Re: [OpenSIPS-Users] ACC_RADIUS makes opensips crash
Hello Denis, Is the cisco specific dictionary included in the dictionary of the RADIUS server too? Also, to be able to extract a certain AVP from a RADIUS reply, you need to make sure you have configured the server to return the attributes you want. You can find a brief tutorial on this here [1]. Regards, Irina Stanescu [1] http://www.opensips.org/Resources/DocsTutRadius#toc4 On Fri, Jul 16, 2010 at 12:20 PM, Denis Putyato denis7...@mail.ru wrote: Hello, Irina Now it works, thank you. But, if you don't mind, one more question about RADIUS. I want to use Cisco dictionary for auth. subscribers. Dictionary is a main file used for radius in my opensips. I insert into this file such string $INCLUDE /etc/radiusclient-ng/dictionary.cisco where dictionary.cisco is a cisco specific dictionary. a little part of opensips.cfg {... ... modparam(aaa_radius, sets, set1 = (User-Name = $avp(i:20), User-Password=$avp(i:50))) modparam(aaa_radius, sets, set2 = (Cisco-AVPair = $var(duration))) ... ... radius_send_auth(set1,set2); ... ... } After made a call I can see such string in syslog /usr/local/opensips/sbin/opensips[7435]: ERROR:aaa_radius:send_auth_func: attribute was not found in received radius message # cat /etc/radiusclient-ng/dictionary.cisco | grep Cisco ... VENDOR Cisco 9 BEGIN-VENDOR Cisco ATTRIBUTE Cisco-AVPair 1 string vendor=Cisco ... -Original Message- From: users-boun...@lists.opensips.org [mailto:users-boun...@lists.opensips.org] On Behalf Of Irina Stanescu Sent: Thursday, July 15, 2010 6:11 PM To: OpenSIPS users mailling list Subject: Re: [OpenSIPS-Users] ACC_RADIUS makes opensips crash Hello Denis, I think the problem in you case is that the radius dictionary does not contain an entry for SIP-AVP, and that is why attr is null, causing the crash. I added a fix on the trunk and i also attached the patch to this email in case you don't use the trunk version. Please let me know if there are any other issues. Regards, Irina Stanescu On Thu, Jul 15, 2010 at 3:29 PM, Denis Putyato denis7...@mail.ru wrote: Bogdan, i made another call which makes opensips crash ... Core was generated by `/usr/local/opensips/sbin/opensips -P /var/run/opensips.pid'. Program terminated with signal 11, Segmentation fault. [New process 8833] #0 0xb7a0adf1 in send_auth_func (msg=0x81c113c, s1=0x81bcd34, s2=0x81bcd48) at aaa_radius.c:369 369 for(; (vp = rc_avpair_get(vp, attr-value, 0)); vp = vp-next) (gdb) bt #0 0xb7a0adf1 in send_auth_func (msg=0x81c113c, s1=0x81bcd34, s2=0x81bcd48) at aaa_radius.c:369 #1 0x08056111 in do_action (a=0x81b7404, msg=0x81c113c) at action.c:967 #2 0x08054f9e in run_action_list (a=0x81b5e14, msg=0x81c113c) at action.c:139 #3 0x08057f97 in do_action (a=0x81b7680, msg=0x81c113c) at action.c:706 #4 0x08054f9e in run_action_list (a=0x81b5938, msg=0x81c113c) at action.c:139 #5 0x08057946 in do_action (a=0x81aa660, msg=0x81c113c) at action.c:119 #6 0x08054f9e in run_action_list (a=0x81aa660, msg=0x81c113c) at action.c:139 #7 0x08057f97 in do_action (a=0x81aa758, msg=0x81c113c) at action.c:706 #8 0x08054f9e in run_action_list (a=0x81aa758, msg=0x81c113c) at action.c:139 #9 0x08057f97 in do_action (a=0x81aaff4, msg=0x81c113c) at action.c:706 #10 0x08054f9e in run_action_list (a=0x81aaff4, msg=0x81c113c) at action.c:139 #11 0x08057f97 in do_action (a=0x81ac2d8, msg=0x81c113c) at action.c:706 #12 0x08054f9e in run_action_list (a=0x81a9f24, msg=0x81c113c) at action.c:139 #13 0x08057946 in do_action (a=0x81b428c, msg=0x81c113c) at action.c:119 #14 0x08054f9e in run_action_list (a=0x81b1ab0, msg=0x81c113c) at action.c:139 #15 0x08057946 in do_action (a=0x81b1308, msg=0x81c113c) at action.c:119 #16 0x08054f9e in run_action_list (a=0x81b1308, msg=0x81c113c) at action.c:139 #17 0x08057f97 in do_action (a=0x81b14cc, msg=0x81c113c) at action.c:706 #18 0x08054f9e in run_action_list (a=0x81b0a70, msg=0x81c113c) at action.c:139 #19 0x08057946 in do_action (a=0x81b078c, msg=0x81c113c) at action.c:119 #20 0x08054f9e in run_action_list (a=0x81ad9e0, msg=0x81c113c) at action.c:139 #21 0x08057946 in do_action (a=0x81ad50c, msg=0x81c113c) at action.c:119 #22 0x08054f9e in run_action_list (a=0x81aca9c, msg=0x81c113c) at action.c:139 #23 0x08057946 in do_action (a=0x81a9cb4, msg=0x81c113c) at action.c:119 #24 0x08054f9e in run_action_list (a=0x81a6c50, msg=0x81c113c) at action.c:139 #25 0x08057f97 in do_action (a=0x81a9d8c, msg=0x81c113c) at action.c:706 #26 0x08054f9e in run_action_list (a=0x81a47e0, msg=0x81c113c) at action.c:139 #27 0x080590bf in run_top_route (a=0x81a47e0, msg=0x81c113c) at action.c:119 #28 0x08098b9c in receive_msg ( buf=0x8178200 INVITE sip:4483...@213.170.75.90:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 213.170.75.90:5050;branch=z9hG4bK6912c413;rport\r\nMax
Re: [OpenSIPS-Users] ACC_RADIUS makes opensips crash
