[OpenSIPS-Users] No RADIUS traffic

Uwe Kastens kiste at kiste.org
Tue Jun 23 09:31:09 CEST 2009


Li,

I was wondering about the answer from radius:
WARNING: Ignoring Status-Server request due to security configuration

If I try the same I will get an answer like:
Received response ID 196, code 2, length = 20

Could you please check your shared secret.

> Also, I cannot find file /var/run/radius.seq. Is it created
automatically?

I should be there if radius will work - but remember your permissions.

You can try one thing: set fork=no  in opensips.cfg, install strace and
start opensips with "strace -f -e open opensips". Now start one attempt
to register etc.pp. and watch the line with the seq.

[pid 20680] open("/var/run/opensips/radius.seq",
O_RDWR|O_CREAT|O_APPEND, 0666) = 13


BR

Uwe


Leon Li schrieb:
> Uwe,
> 
> I got the following from RADIUS when issue the command you gave.
> 
> rad_recv: Status-Server packet from host 127.0.0.1:39297, id=17,
> length=38
> WARNING: Ignoring Status-Server request due to security configuration
> --- Walking the entire request list ---
> Nothing to do.  Sleeping until we see a request.
> rad_recv: Status-Server packet from host 127.0.0.1:39297, id=17,
> length=38
> WARNING: Ignoring Status-Server request due to security configuration
> --- Walking the entire request list ---
> 
> So I assume that the radius server is working? 
> 
> Also, I cannot find file /var/run/radius.seq. Is it created
> automatically?
> 
> Regards,
> Leon 
> 
> 
> -----Original Message-----
> From: Uwe Kastens [mailto:kiste at kiste.org] 
> Sent: Wednesday, 17 June 2009 6:01 PM
> To: Leon Li
> Cc: users at lists.opensips.org
> Subject: Re: [OpenSIPS-Users] No RADIUS traffic
> 
> Leon,
> 
> mysql.so in opensips is not needed for the radius authentication.
> 
> Shared secrets for radius are correct? Anyway you should see some
> traffic on the radius server.
> 
> Could you please test
>  echo "Message-Authenticator = 0x00" | radclient 127.0.0.1:1812  status
>  <shared secret>
> 
> You should see then traffic on radiusd -X
> 
> If yes I would start checking permissions again
> 
> BR
> 
> uwe
> 
> 
> Leon Li schrieb:
>> Hi Ashwini,
>>
>>  
>>
>> I have added param for aut_radius, but no luck. L
>>
>>  
>>
>> Why do I need mysql.so if the radius server will host all users
> credential?
>>  
>>
>> Regards,
>>
>> Leon
>>
>>  
>>
>> *From:* ASHWINI NAIDU [mailto:ashwini.naidu at gmail.com]
>> *Sent:* Monday, 15 June 2009 2:52 PM
>> *To:* Leon Li
>> *Cc:* Uwe Kastens; users at lists.opensips.org
>> *Subject:* Re: [OpenSIPS-Users] No RADIUS traffic
>>
>>  
>>
>>  
>>
>> On Mon, Jun 15, 2009 at 10:19 AM, ASHWINI NAIDU
> <ashwini.naidu at gmail.com
>> <mailto:ashwini.naidu at gmail.com>> wrote:
>>
>> hi leon,
>>
>> But i do not see your openser communicating with radiusclient.
>>
>> modparam("auth_radius", "radius_config", 
>> "/etc/radiusclient-ng/radiusclient.conf")
>>
>> mention the path of radiusclient.conf properly.
>>
>>
>>
>> Your mysql support is also commented.
>>
>> *loadmodule "mysql.so"*
>>
>>
>>      
>>
>>
>>
>>
>>
>>
>>      
>>
>>     On Mon, Jun 15, 2009 at 5:13 AM, Leon Li <Leon.Li at aarnet.edu.au
>>     <mailto:Leon.Li at aarnet.edu.au>> wrote:
>>
>>     Here it is.
>>
>>     ####### Global Parameters #########
>>
>>     debug=3
>>     log_stderror=no
>>     log_facility=LOG_LOCAL0
>>
>>     fork=yes
>>     children=4
>>
>>     /* uncomment the following lines to enable debugging */
>>     debug=6
>>     fork=no
>>     log_stderror=yes
>>
>>     /* uncomment the next line to disable TCP (default on) */
>>     #disable_tcp=yes
>>
>>     /* uncomment the next line to enable the auto temporary
> blacklisting of
>>       not available destinations (default disabled) */
>>     #disable_dns_blacklist=no
>>
>>     /* uncomment the next line to enable IPv6 lookup after IPv4 dns
>>       lookup failures (default disabled) */ #dns_try_ipv6=yes
>>
>>     /* uncomment the next line to disable the auto discovery of local
>>     aliases
>>       based on revers DNS on IPs (default on) */ #auto_aliases=no
>>
>>     /* uncomment the following lines to enable TLS support  (default
> off) */
>>     #disable_tls = no #listen = tls:your_IP:5061 #tls_verify_server =
> 1
>>     #tls_verify_client = 1 #tls_require_client_certificate = 0
