Leon,

Could you post the output of the strace call? And could you please post the output of ldd auth_radius.so?

BR

Uwe

Leon Li wrote:
> Uwe,
>
> I tried the strace tool but no line is trying to use radius.seq. I
> manually created radius.seq like
> "-rw-rw-rw- 1 root root 0 Jun 25 00:45 radius.seq"
> because it is not created for some reason.
> Will this be a problem?
>
> Regards,
> Leon
>
> -----Original Message-----
> From: Uwe Kastens [mailto:[email protected]]
> Sent: Tuesday, 23 June 2009 5:31 PM
> To: Leon Li
> Cc: [email protected]
> Subject: Re: [OpenSIPS-Users] No RADIUS traffic
>
> Li,
>
> I was wondering about the answer from radius:
> WARNING: Ignoring Status-Server request due to security configuration
>
> If I try the same I will get an answer like:
> Received response ID 196, code 2, length = 20
>
> Could you please check your shared secret.
>
>> Also, I cannot find file /var/run/radius.seq. Is it created automatically?
>
> It should be there if radius will work - but remember your permissions.
>
> You can try one thing: set fork=no in opensips.cfg, install strace and
> start opensips with "strace -f -e open opensips". Now start one attempt
> to register etc.pp. and watch the line with the seq.
>
> [pid 20680] open("/var/run/opensips/radius.seq", O_RDWR|O_CREAT|O_APPEND, 0666) = 13
>
> BR
>
> Uwe
>
> Leon Li wrote:
>> Uwe,
>>
>> I got the following from RADIUS when issue the command you gave.
>>
>> rad_recv: Status-Server packet from host 127.0.0.1:39297, id=17, length=38
>> WARNING: Ignoring Status-Server request due to security configuration
>> --- Walking the entire request list ---
>> Nothing to do. Sleeping until we see a request.
>> rad_recv: Status-Server packet from host 127.0.0.1:39297, id=17, length=38
>> WARNING: Ignoring Status-Server request due to security configuration
>> --- Walking the entire request list ---
>>
>> So I assume that the radius server is working?
>>
>> Also, I cannot find file /var/run/radius.seq. Is it created automatically?
>>
>> Regards,
>> Leon
>>
>> -----Original Message-----
>> From: Uwe Kastens [mailto:[email protected]]
>> Sent: Wednesday, 17 June 2009 6:01 PM
>> To: Leon Li
>> Cc: [email protected]
>> Subject: Re: [OpenSIPS-Users] No RADIUS traffic
>>
>> Leon,
>>
>> mysql.so in opensips is not needed for the radius authentication.
>>
>> Shared secrets for radius are correct? Anyway you should see some
>> traffic on the radius server.
>>
>> Could you please test
>> echo "Message-Authenticator = 0x00" | radclient 127.0.0.1:1812 status <shared secret>
>>
>> You should see then traffic on radiusd -X
>>
>> If yes I would start checking permissions again
>>
>> BR
>>
>> uwe
>>
>> Leon Li wrote:
>>> Hi Ashwini,
>>>
>>> I have added param for aut_radius, but no luck. :(
>>>
>>> Why do I need mysql.so if the radius server will host all users credential?
>>>
>>> Regards,
>>>
>>> Leon
>>>
>>> *From:* ASHWINI NAIDU [mailto:[email protected]]
>>> *Sent:* Monday, 15 June 2009 2:52 PM
>>> *To:* Leon Li
>>> *Cc:* Uwe Kastens; [email protected]
>>> *Subject:* Re: [OpenSIPS-Users] No RADIUS traffic
>>>
>>> On Mon, Jun 15, 2009 at 10:19 AM, ASHWINI NAIDU <[email protected]> wrote:
>>>
>>> hi leon,
>>>
>>> But i do not see your openser communicating with radiusclient.
>>>
>>> modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
>>>
>>> mention the path of radiusclient.conf properly.
>>>
>>> Your mysql support is also commented.
>>>
>>> *loadmodule "mysql.so"*
>>>
>>> On Mon, Jun 15, 2009 at 5:13 AM, Leon Li <[email protected]> wrote:
>>>
>>> Here it is.
>>>
>>> ####### Global Parameters #########
>>>
>>> debug=3
>>> log_stderror=no
>>> log_facility=LOG_LOCAL0
>>>
>>> fork=yes
>>> children=4
>>>
>>> /* uncomment the following lines to enable debugging */
>>> debug=6
>>> fork=no
>>> log_stderror=yes
>>>
>>> /* uncomment the next line to disable TCP (default on) */
>>> #disable_tcp=yes
>>>
>>> /* uncomment the next line to enable the auto temporary blacklisting of
>>>    not available destinations (default disabled) */
>>> #disable_dns_blacklist=no
>>>
>>> /* uncomment the next line to enable IPv6 lookup after IPv4 dns
>>>    lookup failures (default disabled) */
>>> #dns_try_ipv6=yes
>>>
>>> /* uncomment the next line to disable the auto discovery of local aliases
>>>    based on reverse DNS on IPs (default on) */
>>> #auto_aliases=no
>>>
>>> /* uncomment the following lines to enable TLS support (default off) */
>>> #disable_tls = no
>>> #listen = tls:your_IP:5061
>>> #tls_verify_server = 1
>>> #tls_verify_client = 1
>>> #tls_require_client_certificate = 0
>>> #tls_method = TLSv1
>>> #tls_certificate = "/usr/local/etc/openser/tls/user/user-cert.pem"
>>> #tls_private_key = "/usr/local/etc/openser/tls/user/user-privkey.pem"
>>> #tls_ca_list = "/usr/local/etc/openser/tls/user/user-calist.pem"
>>>
>>> listen=202.158.197.134
>>> port=5060
>>>
>>> /* uncomment and configure the following line if you want openser to
>>>    bind on a specific interface/port/proto (default bind on all available) */
>>> #listen=udp:192.168.1.2:5060
>>>
>>> ####### Modules Section ########
>>>
>>> #set module path
>>> mpath="/usr/local/lib/openser/modules/"
>>>
>>> /* uncomment next line for MySQL DB support */
>>> #loadmodule "mysql.so"
>>> loadmodule "sl.so"
>>> loadmodule "tm.so"
>>> loadmodule "rr.so"
>>> loadmodule "maxfwd.so"
>>> loadmodule "usrloc.so"
>>> loadmodule "registrar.so"
>>> loadmodule "textops.so"
>>> loadmodule "mi_fifo.so"
>>> loadmodule "uri_db.so"
>>> loadmodule "uri.so"
>>> loadmodule "xlog.so"
>>> loadmodule "acc.so"
>>> /* uncomment next lines for MySQL based authentication support
>>>    NOTE: a DB (like mysql) module must be also loaded */
>>> loadmodule "auth.so"
>>> loadmodule "auth_radius.so"
>>> #loadmodule "auth_db.so"
>>> /* uncomment next line for aliases support
>>>    NOTE: a DB (like mysql) module must be also loaded */
>>> #loadmodule "alias_db.so"
>>> /* uncomment next line for multi-domain support
>>>    NOTE: a DB (like mysql) module must be also loaded
>>>    NOTE: be sure and enable multi-domain support in all used modules
>>>          (see "multi-module params" section ) */
>>> #loadmodule "domain.so"
>>> /* uncomment the next two lines for presence server support
>>>    NOTE: a DB (like mysql) module must be also loaded */
>>> #loadmodule "presence.so"
>>> #loadmodule "presence_xml.so"
>>>
>>>
>>> # ----------------- setting module-specific parameters ---------------
>>> # ----- mi_fifo params -----
>>> modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo")
>>>
>>>
>>> # ----- rr params -----
>>> # add value to ;lr param to cope with most of the UAs
>>> modparam("rr", "enable_full_lr", 1)
>>> # do not append from tag to the RR (no need for this script)
>>> modparam("rr", "append_fromtag", 0)
>>>
>>>
>>> # ----- rr params -----
>>> modparam("registrar", "method_filtering", 1)
>>> /* uncomment the next line to disable parallel forking via location */
>>> # modparam("registrar", "append_branches", 0)
>>> /* uncomment the next line not to allow more than 10 contacts per AOR */
>>> #modparam("registrar", "max_contacts", 10)
>>>
>>>
>>> # ----- uri_db params -----
>>> /* by default we disable the DB support in the module as we do not need it
>>>    in this configuration */
>>> modparam("uri_db", "use_uri_table", 0)
>>> modparam("uri_db", "db_url", "")
>>>
>>>
>>> # ----- acc params -----
>>> /* what special events should be accounted ? */
>>> modparam("acc", "early_media", 1)
>>> modparam("acc", "report_ack", 1)
>>> modparam("acc", "report_cancels", 1)
>>> /* by default we do not adjust the direction of the sequential requests.
>>>    if you enable this parameter, be sure to enable "append_fromtag"
>>>    in "rr" module */
>>> modparam("acc", "detect_direction", 0)
>>> /* account triggers (flags) */
>>> modparam("acc", "failed_transaction_flag", 3)
>>> modparam("acc", "log_flag", 1)
>>> modparam("acc", "log_missed_flag", 2)
>>> /* uncomment the following lines to enable DB accounting also */
>>> modparam("acc", "db_flag", 1)
>>> modparam("acc", "db_missed_flag", 2)
>>>
>>> # ----- multi-module params -----
>>> /* uncomment the following line if you want to enable multi-domain support
>>>    in the modules (default off) */
>>> #modparam("alias_db|auth_db|usrloc|uri_db", "use_domain", 1)
>>>
>>> ####### Routing Logic ########
>>>
>>>
>>> # main request routing logic
>>>
>>> route{
>>>
>>>     if (!mf_process_maxfwd_header("10")) {
>>>         sl_send_reply("483","Too Many Hops");
>>>         exit;
>>>     }
>>>
>>>     if (has_totag()) {
>>>         # sequential request within a dialog should
>>>         # take the path determined by record-routing
>>>         if (loose_route()) {
>>>             if (is_method("BYE")) {
>>>                 setflag(1); # do accounting ...
>>>                 setflag(3); # ... even if the transaction fails
>>>             }
>>>             route(1);
>>>         } else {
>>>             /* uncomment the following lines if you want to enable presence */
>>>             ##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
>>>             ##    # in-dialog subscribe requests
>>>             ##    route(2);
>>>             ##    exit;
>>>             ##}
>>>             if ( is_method("ACK") ) {
>>>                 if ( t_check_trans() ) {
>>>                     # non loose-route, but stateful ACK; must be an ACK after a 487 or e.g. 404 from upstream server
>>>                     t_relay();
>>>                     exit;
>>>                 } else {
>>>                     # ACK without matching transaction ... ignore and discard.\n");
>>>                     exit;
>>>                 }
>>>             }
>>>             sl_send_reply("404","Not here");
>>>         }
>>>         exit;
>>>     }
>>>
>>>     #initial requests
>>>
>>>     # CANCEL processing
>>>     if (is_method("CANCEL"))
>>>     {
>>>         if (t_check_trans())
>>>             t_relay();
>>>         exit;
>>>     }
>>>
>>>     t_check_trans();
>>>
>>>     # authenticate if from local subscriber (uncomment to enable auth)
>>>     ##if (!(method=="REGISTER") && from_uri==myself)
>>>     ##{
>>>     ##    if (!proxy_authorize("", "subscriber")) {
>>>     ##        proxy_challenge("", "0");
>>>     ##        exit;
>>>     ##    }
>>>     ##    if (!check_from()) {
>>>     ##        sl_send_reply("403","Forbidden auth ID");
>>>     ##        exit;
>>>     ##    }
>>>     ##
>>>     ##    consume_credentials();
>>>     ##    # caller authenticated
>>>     ##}
>>>
>>>     # record routing
>>>     if (!is_method("REGISTER|MESSAGE"))
>>>         record_route();
>>>
>>>     # account only INVITEs
>>>     if (is_method("INVITE")) {
>>>         setflag(1); # do accounting
>>>     }
>>>     if (!uri==myself)
>>>     /* replace with following line if multi-domain support is used */
>>>     ##if (!is_uri_host_local())
>>>     {
>>>         append_hf("P-hint: outbound\r\n");
>>>         # if you have some interdomain connections via TLS
>>>         ##if($rd=="tls_domain1.net") {
>>>         ##    t_relay("tls:domain1.net");
>>>         ##    exit;
>>>         ##} else if($rd=="tls_domain2.net") {
>>>         ##    t_relay("tls:domain2.net");
>>>         ##    exit;
>>>         ##}
>>>         route(1);
>>>     }
>>>
>>>     # requests for my domain
>>>
>>>     /* uncomment this if you want to enable presence server
>>>        and comment the next 'if' block
>>>        NOTE: uncomment also the definition of route[2] from below */
>>>     ##if( is_method("PUBLISH|SUBSCRIBE"))
>>>     ##    route(2);
>>>
>>>     if (is_method("PUBLISH"))
>>>     {
>>>         sl_send_reply("503", "Service Unavailable");
>>>         exit;
>>>     }
>>>
>>>
>>>     if (is_method("REGISTER"))
>>>     {
>>>         # authenticate the REGISTER requests (uncomment to enable auth)
>>>         ##if (!www_authorize("", "subscriber"))
>>>         ##{
>>>         ##    www_challenge("", "0");
>>>         ##    exit;
>>>         ##}
>>>         ##
>>>         ##if (!check_to())
>>>         ##{
>>>         ##    sl_send_reply("403","Forbidden auth ID");
>>>         ##    exit;
>>>         ##}
>>>
>>>         xlog("L_INFO", "REGISTER for ($fU) $ru\n");
>>>         if (!radius_www_authorize(""))
>>>         {
>>>             log(1, "Proxy Authentication Required (Digest)\n");
>>>             www_challenge("", "0");
>>>             exit;
>>>         };
>>>
>>>         if (!save("location"))
>>>             sl_reply_error();
>>>
>>>         exit;
>>>     }
>>>
>>>     if ($rU==NULL) {
>>>         # request with no Username in RURI
>>>         sl_send_reply("484","Address Incomplete");
>>>         exit;
>>>     }
>>>
>>>     # apply DB based aliases (uncomment to enable)
>>>     ##alias_db_lookup("dbaliases");
>>>
>>>     if (!lookup("location")) {
>>>         switch ($retcode) {
>>>             case -1:
>>>             case -3:
>>>                 t_newtran();
>>>                 t_reply("404", "Not Found");
>>>                 exit;
>>>             case -2:
>>>                 sl_send_reply("405", "Method Not Allowed");
>>>                 exit;
>>>         }
>>>     }
>>>
>>>     # when routing via usrloc, log the missed calls also
>>>     setflag(2);
>>>
>>>     route(1);
>>> }
>>>
>>>
>>> route[1] {
>>>     # for INVITEs enable some additional helper routes
>>>     if (is_method("INVITE")) {
>>>         t_on_branch("2");
>>>         t_on_reply("2");
>>>         t_on_failure("1");
>>>     }
>>>
>>>     if (!t_relay()) {
>>>         sl_reply_error();
>>>     };
>>>     exit;
>>> }
>>>
>>> branch_route[2] {
>>>     xlog("new branch at $ru\n");
>>> }
>>>
>>>
>>> onreply_route[2] {
>>>     xlog("incoming reply\n");
>>> }
>>>
>>>
>>> failure_route[1] {
>>>     if (t_was_cancelled()) {
>>>         exit;
>>>     }
>>>
>>>     # uncomment the following lines if you want to block client
>>>     # redirect based on 3xx replies.
>>>     ##if (t_check_status("3[0-9][0-9]")) {
>>>     ##t_reply("404","Not found");
>>>     ##    exit;
>>>     ##}
>>>
>>>     # uncomment the following lines if you want to redirect the failed
>>>     # calls to a different new destination
>>>     ##if (t_check_status("486|408")) {
>>>     ##    sethostport("192.168.2.100:5060");
>>>     ##    append_branch();
>>>     ##    # do not set the missed call flag again
>>>     ##    t_relay();
>>>     ##}
>>>
>>> }
>>>
>>> Regards,
>>> Leon
>>>
>>> -----Original Message-----
>>> From: Uwe Kastens [mailto:[email protected]]
>>> Sent: Friday, 12 June 2009 4:51 PM
>>> To: Leon Li
>>> Cc: [email protected]
>>> Subject: Re: [OpenSIPS-Users] No RADIUS traffic
>>>
>>> Hi,
>>>
>>> This is strange. Could you post your opensips.cfg or send it to me
>>> directly?
>>>
>>> BR
>>>
>>> Uwe
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> [email protected]
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>
>>> --
>>> Thanking You,
>>> Ashwini BR Naidu
>>>
>>> --
>>> Thanking You,
>>> Ashwini BR Naidu
>>>
>>
>

--
kiste lat: 54.322684, lon: 10.13586
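
Added example (not part of the original thread, and not OpenSIPS project code): a shell helper for the strace check discussed above, reporting whether the process tried to open radius.seq and how that call ended. The function names check_seq_open and sample_trace and all trace lines except the pid 20680 radius.seq line are constructed for illustration.

```shell
#!/bin/sh
# check_seq_open (hypothetical helper): reads strace output on stdin and prints
# how the last open()/openat() of a file named radius.seq ended:
#   "ok <fd>"         the call returned a file descriptor
#   "failed <ERRNO>"  the call returned -1 (e.g. EACCES: check owner and mode)
#   "not-attempted"   no such call in the trace, so the RADIUS client code
#                     never reached the point of opening the sequence file
# Note: with current glibc the call appears as openat, so collect the trace
# with "strace -f -e trace=open,openat ..." instead of "-e open".
check_seq_open() {
    awk '
        /open(at)?\(.*radius\.seq"/ {
            seen = 1
            # strace appends " = <retval> [ERRNO (text)]" to every call
            n = split($0, parts, " = ")
            split(parts[n], ret, " ")
            if (ret[1] ~ /^-/) result = "failed " ret[2]
            else               result = "ok " ret[1]
        }
        END { print (seen ? result : "not-attempted") }
    '
}

# Constructed sample trace. The second line has the shape quoted in the thread;
# the first and third lines are made up to show a non-match and a failure.
sample_trace() {
    cat <<'EOF'
[pid 20680] open("/etc/radiusclient-ng/radiusclient.conf", O_RDONLY) = 12
[pid 20680] open("/var/run/opensips/radius.seq", O_RDWR|O_CREAT|O_APPEND, 0666) = 13
[pid 20681] open("/var/run/radius.seq", O_RDWR|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
EOF
}

# The last matching call in the trace decides the verdict.
sample_trace | check_seq_open
```

A "not-attempted" result points away from file permissions and toward module loading or configuration, which is where the ldd output and the radius_config parameter come in.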