Hello Denis, I think the problem in you case is that the radius dictionary does not contain an entry for SIP-AVP, and that is why attr is null, causing the crash. I added a fix on the trunk and i also attached the patch to this email in case you don't use the trunk version. Please let me know if there are any other issues. Regards, Irina Stanescu On Thu, Jul 15, 2010 at 3:29 PM, Denis Putyato denis7...@mail.ru wrote: Bogdan, i made another call which makes opensips crash ... Core was generated by `/usr/local/opensips/sbin/opensips -P /var/run/opensips.pid'. Program terminated with signal 11, Segmentation fault. [New process 8833] #0 0xb7a0adf1 in send_auth_func (msg=0x81c113c, s1=0x81bcd34, s2=0x81bcd48) at aaa_radius.c:369 369 for(; (vp = rc_avpair_get(vp, attr-value, 0)); vp = vp-next) (gdb) bt #0 0xb7a0adf1 in send_auth_func (msg=0x81c113c, s1=0x81bcd34, s2=0x81bcd48) at aaa_radius.c:369 #1 0x08056111 in do_action (a=0x81b7404, msg=0x81c113c) at action.c:967 #2 0x08054f9e in run_action_list (a=0x81b5e14, msg=0x81c113c) at action.c:139 #3 0x08057f97 in do_action (a=0x81b7680, msg=0x81c113c) at action.c:706 #4 0x08054f9e in run_action_list (a=0x81b5938, msg=0x81c113c) at action.c:139 #5 0x08057946 in do_action (a=0x81aa660, msg=0x81c113c) at action.c:119 #6 0x08054f9e in run_action_list (a=0x81aa660, msg=0x81c113c) at action.c:139 #7 0x08057f97 in do_action (a=0x81aa758, msg=0x81c113c) at action.c:706 #8 0x08054f9e in run_action_list (a=0x81aa758, msg=0x81c113c) at action.c:139 #9 0x08057f97 in do_action (a=0x81aaff4, msg=0x81c113c) at action.c:706 #10 0x08054f9e in run_action_list (a=0x81aaff4, msg=0x81c113c) at action.c:139 #11 0x08057f97 in do_action (a=0x81ac2d8, msg=0x81c113c) at action.c:706 #12 0x08054f9e in run_action_list (a=0x81a9f24, msg=0x81c113c) at action.c:139 #13 0x08057946 in do_action (a=0x81b428c, msg=0x81c113c) at action.c:119 #14 0x08054f9e in run_action_list (a=0x81b1ab0, msg=0x81c113c) at action.c:139 #15 0x08057946 in do_action (a=0x81b1308, msg=0x81c113c) at action.c:119 #16 0x08054f9e in run_action_list (a=0x81b1308, msg=0x81c113c) at action.c:139 #17 0x08057f97 in do_action (a=0x81b14cc, msg=0x81c113c) at action.c:706 #18 0x08054f9e in run_action_list (a=0x81b0a70, msg=0x81c113c) at action.c:139 #19 0x08057946 in do_action (a=0x81b078c, msg=0x81c113c) at action.c:119 #20 0x08054f9e in run_action_list (a=0x81ad9e0, msg=0x81c113c) at action.c:139 #21 0x08057946 in do_action (a=0x81ad50c, msg=0x81c113c) at action.c:119 #22 0x08054f9e in run_action_list (a=0x81aca9c, msg=0x81c113c) at action.c:139 #23 0x08057946 in do_action (a=0x81a9cb4, msg=0x81c113c) at action.c:119 #24 0x08054f9e in run_action_list (a=0x81a6c50, msg=0x81c113c) at action.c:139 #25 0x08057f97 in do_action (a=0x81a9d8c, msg=0x81c113c) at action.c:706 #26 0x08054f9e in run_action_list (a=0x81a47e0, msg=0x81c113c) at action.c:139 #27 0x080590bf in run_top_route (a=0x81a47e0, msg=0x81c113c) at action.c:119 #28 0x08098b9c in receive_msg ( buf=0x8178200 INVITE sip:4483...@213.170.75.90:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 213.170.75.90:5050;branch=z9hG4bK6912c413;rport\r\nMax-Forwards: 70\r\nFrom: \3364079\ sip:3364...@213.170.75.90:5050;tag=as477593c3\r\nTo: ..., len=826, rcv_info=0xbfeaed48) at receive.c:162 #29 0x080da834 in udp_rcv_loop () at udp_server.c:492 #30 0x0806ee80 in main (argc=3, argv=0xbfeaeee4) at main.c:818 (gdb) print vp $1 = (VALUE_PAIR *) 0x854c8f8 (gdb) print attr $2 = (DICT_ATTR *) 0x0 (gdb) -Original Message- From: users-boun...@lists.opensips.org [mailto:users-boun...@lists.opensips.org] On Behalf Of Bogdan-Andrei Iancu Sent: Thursday, July 15, 2010 3:48 PM To: OpenSIPS users mailling list Subject: Re: [OpenSIPS-Users] ACC_RADIUS makes opensips crash Hi Denis, That's perfect - thank you. Could you print in GDB the following values : vp , attr. Regards, Bogdan Denis Putyato wrote: Hello, Bogdan Is this information you asked? gdb /usr/local/opensips/sbin/opensips /core GNU gdb 6.8-debian Copyright (C) 2008 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type show copying and show warranty for details. This GDB was configured as i486-linux-gnu... warning: Can't read pathname for load map: Input/output error. ... ... Core was generated by `/usr/local/opensips/sbin/opensips -P /var/run/opensips.pid'. Program terminated with signal 11, Segmentation fault. [New process 24328] #0 0xb79b7df1 in send_auth_func (msg=0x81c0fd4, s1=0x81bcbcc, s2=0x81bcbe0) at aaa_radius.c:369 369 for(; (vp = rc_avpair_get(vp, attr-value, 0)); vp = vp-next) (gdb) bt #0 0xb79b7df1 in send_auth_func (msg=0x81c0fd4, s1=0x81bcbcc, s2=0x81bcbe0) at aaa_radius.c:369 #1 0x08056111 in do_action
Re: [OpenSIPS-Users] Issue with permission module in opensip 1.6