> #tls_method =
>>     TLSv1 #tls_certificate =
> "/usr/local/etc/openser/tls/user/user-cert.pem"
>>     #tls_private_key =
> "/usr/local/etc/openser/tls/user/user-privkey.pem"
>>     #tls_ca_list = "/usr/local/etc/openser/tls/user/user-calist.pem"
>>
>>     listen=202.158.197.134
>>     port=5060
>>
>>     /* uncomment and configure the following line if you want openser
> to
>>       bind on a specific interface/port/proto (default bind on all
>>     available) */ #listen=udp:192.168.1.2:5060
> <http://192.168.1.2:5060>
>>
>>     ####### Modules Section ########
>>
>>     #set module path
>>     mpath="/usr/local/lib/openser/modules/"
>>
>>     /* uncomment next line for MySQL DB support */ #loadmodule
> "mysql.so"
>>     loadmodule "sl.so"
>>     loadmodule "tm.so"
>>     loadmodule "rr.so"
>>     loadmodule "maxfwd.so"
>>     loadmodule "usrloc.so"
>>     loadmodule "registrar.so"
>>     loadmodule "textops.so"
>>     loadmodule "mi_fifo.so"
>>     loadmodule "uri_db.so"
>>     loadmodule "uri.so"
>>     loadmodule "xlog.so"
>>     loadmodule "acc.so"
>>     /* uncomment next lines for MySQL based authentication support
>>       NOTE: a DB (like mysql) module must be also loaded */ loadmodule
>>     "auth.so"
>>     loadmodule "auth_radius.so"
>>     #loadmodule "auth_db.so"
>>     /* uncomment next line for aliases support
>>       NOTE: a DB (like mysql) module must be also loaded */
> #loadmodule
>>     "alias_db.so"
>>     /* uncomment next line for multi-domain support
>>       NOTE: a DB (like mysql) module must be also loaded
>>       NOTE: be sure and enable multi-domain support in all used
> modules
>>             (see "multi-module params" section ) */ #loadmodule
> "domain.so"
>>     /* uncomment the next two lines for presence server support
>>       NOTE: a DB (like mysql) module must be also loaded */
> #loadmodule
>>     "presence.so"
>>     #loadmodule "presence_xml.so"
>>
>>
>>     # ----------------- setting module-specific parameters
> ---------------
>>
>>     # ----- mi_fifo params -----
>>     modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo")
>>
>>
>>     # ----- rr params -----
>>     # add value to ;lr param to cope with most of the UAs
> modparam("rr",
>>     "enable_full_lr", 1) # do not append from tag to the RR (no need
> for
>>     this script) modparam("rr", "append_fromtag", 0)
>>
>>
>>     # ----- rr params -----
>>     modparam("registrar", "method_filtering", 1)
>>     /* uncomment the next line to disable parallel forking via
> location */ #
>>     modparam("registrar", "append_branches", 0)
>>     /* uncomment the next line not to allow more than 10 contacts per
> AOR */
>>     #modparam("registrar", "max_contacts", 10)
>>
>>
>>     # ----- uri_db params -----
>>     /* by default we disable the DB support in the module as we do not
> need
>>     it
>>       in this configuration */
>>     modparam("uri_db", "use_uri_table", 0)
>>     modparam("uri_db", "db_url", "")
>>
>>
>>     # ----- acc params -----
>>     /* what sepcial events should be accounted ? */ modparam("acc",
>>     "early_media", 1) modparam("acc", "report_ack", 1) modparam("acc",
>>     "report_cancels", 1)
>>     /* by default ww do not adjust the direct of the sequential
> requests.
>>       if you enable this parameter, be sure the enable
> "append_fromtag"
>>       in "rr" module */
>>     modparam("acc", "detect_direction", 0)
>>     /* account triggers (flags) */
>>     modparam("acc", "failed_transaction_flag", 3) modparam("acc",
>>     "log_flag", 1) modparam("acc", "log_missed_flag", 2)
>>     /* uncomment the following lines to enable DB accounting also */
>>     modparam("acc", "db_flag", 1) modparam("acc", "db_missed_flag", 2)
>>
>>     # ----- multi-module params -----
>>     /* uncomment the following line if you want to enable multi-domain
>>     support
>>       in the modules (dafault off) */
>>     #modparam("alias_db|auth_db|usrloc|uri_db", "use_domain", 1)
>>
>>     ####### Routing Logic ########
>>
>>
>>     # main request routing logic
>>
>>     route{
>>
>>            if (!mf_process_maxfwd_header("10")) {
>>                    sl_send_reply("483","Too Many Hops");
>>                    exit;
>>            }
>>
>>            if (has_totag()) {
