(RADIATOR) Help Digest authentication!
Mike McCauley
mikem at open.com.au
Mon Oct 24 07:06:12 CDT 2005
Hello Jhonny,
SIP Digest cannot work with AuthBy NTLM, because it needs the plaintext
password in order to authenticate SIP Digest, and AuthBy NTLM cannot get the
plaintext password from AD.
For the same reason, SIP Digest won't work with AuthBy UNIX, DIGIPASS, KRB5,
NISPLUS, LDAP2 (with ServerChecksPassword), PAM, LSA or NT.
But any AuthBy that has access to the user's correct plaintext password supports
SIP Digest, such as FILE, SQL, LDAP2, DBFILE, EMERALD* etc.
Hope that helps.
Cheers.
On Monday 24 October 2005 21:40, Jhonny Freire de Oliveira wrote:
> Hi, I'm trying to authenticate users through Digest on Radiator, this works
> for AuthBy File:
>
>
>
> Mon Oct 24 11:43:40 2005: DEBUG: Packet dump:
>
> *** Received from 194.117.1.222 port 32785 ....
>
> Code: Access-Request
>
> Identifier: 64
>
> Authentic: <209><6>\<156>F^}<200><201>k<199><12><195><220><225>i
>
> Attributes:
>
> User-Name = "teste-nic at ul.pt"
>
> Digest-Attributes = "<10><11>teste-nic"
>
> Digest-Attributes = "<1><7>ul.pt"
>
> Digest-Attributes = "<2>*435cb5b3f40a18f80ab2768637741782fbf9963a"
>
> Digest-Attributes = "<4><11>sip:ul.pt"
>
> Digest-Attributes = "<3><10>REGISTER"
>
> Digest-Attributes = "<5><6>auth"
>
> Digest-Attributes = "<9><10>00000002"
>
> Digest-Attributes = "<8>"244DBC3268FF47EA838341A808EAFF51"
>
> Digest-Response = "9629212ab25ced744ec86db8dacaf248"
>
> Service-Type = SIP
>
> Sip-URI-User = "teste-nic"
>
> NAS-IP-Address = 194.117.1.222
>
> NAS-Port = 5060
>
>
>
> Mon Oct 24 11:43:40 2005: DEBUG: Handling request with Handler
> 'Service-Type=SIP'
>
> Mon Oct 24 11:43:40 2005: DEBUG: Deleting session for teste-nic at ul.pt,
> 194.117.1.222, 5060
>
> Mon Oct 24 11:43:40 2005: DEBUG: Handling with Radius::AuthFILE:
>
> Mon Oct 24 11:43:40 2005: DEBUG: Radius::AuthFILE looks for match with
> teste-nic at ul.pt
>
> Mon Oct 24 11:43:40 2005: DEBUG: Radius::AuthFILE ACCEPT:
>
> Mon Oct 24 11:43:40 2005: DEBUG: AuthBy FILE result: ACCEPT,
>
> Mon Oct 24 11:43:40 2005: DEBUG: Access accepted for teste-nic at ul.pt
>
> Mon Oct 24 11:43:40 2005: DEBUG: Packet dump:
>
> *** Sending to 194.117.1.222 port 32785 ....
>
> Code: Access-Accept
>
> Identifier: 64
>
> Authentic: <209><6>\<156>F^}<200><201>k<199><12><195><220><225>i
>
> Attributes:
>
> Service-Type = Framed-User
>
> Framed-Protocol = PPP
>
> Framed-IP-Netmask = 255.255.255.255
>
> Framed-Routing = None
>
> Framed-MTU = 1500
>
> Framed-Compression = Van-Jacobson-TCP-IP
>
>
>
> When I try to authenticate with AuthBy NTLM, it doesn't work.
>
>
>
> With name re-writing:
>
>
>
> Mon Oct 24 12:18:13 2005: DEBUG: Packet dump:
>
> *** Received from 194.117.1.222 port 32787 ....
>
> Code: Access-Request
>
> Identifier: 96
>
> Authentic:
> F<153><165>h<21><221><136><219><12><19><244><161><152><11><143>{
>
> Attributes:
>
> User-Name = "teste-nic at ul.pt"
>
> Digest-Attributes = "<10><11>teste-nic"
>
> Digest-Attributes = "<1><7>ul.pt"
>
> Digest-Attributes = "<2>*435cba5a9ef5c74f92fcec16304e0ec3e1f74683"
>
> Digest-Attributes = "<4><11>sip:ul.pt"
>
> Digest-Attributes = "<3><10>REGISTER"
>
> Digest-Attributes = "<5><6>auth"
>
> Digest-Attributes = "<9><10>00000032"
>
> Digest-Attributes = "<8>"1A1F8D6067F949D291549F805DB7CC78"
>
> Digest-Response = "f09af4c5d9d371ae39de10f697c8e9a8"
>
> Service-Type = SIP
>
> Sip-URI-User = "teste-nic"
>
> NAS-IP-Address = 194.117.1.222
>
> NAS-Port = 5060
>
>
>
> Mon Oct 24 12:18:13 2005: DEBUG: Handling request with Handler 'Realm =
> /ul\.pt/i'
>
> Mon Oct 24 12:18:13 2005: DEBUG: Rewrote user name to ul.pt\teste-nic
>
> Mon Oct 24 12:18:13 2005: DEBUG: Deleting session for teste-nic at ul.pt,
> 194.117.1.222, 5060
>
> Mon Oct 24 12:18:13 2005: DEBUG: Handling with Radius::AuthNTLM:
>
> Mon Oct 24 12:18:13 2005: DEBUG: Radius::AuthNTLM looks for match with
> ul.pt\teste-nic
>
> Mon Oct 24 12:18:13 2005: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM
> Password check failed
>
> Mon Oct 24 12:18:13 2005: DEBUG: AuthBy NTLM result: REJECT, AuthBy NTLM
> Password check failed
>
> Mon Oct 24 12:18:13 2005: INFO: Access rejected for ul.pt\teste-nic: AuthBy
> NTLM Password check failed
>
> Mon Oct 24 12:18:13 2005: DEBUG: Packet dump:
>
> *** Sending to 194.117.1.222 port 32787 ....
>
> Code: Access-Reject
>
> Identifier: 96
>
> Authentic:
> F<153><165>h<21><221><136><219><12><19><244><161><152><11><143>{
>
> Attributes:
>
> Reply-Message = "Request Denied"
>
>
>
> Without name re-writing:
>
>
>
> Mon Oct 24 12:38:17 2005: DEBUG: Packet dump:
>
> *** Received from 194.117.1.222 port 32787 ....
>
> Code: Access-Request
>
> Identifier: 110
>
> Authentic: <156><20><138>f(X u<191><22>b<231><252><22><157><24>
>
> Attributes:
>
> User-Name = "teste-nic at ul.pt"
>
> Digest-Attributes = "<10><11>teste-nic"
>
> Digest-Attributes = "<1><7>ul.pt"
>
> Digest-Attributes = "<2>*435cbd2ff6470d5eced2803bf07d707e93236080"
>
> Digest-Attributes = "<4><11>sip:ul.pt"
>
> Digest-Attributes = "<3><10>REGISTER"
>
> Digest-Attributes = "<5><6>auth"
>
> Digest-Attributes = "<9><10>00000002"
>
> Digest-Attributes = "<8>"65C440E8290A4FFABA3D62E678053603"
>
> Digest-Response = "8e571d9675616025d77823c2797119f8"
>
> Service-Type = SIP
>
> Sip-URI-User = "teste-nic"
>
> NAS-IP-Address = 194.117.1.222
>
> NAS-Port = 5060
>
>
>
> Mon Oct 24 12:38:18 2005: DEBUG: Handling request with Handler 'Realm =
> /ul\.pt/i'
>
> Mon Oct 24 12:38:18 2005: DEBUG: Deleting session for teste-nic at ul.pt,
> 194.117.1.222, 5060
>
> Mon Oct 24 12:38:18 2005: DEBUG: Handling with Radius::AuthNTLM:
>
> Mon Oct 24 12:38:18 2005: DEBUG: Radius::AuthNTLM looks for match with
> teste-nic at ul.pt
>
> Mon Oct 24 12:38:18 2005: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM
> Password check failed
>
> Mon Oct 24 12:38:18 2005: DEBUG: AuthBy NTLM result: REJECT, AuthBy NTLM
> Password check failed
>
> Mon Oct 24 12:38:18 2005: INFO: Access rejected for teste-nic at ul.pt: AuthBy
> NTLM Password check failed
>
> Mon Oct 24 12:38:18 2005: DEBUG: Packet dump:
>
> *** Sending to 194.117.1.222 port 32787 ....
>
> Code: Access-Reject
>
> Identifier: 110
>
> Authentic: <156><20><138>f(X u<191><22>b<231><252><22><157><24>
>
> Attributes:
>
> Reply-Message = "Request Denied"
>
>
>
>
>
>
>
> My conf is this:
>
>
>
> #To authenticate users against AD
>
> <Handler Realm = /ul\.pt/i>
>
> # strip the realm from the name
>
> # RewriteUsername s/^([^@]+).*/$1/
>
> # rewrite into the form DOMAIN\user
>
> # RewriteUsername s/(.*)@(.*)/$2\\$1/
>
>
>
> <AuthBy NTLM>
>
> </AuthBy>
>
>
>
> AcctLogFileName %L/ser-%R-%m-%Y.detail
>
> </Handler>
>
>
>
> What can I do to make it work?
>
>
>
> Regards,
>
> --
>
> ____________________________________________________________________
>
> Jhonny Freire Oliveira Núcleo de Informática e Comunicações da UL
>
> joliveira at nic.ul.pt Reitoria da UL, Alameda da Universidade
>
> Tel: +351 210113447 Campo Grande - 1649-004 Lisboa, Portugal
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
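
Added example, not part of the original thread and not Radiator code: a Python sketch of the check a RADIUS server has to make on the Digest-Attributes shown in the dumps above, to show why the cleartext password is needed. The function names are hypothetical, the sub-attribute layout (type byte, length byte counting both header bytes, text) is read off the dumps, and the sample values are the published RFC 2617 section 3.5 example rather than data from this thread.

```python
import hashlib
import hmac

# Sub-attribute types carried inside Digest-Attributes, as seen in the dumps.
SUBTYPES = {1: "realm", 2: "nonce", 3: "method", 4: "uri", 5: "qop",
            8: "cnonce", 9: "nc", 10: "username"}

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_digest_attributes(values):
    """Decode each value: 1 byte type, 1 byte total length, then the text."""
    fields = {}
    for raw in values:
        if len(raw) < 2 or raw[1] != len(raw):
            raise ValueError("malformed Digest-Attributes sub-attribute")
        fields[SUBTYPES.get(raw[0], raw[0])] = raw[2:].decode()
    return fields

def expected_response(f, password):
    """RFC 2617 response for qop=auth; HA1 is built from the cleartext password."""
    ha1 = md5_hex(f"{f['username']}:{f['realm']}:{password}")
    ha2 = md5_hex(f"{f['method']}:{f['uri']}")
    return md5_hex(f"{ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:{f['qop']}:{ha2}")

def check(values, digest_response, password):
    """True if Digest-Response matches what this password would produce."""
    f = parse_digest_attributes(values)
    return hmac.compare_digest(expected_response(f, password),
                               digest_response.lower())

def tlv(subtype, text):
    """Build one sub-attribute (helper for the constructed sample only)."""
    data = text.encode()
    return bytes([subtype, len(data) + 2]) + data

# Constructed sample: RFC 2617 section 3.5 values packed as Digest-Attributes.
SAMPLE = [tlv(10, "Mufasa"), tlv(1, "testrealm@host.com"),
          tlv(2, "dcd98b7102dd2f0e8b11d0f600bfb0c093"),
          tlv(4, "/dir/index.html"), tlv(3, "GET"), tlv(5, "auth"),
          tlv(9, "00000001"), tlv(8, "0a4f113b")]
SAMPLE_RESPONSE = "6629fae49393a05397450978507c4ef1"

if __name__ == "__main__":
    # Back end that can hand over the cleartext password: the check succeeds.
    print(check(SAMPLE, SAMPLE_RESPONSE, "Circle Of Life"))
    # Back end that holds only a one-way hash (SHA-1 used here as a stand-in):
    # the hash cannot take the password's place in HA1, so the check fails.
    stored_hash = hashlib.sha1(b"Circle Of Life").hexdigest()
    print(check(SAMPLE, SAMPLE_RESPONSE, stored_hash))
```
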