Hi Jai, As you suggested, i added the id of the entry to the debug info for ignored entries . Also, i committed a fix for the other problem you had with check_source_address. Please update from SVN and let me know if you find any other issues. Regards, Irina Stanescu Jai Rangi wrote: Excellent, I owe you one. As always users always want more and more ;) I got this in the logs when I try to Dec 10 13:55:02 [11176] DBG:permissions:reload_address_table: invalid ip field in address table, ignoring entry 0 Dec 10 13:55:02 [11176] DBG:permissions:reload_address_table: invalid ip field in address table, ignoring entry 1 Here ID or IPAddress will be more useful for debugging purpose. Here is the trace for the failing call form same IP. Dec 10 14:03:09 [11772] DBG:core:parse_via: end of header reached, state=5 Dec 10 14:03:09 [11772] DBG:core:parse_headers: via found, flags=200 Dec 10 14:03:09 [11772] DBG:core:get_hdr_field: content_length=235 Dec 10 14:03:09 [11772] DBG:core:get_hdr_field: found end of header Dec 10 14:03:09 [11772] DBG:rr:find_first_route: No Route headers found Dec 10 14:03:09 [11772] DBG:rr:loose_route: There is no Route HF source ip is 65.211.120.237 and protocol is udp avp is null Dec 10 14:03:09 [11772] DBG:permissions:check_src_addr_3: Looking for : 0, 65.211.120.237, 5060, 1 in tables Dec 10 14:03:09 [11772] DBG:permissions:hash_match: no match in the hash table Dec 10 14:03:09 [11772] DBG:permissions:match_subnet_table: subnet table is empty Monitor Request not from trusted source from sip:+19496794...@199.173.94.144:5060;user=phone to sip:+19493334...@209.216.2.213:5060;user=phone;transport=UDP from IP 65.211.120.237 Dec 10 14:03:09 [11772] DBG:core:parse_headers: flags= Dec 10 14:03:09 [11772] DBG:core:parse_headers: flags= Dec 10 14:03:09 [11772] DBG:core:check_ip_address: params 65.211.120.237, 65.211.120.237, 0 Dec 10 14:03:09 [11772] DBG:core:destroy_avp_list: destroying list (nil) Dec 10 14:03:09 [11772] DBG:core:receive_msg: cleaning up Dec 10 14:03:09 [11771] DBG:core:parse_msg: SIP Request: Dump from address cache ../../sbin/opensipsctl fifo address_dump | grep 65.211.120.237 12 65.211.120.237,0, 0, 0, ^sip:.*$, NULL Code in cfg file xlog( source ip is $si and protocol is $proto avp is $avp(i:9)); if (check_source_address(0,$avp(i:9))) { Same Call from other IP works juts IP Dec 10 14:08:16 [11776] DBG:rr:loose_route: There is no Route HF source ip is 65.217.40.210 and protocol is udp avp is null Dec 10 14:08:16 [11776] DBG:permissions:check_src_addr_3: Looking for : 0, 65.217.40.210, 5060, 1 in tables Dec 10 14:08:16 [11776] DBG:permissions:hash_match: match found in the hash table ../../sbin/opensipsctl fifo address_dump | grep 65.217.40.210 9 65.217.40.210,0, 0, 0, ^sip:.*$, NULL Best, -Jai On Thu, Dec 10, 2009 at 8:19 AM, Irina Stanescu istane...@opensips.org mailto:istane...@opensips.org wrote: Hi Jai, I modified the permissions module so that now any invalid db entry from the address table is skipped. I committed the change on trunk and also on the 1.6 branch. About the other issue you have found, what does the log say? Regards, Irina Stanescu Jai Rangi wrote: Bogda, Wow that was quick. Thank you, I found one more issue, I have this entry in address table 944 0 65.211.120.237 32 0 any ^sip:.*$ /NULL/ 0 some descriptiond Here is a check in my route block if (check_source_address(0,$avp(i:9))) { t_rely(); } else { xlog(Monitor Request not from trusted source from $fu to $ru from IP $si ); sl_send_reply(403, Forbidden, we dont trust you); } ../../sbin/opensipsctl fifo address_dump | grep 65.211.120.237 12 65.211.120.237,0, 0, 0, ^sip:.*$, NULL I always get 403. Is there a limit in address table. -Jai On Thu, Dec 10, 2009 at 12:24 AM, Bogdan-Andrei Iancu bog...@voice-system.ro mailto:bog...@voice-system.ro mailto:bog...@voice-system.ro mailto:bog...@voice-system.ro wrote: Hi Jai, I think you are correct - the permission table should also be more permissive when comes to the errors and skip bogus entries. I will ask the maintainer (Irina) to fix this problem. Thanks for the report, Bogdan Jai Rangi wrote: Not sure if this this the right place for this post. May be I should post it on developers mailing list. Please suggest. Just installed opensip1.6 with Mysql, drouting and permissions module. Did not take long to get it configure and get it going. Documentations
Re: [OpenSIPS-Users] Issue with permission module in opensip 1.6
