Hi,

For radius support these packages are needed.
*libradius-ng - libs and devel headers* - if you want to use functionalities with radius support - authentication, accounting, group support, etc.

On Wed, Jun 24, 2009 at 10:14 AM, Leon Li <[email protected]> wrote:
> Hi Uwe,
>
> The file doesn't exist. :(
>
> Could you confirm my following installation is enough for OpenSIP + RADIUS?
> 1. FreeRADIUS 2.1.3
> 2. radiusclient-ng 0.5.6
> 3. openSIP 1.5.1
>
> Do I need libradius-ng-dev or libradius-ng as well? My system is Red Hat 5.
>
> Regards,
> Leon
>
>
> -----Original Message-----
> From: Uwe Kastens [mailto:[email protected]]
> Sent: Tuesday, 23 June 2009 5:31 PM
> To: Leon Li
> Cc: [email protected]
> Subject: Re: [OpenSIPS-Users] No RADIUS traffic
>
> Li,
>
> I was wondering about the answer from radius:
> WARNING: Ignoring Status-Server request due to security configuration
>
> If I try the same I will get an answer like:
> Received response ID 196, code 2, length = 20
>
> Could you please check your shared secret.
>
> > Also, I cannot find file /var/run/radius.seq. Is it created
> > automatically?
>
> I should be there if radius will work - but remember your permissions.
>
> You can try one thing: set fork=no in opensips.cfg, install strace and
> start opensips with "strace -f -e open opensips". Now start one attempt
> to register etc.pp. and watch the line with the seq.
>
> [pid 20680] open("/var/run/opensips/radius.seq", O_RDWR|O_CREAT|O_APPEND, 0666) = 13
>
> BR
>
> Uwe
>
>
> Leon Li wrote:
> > Uwe,
> >
> > I got the following from RADIUS when issue the command you gave.
> >
> > rad_recv: Status-Server packet from host 127.0.0.1:39297, id=17,
> > length=38
> > WARNING: Ignoring Status-Server request due to security configuration
> > --- Walking the entire request list ---
> > Nothing to do. Sleeping until we see a request.
> > rad_recv: Status-Server packet from host 127.0.0.1:39297, id=17,
> > length=38
> > WARNING: Ignoring Status-Server request due to security configuration
> > --- Walking the entire request list ---
> >
> > So I assume that the radius server is working?
> >
> > Also, I cannot find file /var/run/radius.seq. Is it created
> > automatically?
> >
> > Regards,
> > Leon
> >
> >
> > -----Original Message-----
> > From: Uwe Kastens [mailto:[email protected]]
> > Sent: Wednesday, 17 June 2009 6:01 PM
> > To: Leon Li
> > Cc: [email protected]
> > Subject: Re: [OpenSIPS-Users] No RADIUS traffic
> >
> > Leon,
> >
> > mysql.so in opensips is not needed for the radius authentication.
> >
> > Shared secrets for radius are correct? Anyway you should see some
> > traffic on the radius server.
> >
> > Could you please test
> > echo "Message-Authenticator = 0x00" | radclient 127.0.0.1:1812 status <shared secret>
> >
> > You should see then traffic on radiusd -X
> >
> > If yes I would start checking permissions again
> >
> > BR
> >
> > uwe
> >
> >
> > Leon Li wrote:
> >> Hi Ashwini,
> >>
> >> I have added param for auth_radius, but no luck. :(
> >>
> >> Why do I need mysql.so if the radius server will host all users credential?
> >>
> >> Regards,
> >>
> >> Leon
> >>
> >> *From:* ASHWINI NAIDU [mailto:[email protected]]
> >> *Sent:* Monday, 15 June 2009 2:52 PM
> >> *To:* Leon Li
> >> *Cc:* Uwe Kastens; [email protected]
> >> *Subject:* Re: [OpenSIPS-Users] No RADIUS traffic
> >>
> >> On Mon, Jun 15, 2009 at 10:19 AM, ASHWINI NAIDU <[email protected]> wrote:
> >>
> >> hi leon,
> >>
> >> But i do not see your openser communicating with radiusclient.
> >>
> >> modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
> >>
> >> mention the path of radiusclient.conf properly.
> >>
> >> Your mysql support is also commented.
> >>
> >> *loadmodule "mysql.so"*
> >>
> >> On Mon, Jun 15, 2009 at 5:13 AM, Leon Li <[email protected]> wrote:
> >>
> >> Here it is.
> >>
> >> ####### Global Parameters #########
> >>
> >> debug=3
> >> log_stderror=no
> >> log_facility=LOG_LOCAL0
> >>
> >> fork=yes
> >> children=4
> >>
> >> /* uncomment the following lines to enable debugging */
> >> debug=6
> >> fork=no
> >> log_stderror=yes
> >>
> >> /* uncomment the next line to disable TCP (default on) */
> >> #disable_tcp=yes
> >>
> >> /* uncomment the next line to enable the auto temporary blacklisting of
> >>    not available destinations (default disabled) */
> >> #disable_dns_blacklist=no
> >>
> >> /* uncomment the next line to enable IPv6 lookup after IPv4 dns
> >>    lookup failures (default disabled) */
> >> #dns_try_ipv6=yes
> >>
> >> /* uncomment the next line to disable the auto discovery of local aliases
> >>    based on reverse DNS on IPs (default on) */
> >> #auto_aliases=no
> >>
> >> /* uncomment the following lines to enable TLS support (default off) */
> >> #disable_tls = no
> >> #listen = tls:your_IP:5061
> >> #tls_verify_server = 1
> >> #tls_verify_client = 1
> >> #tls_require_client_certificate = 0
> >> #tls_method = TLSv1
> >> #tls_certificate = "/usr/local/etc/openser/tls/user/user-cert.pem"
> >> #tls_private_key = "/usr/local/etc/openser/tls/user/user-privkey.pem"
> >> #tls_ca_list = "/usr/local/etc/openser/tls/user/user-calist.pem"
> >>
> >> listen=202.158.197.134
> >> port=5060
> >>
> >> /* uncomment and configure the following line if you want openser to
> >>    bind on a specific interface/port/proto (default bind on all available) */
> >> #listen=udp:192.168.1.2:5060
> >>
> >> ####### Modules Section ########
> >>
> >> #set module path
> >> mpath="/usr/local/lib/openser/modules/"
> >>
> >> /* uncomment next line for MySQL DB support */
> >> #loadmodule "mysql.so"
> >> loadmodule "sl.so"
> >> loadmodule "tm.so"
> >> loadmodule "rr.so"
> >> loadmodule "maxfwd.so"
> >> loadmodule "usrloc.so"
> >> loadmodule "registrar.so"
> >> loadmodule "textops.so"
> >> loadmodule "mi_fifo.so"
> >> loadmodule "uri_db.so"
> >> loadmodule "uri.so"
> >> loadmodule "xlog.so"
> >> loadmodule "acc.so"
> >> /* uncomment next lines for MySQL based authentication support
> >>    NOTE: a DB (like mysql) module must be also loaded */
> >> loadmodule "auth.so"
> >> loadmodule "auth_radius.so"
> >> #loadmodule "auth_db.so"
> >> /* uncomment next line for aliases support
> >>    NOTE: a DB (like mysql) module must be also loaded */
> >> #loadmodule "alias_db.so"
> >> /* uncomment next line for multi-domain support
> >>    NOTE: a DB (like mysql) module must be also loaded
> >>    NOTE: be sure and enable multi-domain support in all used modules
> >>          (see "multi-module params" section ) */
> >> #loadmodule "domain.so"
> >> /* uncomment the next two lines for presence server support
> >>    NOTE: a DB (like mysql) module must be also loaded */
> >> #loadmodule "presence.so"
> >> #loadmodule "presence_xml.so"
> >>
> >>
> >> # ----------------- setting module-specific parameters ---------------
> >>
> >> # ----- mi_fifo params -----
> >> modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo")
> >>
> >>
> >> # ----- rr params -----
> >> # add value to ;lr param to cope with most of the UAs
> >> modparam("rr", "enable_full_lr", 1)
> >> # do not append from tag to the RR (no need for this script)
> >> modparam("rr", "append_fromtag", 0)
> >>
> >>
> >> # ----- rr params -----
> >> modparam("registrar", "method_filtering", 1)
> >> /* uncomment the next line to disable parallel forking via location */
> >> # modparam("registrar", "append_branches", 0)
> >> /* uncomment the next line not to allow more than 10 contacts per AOR */
> >> #modparam("registrar", "max_contacts", 10)
> >>
> >>
> >> # ----- uri_db params -----
> >> /* by default we disable the DB support in the module as we do not need it
> >>    in this configuration */
> >> modparam("uri_db", "use_uri_table", 0)
> >> modparam("uri_db", "db_url", "")
> >>
> >>
> >> # ----- acc params -----
> >> /* what special events should be accounted ? */
> >> modparam("acc", "early_media", 1)
> >> modparam("acc", "report_ack", 1)
> >> modparam("acc", "report_cancels", 1)
> >> /* by default we do not adjust the direct of the sequential requests.
> >>    if you enable this parameter, be sure the enable "append_fromtag"
> >>    in "rr" module */
> >> modparam("acc", "detect_direction", 0)
> >> /* account triggers (flags) */
> >> modparam("acc", "failed_transaction_flag", 3)
> >> modparam("acc", "log_flag", 1)
> >> modparam("acc", "log_missed_flag", 2)
> >> /* uncomment the following lines to enable DB accounting also */
> >> modparam("acc", "db_flag", 1)
> >> modparam("acc", "db_missed_flag", 2)
> >>
> >> # ----- multi-module params -----
> >> /* uncomment the following line if you want to enable multi-domain support
> >>    in the modules (default off) */
> >> #modparam("alias_db|auth_db|usrloc|uri_db", "use_domain", 1)
> >>
> >> ####### Routing Logic ########
> >>
> >>
> >> # main request routing logic
> >>
> >> route{
> >>
> >>     if (!mf_process_maxfwd_header("10")) {
> >>         sl_send_reply("483","Too Many Hops");
> >>         exit;
> >>     }
> >>
> >>     if (has_totag()) {
> >>         # sequential request within a dialog should
> >>         # take the path determined by record-routing
> >>         if (loose_route()) {
> >>             if (is_method("BYE")) {
> >>                 setflag(1); # do accounting ...
> >>                 setflag(3); # ... even if the transaction fails
> >>             }
> >>             route(1);
> >>         } else {
> >>             /* uncomment the following lines if you want to
> >>                enable presence */
> >>             ##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
> >>             ##    # in-dialog subscribe requests
> >>             ##    route(2);
> >>             ##    exit;
> >>             ##}
> >>             if ( is_method("ACK") ) {
> >>                 if ( t_check_trans() ) {
> >>                     # non loose-route, but stateful ACK; must be an ACK after a 487 or e.g. 404 from upstream server
> >>                     t_relay();
> >>                     exit;
> >>                 } else {
> >>                     # ACK without matching transaction ... ignore and discard.\n");
> >>                     exit;
> >>                 }
> >>             }
> >>             sl_send_reply("404","Not here");
> >>         }
> >>         exit;
> >>     }
> >>
> >>     #initial requests
> >>
> >>     # CANCEL processing
> >>     if (is_method("CANCEL"))
> >>     {
> >>         if (t_check_trans())
> >>             t_relay();
> >>         exit;
> >>     }
> >>
> >>     t_check_trans();
> >>
> >>     # authenticate if from local subscriber (uncomment to enable auth)
> >>     ##if (!(method=="REGISTER") && from_uri==myself)
> >>     ##{
> >>     ##    if (!proxy_authorize("", "subscriber")) {
> >>     ##        proxy_challenge("", "0");
> >>     ##        exit;
> >>     ##    }
> >>     ##    if (!check_from()) {
> >>     ##        sl_send_reply("403","Forbidden auth ID");
> >>     ##        exit;
> >>     ##    }
> >>     ##
> >>     ##    consume_credentials();
> >>     ##    # caller authenticated
> >>     ##}
> >>
> >>     # record routing
> >>     if (!is_method("REGISTER|MESSAGE"))
> >>         record_route();
> >>
> >>     # account only INVITEs
> >>     if (is_method("INVITE")) {
> >>         setflag(1); # do accounting
> >>     }
> >>     if (!uri==myself)
> >>     /* replace with following line if multi-domain support is used */
> >>     ##if (!is_uri_host_local())
> >>     {
> >>         append_hf("P-hint: outbound\r\n");
> >>         # if you have some interdomain connections via TLS
> >>         ##if($rd=="tls_domain1.net") {
> >>         ##    t_relay("tls:domain1.net");
> >>         ##    exit;
> >>         ##} else if($rd=="tls_domain2.net") {
> >>         ##    t_relay("tls:domain2.net");
> >>         ##    exit;
> >>         ##}
> >>         route(1);
> >>     }
> >>
> >>     # requests for my domain
> >>
> >>     /* uncomment this if you want to enable presence server
> >>        and comment the next 'if' block
> >>        NOTE: uncomment also the definition of route[2] from below */
> >>     ##if( is_method("PUBLISH|SUBSCRIBE"))
> >>     ##    route(2);
> >>
> >>     if (is_method("PUBLISH"))
> >>     {
> >>         sl_send_reply("503", "Service Unavailable");
> >>         exit;
> >>     }
> >>
> >>
> >>     if (is_method("REGISTER"))
> >>     {
> >>         # authenticate the REGISTER requests (uncomment to enable auth)
> >>         ##if (!www_authorize("", "subscriber"))
> >>         ##{
> >>         ##    www_challenge("", "0");
> >>         ##    exit;
> >>         ##}
> >>         ##
> >>         ##if (!check_to())
> >>         ##{
> >>         ##    sl_send_reply("403","Forbidden auth ID");
> >>         ##    exit;
> >>         ##}
> >>
> >>         xlog("L_INFO", "REGISTER for ($fU) $ru\n");
> >>         if (!radius_www_authorize(""))
> >>         {
> >>             log(1, "Proxy Authentication Required (Digest)\n");
> >>             www_challenge("", "0");
> >>             exit;
> >>         };
> >>
> >>         if (!save("location"))
> >>             sl_reply_error();
> >>
> >>         exit;
> >>     }
> >>
> >>     if ($rU==NULL) {
> >>         # request with no Username in RURI
> >>         sl_send_reply("484","Address Incomplete");
> >>         exit;
> >>     }
> >>
> >>     # apply DB based aliases (uncomment to enable)
> >>     ##alias_db_lookup("dbaliases");
> >>
> >>     if (!lookup("location")) {
> >>         switch ($retcode) {
> >>             case -1:
> >>             case -3:
> >>                 t_newtran();
> >>                 t_reply("404", "Not Found");
> >>                 exit;
> >>             case -2:
> >>                 sl_send_reply("405", "Method Not Allowed");
> >>                 exit;
> >>         }
> >>     }
> >>
> >>     # when routing via usrloc, log the missed calls also
> >>     setflag(2);
> >>
> >>     route(1);
> >> }
> >>
> >>
> >> route[1] {
> >>     # for INVITEs enable some additional helper routes
> >>     if (is_method("INVITE")) {
> >>         t_on_branch("2");
> >>         t_on_reply("2");
> >>         t_on_failure("1");
> >>     }
> >>
> >>     if (!t_relay()) {
> >>         sl_reply_error();
> >>     };
> >>     exit;
> >> }
> >>
> >> branch_route[2] {
> >>     xlog("new branch at $ru\n");
> >> }
> >>
> >>
> >> onreply_route[2] {
> >>     xlog("incoming reply\n");
> >> }
> >>
> >>
> >> failure_route[1] {
> >>     if (t_was_cancelled()) {
> >>         exit;
> >>     }
> >>
> >>     # uncomment the following lines if you want to block client
> >>     # redirect based on 3xx replies.
> >>     ##if (t_check_status("3[0-9][0-9]")) {
> >>     ##t_reply("404","Not found");
> >>     ##    exit;
> >>     ##}
> >>
> >>     # uncomment the following lines if you want to redirect the failed
> >>     # calls to a different new destination
> >>     ##if (t_check_status("486|408")) {
> >>     ##    sethostport("192.168.2.100:5060");
> >>     ##    append_branch();
> >>     ##    # do not set the missed call flag again
> >>     ##    t_relay();
> >>     ##}
> >>
> >> }
> >>
> >> Regards,
> >> Leon
> >>
> >> -----Original Message-----
> >> From: Uwe Kastens [mailto:[email protected]]
> >> Sent: Friday, 12 June 2009 4:51 PM
> >> To: Leon Li
> >> Cc: [email protected]
> >> Subject: Re: [OpenSIPS-Users] No RADIUS traffic
> >>
> >> Hi,
> >>
> >> This is strange. Could you post your opensips.cfg or send it to me
> >> directly?
> >>
> >> BR
> >>
> >> Uwe
> >>
> >>
> >> _______________________________________________
> >> Users mailing list
> >> [email protected]
> >> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >>
> >> --
> >> Thanking You,
> >> Ashwini BR Naidu
> >
> > --
> > kiste lat: 54.322684, lon: 10.13586

--
Thanking You,
Ashwini BR Naidu
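The Status-Server test and the shared-secret check discussed in this thread, as an added example that is not part of the original messages and is not FreeRADIUS or radiusclient-ng code. It builds the 38-byte Status-Server request (as in the quoted `length=38` log line), simulates the 20-byte `code 2` reply, and shows that both the server-side and client-side checks fail when the two ends hold different secrets; the function names, the secret `testing123`, and the fixed request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

STATUS_SERVER, ACCESS_ACCEPT = 12, 2   # RADIUS codes; 2 is the "code 2" reply
MESSAGE_AUTHENTICATOR = 80             # attribute type, 16-byte HMAC-MD5 value

def build_status_server(secret: bytes, ident: int, request_auth: bytes) -> bytes:
    """Status-Server request whose only attribute is Message-Authenticator."""
    attr = struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", STATUS_SERVER, ident, 20 + len(attr)) + request_auth
    # The HMAC-MD5 covers the whole packet with the attribute value zeroed.
    mac = hmac.new(secret, header + attr, hashlib.md5).digest()
    return header + attr[:2] + mac

def request_is_authentic(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute Message-Authenticator with the local secret."""
    # Assumes the single-attribute layout produced by build_status_server().
    if len(packet) != 38 or packet[20] != MESSAGE_AUTHENTICATOR or packet[21] != 18:
        return False
    expected = hmac.new(secret, packet[:22] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[22:38])

def build_reply(request: bytes, secret: bytes, code: int = ACCESS_ACCEPT) -> bytes:
    """Simulated server reply without attributes, so it is 20 bytes long."""
    head = struct.pack("!BBH", code, request[1], 20)
    return head + hashlib.md5(head + request[4:20] + secret).digest()

def reply_is_authentic(request: bytes, reply: bytes, secret: bytes) -> bool:
    """Client side: MD5(code, id, length, request authenticator, attributes, secret)."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

if __name__ == "__main__":
    # Constructed sample values: secret, id and request authenticator are made up.
    req = build_status_server(b"testing123", 17, bytes(range(16)))
    rep = build_reply(req, b"testing123")
    print("request length:", len(req), "reply length:", len(rep))
    print("server, same secret:", request_is_authentic(req, b"testing123"))
    print("server, other secret:", request_is_authentic(req, b"other-secret"))
    print("client, other secret:", reply_is_authentic(req, rep, b"other-secret"))
```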
