Re: [SR-Users] Kamailio auth_radius: duplicate User-Name attribute

2011-03-06 Thread Kosilov Fedor
Thank you for the tip, Ovidiu!
The problem was with my dictionary indeed. There were two attributes
with duplicate values of 1. I've fixed the dictionary, and now everything
works fine.
Thanks again!

Regards,
Fedor.


2011/3/5 Ovidiu Sas o...@voipembedded.com

 You need to check the dictionaries on your kamailio server.
 Most likely something is misconfigured there.
 Check what value you have for User-Name and see if you have any
 duplicates for that value.


 Regards,
 Ovidiu Sas


Re: [SR-Users] Kamailio auth_radius: duplicate User-Name attribute

2011-03-05 Thread Ovidiu Sas
You need to check the dictionaries on your kamailio server.
Most likely something is misconfigured there.
Check what value you have for User-Name and see if you have any
duplicates for that value.


Regards,
Ovidiu Sas

On Sat, Mar 5, 2011 at 2:32 AM, Kosilov Fedor dangerko...@gmail.com wrote:
 Again for testing, I pointed Kamailio directly to my billing radius,
 bypassing Freeradius. The situation is the same, so the problem is
 definitely not with the Freeradius server.

 2011/3/5 Kosilov Fedor dangerko...@gmail.com

 Hello, Daniel, thank you for your attention to my problem.

 I actually don't need accounting support, I just want to implement an
 authorization using radius.
 But for testing purposes, I loaded the acc module and set radius_extra
 param. Nothing has changed.

 Here is a part of my config:


 ...
 modparam("acc", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
 modparam("acc", "radius_extra", "User-Name=$Au")
 ...
 modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
 modparam("auth_radius", "auth_extra", "NAS-Identifier=$var(ident)")
 ...
 route {
     # Definitions
     $var(ident) = "kamserv.example.com";
     ...
     route(3); # Auth
     ...
 }

 ...

 route[3] {
     if (is_method("REGISTER"))
     {
         if (is_from_local()) {
             # Digest authentication of REGISTER against RADIUS
             if (!radius_www_authorize("$td"))
             {
                 www_challenge("$sel(to.uri.host)", "1");
                 exit;
             } else {
                 # Replace the stored copies of these AVPs for the To URI
                 avp_db_delete("$sel(to.uri)","$avp(s:ip)");
                 avp_db_delete("$sel(to.uri)","$avp(s:dpid)");
                 avp_db_delete("$sel(to.uri)","$avp(s:fr_timer)");
                 avp_db_delete("$sel(to.uri)","$avp(s:calls_limit)");
                 avp_db_store("$sel(to.uri)","$avp(s:ip)");
                 avp_db_store("$sel(to.uri)","$avp(s:dpid)");
                 avp_db_store("$sel(to.uri)","$avp(s:fr_timer)");
                 avp_db_store("$sel(to.uri)","$avp(s:calls_limit)");

                 # The auth user must match both the To and From users
                 if ($au!=$sel(to.uri.user))||($au!=$sel(from.uri.user)) {
                     sl_send_reply("403","Forbidden auth ID");
                     exit;
                 } else {
                     # Enforce the allowed source IP unless it is 'any'
                     if ($avp(s:ip)!='any' && $sel(src.ip)!=$avp(s:ip)) {
                         sl_send_reply("403","Forbidden");
                         exit;
                     }
                 }
             }
         } else {
             sl_send_reply("403","Forbidden");
             exit;
         }
     } else {
         # Requests from this address skip authentication
         if ($sel(src.ip)=="192.168.0.2") {
             return;
         } else if (is_from_local()) {
             if (!radius_proxy_authorize("$sel(from.uri.host)","$sel(from.uri.user)")) {
                 proxy_challenge("$sel(from.uri.host)", "1");
                 exit;
             }
             if ($avp(s:ip)!='any' && $sel(src.ip)!=$avp(s:ip))
             {
                 sl_send_reply("403","Forbidden");
                 exit;
             }

             if (is_method("PUBLISH"))
             {
                 if ($au!=$sel(to.uri.user)) {
                     sl_send_reply("403","Forbidden auth ID");
                     exit;
                 }
             } else if ($au!=$sel(from.uri.user)) {
                 sl_send_reply("403","Forbidden auth ID");
                 exit;
             }
             # Strip the credentials before the request is forwarded
             consume_credentials();
         } else {
             sl_send_reply("403","Forbidden");
             exit;
         }
     }
 }
 ...

 And again a part of the freeradius log:

 rad_recv: Access-Request packet from host 127.0.0.1 port 58933, id=135, length=298
     User-Name = 2219...@example.com
     Digest-Attributes = 0x0a0932323139303031
     Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
     Digest-Attributes = 0x0222545848676630317833314f7076767759512b6b73674c63554d51784f6c347634
     Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
     Digest-Attributes = 0x030a5245474953544552
     Digest-Attributes = 0x050661757468
     Digest-Attributes = 0x090a3030303030303031
     Digest-Attributes = 0x080c39636238383130616531
     Digest-Response = efdcf92b58f694b97928856614057436
     Service-Type = Sip-Session
     Sip-Uri-User = 2219001
     User-Name = call-id=zomdnicqsndxrnh@koffe-work
     NAS-Identifier = kamserv.example.com
     NAS-Port = 5060
     NAS-IP-Address = 127.0.0.1


 Regards,
 Fedor.



 2011/3/5 Daniel-Constantin Mierla mico...@gmail.com

 Hello,

 what is the value of parameter radius_extra for acc module?

 Cheers,
 Daniel

 On 3/4/11 1:06 PM, Kosilov Fedor wrote:

 Hello List!
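
The dictionary check suggested in this thread, as an added example (not code from any of the posters or from the Kamailio project): it scans a radiusclient-ng style dictionary and reports attribute codes that are defined more than once, which is the condition that turned out to be the cause here. The sample dictionary and the names Example-Call-Id, ExampleVendor and Example-Vendor-Attr are constructed; the script assumes the `ATTRIBUTE name code type [vendor]` syntax and does not follow `$INCLUDE` lines.

```python
import sys
from collections import defaultdict

# Constructed sample in radiusclient-ng dictionary syntax; not the poster's file.
SAMPLE_DICTIONARY = """\
# ATTRIBUTE  name                 code  type    [vendor]
ATTRIBUTE    User-Name            1     string
ATTRIBUTE    User-Password        2     string
ATTRIBUTE    NAS-Identifier       32    string
ATTRIBUTE    Example-Call-Id      1     string  # hypothetical entry reusing code 1
VENDOR       ExampleVendor        99999
ATTRIBUTE    Example-Vendor-Attr  1     string  ExampleVendor
VALUE        Service-Type         Sip-Session   15
"""


def find_duplicate_codes(text):
    """Map (vendor, code) -> [(line_no, name), ...] for codes defined twice or more.

    Vendor attributes have their own code space, so the vendor name (None for
    standard attributes) is part of the key.
    """
    seen = defaultdict(list)
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # strip comments, then tokenize
        if len(fields) < 4 or fields[0].upper() != "ATTRIBUTE":
            continue
        if not fields[2].isdigit():
            continue  # only plain decimal codes are compared here
        vendor = fields[4] if len(fields) > 4 else None
        seen[(vendor, int(fields[2]))].append((line_no, fields[1]))
    return {key: defs for key, defs in seen.items() if len(defs) > 1}


def report(text):
    """Return one human-readable line per colliding attribute code."""
    out = []
    dups = find_duplicate_codes(text)
    for vendor, code in sorted(dups, key=lambda k: (k[0] or "", k[1])):
        names = ", ".join(f"{name} (line {n})" for n, name in dups[(vendor, code)])
        out.append(f"code {code} [{vendor or 'standard'}]: {names}")
    return out


if __name__ == "__main__":
    # Pass the dictionary file named in radiusclient.conf; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DICTIONARY
    print("\n".join(report(text)) or "no duplicate attribute codes")
```

When two names share a standard code, the client library encodes both under the same attribute type on the wire, so the RADIUS server logs both under whichever name its own dictionary gives that type.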

 

Re: [SR-Users] Kamailio auth_radius: duplicate User-Name attribute

2011-03-04 Thread Daniel-Constantin Mierla

Hello,

what is the value of parameter radius_extra for acc module?

Cheers,
Daniel

On 3/4/11 1:06 PM, Kosilov Fedor wrote:

Hello List!

I'm trying to set up authorization with our billing proprietary radius 
server, using Freeradius as a proxy. Currently I'm experiencing the 
following problem:


The Access-Request packet, sent by Kamailio, contains two User-Name 
attribute records

Here is a log from the Freeradius server:

rad_recv: Access-Request packet from host 127.0.0.1 port 59294, id=112, length=298
User-Name = 2219...@example.com
Digest-Attributes = 0x0a0932323139303031
Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
Digest-Attributes = 0x022254584452634531773045524b7368796f30684a70544f4f6a69424d386b32534a
Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
Digest-Attributes = 0x030a5245474953544552
Digest-Attributes = 0x050661757468
Digest-Attributes = 0x090a3030303030303031
Digest-Attributes = 0x080c32383034636535373032
Digest-Response = e79b47955c02401fe52d05f7956609aa
Service-Type = Sip-Session
Sip-Uri-User = 2219001
*User-Name = call-id=domcmqmnychbwlp@koffe-work*
NAS-Identifier = kamserv.example.com
NAS-Port = 5060
NAS-IP-Address = 127.0.0.1
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[digest] Checking for correctly formatted Digest-Attributes
[digest] Digest-Attributes look OK.  Converting them to something more usful.
Digest-User-Name = 2219001
Digest-Realm = example.com
Digest-Nonce = TXDRcE1w0ERKshyo0hJpTOOjiBM8k2SJ
Digest-URI = sip:example.com
Digest-Method = REGISTER
Digest-QOP = auth
Digest-Nonce-Count = 0001
Digest-CNonce = 2804ce5702
[digest] Adding Auth-Type = DIGEST
++[digest] returns ok
[suffix] Looking up realm example.com for User-Name = 2219...@example.com
[suffix] Found realm example.com
[suffix] Adding Realm = example.com
[suffix] Proxying request from user 2219001 to realm example.com
[suffix] Preparing to proxy authentication request to realm example.com

++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 250 to 127.0.0.1 port 1822
User-Name = 2219...@example.com
Digest-Attributes = 0x0a0932323139303031
Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275
Digest-Attributes = 0x022254584452634531773045524b7368796f30684a70544f4f6a69424d386b32534a
Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275
Digest-Attributes = 0x030a5245474953544552
Digest-Attributes = 0x050661757468
Digest-Attributes = 0x090a3030303030303031
Digest-Attributes = 0x080c32383034636535373032
Digest-Response = e79b47955c02401fe52d05f7956609aa
Service-Type = Sip-Session
Sip-Uri-User = 2219001
*User-Name = call-id=domcmqmnychbwlp@koffe-work*
NAS-Identifier = kamserv.example.com
NAS-Port = 5060
NAS-IP-Address = 127.0.0.1
Proxy-State = 0x313132
Proxying request 1 to home server 127.0.0.1 port 1822

As I understand, this second User-Name attribute has to be a call-id attribute.

___
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users


--
Daniel-Constantin Mierla
http://www.asipto.com



Re: [SR-Users] Kamailio auth_radius: duplicate User-Name attribute

2011-03-04 Thread Kosilov Fedor
Again for testing, I pointed Kamailio directly to my billing radius,
bypassing Freeradius. The situation is the same, so the problem is
definitely not with the Freeradius server.
