[OpenSIPS-Users] No RADIUS traffic
Leon Li
Leon.Li at aarnet.edu.au
Fri Jun 26 08:53:12 CEST 2009
Uwe,
I tried the strace tool but no line is trying to use radius.seq. I
manually created radius.seq like "-rw-rw-rw- 1 root root
0 Jun 25 00:45 radius.seq" because it is not created for some reason.
Will this be a problem?
Regards,
Leon
-----Original Message-----
From: Uwe Kastens [mailto:kiste at kiste.org]
Sent: Tuesday, 23 June 2009 5:31 PM
To: Leon Li
Cc: users at lists.opensips.org
Subject: Re: [OpenSIPS-Users] No RADIUS traffic
Li,
I was wondering about the answer from radius:
WARNING: Ignoring Status-Server request due to security configuration
If I try the same I will get an answer like:
Received response ID 196, code 2, length = 20
Could you please check your shared secret.
> Also, I cannot find file /var/run/radius.seq. Is it created
automatically?
I should be there if radius will work - but remember your permissions.
You can try one thing: set fork=no in opensips.cfg, install strace and
start opensips with "strace -f -e open opensips". Now start one attempt
to register etc.pp. and watch the line with the seq.
[pid 20680] open("/var/run/opensips/radius.seq",
O_RDWR|O_CREAT|O_APPEND, 0666) = 13
BR
Uwe
Leon Li schrieb:
> Uwe,
>
> I got the following from RADIUS when issue the command you gave.
>
> rad_recv: Status-Server packet from host 127.0.0.1:39297, id=17,
> length=38
> WARNING: Ignoring Status-Server request due to security configuration
> --- Walking the entire request list ---
> Nothing to do. Sleeping until we see a request.
> rad_recv: Status-Server packet from host 127.0.0.1:39297, id=17,
> length=38
> WARNING: Ignoring Status-Server request due to security configuration
> --- Walking the entire request list ---
>
> So I assume that the radius server is working?
>
> Also, I cannot find file /var/run/radius.seq. Is it created
> automatically?
>
> Regards,
> Leon
>
>
> -----Original Message-----
> From: Uwe Kastens [mailto:kiste at kiste.org]
> Sent: Wednesday, 17 June 2009 6:01 PM
> To: Leon Li
> Cc: users at lists.opensips.org
> Subject: Re: [OpenSIPS-Users] No RADIUS traffic
>
> Leon,
>
> mysql.so in opensips is not needed for the radius authentication.
>
> Shared secrets for radius are correct? Anyway you should see some
> traffic on the radius server.
>
> Could you please test
> echo "Message-Authenticator = 0x00" | radclient 127.0.0.1:1812
status
> <shared secret>
>
> You should see then traffic on radiusd -X
>
> If yes I would start checking permissions again
>
> BR
>
> uwe
>
>
> Leon Li schrieb:
>> Hi Ashwini,
>>
>>
>>
>> I have added param for aut_radius, but no luck. L
>>
>>
>>
>> Why do I need mysql.so if the radius server will host all users
> credential?
>>
>>
>> Regards,
>>
>> Leon
>>
>>
>>
>> *From:* ASHWINI NAIDU [mailto:ashwini.naidu at gmail.com]
>> *Sent:* Monday, 15 June 2009 2:52 PM
>> *To:* Leon Li
>> *Cc:* Uwe Kastens; users at lists.opensips.org
>> *Subject:* Re: [OpenSIPS-Users] No RADIUS traffic
>>
>>
>>
>>
>>
>> On Mon, Jun 15, 2009 at 10:19 AM, ASHWINI NAIDU
> <ashwini.naidu at gmail.com
>> <mailto:ashwini.naidu at gmail.com>> wrote:
>>
>> hi leon,
>>
>> But i do not see your openser communicating with radiusclient.
>>
>> modparam("auth_radius", "radius_config",
>> "/etc/radiusclient-ng/radiusclient.conf")
>>
>> mention the path of radiusclient.conf properly.
>>
>>
>>
>> Your mysql support is also commented.