>>                    # sequential request withing a dialog should
>>                    # take the path determined by record-routing
>>                    if (loose_route()) {
>>                            if (is_method("BYE")) {
>>                                    setflag(1); # do accouting ...
>>                                    setflag(3); # ... even if the
>>     transaction fails
>>                            }
>>                            route(1);
>>                    } else {
>>                            /* uncomment the following lines if you
> want to
>>     enable presence */
>>                            ##if (is_method("SUBSCRIBE") && $rd ==
>>     "your.server.ip.address") {
>>                            ##      # in-dialog subscribe requests
>>                            ##      route(2);
>>                            ##      exit;
>>                            ##}
>>                            if ( is_method("ACK") ) {
>>                                    if ( t_check_trans() ) {
>>                                            # non loose-route, but
> stateful
>>     ACK; must be an ACK after a 487 or e.g. 404 from upstream server
>>                                            t_relay();
>>                                            exit;
>>                                    } else {
>>                                            # ACK without matching
>>     transaction ... ignore and discard.\n");
>>                                            exit;
>>                                    }
>>                            }
>>                            sl_send_reply("404","Not here");
>>                    }
>>                    exit;
>>            }
>>
>>            #initial requests
>>
>>            # CANCEL processing
>>            if (is_method("CANCEL"))
>>            {
>>                    if (t_check_trans())
>>                            t_relay();
>>                    exit;
>>            }
>>
>>            t_check_trans();
>>
>>            # authenticate if from local subscriber (uncomment to
> enable
>>     auth)
>>            ##if (!(method=="REGISTER") && from_uri==myself)
>>            ##{
>>            ##      if (!proxy_authorize("", "subscriber")) {
>>            ##              proxy_challenge("", "0");
>>            ##              exit;
>>            ##      }
>>            ##      if (!check_from()) {
>>            ##              sl_send_reply("403","Forbidden auth ID");
>>            ##              exit;
>>            ##      }
>>            ##
>>            ##      consume_credentials();
>>            ##      # caller authenticated
>>            ##}
>>
>>            # record routing
>>            if (!is_method("REGISTER|MESSAGE"))
>>                    record_route();
>>
>>            # account only INVITEs
>>            if (is_method("INVITE")) {
>>                    setflag(1); # do accouting
>>            }
>>            if (!uri==myself)
>>            /* replace with following line if multi-domain support is
> used
>>     */
>>            ##if (!is_uri_host_local())
>>            {
>>                    append_hf("P-hint: outbound\r\n");
>>                    # if you have some interdomain connections via TLS
>>                    ##if($rd=="tls_domain1.net
> <http://tls_domain1.net>") {
>>                    ##      t_relay("tls:domain1.net
> <http://domain1.net>");
>>                    ##      exit;
>>                    ##} else if($rd=="tls_domain2.net
>>     <http://tls_domain2.net>") {
>>                    ##      t_relay("tls:domain2.net
> <http://domain2.net>");
>>                    ##      exit;
>>                    ##}
>>                    route(1);
>>            }
>>
>>            # requests for my domain
>>
>>            /* uncomment this if you want to enable presence server
>>               and comment the next 'if' block
>>               NOTE: uncomment also the definition of route[2] from
> below
>>     */
>>            ##if( is_method("PUBLISH|SUBSCRIBE"))
>>            ##              route(2);
>>
>>            if (is_method("PUBLISH"))
>>            {
>>                    sl_send_reply("503", "Service Unavailable");
>>                    exit;
>>            }
>>
>>
>>            if (is_method("REGISTER"))
>>            {
