Hello,

Please take care of the backward compatibility files if you are using FreeRADIUS. There are two files to configure the clients: "clients.conf" (the new one, which is recommended) and "clients" (obsolete but still kept for compatibility).

Cheers,
Daniel

PS. Please keep cc-ing the mailing list so everybody can benefit from the answers or come up with solutions.


On 03/30/06 15:27, Nguyen Duc Phi wrote:
Hello,

I checked the config files on radiusclient and the Radius server again; the shared secret is the same on both server and client. I don't know why they do not agree. Please help me out of this problem. Thanks in advance.

Best regards,
Nguyen

Here are my config files.

FreeRADIUS runs at 192.168.212.10

/usr/local/etc/raddb/clients.conf

client 192.168.212.9 {
secret  = testing123
shortname = 192.168.212.9
}

OpenSER runs at 192.168.212.9

/usr/local/etc/radiusclient-ng/servers

#Server Name or Client/Server pair  Key
#----------------    ---------------
#portmaster.elemental.net   hardlyasecret
#portmaster2.elemental.net       donttellanyone
192.168.212.10         testing123


----- Original Message -----
From: "Daniel-Constantin Mierla" <[EMAIL PROTECTED]>
To: "Nguyen Duc Phi" <[EMAIL PROTECTED]>; <[email protected]>
Sent: Thursday, March 30, 2006 6:36 PM
Subject: Re: [Users] Radius Authentication failed ?


Hello,

here you can find the description of this error:

http://docs.hp.com/en/T1428-90025/ch08s02.html

Received invalid reply digest from server => Server and client do not agree on shared secret => Verify the shared secret in the clients file agrees with the secret configured on the client.

I started an OpenSER-Radius tutorial, but due to time constraints it is not finished yet. Hopefully it will be ready in the next few days. I will post it on the web and announce it on the mailing list.

Cheers,
Daniel



On 03/30/06 14:24, Nguyen Duc Phi wrote:
Thanks for the support. Here is the syslog from radiusclient.

Mar 30 18:00:49 sipserver openser: rc_check_reply: received invalid reply digest from RADIUS server

----- Original Message -----
From: "Daniel-Constantin Mierla" <[EMAIL PROTECTED]>
To: "Nguyen Duc Phi" <[EMAIL PROTECTED]>
Cc: <[email protected]>
Sent: Thursday, March 30, 2006 6:12 PM
Subject: Re: [Users] Radius Authentication failed ?


Have you got any message in syslog coming from the radiusclient-ng library? The FreeRadius server reports ok for authentication.

Cheers,
Daniel


On 03/30/06 05:15, Nguyen Duc Phi wrote:
I configured openser to authenticate against Radius. When a softphone registers to openser, Freeradius responds "Sending Access-Accept" but openser reports "ERROR:auth_radius:radius_authorize_sterman: rc_auth failed", so the softphone is not registered. I searched for this title on Google and on the "OpenSER Users Mailing List", but I didn't find a solution to the problem. Could someone help me fix this problem?
Here is the list of product versions I used:
openser-1.0.1
OS : CentOS-4 x86_64
radiusclient-ng-0.5.2
freeradius-1.0.5
openser debug output:
 8(8985) parse_headers: flags=ffffffffffffffff
 8(8985) check_via_address(192.168.212.123, 192.168.212.123, 0)
 8(8985) DEBUG:destroy_avp_list: destroying list (nil)
 8(8985) receive_msg: cleaning up
 7(8982) SIP Request:
 7(8982)  method:  <REGISTER>
 7(8982)  uri:     <sip:vdc.com.vn>
 7(8982)  version: <SIP/2.0>
 7(8982) parse_headers: flags=2
 7(8982) DEBUG: get_hdr_body : content_length=0
 7(8982) get_hdr_field: cseq <CSeq>: <2> <REGISTER>
 7(8982) DEBUG:parse_to:end of header reached, state=9
 7(8982) DEBUG: get_hdr_field: <To> [23]; uri=[sip:[EMAIL PROTECTED]
 7(8982) DEBUG: to body [<sip:[EMAIL PROTECTED]>
]
 7(8982) Found param type 235, <rport> = <n/a>; state=6
7(8982) Found param type 232, <branch> = <z9hG4bKc0a8d47b0131c9b1442b39c80000367c00000003>; state=16
 7(8982) end of header reached, state=5
 7(8982) parse_headers: Via found, flags=2
 7(8982) parse_headers: this is the first via
 7(8982) After parse_msg...
 7(8982) preparing to run routing scripts...
 7(8982) DEBUG:maxfwd:is_maxfwd_present: value = 70
 7(8982) parse_headers: flags=200
 7(8982) found end of header
 7(8982) find_first_route: No Route headers found
 7(8982) loose_route: There is no Route HF
7(8982) grep_sock_info - checking if host==us: 10==9 && [vdc.com.vn] == [127.0.0.1]
 7(8982) grep_sock_info - checking if port 5060 matches port 5060
7(8982) grep_sock_info - checking if host==us: 10==13 && [vdc.com.vn] == [192.168.212.9]
 7(8982) grep_sock_info - checking if port 5060 matches port 5060
7(8982) grep_sock_info - checking if host==us: 10==9 && [vdc.com.vn] == [127.0.0.1]
 7(8982) grep_sock_info - checking if port 5060 matches port 5060
7(8982) grep_sock_info - checking if host==us: 10==13 && [vdc.com.vn] == [192.168.212.9]
 7(8982) grep_sock_info - checking if port 5060 matches port 5060
7(8982) grep_sock_info - checking if host==us: 10==9 && [vdc.com.vn] == [127.0.0.1]
 7(8982) grep_sock_info - checking if port 5060 matches port 5060
7(8982) grep_sock_info - checking if host==us: 10==13 && [vdc.com.vn] == [192.168.212.9]
 7(8982) grep_sock_info - checking if port 5060 matches port 5060
7(8982) grep_sock_info - checking if host==us: 10==9 && [vdc.com.vn] == [127.0.0.1]
 7(8982) grep_sock_info - checking if port 5060 matches port 5060
7(8982) grep_sock_info - checking if host==us: 10==13 && [vdc.com.vn] == [192.168.212.9]
 7(8982) grep_sock_info - checking if port 5060 matches port 5060
7(8982) check_nonce(): comparing [442b360523cece6362803c97fa7fb10b37680cd8] and [442b360523cece6362803c97fa7fb10b37680cd8]
 7(8982) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
7(8982) build_auth_hf(): 'WWW-Authenticate: Digest realm="vdc.com.vn", nonce="442b360523cece6362803c97fa7fb10b37680cd8"
'
 7(8982) parse_headers: flags=ffffffffffffffff
 7(8982) check_via_address(192.168.212.123, 192.168.212.123, 0)
 7(8982) DEBUG:destroy_avp_list: destroying list (nil)
 7(8982) receive_msg: cleaning up
Radius debug output:
rad_recv: Access-Request packet from host 192.168.212.9:32826, id=205, length=203
        User-Name = "[EMAIL PROTECTED]"
        Digest-Attributes = 0x0a0635303031
        Digest-Attributes = 0x010c7664632e636f6d2e766e
Digest-Attributes = 0x022a34343262333630353233636563653633363238303363393766613766623130623337363830636438
        Digest-Attributes = 0x04107369703a7664632e636f6d2e766e
        Digest-Attributes = 0x030a5245474953544552
        Digest-Response = "1c3d532fc6c1c37004c6df6027e6242c"
        Service-Type = 0x0000000f00000000
        Sip-Uri-User = "5001"
        NAS-Port = 0x000013c400000000
        NAS-IP-Address = 0xc0a8d40900000000
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
  hints: Matched DEFAULT at 82
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_digest: Converting Digest-Attributes to something sane...
        Digest-User-Name = "5001"
        Digest-Realm = "vdc.com.vn"
        Digest-Nonce = "442b360523cece6362803c97fa7fb10b37680cd8"
        Digest-URI = "sip:vdc.com.vn"
        Digest-Method = "REGISTER"
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module "digest" returns ok for request 0
rlm_realm: No '@' in User-Name = "5001", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
radius_xlat:  '5001'
rlm_sql (sql): sql_set_user escaped user --> '5001'
radius_xlat: 'SELECT 1 as id,'5001' as UserName,'User-Password' as Attribute,subscriber_password as Value,'==' as op FROM subscribers WHERE subscriber_username = '5001'AND subscriber_status=1'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  ''
radius_xlat: 'SELECT 1 as id,'5001' as UserName,'Session-Timeout' as Attribute,getSessionTime('5001','')as Value,'=' as op FROM dual'
radius_xlat:  ''
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type DIGEST
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
A1 = 5001:vdc.com.vn:test
A2 = REGISTER:sip:vdc.com.vn
H(A1) = 454e15015603bd4bd79faf0c5ddd3346
H(A2) = ac5bd79ed3d6bd2bddcb1cffafbbd09a
KD = 454e15015603bd4bd79faf0c5ddd3346:442b360523cece6362803c97fa7fb10b37680cd8:ac5bd79ed3d6bd2bddcb1cffafbbd09a
EXPECTED 1c3d532fc6c1c37004c6df6027e6242c
RECEIVED 1c3d532fc6c1c37004c6df6027e6242c
  modcall[authenticate]: module "digest" returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [5001] (from client 192.168.212.9 port 3134307025)
Sending Access-Accept of id 205 to 192.168.212.9:32826
        Session-Timeout = 60
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 205 with timestamp 442b3adf
Nothing to do.  Sleeping until we see a request.
 Best regards,
Nguyen
------------------------------------------------------------------------


_______________________________________________
Users mailing list
[email protected]
http://openser.org/cgi-bin/mailman/listinfo/users
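
The check behind "received invalid reply digest", as an added example that is not part of the original thread and is not radiusclient-ng's own code: per RFC 2865 the client recomputes MD5(Code + ID + Length + Request Authenticator + Attributes + secret) over the reply, so a server that signs its Access-Accept with a different secret logs "Login OK" while the client still rejects the packet. The request authenticator and the second secret are constructed sample values; only id=205, Session-Timeout=60 and "testing123" come from the thread.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    """What the server sends: header, Response Authenticator, attributes."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs

def check_reply(packet, request_id, request_auth, secret):
    """Client-side validation; returns None if accepted, else the reason."""
    if len(packet) < HEADER_LEN:
        return "reply too short"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        return "bad length field"
    if ident != request_id:
        return "reply id does not match request"
    expected = response_authenticator(
        code, ident, packet[HEADER_LEN:length], request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        return "invalid reply digest"
    return None

# Constructed sample values (see the note above for what comes from the thread).
REQUEST_ID = 205
REQUEST_AUTH = bytes(range(16))                   # constructed 16-byte value
SESSION_TIMEOUT = struct.pack("!BBI", 27, 6, 60)  # attribute type 27, len 6
CLIENT_SECRET = b"testing123"                     # as in the "servers" file
OTHER_SECRET = b"secret-from-another-entry"       # hypothetical server value

good = build_reply(ACCESS_ACCEPT, REQUEST_ID, SESSION_TIMEOUT, REQUEST_AUTH, CLIENT_SECRET)
bad = build_reply(ACCESS_ACCEPT, REQUEST_ID, SESSION_TIMEOUT, REQUEST_AUTH, OTHER_SECRET)

if __name__ == "__main__":
    print("same secret:     ", check_reply(good, REQUEST_ID, REQUEST_AUTH, CLIENT_SECRET))
    print("different secret:", check_reply(bad, REQUEST_ID, REQUEST_AUTH, CLIENT_SECRET))
```

Both replies carry the same Access-Accept code and attributes; only the 16-byte authenticator differs, which is why the server-side debug output alone cannot reveal the mismatch.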







