<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hello,<br>
<br>
you should just use www_challenge() to send back the 401 response.<br>
<br>
Here is a old tutorial, from the time when the project was named
openser, but could be a good reading anyhow:<br>
<br>
- <a class="moz-txt-link-freetext" href="http://www.kamailio.org/docs/openser-radius-1.0.x.html">http://www.kamailio.org/docs/openser-radius-1.0.x.html</a><br>
<br>
The authentication part is pretty much the same.<br>
<br>
Cheers,<br>
Daniel<br>
<br>
On 05/05/14 12:00, Måns Nilsson wrote:<br>
</div>
<blockquote cite="mid:20140505100041.GS13966@besserwisser.org"
type="cite">
<pre wrap="">[first post to list]
Greetings,
I'm in the process of getting a Kamailio 3.3.2 installation authenticating
its SIP accounts against a RADIUS database. There are -- at the moment --
no plans to do any fancy accounting nor any authorisation beyond simple
authentication.
I've set up and tested a FreeRadius 2.2.3_1 server on a dedicated server.
After a fairly steep learning curve involving RADIUS dictionaries I've
come so far that kamailio sends out a RADIUS Access-Request message
that is received by FreeRadius, processed, and returned to Kamailio
which promptly ignores it and continues to send 401 to the client;
the SIP message exchange with the client being:
(some identifing info has been redacted)
</pre>
<blockquote type="cite">
<pre wrap=""> REGISTER <a class="moz-txt-link-freetext" href="sip:my.domain">sip:my.domain</a> SIP/2.0
</pre>
</blockquote>
<pre wrap="">< SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.25.191.24:41688;branch=z9hG4bK-d8754z-eac09e6c626d4c4d-1---d8754z-;rport=41688
</pre>
<blockquote type="cite">
<pre wrap=""> REGISTER <a class="moz-txt-link-freetext" href="sip:my.domain">sip:my.domain</a> SIP/2.0
</pre>
</blockquote>
<pre wrap=""> Via: SIP/2.0/UDP 10.25.191.24:41688;branch=z9hG4bK-d8754z-4f25c643f4b93465-1---d8754z-;rport
< SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.25.191.24:41688;branch=z9hG4bK-d8754z-4f25c643f4b93465-1---d8754z-;rport=41688
The RADIUS exchange:
10:07:10.861063 IP (tos 0x0, ttl 64, id 14964, offset 0, flags [none], proto UDP (17), length 270)
10.24.194.198.63712 > 10.24.194.196.1812: [udp sum ok] RADIUS, length: 242
Access Request (1), id: 0x05, Authenticator: 4215e95809551826eda76972be4106c4
Username Attribute (1), length: 18, Value: <a class="moz-txt-link-abbreviated" href="mailto:mtu-06@my.domain">mtu-06@my.domain</a>
0x0000: 6d74 752d 3036 4069 706b 2e73 722e 7365
Unknown Attribute (207), length: 10, Value:
0x0000: 0a08 6d74 752d 3036
Unknown Attribute (207), length: 13, Value:
0x0000: 010b 6970 6b2e 7372 2e73 65
Unknown Attribute (207), length: 36, Value:
0x0000: 0222 5532 6448 326c 4e6e 5271 3677 4353
0x0010: 6463 6775 5056 3050 516e 3936 324d 5635
0x0020: 6d34
Unknown Attribute (207), length: 17, Value:
0x0000: 040f 7369 703a 6970 6b2e 7372 2e73 65
Unknown Attribute (207), length: 12, Value:
0x0000: 030a 5245 4749 5354 4552
Unknown Attribute (207), length: 8, Value:
0x0000: 0506 6175 7468
Unknown Attribute (207), length: 12, Value:
0x0000: 090a 3030 3030 3030 3031
Unknown Attribute (207), length: 36, Value:
0x0000: 0822 3933 3832 3333 3333 3530 3162 3238
0x0010: 6439 3236 3739 3863 3964 3038 6539 3134
0x0020: 3733
Unknown Attribute (206), length: 34, Value:
0x0000: 3538 3665 3336 3763 3230 3163 3137 6438
0x0010: 6261 3265 3830 3533 3763 6433 3562 3761
Service Type Attribute (6), length: 6, Value: #15
0x0000: 0000 000f
Unknown Attribute (208), length: 8, Value:
0x0000: 6d74 752d 3036
NAS Port Attribute (5), length: 6, Value: 5060
0x0000: 0000 13c4
NAS IP Address Attribute (4), length: 6, Value: 10.24.194.198
0x0000: c079 c2c6
10:07:10.863964 IP (tos 0x0, ttl 64, id 28916, offset 0, flags [none], proto UDP (17), length 48)
10.24.194.196.1812 > 10.24.194.198.63712: [bad udp cksum 0x06ac -> 0x44c0!] RADIUS, length: 20
Access Accept (2), id: 0x05, Authenticator: 8f07de871a066aacfbe822e20a9b96c1
The RADIUS part of the Kamailio config is:
if (is_method("REGISTER") || from_uri==myself)
#if (is_method("REGISTER") )
{
# authenticate requests
xlog("L_INFO", "authenticate [$fd]\n");
### RADIUS ###
if (!radius_www_authorize("my.domain")) {
$var(ret) = $rc;
xlog("L_INFO", "response code: [$var(ret)]\n");
switch ($var(ret)) {
case -7:
send_reply("500", "Server Internal Error");
exit;
case -1:
send_reply("400", "Bad Request");
exit;
default:
};
if (defined($avp(digest_challenge)) &&
($avp(digest_challenge) != "")) {
append_to_reply("$avp(digest_challenge)");
};
send_reply("401", "Unauthorized");
exit;
};
# user authenticated - remove auth header
if(!is_method("REGISTER|PUBLISH"))
consume_credentials();
}
Any clues? What is missing from my narrative?
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.sip-router.org">sr-users@lists.sip-router.org</a>
<a class="moz-txt-link-freetext" href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla - <a class="moz-txt-link-freetext" href="http://www.asipto.com">http://www.asipto.com</a>
<a class="moz-txt-link-freetext" href="http://twitter.com/#!/miconda">http://twitter.com/#!/miconda</a> - <a class="moz-txt-link-freetext" href="http://www.linkedin.com/in/miconda">http://www.linkedin.com/in/miconda</a></pre>
</body>
</html>