Re: [SR-Users] Kamailio auth_radius: duplicate User-Name attribute
Thank you for the tip, Ovidiu! The problem was indeed with my dictionary: two attributes were defined with the same value, 1, which explains the second User-Name carrying the call-id. I've fixed the dictionary, and now everything works fine. Thanks again! Regards, Fedor. 2011/3/5 Ovidiu Sas o...@voipembedded.com You need to check the dictionaries on your kamailio server. Most likely something is misconfigured there. Check what value you have for User-Name and see if you have any duplicates for that value. Regards, Ovidiu Sas On Sat, Mar 5, 2011 at 2:32 AM, Kosilov Fedor dangerko...@gmail.com wrote: Again for testing, I pointed Kamailio directly to my billing radius, bypassing Freeradius. The situation is the same, so the problem is definitely not with the Freeradius server. 2011/3/5 Kosilov Fedor dangerko...@gmail.com Hello, Daniel, thank you for your attention to my problem. I actually don't need accounting support, I just want to implement an authorization using radius. But for testing purposes, I loaded the acc module and set radius_extra param. Nothing has changed. Here is a part of my config: ... modparam(acc, radius_config, /etc/radiusclient-ng/radiusclient.conf) modparam(acc, radius_extra, User-Name=$Au) ... modparam(auth_radius, radius_config, /etc/radiusclient-ng/radiusclient.conf) modparam(auth_radius, auth_extra, NAS-Identifier=$var(ident)) ... route { #Definitions $var(ident) = kamserv.example.com; ... route(3); #Auth ... } ... 
route[3] { if (is_method(REGISTER)) { if (is_from_local()) { if (!radius_www_authorize($td)) { www_challenge($sel(to.uri.host), 1); exit; } else { avp_db_delete($sel(to.uri),$avp(s:ip)); avp_db_delete($sel(to.uri),$avp(s:dpid)); avp_db_delete($sel(to.uri),$avp(s:fr_timer)); avp_db_delete($sel(to.uri),$avp(s:calls_limit)); avp_db_store($sel(to.uri),$avp(s:ip)); avp_db_store($sel(to.uri),$avp(s:dpid)); avp_db_store($sel(to.uri),$avp(s:fr_timer)); avp_db_store($sel(to.uri),$avp(s:calls_limit)); if ($au!=$sel(to.uri.user))||($au!=$sel(from.uri.user)) { sl_send_reply(403,Forbidden auth ID); exit; } else { if ($avp(s:ip)!='any' $sel(src.ip)!=$avp(s:ip)) { sl_send_reply(403,Forbidden); exit; } } } } else { sl_send_reply(403,Forbidden); exit; } } else { if ($sel(src.ip)==192.168.0.2) { return; } else if (is_from_local()) { if (!radius_proxy_authorize($sel(from.uri.host),$sel(from.uri.user))) { proxy_challenge($sel(from.uri.host), 1); exit; } if ($avp(s:ip)!='any' $sel(src.ip)!=$avp(s:ip)) { sl_send_reply(403,Forbidden); exit; } if (is_method(PUBLISH)) { if ($au!=$sel(to.uri.user)) { sl_send_reply(403,Forbidden auth ID); exit; } } else if ($au!=$sel(from.uri.user)) { sl_send_reply(403,Forbidden auth ID); exit; } consume_credentials(); } else { sl_send_reply(403,Forbidden); exit; } } } ... And again a part of the freeradius log: rad_recv: Access-Request packet from host 127.0.0.1 port 58933, id=135, length=298 User-Name = 2219...@example.com Digest-Attributes = 0x0a0932323139303031 Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275 Digest-Attributes = 0x0222545848676630317833314f7076767759512b6b73674c63554d51784f6c347634 Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275 Digest-Attributes = 0x030a5245474953544552 Digest-Attributes = 0x050661757468 Digest-Attributes = 0x090a3030303030303031 Digest-Attributes = 0x080c39636238383130616531 Digest-Response = efdcf92b58f694b97928856614057436 Service-Type =
