(RADIATOR) HTTP Digest
Deniz Aydin
deniza at netone.net.tr
Fri Feb 10 09:40:04 CST 2006
But I don't have a User-Password attribute in the Digest request. When I tried this, RADIUS searches for a User-Password attribute in the request and failed.
DEBUG: Radius::AuthSQL looks for match with user1
WARNING: No CHAP-Password or User-Password in request: does your dictionary have User-Password in it?
DEBUG: Radius::AuthSQL REJECT: Bad Password
I saw the hookfile examples; I guess this is the one you point to, but it is not defining the User-Password.
# Hook: expand the packed Digest-Attributes sub-attributes into separate
# Digest-* attributes on the request.
sub
{
    my $p = ${$_[0]};
    if (defined($p->get_attr('Digest-Response')))
    {
        my ($username, $realm, $nonce, $uri, $qop, $method, $nc, $cnonce, $algorithm, $body_digest);
        my $sipattrs = join('', $p->get_attr('Digest-Attributes')); # May be multiple instances
        if (defined $sipattrs)
        {
            my @attrs;
            # Unpack inner attributes from Digest-Attributes as per draft-sterman-aaa-sip-00.txt
            while (length($sipattrs))
            {
                my ($subtype, $sublength) = unpack('C C', $sipattrs);
                last if $sublength < 3;
                my $vallen = $sublength - 2;
                $attrs[$subtype] = unpack("x x a$vallen", $sipattrs);
                substr($sipattrs, 0, $sublength) = ''; # Strip that one off
            }
            $realm = $attrs[1];
            $nonce = $attrs[2];
            $method = $attrs[3];
            $uri = $attrs[4];
            $qop = $attrs[5];
            $algorithm = $attrs[6];
            $body_digest = $attrs[7];
            $cnonce = $attrs[8];
            $nc = $attrs[9];
            $username = $attrs[10];
            $p->add_attr('Digest-Realm', $realm) if defined $realm;
            $p->add_attr('Digest-Nonce', $nonce) if defined $nonce;
            $p->add_attr('Digest-Method', $method) if defined $method;
            $p->add_attr('Digest-URI', $uri) if defined $uri;
            $p->add_attr('Digest-QOP', $qop) if defined $qop;
            $p->add_attr('Digest-Algorithm', $algorithm) if defined $algorithm;
            $p->add_attr('Digest-Body-Digest', $body_digest) if defined $body_digest;
            $p->add_attr('Digest-CNonce', $cnonce) if defined $cnonce;
            $p->add_attr('Digest-Nonce-Count', $nc) if defined $nc;
            $p->add_attr('Digest-User-Name', $username) if defined $username;
            &main::log($main::LOG_DEBUG,"Digest-Attributes parsed to:");
            &main::log($main::LOG_DEBUG,"Digest-Realm = $realm");
            &main::log($main::LOG_DEBUG,"Digest-Nonce = $nonce");
            &main::log($main::LOG_DEBUG,"Digest-Method = $method");
            &main::log($main::LOG_DEBUG,"Digest-URI = $uri");
            &main::log($main::LOG_DEBUG,"Digest-QOP = $qop");
            &main::log($main::LOG_DEBUG,"Digest-Algorithm = $algorithm");
            &main::log($main::LOG_DEBUG,"Digest-Body-Digest = $body_digest");
            &main::log($main::LOG_DEBUG,"Digest-CNonce = $cnonce");
            &main::log($main::LOG_DEBUG,"Digest-Nonce-Count = $nc");
            &main::log($main::LOG_DEBUG,"Digest-User-Name = $username");
        }
    }
    return;
}
-----Original Message-----
From: Mike McCauley [mailto:mikem at open.com.au]
Sent: Friday, February 10, 2006 1:14 PM
To: Deniz Aydin
Cc: Cem SEN; radiator at open.com.au
Subject: Re: (RADIATOR) HTTP Digest
Hello Deniz,
On Friday 10 February 2006 20:47, Deniz Aydin wrote:
> Thanks to everyone. I'll get it done with the new dictionary file. But
> now I have a new problem :)
>
> I am trying to authenticate a SIP user via Radiator from an SQL database with
> HTTP Digest.
>
> I have an AuthBy SQL statement like this (I know simply Digest-Response
> cannot be the check item, but I don't know what I should check or whether there
> is something else that needs to be done on the RADIUS side);
>
> <AuthBy SQL>
>
> AuthSelect select PASSWORD from subscriber where USER_ID like '%U'
>
> AuthColumnDef 0, Digest-Response, check ...
That should be:
AuthColumnDef 0, User-Password, check
The User-Password check item is used to authenticate the Digest-Attributes in
the incoming request.
Cheers.
>
> And my access request is like this,
>
> NAS-IP-Address = 193.192.99.87
> NAS-Port-Type = Virtual
> User-Name = "08110000003"
> Digest-Response = "c540ca4b72a58e7a6a1cc99ccffe52ad"
> Digest-Attributes = <1><7>CISCO
> Digest-Attributes = <2><10>43eca18f
> Digest-Attributes = <3><10>REGISTER
> Digest-Attributes = <4>'sip:193.192.99.87;transport=UDP;REG-1
> Digest-Attributes = <5><6>auth
> Digest-Attributes = <6><5>MD5
> Digest-Attributes = <8><9>42c079e
> Digest-Attributes = <9><10>00000001
> Digest-Attributes = <10><13>08110000003
>
> What should I do for correct authentication!
>
>
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On Behalf Of Cem SEN
> Sent: Tuesday, January 31, 2006 11:29 PM
> To: radiator at open.com.au
> Cc: Deniz Aydin
> Subject: Re: (RADIATOR) HTTP Digest
>
>
> Hi Deniz,
> If you add appropriate attributes to your dictionary file, you'll get
> what you need. Here are some attribs that'll help you.
>
> Regards,
> Cem SEN
> Network Operations Manager
> DorukNet
>
> # Experimental SIP Attributes/Values (draft-sterman-aaa-sip-00.txt etc)
> #
> ATTRIBUTE Sip-Method 101 integer
> ATTRIBUTE Sip-Response-Code 102 integer
> ATTRIBUTE Sip-CSeq 103 string
> ATTRIBUTE Sip-To-Tag 104 string
> ATTRIBUTE Sip-From-Tag 105 string
> ATTRIBUTE Sip-Branch-ID 106 string
> ATTRIBUTE Sip-Translated-Request-URI 107 string
> ATTRIBUTE Sip-Source-IP-Address 108 ipaddr
> ATTRIBUTE Sip-Source-Port 109 integer
> ATTRIBUTE Sip-User-ID 110 string
> ATTRIBUTE Sip-User-Realm 111 string
> ATTRIBUTE Sip-User-Nonce 112 string
> ATTRIBUTE Sip-User-Method 113 string
> ATTRIBUTE Sip-User-Digest-URI 114 string
> ATTRIBUTE Sip-User-Nonce-Count 115 string
> ATTRIBUTE Sip-User-QOP 116 string
> ATTRIBUTE Sip-User-Opaque 117 string
> ATTRIBUTE Sip-User-Response 118 string
> ATTRIBUTE Sip-User-CNonce 119 string
> ATTRIBUTE Sip-URI-User 208 string
> ATTRIBUTE Sip-Req-URI 210 string
> ATTRIBUTE Sip-CC 212 string
> ATTRIBUTE Sip-RPId 213 string
> ATTRIBUTE Digest-Response 206 string
> ATTRIBUTE Digest-Attributes 207 string
> ATTRIBUTE Digest-Realm 1063 string
> ATTRIBUTE Digest-Nonce 1064 string
> ATTRIBUTE Digest-Method 1065 string
> ATTRIBUTE Digest-URI 1066 string
> ATTRIBUTE Digest-QOP 1067 string
> ATTRIBUTE Digest-Algorithm 1068 string
> ATTRIBUTE Digest-Body-Digest 1069 string
> ATTRIBUTE Digest-CNonce 1070 string
> ATTRIBUTE Digest-Nonce-Count 1071 string
> ATTRIBUTE Digest-User-Name 1072 string
> VALUE Service-Type SIP 15
> VALUE Sip-Method Other 0
> VALUE Sip-Method Invite 1
> VALUE Sip-Method Cancel 2
> VALUE Sip-Method Ack 3
> VALUE Sip-Method Bye 4
> VALUE Sip-Response-Code Other 0
> VALUE Sip-Response-Code Invite 1
> VALUE Sip-Response-Code Cancel 2
> VALUE Sip-Response-Code Ack 3
> VALUE Sip-Response-Code Bye 4
>
> #
> # $Id: dictionary.ser,v 1.5 2004/12/04 22:37:48 janakj Exp $
> #
> # SIP RADIUS attributes
> #
> # Schulzrinne indicates attributes according to
> # draft-schulzrinne-sipping-radius-accounting-00
> #
> # Sterman indicates attributes according to
> # draft-sterman-aaa-sip-00
> #
> # Proprietary indicates an attribute that hasn't
> # been standardized
> #
> # Check out http://www.iana.org/assignments/radius-types
> # for up-to-date list of standard RADIUS attributes
> # and values
> #
> #
> # NOTE: All standard (IANA registered) attributes are
> # commented out except those that are missing in
> # the default dictionary of the radiusclient-ng
> # library.
> #
>
> #### Attributes ###
> #ATTRIBUTE User-Name 1 string # RFC2865, acc, auth_radius, avp_radius, group_radius, uri_radius
> #ATTRIBUTE Service-Type 6 integer # RFC2865, acc, auth_radius, avp_radius, group_radius, uri_radius
> #ATTRIBUTE Called-Station-Id 30 string # RFC2865, acc
> #ATTRIBUTE Calling-Station-Id 31 string # RFC2865, acc
> #ATTRIBUTE Acct-Status-Type 40 integer # RFC2865, acc
> #ATTRIBUTE Acct-Session-Id 44 string # RFC2865, acc
> ATTRIBUTE Sip-Method 101 integer # Schulzrinne, acc
> ATTRIBUTE Sip-Response-Code 102 integer # Schulzrinne, acc
> ATTRIBUTE Sip-Cseq 103 string # Schulzrinne, acc
> ATTRIBUTE Sip-To-Tag 104 string # Schulzrinne, acc
> ATTRIBUTE Sip-From-Tag 105 string # Schulzrinne, acc
> ATTRIBUTE Sip-Translated-Request-URI 107 string # Proprietary, acc
> ATTRIBUTE Digest-Response 206 string # Sterman, auth_radius
> ATTRIBUTE Sip-Uri-User 208 string # Proprietary, auth_radius
> ATTRIBUTE Sip-Group 211 string # Proprietary, group_radius
> ATTRIBUTE Sip-Rpid 213 string # Proprietary, auth_radius
> ATTRIBUTE SIP-AVP 225 string # Proprietary, avp_radius
> ATTRIBUTE Digest-Realm 1063 string # Sterman, auth_radius
> ATTRIBUTE Digest-Nonce 1064 string # Sterman, auth_radius
> ATTRIBUTE Digest-Method 1065 string # Sterman, auth_radius
> ATTRIBUTE Digest-URI 1066 string # Sterman, auth_radius
> ATTRIBUTE Digest-QOP 1067 string # Sterman, auth_radius
> ATTRIBUTE Digest-Algorithm 1068 string # Sterman, auth_radius
> ATTRIBUTE Digest-Body-Digest 1069 string # Sterman, auth_radius
> ATTRIBUTE Digest-CNonce 1070 string # Sterman, auth_radius
> ATTRIBUTE Digest-Nonce-Count 1071 string # Sterman, auth_radius
> ATTRIBUTE Digest-User-Name 1072 string # Sterman, auth_radius
>
> ### CISCO Vendor Specific Attributes ###
> #VENDOR Cisco 9
> #ATTRIBUTE Cisco-AVPair 1 string Cisco # VSA, auth_radius
>
> ### Acct-Status-Type Values ###
> #VALUE Acct-Status-Type Start 1 # RFC2866, acc
> #VALUE Acct-Status-Type Stop 2 # RFC2866, acc
> VALUE Acct-Status-Type Failed 15 # RFC2866, acc
>
> ### Service-Type Values ###
> VALUE Service-Type Call-Check 10 # RFC2865, uri_radius
> VALUE Service-Type Group-Check 12 # Proprietary, group_radius
> VALUE Service-Type Sip-Session 15 # Schulzrinne, acc, auth_radius
> VALUE Service-Type SIP-Caller-AVPs 30 # Proprietary, avp_radius
> VALUE Service-Type SIP-Callee-AVPs 31 # Proprietary, avp_radius
>
>
>
> ----- Original Message -----
> From: Deniz Aydin <mailto:deniza at netone.net.tr>
> To: radiator at open.com.au
> Sent: Tuesday, January 31, 2006 6:23 PM
> Subject: (RADIATOR) HTTP Digest
>
>
>
> Hi,
>
> I have been trying to authenticate Cisco SIP Proxy requests with
> HTTP Digest authentication. But in the Radiator logfile it looks
> like this;
>
> Attributes:
> NAS-IP-Address = xxxxxxxx
> NAS-Port-Type = Virtual
> User-Name = "user1"
> Ascend-Menu-Item = "7ec574c399276a1e353c16e8a7376d4a"
> Ascend-PW-Warntime = 17253193
> Ascend-PW-Warntime = 34223155
> Ascend-PW-Warntime = 50874702
> Ascend-PW-Warntime = 70546281
> Ascend-PW-Warntime = 84304245
> Ascend-PW-Warntime = 101010756
> Ascend-PW-Warntime = 134689587
> Ascend-PW-Warntime = 151662640
> Ascend-PW-Warntime = 168260979
>
>
> But the raw RADIUS request is like this,
>
> NAS-IP-Address = xxxxx
> NAS-Port-Type = Virtual
> User-Name = "user1"
> Digest-Response = "941e7ee75864b7f9d2fcc69b1c2beef9"
> Digest-Attributes = 0x0107434953434f
> Digest-Attributes = 0x020a3366663230636238
> Digest-Attributes = 0x030a5245474953544552
> Digest-Attributes = 0x040f7369703a7676732d7669747261
> Digest-Attributes = 0x050661757468
> Digest-Attributes = 0x06056d6435
> Digest-Attributes = 0x080a3061653134323362
> Digest-Attributes = 0x090a3030303030303031
> Digest-Attributes = 0x0a0637393035
>
>
> Is this something about the dictionary file or HTTP Digest support? Or
> about the configuration? My handler is like this.
> <Handler NAS-IP-Address = xxx>
> Identifier sip
> AuthBy sip_acconting
>
> </Handler>
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
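
Added example, not part of the original posts and not Radiator's own code: a stand-alone Perl check that unpacks Digest-Attributes with the same sub-attribute numbering as the hook in this thread, validating each length, and recomputes the RFC 2617 response from the stored password, which is why the check item has to be User-Password rather than Digest-Response. The function names are illustrative, and the sample data is the RFC 2617 section 3.5 example packed into sub-attributes for this demonstration.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Sub-attribute numbers inside Digest-Attributes (draft-sterman-aaa-sip-00),
# the same numbering the hook in this thread uses for $attrs[N].
my %NAME = (1 => 'realm', 2 => 'nonce', 3 => 'method', 4 => 'uri', 5 => 'qop',
    6 => 'algorithm', 7 => 'body_digest', 8 => 'cnonce', 9 => 'nc', 10 => 'username');

# Split the concatenated Digest-Attributes value into named fields. A malformed
# length is fatal here instead of silently ending the parse early.
sub parse_digest_attributes {
    my ($buf) = @_;
    my %f;
    while (length $buf) {
        die "truncated sub-attribute header\n" if length($buf) < 2;
        my ($type, $len) = unpack('C C', $buf);
        die "bad length $len for sub-attribute $type\n"
            if $len < 3 || $len > length($buf);
        $f{ $NAME{$type} // "unknown-$type" } = substr($buf, 2, $len - 2);
        substr($buf, 0, $len, '');    # drop the sub-attribute just consumed
    }
    return \%f;
}

# RFC 2617 response for algorithm MD5 with qop absent or "auth".
sub expected_response {
    my ($f, $password) = @_;
    defined $f->{$_} or die "missing $_\n" for qw(username realm nonce method uri);
    die "unsupported algorithm\n" if lc($f->{algorithm} // 'md5') ne 'md5';
    my $ha1 = md5_hex(join ':', $f->{username}, $f->{realm}, $password);
    my $ha2 = md5_hex(join ':', $f->{method}, $f->{uri});
    return md5_hex(join ':', $ha1, $f->{nonce}, $ha2) unless $f->{qop};
    die "unsupported qop $f->{qop}\n" if $f->{qop} ne 'auth';
    return md5_hex(join ':', $ha1, @{$f}{qw(nonce nc cnonce qop)}, $ha2);
}

# Constructed sample: the RFC 2617 section 3.5 values packed as sub-attributes.
my @sample = ([1, 'testrealm@host.com'], [2, 'dcd98b7102dd2f0e8b11d0f600bfb0c093'],
    [3, 'GET'], [4, '/dir/index.html'], [5, 'auth'], [6, 'MD5'],
    [8, '0a4f113b'], [9, '00000001'], [10, 'Mufasa']);
my $wire = join '', map { pack('C C a*', $_->[0], length($_->[1]) + 2, $_->[1]) } @sample;
my $digest_response = '6629fae49393a05397450978507c4ef1';    # Digest-Response attribute

my $fields = parse_digest_attributes($wire);
for my $pw ('Circle Of Life', 'wrong password') {    # stored password candidates
    my $ok = expected_response($fields, $pw) eq lc $digest_response;
    printf "%-16s => %s\n", $pw, $ok ? 'ACCEPT' : 'REJECT';
}
```

The server can only rebuild the response if it holds the cleartext password (or the precomputed MD5 of username:realm:password), so a database column holding some other one-way hash of the password cannot be used for this check.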