(RADIATOR) HTTP Digest

Deniz Aydin deniza at netone.net.tr
Fri Feb 10 09:40:04 CST 2006

But I don't have a User-Password attribute in the Digest request. When I tried this, radius searched for a User-Password attribute in the request and failed.

 DEBUG: Radius::AuthSQL looks for match with user1
 WARNING: No CHAP-Password or User-Password in request: does your dictionary have User-Password in it?
 DEBUG: Radius::AuthSQL REJECT: Bad Password

I saw the hookfile examples. I guess this is the one you pointed to, but it is not defining the User-Password.


sub 
{
   my $p = ${$_[0]};

   if (defined($p->get_attr('Digest-Response'))) 
   {
      my ($username, $realm, $nonce, $uri, $qop, $method, $nc, $cnonce, $algorithm, $body_digest);

      my $sipattrs = join('', $p->get_attr('Digest-Attributes')); # May be multiple instances
      if (length $sipattrs) # join() always returns a defined string, so test for content instead
      {
         my @attrs;

         # Unpack inner attributes from Digest-Attributes as per draft-sterman-aaa-sip-00.txt
         while (length($sipattrs))
         {
             my ($subtype, $sublength) = unpack('C C', $sipattrs);
             last if $sublength < 3;
             my $vallen = $sublength - 2;
             $attrs[$subtype] = unpack("x x a$vallen", $sipattrs);
             substr($sipattrs, 0, $sublength, ''); # Strip that one off (4-arg substr avoids assigning undef)
         }
         $realm       = $attrs[1];
         $nonce       = $attrs[2];
         $method      = $attrs[3];
         $uri         = $attrs[4];
         $qop         = $attrs[5];
         $algorithm   = $attrs[6];
         $body_digest = $attrs[7];
         $cnonce      = $attrs[8];
         $nc          = $attrs[9];
         $username    = $attrs[10];

         $p->add_attr('Digest-Realm', $realm) if defined $realm;
         $p->add_attr('Digest-Nonce', $nonce) if defined $nonce;
         $p->add_attr('Digest-Method', $method) if defined $method;
         $p->add_attr('Digest-URI', $uri) if defined $uri;
         $p->add_attr('Digest-QOP', $qop) if defined $qop;
         $p->add_attr('Digest-Algorithm', $algorithm) if defined $algorithm;
         $p->add_attr('Digest-Body-Digest', $body_digest) if defined $body_digest;
         $p->add_attr('Digest-CNonce', $cnonce) if defined $cnonce;
         $p->add_attr('Digest-Nonce-Count', $nc) if defined $nc;
         $p->add_attr('Digest-User-Name', $username) if defined $username;
         
         &main::log($main::LOG_DEBUG,"Digest-Attributes parsed to:");
         &main::log($main::LOG_DEBUG,"Digest-Realm = $realm");
         &main::log($main::LOG_DEBUG,"Digest-Nonce = $nonce");
         &main::log($main::LOG_DEBUG,"Digest-Method = $method");      
         &main::log($main::LOG_DEBUG,"Digest-URI = $uri");
         &main::log($main::LOG_DEBUG,"Digest-QOP = $qop");
         &main::log($main::LOG_DEBUG,"Digest-Algorithm = $algorithm");
         &main::log($main::LOG_DEBUG,"Digest-Body-Digest = $body_digest");
         &main::log($main::LOG_DEBUG,"Digest-CNonce = $cnonce");
         &main::log($main::LOG_DEBUG,"Digest-Nonce-Count = $nc");
         &main::log($main::LOG_DEBUG,"Digest-User-Name = $username");
      }
   }
   return;
}



-----Original Message-----
From: Mike McCauley [mailto:mikem at open.com.au] 
Sent: Friday, February 10, 2006 1:14 PM
To: Deniz Aydin
Cc: Cem SEN; radiator at open.com.au
Subject: Re: (RADIATOR) HTTP Digest


Hello Deniz,


On Friday 10 February 2006 20:47, Deniz Aydin wrote:
> Thanks, everyone. I'll get it done with the new dictionary file. But
> now I have a new problem :)
>
> I am trying to authenticate a SIP user via Radiator from an SQL database with
> HTTP Digest.
>
> I have an AuthSQL statement like this (I know Digest-Response simply
> cannot be the check item, but I don't know what I should check or whether there
> is something else that needs to be done on the radius);
>
> <AuthBy SQL>
>
> AuthSelect select PASSWORD from subscriber where USER_ID like '%U'
>
> AuthColumnDef 0, Digest-Response, check ...

That should be:
AuthColumnDef 0, User-Password, check

The User-Password check item is used to authenticate the Digest-Attributes in
the incoming request.

Cheers.

>
> And my access request is like this,
>
> NAS-IP-Address = 193.192.99.87
> NAS-Port-Type = Virtual
> User-Name = "08110000003"
> Digest-Response = "c540ca4b72a58e7a6a1cc99ccffe52ad"
> Digest-Attributes = <1><7>CISCO
> Digest-Attributes = <2><10>43eca18f
> Digest-Attributes = <3><10>REGISTER
> Digest-Attributes = <4>'sip:193.192.99.87;transport=UDP;REG-1
> Digest-Attributes = <5><6>auth
> Digest-Attributes = <6><5>MD5
> Digest-Attributes = <8><9>42c079e
> Digest-Attributes = <9><10>00000001
> Digest-Attributes = <10><13>08110000003
>
> What should I do for correct authentication!
>
>
> 	-----Original Message-----
> 	From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On Behalf Of Cem SEN
> 	Sent: Tuesday, January 31, 2006 11:29 PM
> 	To: radiator at open.com.au
> 	Cc: Deniz Aydin
> 	Subject: Re: (RADIATOR) HTTP Digest
>
>
> 	Hi Deniz,
> 	If you add appropriate attributes to your dictionary file, you'll get
> what you need. Here are some attribs that'll help you.
>
> 	Regards,
> 	Cem SEN
> 	Network Operations Manager
> 	DorukNet
>
> 	# Experimental SIP Attributes/Values (draft-sterman-aaa-sip-00.txt etc)
> 	#
> 	ATTRIBUTE Sip-Method 101 integer
> 	ATTRIBUTE Sip-Response-Code 102 integer
> 	ATTRIBUTE Sip-CSeq 103 string
> 	ATTRIBUTE Sip-To-Tag 104 string
> 	ATTRIBUTE Sip-From-Tag 105 string
> 	ATTRIBUTE Sip-Branch-ID 106 string
> 	ATTRIBUTE Sip-Translated-Request-URI 107 string
> 	ATTRIBUTE Sip-Source-IP-Address 108 ipaddr
> 	ATTRIBUTE Sip-Source-Port 109 integer
> 	ATTRIBUTE Sip-User-ID 110 string
> 	ATTRIBUTE Sip-User-Realm 111 string
> 	ATTRIBUTE Sip-User-Nonce 112 string
> 	ATTRIBUTE Sip-User-Method 113 string
> 	ATTRIBUTE Sip-User-Digest-URI 114 string
> 	ATTRIBUTE Sip-User-Nonce-Count 115 string
> 	ATTRIBUTE Sip-User-QOP 116 string
> 	ATTRIBUTE Sip-User-Opaque 117 string
> 	ATTRIBUTE Sip-User-Response 118 string
> 	ATTRIBUTE Sip-User-CNonce 119 string
> 	ATTRIBUTE Sip-URI-User 208 string
> 	ATTRIBUTE Sip-Req-URI 210 string
> 	ATTRIBUTE Sip-CC 212 string
> 	ATTRIBUTE Sip-RPId 213 string
> 	ATTRIBUTE Digest-Response 206 string
> 	ATTRIBUTE Digest-Attributes 207 string
> 	ATTRIBUTE Digest-Realm 1063 string
> 	ATTRIBUTE Digest-Nonce 1064 string
> 	ATTRIBUTE Digest-Method 1065 string
> 	ATTRIBUTE Digest-URI 1066 string
> 	ATTRIBUTE Digest-QOP 1067 string
> 	ATTRIBUTE Digest-Algorithm 1068 string
> 	ATTRIBUTE Digest-Body-Digest 1069 string
> 	ATTRIBUTE Digest-CNonce 1070 string
> 	ATTRIBUTE Digest-Nonce-Count 1071 string
> 	ATTRIBUTE Digest-User-Name 1072 string
> 	VALUE Service-Type SIP 15
> 	VALUE Sip-Method Other 0
> 	VALUE Sip-Method Invite 1
> 	VALUE Sip-Method Cancel 2
> 	VALUE Sip-Method Ack 3
> 	VALUE Sip-Method Bye 4
> 	VALUE Sip-Response-Code Other 0
> 	VALUE Sip-Response-Code Invite 1
> 	VALUE Sip-Response-Code Cancel 2
> 	VALUE Sip-Response-Code Ack 3
> 	VALUE Sip-Response-Code Bye 4
>
> 	#
> 	# $Id: dictionary.ser,v 1.5 2004/12/04 22:37:48 janakj Exp $
> 	#
> 	# SIP RADIUS attributes
> 	#
> 	# Schulzrinne indicates attributes according to
> 	# draft-schulzrinne-sipping-radius-accounting-00
> 	#
> 	# Sterman indicates attributes according to
> 	# draft-sterman-aaa-sip-00
> 	#
> 	# Proprietary indicates an attribute that hasn't
> 	# been standardized
> 	#
> 	# Check out http://www.iana.org/assignments/radius-types
> 	# for up-to-date list of standard RADIUS attributes
> 	# and values
> 	#
> 	#
> 	# NOTE: All standard (IANA registered) attributes are
> 	# commented out except those that are missing in
> 	# the default dictionary of the radiusclient-ng
> 	# library.
> 	#
>
> 	#### Attributes ###
> 	#ATTRIBUTE User-Name 1 string # RFC2865, acc, auth_radius, avp_radius, group_radius, uri_radius
> 	#ATTRIBUTE Service-Type 6 integer # RFC2865, acc, auth_radius, avp_radius, group_radius, uri_radius
> 	#ATTRIBUTE Called-Station-Id 30 string # RFC2865, acc
> 	#ATTRIBUTE Calling-Station-Id 31 string # RFC2865, acc
> 	#ATTRIBUTE Acct-Status-Type 40 integer # RFC2865, acc
> 	#ATTRIBUTE Acct-Session-Id 44 string # RFC2865, acc
> 	ATTRIBUTE Sip-Method 101 integer # Schulzrinne, acc
> 	ATTRIBUTE Sip-Response-Code 102 integer # Schulzrinne, acc
> 	ATTRIBUTE Sip-Cseq 103 string # Schulzrinne, acc
> 	ATTRIBUTE Sip-To-Tag 104 string # Schulzrinne, acc
> 	ATTRIBUTE Sip-From-Tag 105 string # Schulzrinne, acc
> 	ATTRIBUTE Sip-Translated-Request-URI 107 string # Proprietary, acc
> 	ATTRIBUTE Digest-Response 206 string # Sterman, auth_radius
> 	ATTRIBUTE Sip-Uri-User 208 string # Proprietary, auth_radius
> 	ATTRIBUTE Sip-Group 211 string # Proprietary, group_radius
> 	ATTRIBUTE Sip-Rpid 213 string # Proprietary, auth_radius
> 	ATTRIBUTE SIP-AVP 225 string # Proprietary, avp_radius
> 	ATTRIBUTE Digest-Realm 1063 string # Sterman, auth_radius
> 	ATTRIBUTE Digest-Nonce 1064 string # Sterman, auth_radius
> 	ATTRIBUTE Digest-Method 1065 string # Sterman, auth_radius
> 	ATTRIBUTE Digest-URI 1066 string # Sterman, auth_radius
> 	ATTRIBUTE Digest-QOP 1067 string # Sterman, auth_radius
> 	ATTRIBUTE Digest-Algorithm 1068 string # Sterman, auth_radius
> 	ATTRIBUTE Digest-Body-Digest 1069 string # Sterman, auth_radius
> 	ATTRIBUTE Digest-CNonce 1070 string # Sterman, auth_radius
> 	ATTRIBUTE Digest-Nonce-Count 1071 string # Sterman, auth_radius
> 	ATTRIBUTE Digest-User-Name 1072 string # Sterman, auth_radius
>
> 	### CISCO Vendor Specific Attributes ###
> 	#VENDOR Cisco 9
> 	#ATTRIBUTE Cisco-AVPair 1 string Cisco # VSA, auth_radius
>
> 	### Acct-Status-Type Values ###
> 	#VALUE Acct-Status-Type Start 1 # RFC2866, acc
> 	#VALUE Acct-Status-Type Stop 2 # RFC2866, acc
> 	VALUE Acct-Status-Type Failed 15 # RFC2866, acc
>
> 	### Service-Type Values ###
> 	VALUE Service-Type Call-Check 10 # RFC2865, uri_radius
> 	VALUE Service-Type Group-Check 12 # Proprietary, group_radius
> 	VALUE Service-Type Sip-Session 15 # Schulzrinne, acc, auth_radius
> 	VALUE Service-Type SIP-Caller-AVPs 30 # Proprietary, avp_radius
> 	VALUE Service-Type SIP-Callee-AVPs 31 # Proprietary, avp_radius
>
>
>
> 		----- Original Message -----
> 		From: Deniz Aydin <mailto:deniza at netone.net.tr>
> 		To: radiator at open.com.au
> 		Sent: Tuesday, January 31, 2006 6:23 PM
> 		Subject: (RADIATOR) HTTP Digest
>
>
>
> 		Hi,
>
> 		I have been trying to authenticate Cisco Sip Proxy requests with
> http-digest authentication. But in the logfile of radiator it looks
> like this;
>
> 		Attributes:
> 		        NAS-IP-Address = xxxxxxxx
> 		        NAS-Port-Type = Virtual
> 		        User-Name = "user1"
> 		        Ascend-Menu-Item = "7ec574c399276a1e353c16e8a7376d4a"
> 		        Ascend-PW-Warntime = 17253193
> 		        Ascend-PW-Warntime = 34223155
> 		        Ascend-PW-Warntime = 50874702
> 		        Ascend-PW-Warntime = 70546281
> 		        Ascend-PW-Warntime = 84304245
> 		        Ascend-PW-Warntime = 101010756
> 		        Ascend-PW-Warntime = 134689587
> 		        Ascend-PW-Warntime = 151662640
> 		        Ascend-PW-Warntime = 168260979
>
>
> 		But the raw radius request is like this,
>
> 		NAS-IP-Address = xxxxx
> 		NAS-Port-Type = Virtual
> 		User-Name = "user1"
> 		Digest-Response = "941e7ee75864b7f9d2fcc69b1c2beef9"
> 		Digest-Attributes = 0x0107434953434f
> 		Digest-Attributes = 0x020a3366663230636238
> 		Digest-Attributes = 0x030a5245474953544552
> 		Digest-Attributes = 0x040f7369703a7676732d7669747261
> 		Digest-Attributes = 0x050661757468
> 		Digest-Attributes = 0x06056d6435
> 		Digest-Attributes = 0x080a3061653134323362
> 		Digest-Attributes = 0x090a3030303030303031
> 		Digest-Attributes = 0x0a0637393035
>
>
> 		Is this something about the dictionary file or http digest support? Or
> about the configuration? My handler is like that.
> 		<Handler NAS-IP-Address = xxx>
> 		     Identifier sip
> 		     AuthBy sip_acconting
>
> 		</Handler>

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
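
Added example, not part of the original thread and not Radiator's code: a stand-alone Python decoder for the Digest-Attributes sub-attribute encoding that the hook above unpacks, run on the hex values from the raw request quoted in this thread, together with the RFC 2617 MD5 check that takes the stored cleartext password as input, which is why the check item has to be User-Password rather than Digest-Response. The function names are made up for this example, and it assumes algorithm MD5 with qop absent or `auth`.

```python
import hashlib
import hmac

# Sub-attribute numbers inside Digest-Attributes, as unpacked by the hook in this thread.
SUBTYPES = {1: "realm", 2: "nonce", 3: "method", 4: "uri", 5: "qop", 6: "algorithm",
            7: "body_digest", 8: "cnonce", 9: "nc", 10: "username"}

# Digest-Attributes values from the raw request quoted in this thread (0x prefix dropped).
RAW_REQUEST = ["0107434953434f", "020a3366663230636238", "030a5245474953544552",
               "040f7369703a7676732d7669747261", "050661757468", "06056d6435",
               "080a3061653134323362", "090a3030303030303031", "0a0637393035"]

def parse_digest_attributes(hex_values):
    """Decode type/length/value sub-attributes; length includes the 2 header bytes."""
    data = b"".join(bytes.fromhex(v) for v in hex_values)
    fields, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated sub-attribute header")
        subtype, sublen = data[pos], data[pos + 1]
        # Reject instead of silently stopping: a bad length means the request is malformed.
        if sublen < 3 or pos + sublen > len(data):
            raise ValueError(f"bad sub-attribute length {sublen} at offset {pos}")
        name = SUBTYPES.get(subtype, f"unknown_{subtype}")
        fields[name] = data[pos + 2:pos + sublen].decode("latin-1")
        pos += sublen
    return fields

def _md5_hex(text):
    return hashlib.md5(text.encode("latin-1")).hexdigest()

def expected_response(fields, password):
    """RFC 2617 response for algorithm MD5 with qop absent or 'auth'."""
    if fields.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only algorithm MD5 is handled in this example")
    qop = fields.get("qop")
    if qop not in (None, "auth"):
        raise ValueError("only qop=auth or no qop is handled in this example")
    ha1 = _md5_hex(f"{fields['username']}:{fields['realm']}:{password}")
    ha2 = _md5_hex(f"{fields['method']}:{fields['uri']}")
    if qop == "auth":
        return _md5_hex(f"{ha1}:{fields['nonce']}:{fields['nc']}:{fields['cnonce']}:auth:{ha2}")
    return _md5_hex(f"{ha1}:{fields['nonce']}:{ha2}")

def check_digest(fields, digest_response, password):
    """True if Digest-Response matches what the stored cleartext password produces."""
    expected = expected_response(fields, password)
    return hmac.compare_digest(expected, digest_response.lower())
```

The subscriber's password does not appear in the thread, so the request's own Digest-Response cannot be checked here; in a deployment the `password` argument is the value the AuthSelect query returns.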
