[OpenSIPS-Users] No RADIUS traffic

Uwe Kastens kiste at kiste.org
Wed Jun 17 10:00:49 CEST 2009


Leon,

mysql.so in opensips is not needed for the radius authentication.

Shared secrets for radius are correct? Anyway you should see some
traffic on the radius server.

Could you please test
 echo "Message-Authenticator = 0x00" | radclient 127.0.0.1:1812 status <shared secret>

You should then see traffic on radiusd -X.

If yes, I would start checking permissions again.

BR

uwe


Leon Li schrieb:
> Hi Ashwini,
> 
> I have added param for auth_radius, but no luck. :(
> 
> Why do I need mysql.so if the radius server will host all user credentials?
> 
> Regards,
> 
> Leon
> 
> *From:* ASHWINI NAIDU [mailto:ashwini.naidu at gmail.com]
> *Sent:* Monday, 15 June 2009 2:52 PM
> *To:* Leon Li
> *Cc:* Uwe Kastens; users at lists.opensips.org
> *Subject:* Re: [OpenSIPS-Users] No RADIUS traffic
> 
>  
> 
>  
> 
> On Mon, Jun 15, 2009 at 10:19 AM, ASHWINI NAIDU <ashwini.naidu at gmail.com> wrote:
> 
> Hi Leon,
> 
> But I do not see your openser communicating with radiusclient.
> 
> modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
> 
> Mention the path of radiusclient.conf properly.
> 
> Your mysql support is also commented.
> 
> *loadmodule "mysql.so"*
> 
>     On Mon, Jun 15, 2009 at 5:13 AM, Leon Li <Leon.Li at aarnet.edu.au> wrote:
> 
>     Here it is.
> 
>     ####### Global Parameters #########
> 
>     debug=3
>     log_stderror=no
>     log_facility=LOG_LOCAL0
> 
>     fork=yes
>     children=4
> 
>     /* uncomment the following lines to enable debugging */
>     debug=6
>     fork=no
>     log_stderror=yes
> 
>     /* uncomment the next line to disable TCP (default on) */
>     #disable_tcp=yes
> 
>     /* uncomment the next line to enable the auto temporary blacklisting of
>       not available destinations (default disabled) */
>     #disable_dns_blacklist=no
> 
>     /* uncomment the next line to enable IPv6 lookup after IPv4 dns
>       lookup failures (default disabled) */
>     #dns_try_ipv6=yes
> 
>     /* uncomment the next line to disable the auto discovery of local aliases
>       based on reverse DNS on IPs (default on) */
>     #auto_aliases=no
> 
>     /* uncomment the following lines to enable TLS support  (default off) */
>     #disable_tls = no
>     #listen = tls:your_IP:5061
>     #tls_verify_server = 1
>     #tls_verify_client = 1
>     #tls_require_client_certificate = 0
>     #tls_method = TLSv1
>     #tls_certificate = "/usr/local/etc/openser/tls/user/user-cert.pem"
>     #tls_private_key = "/usr/local/etc/openser/tls/user/user-privkey.pem"
>     #tls_ca_list = "/usr/local/etc/openser/tls/user/user-calist.pem"
> 
>     listen=202.158.197.134
>     port=5060
> 
>     /* uncomment and configure the following line if you want openser to
>       bind on a specific interface/port/proto (default bind on all available) */
>     #listen=udp:192.168.1.2:5060
> 
> 
>     ####### Modules Section ########
> 
>     #set module path
>     mpath="/usr/local/lib/openser/modules/"
> 
>     /* uncomment next line for MySQL DB support */
>     #loadmodule "mysql.so"
>     loadmodule "sl.so"
>     loadmodule "tm.so"
>     loadmodule "rr.so"
>     loadmodule "maxfwd.so"
>     loadmodule "usrloc.so"
>     loadmodule "registrar.so"
>     loadmodule "textops.so"
>     loadmodule "mi_fifo.so"
>     loadmodule "uri_db.so"
>     loadmodule "uri.so"
>     loadmodule "xlog.so"
>     loadmodule "acc.so"
>     /* uncomment next lines for MySQL based authentication support
>       NOTE: a DB (like mysql) module must be also loaded */
>     loadmodule "auth.so"
>     loadmodule "auth_radius.so"
>     #loadmodule "auth_db.so"
>     /* uncomment next line for aliases support
>       NOTE: a DB (like mysql) module must be also loaded */
>     #loadmodule "alias_db.so"
>     /* uncomment next line for multi-domain support
>       NOTE: a DB (like mysql) module must be also loaded
>       NOTE: be sure and enable multi-domain support in all used modules
>             (see "multi-module params" section ) */
>     #loadmodule "domain.so"
>     /* uncomment the next two lines for presence server support
>       NOTE: a DB (like mysql) module must be also loaded */
>     #loadmodule "presence.so"
>     #loadmodule "presence_xml.so"
> 
> 
>     # ----------------- setting module-specific parameters ---------------
> 
> 
>     # ----- mi_fifo params -----
>     modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo")
> 
> 
>     # ----- rr params -----
>     # add value to ;lr param to cope with most of the UAs
>     modparam("rr", "enable_full_lr", 1)
>     # do not append from tag to the RR (no need for this script)
>     modparam("rr", "append_fromtag", 0)
> 
> 
>     # ----- rr params -----
>     modparam("registrar", "method_filtering", 1)
>     /* uncomment the next line to disable parallel forking via location */
>     # modparam("registrar", "append_branches", 0)
>     /* uncomment the next line not to allow more than 10 contacts per AOR */
>     #modparam("registrar", "max_contacts", 10)
> 
> 
>     # ----- uri_db params -----
>     /* by default we disable the DB support in the module as we do not need it
>       in this configuration */
>     modparam("uri_db", "use_uri_table", 0)
>     modparam("uri_db", "db_url", "")
> 
> 
>     # ----- acc params -----
>     /* what special events should be accounted ? */
>     modparam("acc", "early_media", 1)
>     modparam("acc", "report_ack", 1)
>     modparam("acc", "report_cancels", 1)
>     /* by default we do not adjust the direction of the sequential requests.
>       if you enable this parameter, be sure to enable "append_fromtag"
>       in "rr" module */
>     modparam("acc", "detect_direction", 0)
>     /* account triggers (flags) */
>     modparam("acc", "failed_transaction_flag", 3)
>     modparam("acc", "log_flag", 1)
>     modparam("acc", "log_missed_flag", 2)
>     /* uncomment the following lines to enable DB accounting also */
>     modparam("acc", "db_flag", 1)
>     modparam("acc", "db_missed_flag", 2)
> 
>     # ----- multi-module params -----
>     /* uncomment the following line if you want to enable multi-domain support
>       in the modules (default off) */
>     #modparam("alias_db|auth_db|usrloc|uri_db", "use_domain", 1)
> 
>     ####### Routing Logic ########
> 
> 
>     # main request routing logic
> 
>     route{
> 
>            if (!mf_process_maxfwd_header("10")) {
>                    sl_send_reply("483","Too Many Hops");
>                    exit;
>            }
> 
>            if (has_totag()) {
>                    # sequential request within a dialog should
>                    # take the path determined by record-routing
>                    if (loose_route()) {
>                            if (is_method("BYE")) {
>                                    setflag(1); # do accounting ...
>                                    setflag(3); # ... even if the transaction fails
>                            }
>                            route(1);
>                    } else {
>                            /* uncomment the following lines if you want to enable presence */
>                            ##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
>                            ##      # in-dialog subscribe requests
>                            ##      route(2);
>                            ##      exit;
>                            ##}
>                            if ( is_method("ACK") ) {
>                                    if ( t_check_trans() ) {
>                                            # non loose-route, but stateful ACK; must be an ACK after a 487 or e.g. 404 from upstream server
>                                            t_relay();
>                                            exit;
>                                    } else {
>                                            # ACK without matching transaction ... ignore and discard.\n");
>                                            exit;
>                                    }
>                            }
>                            sl_send_reply("404","Not here");
>                    }
>                    exit;
>            }
> 
>            #initial requests
> 
>            # CANCEL processing
>            if (is_method("CANCEL"))
>            {
>                    if (t_check_trans())
>                            t_relay();
>                    exit;
>            }
> 
>            t_check_trans();
> 
>            # authenticate if from local subscriber (uncomment to enable auth)
>            ##if (!(method=="REGISTER") && from_uri==myself)
>            ##{
>            ##      if (!proxy_authorize("", "subscriber")) {
>            ##              proxy_challenge("", "0");
>            ##              exit;
>            ##      }
>            ##      if (!check_from()) {
>            ##              sl_send_reply("403","Forbidden auth ID");
>            ##              exit;
>            ##      }
>            ##
>            ##      consume_credentials();
>            ##      # caller authenticated
>            ##}
> 
>            # record routing
>            if (!is_method("REGISTER|MESSAGE"))
>                    record_route();
> 
>            # account only INVITEs
>            if (is_method("INVITE")) {
>                    setflag(1); # do accounting
>            }
>            if (!uri==myself)
>            /* replace with following line if multi-domain support is used */
>            ##if (!is_uri_host_local())
>            {
>                    append_hf("P-hint: outbound\r\n");
>                    # if you have some interdomain connections via TLS
>                    ##if($rd=="tls_domain1.net") {
>                    ##      t_relay("tls:domain1.net");
>                    ##      exit;
>                    ##} else if($rd=="tls_domain2.net") {
>                    ##      t_relay("tls:domain2.net");
>                    ##      exit;
>                    ##}
>                    route(1);
>            }
> 
>            # requests for my domain
> 
>            /* uncomment this if you want to enable presence server
>               and comment the next 'if' block
>               NOTE: uncomment also the definition of route[2] from  below */
>            ##if( is_method("PUBLISH|SUBSCRIBE"))
>            ##              route(2);
> 
>            if (is_method("PUBLISH"))
>            {
>                    sl_send_reply("503", "Service Unavailable");
>                    exit;
>            }
> 
> 
>            if (is_method("REGISTER"))
>            {
>                    # authenticate the REGISTER requests (uncomment to enable auth)
>                    ##if (!www_authorize("", "subscriber"))
>                    ##{
>                    ##      www_challenge("", "0");
>                    ##      exit;
>                    ##}
>                    ##
>                    ##if (!check_to())
>                    ##{
>                    ##      sl_send_reply("403","Forbidden auth ID");
>                    ##      exit;
>                    ##}
> 
>                    xlog("L_INFO", "REGISTER for ($fU) $ru\n");
>                    if (!radius_www_authorize(""))
>                    {
>                            log(1, "Proxy Authentication Required (Digest)\n");
>                            www_challenge("", "0");
>                            exit;
>                    };
> 
>                    if (!save("location"))
>                            sl_reply_error();
> 
>                    exit;
>            }
> 
>            if ($rU==NULL) {
>                    # request with no Username in RURI
>                    sl_send_reply("484","Address Incomplete");
>                    exit;
>            }
> 
>            # apply DB based aliases (uncomment to enable)
>            ##alias_db_lookup("dbaliases");
> 
>            if (!lookup("location")) {
>                    switch ($retcode) {
>                            case -1:
>                            case -3:
>                                    t_newtran();
>                                    t_reply("404", "Not Found");
>                                    exit;
>                            case -2:
>                                    sl_send_reply("405", "Method Not Allowed");
>                                    exit;
>                    }
>            }
> 
>            # when routing via usrloc, log the missed calls also
>            setflag(2);
> 
>            route(1);
>     }
> 
> 
>     route[1] {
>            # for INVITEs enable some additional helper routes
>            if (is_method("INVITE")) {
>                    t_on_branch("2");
>                    t_on_reply("2");
>                    t_on_failure("1");
>            }
> 
>            if (!t_relay()) {
>                    sl_reply_error();
>            };
>            exit;
>     }
> 
>     branch_route[2] {
>            xlog("new branch at $ru\n");
>     }
> 
> 
>     onreply_route[2] {
>            xlog("incoming reply\n");
>     }
> 
> 
>     failure_route[1] {
>            if (t_was_cancelled()) {
>                    exit;
>            }
> 
>            # uncomment the following lines if you want to block client
>            # redirect based on 3xx replies.
>            ##if (t_check_status("3[0-9][0-9]")) {
>            ##t_reply("404","Not found");
>            ##      exit;
>            ##}
> 
>            # uncomment the following lines if you want to redirect the failed
>            # calls to a different new destination
>            ##if (t_check_status("486|408")) {
>            ##      sethostport("192.168.2.100:5060");
>            ##      append_branch();
>            ##      # do not set the missed call flag again
>            ##      t_relay();
>            ##}
> 
>     }
> 
>     Regards,
>     Leon
> 
>     -----Original Message-----
>     From: Uwe Kastens [mailto:kiste at kiste.org]
>     Sent: Friday, 12 June 2009 4:51 PM
>     To: Leon Li
>     Cc: users at lists.opensips.org
>     Subject: Re: [OpenSIPS-Users] No RADIUS traffic
> 
>     Hi,
> 
>     This is strange. Could you post your opensips.cfg or send it to me
>     directly?
> 
>     BR
> 
>     Uwe
> 
> 
> 
> 
> 
>     -- 
>     Thanking You,
>     Ashwini BR Naidu
> 
> 
> 
> 
> -- 
> Thanking You,
> Ashwini BR Naidu
> 


-- 

kiste lat: 54.322684, lon: 10.13586
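
What the `radclient ... status` test suggested in the reply above puts on the wire, as an added example that is not part of the original thread: a RADIUS Status-Server packet whose Message-Authenticator is an HMAC-MD5 keyed with the shared secret, which is why a wrong secret fails this probe. The function names and the `testing123` secret are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import socket
import struct

STATUS_SERVER = 12          # RADIUS code used by `radclient ... status`
MESSAGE_AUTHENTICATOR = 80  # attribute type; value is a 16-byte HMAC-MD5


def build_status_server(secret: bytes, ident: int = 1, authenticator: bytes = None) -> bytes:
    """Return a Status-Server packet carrying a valid Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)
    header = struct.pack("!BBH", STATUS_SERVER, ident, 20 + 18) + authenticator
    attr_head = struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18)
    # The HMAC covers the whole packet with the attribute value set to zeros.
    mac = hmac.new(secret, header + attr_head + bytes(16), hashlib.md5).digest()
    return header + attr_head + mac


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check for the fixed 38-byte layout built above."""
    if len(packet) != 38 or packet[20] != MESSAGE_AUTHENTICATOR or packet[21] != 18:
        return False
    expected = hmac.new(secret, packet[:22] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[22:38])


def probe(host: str, port: int, secret: bytes, timeout: float = 3.0):
    """Send the probe; return the reply's RADIUS code, or None if no reply."""
    packet = build_status_server(secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except (socket.timeout, ConnectionError):
            return None
    return reply[0] if len(reply) >= 20 and reply[1] == packet[1] else None


if __name__ == "__main__":
    # "testing123" is a constructed placeholder; use the secret configured for this client.
    code = probe("127.0.0.1", 1812, b"testing123")
    print("no reply" if code is None else f"reply code {code}")
```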


