(RADIATOR) Question about Radiator Support.
Hugh Irvine
hugh at open.com.au
Wed Jan 4 16:02:12 CST 2006
Hello Ricardo -
To do what you describe below you will need to use the PreClientHook.
Radiator will do SIP authentication internally, but it does not parse
the Digest-Attributes into separate attributes as the hook does.
Hope that clarifies the situation.
regards
Hugh
On 5 Jan 2006, at 08:13, Ricardo Martinez wrote:
> Hello.
> Regarding this issue: I installed Radiator Version 3.13. I
> even installed the perl-MD4 support as Martin pointed out, I used the
> dictionary.sip, but still my Radiator can't "understand" the Digest
> attributes.
> I'm going to explain my situation again; maybe with this new
> Radiator version something can be done.
> As I described in my initial post, I'm using Radiator to authenticate
> my SIP clients from my platform. My SIP Proxy sends an Access-Request
> with this format:
>
> Attributes:
> User-Name = MA_1942430 at sip.domain.com
> Digest-Attributes = "<10><12>MA_1942430"
> Digest-Attributes = "<1><20>sip.domain.com"
> Digest-Attributes = "<2>*43bbf113b4aec1b2a41071f19acaa305bf258fe4"
> Digest-Attributes = "<4><24>sip:sip.domain.com"
> Digest-Attributes = "<3><10>REGISTER"
> Digest-Attributes = "<5><6>auth"
> Digest-Attributes = "<9><10>00000097"
> Digest-Attributes = "<8><10>34e3d02f"
> Digest-Response = "f9a8677c3550372a09a8685cc76c4ec7"
> Service-Type = Sip-Session
> Sip-Uri-User = "559100001027"
> NAS-IP-Address = 100.100.100.35
> NAS-Port = 5060
>
> This RADIUS request has several "Digest-Attributes" attributes;
> these digest attributes are according to "draft-sterman-aaa-sip-00".
> Digest authentication attributes are encoded as sub-attributes
> into a single RADIUS attribute (Digest-Attributes).
> So, as I commented in my original post, I can handle this using a
> PreClientHook, and it works OK. This is what I have:
>
> PreClientHook file:"/usr/src/radiusd/Radiator-3.13/goodies/digest.pl"
>
> and then if I want to match according to the Digest-Method I use a
> handler like:
>
> <Handler Digest-Method=REGISTER>
>
> And the request matches OK.
> So far so good, but as Hugh mentioned:
>
> "Sent: Friday, June 03, 2005 6:34 PM
> Subject: Re: (RADIATOR) Question about Radiator Support.
>
>
> >
> > Hello Ricardo -
> >
> > Further to this, I didn't make it clear that if you define your
> > dictionaries like this (in recent versions of Radiator):
> >
> > DictionaryFile %D/dictionary, %D/dictionary.sip
> >
> > SIP authentication will work automatically without requiring
> > hooks or whatever.
> >
> > The most recent version is Radiator 3.13.
> >
> > regards
> >
> > Hugh
> "
> I even read the dictionary.sip included in the 3.13 version:
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++
> # This is a specialised dictionary for recognising
> # SIP radius attributes as described in draft-sterman-aaa-sip-00.txt
> # They are included in this separate dictionary because they conflict with
> # other common and standard attributes.
> # They override attributes 206 Ascend-Menu-Item and 207 Ascend-PW-Warntime
> # in the standard dictionary.
> # Author: Mike McCauley mikem at open.com.au
> # $Id: dictionary.sip,v 1.2 2003/01/02 11:21:07 mikem Exp $
> +++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> So I was expecting that with this new dictionary maybe the
> Digest-Attributes could be parsed OK. But this is what I obtain (removing
> my PreClientHook):
>
> Wed Jan 4 15:52:19 2006: DEBUG: Handling request with Handler ' '
>
> The attribute Digest-Attributes = "<3><10>REGISTER" does not seem to
> be parsed into Digest-Method="REGISTER", and so the match with the
> Handler fails.
> So, what am I doing wrong?
> Does Radiator support this kind of attribute?
>
> I'm attaching my radius.cfg :
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> LogStdout
> DbDir /usr/src/radiusd/Radiator-3.13
> LogDir /var/log/radiator
> LogFile %L/logfile_radius_auth_ser
> PidFile %L/radiusd_radius_auth_ser.pid
> AuthPort 1647
> AcctPort
>
> DictionaryFile %D/dictionary, %D/dictionary.sip
>
> # This will log at DEBUG level: very verbose
> # Use a lower trace level in production systems, typically 3
> Trace 5
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with. This will work
> # at least with radpwtst running on the local machine
>
> #PreClientHook file:"/usr/src/radiusd/Radiator-3.13/goodies/digest.pl"
>
> ....client part removed
>
> # Authentication LOG profile, %L is replaced by LogDir above.
>
> <AuthLog FILE>
>
> Identifier AUTH_SIP_LOG
> Filename %L/auth/sip/auth_%{Digest-Method}_log
>
> LogSuccess 1
> LogFailure 1
>
> # FORMAT Time,User-Name,User,Realm,Nonce,Uri,Method,qop,Nonce-count,Cnonce,Nonce-Response,Service-Type,SIP-Uri-User,NAS-IP-Address,MessageSeverity,Reason,OK/FAIL
> SuccessFormat %l,%{User-Name},%{Digest-User},%{Digest-Realm},%{Digest-Nonce},%{Digest-Uri},%{Digest-Method},%{Digest-qop},%{Digest-Nonce-count},%{Digest-Cnonce},%{Digest-Response},%{Service-Type},%{Sip-Uri-User},%{NAS-IP-Address},%0,%1:OK
> FailureFormat %l,%{User-Name},%{Digest-User},%{Digest-Realm},%{Digest-Nonce},%{Digest-Uri},%{Digest-Method},%{Digest-qop},%{Digest-Nonce-count},%{Digest-Cnonce},%{Digest-Response},%{Service-Type},%{Sip-Uri-User},%{NAS-IP-Address},%0,%1:FAIL
>
> </AuthLog>
>
> #++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> #
> # HANDLER FOR PREPAID USERS (ADAPTERS)
> #
> #+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> <Handler Digest-Method=REGISTER>
> # AuthByPolicy is added to handle database timeouts.
> AuthByPolicy ContinueWhileIgnore
>
> <AuthBy SQL>
> DBSource dbi:Oracle:*******
> DBUsername *****
> DBAuth *****
>
> NoDefault
> AuthSelect select *************
> AuthColumnDef 0, User-Password, check
> AuthColumnDef 1, NAS-Port-Type, reply
>
> </AuthBy>
>
> <AuthBy INTERNAL>
> DefaultResult REJECT
> </AuthBy>
>
> # Log authentication to a detail file.
> AuthLog AUTH_SIP_LOG
> </Handler>
>
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> More information about sterman-aaa-sip in :
> http://www.watersprings.org/pub/id/draft-sterman-aaa-sip-00.txt
>
>
> I really hope that someone can help me here!
> Thanks!
>
> Ricardo Martinez.-
>
> -----Original Message-----
> From: Martin Wallner [mailto:Martin.Wallner at eunet.co.at]
> Sent: Thursday, 29 December 2005 21:58
> To: Rosario Pingaro; Hugh Irvine
> CC: radiator at open.com.au
> Subject: AW: (RADIATOR) Question about Radiator Support.
>
> I might be TOTALLY on the wrong track here, but sometimes perl-MD4
> Support is not installed/missing (and that one is used for
> MSCHAP)... That can bring the funniest effects....
>
> Martin
>
> From: owner-radiator at open.com.au on behalf of Rosario Pingaro
> Sent: Thu 29.12.2005 23:02
> To: Hugh Irvine
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Question about Radiator Support.
>
> We are experiencing the same problem.
> Radiator is the latest 3.13, patched.
>
> I have coupled my dictionary with the SIP one like Hugh described
> some time before, but I am not able to let Radiator decode the
> Digest-Attribute:
> Attributes:
> User-Name = "rpingar at voip.convergenze.it"
> Digest-Attributes = "<10><9>rpingar"
> Digest-Attributes = "<1><21>voip.convergenze.it"
> Digest-Attributes = "<2>*43b45a051b018d59f1ccf21927c56cb5f3b7eabe"
> Digest-Attributes = "<4><25>sip:voip.convergenze.it"
> Digest-Attributes = "<3><10>REGISTER"
> Digest-Response = "e8b688341619b901e17713acec847ff1"
> Service-Type = IAPP-Register
> SIP-URI-User = "rpingar"
> NAS-Port = 5060
>
>
> This is the dictionary from the radiusclient:
> #### Attributes ###
> ATTRIBUTE User-Name 1 string # RFC2865, acc, auth_radius, avp_radius, group_radius, uri_radius
> ATTRIBUTE NAS-Port 5 integer
> ATTRIBUTE Service-Type 6 integer # RFC2865, acc, auth_radius, avp_radius, group_radius, uri_radius
> ATTRIBUTE Called-Station-Id 30 string # RFC2865, acc
> ATTRIBUTE Calling-Station-Id 31 string # RFC2865, acc
> ATTRIBUTE Acct-Status-Type 40 integer # RFC2865, acc
> ATTRIBUTE Acct-Session-Id 44 string # RFC2865, acc
> ATTRIBUTE Sip-Method 101 integer # Schulzrinne, acc
> ATTRIBUTE Sip-Response-Code 102 integer # Schulzrinne, acc
> ATTRIBUTE Sip-Cseq 103 string # Schulzrinne, acc
> ATTRIBUTE Sip-To-Tag 104 string # Schulzrinne, acc
> ATTRIBUTE Sip-From-Tag 105 string # Schulzrinne, acc
> ATTRIBUTE Sip-Translated-Request-URI 107 string # Proprietary, acc
> ATTRIBUTE Digest-Response 206 string # Sterman, auth_radius
> ATTRIBUTE Sip-Uri-User 208 string # Proprietary, auth_radius
> ATTRIBUTE Sip-Group 211 string # Proprietary, group_radius
> ATTRIBUTE Sip-Rpid 213 string # Proprietary, auth_radius
> ATTRIBUTE SIP-AVP 225 string # Proprietary, avp_radius
> ATTRIBUTE Digest-Realm 1063 string # Sterman, auth_radius
> ATTRIBUTE Digest-Nonce 1064 string # Sterman, auth_radius
> ATTRIBUTE Digest-Method 1065 string # Sterman, auth_radius
> ATTRIBUTE Digest-URI 1066 string # Sterman, auth_radius
> ATTRIBUTE Digest-QOP 1067 string # Sterman, auth_radius
> ATTRIBUTE Digest-Algorithm 1068 string # Sterman, auth_radius
> ATTRIBUTE Digest-Body-Digest 1069 string # Sterman, auth_radius
> ATTRIBUTE Digest-CNonce 1070 string # Sterman, auth_radius
> ATTRIBUTE Digest-Nonce-Count 1071 string # Sterman, auth_radius
> ATTRIBUTE Digest-User-Name 1072 string # Sterman, auth_radius
>
>
> It seems that what you call attribute 207 has, from the client's point
> of view, different attributes, from 1063 to 1072.
>
> How to deal with this strange situation?
>
> Thanks
> Rosario
>
>
> ----- Original Message -----
> From: "Hugh Irvine" <hugh at open.com.au>
> To: "Ricardo Martinez" <rmartinez at redvoiss.net>
> Cc: <radiator at open.com.au>
> Sent: Friday, June 03, 2005 6:34 PM
> Subject: Re: (RADIATOR) Question about Radiator Support.
>
>
> >
> > Hello Ricardo -
> >
> > Further to this, I didn't make it clear that if you define your
> > dictionaries like this (in recent versions of Radiator):
> >
> > DictionaryFile %D/dictionary, %D/dictionary.sip
> >
> > SIP authentication will work automatically without requiring
> hooks or
> > whatever.
> >
> > The most recent version is Radiator 3.13.
> >
> > regards
> >
> > Hugh
> >
> >
> > On 3 Jun 2005, at 16:07, Hugh Irvine wrote:
> >
> >>
> >> Hello Ricardo -
> >>
> >> On this same topic - see the file "dictionary.sip" in the
> >> Radiator 3.13 distribution.
> >>
> >> regards
> >>
> >> Hugh
> >>
> >>
> >> On 3 Jun 2005, at 05:32, Ricardo Martinez wrote:
> >>
> >>
> >>> Hello list.
> >>> I'm using SER (Sip Express Router) to provide SIP services, and
> >>> also I'm using Radiator 3.9 for my AAA services.
> >>> SER sends to my radius server an authentication message like this:
> >>>
> >>> Attributes:
> >>> User-Name = "user1 at mydomain.com"
> >>> Digest-Attributes = "<10><10>user1"
> >>> Digest-Attributes = "<1><23>mydomain.com"
> >>> Digest-Attributes = "<2>*429f5a94dfac500699b5465aae863a390d5ebd92"
> >>> Digest-Attributes = "<4>&sip:1234567 at mydomain.com"
> >>> Digest-Attributes = "<3><10>REGISTER"
> >>> Digest-Attributes = "<5><6>auth"
> >>> Digest-Attributes = "<9><10>00000037"
> >>> Digest-Attributes = "<8><10>dbb06da4"
> >>> Digest-Response = "08525b9e17e0ed25fccc61b104ff9e20"
> >>> Service-Type = Sip-Session
> >>> Sip-Uri-User = "1234567"
> >>> NAS-IP-Address = 10.1.1.3
> >>> NAS-Port = 5060
> >>>
> >>> As you can see I have different Digest-Attributes with different
> >>> values.
> >>> Supposedly these Digest-Attributes must be parsed into Digest-Uri,
> >>> Digest-Realm, Digest-Nonce, etc., but RADIATOR seems not to be
> >>> doing anything about it.
> >>> Well. A long time ago, asking in this mailing list, Hugh told me that I
> >>> need to run a PreClientHook and parse these attributes myself... well,
> >>> that's what I'm doing now and it is working.
> >>> What I found out recently is that, for example, FreeRadius Server
> >>> recognizes these attributes and does the conversion by itself. So I'm
> >>> wondering if Radiator has maybe now support for this type of message; I
> >>> think that is the draft "draft-sterman-aaa-sip-00".
> >>>
> >>> I hope that someone could give me a hand here.
> >>> Thanks in advance.
> >>>
> >>> Regards,
> >>>
> >>> Ricardo Martinez.-
> >>>
> >>> --
> >>> Archive at http://www.open.com.au/archives/radiator/
> >>> Announcements on radiator-announce at open.com.au
> >>> To unsubscribe, email 'majordomo at open.com.au' with
> >>> 'unsubscribe radiator' in the body of the message.
> >>>
> >>>
> >>
> >>
> >> NB:
> >>
> >> Have you read the reference manual ("doc/ref.html")?
> >> Have you searched the mailing list archive (www.open.com.au/
> >> archives/radiator)?
> >> Have you had a quick look on Google (www.google.com)?
> >> Have you included a copy of your configuration file (no secrets),
> >> together with a trace 4 debug showing what is happening?
> >>
> >> --
> >> Radiator: the most portable, flexible and configurable RADIUS
> server
> >> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >> -
> >> Nets: internetwork inventory and management - graphical,
> extensible,
> >> flexible with hardware, software, platform and database
> independence.
> >> -
> >> CATool: Private Certificate Authority for Unix and Unix-like
> systems.
> >>
> >>
> >>
> >
> >
> >
> >
>
>
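As an added illustration of the sub-attribute packing the messages above describe (this is not code from the thread, from Radiator, or from goodies/digest.pl), the Python script below unpacks a list of Digest-Attributes values into the separate Digest-* attributes that a `<Handler Digest-Method=REGISTER>` can match on, refuses a length byte that disagrees with the data actually present, and recomputes the RFC 2617 Digest-Response server-side from the unpacked fields and a known password. It assumes the sub-type numbering of draft-sterman-aaa-sip-00 (1 Realm through 10 User-Name, the same order as the 1063..1072 radiusclient entries quoted above), that the `<n>` notation in the quoted debug dumps stands for a raw byte with decimal value n with printable bytes shown literally (so `*` is byte 42: a two-byte header plus a 40-character nonce), and it uses constructed sample values rather than the thread's anonymised ones.

```python
"""Unpack draft-sterman-aaa-sip-00 Digest-Attributes and check a Digest-Response.

Added example; not Radiator's code and not goodies/digest.pl. Sub-type numbers
are taken from the draft (assumption: same order as the 1063..1072 dictionary
entries quoted in the thread). The "<n>" notation used by the quoted debug
dumps is assumed to mean one raw byte with decimal value n; printable bytes
are shown literally, so '*' is byte 42.
"""
import hashlib
import hmac
import re

DIGEST_SUBTYPES = {
    1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method", 4: "Digest-URI",
    5: "Digest-QOP", 6: "Digest-Algorithm", 7: "Digest-Body-Digest",
    8: "Digest-CNonce", 9: "Digest-Nonce-Count", 10: "Digest-User-Name",
}

# Either a "<n>" token or a single literal character.
_DUMP_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.DOTALL)


def dump_to_bytes(dump: str) -> bytes:
    """Turn a debug-dump string such as '<3><10>REGISTER' into the raw attribute bytes."""
    out = bytearray()
    for num, ch in _DUMP_TOKEN.findall(dump):
        out.append(int(num) if num else ord(ch))
    return bytes(out)


def encode_tlv(subtype: int, value: str) -> bytes:
    """Wire form of one sub-attribute: type byte, length byte (header included), value."""
    data = value.encode("ascii")
    if subtype not in DIGEST_SUBTYPES or len(data) + 2 > 255:
        raise ValueError("unknown sub-type or value too long")
    return bytes([subtype, len(data) + 2]) + data


def decode_tlv(raw: bytes) -> tuple:
    """Inverse of encode_tlv; rejects unknown sub-types and a length byte that disagrees with the data."""
    if len(raw) < 2 or raw[1] != len(raw):
        raise ValueError(f"length byte does not match {len(raw)} bytes present")
    name = DIGEST_SUBTYPES.get(raw[0])
    if name is None:
        raise ValueError(f"unknown Digest-Attributes sub-type {raw[0]}")
    return name, raw[2:].decode("ascii")


def is_well_formed(raw: bytes) -> bool:
    try:
        decode_tlv(raw)
        return True
    except ValueError:
        return False


def expand_digest_attributes(values) -> dict:
    """What a PreClientHook does: one entry per sub-attribute, so a Handler can key on Digest-Method."""
    attrs = {}
    for raw in values:
        name, value = decode_tlv(raw)
        if name in attrs:
            raise ValueError(f"duplicate {name}")
        attrs[name] = value
    return attrs


def _md5(s: str) -> str:
    # MD5 is what RFC 2617 digest authentication specifies.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def expected_digest_response(password: str, attrs: dict) -> str:
    """RFC 2617 response recomputed from the user's password and the unpacked sub-attributes."""
    if attrs.get("Digest-Algorithm", "MD5").upper() != "MD5":
        raise ValueError("only algorithm=MD5 handled here")
    ha1 = _md5(f'{attrs["Digest-User-Name"]}:{attrs["Digest-Realm"]}:{password}')
    ha2 = _md5(f'{attrs["Digest-Method"]}:{attrs["Digest-URI"]}')
    qop = attrs.get("Digest-QOP")
    if qop is None:  # RFC 2069 style request without qop
        return _md5(f'{ha1}:{attrs["Digest-Nonce"]}:{ha2}')
    if qop != "auth":
        raise ValueError("qop=auth-int needs the body digest; not handled here")
    return _md5(f'{ha1}:{attrs["Digest-Nonce"]}:{attrs["Digest-Nonce-Count"]}:'
                f'{attrs["Digest-CNonce"]}:{qop}:{ha2}')


def verify_digest_response(password: str, attrs: dict, presented: str) -> bool:
    """Constant-time comparison of the presented Digest-Response with the recomputed one."""
    return hmac.compare_digest(expected_digest_response(password, attrs), presented.lower())


# Constructed sample in the same dump form as the requests quoted in the thread (not real traffic).
SAMPLE_DUMP = [
    "<10><7>alice",
    "<1><13>example.net",
    "<2>*0123456789abcdef0123456789abcdef01234567",
    "<4><17>sip:example.net",
    "<3><10>REGISTER",
    "<5><6>auth",
    "<9><10>00000001",
    "<8><10>0a1b2c3d",
]

if __name__ == "__main__":
    attrs = expand_digest_attributes([dump_to_bytes(d) for d in SAMPLE_DUMP])
    for name, value in attrs.items():
        print(f"{name} = {value!r}")
    resp = expected_digest_response("s3cret", attrs)
    print("expected Digest-Response:", resp, "verifies:", verify_digest_response("s3cret", attrs, resp))
```

Run stand-alone it prints the unpacked attributes for the constructed request. In a real deployment the password (or better, a stored H(A1)) would come from the SQL lookup the Handler performs, and a length byte that does not match the data present, which is the case for some of the anonymised values quoted above, is exactly what a strict unpacker should refuse rather than silently truncate or pad.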