Hi Jai, I modified the permissions module so that now any invalid db entry from the address table is skipped. I committed the change on trunk and also on the 1.6 branch. About the other issue you have found, what does the log say? Regards, Irina Stanescu Jai Rangi wrote: Bogda, Wow that was quick. Thank you, I found one more issue, I have this entry in address table 944 0 65.211.120.237 32 0 any ^sip:.*$/NULL/ 0 some descriptiond Here is a check in my route block if (check_source_address(0,$avp(i:9))) { t_rely(); } else { xlog(Monitor Request not from trusted source from $fu to $ru from IP $si ); sl_send_reply(403, Forbidden, we dont trust you); } ../../sbin/opensipsctl fifo address_dump | grep 65.211.120.237 12 65.211.120.237,0, 0, 0, ^sip:.*$, NULL I always get 403. Is there a limit in address table. -Jai On Thu, Dec 10, 2009 at 12:24 AM, Bogdan-Andrei Iancu bog...@voice-system.ro mailto:bog...@voice-system.ro wrote: Hi Jai, I think you are correct - the permission table should also be more permissive when comes to the errors and skip bogus entries. I will ask the maintainer (Irina) to fix this problem. Thanks for the report, Bogdan Jai Rangi wrote: Not sure if this this the right place for this post. May be I should post it on developers mailing list. Please suggest. Just installed opensip1.6 with Mysql, drouting and permissions module. Did not take long to get it configure and get it going. Documentations is wonderful. While testing I noticed that, 1. If there is any invalid entry in dr_routing tables, and I reload the dr_routing it spit the error for the mistyped/wrong entry and loads rest of the valid entries. Same thing with startup. Opensip will start up just fine even if there are some invalid rules in the table and throws the error with ruleid. 2. On the other hand address table does not work that way. If there is any space (Typo) in the IP address, opensip wont start and wont reload the address table. I have to put the valid IP address, there is not option for dynamic domain names. (For people who does not have static IP). Not only that it does not even tell which IP has a problem that makes it even harder to debug when you have thousands of IPs in the trusted tables. I was wondering if there is a work around for this. I would like opensip to startup (or successful address_reload) with all the valid entries and throw an error for invalid entries. Also having the ability to add an domain would be nice. Any thoughts?? -Jai ___ Users mailing list Users@lists.opensips.org mailto:Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users -- Bogdan-Andrei Iancu www.voice-system.ro http://www.voice-system.ro ___ Users mailing list Users@lists.opensips.org mailto:Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] Help with group radius errors please
Hi Brian, When the group_radius module was integrated into group, a debug print message accidentally became an error print message . So your hunch was correct, the Failure was actually the result for the query, not an actual error. I committed the fix on trunk and also the 1.6 branch. Please update and let me know if there are any other problems. Regards, Irina Stanescu opensipsl...@encambio.com wrote: Hello List, On tues., dec 08, 2009, opensipsl...@encambio.com wrote: In my config file I have (a few times): # check if user is suspended if (aaa_is_user_in(From, suspended)) { send_reply(403, Forbidden); exit; } ...and I see in the log: Dec 08 23:03:47 name.host.tld error opensips[14400]: ERROR:group:aaa_is_user_in: Failure I'm using: Radiusclient-ng 0.5.6 Freeradius 2.1.3 OpenSIPS 1.6.0 with TLS ...on Solaris 11 x86 (nv-b91). I'm trying to migrate from 1.3.X to 1.6.0, but don't see what I'm doing wrong. Any ideas? Can it be that 'ERROR' and 'Failure' in the log file describe the result of the aaa_is_user_in query instead of its exit status? I can't imagine it, but maybe the module writer decided that this function reports errors when it simply finds no user in the group? Thanks, Brian ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] OpenSIPS with FreeRadius
Hi Saeed, Did you load the aaa_radius module? Regards, Irina Stanescu On Wed, Nov 25, 2009 at 1:37 PM, Saeed Akhtar saeedakhtar@gmail.comwrote: hi all, i'm trying to connect OpenSIPS with FreeRadius on Ubuntu Server 9.04. I've installed radius client and free radius server and then opensips. and I've following error lines when i run opensips. DBG:core:find_*mod_*export: aaa_*bind_*api in module aaa_radius not found ERROR:core:aaa_prot: aaa_radius has no bind api function ERROR:acc:init*acc*aaa: AAA protocol bind failure ERROR:acc:mod_init:failed to init radius ERROR:core:init_mod: failed to initialize module acc ERROR:core:main: error while initializeing modules Can someone please help me to resolve this issue Regards, Saeed Akhtar ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] OpenSIPS with FreeRadius