>>
>> *loadmodule "mysql.so"*
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Mon, Jun 15, 2009 at 5:13 AM, Leon Li <Leon.Li at aarnet.edu.au
>> <mailto:Leon.Li at aarnet.edu.au>> wrote:
>>
>> Here it is.
>>
>> ####### Global Parameters #########
>>
>> debug=3
>> log_stderror=no
>> log_facility=LOG_LOCAL0
>>
>> fork=yes
>> children=4
>>
>> /* uncomment the following lines to enable debugging */
>> debug=6
>> fork=no
>> log_stderror=yes
>>
>> /* uncomment the next line to disable TCP (default on) */
>> #disable_tcp=yes
>>
>> /* uncomment the next line to enable the auto temporary
> blacklisting of
>> not available destinations (default disabled) */
>> #disable_dns_blacklist=no
>>
>> /* uncomment the next line to enable IPv6 lookup after IPv4 dns
>> lookup failures (default disabled) */ #dns_try_ipv6=yes
>>
>> /* uncomment the next line to disable the auto discovery of local
>> aliases
>> based on revers DNS on IPs (default on) */ #auto_aliases=no
>>
>> /* uncomment the following lines to enable TLS support (default
> off) */
>> #disable_tls = no #listen = tls:your_IP:5061 #tls_verify_server =
> 1
>> #tls_verify_client = 1 #tls_require_client_certificate = 0
> #tls_method =
>> TLSv1 #tls_certificate =
> "/usr/local/etc/openser/tls/user/user-cert.pem"
>> #tls_private_key =
> "/usr/local/etc/openser/tls/user/user-privkey.pem"
>> #tls_ca_list = "/usr/local/etc/openser/tls/user/user-calist.pem"
>>
>> listen=202.158.197.134
>> port=5060
>>
>> /* uncomment and configure the following line if you want openser
> to
>> bind on a specific interface/port/proto (default bind on all
>> available) */ #listen=udp:192.168.1.2:5060
> <http://192.168.1.2:5060>
>>
>> ####### Modules Section ########
>>
>> #set module path
>> mpath="/usr/local/lib/openser/modules/"
>>
>> /* uncomment next line for MySQL DB support */ #loadmodule
> "mysql.so"
>> loadmodule "sl.so"
>> loadmodule "tm.so"
>> loadmodule "rr.so"
>> loadmodule "maxfwd.so"
>> loadmodule "usrloc.so"
>> loadmodule "registrar.so"
>> loadmodule "textops.so"
>> loadmodule "mi_fifo.so"
>> loadmodule "uri_db.so"
>> loadmodule "uri.so"
>> loadmodule "xlog.so"
>> loadmodule "acc.so"
>> /* uncomment next lines for MySQL based authentication support
>> NOTE: a DB (like mysql) module must be also loaded */
loadmodule
>> "auth.so"
>> loadmodule "auth_radius.so"
>> #loadmodule "auth_db.so"
>> /* uncomment next line for aliases support
>> NOTE: a DB (like mysql) module must be also loaded */
> #loadmodule
>> "alias_db.so"
>> /* uncomment next line for multi-domain support
>> NOTE: a DB (like mysql) module must be also loaded
>> NOTE: be sure and enable multi-domain support in all used
> modules
>> (see "multi-module params" section ) */ #loadmodule
> "domain.so"
>> /* uncomment the next two lines for presence server support
>> NOTE: a DB (like mysql) module must be also loaded */
> #loadmodule
>> "presence.so"
>> #loadmodule "presence_xml.so"
>>
>>
>> # ----------------- setting module-specific parameters
> ---------------
>>
>> # ----- mi_fifo params -----
>> modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo")
>>
>>
>> # ----- rr params -----
>> # add value to ;lr param to cope with most of the UAs
> modparam("rr",
>> "enable_full_lr", 1) # do not append from tag to the RR (no need
> for
>> this script) modparam("rr", "append_fromtag", 0)
>>
>>
>> # ----- rr params -----
>> modparam("registrar", "method_filtering", 1)
>> /* uncomment the next line to disable parallel forking via
> location */ #
>> modparam("registrar", "append_branches", 0)
>> /* uncomment the next line not to allow more than 10 contacts per
> AOR */
>> #modparam("registrar", "max_contacts", 10)
>>
>>
>> # ----- uri_db params -----
>> /* by default we disable the DB support in the module as we do
not
> need
>> it
>> in this configuration */
>> modparam("uri_db", "use_uri_table", 0)
>> modparam("uri_db", "db_url", "")
>>
>>
>> # ----- acc params -----
>> /* what sepcial events should be accounted ? */ modparam("acc",
>> "early_media", 1) modparam("acc", "report_ack", 1)
modparam("acc",
>> "report_cancels", 1)
>> /* by default ww do not adjust the direct of the sequential
> requests.
