Re: [Users] Radius Authentication

Daniel-Constantin Mierla Wed, 08 Mar 2006 11:26:14 -0800

Hello,

On 03/07/06 04:16, Edson wrote:

I run it, now with FreeRadius in debug mode (see results in attached file),
but nothing changed... I run with the two versions of radiusclient that I
have...


Any idea?

I have seen that radius server returned authenticated, but thelibradiusclient-ng returns failure. You should get some error message inthe syslog file from libradiusclient-ng.


I will set up a radius server and play with it in my environment.

Cheers,
Daniel

Edson.

PS: in attached file, You will find debug from OpenSER, FreeRadius and logs
from /var/log/message and
/var/log/radius/radacct/127.0.0.1/reply-detail-20060306.

-----Original Message-----
From: Daniel-Constantin Mierla [mailto:[EMAIL PROTECTED]
Sent: sábado, 4 de março de 2006 08:24
To: Edson
Cc: 'OpenSER (E-mail)'
Subject: Re: [Users] Radius Authentication

Hello,

On 03/03/06 02:57, Edson wrote:

The working SER installation uses radiusclient-ng 0.5.0-1. It was

compiled

after a CVS download maded on the beginning on jun/2005. Unfortunatly I

miss

the source code and am using an i686-RPM derived from that code.

I already try to use this RPM (version 0.5.0-1) on the Xeon machine. The
results are the same. Just same message on /var/log/messages:

"Mar  2 21:45:54 sip openser: rc_check_reply: received invalid reply

digest

from RADIUS server"

can you run the radius server in debug mode to see there what messages
you get. Also, check the /var/log/syslog or /var/log/messages to see
other error messages printed by radiusclient-ng library when you use
debug mode with openser.

Cheers,
Daniel

When I start "openser -TDdd I see:
...
 0(16385) get_hdr_field: cseq <CSeq>: <4> <REGISTER>
 0(16385) DEBUG:maxfwd:is_maxfwd_present: value = 70
 0(16385) parse_headers: flags=200
 0(16385) DEBUG: get_hdr_body : content_length=0
 0(16385) found end of header
 0(16385) find_first_route: No Route headers found
 0(16385) loose_route: There is no Route HF
 0(16385) grep_sock_info - checking if host==us: 13==13 &&

[ZZZ.ZZ.ZZZ.39]

== [ZZZ.ZZ.ZZZ.39]
 0(16385) grep_sock_info - checking if port 5060 matches port 5060
 0(16385) parse_headers: flags=ffffffffffffffff
 0(16385) check_via_address(XXX.XX.XXX.120, 172.27.248.6, 0)
 0(16385) lookup(): '' Not found in usrloc
 0(16385) check_nonce(): comparing
[440792edd872b52b27f6dbee8ab2af7f61016704] and
[440792edd872b52b27f6dbee8ab2af7f61016704]

 0(16385) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed

 0(16385) build_auth_hf(): 'WWW-Authenticate: Digest

realm="ZZZ.ZZ.ZZZ.39",

nonce="440792eeec1cb5b22b20c18355c2a9a71eeb1af7"'
 0(16385) parse_headers: flags=ffffffffffffffff
 0(16385) check_via_address(XXX.XX.XXX.120, 172.27.248.6, 0)
 0(16385) DEBUG:destroy_avp_list: destroying list (nil)
 0(16385) receive_msg: cleaning up
...
I double checked all the "dictionary" definitions, triple checked my

OpenSER

and Radiusclient-NG config and were not able to find the mistake.

So I'm really out of ideas... Maybe is the return value

("Authenticated")

illegal?

Edson.

-----Original Message-----
From: Daniel-Constantin Mierla [mailto:[EMAIL PROTECTED]
Sent: quinta-feira, 2 de março de 2006 09:29
To: Edson
Cc: 'OpenSER (E-mail)'
Subject: Re: [Users] Radius Authentication

Hello,

the error:

Mar  1 15:41:43 dell openser-TEST[20789]: rc_check_reply: received

invalid

reply digest from RADIUS server

comes from the radiusclient-ng library, in file "lib/sendserver.c" at
line 498. Did you use the same version of radiusclient-ng before?

Cheers,
Daniel

On 03/01/06 22:23, Edson wrote:

Hi, Guys...

As the MySQL problem is aparently solved I’m facing a Radius issue…

I'm

using FreeRadius 1.0.4, RadiusCliente-NG 0.5.2 and OpenSER 1.0.1.

If I duplicate the configs used with SER (and that it works fine) I’m

unable to authenticate my UA (the same that authenticate with SER). The
message with “debug=4” is:

Mar  1 15:41:43 dell openser-TEST[20789]: check_nonce(): comparing

[4405ec129258d5cf9c016ade69cf37e33b5af52b] and
[4405ec129258d5cf9c016ade69cf37e33b5af52b]

Mar  1 15:41:43 dell openser-TEST[20789]: rc_check_reply: received

invalid reply digest from RADIUS server

Mar  1 15:41:43 dell openser-TEST[20789]:

ERROR:auth_radius:radius_authorize_sterman: rc_auth failed

So I supposed that there were some failed configuration, I looked at

my

“radiusd.conf” and finded:

  modules {
  ...
    digest {
    }
  ...
  }
  authorize {
          preprocess
          auth_log
          suffix
          digest
          sql
  }
  authenticate {
          digest
  }

As my FreeRadius back-end is a MySQL database, the 'sql' statement in

authorize seems ok. And so do 'digest' in 'autheticate' section.

The question remains: Why are OpenSER complain on Radius response?

Maybe

it's because of the sterman schema (?)....

Anyway, I try to test the server using the radtest tool. The output

seems good to me:

# radtest [EMAIL PROTECTED] 8201 127.0.0.1 12345 MyServerPassword
Sending Access-Request of id 255 to 127.0.0.1:1812
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "8201"
        NAS-IP-Address = sip
        NAS-Port = 12345
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=255,

length=35

        Reply-Message = "Authenticated"

So I discard FreeRadius config. Is this related on the value of

“Reply-

Message”? I already read all Radius material that I found on OpenSER

web-

page…

What am I doing wrong? What am I missing? As this same configs work

with

SER 0.9.2, why did it not with OpenSER 1.0.x?

Edson.





_______________________________________________
Users mailing list
[email protected]
http://openser.org/cgi-bin/mailman/listinfo/users


_______________________________________________
Users mailing list
[email protected]
http://openser.org/cgi-bin/mailman/listinfo/users

Re: [Users] Radius Authentication

Reply via email to