<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hello,<br>
<br>
On 2/28/11 10:44 AM, Pablo Ros wrote:
<blockquote
cite="mid:AANLkTi=RnCJ7xJ57HHmgaCNFvCUwV_-dUwWp_Q8y06cJ@mail.gmail.com"
type="cite">
<span class="Apple-style-span" style="font-family:
Verdana,Arial,Helvetica,sans-serif; font-size: 12px;">I am
trying to authenticate through radius (info in LDAP database). I
am using kamailio 3.1<br style="margin: 0px; padding: 0px;">
<br style="margin: 0px; padding: 0px;">
First of all I would like to clear up an issue: <br
style="margin: 0px; padding: 0px;">
<br style="margin: 0px; padding: 0px;">
As shown the way to do the authentication is done with: <br
style="margin: 0px; padding: 0px;">
<br style="margin: 0px; padding: 0px;">
<table style="margin: 0px; padding: 0px; font-size: 1em;"
align="center" border="0" cellpadding="3" cellspacing="1"
width="90%">
<tbody style="margin: 0px; padding: 0px;">
<tr style="margin: 0px; padding: 0px;">
<td style="margin: 0px; padding: 1px;"><span
class="genmed" style="margin: 0px; padding: 0px;"><strong
style="margin: 0px; padding: 0px;">Code:</strong></span></td>
</tr>
<tr style="margin: 0px; padding: 0px;">
<td class="code" style="margin: 0px 20px; padding: 3px;
height: 40px; overflow: auto; border: 1px solid gray;
font: 12px Courier,'Courier New',sans-serif; color:
rgb(0, 102, 0); background-color: rgb(255, 255, 255);">
<br style="margin: 0px; padding: 0px;">
if (! radius_www_authorize("<a moz-do-not-send="true"
href="http://uu.net">uu.net</a>")) { <br
style="margin: 0px; padding: 0px;">
www_challenge("<a moz-do-not-send="true"
href="http://uu.net">uu.net</a>", "0"); <br
style="margin: 0px; padding: 0px;">
return; <br style="margin: 0px; padding:
0px;">
} <br style="margin: 0px; padding: 0px;">
</td>
</tr>
</tbody>
</table>
<br style="margin: 0px; padding: 0px;">
<br style="margin: 0px; padding: 0px;">
</span></blockquote>
First, if you don't have the above block in the main request route
block, replace 'return' with 'exit'.<br>
<br>
<blockquote
cite="mid:AANLkTi=RnCJ7xJ57HHmgaCNFvCUwV_-dUwWp_Q8y06cJ@mail.gmail.com"
type="cite"><span class="Apple-style-span" style="font-family:
Verdana,Arial,Helvetica,sans-serif; font-size: 12px;">
Ok, when I installed openser I did it with kamailio "flavour" so
it was using the auth_radius module belonging to it. <br
style="margin: 0px; padding: 0px;">
Does anyone know which would be the correct way to do the
challenge to the user cause it was not working at all. The
radius client does not even send it.</span></blockquote>
<br>
IIRC, even for RADIUS, the challenge is built by Kamailio auth
module, nothing exchanged with the RADIUS server for challenge.<br>
<br>
<blockquote
cite="mid:AANLkTi=RnCJ7xJ57HHmgaCNFvCUwV_-dUwWp_Q8y06cJ@mail.gmail.com"
type="cite"><span class="Apple-style-span" style="font-family:
Verdana,Arial,Helvetica,sans-serif; font-size: 12px;"> I got
stuck some time till I just decided to load the module from ser
modules folder and then freeradius server started to get
correctly my requests. Actually I can even see it authenticates
them correctly. <br style="margin: 0px; padding: 0px;">
</span></blockquote>
<br>
Can you update kamailio default config where you replace auth_db
module with auth_radius (from modules_k), and inside the routing
blocks use:<br>
<br>
- www_radius_authorize() instead of www_authorize()<br>
- proxy_radius_authorize() instead of proxy_authorize()<br>
<br>
Then start it with:<br>
<br>
kamailio -E -ddd<br>
<br>
and see if you see any hint/error there. Then run a test call and
watch the logs, you should see some errors if communication with
radius is not happening. If you don't understand exactly what
happened, send those messages here.<br>
<br>
Cheers,<br>
Daniel<br>
<blockquote
cite="mid:AANLkTi=RnCJ7xJ57HHmgaCNFvCUwV_-dUwWp_Q8y06cJ@mail.gmail.com"
type="cite"><span class="Apple-style-span" style="font-family:
Verdana,Arial,Helvetica,sans-serif; font-size: 12px;">
<br style="margin: 0px; padding: 0px;">
However Openser/Kamailio doesn't seem to see the same and it
doesn't save location. <br style="margin: 0px; padding: 0px;">
<br style="margin: 0px; padding: 0px;">
<br style="margin: 0px; padding: 0px;">
<br style="margin: 0px; padding: 0px;">
<table style="margin: 0px; padding: 0px; font-size: 1em;"
align="center" border="0" cellpadding="3" cellspacing="1"
width="90%">
<tbody style="margin: 0px; padding: 0px;">
<tr style="margin: 0px; padding: 0px;">
<td style="margin: 0px; padding: 1px;"><span
class="genmed" style="margin: 0px; padding: 0px;"><strong
style="margin: 0px; padding: 0px;">Code:</strong></span></td>
</tr>
<tr style="margin: 0px; padding: 0px;">
<td class="code" style="margin: 0px 20px; padding: 3px;
height: 40px; overflow: auto; border: 1px solid gray;
font: 12px Courier,'Courier New',sans-serif; color:
rgb(0, 102, 0); background-color: rgb(255, 255, 255);">
<br style="margin: 0px; padding: 0px;">
<br style="margin: 0px; padding: 0px;">
route[AUTH] { <br style="margin: 0px; padding: 0px;">
#!ifdef WITH_AUTH <br style="margin: 0px; padding: 0px;">
# First we check whether it belongs to our
domain; if not, there is no need to check credentials. <br
style="margin: 0px; padding: 0px;">
if (uri==myself) <br style="margin: 0px;
padding: 0px;">
{ <br style="margin: 0px; padding: 0px;">
if (is_method("REGISTER")) <br
style="margin: 0px; padding: 0px;">
{ <br style="margin: 0px; padding: 0px;">
xlog("L_NOTICE","KAM-INFO:
r[AUTH] - REGISTER - User info: ($fu):($si)>\n"); <br
style="margin: 0px; padding: 0px;">
if (!radius_www_authorize("<a
moz-do-not-send="true" href="http://i2cat.net">i2cat.net</a>")){ <br
style="margin: 0px; padding: 0px;">
route(RADIUS); <br
style="margin: 0px; padding: 0px;">
#www_challenge("<a
moz-do-not-send="true" href="http://i2cat.net">i2cat.net</a>","0"); <br
style="margin: 0px; padding: 0px;">
exit; <br style="margin:
0px; padding: 0px;">
} <br style="margin: 0px;
padding: 0px;">
} <br style="margin: 0px; padding: 0px;">
<br style="margin: 0px; padding: 0px;">
if ($au!=$tU) <br style="margin: 0px;
padding: 0px;">
{ <br style="margin: 0px; padding: 0px;">
sl_send_reply("403","Forbidden
auth ID"); <br style="margin: 0px; padding: 0px;">
exit; <br style="margin: 0px;
padding: 0px;">
} <br style="margin: 0px; padding: 0px;">
} else { <br style="margin: 0px; padding: 0px;">
<br style="margin: 0px; padding: 0px;">
#!ifdef WITH_IPAUTH <br style="margin: 0px; padding:
0px;">
if(allow_source_address()) <br
style="margin: 0px; padding: 0px;">
{ <br style="margin: 0px; padding: 0px;">
# source IP allowed <br
style="margin: 0px; padding: 0px;">
return; <br style="margin: 0px;
padding: 0px;">
} <br style="margin: 0px; padding: 0px;">
#!endif <br style="margin: 0px; padding: 0px;">
<br style="margin: 0px; padding: 0px;">
# authenticate if from local subscriber <br
style="margin: 0px; padding: 0px;">
if (from_uri==myself) <br style="margin:
0px; padding: 0px;">
{ <br style="margin: 0px; padding: 0px;">
if (!proxy_authorize("$fd",
"subscriber")) { <br style="margin: 0px; padding: 0px;">
proxy_challenge("$fd",
"0"); <br style="margin: 0px; padding: 0px;">
exit; <br style="margin:
0px; padding: 0px;">
} <br style="margin: 0px;
padding: 0px;">
if (is_method("PUBLISH")) <br
style="margin: 0px; padding: 0px;">
{ <br style="margin: 0px;
padding: 0px;">
if ($au!=$tU) { <br
style="margin: 0px; padding: 0px;">
sl_send_reply("403","Forbidden auth ID"); <br
style="margin: 0px; padding: 0px;">
exit; <br
style="margin: 0px; padding: 0px;">
} <br style="margin:
0px; padding: 0px;">
} else { <br style="margin: 0px;
padding: 0px;">
if ($au!=$fU) { <br
style="margin: 0px; padding: 0px;">
sl_send_reply("403","Forbidden auth ID"); <br
style="margin: 0px; padding: 0px;">
exit; <br
style="margin: 0px; padding: 0px;">
} <br style="margin:
0px; padding: 0px;">
} <br style="margin: 0px;
padding: 0px;">
<br style="margin: 0px; padding: 0px;">
consume_credentials(); <br
style="margin: 0px; padding: 0px;">
# caller authenticated <br
style="margin: 0px; padding: 0px;">
} else { <br style="margin: 0px;
padding: 0px;">
# caller is not local
subscriber, then check if it calls <br style="margin:
0px; padding: 0px;">
# a local destination, otherwise
deny, not an open relay here <br style="margin: 0px;
padding: 0px;">
if (!uri==myself) <br
style="margin: 0px; padding: 0px;">
{ <br style="margin: 0px;
padding: 0px;">
sl_send_reply("403","Not
relaying"); <br style="margin: 0px; padding: 0px;">
exit; <br style="margin:
0px; padding: 0px;">
} <br style="margin: 0px;
padding: 0px;">
} <br style="margin: 0px; padding: 0px;">
} <br style="margin: 0px; padding: 0px;">
#!endif <br style="margin: 0px; padding: 0px;">
return; <br style="margin: 0px; padding: 0px;">
}
<br style="margin: 0px; padding:
0px;">
</td>
</tr>
</tbody>
</table>
<br style="margin: 0px; padding: 0px;">
<br style="margin: 0px; padding: 0px;">
Before doing the challenge then it just goes through: <br
style="margin: 0px; padding: 0px;">
<br style="margin: 0px; padding: 0px;">
<table style="margin: 0px; padding: 0px; font-size: 1em;"
align="center" border="0" cellpadding="3" cellspacing="1"
width="90%">
<tbody style="margin: 0px; padding: 0px;">
<tr style="margin: 0px; padding: 0px;">
<td style="margin: 0px; padding: 1px;"><span
class="genmed" style="margin: 0px; padding: 0px;"><strong
style="margin: 0px; padding: 0px;">Code:</strong></span></td>
</tr>
<tr style="margin: 0px; padding: 0px;">
<td class="code" style="margin: 0px 20px; padding: 3px;
height: 40px; overflow: auto; border: 1px solid gray;
font: 12px Courier,'Courier New',sans-serif; color:
rgb(0, 102, 0); background-color: rgb(255, 255, 255);">
<br style="margin: 0px; padding: 0px;">
<br style="margin: 0px; padding: 0px;">
route[RADIUS] <br style="margin: 0px; padding: 0px;">
{ <br style="margin: 0px; padding: 0px;">
<br style="margin: 0px; padding: 0px;">
sl_send_reply("100", "Trying"); <br style="margin:
0px; padding: 0px;">
append_to_reply("Expires: 600\r\n"); <br
style="margin: 0px; padding: 0px;">
append_to_reply("Min-Expires: 240\r\n"); <br
style="margin: 0px; padding: 0px;">
<br style="margin: 0px; padding: 0px;">
xlog("L_NOTICE","KAM-INFO: RADIUS AUTHENTICATION -
AUTHORIZING USER $fU - <$fu>:<$si>\n"); <br
style="margin: 0px; padding: 0px;">
<br style="margin: 0px; padding: 0px;">
xlog("L_NOTICE","KAM-INFO: CHALLENGING. -
RETCODE-> $rc \n"); <br style="margin: 0px; padding:
0px;">
www_challenge("<a moz-do-not-send="true"
href="http://i2cat.net">i2cat.net</a>", "0"); <br
style="margin: 0px; padding: 0px;">
switch($rc){ <br style="margin: 0px; padding: 0px;">
case -5: <br style="margin: 0px; padding: 0px;">
xlog("L_INFO", "-> 500: internal server
error"); <br style="margin: 0px; padding: 0px;">
sl_send_reply("500", "Internal Server
Error"); <br style="margin: 0px; padding: 0px;">
case -4: <br style="margin: 0px; padding: 0px;">
xlog("L_INFO", "-> 404: credentials not
found"); <br style="margin: 0px; padding: 0px;">
sl_send_reply("404", "Credentials Not
Found"); <br style="margin: 0px; padding: 0px;">
case -3: <br style="margin: 0px; padding: 0px;">
xlog("L_INFO", "-> 400: bad request -
stale nonce"); <br style="margin: 0px; padding: 0px;">
sl_send_reply("400", "Bad Request"); <br
style="margin: 0px; padding: 0px;">
case -2: <br style="margin: 0px; padding: 0px;">
xlog("L_INFO", "-> 401: invalid
password"); <br style="margin: 0px; padding: 0px;">
sl_send_reply("401", "Invalid Password"); <br
style="margin: 0px; padding: 0px;">
case -1: <br style="margin: 0px; padding: 0px;">
xlog("L_INFO", "-> 401: invalid user"); <br
style="margin: 0px; padding: 0px;">
sl_send_reply("401", "Invalid User"); <br
style="margin: 0px; padding: 0px;">
default: <br style="margin: 0px; padding: 0px;">
xlog("L_INFO", "-> 401: unauthorized"); <br
style="margin: 0px; padding: 0px;">
sl_send_reply("401", "Unauthorized"); <br
style="margin: 0px; padding: 0px;">
} <br style="margin: 0px; padding: 0px;">
} <br style="margin: 0px; padding: 0px;">
</td>
</tr>
</tbody>
</table>
<br style="margin: 0px; padding: 0px;">
<br style="margin: 0px; padding: 0px;">
Buuuuuuuuuuuuut... I got that in the debug of Kamailio: <br
style="margin: 0px; padding: 0px;">
<br style="margin: 0px; padding: 0px;">
<br style="margin: 0px; padding: 0px;">
<table style="margin: 0px; padding: 0px; font-size: 1em;"
align="center" border="0" cellpadding="3" cellspacing="1"
width="90%">
<tbody style="margin: 0px; padding: 0px;">
<tr style="margin: 0px; padding: 0px;">
<td style="margin: 0px; padding: 1px;"><span
class="genmed" style="margin: 0px; padding: 0px;"><strong
style="margin: 0px; padding: 0px;">Code:</strong></span></td>
</tr>
<tr style="margin: 0px; padding: 0px;">
<td class="code" style="margin: 0px 20px; padding: 3px;
height: 40px; overflow: auto; border: 1px solid gray;
font: 12px Courier,'Courier New',sans-serif; color:
rgb(0, 102, 0); background-color: rgb(255, 255, 255);">
4(31099) DEBUG: auth [api.c:95]: auth: digest-algo: MD5
parsed value: 1 <br style="margin: 0px; padding: 0px;">
4(31099) DEBUG: auth_radius [sterman.c:271]:
radius_authorize_sterman(): Success <br style="margin:
0px; padding: 0px;">
4(31099) WARNING: auth_radius [authorize.c:89]: RADIUS
server did not send SER-UID attribute in digest
authentication reply <br style="margin: 0px; padding:
0px;">
4(31099) DEBUG: auth [challenge.c:102]:
build_challenge_hf: realm='<a moz-do-not-send="true"
href="http://i2cat.net">i2cat.net</a>' <br
style="margin: 0px; padding: 0px;">
4(31099) DEBUG: auth [challenge.c:113]:
build_challenge_hf: qop='auth' <br style="margin: 0px;
padding: 0px;">
4(31099) DEBUG: auth [challenge.c:236]: auth:
'WWW-Authenticate: Digest realm="<a
moz-do-not-send="true" href="http://i2cat.net">i2cat.net</a>",
nonce="TWZJLk1mSAKFVzL0b+dVPzkuyyAnZHQs", qop="auth" <br
style="margin: 0px; padding: 0px;">
</td>
</tr>
</tbody>
</table>
<br style="margin: 0px; padding: 0px;">
<br style="margin: 0px; padding: 0px;">
I guess it has something to do with this SER-UID attribute and
thus something about the dictionary? It is weird seeing that the
radius server says 'ok' but then openser is not authenticating
it. <br style="margin: 0px; padding: 0px;">
<br style="margin: 0px; padding: 0px;">
I need some clues! Thank you!</span><br clear="all">
<br>
-- <br>
Pablo Ros<br>
<pre wrap="">
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.sip-router.org">sr-users@lists.sip-router.org</a>
<a class="moz-txt-link-freetext" href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla
<a class="moz-txt-link-freetext" href="http://www.asipto.com">http://www.asipto.com</a></pre>
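<br>
Added example, not part of the original thread and not Kamailio or RADIUS server code: a simplified Python model of the point made in the reply above, that the digest challenge (realm, nonce, qop) is produced by the proxy itself and the backend is only asked to check the client's response. The user name, password, single-use nonce store and the <code>backend_verify</code> stand-in for the RADIUS server are assumptions made for illustration; the digest arithmetic is RFC 2617 MD5 with qop=auth, as in the debug log.<br>
<br>

```python
import base64
import hashlib
import hmac
import os

REALM = "i2cat.net"              # realm used in the thread's config
PASSWORDS = {"alice": "s3cret"}  # constructed user store held by the backend

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 response for algorithm=MD5, qop=auth."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def backend_verify(c, method):
    """Hypothetical stand-in for the RADIUS server: it sees only digest attributes."""
    password = PASSWORDS.get(c["username"])
    if password is None:
        return False
    expected = digest_response(c["username"], c["realm"], password, method,
                               c["uri"], c["nonce"], c["nc"], c["cnonce"])
    return hmac.compare_digest(expected, c["response"])

class Proxy:
    """Proxy side: builds the challenge itself and remembers issued nonces."""
    def __init__(self):
        self.issued = set()

    def challenge(self):
        nonce = base64.b64encode(os.urandom(24)).decode()
        self.issued.add(nonce)
        return 401, {"realm": REALM, "nonce": nonce, "qop": "auth"}

    def handle(self, method, creds=None):
        # No credentials, or a nonce this proxy never issued: challenge locally.
        if creds is None or creds["nonce"] not in self.issued:
            return self.challenge()
        self.issued.discard(creds["nonce"])  # single-use nonce in this model
        return (200, {}) if backend_verify(creds, method) else self.challenge()

def client_credentials(user, password, method, uri, chal):
    nc, cnonce = "00000001", os.urandom(4).hex()
    resp = digest_response(user, chal["realm"], password, method, uri,
                           chal["nonce"], nc, cnonce)
    return {"username": user, "realm": chal["realm"], "uri": uri, "nc": nc,
            "nonce": chal["nonce"], "cnonce": cnonce, "response": resp}
```
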
</body>
</html>