Re: [SR-Users] Kamailio auth_radius: duplicate User-Name attribute
You need to check the dictionaries on your kamailio server. Most likely something is misconfigured there. Check what value you have for User-Name and see if you have any duplicates for that value. Regards, Ovidiu Sas On Sat, Mar 5, 2011 at 2:32 AM, Kosilov Fedor dangerko...@gmail.com wrote: Again for testing, I pointed Kamailio directly to my billing radius, bypassing Freeradius. The situation is the same, so the problem is definitely not with the Freeradius server. 2011/3/5 Kosilov Fedor dangerko...@gmail.com Hello, Daniel, thank you for your attention to my problem. I actually don't need accounting support, I just want to implement an authorization using radius. But for testing purposes, I loaded the acc module and set radius_extra param. Nothing has changed. Here is a part of my config: ... modparam(acc, radius_config, /etc/radiusclient-ng/radiusclient.conf) modparam(acc, radius_extra, User-Name=$Au) ... modparam(auth_radius, radius_config, /etc/radiusclient-ng/radiusclient.conf) modparam(auth_radius, auth_extra, NAS-Identifier=$var(ident)) ... route { #Definitions $var(ident) = kamserv.example.com; ... route(3); #Auth ... } ... 
route[3] { if (is_method(REGISTER)) { if (is_from_local()) { if (!radius_www_authorize($td)) { www_challenge($sel(to.uri.host), 1); exit; } else { avp_db_delete($sel(to.uri),$avp(s:ip)); avp_db_delete($sel(to.uri),$avp(s:dpid)); avp_db_delete($sel(to.uri),$avp(s:fr_timer)); avp_db_delete($sel(to.uri),$avp(s:calls_limit)); avp_db_store($sel(to.uri),$avp(s:ip)); avp_db_store($sel(to.uri),$avp(s:dpid)); avp_db_store($sel(to.uri),$avp(s:fr_timer)); avp_db_store($sel(to.uri),$avp(s:calls_limit)); if ($au!=$sel(to.uri.user))||($au!=$sel(from.uri.user)) { sl_send_reply(403,Forbidden auth ID); exit; } else { if ($avp(s:ip)!='any' $sel(src.ip)!=$avp(s:ip)) { sl_send_reply(403,Forbidden); exit; } } } } else { sl_send_reply(403,Forbidden); exit; } } else { if ($sel(src.ip)==192.168.0.2) { return; } else if (is_from_local()) { if (!radius_proxy_authorize($sel(from.uri.host),$sel(from.uri.user))) { proxy_challenge($sel(from.uri.host), 1); exit; } if ($avp(s:ip)!='any' $sel(src.ip)!=$avp(s:ip)) { sl_send_reply(403,Forbidden); exit; } if (is_method(PUBLISH)) { if ($au!=$sel(to.uri.user)) { sl_send_reply(403,Forbidden auth ID); exit; } } else if ($au!=$sel(from.uri.user)) { sl_send_reply(403,Forbidden auth ID); exit; } consume_credentials(); } else { sl_send_reply(403,Forbidden); exit; } } } ... 
And again a part of the freeradius log: rad_recv: Access-Request packet from host 127.0.0.1 port 58933, id=135, length=298 User-Name = 2219...@example.com Digest-Attributes = 0x0a0932323139303031 Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275 Digest-Attributes = 0x0222545848676630317833314f7076767759512b6b73674c63554d51784f6c347634 Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275 Digest-Attributes = 0x030a5245474953544552 Digest-Attributes = 0x050661757468 Digest-Attributes = 0x090a3030303030303031 Digest-Attributes = 0x080c39636238383130616531 Digest-Response = efdcf92b58f694b97928856614057436 Service-Type = Sip-Session Sip-Uri-User = 2219001 User-Name = call-id=zomdnicqsndxrnh@koffe-work NAS-Identifier = kamserv.example.com NAS-Port = 5060 NAS-IP-Address = 127.0.0.1 Regards, Fedor. 2011/3/5 Daniel-Constantin Mierla mico...@gmail.com Hello, what is the value of parameter radius_extra for acc module? Cheers, Daniel On 3/4/11 1:06 PM, Kosilov Fedor wrote: Hello List!
