[OpenSIPS-Users] No RADIUS traffic

ASHWINI NAIDU ashwini.naidu at gmail.com
Wed Jun 24 06:58:08 CEST 2009


Hi,

For radius support these packages are needed.

  *libradius-ng - libs and devel headers* - if you want to use functionalities
   with radius support - authentication, accounting, group support, etc.




On Wed, Jun 24, 2009 at 10:14 AM, Leon Li <Leon.Li at aarnet.edu.au> wrote:

> Hi Uwe,
>
> The file doesn't exist. :(
>
> Could you confirm my following installation is enough for OpenSIP +
> RADIUS?
>        1. FreeRADIUS 2.1.3
>        2. radiusclient-ng 0.5.6
>        3. openSIP 1.5.1
>
> Do I need libradius-ng-dev or libradius-ng as well? My system is Red Hat
> 5.
>
> Regards,
> Leon
>
>
> -----Original Message-----
> From: Uwe Kastens [mailto:kiste at kiste.org]
> Sent: Tuesday, 23 June 2009 5:31 PM
> To: Leon Li
> Cc: users at lists.opensips.org
> Subject: Re: [OpenSIPS-Users] No RADIUS traffic
>
> Li,
>
> I was wondering about the answer from radius:
> WARNING: Ignoring Status-Server request due to security configuration
>
> If I try the same I will get an answer like:
> Received response ID 196, code 2, length = 20
>
> Could you please check your shared secret.
>
> > Also, I cannot find file /var/run/radius.seq. Is it created automatically?
>
> It should be there if radius will work - but remember your permissions.
>
> You can try one thing: set fork=no  in opensips.cfg, install strace and
> start opensips with "strace -f -e open opensips". Now start one attempt
> to register etc.pp. and watch the line with the seq.
>
> [pid 20680] open("/var/run/opensips/radius.seq", O_RDWR|O_CREAT|O_APPEND, 0666) = 13
>
>
> BR
>
> Uwe
>
>
> Leon Li schrieb:
> > Uwe,
> >
> > I got the following from RADIUS when I issued the command you gave.
> >
> > rad_recv: Status-Server packet from host 127.0.0.1:39297, id=17, length=38
> > WARNING: Ignoring Status-Server request due to security configuration
> > --- Walking the entire request list ---
> > Nothing to do.  Sleeping until we see a request.
> > rad_recv: Status-Server packet from host 127.0.0.1:39297, id=17, length=38
> > WARNING: Ignoring Status-Server request due to security configuration
> > --- Walking the entire request list ---
> >
> > So I assume that the radius server is working?
> >
> > Also, I cannot find file /var/run/radius.seq. Is it created
> > automatically?
> >
> > Regards,
> > Leon
> >
> >
> > -----Original Message-----
> > From: Uwe Kastens [mailto:kiste at kiste.org]
> > Sent: Wednesday, 17 June 2009 6:01 PM
> > To: Leon Li
> > Cc: users at lists.opensips.org
> > Subject: Re: [OpenSIPS-Users] No RADIUS traffic
> >
> > Leon,
> >
> > mysql.so in opensips is not needed for the radius authentication.
> >
> > Shared secrets for radius are correct? Anyway you should see some
> > traffic on the radius server.
> >
> > Could you please test
> >  echo "Message-Authenticator = 0x00" | radclient 127.0.0.1:1812 status <shared secret>
> >
> > You should see then traffic on radiusd -X
> >
> > If yes I would start checking permissions again
> >
> > BR
> >
> > uwe
> >
> >
> > Leon Li schrieb:
> >> Hi Ashwini,
> >>
> >>
> >>
> >> I have added param for auth_radius, but no luck. :(
> >>
> >>
> >>
> >> Why do I need mysql.so if the radius server will host all users' credentials?
> >>
> >>
> >> Regards,
> >>
> >> Leon
> >>
> >>
> >>
> >> *From:* ASHWINI NAIDU [mailto:ashwini.naidu at gmail.com]
> >> *Sent:* Monday, 15 June 2009 2:52 PM
> >> *To:* Leon Li
> >> *Cc:* Uwe Kastens; users at lists.opensips.org
> >> *Subject:* Re: [OpenSIPS-Users] No RADIUS traffic
> >>
> >>
> >>
> >>
> >>
> >> On Mon, Jun 15, 2009 at 10:19 AM, ASHWINI NAIDU <ashwini.naidu at gmail.com> wrote:
> >>
> >> Hi Leon,
> >>
> >> But I do not see your openser communicating with radiusclient.
> >>
> >> modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
> >>
> >> mention the path of radiusclient.conf properly.
> >>
> >>
> >>
> >> Your mysql support is also commented.
> >>
> >> *loadmodule "mysql.so"*
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>     On Mon, Jun 15, 2009 at 5:13 AM, Leon Li <Leon.Li at aarnet.edu.au> wrote:
> >>
> >>     Here it is.
> >>
> >>     ####### Global Parameters #########
> >>
> >>     debug=3
> >>     log_stderror=no
> >>     log_facility=LOG_LOCAL0
> >>
> >>     fork=yes
> >>     children=4
> >>
> >>     /* uncomment the following lines to enable debugging */
> >>     debug=6
> >>     fork=no
> >>     log_stderror=yes
> >>
> >>     /* uncomment the next line to disable TCP (default on) */
> >>     #disable_tcp=yes
> >>
> >>     /* uncomment the next line to enable the auto temporary blacklisting of
> >>       not available destinations (default disabled) */
> >>     #disable_dns_blacklist=no
> >>
> >>     /* uncomment the next line to enable IPv6 lookup after IPv4 dns
> >>       lookup failures (default disabled) */
> >>     #dns_try_ipv6=yes
> >>
> >>     /* uncomment the next line to disable the auto discovery of local aliases
> >>       based on reverse DNS on IPs (default on) */
> >>     #auto_aliases=no
> >>
> >>     /* uncomment the following lines to enable TLS support  (default off) */
> >>     #disable_tls = no
> >>     #listen = tls:your_IP:5061
> >>     #tls_verify_server = 1
> >>     #tls_verify_client = 1
> >>     #tls_require_client_certificate = 0
> >>     #tls_method = TLSv1
> >>     #tls_certificate = "/usr/local/etc/openser/tls/user/user-cert.pem"
> >>     #tls_private_key = "/usr/local/etc/openser/tls/user/user-privkey.pem"
> >>     #tls_ca_list = "/usr/local/etc/openser/tls/user/user-calist.pem"
> >>
> >>     listen=202.158.197.134
> >>     port=5060
> >>
> >>     /* uncomment and configure the following line if you want openser to
> >>       bind on a specific interface/port/proto (default bind on all available) */
> >>     #listen=udp:192.168.1.2:5060
> >>
> >>     ####### Modules Section ########
> >>
> >>     #set module path
> >>     mpath="/usr/local/lib/openser/modules/"
> >>
> >>     /* uncomment next line for MySQL DB support */
> >>     #loadmodule "mysql.so"
> >>     loadmodule "sl.so"
> >>     loadmodule "tm.so"
> >>     loadmodule "rr.so"
> >>     loadmodule "maxfwd.so"
> >>     loadmodule "usrloc.so"
> >>     loadmodule "registrar.so"
> >>     loadmodule "textops.so"
> >>     loadmodule "mi_fifo.so"
> >>     loadmodule "uri_db.so"
> >>     loadmodule "uri.so"
> >>     loadmodule "xlog.so"
> >>     loadmodule "acc.so"
> >>     /* uncomment next lines for MySQL based authentication support
> >>       NOTE: a DB (like mysql) module must be also loaded */
> >>     loadmodule "auth.so"
> >>     loadmodule "auth_radius.so"
> >>     #loadmodule "auth_db.so"
> >>     /* uncomment next line for aliases support
> >>       NOTE: a DB (like mysql) module must be also loaded */
> >>     #loadmodule "alias_db.so"
> >>     /* uncomment next line for multi-domain support
> >>       NOTE: a DB (like mysql) module must be also loaded
> >>       NOTE: be sure and enable multi-domain support in all used modules
> >>             (see "multi-module params" section ) */
> >>     #loadmodule "domain.so"
> >>     /* uncomment the next two lines for presence server support
> >>       NOTE: a DB (like mysql) module must be also loaded */
> >>     #loadmodule "presence.so"
> >>     #loadmodule "presence_xml.so"
> >>
> >>
> >>     # ----------------- setting module-specific parameters ---------------
> >>
> >>     # ----- mi_fifo params -----
> >>     modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo")
> >>
> >>
> >>     # ----- rr params -----
> >>     # add value to ;lr param to cope with most of the UAs
> >>     modparam("rr", "enable_full_lr", 1)
> >>     # do not append from tag to the RR (no need for this script)
> >>     modparam("rr", "append_fromtag", 0)
> >>
> >>
> >>     # ----- rr params -----
> >>     modparam("registrar", "method_filtering", 1)
> >>     /* uncomment the next line to disable parallel forking via location */
> >>     # modparam("registrar", "append_branches", 0)
> >>     /* uncomment the next line not to allow more than 10 contacts per AOR */
> >>     #modparam("registrar", "max_contacts", 10)
> >>
> >>
> >>     # ----- uri_db params -----
> >>     /* by default we disable the DB support in the module as we do not need it
> >>       in this configuration */
> >>     modparam("uri_db", "use_uri_table", 0)
> >>     modparam("uri_db", "db_url", "")
> >>
> >>
> >>     # ----- acc params -----
> >>     /* what special events should be accounted ? */
> >>     modparam("acc", "early_media", 1)
> >>     modparam("acc", "report_ack", 1)
> >>     modparam("acc", "report_cancels", 1)
> >>     /* by default we do not adjust the direct of the sequential requests.
> >>       if you enable this parameter, be sure the enable "append_fromtag"
> >>       in "rr" module */
> >>     modparam("acc", "detect_direction", 0)
> >>     /* account triggers (flags) */
> >>     modparam("acc", "failed_transaction_flag", 3)
> >>     modparam("acc", "log_flag", 1)
> >>     modparam("acc", "log_missed_flag", 2)
> >>     /* uncomment the following lines to enable DB accounting also */
> >>     modparam("acc", "db_flag", 1)
> >>     modparam("acc", "db_missed_flag", 2)
> >>
> >>     # ----- multi-module params -----
> >>     /* uncomment the following line if you want to enable multi-domain support
> >>       in the modules (default off) */
> >>     #modparam("alias_db|auth_db|usrloc|uri_db", "use_domain", 1)
> >>
> >>     ####### Routing Logic ########
> >>
> >>
> >>     # main request routing logic
> >>
> >>     route{
> >>
> >>            if (!mf_process_maxfwd_header("10")) {
> >>                    sl_send_reply("483","Too Many Hops");
> >>                    exit;
> >>            }
> >>
> >>            if (has_totag()) {
> >>                    # sequential request within a dialog should
> >>                    # take the path determined by record-routing
> >>                    if (loose_route()) {
> >>                            if (is_method("BYE")) {
> >>                                    setflag(1); # do accounting ...
> >>                                    setflag(3); # ... even if the transaction fails
> >>                            }
> >>                            route(1);
> >>                    } else {
> >>                            /* uncomment the following lines if you want to enable presence */
> >>                            ##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
> >>                            ##      # in-dialog subscribe requests
> >>                            ##      route(2);
> >>                            ##      exit;
> >>                            ##}
> >>                            if ( is_method("ACK") ) {
> >>                                    if ( t_check_trans() ) {
> >>                                            # non loose-route, but stateful ACK; must be an ACK after a 487 or e.g. 404 from upstream server
> >>                                            t_relay();
> >>                                            exit;
> >>                                    } else {
> >>                                            # ACK without matching transaction ... ignore and discard.\n");
> >>                                            exit;
> >>                                    }
> >>                            }
> >>                            sl_send_reply("404","Not here");
> >>                    }
> >>                    exit;
> >>            }
> >>
> >>            #initial requests
> >>
> >>            # CANCEL processing
> >>            if (is_method("CANCEL"))
> >>            {
> >>                    if (t_check_trans())
> >>                            t_relay();
> >>                    exit;
> >>            }
> >>
> >>            t_check_trans();
> >>
> >>            # authenticate if from local subscriber (uncomment to enable auth)
> >>            ##if (!(method=="REGISTER") && from_uri==myself)
> >>            ##{
> >>            ##      if (!proxy_authorize("", "subscriber")) {
> >>            ##              proxy_challenge("", "0");
> >>            ##              exit;
> >>            ##      }
> >>            ##      if (!check_from()) {
> >>            ##              sl_send_reply("403","Forbidden auth ID");
> >>            ##              exit;
> >>            ##      }
> >>            ##
> >>            ##      consume_credentials();
> >>            ##      # caller authenticated
> >>            ##}
> >>
> >>            # record routing
> >>            if (!is_method("REGISTER|MESSAGE"))
> >>                    record_route();
> >>
> >>            # account only INVITEs
> >>            if (is_method("INVITE")) {
> >>                    setflag(1); # do accounting
> >>            }
> >>            if (!uri==myself)
> >>            /* replace with following line if multi-domain support is used */
> >>            ##if (!is_uri_host_local())
> >>            {
> >>                    append_hf("P-hint: outbound\r\n");
> >>                    # if you have some interdomain connections via TLS
> >>                    ##if($rd=="tls_domain1.net") {
> >>                    ##      t_relay("tls:domain1.net");
> >>                    ##      exit;
> >>                    ##} else if($rd=="tls_domain2.net") {
> >>                    ##      t_relay("tls:domain2.net");
> >>                    ##      exit;
> >>                    ##}
> >>                    route(1);
> >>            }
> >>
> >>            # requests for my domain
> >>
> >>            /* uncomment this if you want to enable presence server
> >>               and comment the next 'if' block
> >>               NOTE: uncomment also the definition of route[2] from below */
> >>            ##if( is_method("PUBLISH|SUBSCRIBE"))
> >>            ##              route(2);
> >>
> >>            if (is_method("PUBLISH"))
> >>            {
> >>                    sl_send_reply("503", "Service Unavailable");
> >>                    exit;
> >>            }
> >>
> >>
> >>            if (is_method("REGISTER"))
> >>            {
> >>                    # authenticate the REGISTER requests (uncomment to enable auth)
> >>                    ##if (!www_authorize("", "subscriber"))
> >>                    ##{
> >>                    ##      www_challenge("", "0");
> >>                    ##      exit;
> >>                    ##}
> >>                    ##
> >>                    ##if (!check_to())
> >>                    ##{
> >>                    ##      sl_send_reply("403","Forbidden auth ID");
> >>                    ##      exit;
> >>                    ##}
> >>
> >>                    xlog("L_INFO", "REGISTER for ($fU) $ru\n");
> >>                    if (!radius_www_authorize(""))
> >>                    {
> >>                            log(1, "Proxy Authentication Required (Digest)\n");
> >>                            www_challenge("", "0");
> >>                            exit;
> >>                    };
> >>
> >>                    if (!save("location"))
> >>                            sl_reply_error();
> >>
> >>                    exit;
> >>            }
> >>
> >>            if ($rU==NULL) {
> >>                    # request with no Username in RURI
> >>                    sl_send_reply("484","Address Incomplete");
> >>                    exit;
> >>            }
> >>
> >>            # apply DB based aliases (uncomment to enable)
> >>            ##alias_db_lookup("dbaliases");
> >>
> >>            if (!lookup("location")) {
> >>                    switch ($retcode) {
> >>                            case -1:
> >>                            case -3:
> >>                                    t_newtran();
> >>                                    t_reply("404", "Not Found");
> >>                                    exit;
> >>                            case -2:
> >>                                    sl_send_reply("405", "Method Not Allowed");
> >>                                    exit;
> >>                    }
> >>            }
> >>
> >>            # when routing via usrloc, log the missed calls also
> >>            setflag(2);
> >>
> >>            route(1);
> >>     }
> >>
> >>
> >>     route[1] {
> >>            # for INVITEs enable some additional helper routes
> >>            if (is_method("INVITE")) {
> >>                    t_on_branch("2");
> >>                    t_on_reply("2");
> >>                    t_on_failure("1");
> >>            }
> >>
> >>            if (!t_relay()) {
> >>                    sl_reply_error();
> >>            };
> >>            exit;
> >>     }
> >>
> >>     branch_route[2] {
> >>            xlog("new branch at $ru\n");
> >>     }
> >>
> >>
> >>     onreply_route[2] {
> >>            xlog("incoming reply\n");
> >>     }
> >>
> >>
> >>     failure_route[1] {
> >>            if (t_was_cancelled()) {
> >>                    exit;
> >>            }
> >>
> >>            # uncomment the following lines if you want to block client
> >>            # redirect based on 3xx replies.
> >>            ##if (t_check_status("3[0-9][0-9]")) {
> >>            ##t_reply("404","Not found");
> >>            ##      exit;
> >>            ##}
> >>
> >>            # uncomment the following lines if you want to redirect the failed
> >>            # calls to a different new destination
> >>            ##if (t_check_status("486|408")) {
> >>            ##      sethostport("192.168.2.100:5060");
> >>            ##      append_branch();
> >>            ##      # do not set the missed call flag again
> >>            ##      t_relay();
> >>            ##}
> >>
> >>     }
> >>
> >>     Regards,
> >>     Leon
> >>
> >>     -----Original Message-----
> >>     From: Uwe Kastens [mailto:kiste at kiste.org]
> >>     Sent: Friday, 12 June 2009 4:51 PM
> >>     To: Leon Li
> >>     Cc: users at lists.opensips.org
> >>     Subject: Re: [OpenSIPS-Users] No RADIUS traffic
> >>
> >>     Hi,
> >>
> >>     This is strange. Could you post your opensips.cfg or send it to me
> >>     directly?
> >>
> >>     BR
> >>
> >>     Uwe
> >>
> >>
> >>     _______________________________________________
> >>     Users mailing list
> >>     Users at lists.opensips.org <mailto:Users at lists.opensips.org>
> >>     http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >>
> >>
> >>
> >>     --
> >>     Thanking You,
> >>     Ashwini BR Naidu
> >>
> >>
> >>
> >>
> >> --
> >> Thanking You,
> >> Ashwini BR Naidu
> >>
> >
> >
>
>
> --
>
> kiste lat: 54.322684, lon: 10.13586
>
>



-- 
Thanking You,
Ashwini BR Naidu
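
What the `radclient ... status` test and the shared-secret check discussed in this thread exercise on the wire, as an added example that is not part of the original posts: a Status-Server request carrying only Message-Authenticator is 38 bytes (the `length=38` in the radiusd log), an attribute-less reply is 20 bytes (the `code 2, length = 20` reply), and both sides authenticate the packet with the shared secret. The function names and secret values are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

STATUS_SERVER = 12          # RADIUS code (RFC 5997)
ACCESS_ACCEPT = 2           # the "code 2" reply quoted in the thread
MESSAGE_AUTHENTICATOR = 80  # attribute type; value is a 16-byte HMAC-MD5


def build_status_server(secret, ident, authenticator=None):
    """Status-Server request carrying only Message-Authenticator (38 bytes)."""
    authenticator = authenticator or os.urandom(16)
    attr_head = struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18)
    header = struct.pack("!BBH", STATUS_SERVER, ident, 38) + authenticator
    # The HMAC covers the whole packet with the attribute value zeroed.
    mac = hmac.new(secret, header + attr_head + bytes(16), hashlib.md5).digest()
    return header + attr_head + mac


def message_authenticator_ok(packet, secret):
    """Server side: recompute the HMAC with the locally configured secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False  # malformed attribute
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False  # attribute missing


def build_reply(request, secret, code=ACCESS_ACCEPT):
    """Attribute-less 20-byte reply, as a server would send it."""
    head = struct.pack("!BBH", code, request[1], 20)
    # Response Authenticator = MD5(code, id, length, request auth, secret)
    return head + hashlib.md5(head + request[4:20] + secret).digest()


def reply_ok(reply, request, secret):
    """Client side: a reply signed with a different secret is rejected."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    signed = reply[:4] + request[4:20] + reply[20:] + secret
    return hmac.compare_digest(hashlib.md5(signed).digest(), reply[4:20])


if __name__ == "__main__":
    req = build_status_server(b"constructed-secret", ident=17)
    print(len(req), message_authenticator_ok(req, b"constructed-secret"))
    print(message_authenticator_ok(req, b"other-secret"))  # secret mismatch
```

In FreeRADIUS 2.x the "Ignoring Status-Server request due to security configuration" warning is governed by the `status_server` setting in the `security` section of radiusd.conf rather than by the secret check shown here.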