OK. I have found the problem:
First I made some modifiacations:
in the radiusclient.conf
auth_order radius
authserver 192.168.1.3:1812
acctserver 192.168.1.3:1813
dictionary /usr/local/etc/radiusclient-ng/dictionary (this
files is the modified. dictionary.radius+dictionary = dictionary)
in the openser.cfg
if (!radius_www_authorize("")) {
www_challenge("", "1");
exit;
};
http://www.iptel.org/ser/doc/ser_radius/ser_radius.html --> good
reference
But there is still the same problem. rc_auth fails. Because when I
check radiusclient-ng.0.5.2 release notes, I see that
"Change default bindaddr from localhost to *, this is better default
choice; "
When I replaced "bindaddr *" with "bindaddr localhost" then openser
could send the radius authentication packet successfully.
But I have a new problem. I get access-reject from radius server.
Because Radius server does not like the authentication packet parameters.
Radius Access-Request packet
---------------------------------
Frame 4 (285 bytes on wire, 285 bytes captured)
Ethernet II, Src: 00:0c:29:66:be:30, Dst: 00:0f:66:bf:e3:26
Internet Protocol, Src Addr: 192.168.1.5 (192.168.1.5), Dst Addr:
192.168.1.3 (192.168.1.3)
User Datagram Protocol, Src Port: 33029 (33029), Dst Port: radius (1812)
Radius Protocol
Code: Access Request (1)
Packet identifier: 0x82 (130)
Length: 243
Authenticator: 0xD111DF9D4AB93482DDFE5494DA739935
Attribute value pairs
t:User Name(1) l:21, Value:"[EMAIL PROTECTED]"
User-Name: [EMAIL PROTECTED]
t:Unknown Type(207) l:11, Value:Unknown Value Type
t:Unknown Type(207) l:15, Value:Unknown Value Type
t:Unknown Type(207) l:44, Value:Unknown Value Type
t:Unknown Type(207) l:19, Value:Unknown Value Type
t:Unknown Type(207) l:12, Value:Unknown Value Type
t:Unknown Type(207) l:8, Value:Unknown Value Type
t:Unknown Type(207) l:12, Value:Unknown Value Type
t:Unknown Type(207) l:20, Value:Unknown Value Type
t:Unknown Type(206) l:34, Value:Unknown Value Type
t:Service Type(6) l:6, Value:IAPP-Register(15)
Service-Type: IAPP-Register (15)
t:Unknown Type(208) l:9, Value:Unknown Value Type
t:NAS Port(5) l:6, Value:5060
t:NAS IP Address(4) l:6, Value:192.168.1.5
Nas IP Address: 192.168.1.5 (192.168.1.5)
---------------------------------
Radius Access-Reject packet
---------------------------------
Frame 5 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: 00:0f:66:bf:e3:26, Dst: 00:0c:29:66:be:30
Internet Protocol, Src Addr: 192.168.1.3 (192.168.1.3), Dst Addr:
192.168.1.5 (192.168.1.5)
User Datagram Protocol, Src Port: radius (1812), Dst Port: 33029 (33029)
Radius Protocol
Code: Access Reject (3)
Packet identifier: 0x82 (130)
Length: 20
Authenticator: 0xD0427CE5ECB9E77369587E30B48D0B99
-------------------------------------
So I need to modify the outgoing packet params. Is it possible? And
Can I also send additional "Vendor Specific Attribute" parameters?
Regards
Arda
----- Original Message ----- From: "Arda Tekin" <[EMAIL PROTECTED]>
To: "Bogdan-Andrei Iancu" <[EMAIL PROTECTED]>
Cc: <[email protected]>
Sent: Saturday, November 26, 2005 2:40 PM
Subject: Re: [Users] How can I send radius authentication packet with
openser
I have also compiled "avp_radius" module and load it in openser.cfg.
Nothing
changed.
Sip Client IP: 192.168.1.2
OpenSER: 192.168.1.5
Radius Server: 192.168.1.3
Here is the openser debug log:
------------------------------------
[EMAIL PROTECTED] openser]# 6(2884) SIP Request:
6(2884) method: <REGISTER>
6(2884) uri: <sip:192.168.1.5>
6(2884) version: <SIP/2.0>
6(2884) parse_headers: flags=2
6(2884) DEBUG:parse_to:end of header reached, state=9
6(2884) DEBUG: get_hdr_field: <To> [36]; uri=[sip:[EMAIL PROTECTED]
6(2884) DEBUG: to body [arda_eyebeam<sip:[EMAIL PROTECTED]>
]
6(2884) Found param type 232, <branch> =
<z9hG4bK-d87543-622802375-1--d87543->; state=6
6(2884) Found param type 235, <rport> = <n/a>; state=17
6(2884) end of header reached, state=5
6(2884) parse_headers: Via found, flags=2
6(2884) parse_headers: this is the first via
6(2884) After parse_msg...
6(2884) preparing to run routing scripts...