You have to load the aaa_radius module because it provides an implementation for the aaa api used by several other modules. You did not find the aaa_radius.so because the aaa_radius module is not compiled by default. You have to compile it yourself ( using make modules modules=modules/aaa_radius ). Regards, Irina Stanescu On Wed, Nov 25, 2009 at 2:19 PM, Saeed Akhtar saeedakhtar@gmail.comwrote: Hi, Thanks for your reply. First time I tried to load aaa_radius module. I used following command: loadmodule aaa_radius.so and it gave me error: ERROR:core:yyparse: module 'aaa_radius.so' not found in '/usr/local/lib/opensips/modules/' So i thought that may be aaa_radius module is not exactly a module to load seperatly in opensips. because i couldn't find aaa_radius.so file in my modules folder. Now i think i've done some terribly wrong in installing OpenSIPS with radius access. Can you please help me out to correct it. Regards, Saeed Akhtar On Wed, Nov 25, 2009 at 5:11 PM, Irina Stanescu ironmi...@gmail.comwrote: Hi Saeed, Did you load the aaa_radius module? Regards, Irina Stanescu On Wed, Nov 25, 2009 at 1:37 PM, Saeed Akhtar saeedakhtar@gmail.comwrote: hi all, i'm trying to connect OpenSIPS with FreeRadius on Ubuntu Server 9.04. I've installed radius client and free radius server and then opensips. and I've following error lines when i run opensips. DBG:core:find_*mod_*export: aaa_*bind_*api in module aaa_radius not found ERROR:core:aaa_prot: aaa_radius has no bind api function ERROR:acc:init*acc*aaa: AAA protocol bind failure ERROR:acc:mod_init:failed to init radius ERROR:core:init_mod: failed to initialize module acc ERROR:core:main: error while initializeing modules Can someone please help me to resolve this issue Regards, Saeed Akhtar ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] OpenSIPS with FreeRadius
I recommend you to read the documentation of the auth_aaa module http://www.opensips.org/html/docs/modules/devel/auth_aaa.html because you are not using the aaa_www_authorize function correctly (the realm parameter is usually the domain of the host the server is running on). To find the cause of the seg fault, i need to have a full backtrace from the core dump. Regards, Irina Stanescu On Wed, Nov 25, 2009 at 3:45 PM, Saeed Akhtar saeedakhtar@gmail.comwrote: Thank you. Now aaa_radius module is there and I've added it in configuration file. But now I have a new error. It says: Nov 25 17:41:06 [30313] ERROR:aaa_radius:mod_init: radius configuration file not set Nov 25 17:41:06 [30313] ERROR:core:init_mod: failed to initialize module aaa_radius Nov 25 17:41:06 [30313] ERROR:core:main: error while initializing modules So I added: modparam(aaa_radius, radius_config, /etc/radiusclient-ng/radiusclient.conf) (ref: http://www.opensips.org/Resources/DocsTutRadius) and it removed the error. But another problem now: I added if (!aaa_www_authorize(opensips.org)) { www_challenge(opensips.org, 1); }; in my configuration files. Then I ran freeradius and opensips and used xlite sip phone to connect to my test server. I can see my freeradius that it authenticated my request but my opensips just closed with this messages in end: Nov 25 18:36:43 [6494] DBG:core:get_hdr_field: to body [testdig sip:test...@192.168.2.18 sip%3atest...@192.168.2.18 ] Nov 25 18:36:43 [6494] DBG:uri:has_totag: no totag Nov 25 18:36:43 [6494] DBG:core:parse_headers: flags=4000 Nov 25 18:36:43 [6494] DBG:core:get_hdr_field: cseq CSeq: 1 REGISTER Nov 25 18:36:43 [6494] DBG:core:get_hdr_field: content_length=0 Nov 25 18:36:43 [6494] DBG:core:get_hdr_field: found end of header Nov 25 18:36:43 [6494] DBG:auth:pre_auth: credentials with given realm not found Nov 25 18:36:43 [6494] DBG:auth:reserve_nonce_index: second= 22, sec_monit= -1, index= 6 Nov 25 18:36:43 [6494] DBG:auth:build_auth_hf: nonce index= 6 Nov 25 18:36:43 [6494] DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm=opensips.org, nonce=4b0d33090006867ba8b2cfc8135a697ac20566d6e7e6, qop=auth ' Nov 25 18:36:43 [6494] DBG:core:parse_headers: flags= Nov 25 18:36:43 [6494] DBG:core:check_ip_address: params 192.168.2.12, 192.168.2.12, 0 Nov 25 18:36:43 [6494] DBG:core:destroy_avp_list: destroying list (nil) Nov 25 18:36:43 [6494] DBG:core:receive_msg: cleaning up Nov 25 18:36:43 [6494] DBG:core:parse_msg: SIP Request: Nov 25 18:36:43 [6494] DBG:core:parse_msg: method: REGISTER Nov 25 18:36:43 [6494] DBG:core:parse_msg: uri: sip:192.168.2.18 Nov 25 18:36:43 [6494] DBG:core:parse_msg: version: SIP/2.0 Nov 25 18:36:43 [6494] DBG:core:parse_headers: flags=2 Nov 25 18:36:43 [6494] DBG:core:parse_via_param: found param type 232, branch = z9hG4bK-d8754z-08647909f42cfa04-1---d8754z-; state=6 Nov 25 18:36:43 [6494] DBG:core:parse_via_param: found param type 235, rport = n/a; state=17 Nov 25 18:36:43 [6494] DBG:core:parse_via: end of header reached, state=5 Nov 25 18:36:43 [6494] DBG:core:parse_headers: via found, flags=2 Nov 25 18:36:43 [6494] DBG:core:parse_headers: this is the first via Nov 25 18:36:43 [6494] DBG:core:receive_msg: After parse_msg... Nov 25 18:36:43 [6494] DBG:core:receive_msg: preparing to run routing scripts... Nov 25 18:36:43 [6494] DBG:core:parse_headers: flags=100 Nov 25 18:36:43 [6494] DBG:maxfwd:is_maxfwd_present: value = 70 Nov 25 18:36:43 [6494] DBG:core:parse_headers: flags=8 Nov 25 18:36:43 [6494] DBG:core:parse_to: end of header reached, state=10 Nov 25 18:36:43 [6494] DBG:core:parse_to: display={testdig}, ruri={ sip:test...@192.168.2.18 sip%3atest...@192.168.2.18} Nov 25 18:36:43 [6494] DBG:core:get_hdr_field: To [37]; uri=[ sip:test...@192.168.2.18 sip%3atest...