How to handle non digest messeg if Auth-Type is set to Digest?
Hi
My Freeradius has to receive and process digest and non-digest message but
when freeradius receives and process nondigest message (I have only one
such message) I've got message:
ERROR: You set 'Auth-Type = Digest' for a request that did not contain any
digest attributes!
modcall[authenticate]: module "digest" returns invalid for request 1
modcall: leaving group authenticate (returns invalid) for request 1
and I cannot return attributes in reply message.
What should I do to process this message without ERROR ?
Full log bellow:
User-Name = "[EMAIL PROTECTED]"
Service-Type = SIP-Callee-AVPs
NAS-Port = 0
NAS-IP-Address = 153.19.130.250
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "digest" returns noop for request 1
rlm_realm: Looking up realm "server1.test.pl" for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: No such realm "server1.test.pl"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 1
users: Matched entry DEFAULT at line 45
modcall[authorize]: module "files" returns ok for request 1
radius_xlat: '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user -->
'[EMAIL PROTECTED]'
radius_xlat: 'SELECT * FROM
test.authorize_check('SIP-Callee-AVPs','[EMAIL PROTECTED]'
)'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_postgresql: query: SELECT * FROM
test.authorize_check('SIP-Callee-AVPs','[EMAIL PROTECTED]'
)
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: '--authorize_group_check_query'
rlm_sql_postgresql: query: --authorize_group_check_query
rlm_sql_postgresql: Status: PGRES_EMPTY_QUERY
rlm_sql_postgresql: affected rows =
radius_xlat: 'SELECT * FROM
test.authorize_reply('SIP-Callee-AVPs','[EMAIL PROTECTED]'
, '', '' )'
rlm_sql_postgresql: query: SELECT * FROM
test.authorize_reply('SIP-Callee-AVPs','[EMAIL PROTECTED]'
, '', '' )
SQL statement "SELECT * FROM test.find_sip_account_info( $1 , $2 , $3 )"
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: '--authorize_group_reply_query'
rlm_sql_postgresql: query: --authorize_group_reply_query
rlm_sql_postgresql: Status: PGRES_EMPTY_QUERY
rlm_sql_postgresql: affected rows =
rlm_sql (sql): Released sql socket id: 2
modcall[authorize]: module "sql" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
rad_check_password: Found Auth-Type Digest
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
ERROR: You set 'Auth-Type = Digest' for a request that did not contain any
digest attributes!
modcall[authenticate]: module "digest" returns invalid for request 1
modcall: leaving group authenticate (returns invalid) for request 1
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/] (from client server1 port 0)
Sending Access-Reject of id 162 to 153.19.130.250 port 45429
--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.10.4/401 - Release Date: 2006-07-26
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to handle non digest messeg if Auth-Type is set to Digest?
GlobeInPhotos wrote: Hi My Freeradius has to receive and process digest and non-digest message but when freeradius receives and process nondigest message (I have only one such message) I've got message: ERROR: You set 'Auth-Type = Digest' for a request that did not contain any digest attributes! modcall[authenticate]: module "digest" returns invalid for request 1 modcall: leaving group authenticate (returns invalid) for request 1 Don't set Auth-Type = digest. In fact, don't set Auth-Type at all, except in the rare cases of Reject or Accept. The "digest" and other modules will (should) set the Auth-Type for themselves in the authorize section, and only do it if it *is* a digest (or other) request. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: How to handle non digest messeg if Auth-Type is set to Digest?
Sorry I wrote wrong. I do not set Auth-Type, simply in config I have set auth. Digest but beside digest message radius receives non digest message that I have to handle. I do not know why radius claims that it is digest message??? Maybe you know ? As I wrote before request was: rad_recv: Access-Request packet from host 153.19.130.250:45740, id=181, length=80 User-Name = "[EMAIL PROTECTED]" Service-Type = SIP-Callee-AVPs NAS-Port = 0 NAS-IP-Address = 153.19.130.250 And after: rad_check_password: Found Auth-Type Digest auth: type "digest" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 ERROR: You set 'Auth-Type = Digest' for a request that did not contain any digest attributes! modcall[authenticate]: module "digest" returns invalid for request 4 modcall: leaving group authenticate (returns invalid) for request 4 auth: Failed to validate the user. Login incorrect: [EMAIL PROTECTED]/] (from client erver1 port 0) Sending Access-Reject of id 181 to 153.19.130.250 port 45740 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] g] On Behalf Of Phil Mayers Sent: Thursday, July 27, 2006 10:18 PM To: FreeRadius users mailing list Subject: Re: How to handle non digest messeg if Auth-Type is set to Digest? Don't set Auth-Type = digest. In fact, don't set Auth-Type at all, except in the rare cases of Reject or Accept. The "digest" and other modules will (should) set the Auth-Type for themselves in the authorize section, and only do it if it *is* a digest (or other) request. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.1.394 / Virus Database: 268.10.4/401 - Release Date: 2006-07-26 -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.394 / Virus Database: 268.10.4/401 - Release Date: 2006-07-26 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to handle non digest messeg if Auth-Type is set to Digest?
