hi,<br><br>For radius support these packages are needed.<br><br> <b>libradius-ng -libs and devel headers</b>- if you want to use functionalities<br> with radius support - authentication, accounting, group support, etc<br>
<br><br><br><br><div class="gmail_quote">On Wed, Jun 24, 2009 at 10:14 AM, Leon Li <span dir="ltr"><<a href="mailto:Leon.Li@aarnet.edu.au">Leon.Li@aarnet.edu.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi Uwe,<br>
<br>
The file doesn't exist. :(<br>
<br>
Could you confirm my following installation is enough for OpenSIP +<br>
RADIUS?<br>
1. FreeRADIUS 2.1.3<br>
2. radiusclient-ng 0.5.6<br>
3. openSIP 1.5.1<br>
<br>
Do I need libradius-ng-dev or libradius-ng as well? My system is Red Hat<br>
5.<br>
<div class="im"><br>
Regards,<br>
Leon<br>
<br>
<br>
-----Original Message-----<br>
From: Uwe Kastens [mailto:<a href="mailto:kiste@kiste.org">kiste@kiste.org</a>]<br>
</div><div><div></div><div class="h5">Sent: Tuesday, 23 June 2009 5:31 PM<br>
To: Leon Li<br>
Cc: <a href="mailto:users@lists.opensips.org">users@lists.opensips.org</a><br>
Subject: Re: [OpenSIPS-Users] No RADIUS traffic<br>
<br>
Li,<br>
<br>
I was wondering about the answer from radius:<br>
WARNING: Ignoring Status-Server request due to security configuration<br>
<br>
If I try the same I will get an answer like:<br>
Received response ID 196, code 2, length = 20<br>
<br>
Could you please check your shared secret.<br>
<br>
> Also, I cannot find file /var/run/radius.seq. Is it created automatically?<br>
<br>
It should be there if radius will work - but remember your permissions.<br>
<br>
You can try one thing: set fork=no in opensips.cfg, install strace and<br>
start opensips with "strace -f -e open opensips". Now start one attempt<br>
to register etc.pp. and watch the line with the seq.<br>
<br>
[pid 20680] open("/var/run/opensips/radius.seq", O_RDWR|O_CREAT|O_APPEND, 0666) = 13<br>
<br>
<br>
BR<br>
<br>
Uwe<br>
<br>
<br>
Leon Li wrote:<br>
> Uwe,<br>
><br>
> I got the following from RADIUS when issuing the command you gave.<br>
><br>
> rad_recv: Status-Server packet from host 127.0.0.1:39297, id=17, length=38<br>
> WARNING: Ignoring Status-Server request due to security configuration<br>
> --- Walking the entire request list ---<br>
> Nothing to do. Sleeping until we see a request.<br>
> rad_recv: Status-Server packet from host 127.0.0.1:39297, id=17, length=38<br>
> WARNING: Ignoring Status-Server request due to security configuration<br>
> --- Walking the entire request list ---<br>
><br>
> So I assume that the radius server is working?<br>
><br>
> Also, I cannot find file /var/run/radius.seq. Is it created<br>
> automatically?<br>
><br>
> Regards,<br>
> Leon<br>
><br>
><br>
> -----Original Message-----<br>
> From: Uwe Kastens [mailto:<a href="mailto:kiste@kiste.org">kiste@kiste.org</a>]<br>
> Sent: Wednesday, 17 June 2009 6:01 PM<br>
> To: Leon Li<br>
> Cc: <a href="mailto:users@lists.opensips.org">users@lists.opensips.org</a><br>
> Subject: Re: [OpenSIPS-Users] No RADIUS traffic<br>
><br>
> Leon,<br>
><br>
> mysql.so in opensips is not needed for the radius authentication.<br>
><br>
> Shared secrets for radius are correct? Anyway you should see some<br>
> traffic on the radius server.<br>
><br>
> Could you please test<br>
> echo "Message-Authenticator = 0x00" | radclient 127.0.0.1:1812 status <shared secret><br>
><br>
> You should see then traffic on radiusd -X<br>
><br>
> If yes I would start checking permissions again<br>
><br>
> BR<br>
><br>
> uwe<br>
><br>
><br>
> Leon Li wrote:<br>
>> Hi Ashwini,<br>
>><br>
>><br>
>><br>
>> I have added param for auth_radius, but no luck. :(<br>
>><br>
>><br>
>><br>
>> Why do I need mysql.so if the radius server will host all users' credentials?<br>
>><br>
>><br>
>> Regards,<br>
>><br>
>> Leon<br>
>><br>
>><br>
>><br>
>> *From:* ASHWINI NAIDU [mailto:<a href="mailto:ashwini.naidu@gmail.com">ashwini.naidu@gmail.com</a>]<br>
>> *Sent:* Monday, 15 June 2009 2:52 PM<br>
>> *To:* Leon Li<br>
>> *Cc:* Uwe Kastens; <a href="mailto:users@lists.opensips.org">users@lists.opensips.org</a><br>
>> *Subject:* Re: [OpenSIPS-Users] No RADIUS traffic<br>
>><br>
>><br>
>><br>
>><br>
>><br>
>> On Mon, Jun 15, 2009 at 10:19 AM, ASHWINI NAIDU<br>
> <<a href="mailto:ashwini.naidu@gmail.com">ashwini.naidu@gmail.com</a><br>
>> <mailto:<a href="mailto:ashwini.naidu@gmail.com">ashwini.naidu@gmail.com</a>>> wrote:<br>
>><br>
>> hi leon,<br>
>><br>
>> But I do not see your openser communicating with radiusclient.<br>
>><br>
>> modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")<br>
>><br>
>> mention the path of radiusclient.conf properly.<br>
>><br>
>><br>
>><br>
>> Your mysql support is also commented.<br>
>><br>
>> *loadmodule "mysql.so"*<br>
>><br>
>><br>
>><br>
>><br>
>><br>
>><br>
>><br>
>><br>
>><br>
>><br>
>><br>
>> On Mon, Jun 15, 2009 at 5:13 AM, Leon Li <<a href="mailto:Leon.Li@aarnet.edu.au">Leon.Li@aarnet.edu.au</a><br>
>> <mailto:<a href="mailto:Leon.Li@aarnet.edu.au">Leon.Li@aarnet.edu.au</a>>> wrote:<br>
>><br>
>> Here it is.<br>
>><br>
>> ####### Global Parameters #########<br>
>><br>
>> debug=3<br>
>> log_stderror=no<br>
>> log_facility=LOG_LOCAL0<br>
>><br>
>> fork=yes<br>
>> children=4<br>
>><br>
>> /* uncomment the following lines to enable debugging */<br>
>> debug=6<br>
>> fork=no<br>
>> log_stderror=yes<br>
>><br>
>> /* uncomment the next line to disable TCP (default on) */<br>
>> #disable_tcp=yes<br>
>><br>
>> /* uncomment the next line to enable the auto temporary blacklisting of<br>
>> not available destinations (default disabled) */<br>
>> #disable_dns_blacklist=no<br>
>><br>
>> /* uncomment the next line to enable IPv6 lookup after IPv4 dns<br>
>> lookup failures (default disabled) */<br>
>> #dns_try_ipv6=yes<br>
>><br>
>> /* uncomment the next line to disable the auto discovery of local aliases<br>
>> based on reverse DNS on IPs (default on) */<br>
>> #auto_aliases=no<br>
>><br>
>> /* uncomment the following lines to enable TLS support (default off) */<br>
>> #disable_tls = no<br>
>> #listen = tls:your_IP:5061<br>
>> #tls_verify_server = 1<br>
>> #tls_verify_client = 1<br>
>> #tls_require_client_certificate = 0<br>
>> #tls_method = TLSv1<br>
>> #tls_certificate = "/usr/local/etc/openser/tls/user/user-cert.pem"<br>
>> #tls_private_key = "/usr/local/etc/openser/tls/user/user-privkey.pem"<br>
>> #tls_ca_list = "/usr/local/etc/openser/tls/user/user-calist.pem"<br>
>><br>
>> listen=202.158.197.134<br>
>> port=5060<br>
>><br>
>> /* uncomment and configure the following line if you want openser to<br>
>> bind on a specific interface/port/proto (default bind on all<br>
>> available) */<br>
>> #listen=udp:192.168.1.2:5060<br>
>><br>
>> ####### Modules Section ########<br>
>><br>
>> #set module path<br>
>> mpath="/usr/local/lib/openser/modules/"<br>
>><br>
>> /* uncomment next line for MySQL DB support */<br>
>> #loadmodule "mysql.so"<br>
>> loadmodule "sl.so"<br>
>> loadmodule "tm.so"<br>
>> loadmodule "rr.so"<br>
>> loadmodule "maxfwd.so"<br>
>> loadmodule "usrloc.so"<br>
>> loadmodule "registrar.so"<br>
>> loadmodule "textops.so"<br>
>> loadmodule "mi_fifo.so"<br>
>> loadmodule "uri_db.so"<br>
>> loadmodule "uri.so"<br>
>> loadmodule "xlog.so"<br>
>> loadmodule "acc.so"<br>
>> /* uncomment next lines for MySQL based authentication support<br>
>> NOTE: a DB (like mysql) module must be also loaded */<br>
>> loadmodule "auth.so"<br>
>> loadmodule "auth_radius.so"<br>
>> #loadmodule "auth_db.so"<br>
>> /* uncomment next line for aliases support<br>
>> NOTE: a DB (like mysql) module must be also loaded */<br>
>> #loadmodule "alias_db.so"<br>
>> /* uncomment next line for multi-domain support<br>
>> NOTE: a DB (like mysql) module must be also loaded<br>
>> NOTE: be sure and enable multi-domain support in all used modules<br>
>> (see "multi-module params" section ) */<br>
>> #loadmodule "domain.so"<br>
>> /* uncomment the next two lines for presence server support<br>
>> NOTE: a DB (like mysql) module must be also loaded */<br>
>> #loadmodule "presence.so"<br>
>> #loadmodule "presence_xml.so"<br>
>><br>
>><br>
>> # ----------------- setting module-specific parameters ---------------<br>
>><br>
>> # ----- mi_fifo params -----<br>
>> modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo")<br>
>><br>
>><br>
>> # ----- rr params -----<br>
>> # add value to ;lr param to cope with most of the UAs<br>
>> modparam("rr", "enable_full_lr", 1)<br>
>> # do not append from tag to the RR (no need for this script)<br>
>> modparam("rr", "append_fromtag", 0)<br>
>><br>
>><br>
>> # ----- rr params -----<br>
>> modparam("registrar", "method_filtering", 1)<br>
>> /* uncomment the next line to disable parallel forking via location */<br>
>> # modparam("registrar", "append_branches", 0)<br>
>> /* uncomment the next line not to allow more than 10 contacts per AOR */<br>
>> #modparam("registrar", "max_contacts", 10)<br>
>><br>
>><br>
>> # ----- uri_db params -----<br>
>> /* by default we disable the DB support in the module as we do not need it<br>
>> in this configuration */<br>
>> modparam("uri_db", "use_uri_table", 0)<br>
>> modparam("uri_db", "db_url", "")<br>
>><br>
>><br>
>> # ----- acc params -----<br>
>> /* what special events should be accounted ? */<br>
>> modparam("acc", "early_media", 1)<br>
>> modparam("acc", "report_ack", 1)<br>
>> modparam("acc", "report_cancels", 1)<br>
>> /* by default we do not adjust the direct of the sequential requests.<br>
>> if you enable this parameter, be sure the enable "append_fromtag"<br>
>> in "rr" module */<br>
>> modparam("acc", "detect_direction", 0)<br>
>> /* account triggers (flags) */<br>
>> modparam("acc", "failed_transaction_flag", 3)<br>
>> modparam("acc", "log_flag", 1)<br>
>> modparam("acc", "log_missed_flag", 2)<br>
>> /* uncomment the following lines to enable DB accounting also */<br>
>> modparam("acc", "db_flag", 1)<br>
>> modparam("acc", "db_missed_flag", 2)<br>
>><br>
>> # ----- multi-module params -----<br>
>> /* uncomment the following line if you want to enable multi-domain support<br>
>> in the modules (default off) */<br>
>> #modparam("alias_db|auth_db|usrloc|uri_db", "use_domain", 1)<br>
>><br>
>> ####### Routing Logic ########<br>
>><br>
>><br>
>> # main request routing logic<br>
>><br>
>> route{<br>
>><br>
>> if (!mf_process_maxfwd_header("10")) {<br>
>> sl_send_reply("483","Too Many Hops");<br>
>> exit;<br>
>> }<br>
>><br>
>> if (has_totag()) {<br>
>> # sequential request within a dialog should<br>
>> # take the path determined by record-routing<br>
>> if (loose_route()) {<br>
>> if (is_method("BYE")) {<br>
>> setflag(1); # do accounting ...<br>
>> setflag(3); # ... even if the transaction fails<br>
>> }<br>
>> route(1);<br>
>> } else {<br>
>> /* uncomment the following lines if you want to<br>
>> enable presence */<br>
>> ##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {<br>
>> ## # in-dialog subscribe requests<br>
>> ## route(2);<br>
>> ## exit;<br>
>> ##}<br>
>> if ( is_method("ACK") ) {<br>
>> if ( t_check_trans() ) {<br>
>> # non loose-route, but stateful ACK; must be an ACK after a 487 or e.g. 404 from upstream server<br>
>> t_relay();<br>
>> exit;<br>
>> } else {<br>
>> # ACK without matching transaction ... ignore and discard.\n");<br>
>> exit;<br>
>> }<br>
>> }<br>
>> sl_send_reply("404","Not here");<br>
>> }<br>
>> exit;<br>
>> }<br>
>><br>
>> #initial requests<br>
>><br>
>> # CANCEL processing<br>
>> if (is_method("CANCEL"))<br>
>> {<br>
>> if (t_check_trans())<br>
>> t_relay();<br>
>> exit;<br>
>> }<br>
>><br>
>> t_check_trans();<br>
>><br>
>> # authenticate if from local subscriber (uncomment to enable auth)<br>
>> ##if (!(method=="REGISTER") && from_uri==myself)<br>
>> ##{<br>
>> ## if (!proxy_authorize("", "subscriber")) {<br>
>> ## proxy_challenge("", "0");<br>
>> ## exit;<br>
>> ## }<br>
>> ## if (!check_from()) {<br>
>> ## sl_send_reply("403","Forbidden auth ID");<br>
>> ## exit;<br>
>> ## }<br>
>> ##<br>
>> ## consume_credentials();<br>
>> ## # caller authenticated<br>
>> ##}<br>
>><br>
>> # record routing<br>
>> if (!is_method("REGISTER|MESSAGE"))<br>
>> record_route();<br>
>><br>
>> # account only INVITEs<br>
>> if (is_method("INVITE")) {<br>
>> setflag(1); # do accounting<br>
>> }<br>
>> if (!uri==myself)<br>
>> /* replace with following line if multi-domain support is used */<br>
>> ##if (!is_uri_host_local())<br>
>> {<br>
>> append_hf("P-hint: outbound\r\n");<br>
>> # if you have some interdomain connections via TLS<br>
>> ##if($rd=="tls_domain1.net") {<br>
>> ## t_relay("tls:domain1.net");<br>
>> ## exit;<br>
>> ##} else if($rd=="tls_domain2.net") {<br>
>> ## t_relay("tls:domain2.net");<br>
>> ## exit;<br>
>> ##}<br>
>> route(1);<br>
>> }<br>
>><br>
>> # requests for my domain<br>
>><br>
>> /* uncomment this if you want to enable presence server<br>
>> and comment the next 'if' block<br>
>> NOTE: uncomment also the definition of route[2] from below */<br>
>> ##if( is_method("PUBLISH|SUBSCRIBE"))<br>
>> ## route(2);<br>
>><br>
>> if (is_method("PUBLISH"))<br>
>> {<br>
>> sl_send_reply("503", "Service Unavailable");<br>
>> exit;<br>
>> }<br>
>><br>
>><br>
>> if (is_method("REGISTER"))<br>
>> {<br>
>> # authenticate the REGISTER requests (uncomment to enable auth)<br>
>> ##if (!www_authorize("", "subscriber"))<br>
>> ##{<br>
>> ## www_challenge("", "0");<br>
>> ## exit;<br>
>> ##}<br>
>> ##<br>
>> ##if (!check_to())<br>
>> ##{<br>
>> ## sl_send_reply("403","Forbidden auth ID");<br>
>> ## exit;<br>
>> ##}<br>
>><br>
>> xlog("L_INFO", "REGISTER for ($fU) $ru\n");<br>
>> if (!radius_www_authorize(""))<br>
>> {<br>
>> log(1, "Proxy Authentication Required (Digest)\n");<br>
>> www_challenge("", "0");<br>
>> exit;<br>
>> };<br>
>><br>
>> if (!save("location"))<br>
>> sl_reply_error();<br>
>><br>
>> exit;<br>
>> }<br>
>><br>
>> if ($rU==NULL) {<br>
>> # request with no Username in RURI<br>
>> sl_send_reply("484","Address Incomplete");<br>
>> exit;<br>
>> }<br>
>><br>
>> # apply DB based aliases (uncomment to enable)<br>
>> ##alias_db_lookup("dbaliases");<br>
>><br>
>> if (!lookup("location")) {<br>
>> switch ($retcode) {<br>
>> case -1:<br>
>> case -3:<br>
>> t_newtran();<br>
>> t_reply("404", "Not Found");<br>
>> exit;<br>
>> case -2:<br>
>> sl_send_reply("405", "Method Not Allowed");<br>
>> exit;<br>
>> }<br>
>> }<br>
>><br>
>> # when routing via usrloc, log the missed calls also<br>
>> setflag(2);<br>
>><br>
>> route(1);<br>
>> }<br>
>><br>
>><br>
>> route[1] {<br>
>> # for INVITEs enable some additional helper routes<br>
>> if (is_method("INVITE")) {<br>
>> t_on_branch("2");<br>
>> t_on_reply("2");<br>
>> t_on_failure("1");<br>
>> }<br>
>><br>
>> if (!t_relay()) {<br>
>> sl_reply_error();<br>
>> };<br>
>> exit;<br>
>> }<br>
>><br>
>> branch_route[2] {<br>
>> xlog("new branch at $ru\n");<br>
>> }<br>
>><br>
>><br>
>> onreply_route[2] {<br>
>> xlog("incoming reply\n");<br>
>> }<br>
>><br>
>><br>
>> failure_route[1] {<br>
>> if (t_was_cancelled()) {<br>
>> exit;<br>
>> }<br>
>><br>
>> # uncomment the following lines if you want to block client<br>
>> # redirect based on 3xx replies.<br>
>> ##if (t_check_status("3[0-9][0-9]")) {<br>
>> ##t_reply("404","Not found");<br>
>> ## exit;<br>
>> ##}<br>
>><br>
>> # uncomment the following lines if you want to redirect the failed<br>
>> # calls to a different new destination<br>
>> ##if (t_check_status("486|408")) {<br>
>> ## sethostport("192.168.2.100:5060");<br>
>> ## append_branch();<br>
>> ## # do not set the missed call flag again<br>
>> ## t_relay();<br>
>> ##}<br>
>><br>
>> }<br>
>><br>
>> Regards,<br>
>> Leon<br>
>><br>
>> -----Original Message-----<br>
>> From: Uwe Kastens [mailto:<a href="mailto:kiste@kiste.org">kiste@kiste.org</a><br>
> <mailto:<a href="mailto:kiste@kiste.org">kiste@kiste.org</a>>]<br>
>> Sent: Friday, 12 June 2009 4:51 PM<br>
>> To: Leon Li<br>
>> Cc: <a href="mailto:users@lists.opensips.org">users@lists.opensips.org</a> <mailto:<a href="mailto:users@lists.opensips.org">users@lists.opensips.org</a>><br>
>> Subject: Re: [OpenSIPS-Users] No RADIUS traffic<br>
>><br>
>> Hi,<br>
>><br>
>> This is strange. Could you post your opensips.cfg or send it to me<br>
>> directly?<br>
>><br>
>> BR<br>
>><br>
>> Uwe<br>
>><br>
>><br>
>> _______________________________________________<br>
>> Users mailing list<br>
>> <a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a> <mailto:<a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>><br>
>> <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
>><br>
>><br>
>><br>
>> --<br>
>> Thanking You,<br>
>> Ashwini BR Naidu<br>
>><br>
>><br>
>><br>
>><br>
>> --<br>
>> Thanking You,<br>
>> Ashwini BR Naidu<br>
>><br>
><br>
><br>
<br>
<br>
--<br>
<br>
kiste lat: 54.322684, lon: 10.13586<br>
<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Thanking You,<br>Ashwini BR Naidu<br>
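Uwe's strace check from the thread, as an added example that is not part of the original messages: the function reads `strace -f -e open` output and reports whether each attempt to open radius.seq succeeded. The trace lines in `sample_trace` are constructed (the paths are the ones mentioned in the thread), and the pattern also accepts openat(), which newer glibc versions issue instead of open().

```shell
#!/bin/sh
# Added example (not from the thread): classify open()/openat() results for
# radius.seq in strace output read from stdin.
# Prints "OK <path> fd=<n>" or "FAIL <path> <errno>" for each call.
# Exit status: 0 = every open succeeded, 1 = at least one open failed,
#              2 = radius.seq was never opened (the RADIUS code path was not reached).
seq_open_status() {
    awk '
    /open(at)?\(.*radius\.seq"/ {
        n = split($0, parts, /\) = /)
        if (n < 2) next                     # "<unfinished ...>" line, no result yet
        match($0, /"[^"]*radius\.seq"/)
        path = substr($0, RSTART + 1, RLENGTH - 2)
        split(parts[n], res, " ")           # res[1] = fd or -1, res[2] = errno name
        seen = 1
        if (res[1] == "-1") { print "FAIL " path " " res[2]; failed = 1 }
        else                { print "OK " path " fd=" res[1] }
    }
    END {
        if (!seen) { print "NONE radius.seq was never opened"; exit 2 }
        exit (failed ? 1 : 0)
    }'
}

# Constructed sample trace: one successful open and one permission failure.
sample_trace() {
    cat <<'EOF'
[pid 20680] open("/etc/radiusclient-ng/radiusclient.conf", O_RDONLY) = 12
[pid 20680] open("/var/run/opensips/radius.seq", O_RDWR|O_CREAT|O_APPEND, 0666) = 13
[pid 20681] open("/var/run/radius.seq", O_RDWR|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
EOF
}

# Demo run on the constructed sample; a real run would pipe strace output in.
sample_trace | seq_open_status || true
```

A FAIL line with EACCES points at the ownership or mode of the directory holding radius.seq; exit status 2 means the request never reached the RADIUS client code at all.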