(RADIATOR) Radius and SER groups
Hugh Irvine
hugh at open.com.au
Thu Jul 15 20:47:55 CDT 2004
Hello Martin -
Does the first AuthBy FILE really have "filename" in it?
It should look like this:
<Handler Service-Type=Group-Check>
    <AuthBy FILE>
        Filename ./groups
    </AuthBy>
</Handler>
Otherwise you will look for "users" by default.
regards
Hugh
On 15 Jul 2004, at 23:18, Martin Koenig wrote:
> Hi all,
>
> I'm trying to set up SER to make use of radius groups.
>
> radius.cfg (a test-bed):
> --
> <Client DEFAULT>
> Secret radius
> DupInterval 0
> </Client>
>
>
> <Handler Service-Type=Group-Check>
> <AuthBy FILE>
> filename ./groups
> </AuthBy>
> </Handler>
>
> <Handler Service-Type=Sip-Session>
> <AuthBy FILE>
> Filename ./users
> </AuthBy>
> </Handler>
> --
>
> groups:
> --
> 445 at domain Sip-Group = "a", Auth-Type=Accept
> Reply-Message = "Authorized"
>
> 410 at domain Sip-Group = "b", Auth-Type = Accept
> Reply-Message = "Authorized"
> --
>
> I get the following error msg:
>
> *** Received from 127.0.0.1 port 32907 ....
> Code: Access-Request
> Identifier: 249
> Authentic: <12>:vH<19>g<213><20>@<181><203><18><186><19><251><30>
> Attributes:
> User-Name = "445 at serafima.int.toplink-plannet.de"
> Sip-Group = "+49721"
> Service-Type = Group-Check
> NAS-IP-Address = 192.168.42.20
> NAS-Port = 0
>
> Thu Jul 15 15:16:24 2004: DEBUG: Handling request with Handler
> 'Service-Type=Group-Check'
> Thu Jul 15 15:16:24 2004: DEBUG: Deleting session for
> 445 at serafima.int.toplink-plannet.de, 192.168.42.20, 0
> Thu Jul 15 15:16:24 2004: DEBUG: Handling with Radius::AuthFILE:
> Thu Jul 15 15:16:24 2004: DEBUG: Radius::AuthFILE looks for match with
> 445 at serafima.int.toplink-plannet.de
> Thu Jul 15 15:16:24 2004: WARNING: No CHAP-Password or User-Password
> in request: does your dictionary have User-Password in it?
> Thu Jul 15 15:16:24 2004: DEBUG: Radius::AuthFILE REJECT: Bad Password
> Thu Jul 15 15:16:24 2004: INFO: Access rejected for
> 445 at serafima.int.toplink-plannet.de: Bad Password
> Thu Jul 15 15:16:24 2004: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 32907 ....
> Code: Access-Reject
> Identifier: 249
> Authentic: <12>:vH<19>g<213><20>@<181><203><18><186><19><251><30>
> Attributes:
> Reply-Message = "Request Denied"
> Sip-Group = "+49721"
>
>
> But the whole idea of this group authorization is that there is no
> password and radius just responds "Authorized" as soon as group and
> username at domain match? That's why there is Auth-Type="accept"? How can
> I make Radiator accept these requests?
>
> Thanks,
> Martin
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
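
The check suggested in the reply, as an added example that is not part of the original thread and is not Radiator code: a small audit that reports which file each `<AuthBy FILE>` clause will actually read. It assumes, as the reply implies, that only the exact spelling `Filename` is honoured and that the fallback is `users`; the function name and status labels are hypothetical.

```python
import re

EXPECTED = "Filename"   # spelling used in the corrected clause in the reply
DEFAULT_FILE = "users"  # fallback named in the reply (assumed to apply here)

# Constructed sample: the test-bed radius.cfg quoted in the thread.
SAMPLE_CFG = """\
<Client DEFAULT>
    Secret radius
    DupInterval 0
</Client>
<Handler Service-Type=Group-Check>
    <AuthBy FILE>
        filename ./groups
    </AuthBy>
</Handler>
<Handler Service-Type=Sip-Session>
    <AuthBy FILE>
        Filename ./users
    </AuthBy>
</Handler>
"""

def audit_authby_file(cfg_text):
    """Return (handler, status, effective_file, line_no) per <AuthBy FILE> clause."""
    findings, handler, clause = [], None, None
    for line_no, raw in enumerate(cfg_text.splitlines(), 1):
        line = raw.strip()
        m = re.match(r"<Handler\s*(.*?)>$", line)
        if m:
            handler = m.group(1) or "(default)"
        elif re.match(r"<AuthBy\s+FILE>$", line):
            # Until an exact-case Filename is seen, the default file is in effect.
            clause = {"status": "missing", "file": DEFAULT_FILE, "line": line_no}
        elif line == "</AuthBy>" and clause is not None:
            findings.append((handler, clause["status"], clause["file"], clause["line"]))
            clause = None
        elif clause is not None and line and not line.startswith("#"):
            key, *rest = line.split(None, 1)
            if key == EXPECTED:
                clause.update(status="ok", file=rest[0] if rest else "", line=line_no)
            elif key.lower() == EXPECTED.lower() and clause["status"] != "ok":
                # Near-miss spelling: assumed ignored, so the default stays in effect.
                clause.update(status="miscased", line=line_no)
    return findings

if __name__ == "__main__":
    for handler, status, path, line_no in audit_authby_file(SAMPLE_CFG):
        print(f"line {line_no}: Handler {handler}: {status}, reads {path}")
```

Run against the quoted test-bed, it flags the Group-Check handler as reading `users` rather than `./groups`, which matches the trace where the request is matched against a password-bearing entry and rejected.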