"GlobeInPhotos" <[EMAIL PROTECTED]> wrote: > Sorry I wrote wrong. I do not set Auth-Type, simply in config I have set > auth. Digest What does that mean? > but beside digest message radius receives non digest message > that I have to handle. I do not know why radius claims that it is digest > message??? Maybe you know ? It's not claiming that. It's claiming that you set Auth-Type to Digest. The digest module only does that if there is, in fact, a digest request in the packet. So the conclusion is that you set Auth-Type = Digest somewhere. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: How to handle non digest messeg if Auth-Type is set to Digest?
> So the conclusion is that you set Auth-Type = Digest somewhere. Probably OpenSer which is a sender set Auth-Type=Digest in request. By the way is it possible to make workaround for such situation to be honest I do not need authorize message but only I have to send some values to OpenSer - this non-digest (which seems to be a digest) message is our internal message. Or maybe it is a possibilities to accept this special message which is digest but has no digest attributes? Michal Szymanski -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.394 / Virus Database: 268.10.4/401 - Release Date: 2006-07-26 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to handle non digest messeg if Auth-Type is set to Digest?
"GlobeInPhotos" <[EMAIL PROTECTED]> wrote: > > So the conclusion is that you set Auth-Type = Digest somewhere. > > Probably OpenSer which is a sender set Auth-Type=Digest in request. No. It is IMPOSSIBLE for Auth-Type to be in a RADIUS packet. Go back and read the debug log. Check your configuration. YOU set Auth-Type in YOUR configuration. Stop arguing, and go check it. > I do not need authorize message but only I have to send some values to > OpenSer - this non-digest (which seems to be a digest) message is our > internal message. Or maybe it is a possibilities to accept this special > message which is digest but has no digest attributes? That makes no sense to me. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: How to handle non digest messeg if Auth-Type is set to Digest?
> Go back and read the debug log. Check your configuration. YOU set
>Auth-Type in YOUR configuration.
Are you talking about radius config?
In my config I have something like this.
authorize {
Digest
}
I can send
> Stop arguing, and go check it.
For sure I'm not arguing but I'm trying to find solution to my problem :)
>> I do not need authorize message but only I have to send some values to
>> OpenSer - this non-digest (which seems to be a digest) message is our
>> internal message. Or maybe it is a possibilities to accept this special
>> message which is digest but has no digest attributes?
> That makes no sense to me.
Well, it makes sense :) After real digest message (INVITE request from
OpenSer), our script in OpenSer sends special request for extra processing.
This extra request is sent only in special situation. OpenSer can decide is
this special situation happen when it receives data after INVITE request. We
can sent all necessary data in reply for INVITE message but retrieving extra
data is processor expensive and that is why we retrieve data only when it is
really needed - using next nondigest request. I hope it is clear now.
What we implement it is not typical Voip solution that is why we need
special handling.
Michal Szymanski
--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.10.4/401 - Release Date: 2006-07-26
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to handle non digest messeg if Auth-Type is set to Digest?
"GlobeInPhotos" <[EMAIL PROTECTED]> wrote:
> > Go back and read the debug log. Check your configuration. YOU set
> >Auth-Type in YOUR configuration.
>
> Are you talking about radius config?
> In my config I have something like this.
> authorize {
>
> Digest
>
> }
That doesn't have the text "Auth-Type" in it, therefore it's not the
piece setting that.
> For sure I'm not arguing but I'm trying to find solution to my problem :)
You're disagreeing with what you're being told, and not following
instructions.
Go back and read EVERYTHING you've configured. You're setting
Auth-Type somewhere. And PLEASE stop discussing this, or posting
questions to the list until you've found that, and fixed it. It IS
there.
> Well, it makes sense :) After real digest message (INVITE request from
> OpenSer), our script in OpenSer sends special request for extra processing.
Special request? That has no meaning to me.
> This extra request is sent only in special situation. OpenSer can decide is
> this special situation happen when it receives data after INVITE request. We
> can sent all necessary data in reply for INVITE message but retrieving extra
> data is processor expensive and that is why we retrieve data only when it is
> really needed - using next nondigest request. I hope it is clear now.
No.
You've said "special processing" a number of times. That's
meaningless to anyone who isn't reading your mind.
You said "digest message without digest", which is a contradiction.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: How to handle non digest messeg if Auth-Type is set to Digest?
