[OpenSIPS-Users] No RADIUS traffic

Uwe Kastens kiste at kiste.org
Fri Jun 26 09:25:32 CEST 2009


Leon,

Could you post the output of the strace call? And could you please post
the output of  ldd auth_radius.so ?

BR

Uwe


Leon Li wrote:
> Uwe,
> 
> I tried the strace tool but no line is trying to use radius.seq. I
> manually created radius.seq like
> "-rw-rw-rw- 1 root root 0 Jun 25 00:45 radius.seq"
> because it is not created for some reason. Will this be a problem?
> 
> Regards,
> Leon 
> 
> -----Original Message-----
> From: Uwe Kastens [mailto:kiste at kiste.org] 
> Sent: Tuesday, 23 June 2009 5:31 PM
> To: Leon Li
> Cc: users at lists.opensips.org
> Subject: Re: [OpenSIPS-Users] No RADIUS traffic
> 
> Li,
> 
> I was wondering about the answer from radius:
> WARNING: Ignoring Status-Server request due to security configuration
> 
> If I try the same I will get an answer like:
> Received response ID 196, code 2, length = 20
> 
> Could you please check your shared secret.
> 
>> Also, I cannot find file /var/run/radius.seq. Is it created automatically?
> 
> It should be there if radius will work - but remember your permissions.
> 
> You can try one thing: set fork=no  in opensips.cfg, install strace and
> start opensips with "strace -f -e open opensips". Now start one attempt
> to register etc.pp. and watch the line with the seq.
> 
> [pid 20680] open("/var/run/opensips/radius.seq", O_RDWR|O_CREAT|O_APPEND, 0666) = 13
> 
> 
> BR
> 
> Uwe
> 
> 
> Leon Li wrote:
>> Uwe,
>>
>> I got the following from RADIUS when I issued the command you gave.
>>
>> rad_recv: Status-Server packet from host 127.0.0.1:39297, id=17, length=38
>> WARNING: Ignoring Status-Server request due to security configuration
>> --- Walking the entire request list ---
>> Nothing to do.  Sleeping until we see a request.
>> rad_recv: Status-Server packet from host 127.0.0.1:39297, id=17, length=38
>> WARNING: Ignoring Status-Server request due to security configuration
>> --- Walking the entire request list ---
>>
>> So I assume that the radius server is working? 
>>
>> Also, I cannot find file /var/run/radius.seq. Is it created
>> automatically?
>>
>> Regards,
>> Leon 
>>
>>
>> -----Original Message-----
>> From: Uwe Kastens [mailto:kiste at kiste.org] 
>> Sent: Wednesday, 17 June 2009 6:01 PM
>> To: Leon Li
>> Cc: users at lists.opensips.org
>> Subject: Re: [OpenSIPS-Users] No RADIUS traffic
>>
>> Leon,
>>
>> mysql.so in opensips is not needed for the radius authentication.
>>
>> Shared secrets for radius are correct? Anyway you should see some
>> traffic on the radius server.
>>
>> Could you please test
>>  echo "Message-Authenticator = 0x00" | radclient 127.0.0.1:1812 status <shared secret>
>>
>> You should see then traffic on radiusd -X
>>
>> If yes I would start checking permissions again
>>
>> BR
>>
>> uwe
>>
>>
>> Leon Li wrote:
>>> Hi Ashwini,
>>>
>>>  
>>>
>>> I have added param for auth_radius, but no luck. :(
>>>
>>>  
>>>
>>> Why do I need mysql.so if the radius server will host all users credential?
>>>  
>>>
>>> Regards,
>>>
>>> Leon
>>>
>>>  
>>>
>>> *From:* ASHWINI NAIDU [mailto:ashwini.naidu at gmail.com]
>>> *Sent:* Monday, 15 June 2009 2:52 PM
>>> *To:* Leon Li
>>> *Cc:* Uwe Kastens; users at lists.opensips.org
>>> *Subject:* Re: [OpenSIPS-Users] No RADIUS traffic
>>>
>>>  
>>>
>>>  
>>>
>>> On Mon, Jun 15, 2009 at 10:19 AM, ASHWINI NAIDU <ashwini.naidu at gmail.com> wrote:
>>>
>>> hi leon,
>>>
>>> But i do not see your openser communicating with radiusclient.
>>>
>>> modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
>>>
>>> mention the path of radiusclient.conf properly.
>>>
>>>
>>>
>>> Your mysql support is also commented.
>>>
>>> *loadmodule "mysql.so"*
>>>
>>>     On Mon, Jun 15, 2009 at 5:13 AM, Leon Li <Leon.Li at aarnet.edu.au> wrote:
>>>
>>>     Here it is.
>>>
>>>     ####### Global Parameters #########
>>>
>>>     debug=3
>>>     log_stderror=no
>>>     log_facility=LOG_LOCAL0
>>>
>>>     fork=yes
>>>     children=4
>>>
>>>     /* uncomment the following lines to enable debugging */
>>>     debug=6
>>>     fork=no
>>>     log_stderror=yes
>>>
>>>     /* uncomment the next line to disable TCP (default on) */
>>>     #disable_tcp=yes
>>>
>>>     /* uncomment the next line to enable the auto temporary blacklisting of
>>>       not available destinations (default disabled) */
>>>     #disable_dns_blacklist=no
>>>
>>>     /* uncomment the next line to enable IPv6 lookup after IPv4 dns
>>>       lookup failures (default disabled) */
>>>     #dns_try_ipv6=yes
>>>
>>>     /* uncomment the next line to disable the auto discovery of local aliases
>>>       based on reverse DNS on IPs (default on) */
>>>     #auto_aliases=no
>>>
>>>     /* uncomment the following lines to enable TLS support  (default off) */
>>>     #disable_tls = no
>>>     #listen = tls:your_IP:5061
>>>     #tls_verify_server = 1
>>>     #tls_verify_client = 1
>>>     #tls_require_client_certificate = 0
>>>     #tls_method = TLSv1
>>>     #tls_certificate = "/usr/local/etc/openser/tls/user/user-cert.pem"
>>>     #tls_private_key = "/usr/local/etc/openser/tls/user/user-privkey.pem"
>>>     #tls_ca_list = "/usr/local/etc/openser/tls/user/user-calist.pem"
>>>
>>>     listen=202.158.197.134
>>>     port=5060
>>>
>>>     /* uncomment and configure the following line if you want openser to
>>>       bind on a specific interface/port/proto (default bind on all available) */
>>>     #listen=udp:192.168.1.2:5060
>>>
>>>     ####### Modules Section ########
>>>
>>>     #set module path
>>>     mpath="/usr/local/lib/openser/modules/"
>>>
>>>     /* uncomment next line for MySQL DB support */
>>>     #loadmodule "mysql.so"
>>>     loadmodule "sl.so"
>>>     loadmodule "tm.so"
>>>     loadmodule "rr.so"
>>>     loadmodule "maxfwd.so"
>>>     loadmodule "usrloc.so"
>>>     loadmodule "registrar.so"
>>>     loadmodule "textops.so"
>>>     loadmodule "mi_fifo.so"
>>>     loadmodule "uri_db.so"
>>>     loadmodule "uri.so"
>>>     loadmodule "xlog.so"
>>>     loadmodule "acc.so"
>>>     /* uncomment next lines for MySQL based authentication support
>>>       NOTE: a DB (like mysql) module must be also loaded */
>>>     loadmodule "auth.so"
>>>     loadmodule "auth_radius.so"
>>>     #loadmodule "auth_db.so"
>>>     /* uncomment next line for aliases support
>>>       NOTE: a DB (like mysql) module must be also loaded */
>>>     #loadmodule "alias_db.so"
>>>     /* uncomment next line for multi-domain support
>>>       NOTE: a DB (like mysql) module must be also loaded
>>>       NOTE: be sure and enable multi-domain support in all used modules
>>>             (see "multi-module params" section ) */
>>>     #loadmodule "domain.so"
>>>     /* uncomment the next two lines for presence server support
>>>       NOTE: a DB (like mysql) module must be also loaded */
>>>     #loadmodule "presence.so"
>>>     #loadmodule "presence_xml.so"
>>>
>>>
>>>     # ----------------- setting module-specific parameters ---------------
>>>     # ----- mi_fifo params -----
>>>     modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo")
>>>
>>>
>>>     # ----- rr params -----
>>>     # add value to ;lr param to cope with most of the UAs
>>>     modparam("rr", "enable_full_lr", 1)
>>>     # do not append from tag to the RR (no need for this script)
>>>     modparam("rr", "append_fromtag", 0)
>>>
>>>
>>>     # ----- rr params -----
>>>     modparam("registrar", "method_filtering", 1)
>>>     /* uncomment the next line to disable parallel forking via location */
>>>     #modparam("registrar", "append_branches", 0)
>>>     /* uncomment the next line not to allow more than 10 contacts per AOR */
>>>     #modparam("registrar", "max_contacts", 10)
>>>
>>>
>>>     # ----- uri_db params -----
>>>     /* by default we disable the DB support in the module as we do not need it
>>>       in this configuration */
>>>     modparam("uri_db", "use_uri_table", 0)
>>>     modparam("uri_db", "db_url", "")
>>>
>>>
>>>     # ----- acc params -----
>>>     /* what special events should be accounted ? */
>>>     modparam("acc", "early_media", 1)
>>>     modparam("acc", "report_ack", 1)
>>>     modparam("acc", "report_cancels", 1)
>>>     /* by default we do not adjust the direct of the sequential requests.
>>>       if you enable this parameter, be sure to enable "append_fromtag"
>>>       in "rr" module */
>>>     modparam("acc", "detect_direction", 0)
>>>     /* account triggers (flags) */
>>>     modparam("acc", "failed_transaction_flag", 3)
>>>     modparam("acc", "log_flag", 1)
>>>     modparam("acc", "log_missed_flag", 2)
>>>     /* uncomment the following lines to enable DB accounting also */
>>>     modparam("acc", "db_flag", 1)
>>>     modparam("acc", "db_missed_flag", 2)
>>>
>>>     # ----- multi-module params -----
>>>     /* uncomment the following line if you want to enable multi-domain support
>>>       in the modules (default off) */
>>>     #modparam("alias_db|auth_db|usrloc|uri_db", "use_domain", 1)
>>>
>>>     ####### Routing Logic ########
>>>
>>>
>>>     # main request routing logic
>>>
>>>     route{
>>>
>>>            if (!mf_process_maxfwd_header("10")) {
>>>                    sl_send_reply("483","Too Many Hops");
>>>                    exit;
>>>            }
>>>
>>>            if (has_totag()) {
>>>                    # sequential request within a dialog should
>>>                    # take the path determined by record-routing
>>>                    if (loose_route()) {
>>>                            if (is_method("BYE")) {
>>>                                    setflag(1); # do accounting ...
>>>                                    setflag(3); # ... even if the transaction fails
>>>                            }
>>>                            route(1);
>>>                    } else {
>>>                            /* uncomment the following lines if you want to enable presence */
>>>                            ##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
>>>                            ##      # in-dialog subscribe requests
>>>                            ##      route(2);
>>>                            ##      exit;
>>>                            ##}
>>>                            if ( is_method("ACK") ) {
>>>                                    if ( t_check_trans() ) {
>>>                                            # non loose-route, but stateful ACK; must be an ACK after a 487 or e.g. 404 from upstream server
>>>                                            t_relay();
>>>                                            exit;
>>>                                    } else {
>>>                                            # ACK without matching transaction ... ignore and discard.\n");
>>>                                            exit;
>>>                                    }
>>>                            }
>>>                            sl_send_reply("404","Not here");
>>>                    }
>>>                    exit;
>>>            }
>>>
>>>            #initial requests
>>>
>>>            # CANCEL processing
>>>            if (is_method("CANCEL"))
>>>            {
>>>                    if (t_check_trans())
>>>                            t_relay();
>>>                    exit;
>>>            }
>>>
>>>            t_check_trans();
>>>
>>>            # authenticate if from local subscriber (uncomment to enable auth)
>>>            ##if (!(method=="REGISTER") && from_uri==myself)
>>>            ##{
>>>            ##      if (!proxy_authorize("", "subscriber")) {
>>>            ##              proxy_challenge("", "0");
>>>            ##              exit;
>>>            ##      }
>>>            ##      if (!check_from()) {
>>>            ##              sl_send_reply("403","Forbidden auth ID");
>>>            ##              exit;
>>>            ##      }
>>>            ##
>>>            ##      consume_credentials();
>>>            ##      # caller authenticated
>>>            ##}
>>>
>>>            # record routing
>>>            if (!is_method("REGISTER|MESSAGE"))
>>>                    record_route();
>>>
>>>            # account only INVITEs
>>>            if (is_method("INVITE")) {
>>>                    setflag(1); # do accounting
>>>            }
>>>            if (!uri==myself)
>>>            /* replace with following line if multi-domain support is used */
>>>            ##if (!is_uri_host_local())
>>>            {
>>>                    append_hf("P-hint: outbound\r\n");
>>>                    # if you have some interdomain connections via TLS
>>>                    ##if($rd=="tls_domain1.net") {
>>>                    ##      t_relay("tls:domain1.net");
>>>                    ##      exit;
>>>                    ##} else if($rd=="tls_domain2.net") {
>>>                    ##      t_relay("tls:domain2.net");
>>>                    ##      exit;
>>>                    ##}
>>>                    route(1);
>>>            }
>>>
>>>            # requests for my domain
>>>
>>>            /* uncomment this if you want to enable presence server
>>>               and comment the next 'if' block
>>>               NOTE: uncomment also the definition of route[2] from below */
>>>            ##if( is_method("PUBLISH|SUBSCRIBE"))
>>>            ##              route(2);
>>>
>>>            if (is_method("PUBLISH"))
>>>            {
>>>                    sl_send_reply("503", "Service Unavailable");
>>>                    exit;
>>>            }
>>>
>>>
>>>            if (is_method("REGISTER"))
>>>            {
>>>                    # authenticate the REGISTER requests (uncomment to enable auth)
>>>                    ##if (!www_authorize("", "subscriber"))
>>>                    ##{
>>>                    ##      www_challenge("", "0");
>>>                    ##      exit;
>>>                    ##}
>>>                    ##
>>>                    ##if (!check_to())
>>>                    ##{
>>>                    ##      sl_send_reply("403","Forbidden auth ID");
>>>                    ##      exit;
>>>                    ##}
>>>
>>>                    xlog("L_INFO", "REGISTER for ($fU) $ru\n");
>>>                    if (!radius_www_authorize(""))
>>>                    {
>>>                            log(1, "Proxy Authentication Required (Digest)\n");
>>>                            www_challenge("", "0");
>>>                            exit;
>>>                    };
>>>
>>>                    if (!save("location"))
>>>                            sl_reply_error();
>>>
>>>                    exit;
>>>            }
>>>
>>>            if ($rU==NULL) {
>>>                    # request with no Username in RURI
>>>                    sl_send_reply("484","Address Incomplete");
>>>                    exit;
>>>            }
>>>
>>>            # apply DB based aliases (uncomment to enable)
>>>            ##alias_db_lookup("dbaliases");
>>>
>>>            if (!lookup("location")) {
>>>                    switch ($retcode) {
>>>                            case -1:
>>>                            case -3:
>>>                                    t_newtran();
>>>                                    t_reply("404", "Not Found");
>>>                                    exit;
>>>                            case -2:
>>>                                    sl_send_reply("405", "Method Not Allowed");
>>>                                    exit;
>>>                    }
>>>            }
>>>
>>>            # when routing via usrloc, log the missed calls also
>>>            setflag(2);
>>>
>>>            route(1);
>>>     }
>>>
>>>
>>>     route[1] {
>>>            # for INVITEs enable some additional helper routes
>>>            if (is_method("INVITE")) {
>>>                    t_on_branch("2");
>>>                    t_on_reply("2");
>>>                    t_on_failure("1");
>>>            }
>>>
>>>            if (!t_relay()) {
>>>                    sl_reply_error();
>>>            };
>>>            exit;
>>>     }
>>>
>>>     branch_route[2] {
>>>            xlog("new branch at $ru\n");
>>>     }
>>>
>>>
>>>     onreply_route[2] {
>>>            xlog("incoming reply\n");
>>>     }
>>>
>>>
>>>     failure_route[1] {
>>>            if (t_was_cancelled()) {
>>>                    exit;
>>>            }
>>>
>>>            # uncomment the following lines if you want to block client
>>>            # redirect based on 3xx replies.
>>>            ##if (t_check_status("3[0-9][0-9]")) {
>>>            ##t_reply("404","Not found");
>>>            ##      exit;
>>>            ##}
>>>
>>>            # uncomment the following lines if you want to redirect the failed
>>>            # calls to a different new destination
>>>            ##if (t_check_status("486|408")) {
>>>            ##      sethostport("192.168.2.100:5060");
>>>            ##      append_branch();
>>>            ##      # do not set the missed call flag again
>>>            ##      t_relay();
>>>            ##}
>>>
>>>     }
>>>
>>>     Regards,
>>>     Leon
>>>
>>>     -----Original Message-----
>>>     From: Uwe Kastens [mailto:kiste at kiste.org]
>>>     Sent: Friday, 12 June 2009 4:51 PM
>>>     To: Leon Li
>>>     Cc: users at lists.opensips.org
>>>     Subject: Re: [OpenSIPS-Users] No RADIUS traffic
>>>
>>>     Hi,
>>>
>>>     This is strange. Could you post your opensips.cfg or send it to me
>>>     directly?
>>>
>>>     BR
>>>
>>>     Uwe
>>>
>>>
>>>     _______________________________________________
>>>     Users mailing list
>>>     Users at lists.opensips.org
>>>     http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>
>>>
>>>
>>>     -- 
>>>     Thanking You,
>>>     Ashwini BR Naidu
>>>
>>>
>>>
>>>
>>> -- 
>>> Thanking You,
>>> Ashwini BR Naidu
>>>
>>
> 
> 


-- 

kiste lat: 54.322684, lon: 10.13586
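
The shared-secret check discussed in this thread, as an added example that is not part of the original messages: it builds the 38-byte Status-Server probe that `radclient ... status` sends (20-byte header plus an 18-byte Message-Authenticator) and the 20-byte reply, and shows that both verifications fail when client and server hold different secrets. The secret, packet ID and fixed request authenticator are constructed sample values; a real client uses 16 random bytes for the request authenticator.

```python
import hashlib
import hmac
import struct

STATUS_SERVER, ACCESS_ACCEPT = 12, 2      # RADIUS packet codes
MESSAGE_AUTHENTICATOR = 80                # attribute type (RFC 3579)


def build_status_server(ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Build the 38-byte Status-Server probe: header plus Message-Authenticator."""
    header = struct.pack("!BBH", STATUS_SERVER, ident, 38) + request_auth
    attr_head = struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18)
    # The HMAC-MD5 is computed with the attribute value set to 16 zero bytes.
    mac = hmac.new(secret, header + attr_head + bytes(16), hashlib.md5).digest()
    return header + attr_head + mac


def request_mac_ok(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the Message-Authenticator with the local secret."""
    if len(packet) != 38 or packet[20] != MESSAGE_AUTHENTICATOR or packet[21] != 18:
        return False
    zeroed = packet[:22] + bytes(16)
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[22:38])


def build_reply(code: int, request: bytes, secret: bytes) -> bytes:
    """Server side: 20-byte reply whose authenticator binds request and secret."""
    head = struct.pack("!BBH", code, request[1], 20)
    return head + hashlib.md5(head + request[4:20] + secret).digest()


def reply_ok(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: MD5(code, id, length, request authenticator, attrs, secret)."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


# Constructed sample values, not taken from a real deployment.
CLIENT_SECRET = b"example-secret"
REQUEST = build_status_server(17, bytes(range(16)), CLIENT_SECRET)

if __name__ == "__main__":
    for server_secret in (b"example-secret", b"other-secret"):
        reply = build_reply(ACCESS_ACCEPT, REQUEST, server_secret)
        print(server_secret.decode(),
              "request MAC ok:", request_mac_ok(REQUEST, server_secret),
              "reply ok:", reply_ok(reply, REQUEST, CLIENT_SECRET))
```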