[OpenSIPS-Users] No RADIUS traffic
Leon Li
Leon.Li at aarnet.edu.au
Tue Jun 23 07:28:48 CEST 2009
Uwe,
I got the following from RADIUS when issue the command you gave.
rad_recv: Status-Server packet from host 127.0.0.1:39297, id=17,
length=38
WARNING: Ignoring Status-Server request due to security configuration
--- Walking the entire request list ---
Nothing to do. Sleeping until we see a request.
rad_recv: Status-Server packet from host 127.0.0.1:39297, id=17,
length=38
WARNING: Ignoring Status-Server request due to security configuration
--- Walking the entire request list ---
So I assume that the radius server is working?
Also, I cannot find file /var/run/radius.seq. Is it created
automatically?
Regards,
Leon
-----Original Message-----
From: Uwe Kastens [mailto:kiste at kiste.org]
Sent: Wednesday, 17 June 2009 6:01 PM
To: Leon Li
Cc: users at lists.opensips.org
Subject: Re: [OpenSIPS-Users] No RADIUS traffic
Leon,
mysql.so in opensips is not needed for the radius authentication.
Shared secrets for radius are correct? Anyway you should see some
traffic on the radius server.
Could you please test
echo "Message-Authenticator = 0x00" | radclient 127.0.0.1:1812 status
<shared secret>
You should see then traffic on radiusd -X
If yes I would start checking permissions again
BR
uwe
Leon Li schrieb:
> Hi Ashwini,
>
>
>
> I have added param for aut_radius, but no luck. L
>
>
>
> Why do I need mysql.so if the radius server will host all users
credential?
>
>
>
> Regards,
>
> Leon
>
>
>
> *From:* ASHWINI NAIDU [mailto:ashwini.naidu at gmail.com]
> *Sent:* Monday, 15 June 2009 2:52 PM
> *To:* Leon Li
> *Cc:* Uwe Kastens; users at lists.opensips.org
> *Subject:* Re: [OpenSIPS-Users] No RADIUS traffic
>
>
>
>
>
> On Mon, Jun 15, 2009 at 10:19 AM, ASHWINI NAIDU
<ashwini.naidu at gmail.com
> <mailto:ashwini.naidu at gmail.com>> wrote:
>
> hi leon,
>
> But i do not see your openser communicating with radiusclient.
>
> modparam("auth_radius", "radius_config",
> "/etc/radiusclient-ng/radiusclient.conf")
>
> mention the path of radiusclient.conf properly.
>
>
>
> Your mysql support is also commented.
>
> *loadmodule "mysql.so"*
>
>
>
>
>
>
>
>
>
>
>
> On Mon, Jun 15, 2009 at 5:13 AM, Leon Li <Leon.Li at aarnet.edu.au
> <mailto:Leon.Li at aarnet.edu.au>> wrote:
>
> Here it is.
>
> ####### Global Parameters #########
>
> debug=3
> log_stderror=no
> log_facility=LOG_LOCAL0
>
> fork=yes
> children=4
>
> /* uncomment the following lines to enable debugging */
> debug=6
> fork=no
> log_stderror=yes
>
> /* uncomment the next line to disable TCP (default on) */
> #disable_tcp=yes
>
> /* uncomment the next line to enable the auto temporary
blacklisting of
> not available destinations (default disabled) */
> #disable_dns_blacklist=no
>
> /* uncomment the next line to enable IPv6 lookup after IPv4 dns
> lookup failures (default disabled) */ #dns_try_ipv6=yes
>
> /* uncomment the next line to disable the auto discovery of local
> aliases
> based on revers DNS on IPs (default on) */ #auto_aliases=no
>
> /* uncomment the following lines to enable TLS support (default
off) */
> #disable_tls = no #listen = tls:your_IP:5061 #tls_verify_server =
1
> #tls_verify_client = 1 #tls_require_client_certificate = 0
#tls_method =
> TLSv1 #tls_certificate =
"/usr/local/etc/openser/tls/user/user-cert.pem"
> #tls_private_key =
"/usr/local/etc/openser/tls/user/user-privkey.pem"
> #tls_ca_list = "/usr/local/etc/openser/tls/user/user-calist.pem"
>
> listen=202.158.197.134
> port=5060
>
> /* uncomment and configure the following line if you want openser
