[Users] Radius Authentication

Daniel-Constantin Mierla daniel at voice-system.ro
Sat Mar 4 12:24:29 CET 2006


Hello,

On 03/03/06 02:57, Edson wrote:
> The working SER installation uses radiusclient-ng 0.5.0-1. It was compiled
> after a CVS download made at the beginning of Jun/2005. Unfortunately I miss
> the source code and am using an i686-RPM derived from that code.
>
> I already tried to use this RPM (version 0.5.0-1) on the Xeon machine. The
> results are the same. Just the same message in /var/log/messages:
>
> "Mar  2 21:45:54 sip openser: rc_check_reply: received invalid reply digest
> from RADIUS server"
>   
Can you run the RADIUS server in debug mode to see what messages you
get there? Also, check /var/log/syslog or /var/log/messages to see
other error messages printed by the radiusclient-ng library when you use
debug mode with openser.

Cheers,
Daniel

> When I start "openser -TDdd" I see:
> ...
>  0(16385) get_hdr_field: cseq <CSeq>: <4> <REGISTER>
>  0(16385) DEBUG:maxfwd:is_maxfwd_present: value = 70
>  0(16385) parse_headers: flags=200
>  0(16385) DEBUG: get_hdr_body : content_length=0
>  0(16385) found end of header
>  0(16385) find_first_route: No Route headers found
>  0(16385) loose_route: There is no Route HF
>  0(16385) grep_sock_info - checking if host==us: 13==13 &&  [ZZZ.ZZ.ZZZ.39]
> == [ZZZ.ZZ.ZZZ.39]
>  0(16385) grep_sock_info - checking if port 5060 matches port 5060
>  0(16385) parse_headers: flags=ffffffffffffffff
>  0(16385) check_via_address(XXX.XX.XXX.120, 172.27.248.6, 0)
>  0(16385) lookup(): '' Not found in usrloc
>  0(16385) check_nonce(): comparing
> [440792edd872b52b27f6dbee8ab2af7f61016704] and
> [440792edd872b52b27f6dbee8ab2af7f61016704]
>
>  0(16385) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
>
>  0(16385) build_auth_hf(): 'WWW-Authenticate: Digest realm="ZZZ.ZZ.ZZZ.39",
> nonce="440792eeec1cb5b22b20c18355c2a9a71eeb1af7"'
>  0(16385) parse_headers: flags=ffffffffffffffff
>  0(16385) check_via_address(XXX.XX.XXX.120, 172.27.248.6, 0)
>  0(16385) DEBUG:destroy_avp_list: destroying list (nil)
>  0(16385) receive_msg: cleaning up
> ...
> I double checked all the "dictionary" definitions, triple checked my OpenSER
> and Radiusclient-NG config and was not able to find the mistake.
>
> So I'm really out of ideas... Maybe the return value ("Authenticated") is
> illegal?
>
> Edson.
>
>   
>> -----Original Message-----
>> From: Daniel-Constantin Mierla [mailto:daniel at voice-system.ro]
>> Sent: Thursday, March 2, 2006 09:29
>> To: Edson
>> Cc: 'OpenSER (E-mail)'
>> Subject: Re: [Users] Radius Authentication
>>
>> Hello,
>>
>> the error:
>>
>> Mar  1 15:41:43 dell openser-TEST[20789]: rc_check_reply: received invalid
>> reply digest from RADIUS server
>>
>> comes from the radiusclient-ng library, in file "lib/sendserver.c" at
>> line 498. Did you use the same version of radiusclient-ng before?
>>
>> Cheers,
>> Daniel
>>
>> On 03/01/06 22:23, Edson wrote:
>>> Hi, Guys...
>>>
>>> As the MySQL problem is apparently solved I’m facing a Radius issue… I'm
>>> using FreeRadius 1.0.4, RadiusClient-NG 0.5.2 and OpenSER 1.0.1.
>>>
>>> If I duplicate the configs used with SER (and that it works fine) I’m
>>> unable to authenticate my UA (the same that authenticates with SER). The
>>> message with “debug=4” is:
>>>
>>> Mar  1 15:41:43 dell openser-TEST[20789]: check_nonce(): comparing [4405ec129258d5cf9c016ade69cf37e33b5af52b] and [4405ec129258d5cf9c016ade69cf37e33b5af52b]
>>>
>>> Mar  1 15:41:43 dell openser-TEST[20789]: rc_check_reply: received invalid reply digest from RADIUS server
>>>
>>> Mar  1 15:41:43 dell openser-TEST[20789]: ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
>>>
>>> So I supposed that there was some failed configuration, I looked at my
>>> “radiusd.conf” and found:
>>>
>>>   modules {
>>>   ...
>>>     digest {
>>>     }
>>>   ...
>>>   }
>>>   authorize {
>>>           preprocess
>>>           auth_log
>>>           suffix
>>>           digest
>>>           sql
>>>   }
>>>   authenticate {
>>>           digest
>>>   }
>>>
>>> As my FreeRadius back-end is a MySQL database, the 'sql' statement in
>>> authorize seems ok. And so does 'digest' in the 'authenticate' section.
>>>
>>> The question remains: Why does OpenSER complain about the Radius response?
>>> Maybe it's because of the sterman schema (?)....
>>>
>>> Anyway, I tried to test the server using the radtest tool. The output
>>> seems good to me:
>>>
>>> # radtest 8201 at DOMAIN.VALID 8201 127.0.0.1 12345 MyServerPassword
>>> Sending Access-Request of id 255 to 127.0.0.1:1812
>>>         User-Name = "8201 at DOMAIN.VALID"
>>>         User-Password = "8201"
>>>         NAS-IP-Address = sip
>>>         NAS-Port = 12345
>>> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=255, length=35
>>>         Reply-Message = "Authenticated"
>>>
>>> So I discard FreeRadius config. Is this related to the value of
>>> “Reply-Message”? I already read all Radius material that I found on the
>>> OpenSER web-page…
>>>
>>> What am I doing wrong? What am I missing? As this same config works with
>>> SER 0.9.2, why does it not with OpenSER 1.0.x?
>>>
>>> Edson.
>
>
>   
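
Added example, not part of the original thread and not radiusclient-ng's code: the reply check that RFC 2865 defines for a RADIUS client, which is the kind of check that reports "invalid reply digest". It recomputes MD5(Code + ID + Length + Request Authenticator + Attributes + Secret) and shows that a different shared secret or a mismatched request authenticator fails it; the function names, the request authenticator bytes and the reuse of the radtest secret string from the thread are assumptions for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2    # RFC 2865 packet code
REPLY_MESSAGE = 18   # RFC 2865 attribute type


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 sec. 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, request_auth, secret):
    """What the server side sends: header, 16-byte authenticator, attributes."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def check_reply(packet, request_auth, secret):
    """Client-side check. Returns None if the reply verifies, else a reason."""
    if len(packet) < 20:
        return "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return "bad length field"
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return "invalid reply digest"
    return None


def reply_message_attr(text):
    """Encode a Reply-Message attribute: type, length (incl. 2-byte header), value."""
    data = text.encode()
    return bytes([REPLY_MESSAGE, 2 + len(data)]) + data


# Constructed sample values (the request authenticator is arbitrary).
REQUEST_AUTH = bytes(range(16))
SERVER_SECRET = b"MyServerPassword"
REPLY = build_reply(ACCESS_ACCEPT, 255, reply_message_attr("Authenticated"),
                    REQUEST_AUTH, SERVER_SECRET)

if __name__ == "__main__":
    print(len(REPLY), check_reply(REPLY, REQUEST_AUTH, SERVER_SECRET))
    print(check_reply(REPLY, REQUEST_AUTH, b"SecretOnClientSide"))
```

The Reply-Message text itself does not decide whether the check passes: any attribute bytes verify as long as both sides hash them with the same secret and the same request authenticator.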



