.148, 192.168.182.3, 0)
>> 9(1986) DEBUG:destroy_avp_list: destroying list (nil)
>> 9(1986) receive_msg: cleaning up
>>
>> At freeradius also, no request goes from openser.
>>
>> Please advise me how to get rid of this problem.
>>
>> Best Regards,
>> Pratik
>>
>>
>> On Wed, Jul 28, 2010 at 5:56 PM, Pratik Shrestha
>> <pratikdbl at gmail.com> wrote:
>>
>> Thanks a lot. I will give it a try
>>
>> Pratik
>>
>>
>> On Wed, Jul 28, 2010 at 3:48 PM, Daniel-Constantin Mierla
>> <miconda at gmail.com> wrote:
>>
>> Hello,
>>
>>
>> On 7/22/10 6:06 AM, Pratik Shrestha wrote:
>>
>> Dear All,
>>
>> I am very new to OpenSer. I want to use latest
>> version of OpenSer with Radius. I need the
>> documentation/tutorial on how to do this.
>> Googling, I only found for the old version. Please
>> help me.
>>
>>
>> indeed, there is a rather old version:
>>
>> http://www.kamailio.org/docs/openser-radius-1.0.x.html
>>
>> What I can say now is that you can skip the part of
>> installing kamailio and use next link instead:
>> http://www.kamailio.org/dokuwiki/doku.php/install:kamailio-3.0.x-from-git
>>
>> Radius client library is now in most of common Linux
>> distributions, so you can install it with the package
>> manager (you need the devel headers as well, the -dev
>> package).
>>
>> FreeRadius configuration should be more or less the same.
>>
>> The config of kamailio has changed quite a lot. Use
>> the default one from kamailio, follow the WITH_AUTH
>> define conditions and replace auth_db with
>> auth_radius modules and functions. Also, the rest of
>> radius modules were merged into misc_radius. For
>> enabling radius acc, you need to recompile acc module
>> after editing the Makefile in module directory.
>>
>> Hope it helps to start, ask here if you get stuck.
>>
>>
>> Cheers,
>> Daniel
>>
>> --
>> Daniel-Constantin Mierla
>> http://www.asipto.com/
>>
>>
>>
>>
>
> --
> Daniel-Constantin Mierla
> http://www.asipto.com/
>
>
>
--
Daniel-Constantin Mierla
http://www.asipto.com/
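A quick consistency check of the radiusclient-ng files discussed in this thread, added here as an example (it is not code from the thread or from the radiusclient-ng project): it parses radiusclient.conf and the servers file, reports any authserver/acctserver host that has no shared secret entry, and flags a loopback bindaddr paired with a non-loopback server, since a socket bound to 127.0.0.1 cannot exchange packets with a remote host. The file contents and the secret are constructed, and hosts are matched as written rather than resolved.

```python
import ipaddress

def parse_conf(text):
    """Parse radiusclient-ng.conf: one 'key value' per line, '#' starts a comment.
    authserver/acctserver may repeat, so every key maps to a list of values."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            conf.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf

def parse_servers(text):
    """Parse the 'servers' file: one 'host secret' pair per line."""
    secrets = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            secrets[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return secrets

def is_loopback(host):
    # 'localhost' or a loopback IP literal; other hostnames are not resolved here.
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def check_radiusclient(conf_text, servers_text):
    """Return (code, detail) findings; an empty list means nothing suspicious.
    Assumption: servers-file hosts are matched as written (port stripped), no DNS."""
    conf, secrets, findings = parse_conf(conf_text), parse_servers(servers_text), []
    hosts = [v.split(":")[0] for k in ("authserver", "acctserver") for v in conf.get(k, [])]
    for host in dict.fromkeys(hosts):  # de-duplicate, keep order
        if host not in secrets:
            findings.append(("missing_secret", f"{host} has no entry in the servers file"))
        elif not secrets[host]:
            findings.append(("empty_secret", f"{host} has an empty shared secret"))
    bind = conf.get("bindaddr", ["*"])[-1]
    remote = [h for h in hosts if not is_loopback(h)]
    if bind != "*" and is_loopback(bind) and remote:
        findings.append(("loopback_bind", f"bindaddr {bind} is loopback, but {remote} "
                         "are not; a loopback-bound socket cannot exchange packets with them"))
    return findings

# Constructed sample: remote server plus bindaddr localhost, servers file naming another host.
SAMPLE_CONF = "authserver 128.185.38.162\nacctserver 128.185.38.162:1813\nbindaddr localhost\n"
SAMPLE_SERVERS = "localhost testing123\n"
for code, detail in check_radiusclient(SAMPLE_CONF, SAMPLE_SERVERS):
    print(f"{code}: {detail}")
```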