Hi Daniel,

I haven't used radius in ages, but I think I can install a small PoC and update the tutorial.

Cheers,
Alfonso

On Mon, May 22, 2017 at 3:00 PM, Daniel-Constantin Mierla <mico...@gmail.com> wrote:
> Hello,
>
> thanks for sharing back the solution. It will be useful in the future for
> people facing the same issue.
>
> Probably we should update the very old tutorial for using Radius
> (https://www.kamailio.org/docs/openser-radius-1.0.x.html). I can take the
> time to put it on GitHub (probably as a markdown file so we can use mkdocs to
> publish it in nice html output), but I need people using Radius these days
> to contribute updates, because I haven't used Radius for many years.
>
> Is anyone interested in helping with it?
>
> Cheers,
> Daniel
>
> On Mon, May 22, 2017 at 8:56 AM, Donat Zenichev <donat.zenic...@gmail.com>
> wrote:
>>
>> What did you mean when you asked for 'backend'?
>> If you meant a storage, so it's not a .txt users file, I'm using db -
>> radcheck table.
>>
>> So guys, I've solved the problem.
>> It wasn't consisted of kamailio functions or radius configuration.
>>
>> So you're free to use: www_challenge("$fd", "1"), until up
>> radius_www_authorize("$fd","$fU") comes up.
>> Qop parameter does what it does and changes nothing within the radius
>> authentication process.
>>
>>
>> My problem was about the username column in the radcheck table.
>> It's not enough to insert a username, you ought to use the full URI, like:
>> username@my.proxy.domain
>> Also don't forget about the attributes of the row that belongs to a certain
>> user agent.
>>
>> So my part of the table for one of the users looks like this:
>>
>> ;----;------------;---------------;----;----------------;
>> ; id ; username   ; attribute     ; op ; value          ;
>> ;----;------------;---------------;----;----------------;
>> ; 1  ; ua@dom.com ; User-Password ; == ; hereuapassowrd ;
>> ; 2  ; ua@dom.com ; Auth-Type     ; := ; Digest         ;
>> ; ....
>>
>> Actually, I don't know why, but there are just a few articles all over the
>> net that describe a bit the functionality and processing with the auth_radius
>> module.
>> I hope my case will be useful for others who use kamailio + radius/db.
>>
>> But I have a problem how to request AVPs for a certain user from RADIUS, I
>> found some solutions with the SIP-AVP attribute, but still haven't done it.
>> Now I have two databases, one for Kamailio (that contains users' AVPs, that
>> Kamailio gets by avp_db_query) and a second for users' credentials (that are
>> used while authorization on INVITE, REGISTER requests).
>>
>> And as for the future, I have a goal to store passwords in ha1, haven't
>> started to discover this.
>>
>>
>> 2017-05-18 17:11 GMT+03:00 Donat Zenichev <donat.zenic...@gmail.com>:
>>>
>>> Hi all.
>>> Have a problem with radius authorization.
>>>
>>> I'm using auth_radius.so
>>>
>>> modparams, only path to client file:
>>> modparam("auth_radius", "radius_config", "/etc/radiusclient/radiusclient.conf")
>>>
>>> Freeradius is installed and is working properly, radtest authentication from
>>> the kamailio host succeeds.
>>>
>>> How the authorization block looks:
>>>
>>> # No credentials in the request yet: send a digest challenge
>>> if (!is_present_hf("Authorization")) {
>>>     xlog("L_NOTICE", "----- Athorization HF is not found - passing the challenge -----\n");
>>>
>>>     if (nat_uac_test("2")) {
>>>         force_rport();
>>>     }
>>>
>>>     www_challenge("$fd", "1");
>>>     exit;
>>> }
>>>
>>> # Credentials present: verify them against RADIUS
>>> if (!radius_www_authorize("$fd","$fU")) {
>>>
>>>     if (nat_uac_test("2")) {
>>>         force_rport();
>>>     }
>>>     xlog("L_NOTICE", "----- Registeration $au@$ar ($fU) from $si:$sp Rejected. Code: $rc -----\n");
>>>
>>>     sl_send_reply("401","Unauthorized");
>>>     exit;
>>> }
>>>
>>> Radius log is filled by rows like:
>>> Auth: [digest] Cleartext-Password or Digest-HA1 is required for
>>> authentication.
>>>
>>> Tried to use radius_www_authorize without $fU - didn't change anything.
>>> Tried to use www_challenge without qop - didn't change anything.
>>>
>>> So, this solution is quite simple, but I have a fail while digest
>>> authentication.
>>> Any ideas?
>>>
>>>
>>> --
>>> --
>>> BR, Donat Zenichev
>>> Wnet VoIP team
>>> Tel: +380(44) 5-900-808
>>> http://wnet.ua
>>
>>
>> --
>> --
>> BR, Donat Zenichev
>> Wnet VoIP team
>> Tel: +380(44) 5-900-808
>> http://wnet.ua
>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users@lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
>
>
> --
> Daniel-Constantin Mierla - http://www.asipto.com
> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
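
Added example (not from the thread, nor from the Kamailio or FreeRADIUS projects): a Python model of why the radcheck key matters, assuming the proxy sends User-Name as `username@domain`, as the fix described in the thread implies. The in-memory table, the `Digest-HA1` row and every sample value are constructed; a missing row is modeled as the no-credential state that the radius log line in the thread reports.

```python
import hashlib
import hmac
import sqlite3

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def ha1(user, realm, password):
    # RFC 2617: HA1 = MD5(username:realm:password); storable instead of the password
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def radcheck(username_key, ha1_hex):
    # Constructed in-memory stand-in for radcheck, same columns as the thread's table
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,"
               " attribute TEXT, op TEXT, value TEXT)")
    db.execute("INSERT INTO radcheck (username, attribute, op, value)"
               " VALUES (?, 'Digest-HA1', ':=', ?)", (username_key, ha1_hex))
    return db

def authorize(db, user_name, req, response):
    # Look up by the User-Name exactly as received, then verify the digest
    row = db.execute("SELECT value FROM radcheck WHERE username = ?"
                     " AND attribute = 'Digest-HA1'", (user_name,)).fetchone()
    if row is None:
        return "no-credentials"
    expected = digest_response(row[0], **req)
    return "accept" if hmac.compare_digest(expected, response) else "reject"

# Constructed sample request; none of these values come from the thread
REQ = dict(method="REGISTER", uri="sip:dom.com", nonce="5a1f0c",
           nc="00000001", cnonce="9b2e")
STORED = ha1("ua", "dom.com", "example-secret")
CLIENT = digest_response(STORED, **REQ)   # what a correctly configured UA sends
SENT_USER_NAME = "ua@dom.com"             # assumed form of User-Name from the proxy

def run_cases():
    good = radcheck("ua@dom.com", STORED)
    wrong = digest_response(ha1("ua", "dom.com", "guess"), **REQ)
    return {
        "bare_key": authorize(radcheck("ua", STORED), SENT_USER_NAME, REQ, CLIENT),
        "full_uri_key": authorize(good, SENT_USER_NAME, REQ, CLIENT),
        "wrong_password": authorize(good, SENT_USER_NAME, REQ, wrong),
    }

if __name__ == "__main__":
    print(run_cases())
```

The HA1 itself is still computed over the bare digest username and realm; only the lookup key carries the `@domain` suffix.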