@192.168.2.18] Nov 25 18:36:43 [6494] DBG:core:get_hdr_field: to body [testdig sip:test...@192.168.2.18 sip%3atest...@192.168.2.18 ] Nov 25 18:36:43 [6494] DBG:uri:has_totag: no totag Nov 25 18:36:43 [6494] DBG:core:parse_headers: flags=4000 Nov 25 18:36:43 [6494] DBG:core:get_hdr_field: cseq CSeq: 2 REGISTER Nov 25 18:36:43 [6494] DBG:auth:check_nonce: comparing [4b0d33090006867ba8b2cfc8135a697ac20566d6e7e6] and [4b0d33090006867ba8b2cfc8135a697ac20566d6e7e6] Segmentation fault (core dumped) 1 thing i didn't include in my freeradius users file is: SIP-AVP = sems:ann-account_locked, and i didn't include following lines in opensips config file too. if (!aaa_proxy_authorize()) { # Realm and URI user will be auto-generated proxy_challenge(, 1); }; if (!aaa_proxy_authorize($pd, $pU)) { # Realm and URI user are taken proxy_challenge($pd, 1); # from P-Preferred-Identity }; because it generated some error. (I can't exactly remember it now). Please someone tell me what i did wrong. Regards, Saeed Akhtar On Wed, Nov 25, 2009 at 5:24 PM, Irina Stanescu ironmi...@gmail.comwrote
Re: [OpenSIPS-Users] AAA sets with radius_send_acct()
Hi Jeff, Actually, you are getting that error because the brackets are not properly closed. You missed one ')' for sets1. I see nothing wrong other than that. The radius_send_acct function makes acc_aaa_request used with aaa_extra some how redundant. Regards, Irina Stanescu On Wed, Oct 28, 2009 at 10:24 AM, Alex Massover a...@jajah.com wrote: Hi! You're mixing 2 different functions from 2 different modules: aaa_radius::radius_send_acct() which takes parameters from modparam(aaa_radius,sets and acc::acc_aaa_request() which takes parameters from modparam(acc, aaa_extra, Probably you need to use acc_aaa_request() (and not radius_send_acct()) inside a local route and it will take a parameters from aaa_extra. -- Best Regards, Alex Massover VoIP RD TL Jajah Inc. -Original Message- From: users-boun...@lists.opensips.org [mailto:users- boun...@lists.opensips.org] On Behalf Of Jeff Pyle Sent: Wednesday, October 28, 2009 12:05 AM To: OpenSIPS users mailling list Subject: [OpenSIPS-Users] AAA sets with radius_send_acct() Hello, I am attempting to make use of radius_send_acct() inside local_route to account for BYEs generated by the dialog module. I have a question about the set it references. The documentation does a good job explaining how to create a set. It doesn't say whether radius_send_acct() uses the existing aaa_extra module parameter definitions. I already have the following defined: modparam(acc, aaa_extra, User-Name=$Au; \ Calling-Station-Id=$fu; \ Called-Station-Id=$tu; \ Sip-Translated-Request-URI=$ru; \ Sip-RPid=$avp(s:rpid); \ Source-IP=$si; \ Source-Port=$sp; \ SIP-Proxy-IP=$Ri; \ Canonical-URI=$avp(s:can_uri); \ Billing-Party=$avp(s:billing_party); \ Divert-Reason=$avp(s:divert_reason); \ User-Agent=$hdr(user-agent); \ Contact=$hdr(contact); \ Event=$hdr(event); \ ENUM-TLD=$avp(s:enum_tld)) Would I need to reference this all again for the new set to be used with radius_send_acct()? Or, do I create a mostly empty set and all this aaa_extra will be there already? - Jeff ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users This mail was received via Mail-SeCure System. This mail was sent via Mail-SeCure System. ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] aaa_radius and ipaddr type
Hi Alex, The type for the Login-IP-Host attribute is ipaddr, which means 4 octets in network byte order. I hope this helps. Regards, Irina Stanescu On Sun, Oct 25, 2009 at 12:21 PM, Alex Massover a...@jajah.com wrote: Hi! I wonder is it possible to send IP address with radius_send_auth(set1,set2). For example I want to send Login-IP-Host inside set1. Login-IP-Host is ipaddr type, configured in the dictionary like this: ATTRIBUTE Login-IP-Host 14 ipaddr Let’s say I have the desired value in $avp(s:ip) like a string. If I put inside set1 like this: Login-IP-Host=$avp(s:ip), I get a wrong value in the radius message. If I convert it to int I also get a wrong value. Is there a way to correctly pass ipaddr radius attribute with aaa_radius? -- Best Regards, Alex Massover VoIP RD TL Jajah Inc. This mail was sent via Mail-SeCure System. ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] check_address() causes crash
Hello Jeff, I managed to get a core dump only when the second parameter of the check_address is empty. I added a check for that (rev. 6272), so it shouldn't crash anymore. Also, you can use $rd as the second parameter only if the domain name is an ip address, otherwise it won't work. Thanks! Irina Stanescu On Wed, Oct 14, 2009 at 10:43 PM, Jeff Pyle jp...@fidelityvoice.com wrote: Hello, I have the following: if (check_address(10, $rd, 0, $proto)) { setflag(7); } In many cases, and I can't seem to determine what those cases are, this causes the system to run very slowly for about 30 seconds, and then Opensips exits. I need to know if the source or destination IP addresses fall into one of the blocks included in group 10 of the address table. check_source_address() works great with Irina's fix; this is the destination half. It tanks the system. On the doc page it says: Transport protocol is either ANY or any valid transport protocol value: UDP, TCP, TLS, and SCTP. Is case relevant? Is lowercase just as valid as the uppercase examples? - Jeff ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] check_source_address() failures
