[OpenSIPS-Users] Radius auth / opensips last version : not working anymore ?

Bogdan-Andrei Iancu bogdan at opensips.org
Thu Nov 7 12:28:48 CET 2013


Hello Sam,

Looking back at your first email - it is strange that the RADIUS AVPs
are listed as generic "Digest-Attributes" - are you sure you have the
proper dictionary? Maybe you can send me the pcap for the RADIUS request,
to check it.

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com


On 11/05/2013 03:36 PM, Samuel Muller wrote:
> Hello Bogdan,
>
> Thanks a lot again for always being there :)
> I'm using this config :
>
> ### routing logic
>
> [.....]
>
>
>
> Finally I got it working after compiling in a Squeeze distrib. As I'm
> not a system engineer, I can't explain what was wrong ...
>
> As you mentioned, I'm looking to see if there's any "load_credentials()"
> function in the auth_aaa module, as in auth_db.
> I would like to do password caching to prevent RADIUS overload: my
> problem is that I have to manage hundreds of SIP/FXO gateways, which send
> hundreds of REGISTERs at the same time :(
>
> Thanks,
>
> .Sam.
>
>
>
> Samuel MULLER
> Telecom & Media Consultant
> co-owner
> L33 NETWORKS
> +33 663 128 505
> sml at l33.fr
> www.l33.fr
>
>
> On Fri, Nov 1, 2013 at 12:47 PM, Bogdan-Andrei Iancu
> <bogdan at opensips.org> wrote:
>> Hello Samuel,
>>
>> Using the aaa_www_authorize() function from script ?
>>
>> Regards,
>>
>> Bogdan-Andrei Iancu
>> OpenSIPS Founder and Developer
>> http://www.opensips-solutions.com
>>
>>
>> On 10/30/2013 04:25 PM, Samuel Muller wrote:
>>> Hello,
>>>
>>> I'm trying actually to update OpenSips to the v.1.10-tls, and now
>>> radius auth is not working anymore : radius server is rejecting the
>>> request.
>>> "Auth: [digest] Cleartext-Password or Digest-HA1 is required for
>>> authentication."
>>>
>>> environment : new registrar server in a dev environment.
>>>
>>> 1/ configs are exactly the same (strict copy of everything) - except
>>> necessary changes from opensips 1.8.1 to opensips 1.10 (alphanumerical
>>> flags, and so on)
>>> 2/ the os is a new one : updated squeeze to wheezy (so several libs
>>> are updated, like openssl, ...)
>>> 3/ libradiusclient-ng is the same version (0.5.6-1.1), dics are identical
>>> 4/ the auth is made against the same freeradius server used in the
>>> production (so, same sip accounts, etc ... in the back-end)
>>>
>>>
>>> ==> Radius server logs : <==
>>>
>>> Wed Oct 30 13:51:43 2013
>>>     Packet-Type = Access-Request
>>>     User-Name = "10133 at anydomain.com"
>>>     Digest-Attributes = "\n\00710133"
>>>     Digest-Attributes = "\001\025anydomain.com"
>>>     Digest-Attributes = "\002252710f0c0000000380e712a81e132fb9fb25b6e7079a90ea"
>>>     Digest-Attributes = "\004\031sip:anydomain.com"
>>>     Digest-Attributes = "\003\nREGISTER"
>>>     Digest-Attributes = "\005\006auth"
>>>     Digest-Attributes = "\t\n00000001"
>>>     Digest-Attributes = "\010\n718b1c07"
>>>     Digest-Response = "9c080c96ce9f553af167d96b9045605f"
>>>     Service-Type = Sip-Session
>>>     Sip-URI-User = "10133"
>>>     Acct-Session-Id = "e3d46f526b7a-zfy2ru5j4wxb"
>>>     Cisco-AVPair = "call-id=e3d46f526b7a-zfy2ru5j4wxb"
>>>     NAS-Port-Id = 5060
>>>     NAS-IP-Address = 10.10.10.100
>>>
>>> Wed Oct 30 13:51:43 2013 : Auth: [digest] Cleartext-Password or
>>> Digest-HA1 is required for authentication.
>>> Wed Oct 30 13:51:43 2013 : Auth: Login incorrect:
>>> [10133 at anydomain.com/<via Auth-Type = DIGEST>] (from client
>>> registrar.anydomain.com port 5060)
>>>
>>>
>>> ==> Opensips debug logs <==
>>>
>>> REGISTER sip:anydomain.com SIP/2.0
>>> Via: SIP/2.0/UDP
>>> 10.0.0.10:5060;branch=z9hG4bK42a7.81e32d7403fde0265a279f6f1af9f223.0
>>> v: SIP/2.0/UDP 192.168.1.61:3072;received=172.21.8.126;branch=z9hG4bK-pg3sz33w7irx;rport=19779
>>> f: "Red is Dead" <sip:10133 at anydomain.com>;tag=0vc6kaq7q7
>>> t: "Red is Dead" <sip:10133 at anydomain.com>
>>> i: e3d46f526b7a-zfy2ru5j4wxb
>>> CSeq: 812 REGISTER
>>> Max-Forwards: 32
>>> m: <sip:10133 at 192.168.1.61:3072>;reg-id=1;q=1.0
>>> User-Agent: snom821/8.7.3.19
>>> Allow-Events: dialog
>>> X-Real-IP: 192.168.1.61
>>> Supported: path
>>> Authorization: Digest
>>> username="10133",realm="anydomain.com",nonce="52710e8300000000bf18b8ca585d8021ac4de4bf5c6c5111",uri="sip:anydomain.com",qop=auth,nc=00000001,cnonce="19ec9410",response="89bf7e58d81541ea6d3d4cf643d7d0e1",algorithm=MD5
>>> Expires: 360
>>> l: 0
>>> P-Visited-Network-ID: 5411
>>> Path: <sip:10.0.0.10;lr;received=sip:172.21.8.126:19779>
>>>
>>> Oct 30 13:49:25 registrar opensips[17021]: DBG:auth:check_nonce:
>>> comparing [52710e8300000000bf18b8ca585d8021ac4de4bf5c6c5111] and
>>> [52710e8300000000bf18b8ca585d8021ac4de4bf5c6c5111]
>>> Oct 30 13:49:26 registrar opensips[17021]:
>>> DBG:aaa_radius:rad_send_message: rc_auth function succeded with result
>>> REJECT_RC
>>> Oct 30 13:49:26 registrar opensips[17021]:
>>> ERROR:auth_aaa:aaa_authorize_sterman: authorization failed
>>> Oct 30 13:49:26 registrar opensips[17021]:
>>> DBG:auth:reserve_nonce_index: second= 0, sec_monit= -1,  index= 1
>>> Oct 30 13:49:26 registrar opensips[17021]: DBG:auth:build_auth_hf:
>>> nonce index= 1
>>> Oct 30 13:49:26 registrar opensips[17021]: DBG:auth:build_auth_hf:
>>> 'WWW-Authenticate: Digest realm="anydomain.com",
>>> nonce="52710e840000000161b61dea385526f8bf7ca0e47041e8c6", qop="auth"
>>>
>>>
>>> If anyone has any idea, thanks a lot !
>>>
>>>
>>> Samuel MULLER
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opensips.org
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>
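
Each Digest-Attributes value in the FreeRADIUS log quoted above is one packed sub-attribute: a type octet, a length octet, then the value. The decoder below is an added example, not part of the original thread and not OpenSIPS or FreeRADIUS code; the type numbering follows draft-sterman-aaa-sip and the function names are illustrative.

```python
import re

# Sub-attribute codes packed inside Digest-Attributes
# (numbering from draft-sterman-aaa-sip).
SUBATTR = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 5: "QOP",
           6: "Algorithm", 7: "Body-Digest", 8: "CNonce",
           9: "Nonce-Count", 10: "User-Name"}

# Escapes as they appear in the log: \n, \t, \r, \\, \" and 3-digit octal.
_ESC = re.compile(r'\\([0-3][0-7]{2}|[ntr\\"])')
_SIMPLE = {"n": 10, "t": 9, "r": 13, "\\": 92, '"': 34}

def unescape(text):
    """Turn the printable log form back into the raw attribute octets."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        tok = m.group(1)
        out.append(int(tok, 8) if len(tok) == 3 else _SIMPLE[tok])
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)

def decode(logged):
    """Decode one logged value: type octet, length octet, then the value."""
    raw = unescape(logged)
    if len(raw) < 2:
        raise ValueError("too short for a sub-attribute header")
    kind, declared = raw[0], raw[1]
    return {"name": SUBATTR.get(kind, "Unknown-%d" % kind),
            "value": raw[2:].decode("latin-1"),
            "declared_len": declared,
            # The length octet counts the two header octets plus the value.
            "length_ok": declared == len(raw)}

# Values copied from the FreeRADIUS log in this thread.
LOGGED = [r"\n\00710133", r"\001\025anydomain.com",
          r"\002252710f0c0000000380e712a81e132fb9fb25b6e7079a90ea",
          r"\004\031sip:anydomain.com", r"\003\nREGISTER",
          r"\005\006auth", r"\t\n00000001", r"\010\n718b1c07"]

def decode_all(values=LOGGED):
    return [decode(v) for v in values]

if __name__ == "__main__":
    for d in decode_all():
        flag = "" if d["length_ok"] else "  (length octet says %d)" % d["declared_len"]
        print("Digest-%s = %r%s" % (d["name"], d["value"], flag))
```

On the values as posted, the Realm and URI entries report length_ok as False: their length octets (21 and 25) do not match the text shown, presumably because the domain was replaced before posting.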