Re: [SR-Users] Kamailio auth_radius: duplicate User-Name attribute
Hello, what is the value of the radius_extra parameter for the acc module? Cheers, Daniel On 3/4/11 1:06 PM, Kosilov Fedor wrote: Hello List! I'm trying to set up authorization with our proprietary billing radius server, using Freeradius as a proxy. Currently I'm experiencing the following problem: the Access-Request packet sent by Kamailio contains two User-Name attribute records. Here is a log from the Freeradius server: rad_recv: Access-Request packet from host 127.0.0.1 port 59294, id=112, length=298 User-Name = 2219...@example.com Digest-Attributes = 0x0a0932323139303031 Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275 Digest-Attributes = 0x022254584452634531773045524b7368796f30684a70544f4f6a69424d386b32534a Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275 Digest-Attributes = 0x030a5245474953544552 Digest-Attributes = 0x050661757468 Digest-Attributes = 0x090a3030303030303031 Digest-Attributes = 0x080c32383034636535373032 Digest-Response = e79b47955c02401fe52d05f7956609aa Service-Type = Sip-Session Sip-Uri-User = 2219001 *User-Name = call-id=domcmqmnychbwlp@koffe-work* NAS-Identifier = kamserv.example.com NAS-Port = 5060 NAS-IP-Address = 127.0.0.1 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [digest] Checking for correctly formatted Digest-Attributes [digest] Digest-Attributes look OK. Converting them to something more usful. 
Digest-User-Name = 2219001 Digest-Realm = example.com Digest-Nonce = TXDRcE1w0ERKshyo0hJpTOOjiBM8k2SJ Digest-URI = sip:example.com Digest-Method = REGISTER Digest-QOP = auth Digest-Nonce-Count = 0001 Digest-CNonce = 2804ce5702 [digest] Adding Auth-Type = DIGEST ++[digest] returns ok [suffix] Looking up realm example.com for User-Name = 2219...@example.com [suffix] Found realm example.com [suffix] Adding Realm = example.com [suffix] Proxying request from user 2219001 to realm example.com [suffix] Preparing to proxy authentication request to realm example.com ++[suffix] returns updated [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Sending Access-Request of id 250 to 127.0.0.1 port 1822 User-Name = 2219...@example.com Digest-Attributes = 0x0a0932323139303031 Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275 Digest-Attributes = 0x022254584452634531773045524b7368796f30684a70544f4f6a69424d386b32534a Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275 Digest-Attributes = 0x030a5245474953544552 Digest-Attributes = 0x050661757468 Digest-Attributes = 0x090a3030303030303031 Digest-Attributes = 0x080c32383034636535373032 Digest-Response = e79b47955c02401fe52d05f7956609aa Service-Type = Sip-Session Sip-Uri-User = 2219001 *User-Name = call-id=domcmqmnychbwlp@koffe-work* NAS-Identifier = kamserv.example.com NAS-Port = 5060 NAS-IP-Address = 127.0.0.1 Proxy-State = 0x313132 Proxying request 1 to home server 127.0.0.1 port 1822 As I understand it, this second User-Name attribute should have been sent as a call-id attribute. 