Hi Jeff, There was a problem with the check_address_source function. It has been fixed starting with rev 6262. Please update and let me know if you find any other problems. Thank you! Irina Stanescu On Wed, Oct 14, 2009 at 1:19 AM, Brad Bendy brad.be...@benganetworks.comwrote: I know on mine I had to set port to 5060 (5068 in your case) or whatever you want, otherwise it would not work for me. Im sure you can use a * for any port number as well, but I have not tried that. Jeff Pyle wrote: Hello, A request arrives at Opensips 1.6 from address 175.88.228.19:5068 on UDP. The address table contains: ++-+--+--+--+---+--+--+ | id | grp | ip | mask | port | proto | pattern | context_info | ++-+--+--+--+---+--+--+ | 38 | 10 | 175.88.228.0 | 24 |0 | udp | ^sip:.*$ | src_test | ++-+--+--+--+---+--+--+ I would expect if(check_source_address(10)) to succeed, yet it does not. Any thoughts? I'm using check_source_address() elsewhere in my config to emulate the old allow_trusted, and that works just fine. Thanks, Jeff ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] permissions module since [6150]
Hello Konstantin, Try: if (!check_source_address()) { if (!proxy_authorize(, subscriber)) { } } Don't forget to update your database to use the new schema for the address table. More information: http://www.opensips.org/html/docs/modules/devel/permissions.html Irina Stanescu On Tue, Sep 22, 2009 at 2:20 AM, Konstantin Cherkasov c...@imarto.netwrote: Hi All! http://opensips.svn.sourceforge.net/viewvc/opensips?view=revrevision=6150 Since revision 6150 in permissions module there is not allow_trusted() function. How can I change my config to save functionality of allow_trusted? if(!allow_trusted()) { if (!proxy_authorize(, subscriber)) { -- Konstantin Cherkasov ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] Access to Radius AVP's and radius_extra parameter
Hello John, On Tue, Sep 8, 2009 at 5:43 PM, John Quick john.qu...@smartvox.co.ukwrote: I have been experimenting with Radius authentication on an older version of OpenSIPS (actually my test unit has OpenSER v1.3.2, but I don't think it will be much different to 1.5.x for this). I want to be able to read several values returned from the Radius server. Is this what the modparam radius_extra is for? Or is it to allow extra values to be passed to the Radius server for accounting? The radius_extra parameter only allows you to send extra values to the Radius server, to be logged for accounting. You cannot fetch any value from an accounting reply. My Radius server is configured to return three AVP's like this: Reply-Message = Opensips rules!, Sip-RPId = sip:123...@mysip.com sip%3a123...@mysip.com, SIP-AVP = #14:012...@mynumber.biz 14%3a012...@mynumber.biz Using Wireshark, I can see that the values are all being sent back to the OpenSIPS server, but I have only had success in accessing the value in SIP-AVP. Is there a trick to this or are those other values unavailable in the OpenSIPS script? Is the functionality I'm looking for only available in the new AAA modules? The functionality you are looking for is provided by the new AAA_RADIUS module. Using the functions exported by this module you can yield directly from the script any type of Radius query and also inspect replies for certain attributes. For more information, check out the tutorialhttp://www.opensips.org/Resources/DocsTutRadiusand the documentationhttp://www.opensips.org/html/docs/modules/devel/aaa_radius.html . If you have any other uncertainties, please let me know. Any other suggestions are welcome as well. John Quick Smartvox Limited Web: www.smartvox.co.uk Smartvox is a limited company, registered in England and Wales, number 5005263. Registered office: Spectrum House, Dunstable Road, Redbourn, St.Albans, Herts AL3 7PR ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users Best regards, Irina Stanescu ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] [NEW] AAA API and Radius enhancement
