Uwe,

I tried the strace tool but no line is trying to use radius.seq. I manually created radius.seq like "-rw-rw-rw- 1 root root 0 Jun 25 00:45 radius.seq" because it is not created for some reason. Will this be a problem?

Regards,
Leon

-----Original Message-----
From: Uwe Kastens [mailto:[email protected]]
Sent: Tuesday, 23 June 2009 5:31 PM
To: Leon Li
Cc: [email protected]
Subject: Re: [OpenSIPS-Users] No RADIUS traffic

Li,

I was wondering about the answer from radius:

WARNING: Ignoring Status-Server request due to security configuration

If I try the same I will get an answer like:

Received response ID 196, code 2, length = 20

Could you please check your shared secret.

> Also, I cannot find file /var/run/radius.seq. Is it created automatically?

It should be there if radius will work - but remember your permissions.

You can try one thing: set fork=no in opensips.cfg, install strace and start opensips with "strace -f -e open opensips". Now start one attempt to register etc.pp. and watch the line with the seq.

[pid 20680] open("/var/run/opensips/radius.seq", O_RDWR|O_CREAT|O_APPEND, 0666) = 13

BR

Uwe

Leon Li wrote:
> Uwe,
>
> I got the following from RADIUS when issuing the command you gave.
>
> rad_recv: Status-Server packet from host 127.0.0.1:39297, id=17, length=38
> WARNING: Ignoring Status-Server request due to security configuration
> --- Walking the entire request list ---
> Nothing to do. Sleeping until we see a request.
> rad_recv: Status-Server packet from host 127.0.0.1:39297, id=17, length=38
> WARNING: Ignoring Status-Server request due to security configuration
> --- Walking the entire request list ---
>
> So I assume that the radius server is working?
>
> Also, I cannot find file /var/run/radius.seq. Is it created automatically?
>
> Regards,
> Leon
>
> -----Original Message-----
> From: Uwe Kastens [mailto:[email protected]]
> Sent: Wednesday, 17 June 2009 6:01 PM
> To: Leon Li
> Cc: [email protected]
> Subject: Re: [OpenSIPS-Users] No RADIUS traffic
>
> Leon,
>
> mysql.so in opensips is not needed for the radius authentication.
>
> Shared secrets for radius are correct? Anyway you should see some
> traffic on the radius server.
>
> Could you please test
> echo "Message-Authenticator = 0x00" | radclient 127.0.0.1:1812 status <shared secret>
>
> You should see then traffic on radiusd -X
>
> If yes I would start checking permissions again
>
> BR
>
> uwe
>
> Leon Li wrote:
>> Hi Ashwini,
>>
>> I have added param for auth_radius, but no luck. :(
>>
>> Why do I need mysql.so if the radius server will host all users credential?
>>
>> Regards,
>>
>> Leon
>>
>> *From:* ASHWINI NAIDU [mailto:[email protected]]
>> *Sent:* Monday, 15 June 2009 2:52 PM
>> *To:* Leon Li
>> *Cc:* Uwe Kastens; [email protected]
>> *Subject:* Re: [OpenSIPS-Users] No RADIUS traffic
>>
>> On Mon, Jun 15, 2009 at 10:19 AM, ASHWINI NAIDU <[email protected]> wrote:
>>
>> hi leon,
>>
>> But i do not see your openser communicating with radiusclient.
>>
>> modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
>>
>> mention the path of radiusclient.conf properly.
>>
>> Your mysql support is also commented.
>>
>> *loadmodule "mysql.so"*
>>
>> On Mon, Jun 15, 2009 at 5:13 AM, Leon Li <[email protected]> wrote:
>>
>> Here it is.
>>
>> ####### Global Parameters #########
>>
>> debug=3
>> log_stderror=no
>> log_facility=LOG_LOCAL0
>>
>> fork=yes
>> children=4
>>
>> /* uncomment the following lines to enable debugging */
>> debug=6
>> fork=no
>> log_stderror=yes
>>
>> /* uncomment the next line to disable TCP (default on) */
>> #disable_tcp=yes
>>
>> /* uncomment the next line to enable the auto temporary blacklisting of
>>    not available destinations (default disabled) */
>> #disable_dns_blacklist=no
>>
>> /* uncomment the next line to enable IPv6 lookup after IPv4 dns
>>    lookup failures (default disabled) */
>> #dns_try_ipv6=yes
>>
>> /* uncomment the next line to disable the auto discovery of local aliases
>>    based on reverse DNS on IPs (default on) */
>> #auto_aliases=no
>>
>> /* uncomment the following lines to enable TLS support (default off) */
>> #disable_tls = no
>> #listen = tls:your_IP:5061
>> #tls_verify_server = 1
>> #tls_verify_client = 1
>> #tls_require_client_certificate = 0
>> #tls_method = TLSv1
>> #tls_certificate = "/usr/local/etc/openser/tls/user/user-cert.pem"
>> #tls_private_key = "/usr/local/etc/openser/tls/user/user-privkey.pem"
>> #tls_ca_list = "/usr/local/etc/openser/tls/user/user-calist.pem"
>>
>> listen=202.158.197.134
>> port=5060
>>
>> /* uncomment and configure the following line if you want openser to
>>    bind on a specific interface/port/proto (default bind on all available) */
>> #listen=udp:192.168.1.2:5060
>>
>> ####### Modules Section ########
>>
>> #set module path
>> mpath="/usr/local/lib/openser/modules/"
>>
>> /* uncomment next line for MySQL DB support */
>> #loadmodule "mysql.so"
>> loadmodule "sl.so"
>> loadmodule "tm.so"
>> loadmodule "rr.so"
>> loadmodule "maxfwd.so"
>> loadmodule "usrloc.so"
>> loadmodule "registrar.so"
>> loadmodule "textops.so"
>> loadmodule "mi_fifo.so"
>> loadmodule "uri_db.so"
>> loadmodule "uri.so"
>> loadmodule "xlog.so"
>> loadmodule "acc.so"
>> /* uncomment next lines for MySQL based authentication support
>>    NOTE: a DB (like mysql) module must be also loaded */
>> loadmodule "auth.so"
>> loadmodule "auth_radius.so"
>> #loadmodule "auth_db.so"
>> /* uncomment next line for aliases support
>>    NOTE: a DB (like mysql) module must be also loaded */
>> #loadmodule "alias_db.so"
>> /* uncomment next line for multi-domain support
>>    NOTE: a DB (like mysql) module must be also loaded
>>    NOTE: be sure and enable multi-domain support in all used modules
>>          (see "multi-module params" section ) */
>> #loadmodule "domain.so"
>> /* uncomment the next two lines for presence server support
>>    NOTE: a DB (like mysql) module must be also loaded */
>> #loadmodule "presence.so"
>> #loadmodule "presence_xml.so"
>>
>>
>> # ----------------- setting module-specific parameters ---------------
>>
>> # ----- mi_fifo params -----
>> modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo")
>>
>>
>> # ----- rr params -----
>> # add value to ;lr param to cope with most of the UAs
>> modparam("rr", "enable_full_lr", 1)
>> # do not append from tag to the RR (no need for this script)
>> modparam("rr", "append_fromtag", 0)
>>
>>
>> # ----- registrar params -----
>> modparam("registrar", "method_filtering", 1)
>> /* uncomment the next line to disable parallel forking via location */
>> # modparam("registrar", "append_branches", 0)
>> /* uncomment the next line not to allow more than 10 contacts per AOR */
>> #modparam("registrar", "max_contacts", 10)
>>
>>
>> # ----- uri_db params -----
>> /* by default we disable the DB support in the module as we do not need it
>>    in this configuration */
>> modparam("uri_db", "use_uri_table", 0)
>> modparam("uri_db", "db_url", "")
>>
>>
>> # ----- acc params -----
>> /* what special events should be accounted ? */
>> modparam("acc", "early_media", 1)
>> modparam("acc", "report_ack", 1)
>> modparam("acc", "report_cancels", 1)
>> /* by default we do not adjust the direction of the sequential requests.
>>    if you enable this parameter, be sure to enable "append_fromtag"
>>    in "rr" module */
>> modparam("acc", "detect_direction", 0)
>> /* account triggers (flags) */
>> modparam("acc", "failed_transaction_flag", 3)
>> modparam("acc", "log_flag", 1)
>> modparam("acc", "log_missed_flag", 2)
>> /* uncomment the following lines to enable DB accounting also */
>> modparam("acc", "db_flag", 1)
>> modparam("acc", "db_missed_flag", 2)
>>
>> # ----- multi-module params -----
>> /* uncomment the following line if you want to enable multi-domain support
>>    in the modules (default off) */
>> #modparam("alias_db|auth_db|usrloc|uri_db", "use_domain", 1)
>>
>> ####### Routing Logic ########
>>
>>
>> # main request routing logic
>>
>> route{
>>
>>     if (!mf_process_maxfwd_header("10")) {
>>         sl_send_reply("483","Too Many Hops");
>>         exit;
>>     }
>>
>>     if (has_totag()) {
>>         # sequential request within a dialog should
>>         # take the path determined by record-routing
>>         if (loose_route()) {
>>             if (is_method("BYE")) {
>>                 setflag(1); # do accounting ...
>>                 setflag(3); # ... even if the transaction fails
>>             }
>>             route(1);
>>         } else {
>>             /* uncomment the following lines if you want to enable presence */
>>             ##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
>>             ##    # in-dialog subscribe requests
>>             ##    route(2);
>>             ##    exit;
>>             ##}
>>             if ( is_method("ACK") ) {
>>                 if ( t_check_trans() ) {
>>                     # non loose-route, but stateful ACK; must be an ACK
>>                     # after a 487 or e.g. 404 from upstream server
>>                     t_relay();
>>                     exit;
>>                 } else {
>>                     # ACK without matching transaction ... ignore and discard.
>>                     exit;
>>                 }
>>             }
>>             sl_send_reply("404","Not here");
>>         }
>>         exit;
>>     }
>>
>>     #initial requests
>>
>>     # CANCEL processing
>>     if (is_method("CANCEL"))
>>     {
>>         if (t_check_trans())
>>             t_relay();
>>         exit;
>>     }
>>
>>     t_check_trans();
>>
>>     # authenticate if from local subscriber (uncomment to enable auth)
>>     ##if (!(method=="REGISTER") && from_uri==myself)
>>     ##{
>>     ##    if (!proxy_authorize("", "subscriber")) {
>>     ##        proxy_challenge("", "0");
>>     ##        exit;
>>     ##    }
>>     ##    if (!check_from()) {
>>     ##        sl_send_reply("403","Forbidden auth ID");
>>     ##        exit;
>>     ##    }
>>     ##
>>     ##    consume_credentials();
>>     ##    # caller authenticated
>>     ##}
>>
>>     # record routing
>>     if (!is_method("REGISTER|MESSAGE"))
>>         record_route();
>>
>>     # account only INVITEs
>>     if (is_method("INVITE")) {
>>         setflag(1); # do accounting
>>     }
>>     if (!uri==myself)
>>     /* replace with following line if multi-domain support is used */
>>     ##if (!is_uri_host_local())
>>     {
>>         append_hf("P-hint: outbound\r\n");
>>         # if you have some interdomain connections via TLS
>>         ##if($rd=="tls_domain1.net") {
>>         ##    t_relay("tls:domain1.net");
>>         ##    exit;
>>         ##} else if($rd=="tls_domain2.net") {
>>         ##    t_relay("tls:domain2.net");
>>         ##    exit;
>>         ##}
>>         route(1);
>>     }
>>
>>     # requests for my domain
>>
>>     /* uncomment this if you want to enable presence server
>>        and comment the next 'if' block
>>        NOTE: uncomment also the definition of route[2] from below */
>>     ##if( is_method("PUBLISH|SUBSCRIBE"))
>>     ##    route(2);
>>
>>     if (is_method("PUBLISH"))
>>     {
>>         sl_send_reply("503", "Service Unavailable");
>>         exit;
>>     }
>>
>>
>>     if (is_method("REGISTER"))
>>     {
>>         # authenticate the REGISTER requests (uncomment to enable auth)
>>         ##if (!www_authorize("", "subscriber"))
>>         ##{
>>         ##    www_challenge("", "0");
>>         ##    exit;
>>         ##}
>>         ##
>>         ##if (!check_to())
>>         ##{
>>         ##    sl_send_reply("403","Forbidden auth ID");
>>         ##    exit;
>>         ##}
>>
>>         xlog("L_INFO", "REGISTER for ($fU) $ru\n");
>>         if (!radius_www_authorize(""))
>>         {
>>             log(1, "Proxy Authentication Required (Digest)\n");
>>             www_challenge("", "0");
>>             exit;
>>         };
>>
>>         if (!save("location"))
>>             sl_reply_error();
>>
>>         exit;
>>     }
>>
>>     if ($rU==NULL) {
>>         # request with no Username in RURI
>>         sl_send_reply("484","Address Incomplete");
>>         exit;
>>     }
>>
>>     # apply DB based aliases (uncomment to enable)
>>     ##alias_db_lookup("dbaliases");
>>
>>     if (!lookup("location")) {
>>         switch ($retcode) {
>>             case -1:
>>             case -3:
>>                 t_newtran();
>>                 t_reply("404", "Not Found");
>>                 exit;
>>             case -2:
>>                 sl_send_reply("405", "Method Not Allowed");
>>                 exit;
>>         }
>>     }
>>
>>     # when routing via usrloc, log the missed calls also
>>     setflag(2);
>>
>>     route(1);
>> }
>>
>>
>> route[1] {
>>     # for INVITEs enable some additional helper routes
>>     if (is_method("INVITE")) {
>>         t_on_branch("2");
>>         t_on_reply("2");
>>         t_on_failure("1");
>>     }
>>
>>     if (!t_relay()) {
>>         sl_reply_error();
>>     };
>>     exit;
>> }
>>
>> branch_route[2] {
>>     xlog("new branch at $ru\n");
>> }
>>
>>
>> onreply_route[2] {
>>     xlog("incoming reply\n");
>> }
>>
>>
>> failure_route[1] {
>>     if (t_was_cancelled()) {
>>         exit;
>>     }
>>
>>     # uncomment the following lines if you want to block client
>>     # redirect based on 3xx replies.
>>     ##if (t_check_status("3[0-9][0-9]")) {
>>     ##t_reply("404","Not found");
>>     ##    exit;
>>     ##}
>>
>>     # uncomment the following lines if you want to redirect the failed
>>     # calls to a different new destination
>>     ##if (t_check_status("486|408")) {
>>     ##    sethostport("192.168.2.100:5060");
>>     ##    append_branch();
>>     ##    # do not set the missed call flag again
>>     ##    t_relay();
>>     ##}
>>
>> }
>>
>> Regards,
>> Leon
>>
>> -----Original Message-----
>> From: Uwe Kastens [mailto:[email protected]]
>> Sent: Friday, 12 June 2009 4:51 PM
>> To: Leon Li
>> Cc: [email protected]
>> Subject: Re: [OpenSIPS-Users] No RADIUS traffic
>>
>> Hi,
>>
>> This is strange. Could you post your opensips.cfg or send it to me
>> directly?
>>
>> BR
>>
>> Uwe
>>
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>> --
>> Thanking You,
>> Ashwini BR Naidu

--
kiste
lat: 54.322684, lon: 10.13586
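
Added example, not part of the thread and not OpenSIPS or radiusclient-ng code: a shell check for the sequence file discussed above, covering both the "not created" case and the hand-made rw-rw-rw- file. It assumes the radiusclient-ng `seqfile` key in radiusclient.conf; the function names and the sample config are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): inspect the radiusclient-ng sequence file.
# Run it as the account OpenSIPS runs under, because -w tests the current user.

# Print the path given by the "seqfile" key of a radiusclient.conf-style file.
seqfile_from_conf() {
    awk '$1 == "seqfile" { print $2; exit }' "$1"
}

# Classify the sequence file at path $1 and print one verdict:
#   missing-dir-not-writable  file absent, directory missing or not writable
#   missing-creatable         file absent, but open(O_CREAT) could succeed
#   not-writable              file exists, current user cannot write it
#   world-writable            writable, but any local user can modify it
#   ok                        writable and not world-writable
check_seqfile() {
    local path="$1" dir
    dir=$(dirname "$path")
    if [ ! -e "$path" ]; then
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            echo "missing-creatable"
        else
            echo "missing-dir-not-writable"
        fi
    elif [ ! -w "$path" ]; then
        echo "not-writable"
    elif [ -n "$(find "$path" -prune -perm -0002 -print)" ]; then
        echo "world-writable"
    else
        echo "ok"
    fi
}

# Demo on a constructed config in a scratch directory (no system files touched).
demo() {
    local tmp conf seq
    tmp=$(mktemp -d)
    conf="$tmp/radiusclient.conf"
    printf 'authserver localhost\nseqfile %s/radius.seq\n' "$tmp" > "$conf"
    seq=$(seqfile_from_conf "$conf")
    echo "before create: $(check_seqfile "$seq")"
    : > "$seq"; chmod 0666 "$seq"   # same mode as the hand-made file in the thread
    echo "mode 0666:     $(check_seqfile "$seq")"
    chmod 0600 "$seq"
    echo "mode 0600:     $(check_seqfile "$seq")"
    rm -rf "$tmp"
}
demo
```

On a real host, pass the output of `seqfile_from_conf /etc/radiusclient-ng/radiusclient.conf` (the path used in the thread's modparam line) to `check_seqfile`.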
