On Tue, 2007-07-24 at 13:54 +0300, FreeRadius-ML wrote:
> Ok,
>
> It would appear that I'm a little silly, due to the way FreeRadius logs
> the information on the console. I've been debugging the information that
> I get, and I can see that the Digest-Attributes actually contain the
> information, in accordance to the following:
>
> The first Digest Attribute is the User-Name,
> The second Digest Attribute is the Realm,
> The third Digest Attribute is the nonce,
> The fourth Digest Attribute is the uri,
> The fifth Digest Attribute is the SIP-METHOD request.
>
> I didn't realize this in the beginning, as it was all HEX dumped, so I
> couldn't see that I'm actually looking at the information.
>
> Now, my question is this, what is the formula to calculate the digest
> from all of the above information? I've tried backtracking the code, but
> ended up with a slight headache.
> If anyone has information, that would be highly appreciated.

The "formula" is to do this:

authorize {
        preprocess
        digest
        files
}

authenticate {
        Auth-Type DIGEST {
                digest
        }
}

HA1="0x`echo -n user:example.com:foobar | md5sum | cut -d ' ' -f 1`"

in users:

foo     Digest-HA1 := 0xd07911de2b6cfea295166b56e8cecfa2

or better yet:

foo     Cleartext-Password := "foobar"

...and FreeRadius should just work.

>
> Regards,
> Z2L
>
> ----- Original Message -----
> From: "FreeRadius-ML" <[EMAIL PROTECTED]>
> To: "freeradius-users" <freeradius-users@lists.freeradius.org>
> Sent: Tuesday, July 24, 2007 1:07:01 PM (GMT+0200) Asia/Jerusalem
> Subject: Re: rml_perl question
>
> Ok,
>
> I think I'm getting somewhere on this. After running wireshark and
> capturing the traffic, I actually realized that the
> Authentication/Authorization headers consist of a random hash that is
> identified by the nonce number. Following is an example:
>
> Authorization: Digest username="101", realm="192.168.2.80", algorithm=MD5,
> uri="sip:192.168.2.80", nonce="469f2996b4bb829917c6d5d7c3c50bed9da77682",
> response="1efb1851e1e96ce6855bf406735af4b6"
>
> Now, if I understand correctly, the digest will be calculated from the
> combination of the username, uri and nonce. Problem is, it would appear
> that I'm unable to access the nonce field from rlm_perl, unless I'm
> missing something.
>
> Regards,
> Z2L
>
> ----- Original Message -----
> From: "FreeRadius-ML" <[EMAIL PROTECTED]>
> To: "freeradius-users" <freeradius-users@lists.freeradius.org>
> Sent: Tuesday, July 24, 2007 11:43:19 AM (GMT+0200) Asia/Jerusalem
> Subject: Re: rml_perl question
>
> Hi Peter,
>
> Well, according to the RFC, the string should be:
> username:realm:password and then into the md5sum.
>
> Now, according to my logs, I can see the following:
>
> Packet-Type = Access-Request
> Thu Jul 19 09:37:23 2007
> User-Name = "[EMAIL PROTECTED]"
> Digest-Attributes = 0x0a05313031
> Digest-Attributes = 0x010e3139322e3136382e322e3830
> Digest-Attributes = 0x022a34363966313930646437336461386462323964356231306236373262646532633262623030353733
> Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
> Digest-Attributes = 0x030a5245474953544552
> Digest-Response = "80d23e66bd4d667eb445c89b74ff7a6b"
> Service-Type = IAPP-Register
> Sip-Uri-User = "101"
> NAS-Port = 5060
> NAS-IP-Address = 192.168.2.80
> Client-IP-Address = 192.168.2.80
>
> Now, the password for that user is 101.
>
> So, I did the following: echo '[EMAIL PROTECTED]:192.168.2.80:101' |
> md5sum, which generated the following output:
> ec6cec8f0b5904ba56401b1e305638b5.
>
> Now, examining the log file shows that a few minutes before that, the
> Access-Request looks like this:
>
> Packet-Type = Access-Request
> Thu Jul 19 09:29:54 2007
> User-Name = "[EMAIL PROTECTED]"
> Digest-Attributes = 0x0a05313031
> Digest-Attributes = 0x010e3139322e3136382e322e3830
> Digest-Attributes = 0x022a34363966313734623339623735663735363137326635613334646135666437393766353563353632
> Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
> Digest-Attributes = 0x030a5245474953544552
> Digest-Response = "a15ff7de436bada1093be663290f8ad8"
> Service-Type = IAPP-Register
> Sip-Uri-User = "101"
> NAS-Port = 5060
> NAS-IP-Address = 192.168.2.80
> Client-IP-Address = 192.168.2.80
>
> As you can see, the Digest here is different, so I'm surely missing
> something here.
>
> Regards,
> Z2L
>
>
> ----- Original Message -----
> From: "Peter Nixon" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
> Sent: Tuesday, July 24, 2007 11:30:25 AM (GMT+0200) Asia/Jerusalem
> Subject: Re: rml_perl question
>
> On Tue 24 Jul 2007, FreeRadius-ML wrote:
> > Thanks, that helps a bunch.
> >
> > Another question, may be non related. Anyone has an idea how does OpenSER
> > and FreeRadius calculate the Digest response for rlm_digest?
> >
> > According to the output of my rlm_perl RAD_REQUEST, I'm getting the
> > following request from the OpenSER server:
> >
> > rlm_perl: RAD_REQUEST: Client-IP-Address = 192.168.2.80
> > rlm_perl: RAD_REQUEST: Digest-Response = 80d23e66bd4d667eb445c89b74ff7a6b
> > rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
> > rlm_perl: RAD_REQUEST: Service-Type = IAPP-Register
> > rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.2.80
> > rlm_perl: RAD_REQUEST: NAS-Port = 5060
> > rlm_perl: RAD_REQUEST: Sip-Uri-User = 101
> > rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x84e7a90)
> > rlm_perl: Added pair Auth-Type = perl
> >
> > If I understand correctly, I need to calculate the digest response,
> > according to the information I hold in my AAA database, which should match
> > the Digest-Response request. My question is, what is the actual string
> > format that is required for the calculation of the Digest-Response?
>
> Read RFC 2617
>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
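
An added example, not part of the original thread and not FreeRADIUS's own code: it decodes the hex Digest-Attributes quoted above as type/length/value sub-attributes and computes the RFC 2617 response for the no-qop case seen in the captured Authorization header, which shows why a new nonce yields a new Digest-Response. The function names are hypothetical, and the sub-attribute numbering beyond the five types visible in the thread is assumed from draft-sterman-aaa-sip.

```python
import hashlib
import hmac

# Digest-Attributes sub-attribute types (assumed: draft-sterman-aaa-sip numbering).
SUBTYPES = {1: "realm", 2: "nonce", 3: "method", 4: "uri", 5: "qop",
            6: "algorithm", 7: "body-digest", 8: "cnonce", 9: "nc",
            10: "username"}

# Values copied from the 09:37:23 Access-Request quoted in the thread.
SAMPLE = [
    "0x0a05313031",
    "0x010e3139322e3136382e322e3830",
    "0x022a34363966313930646437336461386462323964356231306236373262646532633262623030353733",
    "0x04127369703a3139322e3136382e322e3830",
    "0x030a5245474953544552",
]

def parse_digest_attributes(hex_values):
    """Decode each value as type(1) | length(1, header included) | text."""
    fields = {}
    for value in hex_values:
        raw = bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)
        pos = 0
        while pos < len(raw):
            if len(raw) - pos < 2:
                raise ValueError("truncated sub-attribute header")
            subtype, length = raw[pos], raw[pos + 1]
            if length < 2 or pos + length > len(raw):
                raise ValueError("sub-attribute length out of bounds")
            name = SUBTYPES.get(subtype, f"unknown-{subtype}")
            fields[name] = raw[pos + 2:pos + length].decode("ascii")
            pos += length
    return fields

def md5_hex(text):
    return hashlib.md5(text.encode("ascii")).hexdigest()

def expected_response(fields, password):
    """RFC 2617 response when no qop is sent: MD5(HA1:nonce:HA2)."""
    if "qop" in fields:
        raise ValueError("qop present; the cnonce/nc form is not covered here")
    ha1 = md5_hex(f"{fields['username']}:{fields['realm']}:{password}")
    ha2 = md5_hex(f"{fields['method']}:{fields['uri']}")
    return md5_hex(f"{ha1}:{fields['nonce']}:{ha2}")

def verify(fields, digest_response, password):
    """Constant-time comparison against the received Digest-Response."""
    return hmac.compare_digest(expected_response(fields, password),
                               digest_response.lower())
```

HA1 alone (username:realm:password) never matches Digest-Response; the server-issued nonce and the method:uri hash are mixed in on every request.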