Perhaps you need to return some SIP attributes.

Ivan Kalik
Kalik Informatika ISP

On 18/7/2007, "FreeRadius-ML" <[EMAIL PROTECTED]> wrote:

>Hi Alan,
>
> Ok, I managed to solve the dual request thingy, apparently that was caused
> by a config on the OpenSER server. All requests now are coming out as:
>
>
>rad_recv: Access-Request packet from host 192.168.2.80:34908, id=213, length=232
>        User-Name = "[EMAIL PROTECTED]"
>        Digest-Attributes = 0x0a05313031
>        Digest-Attributes = 0x010d6f70656e7365722e6f7267
>        Digest-Attributes = 0x022a34363961623634663863363039653664303632303135363461336237666137663633383433346462
>        Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
>        Digest-Attributes = 0x030a5245474953544552
>        Digest-Attributes = 0x050661757468
>        Digest-Attributes = 0x090a3030303031303636
>        Digest-Attributes = 0x081237323633376361643532353930373938
>        Digest-Response = "408602140746b6fab2c70881242f7513"
>        Service-Type = IAPP-Register
>        X-Ascend-PW-Lifetime = 0x313031
>        NAS-Port = 5060
>        NAS-IP-Address = 192.168.2.80
>  Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 831
>  modcall[authorize]: module "preprocess" returns ok for request 831
>radius_xlat: '/usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716'
>rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716
>  modcall[authorize]: module "auth_log" returns ok for request 831
>rlm_digest: Adding Auth-Type = DIGEST
>  modcall[authorize]: module "digest" returns ok for request 831
>    users: Matched entry [EMAIL PROTECTED] at line 53
>  modcall[authorize]: module "files" returns ok for request 831
>modcall: leaving group authorize (returns ok) for request 831
>  rad_check_password: Found Auth-Type DIGEST
>auth: type "digest"
>  Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 831
>  rlm_digest: Converting Digest-Attributes to something sane...
>        Digest-User-Name = "101"
>        Digest-Realm = "openser.org"
>        Digest-Nonce = "469ab64f8c609e6d06201564a3b7fa7f638434db"
>        Digest-URI = "sip:192.168.2.80"
>        Digest-Method = "REGISTER"
>        Digest-QOP = "auth"
>        Digest-Nonce-Count = "00001066"
>        Digest-CNonce = "72637cad52590798"
>A1 = 101:openser.org:101
>A2 = REGISTER:sip:192.168.2.80
>H(A1) = f195c177997cee336c919be9279c5703
>H(A2) = 046d0643f281affab19fe62ffc848ab5
>KD = f195c177997cee336c919be9279c5703:469ab64f8c609e6d06201564a3b7fa7f638434db:00001066:72637cad52590798:auth:046d0643f281affab19fe62ffc848ab5
>EXPECTED 408602140746b6fab2c70881242f7513
>RECEIVED 408602140746b6fab2c70881242f7513
>  modcall[authenticate]: module "digest" returns ok for request 831
>modcall: leaving group authenticate (returns ok) for request 831
>Login OK: [EMAIL PROTECTED]/<no User-Password attribute>] (from client 192.168.2.80 port 5060)
>Sending Access-Accept of id 213 to 192.168.2.80 port 34908
>Finished request 831
>Going to the next request
>Waking up in 6 seconds...
>
>Which, as much as I can tell, indicates that the digest
>authentication/authorization process had completed correctly,
>and our users had been successfully authed by the Radius Server. Currently, I
>have an issue indicating that the
>user is actually not registered on the OpenSER server, but I believe that is
>caused by something else. Unless you have
>some form of pointer tip here...
>
>z2l
>
>----- Original Message -----
>From: "FreeRadius-ML" <[EMAIL PROTECTED]>
>To: "Alan DeKok" <[EMAIL PROTECTED]>
>Cc: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
>Sent: Wednesday, July 18, 2007 11:26:38 AM (GMT+0200) Asia/Jerusalem
>Subject: Re: RLM_PERL Integration Issue
>
>Hi Alan,
>
> Ok, I did as you instructed, and I admit that I appear to be getting
> somewhere.
>The debug log now shows the following:
>
>
>-------------------------------- SNIP -----------------------------------------
>rad_recv: Access-Request packet from host 192.168.2.80:33365, id=47, length=192
>        User-Name = "[EMAIL PROTECTED]"
>        Digest-Attributes = 0x0a05313031
>        Digest-Attributes = 0x010d6f70656e7365722e6f7267
>        Digest-Attributes = 0x022a34363961613063323661386631313165393066336161303533353430393661323631336462343736
>        Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
>        Digest-Attributes = 0x030a5245474953544552
>        Digest-Response = "3f66a7a38c9d6ff05d9d633063085a0c"
>        Service-Type = IAPP-Register
>        X-Ascend-PW-Lifetime = 0x313031
>        NAS-Port = 5060
>        NAS-IP-Address = 192.168.2.80
>  Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 17
>  modcall[authorize]: module "preprocess" returns ok for request 17
>radius_xlat: '/usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716'
>rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716
>  modcall[authorize]: module "auth_log" returns ok for request 17
>rlm_digest: Adding Auth-Type = DIGEST
>  modcall[authorize]: module "digest" returns ok for request 17
>    users: Matched entry [EMAIL PROTECTED] at line 54
>  modcall[authorize]: module "files" returns ok for request 17
>modcall: leaving group authorize (returns ok) for request 17
>  rad_check_password: Found Auth-Type DIGEST
>auth: type "digest"
>  Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 17
>  rlm_digest: Converting Digest-Attributes to something sane...
>        Digest-User-Name = "101"
>        Digest-Realm = "openser.org"
>        Digest-Nonce = "469aa0c26a8f111e90f3aa05354096a2613db476"
>        Digest-URI = "sip:192.168.2.80"
>        Digest-Method = "REGISTER"
>A1 = 101:openser.org:101
>A2 = REGISTER:sip:192.168.2.80
>H(A1) = f195c177997cee336c919be9279c5703
>H(A2) = 046d0643f281affab19fe62ffc848ab5
>KD = f195c177997cee336c919be9279c5703:469aa0c26a8f111e90f3aa05354096a2613db476:046d0643f281affab19fe62ffc848ab5
>EXPECTED 3f66a7a38c9d6ff05d9d633063085a0c
>RECEIVED 3f66a7a38c9d6ff05d9d633063085a0c
>  modcall[authenticate]: module "digest" returns ok for request 17
>modcall: leaving group authenticate (returns ok) for request 17
>Login OK: [EMAIL PROTECTED]/<no User-Password attribute>] (from client openser-network port 5060)
>Sending Access-Accept of id 47 to 192.168.2.80 port 33365
>Finished request 17
>Going to the next request
>Waking up in 4 seconds...
>rad_recv: Access-Request packet from host 192.168.2.80:33366, id=48, length=67
>        User-Name = "[EMAIL PROTECTED]"
>        X-Ascend-PPP-VJ-1172 = 0x73757370656e646564
>        Service-Type = Voice
>        NAS-Port = 0
>        NAS-IP-Address = 192.168.2.80
>  Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 18
>  modcall[authorize]: module "preprocess" returns ok for request 18
>radius_xlat: '/usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716'
>rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070716
>  modcall[authorize]: module "auth_log" returns ok for request 18
>  modcall[authorize]: module "digest" returns noop for request 18
>    users: Matched entry [EMAIL PROTECTED] at line 53
>  modcall[authorize]: module "files" returns ok for request 18
>modcall: leaving group authorize (returns ok) for request 18
>auth: type Local
>auth: No User-Password or CHAP-Password attribute in the request
>auth: Failed to validate the user.
>Login incorrect: [EMAIL PROTECTED]/<no User-Password attribute>] (from client openser-network port 0)
>Delaying request 18 for 1 seconds
>Finished request 18
>Going to the next request
>Waking up in 4 seconds...
>-------------------------------- SNIP -----------------------------------------
>
>If you were to examine the log, you would see that request number 17 is
>receiving the
>LOGIN OK, while request 18 is rejected. The silly part here is this, there is
>only a single
>IP Phone on the network, which is using a single OpenSER server. I'm kinda
>struck with a
>silly question, where is the second request coming from?
>
>Z2L
>
>
>----- Original Message -----
>From: "Alan DeKok" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Cc: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
>Sent: Wednesday, July 18, 2007 11:24:19 AM (GMT+0200) Asia/Jerusalem
>Subject: Re: RLM_PERL Integration Issue
>
>FreeRadius-ML wrote:
>> Now, I'm basically re-learning everything, as the world of OpenSER +
>> FreeRadius is a little new to me,
>> and sometimes frustrates me. The amount of documentation in the
>> configuration files is great, but the lack
>> of updated examples is somewhat annoying. Even Asterisk, which is one of the
>> most undocumented environments
>> in the world, has more configuration examples available.
>
>  The majority of FreeRADIUS installations put users & password into SQL
>or LDAP, and then don't touch it ever again. For them, the existing
>examples are mostly OK.
>
>  For *complex* scenarios, RADIUS quickly gets more complicated than
>DNS, DHCP, Web servers, and (I suspect) Asterisk. There just isn't
>enough space in the world to document every configuration that everyone
>needs.
>
>> In any case, let's go back to what we were discussing. If I understand you
>> correctly, on the FreeRadius side,
>> I only need to enable digest based authentication and authorization, define
>> the user in the users file - and that
>> should be working just fine?
>
>  Yes. The entire *point* of the default configuration is to have as
>many authentication protocols as possible work... just by defining a
>user and password. See:
>
>http://deployingradius.com/documents/configuration/pap.html
>
>  When 2.0 is released, defining a username & password will cause the
>following authentication methods to work:
>
>  * PAP
>  * CHAP
>  * MS-CHAP
>  * Digest
>  * EAP-MD5
>  * EAP-MSCHAPv2
>  * Cisco LEAP
>  * PEAP-MSCHAPv2
>  * PEAP-GTC
>  * EAP-TTLS with
>    * PAP
>    * CHAP
>    * MS-CHAP
>    * EAP-MD5
>    * EAP-MSCHAPv2
>
>  Try *that* with any other program: "I added one line in a
>configuration file, and VOIP works, WiFi works, dial-up works, PPPoE
>works, VPNs work, for Apple, Windows, and Linux". No fighting, no fuss.
>
>  Alan DeKok.
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
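
The calculation rlm_digest prints in the debug output quoted in this thread (A1, A2, KD, EXPECTED), as an added example that is not part of the original messages or of FreeRADIUS: it unpacks the Digest-Attributes values and recomputes the response for both the qop=auth request (831) and the request without qop (17). Function names are hypothetical, and the password is the one visible in the logged A1 line.

```python
import hashlib
import hmac

# Sub-attribute numbers as decoded by rlm_digest in the debug output above.
SUBATTR = {1: "realm", 2: "nonce", 3: "method", 4: "uri", 5: "qop",
           8: "cnonce", 9: "nc", 10: "username"}

# Digest-Attributes values copied from request 831 in the thread.
REQ_831 = [
    "0x0a05313031",
    "0x010d6f70656e7365722e6f7267",
    "0x022a34363961623634663863363039653664303632303135363461336237666137663633383433346462",
    "0x04127369703a3139322e3136382e322e3830",
    "0x030a5245474953544552",
    "0x050661757468",
    "0x090a3030303031303636",
    "0x081237323633376361643532353930373938",
]

def decode_digest_attributes(hex_values):
    """Unpack type/length/value sub-attributes (length counts the 2-byte header)."""
    fields = {}
    for hv in hex_values:
        raw = bytes.fromhex(hv[2:] if hv.startswith("0x") else hv)
        pos = 0
        while pos < len(raw):
            if len(raw) - pos < 2:
                raise ValueError("truncated sub-attribute header")
            kind, length = raw[pos], raw[pos + 1]
            if length < 2 or pos + length > len(raw) or kind not in SUBATTR:
                raise ValueError(f"bad sub-attribute type={kind} length={length}")
            fields[SUBATTR[kind]] = raw[pos + 2:pos + length].decode("ascii")
            pos += length
    return fields

def md5_hex(text):
    return hashlib.md5(text.encode("ascii")).hexdigest()

def expected_response(fields, password):
    """Recompute the value the log labels EXPECTED (MD5, qop absent or "auth")."""
    if fields.get("qop", "auth") != "auth":
        raise ValueError("only qop=auth is handled here")
    ha1 = md5_hex(f"{fields['username']}:{fields['realm']}:{password}")  # H(A1)
    ha2 = md5_hex(f"{fields['method']}:{fields['uri']}")                 # H(A2)
    parts = [ha1, fields["nonce"]]
    if "qop" in fields:  # request 831 carries nc, cnonce and qop; request 17 does not
        parts += [fields["nc"], fields["cnonce"], fields["qop"]]
    return md5_hex(":".join(parts + [ha2]))                              # MD5(KD)

def response_matches(fields, password, received):
    """Constant-time comparison of EXPECTED against the Digest-Response."""
    return hmac.compare_digest(expected_response(fields, password), received.lower())
```

The A1 line in the debug output contains the cleartext password, which is why the example can reproduce the response from the posted log alone.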