here you have my notes for Kamailio 1.4. Hope this helps.

Regards
Luciano


Digest Authentication of users using Kamailio and freeRADIUS
=============================================

freeRADIUS
-----------------

- Add Kamailio host to freeRadius clients.conf

- Include dictionary with kamailio avps.

- Enable digest module in freeRadius
  http://wiki.freeradius.org/Digest

- Add users to freeRadius users file

    1...@lucio01.net  Auth-Type := Digest, Cleartext-Password := "test123"
            Reply-Message = "Authenticated",
            Sip-Avp += "category:prepaid"

    1...@lucio01.net  Auth-Type := Digest, Cleartext-Password := "test123"
            Reply-Message = "Authenticated",
            Sip-Avp += "category:postpaid"


Kamailio (1.4)
---------------------

- Make sure radiusclient-ng is installed and configured in the machine running
  Kamailio. See radiusclient-ng_install_notes

- How to configure for authentication using radius

    loadmodule "auth_radius.so"
    modparam("auth_radius", "radius_config", "/usr/local/etc/radiusclient-ng/radiusclient.conf")

    radius_www_authorize("lucio01.net")
    radius_proxy_authorize("lucio01.net")

- How to get and use Sip-Avp

    loadmodule "avp_radius.so"
    loadmodule "avpops.so"

    xlog("category = $avp(s:category)");
    if (avp_check("$avp(s:category)", "eq/s:prepaid/ig"))


radiusclient-ng_install_notes
-----------------------------------------

- Install radiusclient-ng from source

    ~# tar xvfz radiusclient-ng-X.Y.Z.tar.gz
    ~# cd radiusclient-ng-X.Y.Z
    ~# ./configure
    ~# make
    ~# make install

- Configure authentication and accounting servers this client communicates with.
  Edit /usr/local/etc/radiusclient-ng/radiusclient.conf and set address of
  authentication and accounting servers

    authserver homero.lucio01.net
    acctserver homero.lucio01.net

- Configure shared secret to be used with servers this client communicates with.
  Edit /usr/local/etc/radiusclient-ng/servers and add shared secret for each
  server the client communicates with.

    homero.lucio01.net    testing123

- Create dictionary to be used with kamailio and sippy b2bua
  Create a dictionary file and add the following attributes and values used in
  kamailio and sippy b2bua

    VENDOR          Cisco                   9

    ATTRIBUTE       Cisco-AVPair            1       string  Cisco
    ATTRIBUTE       h323-remote-address     23      string  Cisco
    ATTRIBUTE       h323-conf-id            24      string  Cisco
    ATTRIBUTE       h323-setup-time         25      string  Cisco
    ATTRIBUTE       h323-call-origin        26      string  Cisco
    ATTRIBUTE       h323-call-type          27      string  Cisco
    ATTRIBUTE       h323-connect-time       28      string  Cisco
    ATTRIBUTE       h323-disconnect-time    29      string  Cisco
    ATTRIBUTE       h323-disconnect-cause   30      string  Cisco
    ATTRIBUTE       h323-voice-quality      31      string  Cisco
    ATTRIBUTE       h323-ivr-out            32      string  Cisco
    ATTRIBUTE       h323-credit-time        102     string  Cisco
    ATTRIBUTE       h323-return-code        103     string  Cisco
    ATTRIBUTE       h323-redirect-number    106     string  Cisco
    ATTRIBUTE       h323-preferred-lang     107     string  Cisco
    ATTRIBUTE       h323-billing-model      109     string  Cisco
    ATTRIBUTE       h323-currency           110     string  Cisco

    #
    # Experiment SIP-specific attributes:
    # These attributes are tied between client & server
    #
    ATTRIBUTE       Sip-Method                  101     integer
    ATTRIBUTE       Sip-Response-Code           102     integer
    ATTRIBUTE       Sip-CSeq                    103     string
    ATTRIBUTE       Sip-To-Tag                  104     string
    ATTRIBUTE       Sip-From-Tag                105     string
    ATTRIBUTE       Sip-Branch-ID               106     string
    ATTRIBUTE       Sip-Translated-Request-URI  107     string
    ATTRIBUTE       Sip-Source-IP-Address       108     ipaddr
    ATTRIBUTE       Sip-Source-Port             109     integer
    ATTRIBUTE       Sip-User-ID                 110     string
    ATTRIBUTE       Sip-User-Realm              111     string
    ATTRIBUTE       Sip-User-Nonce              112     string
    ATTRIBUTE       Sip-User-Method             113     string
    ATTRIBUTE       Sip-User-Digest-URI         114     string
    ATTRIBUTE       Sip-User-Nonce-Count        115     string
    ATTRIBUTE       Sip-User-QOP                116     string
    ATTRIBUTE       Sip-User-Opaque             117     string
    ATTRIBUTE       Sip-User-Response           118     string
    ATTRIBUTE       Sip-User-CNonce             119     string
    ATTRIBUTE       Sip-URI-User                208     string
    ATTRIBUTE       Sip-Group                   211     string
    ATTRIBUTE       Sip-RPId                    213     string

    #### Kamailio ####
    ATTRIBUTE       SIP-AVP                     225     string   # Proprietary, avp_radius

    ATTRIBUTE       Digest-Response             206     string
    ATTRIBUTE       Digest-Attributes           207     string
    ATTRIBUTE       Digest-Realm                1063    string
    ATTRIBUTE       Digest-Nonce                1064    string
    ATTRIBUTE       Digest-Method               1065    string
    ATTRIBUTE       Digest-URI                  1066    string
    ATTRIBUTE       Digest-QOP                  1067    string
    ATTRIBUTE       Digest-Algorithm            1068    string
    ATTRIBUTE       Digest-Body-Digest          1069    string
    ATTRIBUTE       Digest-CNonce               1070    string
    ATTRIBUTE       Digest-Nonce-Count          1071    string
    ATTRIBUTE       Digest-User-Name            1072    string
    ATTRIBUTE       Digest-User-Password        1073    string

    #
    # Integer Translations
    #

    # SIP types
    VALUE   Sip-Method              Other               0
    VALUE   Sip-Method              Invite              1
    VALUE   Sip-Method              Cancel              2
    VALUE   Sip-Method              Ack                 3
    VALUE   Sip-Method              Bye                 4

    VALUE   Sip-Response-Code       Other               0
    VALUE   Sip-Response-Code       Invite              1
    VALUE   Sip-Response-Code       Cancel              2
    VALUE   Sip-Response-Code       Ack                 3
    VALUE   Sip-Response-Code       Bye                 4

    # User Types
    VALUE   Service-Type            Authenticate-Only   8
    VALUE   Service-Type            Call-Check          10
    VALUE   Service-Type            Group-Check         12
    VALUE   Service-Type            Sip-Session         15
    VALUE   Service-Type            Authorize-Only      17
    VALUE   Service-Type            SIP-Caller-AVPs     30   # Proprietary, avp_radius
    VALUE   Service-Type            SIP-Callee-AVPs     31   # Proprietary, avp_radius

    # Status Types
    VALUE   Acct-Status-Type        Failed              15

- Include dictionary defined in previous step to be used by radiusclient-ng
  Add to the end of radiusclient-ng dictionary file
  (/usr/local/etc/radiusclient-ng/dictionary) an include directive for the file
  created in the previous step

    $INCLUDE dictionary.luciano


On Fri, Aug 6, 2010 at 7:06 AM, Daniel-Constantin Mierla <mico...@gmail.com> wrote:
> Hello,
>
> the radius client library has a file where you configure the servers, have
> you configured it?
> http://www.kamailio.org/docs/openser-radius-1.0.x.html#radiusclient_ng_servers
>
> Cheers,
> Daniel
>
>
> On 8/3/10 10:13 AM, Pratik Shrestha wrote:
>
> Dear Daniel,
> Yeah right. I totally forgot, it's a reverse dns.
> Now I checked the radius server in debug mode and I cannot see any request
> from openser trying to connect to radius server. So, the request from
> openser is not reaching the radius server.
> Then I installed wireshark and checked the ip address 128.185.38.162 (radius
> server ip add) in the server where openser was installed. There also I did
> not find any entry related to 128.185.38.16.
> So, it seems my configuration is wrong. I am sending you the configuration
> of openser.cfg and radiusclient.conf.
>
> openser.cfg
>
> SSH Secure Shell 3.2.3 (Build 279)
> Copyright (c) 2000-2003 SSH Communications Security Corp - http://www.ssh.com/
> This copy of SSH Secure Shell is a non-commercial version.
> This version does not include PKI and PKCS #11 functionality.
>
> Linux isoftel-desktop 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:10:02 UTC 2010 i686 GNU/Linux
> Ubuntu 10.04 LTS
>
> Welcome to Ubuntu!
>  * Documentation:  https://help.ubuntu.com/
>
> Last login: Tue Aug  3 10:35:05 2010 from 192.168.0.148
> isof...@isoftel-desktop:~$ cd /usr/local/etc/openser/
> isof...@isoftel-desktop:/usr/local/etc/openser$ cat openser.cfg
> #
> # $Id$
> #
> # radius config script
> #
>
> # ----------- global configuration parameters ------------------------
>
> debug=6           # debug level (cmd line: -dddddddddd)
> log_stderror=yes  # (cmd line: -E)
>
> check_via=no      # (cmd. line: -v)
> dns=no            # (cmd. line: -r)
> rev_dns=no        # (cmd. line: -R)
> port=5060
> children=4
> #listen=udp:localhost
> #alias="kamailio.org"
> fifo="/tmp/openser_fifo"
>
> # ------------------ module loading ----------------------------------
>
> mpath="/usr/local/lib/openser/modules"
> loadmodule "mysql.so"
> loadmodule "sl.so"
> loadmodule "tm.so"
> loadmodule "rr.so"
> loadmodule "maxfwd.so"
> loadmodule "avpops.so"
> loadmodule "usrloc.so"
> loadmodule "registrar.so"
> loadmodule "textops.so"
> loadmodule "xlog.so"
> loadmodule "uri.so"
> loadmodule "acc.so"
> loadmodule "auth.so"
> loadmodule "auth_radius.so"
> loadmodule "group_radius.so"
> loadmodule "avp_radius.so"
>
> # ----------------- setting module-specific parameters ---------------
>
> # -- usrloc params --
> #modparam("usrloc","db_url","mysql://openser:opense...@localhost/openser")
> modparam("usrloc", "db_mode", 2)
>
> # -- acc params --
> modparam("acc", "radius_flag", 1)
> modparam("acc", "radius_missed_flag", 2)
> modparam("acc", "log_flag", 1)
> modparam("acc", "log_missed_flag", 1)
> modparam("acc", "service_type", 15)
> modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp")
> modparam("acc|auth_radius|group_radius|avp_radius", "radius_config",
>          "/etc/radiusclient-ng/radiusclient.conf")
>
> # -- group_radius params --
> modparam("group_radius", "use_domain", 1)
>
> # -- avpops params --
> modparam("avpops", "avp_aliases", "day=i:101;time=i:102")
>
> # -- rr params --
> # add value to ;lr param to make some broken UAs happy
> modparam("rr", "enable_full_lr", 1)
>
> # ------------------------- request routing logic -------------------
>
> # main routing logic
>
> route{
>
>     # initial sanity checks -- messages with
>     # max_forwards==0, or excessively long requests
>     if (!mf_process_maxfwd_header("10")) {
>         sl_send_reply("483","Too Many Hops");
>         exit;
>     };
>     if (msg:len >= 2048 ) {
>         sl_send_reply("513", "Message too big");
>         exit;
>     };
>
>     # check if user is suspended
>     if(is_method("REGISTER|INVITE|MESSAGE|OPTIONS|SUBSCRIBE"))
>     {
>         if (radius_is_user_in("From", "suspended")) {
>             sl_send_reply("403", "Forbidden - suspended");
>             exit;
>         };
>     };
>
>     # we record-route all messages -- to make sure that
>     # subsequent messages will go through our proxy; that's
>     # particularly good if upstream and downstream entities
>     # use different transport protocol
>     if (!method=="REGISTER")
>         record_route();
>
>     # subsequent messages withing a dialog should take the
>     # path determined by record-routing
>     if (loose_route()) {
>         # mark routing logic in request
>         append_hf("P-hint: rr-enforced\r\n");
>         if(is_method("BYE"))
>         { # log it all the time
>             acc_rad_request("200 ok");
>             acc_log_request("200 ok");
>         }
>         route(1);
>     };
>
>     if(is_method("INVITE") && !has_totag())
>     { # set the acc flags
>         setflag(1);
>         setflag(2);
>     };
>
>     if (!uri==myself) {
>         # check if user is allowed to do voip calls to other domains
>         if(is_method("INVITE|MESSAGE")) {
>             if (!radius_is_user_in("From", "voip")) {
>                 sl_send_reply("403", "Forbidden VoIP");
>                 exit;
>             };
>         };
>         # mark routing logic in request
>         append_hf("P-hint: outbound\r\n");
>         route(1);
>     };
>
>     # if the request is for other domain use UsrLoc
>     # (in case, it does not work, use the following command
>     # with proper names and addresses in it)
>     if (uri==myself) {
>
>         # authenticate registers
>         if (method=="REGISTER") {
>             if (!radius_www_authorize("")) {
>                 www_challenge("", "1");
>                 exit;
>             };
>             # check the src ip address
>             if(!avp_check("i:2", "eq/$src_ip/ig"))
>             {
>                 sl_send_reply("403", "Forbidden IP");
>                 exit;
>             };
>             save("location");
>             exit;
>         };
>
>         # calls to pstn
>         if(uri=~"sip:00[1-9][0-9]+@") {
>             if(is_method("INVITE") && !has_totag()) {
>                 if (!radius_is_user_in("From", "pstn")) {
>                     sl_send_reply("403", "Forbidden PSTN");
>                     exit;
>                 };
>             };
>             # set gateway address
>             rewritehostport("localhost:5090");
>             route(1);
>         };
>
>         # load callee's avps
>         if(avp_load_radius("callee"))
>         {
>             # check if user has time filter enabled
>             if(avp_check("i:3", "eq/i:1"))
>             {
>                 # print time in an avp
>                 avp_printf("i:100", "$Tf");
>                 # extract day
>                 avp_subst("i:100/i:101", "/(.{3}) .+/*\1*/");
>                 if(!avp_check("i:6", "fm/$day")) {
>                     sl_send_reply("403", "Forbidden - day");
>                     exit;
>                 };
>                 # extract 'hours:minutes'
>                 avp_subst("i:100/i:102", "/(.{10}) (.{5}):.+/\2/");
>                 if((is_avp_set("i:4") && avp_check("i:4", "gt/$time"))
>                    || (is_avp_set("i:5") && avp_check("i:5", "lt/$time"))) {
>                     sl_send_reply("403", "Forbidden - time");
>                     exit;
>                 };
>             };
>         };
>
>         # native SIP destinations are handled using our USRLOC DB
>         if (!lookup("location")) {
>             # log to acc as missed call
>             acc_rad_request("404 Not Found");
>             acc_log_request("404 Not Found");
>             sl_send_reply("404", "Not Found");
>             exit;
>         };
>         append_hf("P-hint: usrloc applied\r\n");
>     };
>
>     route(1);
> }
>
> # generic forward
> route[1] {
>     # send it out now; use stateful forwarding as it works reliably
>     # even for UDP2TCP
>     if (!t_relay()) {
>         sl_reply_error();
>     };
>     exit;
> }
>
>
> radiusclient-ng.conf
>
> # General settings
>
> # specify which authentication comes first respectively which
> # authentication is used. possible values are: "radius" and "local".
> # if you specify "radius,local" then the RADIUS server is asked
> # first then the local one. if only one keyword is specified only
> # this server is asked.
> auth_order      radius
> #add 'local' with comma
>
> # maximum login tries a user has
> login_tries     4
>
> # timeout for all login tries
> # if this time is exceeded the user is kicked out
> login_timeout   60
>
> # name of the nologin file which when it exists disables logins.
> # it may be extended by the ttyname which will result in
> # a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
> # logins on /dev/ttyS2)
> nologin /etc/nologin
>
> # name of the issue file. it's only display when no username is passed
> # on the radlogin command line
> issue   /etc/radiusclient-ng/issue
>
> # RADIUS settings
>
> # RADIUS server to use for authentication requests. this config
> # item can appear more then one time. if multiple servers are
> # defined they are tried in a round robin fashion if one
> # server is not answering.
> # optionally you can specify a the port number on which is remote
> # RADIUS listens separated by a colon from the hostname. if
> # no port is specified /etc/services is consulted of the radius
> # service. if this fails also a compiled in default is used.
> authserver      128.185.38.162
>
> # RADIUS server to use for accouting requests. All that I
> # said for authserver applies, too.
> #
> acctserver      128.185.38.162
>
> # file holding shared secrets used for the communication
> # between the RADIUS client and server
> servers         /etc/radiusclient-ng/servers
>
> # dictionary of allowed attributes and values
> # just like in the normal RADIUS distributions
> dictionary      /etc/radiusclient-ng/dictionary
>
> # program to call for a RADIUS authenticated login
> login_radius    /usr/sbin/login.radius
>
> # file which holds sequence number for communication with the
> # RADIUS server
> seqfile         /var/run/radius.seq
>
> # file which specifies mapping between ttyname and NAS-Port attribute
> mapfile         /etc/radiusclient-ng/port-id-map
>
> # default authentication realm to append to all usernames if no
> # realm was explicitly specified by the user
> # the radiusd directly form Livingston doesnt use any realms, so leave
> # it blank then
> default_realm
>
> # time to wait for a reply from the RADIUS server
> radius_timeout  10
>
> # resend request this many times before trying the next server
> radius_retries  3
>
> # local address from which radius packets have to be sent
> bindaddr localhost
> #change with 'localhost'
>
> # LOCAL settings
>
> # program to execute for local login
> # it must support the -f flag for preauthenticated login
> login_local     /bin/login
>
>
> I have edited servers file also with the servername and secret.
> Thank you very much.
>
> Regards,
> Pratik
>
> On Mon, Aug 2, 2010 at 11:26 PM, Daniel-Constantin Mierla
> <mico...@gmail.com> wrote:
>>
>> Hello,
>>
>> On 8/2/10 12:36 PM, Pratik Shrestha wrote:
>>
>> Dear Daniel,
>> Now the new issue. Seems now openser is trying to talk with radius server.
>> But still I am getting the one error in syslog which is as follows.
>>
>> rc_send_server: no reply from RADIUS server 128-185-38-162.totisp.net:1812
>>
>> Actually I have written only 128.185.38.162 in auth_server in
>> radiusclient.conf. I don't know how this totisp.net is added. I haven't
>> mentioned it anywhere.
>>
>> probably reverse dns is done in the library, it is not relevant anyhow.
>> Can you start radius server in debug mode and see if it got some request?
>> You can also do a ngrep/wireshark on port 1812 of your radius server to
>> watch for network packets coming from kamailio.
>>
>> Cheers,
>> Daniel
>>
>>
>> Please help me.
>> Thanks.
>>
>> Regards,
>> Pratik
>>
>> On Mon, Aug 2, 2010 at 11:44 AM, Pratik Shrestha <pratik...@gmail.com>
>> wrote:
>>>
>>> Dear Daniel,
>>>
>>> Before I work for the new version, I am first trying to configure old
>>> version of openser and radius. I am using openser version 1.0.1 and radius
>>> client version 0.5.1 and I am following the tutorial given in
>>> http://kamailio.net/docs/openser-radius-1.0.x.html.
>>>
>>> My freeradius server is in another machine and when I use radclient to
>>> check the user I made, I get the "Authenticated" message.
>>> But when I use X-lite and connect to openser, it seems openser is not
>>> talking with freeradius servers. I am sure the "secret" I am using is right
>>> as I have already tested from radclient. The log which I am getting in
>>> openser is as shown below
>>>
>>> 9(1986) SIP Request:
>>> 9(1986)  method:  <REGISTER>
>>> 9(1986)  uri:     <sip:192.168.0.56>
>>> 9(1986)  version: <SIP/2.0>
>>> 9(1986) parse_headers: flags=2
>>> 9(1986) Found param type 232, <branch> = <z9hG4bK-d8754z-c33212005635f16c-1---d8754z->; state=6
>>> 9(1986) Found param type 235, <rport> = <n/a>; state=17
>>> 9(1986) end of header reached, state=5
>>> 9(1986) parse_headers: Via found, flags=2
>>> 9(1986) parse_headers: this is the first via
>>> 9(1986) After parse_msg...
>>> 9(1986) preparing to run routing scripts...
>>> 9(1986) parse_headers: flags=100
>>> 9(1986) DEBUG:maxfwd:is_maxfwd_present: value = 70
>>> 9(1986) parse_headers: flags=10
>>> 9(1986) DEBUG:parse_to:end of header reached, state=9
>>> 9(1986) DEBUG: get_hdr_field: <To> [44]; uri=[sip:101%40kamailio....@192.168.0.56]
>>> 9(1986) DEBUG: to body ["101"<sip:101%40kamailio....@192.168.0.56>
>>> ]
>>> 9(1986) DEBUG: add_param: tag=cc6e4259
>>> 9(1986) DEBUG:parse_to:end of header reached, state=29
>>> 9(1986) radius_is_user_in(): Failure
>>> 9(1986) parse_headers: flags=200
>>> 9(1986) get_hdr_field: cseq <CSeq>: <2> <REGISTER>
>>> 9(1986) DEBUG: get_hdr_body : content_length=0
>>> 9(1986) found end of header
>>> 9(1986) find_first_route: No Route headers found
>>> 9(1986) loose_route: There is no Route HF
>>> 9(1986) grep_sock_info - checking if host==us: 12==9 && [192.168.0.56] == [127.0.0.1]
>>> 9(1986) grep_sock_info - checking if port 5060 matches port 5060
>>> 9(1986) grep_sock_info - checking if host==us: 12==12 && [192.168.0.56] == [192.168.0.56]
>>> 9(1986) grep_sock_info - checking if port 5060 matches port 5060
>>> 9(1986) grep_sock_info - checking if host==us: 12==9 && [192.168.0.56] == [127.0.0.1]
>>> 9(1986) grep_sock_info - checking if port 5060 matches port 5060
>>> 9(1986) grep_sock_info - checking if host==us: 12==12 && [192.168.0.56] == [192.168.0.56]
>>> 9(1986) grep_sock_info - checking if port 5060 matches port 5060
>>> 9(1986) check_nonce(): comparing [4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c] and [4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c]
>>> 9(1986) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
>>> 9(1986) build_auth_hf(): 'WWW-Authenticate: Digest realm="192.168.0.56", nonce="4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c"
>>> '
>>> 9(1986) parse_headers: flags=ffffffffffffffff
>>> 9(1986) check_via_address(192.168.0.148, 192.168.182.3, 0)
>>> 9(1986) DEBUG:destroy_avp_list: destroying list (nil)
>>> 9(1986) receive_msg: cleaning up
>>>
>>> At freeradius also, no request goes from openser.
>>>
>>> Please advise me how to get rid of this problem.
>>>
>>> Best Regards,
>>> Pratik
>>>
>>> On Wed, Jul 28, 2010 at 5:56 PM, Pratik Shrestha <pratik...@gmail.com>
>>> wrote:
>>>>
>>>> Thanks a lot. I will give it a try
>>>>
>>>> Pratik
>>>>
>>>> On Wed, Jul 28, 2010 at 3:48 PM, Daniel-Constantin Mierla
>>>> <mico...@gmail.com> wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> On 7/22/10 6:06 AM, Pratik Shrestha wrote:
>>>>>>
>>>>>> Dear All,
>>>>>>
>>>>>> I am very new to OpenSer. I want to use latest version of OpenSer with
>>>>>> Radius. I need the documentation/tutorial on how to do this. Googling,
>>>>>> I only found for the old version. Please help me.
>>>>>
>>>>> indeed, there is a rather old version:
>>>>>
>>>>> http://www.kamailio.org/docs/openser-radius-1.0.x.html
>>>>>
>>>>> What I can say now is that you can skip the part of installing kamailio
>>>>> and use next link instead:
>>>>>
>>>>> http://www.kamailio.org/dokuwiki/doku.php/install:kamailio-3.0.x-from-git
>>>>>
>>>>> Radius client library is now in most of common Linux distributions, so
>>>>> you can install it with the package manager (you need the devel headers as
>>>>> well, the -dev package).
>>>>>
>>>>> FreeRadius configuration should be more or less the same.
>>>>>
>>>>> The config of kamailio has changed quite a lot. Use the default one
>>>>> from kamailio, follow the WITH_AUTH define conditions and replace auth_db
>>>>> with auth_radius modules and functions. Also, the rest of radius modules
>>>>> were merged into misc_radius. For enabling radius acc, you need to
>>>>> recompile acc module after editing the Makefile in module directory.
>>>>>
>>>>> Hope it helps to start, ask here if you get stuck.
>>>>>
>>>>> Cheers,
>>>>> Daniel
>>>>>
>>>>> --
>>>>> Daniel-Constantin Mierla
>>>>> http://www.asipto.com/
>>>>>
>>>>
>>>
>>
>>
>> --
>> Daniel-Constantin Mierla
>> http://www.asipto.com/
>>
>
> --
> Daniel-Constantin Mierla
> http://www.asipto.com/
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users@lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>

_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
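The check the RADIUS digest backend performs with the Cleartext-Password from the users file in the notes at the top of this thread, written out as an added example (not code from the thread, from Kamailio or from FreeRADIUS): the proxy forwards the client's response as Digest-Response and the challenge parameters as Digest-Attributes, and the server recomputes the RFC 2617 response from the stored password. Attribute names follow the Digest-* entries of the dictionary in the notes; the user, nonce and cnonce values in the sample are constructed, and the no-qop branch matches the qop-less WWW-Authenticate challenge seen in the log further up.

```python
import hashlib
import hmac

# Sub-attributes the server needs from Digest-Attributes (names taken from
# the dictionary in the notes; the proxy sends them, the server checks them).
REQUIRED = ("Digest-User-Name", "Digest-Realm", "Digest-Nonce",
            "Digest-Method", "Digest-URI")


def _md5_hex(*parts):
    """H()/KD() of RFC 2617: MD5 over the colon-joined parts, lowercase hex."""
    return hashlib.md5(":".join(parts).encode()).hexdigest()


def expected_response(attrs, password):
    """Recompute the digest response from the Cleartext-Password.

    Raises ValueError when Digest-Attributes lacks what the chosen qop needs,
    which a server must treat as a failed authentication, not a pass.
    """
    missing = [k for k in REQUIRED if k not in attrs]
    if missing:
        raise ValueError("Digest-Attributes missing: %s" % ", ".join(missing))
    ha1 = _md5_hex(attrs["Digest-User-Name"], attrs["Digest-Realm"], password)
    ha2 = _md5_hex(attrs["Digest-Method"], attrs["Digest-URI"])
    qop = attrs.get("Digest-QOP")
    if not qop:
        # Challenge without qop (as in the log's WWW-Authenticate header):
        # RFC 2069 form, no cnonce and no nonce count in the hash.
        return _md5_hex(ha1, attrs["Digest-Nonce"], ha2)
    if qop != "auth":
        raise ValueError("unsupported qop %r" % qop)
    for k in ("Digest-CNonce", "Digest-Nonce-Count"):
        if k not in attrs:
            raise ValueError("qop=auth requires %s" % k)
    return _md5_hex(ha1, attrs["Digest-Nonce"], attrs["Digest-Nonce-Count"],
                    attrs["Digest-CNonce"], qop, ha2)


def verify(attrs, digest_response, password):
    """True only if Digest-Response matches; compared in constant time.

    Nonce freshness is not checked here: the proxy does that itself
    (check_nonce() in the log) before the request ever reaches RADIUS.
    """
    try:
        want = expected_response(attrs, password)
    except ValueError:
        return False
    return hmac.compare_digest(want, digest_response.lower())


def parse_sip_avp(values):
    """Map Sip-Avp reply values such as "category:prepaid" to name/value,
    the pairs avp_radius exposes as $avp(s:category) in the routing script."""
    out = {}
    for v in values:
        name, _, val = v.partition(":")
        out[name] = val
    return out


# Constructed sample for the realm in the notes; password "test123" is the
# Cleartext-Password from the users file, everything else is made up.
SAMPLE = {
    "Digest-User-Name": "alice", "Digest-Realm": "lucio01.net",
    "Digest-Nonce": "0123456789abcdef", "Digest-Method": "REGISTER",
    "Digest-URI": "sip:lucio01.net", "Digest-QOP": "auth",
    "Digest-Nonce-Count": "00000001", "Digest-CNonce": "f00dcafe",
}
```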