I have also this in 'user' file DEFAULT Auth-Type := Digest Michal -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] g] On Behalf Of Alan DeKok Sent: Friday, July 28, 2006 12:39 AM To: FreeRadius users mailing list Subject: Re: How to handle non digest messeg if Auth-Type is set to Digest? "GlobeInPhotos" <[EMAIL PROTECTED]> wrote: > > So the conclusion is that you set Auth-Type = Digest somewhere. > > Probably OpenSer which is a sender set Auth-Type=Digest in request. No. It is IMPOSSIBLE for Auth-Type to be in a RADIUS packet. Go back and read the debug log. Check your configuration. YOU set Auth-Type in YOUR configuration. Stop arguing, and go check it. > I do not need authorize message but only I have to send some values to > OpenSer - this non-digest (which seems to be a digest) message is our > internal message. Or maybe it is a possibilities to accept this special > message which is digest but has no digest attributes? That makes no sense to me. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.1.394 / Virus Database: 268.10.4/401 - Release Date: 2006-07-26 -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.394 / Virus Database: 268.10.4/401 - Release Date: 2006-07-26 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: How to handle non digest messeg if Auth-Type is set to Digest?
> No. It is IMPOSSIBLE for Auth-Type to be in a RADIUS packet. I've commented line in users file #DEFAULT Auth-Type := Digest But now I've got following message if non-digest message arrive: rad_recv: Access-Request packet from host 153.19.130.250:46963, id=190, length=80 User-Name = "[EMAIL PROTECTED]" Service-Type = SIP-Callee-AVPs NAS-Port = 0 NAS-IP-Address = 153.19.130.250 [cut] auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Login incorrect: [EMAIL PROTECTED]/] (from client server1 port 0) Sending Access-Reject of id 190 to 153.19.130.250 port 46963 and probably there is no user-password in request but we cannot add this field to request in openser :( Michal -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.394 / Virus Database: 268.10.4/401 - Release Date: 2006-07-26 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to handle non digest messeg if Auth-Type is set to Digest?
GlobeInPhotos wrote:
I've commented line in users file
#DEFAULT Auth-Type := Digest
Finally.
That line? That *was* you setting Auth-Type to Digest.
But now I've got following message if non-digest message arrive:
rad_recv: Access-Request packet from host 153.19.130.250:46963, id=190,
length=80
User-Name = "[EMAIL PROTECTED]"
Service-Type = SIP-Callee-AVPs
NAS-Port = 0
NAS-IP-Address = 153.19.130.250
[cut]
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
Ok, so for these non-digest requests, you'll have to configure the
server to authenticate them without a password being present. This is
one of those rare cases where you *do* set auth-type.
So, something like in radiusd.conf:
authorize {
preprocess
# digest will set Auth-Type=Digest IF AND ONLY IF this
# request is a real digest one
digest
files
# maybe other modules
}
...and in "users":
# Since the Auth-Type = Accept is a conditional set, this
# entry will NOT MATCH if the "digest" module has already
# set Auth-Type=Digest
#
# Therefore, it should only match your "special" requests
DEFAULT Service-Type==SIP-Callee-AVPs, Auth-Type = Accept
VoIP-Attribute-1 = value1,
Other-Attribute = otherval
That is: If a request comes in with Service-Type == SIP-Callee-AVPs,
then set Auth-Type to accept IF AND ONLY IF it isn't already set (= is
conditional set; := which you were using earlier is unconditional set -
see "man users"). Then set some attributes on the reply.
You didn't show one of your other (the "real" digest) requests so I
can't be sure what they look like, but something like the above should work.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to handle non digest messeg if Auth-Type is set to Digest?
You are absolutly right :) Today in the mornign we set Auth-Type exactly the
same way as you propose :) Now it works.
Thanx
Quoting Phil Mayers <[EMAIL PROTECTED]>:
GlobeInPhotos wrote:
I've commented line in users file
#DEFAULT Auth-Type := Digest
Finally.
That line? That *was* you setting Auth-Type to Digest.
But now I've got following message if non-digest message arrive:
rad_recv: Access-Request packet from host 153.19.130.250:46963, id=190,
length=80
User-Name = "[EMAIL PROTECTED]"
Service-Type = SIP-Callee-AVPs
NAS-Port = 0
NAS-IP-Address = 153.19.130.250
[cut]
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
Ok, so for these non-digest requests, you'll have to configure the
server to authenticate them without a password being present. This is
one of those rare cases where you *do* set auth-type.
So, something like in radiusd.conf:
authorize {
preprocess
# digest will set Auth-Type=Digest IF AND ONLY IF this
# request is a real digest one
digest
files
# maybe other modules
}
...and in "users":
# Since the Auth-Type = Accept is a conditional set, this
# entry will NOT MATCH if the "digest" module has already
# set Auth-Type=Digest
#
# Therefore, it should only match your "special" requests
DEFAULT Service-Type==SIP-Callee-AVPs, Auth-Type = Accept
VoIP-Attribute-1 = value1,
Other-Attribute = otherval
That is: If a request comes in with Service-Type == SIP-Callee-AVPs,
then set Auth-Type to accept IF AND ONLY IF it isn't already set (=
is conditional set; := which you were using earlier is unconditional
set - see "man users"). Then set some attributes on the reply.
You didn't show one of your other (the "real" digest) requests so I
can't be sure what they look like, but something like the above
should work.
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