>>                    # authenticate the REGISTER requests (uncomment to
>>     enable auth)
>>                    ##if (!www_authorize("", "subscriber"))
>>                    ##{
>>                    ##      www_challenge("", "0");
>>                    ##      exit;
>>                    ##}
>>                    ##
>>                    ##if (!check_to())
>>                    ##{
>>                    ##      sl_send_reply("403","Forbidden auth ID");
>>                    ##      exit;
>>                    ##}
>>
>>                    xlog("L_INFO", "REGISTER for ($fU) $ru\n");
>>                    if (!radius_www_authorize(""))
>>                    {
>>                            log(1, "Proxy Authentication Required
>>     (Digest)\n");
>>                            www_challenge("", "0");
>>                            exit;
>>                    };
>>
>>                    if (!save("location"))
>>                            sl_reply_error();
>>
>>                    exit;
>>            }
>>
>>            if ($rU==NULL) {
>>                    # request with no Username in RURI
>>                    sl_send_reply("484","Address Incomplete");
>>                    exit;
>>            }
>>
>>            # apply DB based aliases (uncomment to enable)
>>            ##alias_db_lookup("dbaliases");
>>
>>            if (!lookup("location")) {
>>                    switch ($retcode) {
>>                            case -1:
>>                            case -3:
>>                                    t_newtran();
>>                                    t_reply("404", "Not Found");
>>                                    exit;
>>                            case -2:
>>                                    sl_send_reply("405", "Method Not
>>     Allowed");
>>                                    exit;
>>                    }
>>            }
>>
>>            # when routing via usrloc, log the missed calls also
>>            setflag(2);
>>
>>            route(1);
>>     }
>>
>>
>>     route[1] {
>>            # for INVITEs enable some additional helper routes
>>            if (is_method("INVITE")) {
>>                    t_on_branch("2");
>>                    t_on_reply("2");
>>                    t_on_failure("1");
>>            }
>>
>>            if (!t_relay()) {
>>                    sl_reply_error();
>>            };
>>            exit;
>>     }
>>
>>     branch_route[2] {
>>            xlog("new branch at $ru\n");
>>     }
>>
>>
>>     onreply_route[2] {
>>            xlog("incoming reply\n");
>>     }
>>
>>
>>     failure_route[1] {
>>            if (t_was_cancelled()) {
>>                    exit;
>>            }
>>
>>            # uncomment the following lines if you want to block client
>>            # redirect based on 3xx replies.
>>            ##if (t_check_status("3[0-9][0-9]")) {
>>            ##t_reply("404","Not found");
>>            ##      exit;
>>            ##}
>>
>>            # uncomment the following lines if you want to redirect the
>>     failed
>>            # calls to a different new destination
>>            ##if (t_check_status("486|408")) {
>>            ##      sethostport("192.168.2.100:5060
>>     <http://192.168.2.100:5060>");
>>            ##      append_branch();
>>            ##      # do not set the missed call flag again
>>            ##      t_relay();
>>            ##}
>>
>>     }
>>
>>     Regards,
>>     Leon
>>
>>     -----Original Message-----
>>     From: Uwe Kastens [mailto:kiste at kiste.org
> <mailto:kiste at kiste.org>]
>>     Sent: Friday, 12 June 2009 4:51 PM
>>     To: Leon Li
>>     Cc: users at lists.opensips.org <mailto:users at lists.opensips.org>
>>     Subject: Re: [OpenSIPS-Users] No RADIUS traffic
>>
>>     Hi,
>>
>>     This is strange. Could you post your opensips.cfg or send it to me
>>     directly?
>>
>>     BR
>>
>>     Uwe
>>
>>
>>     _______________________________________________
>>     Users mailing list
>>     Users at lists.opensips.org <mailto:Users at lists.opensips.org>
>>     http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>>
>>
>>     -- 
>>     Thanking You,
>>     Ashwini BR Naidu
>>
>>
>>
>>
>> -- 
>> Thanking You,
>> Ashwini BR Naidu
>>
> 
> 


-- 

kiste lat: 54.322684, lon: 10.13586



More information about the Users mailing list