(RADIATOR) HTTP Digest

Deniz Aydin deniza at netone.net.tr
Wed Feb 15 06:12:07 CST 2006


Hi guys,

My problem is solved with the help of radiator team.

I am trying to authenticate SIP requests via Cisco SIP Proxy Server (CSPS) with HTTP Digest from SQL. I am using the original SQL database structure of CSPS. The first problem was about the SIP attributes. It was solved by using dictionary.sip. The second problem was the original SQL structure of CSPS. In the database the password field was a 255-long varchar. When selecting from SQL the password seemed OK, but RADIUS was not authenticating the users. After this we changed the password type in the database to text with the exact length of the password. Then Radiator authenticates the user.

Here are the sample configs:

LogDir          /extra/downloads/Radiator-3.14
DbDir           /etc/radiator
AuthPort        xxx
AcctPort        xxx
BindAddress     xxx


include /etc/radiator/authschemes.cfg


PreClientHook file:"/etc/radiator/digestavpatt.pl"   # for naming the digest attributes. It can be found in the goodies.
DictionaryFile  %D/dictionary, %D/dictionary.sip     # for the new Digest-* attributes


<Handler NAS-IP-Address = xxxxxx>
     Identifier sip
     AuthBy sip_acconting
</Handler>

<AuthBy SQL>
    Identifier      sip_acconting
    Timeout         10
    FailureBackoffTime 10
    DBSource        xxxxx
    DBUsername      xxxxx
    DBAuth          xxxxx

    AuthSelect      select PASSWORD from subscriber where USERNAME='%U'
    AuthColumnDef   0, User-Password, check

    AccountingTable SIPACCOUNTING
</AuthBy>


Here is the trace:

Authentic:  t<231><228>a<127><206>+<26><161><1><28>w@<20><176><12>
Attributes:
        NAS-IP-Address = xxxxxx
        NAS-Port-Type = Virtual
        User-Name = "yyyyy"
        Digest-Response = "a07c4a4d8ce738d7ee84de3f72831425"
        Digest-Attributes = <1><7>CISCO
        Digest-Attributes = <2><10>43f35c00
        Digest-Attributes = <3><10>REGISTER
        Digest-Attributes = <4>'aaaa
        Digest-Attributes = <5><6>auth
        Digest-Attributes = <6><5>MD5
        Digest-Attributes = <8><9>5e3cd4b
        Digest-Attributes = <9><10>00000001
        Digest-Attributes = <10><13>08110000002

Wed Feb 15 14:06:13 2006: DEBUG: Digest-Attributes parsed to:
Wed Feb 15 14:06:13 2006: DEBUG: Digest-Realm = CISCO
Wed Feb 15 14:06:13 2006: DEBUG: Digest-Nonce = 43f35c00
Wed Feb 15 14:06:13 2006: DEBUG: Digest-Method = REGISTER
Wed Feb 15 14:06:13 2006: DEBUG: Digest-URI = aaaa
Wed Feb 15 14:06:13 2006: DEBUG: Digest-QOP = auth
Wed Feb 15 14:06:13 2006: DEBUG: Digest-Algorithm = MD5
Wed Feb 15 14:06:13 2006: DEBUG: Digest-Body-Digest = 
Wed Feb 15 14:06:13 2006: DEBUG: Digest-CNonce = 5e3cd4b
Wed Feb 15 14:06:13 2006: DEBUG: Digest-Nonce-Count = 00000001
Wed Feb 15 14:06:13 2006: DEBUG: Digest-User-Name = yyyyy
Wed Feb 15 14:06:13 2006: DEBUG: Handling request with Handler 'NAS-IP-Address = xxxx'
Wed Feb 15 14:06:13 2006: DEBUG: Handling with Radius::AuthSQL
Wed Feb 15 14:06:13 2006: DEBUG: Handling with Radius::AuthSQL: sip_acconting
Wed Feb 15 14:06:13 2006: DEBUG: Query is: 'select PASSWORD from subscriber where USERNAME='yyyyy'': 
Wed Feb 15 14:06:13 2006: DEBUG: Radius::AuthSQL looks for match with yyyy [yyyyy]
Wed Feb 15 14:06:13 2006: DEBUG: Radius::AuthSQL ACCEPT: : yyyyy [yyyy]
Wed Feb 15 14:06:13 2006: DEBUG: AuthBy SQL result: ACCEPT, 
Wed Feb 15 14:06:13 2006: DEBUG: Access accepted for yyyy
Wed Feb 15 14:06:13 2006: DEBUG: Packet dump:
*** Sending to 193.192.99.87 port 56191 ....


Code:       Access-Accept
Identifier: 209
Authentic:  t<231><228>a<127><206>+<26><161><1><28>w@<20><176><1


-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On Behalf Of Deniz Aydin
Sent: Friday, February 10, 2006 5:40 PM
To: Deniz Aydin; Mike McCauley
Cc: Cem SEN; radiator at open.com.au
Subject: RE: (RADIATOR) HTTP Digest

But I don't have a User-Password attribute in the Digest request. When I tried this, RADIUS searched for a User-Password attribute in the request and failed.

 DEBUG: Radius::AuthSQL looks for match with user1
 WARNING: No CHAP-Password or User-Password in request: does your dictionary have User-Password in it?
 DEBUG: Radius::AuthSQL REJECT: Bad Password

I saw the hook file examples; I guess this is the one you point to, but it is not defining the User-Password.


# PreClientHook from the Radiator goodies: unpack the Digest-Attributes sent
# by the SIP proxy into the individual Digest-* attributes (dictionary.sip)
# so that AuthBy SQL can check them against the User-Password check item.
sub
{
   my $p = ${$_[0]};

   if (defined($p->get_attr('Digest-Response')))
   {
      my $sipattrs = join('', $p->get_attr('Digest-Attributes')); # May be multiple instances
      if (defined $sipattrs && length $sipattrs)
      {
         my @attrs;

         # Unpack inner attributes from Digest-Attributes as per draft-sterman-aaa-sip-00.txt:
         # one byte subtype, one byte length (counting these two header bytes), then the value.
         while (length($sipattrs) >= 2)
         {
             my ($subtype, $sublength) = unpack('C C', $sipattrs);
             # Stop on a malformed length rather than looping or reading past the end
             last if $sublength < 2 || $sublength > length($sipattrs);
             my $vallen = $sublength - 2;
             $attrs[$subtype] = unpack("x x a$vallen", $sipattrs);
             substr($sipattrs, 0, $sublength, ''); # Strip that one off
         }

         # Subtype number -> attribute name, in the draft's numbering
         my @names = (undef,
                      'Digest-Realm', 'Digest-Nonce', 'Digest-Method', 'Digest-URI',
                      'Digest-QOP', 'Digest-Algorithm', 'Digest-Body-Digest',
                      'Digest-CNonce', 'Digest-Nonce-Count', 'Digest-User-Name');

         &main::log($main::LOG_DEBUG, "Digest-Attributes parsed to:");
         for my $subtype (1 .. $#names)
         {
             my $value = $attrs[$subtype];
             $p->add_attr($names[$subtype], $value) if defined $value;
             &main::log($main::LOG_DEBUG, "$names[$subtype] = " . (defined $value ? $value : ''));
         }
      }
   }
   return;
}



-----Original Message-----
From: Mike McCauley [mailto:mikem at open.com.au] 
Sent: Friday, February 10, 2006 1:14 PM
To: Deniz Aydin
Cc: Cem SEN; radiator at open.com.au
Subject: Re: (RADIATOR) HTTP Digest


Hello Deniz,


On Friday 10 February 2006 20:47, Deniz Aydin wrote:
> Thanks to everyone. I'll get it done with the new dictionary file. But
> now I have a new problem :)
>
> I am trying to authenticate a SIP user via Radiator from a SQL database with
> HTTP Digest.
>
> I have an AuthBy SQL statement like this (I know simply Digest-Response
> cannot be the check item, but I don't know what I should check, or whether there
> is something else that needs to be done on the RADIUS side);
>
> <AuthBy SQL>
>
> AuthSelect select PASSWORD from subscriber where USER_ID like '%U'
>
> AuthColumnDef 0, Digest-Response, check ...

That should be:
AuthColumnDef 0, User-Password, check

The User-Password check item is used to authenticate the  Digest-Attributes in 
the incoming request.

Cheers.

>
>
>
> And my access request is like this,
>
> NAS-IP-Address = 193.192.99.87
>
> NAS-Port-Type = Virtual
>
> User-Name = "08110000003"
>
> Digest-Response = "c540ca4b72a58e7a6a1cc99ccffe52ad"
>
> Digest-Attributes = <1><7>CISCO
>
> Digest-Attributes = <2><10>43eca18f
>
> Digest-Attributes = <3><10>REGISTER
>
> Digest-Attributes = <4>'sip:193.192.99.87;transport=UDP;REG-1
>
> Digest-Attributes = <5><6>auth
>
> Digest-Attributes = <6><5>MD5
>
> Digest-Attributes = <8><9>42c079e
>
> Digest-Attributes = <9><10>00000001
>
> Digest-Attributes = <10><13>08110000003
>
> What should I do for correct authentication?
>
>
> 	-----Original Message-----
> 	From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On Behalf Of Cem SEN
> 	Sent: Tuesday, January 31, 2006 11:29 PM
> 	To: radiator at open.com.au
> 	Cc: Deniz Aydin
> 	Subject: Re: (RADIATOR) HTTP Digest
>
>
> 	Hi Deniz,
> 	If you add appropriate attributes to your dictionary file, you'll get 
> what you need. Here are some attribs that'll help you.
>
> 	Regards,
> 	Cem SEN
> 	Network Operations Manager
> 	DorukNet
>
> 	# Experimental SIP Attributes/Values (draft-sterman-aaa-sip-00.txt etc)
> 	#
> 	ATTRIBUTE Sip-Method 101 integer
> 	ATTRIBUTE Sip-Response-Code 102 integer
> 	ATTRIBUTE Sip-CSeq 103 string
> 	ATTRIBUTE Sip-To-Tag 104 string
> 	ATTRIBUTE Sip-From-Tag 105 string
> 	ATTRIBUTE Sip-Branch-ID 106 string
> 	ATTRIBUTE Sip-Translated-Request-URI 107 string
> 	ATTRIBUTE Sip-Source-IP-Address 108 ipaddr
> 	ATTRIBUTE Sip-Source-Port 109 integer
> 	ATTRIBUTE Sip-User-ID 110 string
> 	ATTRIBUTE Sip-User-Realm 111 string
> 	ATTRIBUTE Sip-User-Nonce 112 string
> 	ATTRIBUTE Sip-User-Method 113 string
> 	ATTRIBUTE Sip-User-Digest-URI 114 string
> 	ATTRIBUTE Sip-User-Nonce-Count 115 string
> 	ATTRIBUTE Sip-User-QOP 116 string
> 	ATTRIBUTE Sip-User-Opaque 117 string
> 	ATTRIBUTE Sip-User-Response 118 string
> 	ATTRIBUTE Sip-User-CNonce 119 string
> 	ATTRIBUTE Sip-URI-User 208 string
> 	ATTRIBUTE Sip-Req-URI 210 string
> 	ATTRIBUTE Sip-CC 212 string
> 	ATTRIBUTE Sip-RPId 213 string
> 	ATTRIBUTE Digest-Response 206 string
> 	ATTRIBUTE Digest-Attributes 207 string
> 	ATTRIBUTE Digest-Realm 1063 string
> 	ATTRIBUTE Digest-Nonce 1064 string
> 	ATTRIBUTE Digest-Method 1065 string
> 	ATTRIBUTE Digest-URI 1066 string
> 	ATTRIBUTE Digest-QOP 1067 string
> 	ATTRIBUTE Digest-Algorithm 1068 string
> 	ATTRIBUTE Digest-Body-Digest 1069 string
> 	ATTRIBUTE Digest-CNonce 1070 string
> 	ATTRIBUTE Digest-Nonce-Count 1071 string
> 	ATTRIBUTE Digest-User-Name 1072 string
> 	VALUE Service-Type SIP 15
> 	VALUE Sip-Method Other 0
> 	VALUE Sip-Method Invite 1
> 	VALUE Sip-Method Cancel 2
> 	VALUE Sip-Method Ack 3
> 	VALUE Sip-Method Bye 4
> 	VALUE Sip-Response-Code Other 0
> 	VALUE Sip-Response-Code Invite 1
> 	VALUE Sip-Response-Code Cancel 2
> 	VALUE Sip-Response-Code Ack 3
> 	VALUE Sip-Response-Code Bye 4
>
> 	#
> 	# $Id: dictionary.ser,v 1.5 2004/12/04 22:37:48 janakj Exp $
> 	#
> 	# SIP RADIUS attributes
> 	#
> 	# Schulzrinne indicates attributes according to
> 	# draft-schulzrinne-sipping-radius-accounting-00
> 	#
> 	# Sterman indicates attributes according to
> 	# draft-sterman-aaa-sip-00
> 	#
> 	# Proprietary indicates an attribute that hasn't
> 	# been standardized
> 	#
> 	# Check out http://www.iana.org/assignments/radius-types
> 	# for up-to-date list of standard RADIUS attributes
> 	# and values
> 	#
> 	#
> 	# NOTE: All standard (IANA registered) attributes are
> 	# commented out except those that are missing in
> 	# the default dictionary of the radiusclient-ng
> 	# library.
> 	#
>
> 	#### Attributes ###
> 	#ATTRIBUTE User-Name 1 string # RFC2865, acc, auth_radius, avp_radius, group_radius, uri_radius
> 	#ATTRIBUTE Service-Type 6 integer # RFC2865, acc, auth_radius, avp_radius, group_radius, uri_radius
> 	#ATTRIBUTE Called-Station-Id 30 string # RFC2865, acc
> 	#ATTRIBUTE Calling-Station-Id 31 string # RFC2865, acc
> 	#ATTRIBUTE Acct-Status-Type 40 integer # RFC2865, acc
> 	#ATTRIBUTE Acct-Session-Id 44 string # RFC2865, acc
> 	ATTRIBUTE Sip-Method 101 integer # Schulzrinne, acc
> 	ATTRIBUTE Sip-Response-Code 102 integer # Schulzrinne, acc
> 	ATTRIBUTE Sip-Cseq 103 string # Schulzrinne, acc
> 	ATTRIBUTE Sip-To-Tag 104 string # Schulzrinne, acc
> 	ATTRIBUTE Sip-From-Tag 105 string # Schulzrinne, acc
> 	ATTRIBUTE Sip-Translated-Request-URI 107 string # Proprietary, acc
> 	ATTRIBUTE Digest-Response 206 string # Sterman, auth_radius
> 	ATTRIBUTE Sip-Uri-User 208 string # Proprietary, auth_radius
> 	ATTRIBUTE Sip-Group 211 string # Proprietary, group_radius
> 	ATTRIBUTE Sip-Rpid 213 string # Proprietary, auth_radius
> 	ATTRIBUTE SIP-AVP 225 string # Proprietary, avp_radius
> 	ATTRIBUTE Digest-Realm 1063 string # Sterman, auth_radius
> 	ATTRIBUTE Digest-Nonce 1064 string # Sterman, auth_radius
> 	ATTRIBUTE Digest-Method 1065 string # Sterman, auth_radius
> 	ATTRIBUTE Digest-URI 1066 string # Sterman, auth_radius
> 	ATTRIBUTE Digest-QOP 1067 string # Sterman, auth_radius
> 	ATTRIBUTE Digest-Algorithm 1068 string # Sterman, auth_radius
> 	ATTRIBUTE Digest-Body-Digest 1069 string # Sterman, auth_radius
> 	ATTRIBUTE Digest-CNonce 1070 string # Sterman, auth_radius
> 	ATTRIBUTE Digest-Nonce-Count 1071 string # Sterman, auth_radius
> 	ATTRIBUTE Digest-User-Name 1072 string # Sterman, auth_radius
> 	### CISCO Vendor Specific Attributes ###
> 	#VENDOR Cisco 9
> 	#ATTRIBUTE Cisco-AVPair 1 string Cisco # VSA, auth_radius
> 	### Acct-Status-Type Values ###
> 	#VALUE Acct-Status-Type Start 1 # RFC2866, acc
> 	#VALUE Acct-Status-Type Stop 2 # RFC2866, acc
> 	VALUE Acct-Status-Type Failed 15 # RFC2866, acc
> 	### Service-Type Values ###
> 	VALUE Service-Type Call-Check 10 # RFC2865, uri_radius
> 	VALUE Service-Type Group-Check 12 # Proprietary, group_radius
> 	VALUE Service-Type Sip-Session 15 # Schulzrinne, acc, auth_radius
> 	VALUE Service-Type SIP-Caller-AVPs 30 # Proprietary, avp_radius
> 	VALUE Service-Type SIP-Callee-AVPs 31 # Proprietary, avp_radius
>
> 		----- Original Message -----
> 		From: Deniz Aydin <mailto:deniza at netone.net.tr>
> 		To: radiator at open.com.au
> 		Sent: Tuesday, January 31, 2006 6:23 PM
> 		Subject: (RADIATOR) HTTP Digest
>
> 		Hi,
>
> 		I have been trying to authenticate Cisco SIP Proxy requests with
> HTTP Digest authentication. But in the log file of Radiator it looks
> like this;
>
> 		Attributes:
> 		        NAS-IP-Address = xxxxxxxx
> 		        NAS-Port-Type = Virtual
> 		        User-Name = "user1"
> 		        Ascend-Menu-Item = "7ec574c399276a1e353c16e8a7376d4a"
> 		        Ascend-PW-Warntime = 17253193
> 		        Ascend-PW-Warntime = 34223155
> 		        Ascend-PW-Warntime = 50874702
> 		        Ascend-PW-Warntime = 70546281
> 		        Ascend-PW-Warntime = 84304245
> 		        Ascend-PW-Warntime = 101010756
> 		        Ascend-PW-Warntime = 134689587
> 		        Ascend-PW-Warntime = 151662640
> 		        Ascend-PW-Warntime = 168260979
>
>
> 		But the raw RADIUS request is like this,
>
> 		NAS-IP-Address = xxxxx
> 		NAS-Port-Type = Virtual
> 		User-Name = "user1"
> 		Digest-Response = "941e7ee75864b7f9d2fcc69b1c2beef9"
> 		Digest-Attributes = 0x0107434953434f
> 		Digest-Attributes = 0x020a3366663230636238
> 		Digest-Attributes = 0x030a5245474953544552
> 		Digest-Attributes = 0x040f7369703a7676732d7669747261
> 		Digest-Attributes = 0x050661757468
> 		Digest-Attributes = 0x06056d6435
> 		Digest-Attributes = 0x080a3061653134323362
> 		Digest-Attributes = 0x090a3030303030303031
> 		Digest-Attributes = 0x0a0637393035
>
>
> 		Is this something about the dictionary file or HTTP Digest support, or
> about the configuration? My handler is like this.
> 		<Handler NAS-IP-Address = xxx>
> 		     Identifier sip
> 		     AuthBy sip_acconting
>
> 		</Handler>

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
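The following is an added example, not code from this thread or from Radiator, that makes concrete what the goodies hook above unpacks and what Mike's "User-Password check item" then verifies. It parses the draft-sterman Digest-Attributes TLVs (the raw hex values Deniz posted in the first message), recomputes the RFC 2617 response for qop=auth from a stored password, and compares it with Digest-Response in constant time. The password is constructed; the sub-attribute numbering is the one the hook uses. The padded-password case is an illustration of one way a fixed-width column can break the check (a stray trailing byte changes HA1); the thread does not say which bytes differed in the varchar(255) column, so treat that as an assumption. as_misdecoded_integer shows where the Ascend-PW-Warntime = 17253193 in the earliest log came from when the dictionary had no entry for attribute 207: it is the first four bytes of 0x0107434953434f read as a big-endian integer.

```python
"""Added example: parse draft-sterman Digest-Attributes and verify the SIP
client's Digest-Response the way a RADIUS server must (RFC 2617, qop=auth)."""
import hashlib
import hmac

# Sub-attribute type numbers from draft-sterman-aaa-sip-00, in the same order
# the Radiator goodies hook assigns $attrs[1..10].
DIGEST_SUBTYPES = {
    1: "realm", 2: "nonce", 3: "method", 4: "uri", 5: "qop", 6: "algorithm",
    7: "body-digest", 8: "cnonce", 9: "nonce-count", 10: "username",
}

# Raw Digest-Attributes values as posted in the first message of this thread
# (one RADIUS attribute per TLV). The password is constructed for the example.
SAMPLE_DIGEST_ATTRIBUTES = [bytes.fromhex(h) for h in (
    "0107434953434f",                  # realm       "CISCO"
    "020a3366663230636238",            # nonce       "3ff20cb8"
    "030a5245474953544552",            # method      "REGISTER"
    "040f7369703a7676732d7669747261",  # uri         "sip:vvs-vitra"
    "050661757468",                    # qop         "auth"
    "06056d6435",                      # algorithm   "md5"
    "080a3061653134323362",            # cnonce      "0ae1423b"
    "090a3030303030303031",            # nonce-count "00000001"
    "0a0637393035",                    # username    "7905"
)]
SAMPLE_PASSWORD = "s3cret-constructed"  # assumption: not a real credential


def parse_digest_attributes(chunks):
    """Each chunk holds one or more TLVs: type (1 byte), length (1 byte,
    counting the two header bytes), value. Malformed input raises instead of
    being silently truncated, so a bad NAS cannot get half a request checked."""
    fields = {}
    for raw in chunks:
        data = bytes(raw)
        while data:
            if len(data) < 2:
                raise ValueError("truncated sub-attribute header")
            subtype, sublen = data[0], data[1]
            if sublen < 2 or sublen > len(data):
                raise ValueError("bad sub-attribute length %d" % sublen)
            name = DIGEST_SUBTYPES.get(subtype, "type-%d" % subtype)
            fields[name] = data[2:sublen].decode("ascii")
            data = data[sublen:]
    return fields


def _md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def compute_response(fields, password):
    """RFC 2617 response for qop=auth (or no qop). The password enters only
    through HA1, so any extra byte stored with it (e.g. column padding)
    yields a different HA1 and the request is rejected."""
    if fields.get("algorithm", "MD5").lower() != "md5":
        raise ValueError("unsupported algorithm %r" % fields.get("algorithm"))
    # A1 uses the username the client hashed: sub-attribute 10, not User-Name
    ha1 = _md5hex("%s:%s:%s" % (fields["username"], fields["realm"], password))
    ha2 = _md5hex("%s:%s" % (fields["method"], fields["uri"]))
    qop = fields.get("qop")
    if qop is None:
        return _md5hex("%s:%s:%s" % (ha1, fields["nonce"], ha2))
    if qop != "auth":
        raise ValueError("unsupported qop %r" % qop)
    return _md5hex("%s:%s:%s:%s:%s:%s" % (
        ha1, fields["nonce"], fields["nonce-count"], fields["cnonce"], qop, ha2))


def verify(fields, digest_response, password):
    """Constant-time comparison of the client's Digest-Response with ours."""
    return hmac.compare_digest(compute_response(fields, password),
                               digest_response.lower())


def as_misdecoded_integer(tlv):
    """What a dictionary without attribute 207 showed: Radiator decoded the
    TLV as the integer Ascend-PW-Warntime, i.e. its first four bytes big-endian."""
    return int.from_bytes(bytes(tlv)[:4], "big")


if __name__ == "__main__":
    f = parse_digest_attributes(SAMPLE_DIGEST_ATTRIBUTES)
    resp = compute_response(f, SAMPLE_PASSWORD)
    print(f)
    print("exact password  :", verify(f, resp, SAMPLE_PASSWORD))
    print("padded password :", verify(f, resp, SAMPLE_PASSWORD + " "))
    print("misdecoded realm:", as_misdecoded_integer(SAMPLE_DIGEST_ATTRIBUTES[0]))
```

Run it as a script to see the parsed fields and the accept/reject outcome; to check a real request offline, replace the SAMPLE_* values with the Digest-Attributes and Digest-Response from a Radiator trace and the password as stored in the subscriber table. Note the proxy carries the username twice (User-Name and sub-attribute 10); HA1 must use the digest username, since that is the value the SIP client hashed in its Authorization header.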

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