6(2884) parse_headers: flags=100
6(2884) get_hdr_field: cseq <CSeq>: <1> <REGISTER>
6(2884) DEBUG:maxfwd:is_maxfwd_present: value = 70
6(2884) parse_headers: flags=200
6(2884) DEBUG: get_hdr_body : content_length=0
6(2884) found end of header
6(2884) find_first_route: No Route headers found
6(2884) loose_route: There is no Route HF
6(2884) grep_sock_info - checking if host==us: 11==9 &&
[192.168.1.5] == [127.0.0.1]
6(2884) grep_sock_info - checking if port 5060 matches port 5060
6(2884) grep_sock_info - checking if host==us: 11==11 &&
[192.168.1.5] == [192.168.1.5]
6(2884) grep_sock_info - checking if port 5060 matches port 5060
6(2884) grep_sock_info - checking if host==us: 11==9 &&
[192.168.1.5] == [127.0.0.1]
6(2884) grep_sock_info - checking if port 5060 matches port 5060
6(2884) grep_sock_info - checking if host==us: 11==11 &&
[192.168.1.5] == [192.168.1.5]
6(2884) grep_sock_info - checking if port 5060 matches port 5060
6(2884) parse_headers: flags=2000
6(2884) pre_auth(): Credentials with given realm not found
6(2884) REGISTER: challenging user2
6(2884) build_auth_hf(): 'WWW-Authenticate: Digest
realm="192.168.1.5", nonce="438222d8c7aac499351c46bad60c32a2c03eb751"
'
6(2884) parse_headers: flags=ffffffffffffffff
6(2884) check_via_address(192.168.1.2, 192.168.1.2, 0)
6(2884) DEBUG:destroy_avp_list: destroying list (nil)
6(2884) receive_msg: cleaning up
6(2884) SIP Request:
6(2884) method: <REGISTER>
6(2884) uri: <sip:192.168.1.5>
6(2884) version: <SIP/2.0>
6(2884) parse_headers: flags=2
6(2884) DEBUG:parse_to:end of header reached, state=9
6(2884) DEBUG: get_hdr_field: <To> [36]; uri=[sip:[EMAIL PROTECTED]
6(2884) DEBUG: to body [arda_eyebeam<sip:[EMAIL PROTECTED]>
]
6(2884) Found param type 232, <branch> =
<z9hG4bK-d87543-907902613-1--d87543->; state=6
6(2884) Found param type 235, <rport> = <n/a>; state=17
6(2884) end of header reached, state=5
6(2884) parse_headers: Via found, flags=2
6(2884) parse_headers: this is the first via
6(2884) After parse_msg...
6(2884) preparing to run routing scripts...
6(2884) parse_headers: flags=100
6(2884) get_hdr_field: cseq <CSeq>: <2> <REGISTER>
6(2884) DEBUG:maxfwd:is_maxfwd_present: value = 70
6(2884) parse_headers: flags=200
6(2884) DEBUG: get_hdr_body : content_length=0
6(2884) found end of header
6(2884) find_first_route: No Route headers found
6(2884) loose_route: There is no Route HF
6(2884) grep_sock_info - checking if host==us: 11==9 &&
[192.168.1.5] == [127.0.0.1]
6(2884) grep_sock_info - checking if port 5060 matches port 5060
6(2884) grep_sock_info - checking if host==us: 11==11 &&
[192.168.1.5] == [192.168.1.5]
6(2884) grep_sock_info - checking if port 5060 matches port 5060
6(2884) grep_sock_info - checking if host==us: 11==9 &&
[192.168.1.5] == [127.0.0.1]
6(2884) grep_sock_info - checking if port 5060 matches port 5060
6(2884) grep_sock_info - checking if host==us: 11==11 &&
[192.168.1.5] == [192.168.1.5]
6(2884) grep_sock_info - checking if port 5060 matches port 5060
6(2884) check_nonce(): comparing
[438222d8c7aac499351c46bad60c32a2c03eb751] and
[438222d8c7aac499351c46bad60c32a2c03eb751]
6(2884) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
6(2884) REGISTER: challenging user2
6(2884) build_auth_hf(): 'WWW-Authenticate: Digest
realm="192.168.1.5", nonce="438222d8c7aac499351c46bad60c32a2c03eb751"
'
6(2884) parse_headers: flags=ffffffffffffffff
6(2884) check_via_address(192.168.1.2, 192.168.1.2, 0)
6(2884) DEBUG:destroy_avp_list: destroying list (nil)
6(2884) receive_msg: cleaning up
-------------------------------------------
As I see in the sterman.c source rc_auth fails:
/* Send request */
if ((i = rc_auth(rh, SIP_PORT, send, &received, msg)) == OK_RC) {
DBG("DEBUG:auth_radius:radius_authorize_sterman: Success\n");
rc_avpair_free(send);
send = 0;
generate_avps(received);
rc_avpair_free(received);
return 1;
} else {
LOG(L_ERR,"ERROR:auth_radius:radius_authorize_sterman: "
"rc_auth failed\n");
goto err;
}
Any opinion?
Thanks in advance
Arda
----- Original Message ----- From: "Bogdan-Andrei Iancu"
<[EMAIL PROTECTED]>
To: "Arda Tekin" <[EMAIL PROTECTED]>
Cc: <[email protected]>
Sent: Friday, November 25, 2005 5:00 PM
Subject: Re: [Users] How can I send radius authentication packet with
openser
Hi Arda,
you need to use auth_radius for this purpose. See:
http://www.openser.org/docs/modules/1.1.x/auth_radius.html
regards,
bogdan
Arda Tekin wrote:
Hi,
I have installed openser, mysql, radiusclient-ng-0.5.2
successfully on REL3.0. openser works well with mysql. I need to
send a radius authentication packet to a radius server(according to
RFC2865).
Packet contains base params:
User-name (attr.1) $Username
Password (attr.2) $Password
NAS-Identifier (attr.4) (auto-generated)
NAS-Port (attr.5) $uref
State (attr.24) 0
Client-Port-DNIS (attr.30) NONE
Caller-Id (attr.31) $calling
I can not find a clear sample about radius. Which module is used
for this purpose?
Regards
Arda
------------------------------------------------------------------------
_______________________________________________
Users mailing list
[email protected]
http://openser.org/cgi-bin/mailman/listinfo/users
_______________________________________________
Users mailing list
[email protected]
http://openser.org/cgi-bin/mailman/listinfo/users