Re: [SR-Users] Kamailio auth_radius: duplicate User-Name attribute
Again for testing, I pointed Kamailio directly to my billing radius, bypassing Freeradius. The situation is the same, so the problem is definitely not with the Freeradius server. 2011/3/5 Kosilov Fedor dangerko...@gmail.com Hello, Daniel, thank you for your attention to my problem. I actually don't need accounting support, I just want to implement an authorization using radius. But for testing purposes, I loaded the acc module and set radius_extra param. Nothing has changed. Here is a part of my config: ... modparam(acc, radius_config, /etc/radiusclient-ng/radiusclient.conf) modparam(acc, radius_extra, User-Name=$Au) ... modparam(auth_radius, radius_config, /etc/radiusclient-ng/radiusclient.conf) modparam(auth_radius, auth_extra, NAS-Identifier=$var(ident)) ... route { #Definitions $var(ident) = kamserv.example.com; ... route(3); #Auth ... } ... route[3] { if (is_method(REGISTER)) { if (is_from_local()) { if (!radius_www_authorize($td)) { www_challenge($sel(to.uri.host), 1); exit; } else { avp_db_delete($sel(to.uri),$avp(s:ip)); avp_db_delete($sel(to.uri),$avp(s:dpid)); avp_db_delete($sel(to.uri),$avp(s:fr_timer)); avp_db_delete($sel(to.uri),$avp(s:calls_limit)); avp_db_store($sel(to.uri),$avp(s:ip)); avp_db_store($sel(to.uri),$avp(s:dpid)); avp_db_store($sel(to.uri),$avp(s:fr_timer)); avp_db_store($sel(to.uri),$avp(s:calls_limit)); if ($au!=$sel(to.uri.user))||($au!=$sel(from.uri.user)) { sl_send_reply(403,Forbidden auth ID); exit; } else { if ($avp(s:ip)!='any' $sel(src.ip)!=$avp(s:ip)) { sl_send_reply(403,Forbidden); exit; } } } } else { sl_send_reply(403,Forbidden); exit; } } else { if ($sel(src.ip)==192.168.0.2) { return; } else if (is_from_local()) { if (!radius_proxy_authorize($sel(from.uri.host),$sel(from.uri.user))) { proxy_challenge($sel(from.uri.host), 1); exit; } if ($avp(s:ip)!='any' $sel(src.ip)!=$avp(s:ip)) { sl_send_reply(403,Forbidden); exit; } if (is_method(PUBLISH)) { if ($au!=$sel(to.uri.user)) { sl_send_reply(403,Forbidden auth ID); exit; } } 
else if ($au!=$sel(from.uri.user)) { sl_send_reply(403,Forbidden auth ID); exit; } consume_credentials(); } else { sl_send_reply(403,Forbidden); exit; } } } ... And again a part of the freeradius log: rad_recv: Access-Request packet from host 127.0.0.1 port 58933, id=135, length=298 *User-Name = 2219...@example.com* Digest-Attributes = 0x0a0932323139303031 Digest-Attributes = 0x01106c696e6b2d726567696f6e2e7275 Digest-Attributes = 0x0222545848676630317833314f7076767759512b6b73674c63554d51784f6c347634 Digest-Attributes = 0x04147369703a6c696e6b2d726567696f6e2e7275 Digest-Attributes = 0x030a5245474953544552 Digest-Attributes = 0x050661757468 Digest-Attributes = 0x090a3030303030303031 Digest-Attributes = 0x080c39636238383130616531 Digest-Response = efdcf92b58f694b97928856614057436 Service-Type = Sip-Session Sip-Uri-User = 2219001 *User-Name = call-id=zomdnicqsndxrnh@koffe-work* NAS-Identifier = kamserv.example.com NAS-Port = 5060 NAS-IP-Address = 127.0.0.1 Regards, Fedor. 2011/3/5 Daniel-Constantin Mierla mico...@gmail.com Hello, what is the value of parameter radius_extra for acc module? Cheers, Daniel On 3/4/11 1:06 PM, Kosilov Fedor wrote: Hello List! I'm trying to set up authorization with our billing proprietary radius server, using Freeradius as a proxy. Currently I'm experiencing the following problem: The Access-Request packet, sent by Kamailio, contains two User-Name attribute records Here is a log from the Freeradius server: