Yes. And I learnt it the hard way this time - a couple of days of debug-like work. It turned out that group checking entries in Radius configs need to be before any user-specific ones - generally speaking.
SER module works correctly all the way (in my experience).

Thanks for your indication though.

/Vel

-----Original Message-----
From: Bogdan-Andrei Iancu [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 07, 2006 11:21 AM
To: Velimir Novkovic
Cc: 'OpenSER ((E-mail))'
Subject: Re: [Users] ser with radius group checking - something amiss

Hi Velimir,

not an expert on RADIUS, but my guess the problem is in the RADIUS server configuration - it should not request authentication for the "Service-Type = Group-Check"

regards,
bogdan

Velimir Novkovic wrote:

> Hi,
>
> I run SER with Radius/MySQL for authentication and accounting.
>
> Things are pretty much in place except for group checking. I have
> something like this in my ser.cfg:
>
> ....
>
> modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
>
> modparam("group_radius", "use_domain", 1)
>
> .....
>
> if (uri=~"^sip:[0-9]{8}@") { # Domestic PSTN
>     if (!radius_is_user_in("credentials", "ld")) {
>         sl_send_reply("403", "No permission for domestic calls");
>         return;
>     };
>     route(4);
>     return;
> };
>
> ....
>
> When I look at Radius debug log I can see that when ser sends a
> request to radius, radius wants to do digest on it and then the
> complete request fails and call can't go through. Output looks
> something like this:
>
> ..
> rad_recv: Access-Request packet from host 127.0.0.1:34027, id=18, length=72
>     User-Name = "[EMAIL PROTECTED]"
>     Sip-Group = "voicemail"
>     Service-Type = Group-Check
>     NAS-Port = 0
>     NAS-IP-Address = 127.0.0.1
> Processing the authorize section of radiusd.conf
> ..
> ** bunch of sql statements ...
> ..
> modcall: group authorize returns ok for request 17
> rad_check_password: Found Auth-Type Digest
> auth: type "digest"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 17
> ERROR: No Digest-Nonce: Cannot perform Digest authentication
> modcall[authenticate]: module "digest" returns invalid for request 17
> modcall: group authenticate returns invalid for request 17
> auth: Failed to validate the user.
>
> In databases I have following:
>
> mysql> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
> Username = '[EMAIL PROTECTED]' ORDER BY id;
>
> +----+-----------------------+--------------+-------------+----+
> | id | UserName              | Attribute    | Value       | op |
> +----+-----------------------+--------------+-------------+----+
> | 18 | [EMAIL PROTECTED]     | Service-Type | Group-Check | := |
> +----+-----------------------+--------------+-------------+----+
> 1 row in set (0.00 sec)
>
> mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
> Username = '[EMAIL PROTECTED]' ORDER BY id;
>
> +----+-----------------------+---------------+------------------------------------+----+
> | id | UserName              | Attribute     | Value                              | op |
> +----+-----------------------+---------------+------------------------------------+----+
> | 23 | [EMAIL PROTECTED]     | User-Password | $1$d7XAeahG$9f17cb8JaKj8R1z9GpwG4/ | := |
> | 25 | [EMAIL PROTECTED]     | Sip-Rpid      | 81000                              | =  |
> | 30 | [EMAIL PROTECTED]     | Auth-Type     | Digest                             | := |
> +----+-----------------------+---------------+------------------------------------+----+
>
> mysql> SELECT
> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
> FROM radgroupcheck,usergroup WHERE usergroup.Username =
> '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName
> ORDER BY radgroupcheck.id;
>
> +----+-----------+-----------+--------+----+
> | id | GroupName | Attribute | Value  | op |
> +----+-----------+-----------+--------+----+
> | 12 | voicemail | Auth-Type | Accept | := |
> +----+-----------+-----------+--------+----+
>
> Has anyone had a chance to do something like this with success? I am
> stuck at the moment - any help is greatly appreciated.
>
> Thanks.
>
> /Vel
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Users mailing list
> [email protected]
> http://openser.org/cgi-bin/mailman/listinfo/users
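
Added example (not part of the original thread, and not code from SER or FreeRADIUS): a small Python check that scans radiusd debug output for the failure shown above, a Service-Type = Group-Check request that ends up in a real authentication method such as Digest instead of Accept. The sample log is constructed from the lines quoted in the thread (the user name and the second request are made up), and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the radiusd debug output quoted in the thread.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:34027, id=18, length=72
    User-Name = "user@example.invalid"
    Sip-Group = "voicemail"
    Service-Type = Group-Check
rad_check_password: Found Auth-Type Digest
ERROR: No Digest-Nonce: Cannot perform Digest authentication
auth: Failed to validate the user.
rad_recv: Access-Request packet from host 127.0.0.1:34028, id=19, length=72
    User-Name = "user@example.invalid"
    Sip-Group = "ld"
    Service-Type = Group-Check
rad_check_password: Found Auth-Type Accept
"""

RECV = re.compile(r"^rad_recv: .* id=(\d+)")
AUTH = re.compile(r"^rad_check_password:\s+Found Auth-Type (\S+)")
ATTR = re.compile(r'^\s*([A-Za-z][\w-]*) = "?(.*?)"?\s*$')


def parse_requests(log_text):
    """Split debug output into one record per rad_recv block."""
    requests, cur = [], None
    for line in log_text.splitlines():
        m = RECV.match(line)
        if m:
            cur = {"id": int(m.group(1)), "attrs": {}, "auth_type": None, "errors": []}
            requests.append(cur)
        elif cur is None:
            continue  # ignore anything before the first packet
        elif (m := AUTH.match(line)):
            cur["auth_type"] = m.group(1)
        elif line.startswith("ERROR:"):
            cur["errors"].append(line[len("ERROR:"):].strip())
        elif (m := ATTR.match(line)):
            cur["attrs"][m.group(1)] = m.group(2)
    return requests


def misrouted_group_checks(log_text):
    """Group-Check requests that were handed to an Auth-Type other than Accept."""
    return [
        (r["id"], r["attrs"].get("Sip-Group"), r["auth_type"])
        for r in parse_requests(log_text)
        if r["attrs"].get("Service-Type") == "Group-Check"
        and r["auth_type"] not in (None, "Accept")
    ]


if __name__ == "__main__":
    for pkt_id, group, auth in misrouted_group_checks(SAMPLE_LOG):
        print(f"id={pkt_id} Sip-Group={group}: Group-Check handled as Auth-Type {auth}")
```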