to
> bind on a specific interface/port/proto (default bind on all
> available) */ #listen=udp:192.168.1.2:5060
<http://192.168.1.2:5060>
>
>
> ####### Modules Section ########
>
> #set module path
> mpath="/usr/local/lib/openser/modules/"
>
> /* uncomment next line for MySQL DB support */ #loadmodule
"mysql.so"
> loadmodule "sl.so"
> loadmodule "tm.so"
> loadmodule "rr.so"
> loadmodule "maxfwd.so"
> loadmodule "usrloc.so"
> loadmodule "registrar.so"
> loadmodule "textops.so"
> loadmodule "mi_fifo.so"
> loadmodule "uri_db.so"
> loadmodule "uri.so"
> loadmodule "xlog.so"
> loadmodule "acc.so"
> /* uncomment next lines for MySQL based authentication support
> NOTE: a DB (like mysql) module must be also loaded */ loadmodule
> "auth.so"
> loadmodule "auth_radius.so"
> #loadmodule "auth_db.so"
> /* uncomment next line for aliases support
> NOTE: a DB (like mysql) module must be also loaded */
#loadmodule
> "alias_db.so"
> /* uncomment next line for multi-domain support
> NOTE: a DB (like mysql) module must be also loaded
> NOTE: be sure and enable multi-domain support in all used
modules
> (see "multi-module params" section ) */ #loadmodule
"domain.so"
> /* uncomment the next two lines for presence server support
> NOTE: a DB (like mysql) module must be also loaded */
#loadmodule
> "presence.so"
> #loadmodule "presence_xml.so"
>
>
> # ----------------- setting module-specific parameters
---------------
>
>
> # ----- mi_fifo params -----
> modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo")
>
>
> # ----- rr params -----
> # add value to ;lr param to cope with most of the UAs
modparam("rr",
> "enable_full_lr", 1) # do not append from tag to the RR (no need
for
> this script) modparam("rr", "append_fromtag", 0)
>
>
> # ----- rr params -----
> modparam("registrar", "method_filtering", 1)
> /* uncomment the next line to disable parallel forking via
location */ #
> modparam("registrar", "append_branches", 0)
> /* uncomment the next line not to allow more than 10 contacts per
AOR */
> #modparam("registrar", "max_contacts", 10)
>
>
> # ----- uri_db params -----
> /* by default we disable the DB support in the module as we do not
need
> it
> in this configuration */
> modparam("uri_db", "use_uri_table", 0)
> modparam("uri_db", "db_url", "")
>
>
> # ----- acc params -----
> /* what sepcial events should be accounted ? */ modparam("acc",
> "early_media", 1) modparam("acc", "report_ack", 1) modparam("acc",
> "report_cancels", 1)
> /* by default ww do not adjust the direct of the sequential
requests.
> if you enable this parameter, be sure the enable
"append_fromtag"
> in "rr" module */
> modparam("acc", "detect_direction", 0)
> /* account triggers (flags) */
> modparam("acc", "failed_transaction_flag", 3) modparam("acc",
> "log_flag", 1) modparam("acc", "log_missed_flag", 2)
> /* uncomment the following lines to enable DB accounting also */
> modparam("acc", "db_flag", 1) modparam("acc", "db_missed_flag", 2)
>
> # ----- multi-module params -----
> /* uncomment the following line if you want to enable multi-domain
> support
> in the modules (dafault off) */
> #modparam("alias_db|auth_db|usrloc|uri_db", "use_domain", 1)
>
> ####### Routing Logic ########
>
>
> # main request routing logic
>
> route{
>
> if (!mf_process_maxfwd_header("10")) {
> sl_send_reply("483","Too Many Hops");
> exit;
> }
>
> if (has_totag()) {
> # sequential request withing a dialog should
> # take the path determined by record-routing
> if (loose_route()) {
> if (is_method("BYE")) {
> setflag(1); # do accouting ...
