[OpenSIPS-Users] Problem using radius_send_auth

John Quick john.quick at smartvox.co.uk
Tue Mar 25 10:19:11 CET 2014 

Hi Qasim,

Ah, so you are using radius_send_auth without any problems. This is
interesting.
What version of OpenSIPS are you using? ...and what version of
radiusclient-ng?
Do you have a packet capture (e.g. wireshark) or server log that shows what
attributes are actually sent to the Radius server?
If one of the attributes is Message-Authenticator, in which dictionary is it
defined and does your dictionary declare it to be of type “octets”?

Maybe my problem is in the sets. Can you post an example of the parameter
initialisation you are using for set1 please?
Mine currently looks like this:
modparam("aaa_radius", "sets", "set1 = (User-Name=$avp(98),
User-Password=$avp(99), Password=$avp(99))")
modparam("aaa_radius", "sets", "set2 = (Sip-Group=$avp(authretvals))")

I found that it wants to use the Message-Authenticator attribute when there
is an attribute called Password in set1.
The dictionaries I am using are a mix of the ones installed as part of
radiusclient-ng package, dictionary.opensips installed as part of OpenSIPS,
a dictionary.cisco that I downloaded from the web and selected dictionaries
from FreeRadius server (which is installed and I sometimes use when testing,
but it is not my main target server).

Thanks,
John

From: qasimakhan at gmail.com [mailto:qasimakhan at gmail.com] 
Sent: 24 March 2014 17:59
To: John Q
Cc: OpenSIPS users mailling list
Subject: Re: [OpenSIPS-Users] Problem using radius_send_auth

Hi John,
I am successfully using these functions (radius_send_auth)/dictionaries with
FreeRadius as radius server, I dont know about your particular radius setup.
As far as i know you dont need to load any other dictionary for your radius
related modules/functions to work. If your Opensip's dictionary is properly
loaded that should cater all your radius related functionality in opensips. 
Having said that you should make sure that the dictionary is loaded on both
Radius Server as well as on Client end that is the only requirement as far
as dictionaries are concerned.

Regards,
Qasim

On Mon, Mar 24, 2014 at 10:23 PM, John Quick <john.quick at smartvox.co.uk>
wrote:
Hi Quasim,

I appreciate your help. However, I am not using FreeRadius as the Radius
server and have already got all the basic dictionaries loaded (like
dictionary.opensips, dictionary.sip)
aaa_www_authorize and writing of Radius CDR's is working ok. That is not the
problem.

It is only when I try to use the radius_send_auth(set1, set2) function that
I had problems.
Please can you confirm if you have used this function?

I just tried a change to the dictionaries I use. No longer using
dictionary.rfc2869. Instead using dictionary.rfc2865.
In set1, the attribs that are sent to the server, I now specify 'User-Name'
and 'User-Password'. This seems to have fixed the problem whereby OpenSIPS
required the Message-Authenticator attribute. However, to get
dictionary.rfc2865 to work, I had to comment out all the attributes of type
"octets".

I still have the second problem: OpenSIPS and radiusclient-ng does not
recognise the attribute type "octets".

John Quick
Smartvox Limited


From: qasimakhan at gmail.com [mailto:qasimakhan at gmail.com]
Sent: 24 March 2014 16:27
To: john.quick at smartvox.co.uk
Cc: OpenSIPS users mailling list
Subject: Re: [OpenSIPS-Users] Problem using radius_send_auth

hmm... here are the settings that i am using that works perfectly for me:
These files are required on opensips radiusclient-ng side:
/etc/radiusclient-ng/dictionary
...
$INCLUDE        /etc/radiusclient-ng/dictionary.sip
...
ATTRIBUTE       User-Name               1       string
ATTRIBUTE       Password                2       string
ATTRIBUTE       CHAP-Password           3       string
...
/etc/radiusclient-ng/dictionary.sip (This is the opensips dictionary)
## $Id: dictionary.opensips 7139 2010-08-17 14:06:00Z razvancrainea $
...
ATTRIBUTE Sip-Uri-User         208  string     # Proprietary, auth_radius
ATTRIBUTE Sip-Group            211  string     # Proprietary, group_radius
ATTRIBUTE Sip-Rpid             213  string     # Proprietary, auth_radius
ATTRIBUTE SIP-AVP              225  string     # Proprietary, avp_radius
ATTRIBUTE Sip-Call-Duration    227  integer
ATTRIBUTE Sip-Call-Setuptime   228  integer
...

On freeradius end:
/usr/local/etc/raddb

$INCLUDE        /usr/local/share/freeradius/dictionary


/usr/local/share/freeradius/dictionary
...
$INCLUDE dictionary.sip
...

/usr/local/share/freeradius/dictionary.sip (This is the opensips dictionary)

## $Id: dictionary.opensips 7139 2010-08-17 14:06:00Z razvancrainea $
...
P.S. If you need these dictionary files just PM me and i will send them to
you i think these are not required on the forum it will just clutter things
if anything.

Regards,
Qasim

On Mon, Mar 24, 2014 at 6:05 PM, John Quick <john.quick at smartvox.co.uk>
wrote:
I am already using the opensips dictionary.
It does not contain the Message-Authenticator attribute.

When I do not use dictionary.rfc2869, I get this error every time the
radius_send_auth function is called:
rc_avpair_gen: received unknown attribute 80 of length 18: 0x..

When I include dictionary.rfc2869, I get this error on startup:
rc_read_dictionary: invalid type on line 13 of dictionary
/usr/local/etc/radiusclient-ng/dictionary.rfc2869

John


From: qasimakhan at gmail.com [mailto:qasimakhan at gmail.com]
Sent: 24 March 2014 11:57
To: john.quick at smartvox.co.uk; OpenSIPS users mailling list
Subject: Re: [OpenSIPS-Users] Problem using radius_send_auth

Try using opensips dictionary.
Regards,
Qasim


On Mon, Mar 24, 2014 at 4:37 PM, John Quick <john.quick at smartvox.co.uk>
wrote:
I'm using OpenSIPS version 1.8.2 with radiusclient-ng.
I need to be able to make custom radius authentication requests using
radius_send_auth (a function in the aaa_radius module).

The first time I tried, it failed and reported an error that
Message-Authenticator was an unknown attribute.
I found the missing attribute in dictionary.rfc2869, but when I include this
dictionary, OpenSIPS fails to start and reports an error that seems to point
to the "octets" attribute type being unrecognised.

Any help with this would be greatly appreciated.

John Quick
Smartvox Limited
Web: www.smartvox.co.uk




_______________________________________________
Users mailing list
Users at lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

More information about the Users mailing list