[Freeswitch-users] Mod_rad_auth issue for FS working with FreeRadius server

fieldpeak fieldpeak at gmail.com
Wed Aug 3 08:32:39 MSD 2011


Hi Tihomir,

Sorry, I missed your mail in gmail before and just now saw it. After using
your dictionary.all, the dictionary issue was resolved; I very much appreciate
your kind help! However, it is not fully functional yet.

Attached are the configuration files that I used. When I dial 601 to trigger
the auth, the freeradius server shows the log below. The suspicious part of the
log is the value of User-Password; it should be '1111', which I've set in the
mysql db of the freeradius server for the user 1001.

I searched in Google for the "known good" password issue; I suggest changing
user-password to cleartext-password, however, I did not find where it is.
And also the Auth-Type, where to configure it...

Freeradius server log:

rad_recv: Access-Request packet from host 127.0.0.1 port 52684, id=49,
length=111
        User-Name = "1001"
        User-Password = "?\210\365@\263\t\306\343\243iT?\311C\t\002"
        Called-Station-Id = "888"
        h323-conf-id = "749d2b5a-16ad-48e4-af58-24011949d1b5"
        Calling-Station-Id = "1001"
        NAS-Port = 0
        NAS-IP-Address = 127.0.0.1
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20110803
[auth_log]
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20110803
[auth_log]      expand: %t -> Wed Aug  3 12:06:33 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "1001", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> 1001
[sql] sql_set_user escaped user --> '1001'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id
-> SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '1001'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username =
'1001'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
[sql] User 1001 not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
  WARNING: Unprintable characters in the password.        Double-check the
shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> 1001
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 49 to 127.0.0.1 port 52684
Waking up in 4.9 seconds.
Cleaning up request 8 ID 49 with timestamp +7674
Ready to process requests.
WARNING! No "known good" password found for the user

Regards,
Charles

2011/8/3 Tihomir Culjaga <tculjaga at gmail.com>

> did u use the dictionary i have attached ?
>
>
> On Tue, Aug 2, 2011 at 10:08 AM, fieldpeak <fieldpeak at gmail.com> wrote:
>
>> I tried changing 'h323-conf-id' to 'h323-call-origin' in
>> 02_unitest_rad-ANI-auth.xml and rad_auth.conf.xml; however, it still prompts
>> '[ERR] mod_rad_auth.c:428 Unknown attribute: key:h323-conf-id, not found
>> in dictionary', so where does mod_rad_auth read the 'h323-conf-id' from? Very,
>> very strange; which dictionary was it using...
>>
>> Regards,
>> Charles
>>
>>
>> 2011/8/2 fieldpeak <fieldpeak at gmail.com>
>>
>>> Hi Tihomir,
>>>
>>> Finally the answer is coming, I see hope; thanks for your reply :)
>>>
>>> As you advised, I only use one attribute (h323-conf-id) in my dialplan,
>>> and only one attribute (h323-conf-id) in rad_auth.conf.xml, and I am using the
>>> attached dictionary (from cisco) which contains this attribute; however, it
>>> still prompts 'unknown attribute'. I suspected it was reading
>>> /usr/local/etc/radiusclient/dictionary, so I copied the same dictionary to
>>> /usr/local/freeswitch/radius/, but it did not help at all... very strange...
>>>
>>> Log:
>>> 2011-08-02 15:37:26.578217 [DEBUG] mod_rad_auth.c:318 set default_realm
>>> := .
>>> 2011-08-02 15:37:26.578217 [DEBUG] mod_rad_auth.c:318 set radius_timeout
>>> := 3.
>>> 2011-08-02 15:37:26.578217 [DEBUG] mod_rad_auth.c:318 set radius_retries
>>> := 2.
>>> 2011-08-02 15:37:26.578217 [DEBUG] mod_rad_auth.c:318 set radius_deadtime
>>> := 0.
>>> 2011-08-02 15:37:26.578217 [DEBUG] mod_rad_auth.c:318 set bindaddr := *.
>>> 2011-08-02 15:37:26.578217 [DEBUG] mod_rad_auth.c:371 ... radius:
>>> User-Name: 38516060333
>>> 2011-08-02 15:37:26.578217 [DEBUG] mod_rad_auth.c:380 ... radius:
>>> User-Password: 003282
>>> 2011-08-02 15:37:26.578217 [DEBUG] mod_rad_auth.c:396 ... radius:
>>> Called-station-Id: 16094191500
>>> 2011-08-02 15:37:26.578217 [DEBUG] mod_rad_auth.c:413 Handle attribute:
>>> h323-conf-id
>>> 2011-08-02 15:37:26.578217 [ERR] mod_rad_auth.c:428 Unknown attribute:
>>> key:h323-conf-id, not found in dictionary
>>> 2011-08-02 15:37:26.578217 [DEBUG] mod_rad_auth.c:538 abort sending
>>> radius packet.
>>> 2011-08-02 15:37:26.578217 [ERR] mod_rad_auth.c:546 An error occured
>>> during RADIUS Authentication(RC=-1)
>>> 2011-08-02 15:37:26.578217 [ERR] mod_rad_auth.c:702 An error occured
>>> during radius authorization.
>>>
>>> EXECUTE sofia/internal/1001 at 124.193.106.104 log(INFO  AUTH_RESULT=)
>>>
>>>
>>>
>>>   <extension name="unitest_rad-ANI-auth">
>>>     <condition field="destination_number" expression="^601$">
>>>       <!-- <action application="log" data="INFO  Before Auth "/> -->
>>>
>>>       <action inline="true" application="set" data="CALLID=h323-conf-id=${uuid}"/>
>>>
>>>       <action inline="true" application="set" data="USERNAME=1001"/>
>>>       <action inline="true" application="set" data="PASSWD=1111"/>
>>>
>>>
>>>       <action application="sleep" data="2000"/>
>>>       <action application="auth_function" data="in ${DIALED_NUMBER}, in ${USERNAME}, in ${PASSWD}, out AUTH_RESULT"/>
>>>
>>>     </condition>
>>>   </extension>
>>>
>>>
>>>
>>> <configuration name="rad_auth.conf" description="radius authentification module">
>>>   <settings>
>>>
>>>   </settings>
>>>
>>>   <client>
>>>     <param name="authserver" value="127.0.0.1:1812:gateway"/>
>>>     <param name="dictionary" value="/usr/local/etc/radiusclient/dictionary"/>
>>>     <param name="seqfile" value="/var/run/radius.seq"/>
>>>     <param name="mapfile" value="/usr/local/etc/radiusclient/port-id-map"/>
>>>     <param name="default_realm" value=""/>
>>>     <param name="radius_timeout" value="3"/>
>>>     <param name="radius_retries" value="2"/>
>>>     <param name="radius_deadtime" value="0"/>
>>>     <param name="bindaddr" value="*"/>
>>>   </client>
>>>
>>>   <vsas>
>>>
>>>
>>>     <param name="h323-conf-id" id="24" value="CALLID" pec="9" expr="1" direction="in"/>
>>>
>>>   </vsas>
>>>  </configuration>
>>>
>>>
>>>
>>> 2011/8/2 Tihomir Culjaga <tculjaga at gmail.com>
>>>
>>>> hi,
>>>>
>>>> dictionary.all is just the name of a file containing all attributes i
>>>> needed at that time.
>>>>
>>>> you can include other dictionaries by putting #INCLUDE <pathname> at the
>>>> end of the dictionary file you reference in rad_auth.conf.xml.
>>>> if the INCLUDE doesn't work, just append dictionary.cisco to your
>>>> dictionary file... and make your own file.
>>>>
>>>>
>>>> check inline comments down below...
>>>>
>>>>
>>>> T.
>>>>
>>>>
>>>> On Sun, Jul 31, 2011 at 10:46 AM, fieldpeak <fieldpeak at gmail.com> wrote:
>>>>
>>>>> Hello Gurus,
>>>>>
>>>>> I met an issue when using
>>>>> mod_rad_auth (http://wiki.freeswitch.org/wiki/Mod_rad_auth) to work
>>>>> with a freeradius server + mysql for AAA. The details are below. Could
>>>>> anyone give any hints? Thanks in advance.
>>>>>
>>>>> I set up a dial plan "unitest_rad-ANI-auth" as in the wiki above; however,
>>>>> when I dialed 601 to trigger the dial plan, the console showed errors.
>>>>> It looks like "h323-conf-id" is not in the directory, so I tried to add
>>>>> this attribute to the dictionary; however, it does not help. In the
>>>>> wiki, it mentions that rad_auth.conf.xml contains <param
>>>>> name="dictionary"
>>>>> value="/usr/local/etc/radiusclient/dictionary.all"/>; however, I did
>>>>> not find the file "dictionary.all" in that directory, so I use
>>>>> dictionary. BTW, the freeradius server + mysql works well.
>>>>>
>>>>
>>>> i just appended the information needed into dictionary.all file...
>>>> (vendor and attribute definition).
>>>>
>>>>
>>>>
>>>>>
>>>>> console errors:
>>>>>
>>>>> EXECUTE sofia/internal/1001 at 124.193.106.104 auth_function(in , in
>>>>> 38516060333, in 003282, out AUTH_RESULT)
>>>>> 2011-07-31 16:23:24.717088 [DEBUG] mod_rad_auth.c:301 allocate initial
>>>>> structure.
>>>>> 2011-07-31 16:23:24.717088 [DEBUG] mod_rad_auth.c:313 initialzed
>>>>> configuration.
>>>>> 2011-07-31 16:23:24.717088 [DEBUG] mod_rad_auth.c:318 set authserver
>>>>> := 127.0.0.1:1812:gateway.
>>>>> 2011-07-31 16:23:24.717088 [DEBUG] mod_rad_auth.c:318 set dictionary
>>>>> := /usr/local/etc/radiusclient/dictionary.
>>>>> 2011-07-31 16:23:24.717088 [DEBUG] mod_rad_auth.c:318 set seqfile :=
>>>>> /var/run/radius.seq.
>>>>> 2011-07-31 16:23:24.717088 [DEBUG] mod_rad_auth.c:318 set mapfile :=
>>>>> /usr/local/etc/radiusclient/port-id-map.
>>>>> 2011-07-31 16:23:24.717088 [DEBUG] mod_rad_auth.c:318 set default_realm
>>>>> := .
>>>>> 2011-07-31 16:23:24.717088 [DEBUG] mod_rad_auth.c:318 set
>>>>> radius_timeout := 3.
>>>>> 2011-07-31 16:23:24.717088 [DEBUG] mod_rad_auth.c:318 set
>>>>> radius_retries := 2.
>>>>> 2011-07-31 16:23:24.717088 [DEBUG] mod_rad_auth.c:318 set
>>>>> radius_deadtime := 0.
>>>>> 2011-07-31 16:23:24.717088 [DEBUG] mod_rad_auth.c:318 set bindaddr :=
>>>>> *.
>>>>> 2011-07-31 16:23:24.737004 [DEBUG] mod_rad_auth.c:371 ... radius:
>>>>> User-Name: 38516060333
>>>>> 2011-07-31 16:23:24.737004 [DEBUG] mod_rad_auth.c:380 ... radius:
>>>>> User-Password: 003282
>>>>> 2011-07-31 16:23:24.737004 [DEBUG] mod_rad_auth.c:391 ... radius:
>>>>> Called-station-Id is empty, ignoring...
>>>>> 2011-07-31 16:23:24.737004 [DEBUG] mod_rad_auth.c:413 Handle
>>>>> attribute: h323-conf-id
>>>>> 2011-07-31 16:23:24.737004 [ERR] mod_rad_auth.c:428 Unknown attribute:
>>>>> key:h323-conf-id, not found in dictionary
>>>>> 2011-07-31 16:23:24.737004 [DEBUG] mod_rad_auth.c:538 abort sending
>>>>> radius packet.
>>>>> 2011-07-31 16:23:24.737004 [ERR] mod_rad_auth.c:546 An error occured
>>>>> during RADIUS Authentication(RC=-1)
>>>>> 2011-07-31 16:23:24.737004 [ERR] mod_rad_auth.c:702 An error occured
>>>>> during radius authorization.
>>>>> EXECUTE sofia/internal/1001 at 124.193.106.104 log(INFO  AUTH_RESULT=)
>>>>> 2011-07-31 16:23:24.737004 [INFO] mod_dptools.c:1202  AUTH_RESULT=
>>>>> EXECUTE sofia/internal/1001 at 124.193.106.104 log(INFO  billing_model=)
>>>>> 2011-07-31 16:23:24.737004 [INFO] mod_dptools.c:1202  billing_model=
>>>>> EXECUTE sofia/internal/1001 at 124.193.106.104 log(INFO  credit_amount=)
>>>>> 2011-07-31 16:23:24.737004 [INFO] mod_dptools.c:1202  credit_amount=
>>>>> EXECUTE sofia/internal/1001 at 124.193.106.104 log(INFO  currency=)
>>>>> 2011-07-31 16:23:24.737004 [INFO] mod_dptools.c:1202  currency=
>>>>> EXECUTE sofia/internal/1001 at 124.193.106.104 log(INFO  preffered_lang=)
>>>>> 2011-07-31 16:23:24.737004 [INFO] mod_dptools.c:1202  preffered_lang=
>>>>>
>>>>> added below in the dictionary(/usr/local/etc/radiusclient/dictionary):
>>>>>
>>>>> ATTRIBUTE       h323-conf-id            1008    string
>>>>>
>>>>
>>>> you need the vendor definition as well
>>>>
>>>>
>>>>>
>>>>>
>>>>> dial plan:
>>>>> <extension name="unitest_rad-ANI-auth">
>>>>>    <condition field="destination_number" expression="^601$">
>>>>>      <action application="log" data="INFO  Before Auth "/>
>>>>>
>>>>>      <action inline="true" application="set" data="CALLID=h323-conf-id=${uuid}"/>
>>>>>      <action inline="true" application="set" data="SERVICENUM=h323-prompt-id=${destination_number}"/>
>>>>>      <action inline="true" application="set" data="TRANSACTIONID=h323-ivr-out=transactionID:1234"/>
>>>>>  <!--      <action inline="true" application="set" data="CALLINGNUMBER=${caller_id_number}"/> -->
>>>>>      <action inline="true" application="set" data="CALLINGNUMBER=38516060333"/>
>>>>>      <action inline="true" application="set" data="USERNAME=38516060333"/>
>>>>>  <!--      <action inline="true" application="set" data="USERNAME=209354"/> -->
>>>>>      <action inline="true" application="set" data="PASSWD=003282"/>
>>>>>  <!--      <action inline="true" application="set" data="DIALED_NUMBER=16094191500"/>  -->
>>>>>
>>>>>      <action application="sleep" data="2000"/>
>>>>>      <action application="auth_function" data="in ${DIALED_NUMBER}, in ${USERNAME}, in ${PASSWD}, out AUTH_RESULT"/>
>>>>>
>>>>>
>>>>>      <action application="log" data="INFO  AUTH_RESULT=${AUTH_RESULT}"/>
>>>>>      <action application="log" data="INFO  billing_model=${billing_model}"/>
>>>>>      <action application="log" data="INFO  credit_amount=${credit_amount}"/>
>>>>>      <action application="log" data="INFO  currency=${currency}"/>
>>>>>      <action application="log" data="INFO  preffered_lang=${preffered_lang}"/>
>>>>>      <action application="log" data="INFO  credit_time=${credit_time}"/>
>>>>>      <action application="log" data="INFO h323_ivr_duration=${h323_ivr_duration}"/>
>>>>>      <action application="log" data="INFO  return_code=${return_code}"/>
>>>>>      <!-- <action application="execute_extension" data="AUTH XML default"/> -->
>>>>>    </condition>
>>>>>  </extension>
>>>>>
>>>>>  radius_cdr.conf.xml:
>>>>>  <configuration name="radius_cdr.conf" description="RADIUS CDR Configuration">
>>>>>
>>>>>        <settings>
>>>>>
>>>>>                <!-- location of the radius dictionary files -->
>>>>>
>>>>>                <param name="dictionary" value="/usr/local/freeswitch/conf/radius/dictionary"/>
>>>>>
>>>>>
>>>> your dictionary file needs to contain all the attributes you are trying
>>>> to use, or to include other dictionaries (in this case dictionary.cisco) from
>>>> the dictionary file you are referencing here.
>>>>
>>>>
>>>>>                <!-- number of retries for each server -->
>>>>>
>>>>>                <param name="radius_retries" value="3"/>
>>>>>
>>>>>                <!-- number of seconds to wait between retries -->
>>>>>
>>>>>                <param name="radius_timeout" value="5"/>
>>>>>
>>>>>                <!-- accounting servers, up to 8 allowed -->
>>>>>
>>>>>                <!-- value is "host:port:secret", port is optional -->
>>>>>
>>>>>                <!-- use IP ADDRESSES, not hostnames -->
>>>>>
>>>>>                <param name="acct_server" value="127.0.0.1:1813:testing123"/>
>>>>>
>>>>>
>>>>>        </settings>
>>>>>
>>>>> </configuration>
>>>>>
>>>>>  the FS version:
>>>>>  FreeSWITCH Version 1.0.head (git-492bc6b 2011-07-23 12-53-04 -0400)
>>>>>
>>>>>  Regards,
>>>>>  Charles
>>>>>
>>>>> _______________________________________________
>>>>> Join us at ClueCon 2011, Aug 9-11, Chicago
>>>>> http://www.cluecon.com 877-7-4ACLUE
>>>>>
>>>>> FreeSWITCH-users mailing list
>>>>>
>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>> UNSUBSCRIBE:
>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>> http://www.freeswitch.org
>>>>>
>>>>
>>>>
>>>
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 02_unitest_rad-ANI-auth.xml
Type: text/xml
Size: 1934 bytes
Desc: not available
Url : http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20110803/b381a3f6/attachment-0002.xml 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rad_auth.conf.xml
Type: text/xml
Size: 2779 bytes
Desc: not available
Url : http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20110803/b381a3f6/attachment-0003.xml 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mysql_user_info.png
Type: image/png
Size: 114727 bytes
Desc: not available
Url : http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20110803/b381a3f6/attachment-0001.png 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radiusclient.conf
Type: application/octet-stream
Size: 3302 bytes
Desc: not available
Url : http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20110803/b381a3f6/attachment-0001.obj 
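
The FreeRADIUS log in the top message prints User-Password as unprintable bytes and warns to double-check the shared secret on the server and the NAS. The following added example (not part of the original post, and not mod_rad_auth or FreeRADIUS code) implements the RFC 2865 section 5.2 User-Password hiding on both sides to show how a secret mismatch produces that symptom; the authenticator is constructed, "gateway" is the secret from the quoted rad_auth.conf.xml, and "testing123" as the server-side secret is an assumption.

```python
import hashlib

def _keystream(secret: bytes, prev: bytes) -> bytes:
    # RFC 2865 5.2: b_i = MD5(shared secret + previous ciphertext block);
    # for the first block the Request Authenticator takes that place.
    return hashlib.md5(secret + prev).digest()

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: turn the cleartext password into the User-Password value."""
    if len(authenticator) != 16 or not 0 < len(password) <= 128:
        raise ValueError("need a 16-byte authenticator and a 1..128 byte password")
    padded = password + b"\x00" * (-len(password) % 16)  # pad with NULs to 16n
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        ks = _keystream(secret, prev)
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], ks))
        hidden += block
        prev = block
    return hidden

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the server's copy of the secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        ks = _keystream(secret, prev)
        clear += bytes(c ^ k for c, k in zip(block, ks))
        prev = block
    return clear.rstrip(b"\x00")

def has_unprintable(recovered: bytes) -> bool:
    """The symptom the server warns about: bytes outside printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in recovered)

# Constructed sample values (a real Request Authenticator is random per packet).
AUTHENTICATOR = bytes(range(16))
NAS_SECRET = b"gateway"        # from authserver value="127.0.0.1:1812:gateway"
SERVER_SECRET = b"testing123"  # assumption: secret configured for this client

def demo():
    """Return (password seen with matching secret, with mismatched secret)."""
    hidden = hide_password(b"1111", NAS_SECRET, AUTHENTICATOR)
    return (recover_password(hidden, NAS_SECRET, AUTHENTICATOR),
            recover_password(hidden, SERVER_SECRET, AUTHENTICATOR))

if __name__ == "__main__":
    same, different = demo()
    print("matching secret  :", same, "unprintable:", has_unprintable(same))
    print("mismatched secret:", different, "unprintable:", has_unprintable(different))
```

With matching secrets the server recovers `1111`; with different secrets it recovers 16 pseudo-random bytes, so the PAP comparison fails whatever password is stored for the user.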