Hi, A new tutorial is available to explain how to install and configure RADIUS server and client and how to use the ported modules and the new AAA_RADIUS module. The tutorial can be found herehttp://www.opensips.org/Resources/DocsTutRadius . I hope you will find it useful. Regards, Irina Stanescu Irina Stanescu wrote: The following new features have been added to OpenSIPS: 1. Generic AAA API The AAA API represents a set of generic callbacks and structures needed for AAA operations. The purpose of the API is to move all the AAA specific (Radius) implementations in a single module. The AAA API will hide the implementations details from the modules that want to use AAA support, making it easier to use. Currently, only one module implements the AAA API - aaa_radius, offering Radius support. Because both standardized AAA protocols, Radius and Diameter, use lists of attribute-value pairs, the API is designed based on attribute-value pairs, as well. One of the advantages of using the API is that any module that wishes to do AAA operations does not depend on a certain protocol implementation, therefore it is not linked with a certain AAA library. Hence, any module that was previously using Radius, for example, is not linked with the radiusclient library any more, which is obviously an advantage, especially when the module uses more than one API (DB, AAA, etc). The AAA protocol to be used by a module is specified from the script using a so called aaa_url that encodes the protocol used and other useful information depending on the protocol. The way the generic AAA API is used makes it very similar to the generic database API. 2. The ability to make custom Radius requests directly from the script This feature is very useful because of its flexibility. Basically, any type of Radius queries can be yielded directly from the script, and also, Radius replies can be inspected for certain attributes. 3. Radius implementation for the generic AAA API The handling of Radius AVP SIP-AVP (used for fetching variables from the Radius server) was integrated in this module. All SIP-AVPs are automatically and transparently handled by the module, so that this functionality is by default available for all the modules that use Radius. Due to the fact that the modules that were previously using Radius were ported to the generic AAA API, the following changes have been made: - auth_radius became auth_aaa - group_radius was merged with group - uri_radius was merged with uri ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] error regarding group
Hello Ashwini, When have you last updated your trunk version? There were a problem with db_is_user_in but it was fixed starting with revision 6034. Regards, Irina On Wed, Sep 2, 2009 at 2:24 PM, ASHWINI NAIDU ashwini.na...@gmail.comwrote: hi all, I am trying to use the db_is_user_in function for checking whether the user is in the group. but i see the following error * ERROR:group:is_user_in: Invalid parameter grp* The opensips installed is from the trunk. -- Thanking You, Ashwini BR Naidu ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
[OpenSIPS-Users] [NEW] AAA API and Radius enhancement
The following new features have been added to OpenSIPS: 1. Generic AAA API The AAA API represents a set of generic callbacks and structures needed for AAA operations. The purpose of the API is to move all the AAA specific (Radius) implementations in a single module. The AAA API will hide the implementations details from the modules that want to use AAA support, making it easier to use. Currently, only one module implements the AAA API - aaa_radius, offering Radius support. Because both standardized AAA protocols, Radius and Diameter, use lists of attribute-value pairs, the API is designed based on attribute-value pairs, as well. One of the advantages of using the API is that any module that wishes to do AAA operations does not depend on a certain protocol implementation, therefore it is not linked with a certain AAA library. Hence, any module that was previously using Radius, for example, is not linked with the radiusclient library any more, which is obviously an advantage, especially when the module uses more than one API (DB, AAA, etc). The AAA protocol to be used by a module is specified from the script using a so called aaa_url that encodes the protocol used and other useful information depending on the protocol. The way the generic AAA API is used makes it very similar to the generic database API. 2. The ability to make custom Radius requests directly from the script This feature is very useful because of its flexibility. Basically, any type of Radius queries can be yielded directly from the script, and also, Radius replies can be inspected for certain attributes. 3. Radius implementation for the generic AAA API The handling of Radius AVP SIP-AVP (used for fetching variables from the Radius server) was integrated in this module. All SIP-AVPs are automatically and transparently handled by the module, so that this functionality is by default available for all the modules that use Radius. Due to the fact that the modules that were previously using Radius were ported to the generic AAA API, the following changes have been made: - auth_radius became auth_aaa - group_radius was merged with group - uri_radius was merged with uri ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users