>> if you enable this parameter, be sure the enable
> "append_fromtag"
>> in "rr" module */
>> modparam("acc", "detect_direction", 0)
>> /* account triggers (flags) */
>> modparam("acc", "failed_transaction_flag", 3) modparam("acc",
>> "log_flag", 1) modparam("acc", "log_missed_flag", 2)
>> /* uncomment the following lines to enable DB accounting also */
>> modparam("acc", "db_flag", 1) modparam("acc", "db_missed_flag",
2)
>>
>> # ----- multi-module params -----
>> /* uncomment the following line if you want to enable
multi-domain
>> support
>> in the modules (dafault off) */
>> #modparam("alias_db|auth_db|usrloc|uri_db", "use_domain", 1)
>>
>> ####### Routing Logic ########
>>
>>
>> # main request routing logic
>>
>> route{
>>
>> if (!mf_process_maxfwd_header("10")) {
>> sl_send_reply("483","Too Many Hops");
>> exit;
>> }
>>
>> if (has_totag()) {
>> # sequential request withing a dialog should
>> # take the path determined by record-routing
>> if (loose_route()) {
>> if (is_method("BYE")) {
>> setflag(1); # do accouting ...
>> setflag(3); # ... even if the
>> transaction fails
>> }
>> route(1);
>> } else {
>> /* uncomment the following lines if you
> want to
>> enable presence */
>> ##if (is_method("SUBSCRIBE") && $rd ==
>> "your.server.ip.address") {
>> ## # in-dialog subscribe requests
>> ## route(2);
>> ## exit;
>> ##}
>> if ( is_method("ACK") ) {
>> if ( t_check_trans() ) {
>> # non loose-route, but
> stateful
>> ACK; must be an ACK after a 487 or e.g. 404 from upstream server
>> t_relay();
>> exit;
>> } else {
>> # ACK without matching
>> transaction ... ignore and discard.\n");
>> exit;
>> }
>> }
>> sl_send_reply("404","Not here");
>> }
>> exit;
>> }
>>
>> #initial requests
>>
>> # CANCEL processing
>> if (is_method("CANCEL"))
>> {
>> if (t_check_trans())
>> t_relay();
>> exit;
>> }
>>
>> t_check_trans();
>>
>> # authenticate if from local subscriber (uncomment to
> enable
>> auth)
>> ##if (!(method=="REGISTER") && from_uri==myself)
>> ##{
>> ## if (!proxy_authorize("", "subscriber")) {
>> ## proxy_challenge("", "0");
>> ## exit;
>> ## }
>> ## if (!check_from()) {
>> ## sl_send_reply("403","Forbidden auth ID");
>> ## exit;
>> ## }
>> ##
>> ## consume_credentials();
>> ## # caller authenticated
>> ##}
>>
>> # record routing
>> if (!is_method("REGISTER|MESSAGE"))
>> record_route();
>>
>> # account only INVITEs
>> if (is_method("INVITE")) {
>> setflag(1); # do accouting
>> }
>> if (!uri==myself)
>> /* replace with following line if multi-domain support is
> used
>> */
>> ##if (!is_uri_host_local())
>> {
>> append_hf("P-hint: outbound\r\n");
>> # if you have some interdomain connections via TLS
>> ##if($rd=="tls_domain1.net
> <http://tls_domain1.net>") {
>> ## t_relay("tls:domain1.net
> <http://domain1.net>");
>> ## exit;
>> ##} else if($rd=="tls_domain2.net
>> <http://tls_domain2.net>") {
>> ## t_relay("tls:domain2.net
> <http://domain2.net>");
>> ## exit;
>> ##}
>> route(1);
>> }
>>
>> # requests for my domain
>>
>> /* uncomment this if you want to enable presence server
>> and comment the next 'if' block