> setflag(3); # ... even if the
> transaction fails
> }
> route(1);
> } else {
> /* uncomment the following lines if you
want to
> enable presence */
> ##if (is_method("SUBSCRIBE") && $rd ==
> "your.server.ip.address") {
> ## # in-dialog subscribe requests
> ## route(2);
> ## exit;
> ##}
> if ( is_method("ACK") ) {
> if ( t_check_trans() ) {
> # non loose-route, but
stateful
> ACK; must be an ACK after a 487 or e.g. 404 from upstream server
> t_relay();
> exit;
> } else {
> # ACK without matching
> transaction ... ignore and discard.\n");
> exit;
> }
> }
> sl_send_reply("404","Not here");
> }
> exit;
> }
>
> #initial requests
>
> # CANCEL processing
> if (is_method("CANCEL"))
> {
> if (t_check_trans())
> t_relay();
> exit;
> }
>
> t_check_trans();
>
> # authenticate if from local subscriber (uncomment to
enable
> auth)
> ##if (!(method=="REGISTER") && from_uri==myself)
> ##{
> ## if (!proxy_authorize("", "subscriber")) {
> ## proxy_challenge("", "0");
> ## exit;
> ## }
> ## if (!check_from()) {
> ## sl_send_reply("403","Forbidden auth ID");
> ## exit;
> ## }
> ##
> ## consume_credentials();
> ## # caller authenticated
> ##}
>
> # record routing
> if (!is_method("REGISTER|MESSAGE"))
> record_route();
>
> # account only INVITEs
> if (is_method("INVITE")) {
> setflag(1); # do accouting
> }
> if (!uri==myself)
> /* replace with following line if multi-domain support is
used
> */
> ##if (!is_uri_host_local())
> {
> append_hf("P-hint: outbound\r\n");
> # if you have some interdomain connections via TLS
> ##if($rd=="tls_domain1.net
<http://tls_domain1.net>") {
> ## t_relay("tls:domain1.net
<http://domain1.net>");
> ## exit;
> ##} else if($rd=="tls_domain2.net
> <http://tls_domain2.net>") {
> ## t_relay("tls:domain2.net
<http://domain2.net>");
> ## exit;
> ##}
> route(1);
> }
>
> # requests for my domain
>
> /* uncomment this if you want to enable presence server
> and comment the next 'if' block
> NOTE: uncomment also the definition of route[2] from
below
> */
> ##if( is_method("PUBLISH|SUBSCRIBE"))
> ## route(2);
>
> if (is_method("PUBLISH"))
> {
> sl_send_reply("503", "Service Unavailable");
> exit;
> }
>
>
> if (is_method("REGISTER"))
> {
> # authenticate the REGISTER requests (uncomment to
> enable auth)
> ##if (!www_authorize("", "subscriber"))
> ##{
> ## www_challenge("", "0");
> ## exit;
> ##}
> ##
> ##if (!check_to())
> ##{
> ## sl_send_reply("403","Forbidden auth ID");
> ## exit;
> ##}
>
> xlog("L_INFO", "REGISTER for ($fU) $ru\n");
> if (!radius_www_authorize(""))
> {
> log(1, "Proxy Authentication Required
> (Digest)\n");
> www_challenge("", "0");
> exit;
> };
>
> if (!save("location"))
> sl_reply_error();
>
> exit;
> }
>
> if ($rU==NULL) {
> # request with no Username in RURI
> sl_send_reply("484","Address Incomplete");
> exit;
> }
>
> # apply DB based aliases (uncomment to enable)
> ##alias_db_lookup("dbaliases");
>
> if (!lookup("location")) {
> switch ($retcode) {
> case -1:
> case -3:
> t_newtran();
> t_reply("404", "Not Found");
> exit;
> case -2:
> sl_send_reply("405", "Method Not
> Allowed");
> exit;
> }
> }
>
> # when routing via usrloc, log the missed calls also
> setflag(2);
>
> route(1);
> }
>
>
> route[1] {
> # for INVITEs enable some additional helper routes
> if (is_method("INVITE")) {
> t_on_branch("2");
> t_on_reply("2");
> t_on_failure("1");
> }
>
> if (!t_relay()) {
> sl_reply_error();
> };
> exit;
> }
>
> branch_route[2] {
> xlog("new branch at $ru\n");
> }
>
>
> onreply_route[2] {
> xlog("incoming reply\n");
> }
>
>
> failure_route[1] {
> if (t_was_cancelled()) {
> exit;
> }
>
> # uncomment the following lines if you want to block client
> # redirect based on 3xx replies.
> ##if (t_check_status("3[0-9][0-9]")) {
> ##t_reply("404","Not found");
> ## exit;
> ##}
>
> # uncomment the following lines if you want to redirect the
> failed
> # calls to a different new destination
> ##if (t_check_status("486|408")) {
> ## sethostport("192.168.2.100:5060
> <http://192.168.2.100:5060>");
> ## append_branch();
> ## # do not set the missed call flag again
> ## t_relay();
> ##}
>
> }
>
> Regards,
> Leon
>
> -----Original Message-----
> From: Uwe Kastens [mailto:kiste at kiste.org
<mailto:kiste at kiste.org>]
>
> Sent: Friday, 12 June 2009 4:51 PM
> To: Leon Li
> Cc: users at lists.opensips.org <mailto:users at lists.opensips.org>
> Subject: Re: [OpenSIPS-Users] No RADIUS traffic
>
> Hi,
>
> This is strange. Could you post your opensips.cfg or send it to me
> directly?
>
> BR
>
> Uwe
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org <mailto:Users at lists.opensips.org>
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
>
> --
> Thanking You,
> Ashwini BR Naidu
>
>
>
>
> --
> Thanking You,
> Ashwini BR Naidu
>
--
kiste lat: 54.322684, lon: 10.13586
More information about the Users
mailing list