>> NOTE: uncomment also the definition of route[2] from
> below
>> */
>> ##if( is_method("PUBLISH|SUBSCRIBE"))
>> ## route(2);
>>
>> if (is_method("PUBLISH"))
>> {
>> sl_send_reply("503", "Service Unavailable");
>> exit;
>> }
>>
>>
>> if (is_method("REGISTER"))
>> {
>> # authenticate the REGISTER requests (uncomment to
>> enable auth)
>> ##if (!www_authorize("", "subscriber"))
>> ##{
>> ## www_challenge("", "0");
>> ## exit;
>> ##}
>> ##
>> ##if (!check_to())
>> ##{
>> ## sl_send_reply("403","Forbidden auth ID");
>> ## exit;
>> ##}
>>
>> xlog("L_INFO", "REGISTER for ($fU) $ru\n");
>> if (!radius_www_authorize(""))
>> {
>> log(1, "Proxy Authentication Required
>> (Digest)\n");
>> www_challenge("", "0");
>> exit;
>> };
>>
>> if (!save("location"))
>> sl_reply_error();
>>
>> exit;
>> }
>>
>> if ($rU==NULL) {
>> # request with no Username in RURI
>> sl_send_reply("484","Address Incomplete");
>> exit;
>> }
>>
>> # apply DB based aliases (uncomment to enable)
>> ##alias_db_lookup("dbaliases");
>>
>> if (!lookup("location")) {
>> switch ($retcode) {
>> case -1:
>> case -3:
>> t_newtran();
>> t_reply("404", "Not Found");
>> exit;
>> case -2:
>> sl_send_reply("405", "Method Not
>> Allowed");
>> exit;
>> }
>> }
>>
>> # when routing via usrloc, log the missed calls also
>> setflag(2);
>>
>> route(1);
>> }
>>
>>
>> route[1] {
>> # for INVITEs enable some additional helper routes
>> if (is_method("INVITE")) {
>> t_on_branch("2");
>> t_on_reply("2");
>> t_on_failure("1");
>> }
>>
>> if (!t_relay()) {
>> sl_reply_error();
>> };
>> exit;
>> }
>>
>> branch_route[2] {
>> xlog("new branch at $ru\n");
>> }
>>
>>
>> onreply_route[2] {
>> xlog("incoming reply\n");
>> }
>>
>>
>> failure_route[1] {
>> if (t_was_cancelled()) {
>> exit;
>> }
>>
>> # uncomment the following lines if you want to block
client
>> # redirect based on 3xx replies.
>> ##if (t_check_status("3[0-9][0-9]")) {
>> ##t_reply("404","Not found");
>> ## exit;
>> ##}
>>
>> # uncomment the following lines if you want to redirect
the
>> failed
>> # calls to a different new destination
>> ##if (t_check_status("486|408")) {
>> ## sethostport("192.168.2.100:5060
>> <http://192.168.2.100:5060>");
>> ## append_branch();
>> ## # do not set the missed call flag again
>> ## t_relay();
>> ##}
>>
>> }
>>
>> Regards,
>> Leon
>>
>> -----Original Message-----
>> From: Uwe Kastens [mailto:kiste at kiste.org
> <mailto:kiste at kiste.org>]
>> Sent: Friday, 12 June 2009 4:51 PM
>> To: Leon Li
>> Cc: users at lists.opensips.org <mailto:users at lists.opensips.org>
>> Subject: Re: [OpenSIPS-Users] No RADIUS traffic
>>
>> Hi,
>>
>> This is strange. Could you post your opensips.cfg or send it to
me
>> directly?
>>
>> BR
>>
>> Uwe
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org <mailto:Users at lists.opensips.org>
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>>
>>
>> --
>> Thanking You,
>> Ashwini BR Naidu
>>
>>
>>
>>
>> --
>> Thanking You,
>> Ashwini BR Naidu
>>
>
>
--
kiste lat: 54.322684, lon: 10.13586
More information about the Users
mailing list