[Freeswitch-users] Mod_rad_auth issue for FS working with FreeRadius server

Tihomir Culjaga tculjaga at gmail.com
Fri Aug 5 11:18:03 MSD 2011


add to rad_auth.conf.xml

<param name="NAS-Port-Type" id="61" value="0" pec="0" expr="0" direction="in"/>
<param name="Login-User" id="6" value="1" pec="0" expr="0" direction="in"/>



as for Auth Type I'm not sure if you need it ... this is up to your server.
According to the dictionary file you need to set it as follows:

<param name="Auth-Type" id="1000" value="?" pec="0" expr="0" direction="in"/>

the value (set as ?) is one of the following. Again, not sure what is
required by your server.

VALUE           Auth-Type               Local                   0
VALUE           Auth-Type               System                  1
VALUE           Auth-Type               SecurID                 2
VALUE           Auth-Type               Crypt-Local             3
VALUE           Auth-Type               Reject                  4

#
#       Cistron extensions
#
VALUE           Auth-Type               Pam                     253
VALUE           Auth-Type               Accept                  254



regards,
Tihomir.
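The "Unprintable characters in the password. Double-check the shared secret" warning in the FreeRADIUS log quoted below is what a shared-secret mismatch looks like on the wire: the NAS hides User-Password per RFC 2865 section 5.2 by XORing it with MD5(secret + Request-Authenticator), so a server using a different secret unmasks it into garbage. The following is an added illustration, not code from the thread or from mod_rad_auth; the authenticator value and the choice of "gateway" (the secret in the poster's rad_auth.conf.xml) versus "testing123" (the secret in the poster's radius_cdr.conf.xml) as the mismatched pair are constructed for the demo.

```python
import hashlib

# Constructed 16-byte Request Authenticator so the demo is reproducible;
# a real NAS sends a random one in every Access-Request.
REQUEST_AUTHENTICATOR = bytes(range(16))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining: next key is derived from this ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same MD5 key stream and XOR it back out."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")  # strip the RFC padding


def is_printable(password: bytes) -> bool:
    """Same check FreeRADIUS applies before warning about the shared secret."""
    return all(32 <= c < 127 for c in password)


def demo():
    """Returns (password as seen with matching secret, password as seen with mismatched secret)."""
    nas_secret = b"gateway"        # secret configured on the FreeSWITCH side in the thread
    server_secret = b"testing123"  # the other secret appearing in the thread's configs
    hidden = hide_password(b"1111", nas_secret, REQUEST_AUTHENTICATOR)
    good = reveal_password(hidden, nas_secret, REQUEST_AUTHENTICATOR)
    bad = reveal_password(hidden, server_secret, REQUEST_AUTHENTICATOR)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("matching secret  :", good, "printable:", is_printable(good))
    print("mismatched secret:", bad, "printable:", is_printable(bad))
```

If the server prints the expected clear-text value the secrets agree, and the remaining problem is the missing radcheck entry ("User 1001 not found") rather than the transport.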


On Wed, Aug 3, 2011 at 6:32 AM, fieldpeak <fieldpeak at gmail.com> wrote:

> Hi Tihomir,
>
> Sorry, i missed your mail in gmail before, just now saw it, and after using
> your dictionary.all, the dictionary issue was resolved, very appreciated for
> your kindly help! however, it is not fully functional yet,
>
> Attached are configuration files that i used, when i dial 601 to trigger the
> auth, the freeradius server shows the log below, the suspicious log is the value
> User-Password, it should be '1111' that i've set in the mysql db of the
> freeradius server for the user 1001 .
>
> i searched in google for the "known good" password issue, and it suggests changing
> user-password to cleartext-password, however, i did not find where it is.
> and also the Auth-Type, where to configure it...
>
> Freeradius server log:
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 52684, id=49,
> length=111
>         User-Name = "1001"
>         User-Password = "?\210\365@\263\t\306\343\243iT?\311C\t\002"
>         Called-Station-Id = "888"
>         h323-conf-id = "749d2b5a-16ad-48e4-af58-24011949d1b5"
>         Calling-Station-Id = "1001"
>         NAS-Port = 0
>         NAS-IP-Address = 127.0.0.1
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [auth_log]      expand:
> /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20110803
> [auth_log]
> /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /usr/local/var/log/radius/radacct/
> 127.0.0.1/auth-detail-20110803
> [auth_log]      expand: %t -> Wed Aug  3 12:06:33 2011
> ++[auth_log] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "1001", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> [sql]   expand: %{User-Name} -> 1001
> [sql] sql_set_user escaped user --> '1001'
> rlm_sql (sql): Reserving sql socket id: 4
> [sql]   expand: SELECT id, username, attribute, value, op           FROM
> radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id
> -> SELECT id, username, attribute, value, op           FROM
> radcheck           WHERE username = '1001'           ORDER BY id
> [sql]   expand: SELECT groupname           FROM radusergroup
> WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
> groupname           FROM radusergroup           WHERE username =
> '1001'           ORDER BY priority
> rlm_sql (sql): Released sql socket id: 4
> [sql] User 1001 not found
> ++[sql] returns notfound
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication
> may fail because of this.
> ++[pap] returns noop
> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
> the user
> Failed to authenticate the user.
>   WARNING: Unprintable characters in the password.        Double-check the
> shared secret on the server and the NAS!
> Using Post-Auth-Type Reject
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> 1001
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 8 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 8
> Sending Access-Reject of id 49 to 127.0.0.1 port 52684
> Waking up in 4.9 seconds.
> Cleaning up request 8 ID 49 with timestamp +7674
> Ready to process requests.
> WARNING! No "known good" password found for the user
>
> Regards,
> Charles
>
>
> 2011/8/3 Tihomir Culjaga <tculjaga at gmail.com>
>
>> did u use the dictionary i have attached ?
>>
>>
>> On Tue, Aug 2, 2011 at 10:08 AM, fieldpeak <fieldpeak at gmail.com> wrote:
>>
>>> i tried changing 'h323-conf-id' to 'h323-call-origin' in
>>> 02_unitest_rad-ANI-auth.xml, rad_auth.conf.xml, however, it still prompts
>>> '[ERR] mod_rad_auth.c:428 Unknown attribute: key:h323-conf-id, not found
>>> in dictionary', so where does mod_rad_auth read out the 'h323-conf-id'? very
>>> very strange, which dictionary was it using...
>>>
>>> Regards,
>>> Charles
>>>
>>>
>>> 2011/8/2 fieldpeak <fieldpeak at gmail.com>
>>>
>>>> Hi Tihomir,
>>>>
>>>> Finally the answer is coming, i see the hope, thanks for your reply, :)
>>>>
>>>> As you advised, i only use one attribute (h323-conf-id) in my dialplan,
>>>> and only one attribute (h323-conf-id) in rad_auth.conf.xml, and use the
>>>> attached dictionary (from cisco) which contains this attribute, however, it
>>>> still prompts 'unknown attribute', so i suspected it was reading
>>>> /usr/local/etc/radiusclient/dictionary, so i copied the same dictionary to
>>>> /usr/local/freeswitch/radius/, it did not help at all... very strange...
>>>>
>>>> Log:
>>>> 2011-08-02 15:37:26.578217 [DEBUG] mod_rad_auth.c:318 set default_realm
>>>> := .
>>>> 2011-08-02 15:37:26.578217 [DEBUG] mod_rad_auth.c:318 set radius_timeout
>>>> := 3.
>>>> 2011-08-02 15:37:26.578217 [DEBUG] mod_rad_auth.c:318 set radius_retries
>>>> := 2.
>>>> 2011-08-02 15:37:26.578217 [DEBUG] mod_rad_auth.c:318 set
>>>> radius_deadtime := 0.
>>>> 2011-08-02 15:37:26.578217 [DEBUG] mod_rad_auth.c:318 set bindaddr := *.
>>>> 2011-08-02 15:37:26.578217 [DEBUG] mod_rad_auth.c:371 ... radius:
>>>> User-Name: 38516060333
>>>> 2011-08-02 15:37:26.578217 [DEBUG] mod_rad_auth.c:380 ... radius:
>>>> User-Password: 003282
>>>> 2011-08-02 15:37:26.578217 [DEBUG] mod_rad_auth.c:396 ... radius:
>>>> Called-station-Id: 16094191500
>>>> 2011-08-02 15:37:26.578217 [DEBUG] mod_rad_auth.c:413 Handle attribute:
>>>> h323-conf-id
>>>> 2011-08-02 15:37:26.578217 [ERR] mod_rad_auth.c:428 Unknown attribute:
>>>> key:h323-conf-id, not found in dictionary
>>>> 2011-08-02 15:37:26.578217 [DEBUG] mod_rad_auth.c:538 abort sending
>>>> radius packet.
>>>> 2011-08-02 15:37:26.578217 [ERR] mod_rad_auth.c:546 An error occured
>>>> during RADIUS Authentication(RC=-1)
>>>> 2011-08-02 15:37:26.578217 [ERR] mod_rad_auth.c:702 An error occured
>>>> during radius authorization.
>>>>
>>>> EXECUTE sofia/internal/1001 at 124.193.106.104 log(INFO  AUTH_RESULT=)
>>>>
>>>>
>>>>
>>>>   <extension name="unitest_rad-ANI-auth">
>>>>     <condition field="destination_number" expression="^601$">
>>>>       <!-- <action application="log" data="INFO  Before Auth "/> -->
>>>>
>>>>       <action inline="true" application="set" data="CALLID=h323-conf-id=${uuid}"/>
>>>>
>>>>       <action inline="true" application="set" data="USERNAME=1001"/>
>>>>       <action inline="true" application="set" data="PASSWD=1111"/>
>>>>
>>>>       <action application="sleep" data="2000"/>
>>>>       <action application="auth_function" data="in ${DIALED_NUMBER}, in ${USERNAME}, in ${PASSWD}, out AUTH_RESULT"/>
>>>>
>>>>     </condition>
>>>>   </extension>
>>>>
>>>>
>>>>
>>>> <configuration name="rad_auth.conf" description="radius authentification module">
>>>>   <settings>
>>>>   </settings>
>>>>
>>>>   <client>
>>>>     <param name="authserver" value="127.0.0.1:1812:gateway"/>
>>>>     <param name="dictionary" value="/usr/local/etc/radiusclient/dictionary"/>
>>>>     <param name="seqfile" value="/var/run/radius.seq"/>
>>>>     <param name="mapfile" value="/usr/local/etc/radiusclient/port-id-map"/>
>>>>     <param name="default_realm" value=""/>
>>>>     <param name="radius_timeout" value="3"/>
>>>>     <param name="radius_retries" value="2"/>
>>>>     <param name="radius_deadtime" value="0"/>
>>>>     <param name="bindaddr" value="*"/>
>>>>   </client>
>>>>
>>>>   <vsas>
>>>>     <param name="h323-conf-id" id="24" value="CALLID" pec="9" expr="1" direction="in"/>
>>>>   </vsas>
>>>> </configuration>
>>>>
>>>>
>>>>
>>>> 2011/8/2 Tihomir Culjaga <tculjaga at gmail.com>
>>>>
>>>>> hi,
>>>>>
>>>>> dictionary.all is just the name of a file containing all attributes i
>>>>> needed at that time.
>>>>>
>>>>> you can include other dictionaries by putting #INCLUDE <pathname> at
>>>>> the end of the dictionary file you reference in rad_auth.conf.xml.
>>>>> if the INCLUDE doesn't work, just append dictionary.cisco to your
>>>>> dictionary file... and make your own file.
>>>>>
>>>>>
>>>>> check inline comments down below...
>>>>>
>>>>>
>>>>> T.
>>>>>
>>>>>
>>>>> On Sun, Jul 31, 2011 at 10:46 AM, fieldpeak <fieldpeak at gmail.com>wrote:
>>>>>
>>>>>> Hello Gurus,
>>>>>>
>>>>>> i met an issue when using
>>>>>> mod_rad_auth(http://wiki.freeswitch.org/wiki/Mod_rad_auth) to work
>>>>>> with freeradius server+mysql for AAA, the details are below, could
>>>>>> anyone give any hints, Thanks in advance.
>>>>>>
>>>>>> i set up a dial plan "unitest_rad-ANI-auth" as in the wiki above, however,
>>>>>> when i dialed 601 to trigger the dial plan, the console showed errors,
>>>>>> it looks like "h323-conf-id" is not in the dictionary, then i tried to add
>>>>>> this attribute to the dictionary, however, it does not help, in the
>>>>>> wiki, it mentioned the rad_auth.conf.xml contains <param
>>>>>> name="dictionary"
>>>>>> value="/usr/local/etc/radiusclient/dictionary.all"/>, however i did
>>>>>> not find the file "dictionary.all" in that directory, so i use
>>>>>> dictionary. BTW, the freeradius server + mysql works well.
>>>>>>
>>>>>
>>>>> i just appended the information needed into dictionary.all file...
>>>>> (vendor and attribute definition).
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> console errors:
>>>>>>
>>>>>> EXECUTE sofia/internal/1001 at 124.193.106.104 auth_function(in , in
>>>>>> 38516060333, in 003282, out AUTH_RESULT)
>>>>>> 2011-07-31 16:23:24.717088 [DEBUG] mod_rad_auth.c:301 allocate initial
>>>>>> structure.
>>>>>> 2011-07-31 16:23:24.717088 [DEBUG] mod_rad_auth.c:313 initialzed
>>>>>> configuration.
>>>>>> 2011-07-31 16:23:24.717088 [DEBUG] mod_rad_auth.c:318 set authserver
>>>>>> := 127.0.0.1:1812:gateway.
>>>>>> 2011-07-31 16:23:24.717088 [DEBUG] mod_rad_auth.c:318 set dictionary
>>>>>> := /usr/local/etc/radiusclient/dictionary.
>>>>>> 2011-07-31 16:23:24.717088 [DEBUG] mod_rad_auth.c:318 set seqfile :=
>>>>>> /var/run/radius.seq.
>>>>>> 2011-07-31 16:23:24.717088 [DEBUG] mod_rad_auth.c:318 set mapfile :=
>>>>>> /usr/local/etc/radiusclient/port-id-map.
>>>>>> 2011-07-31 16:23:24.717088 [DEBUG] mod_rad_auth.c:318 set
>>>>>> default_realm := .
>>>>>> 2011-07-31 16:23:24.717088 [DEBUG] mod_rad_auth.c:318 set
>>>>>> radius_timeout := 3.
>>>>>> 2011-07-31 16:23:24.717088 [DEBUG] mod_rad_auth.c:318 set
>>>>>> radius_retries := 2.
>>>>>> 2011-07-31 16:23:24.717088 [DEBUG] mod_rad_auth.c:318 set
>>>>>> radius_deadtime := 0.
>>>>>> 2011-07-31 16:23:24.717088 [DEBUG] mod_rad_auth.c:318 set bindaddr :=
>>>>>> *.
>>>>>> 2011-07-31 16:23:24.737004 [DEBUG] mod_rad_auth.c:371 ... radius:
>>>>>> User-Name: 38516060333
>>>>>> 2011-07-31 16:23:24.737004 [DEBUG] mod_rad_auth.c:380 ... radius:
>>>>>> User-Password: 003282
>>>>>> 2011-07-31 16:23:24.737004 [DEBUG] mod_rad_auth.c:391 ... radius:
>>>>>> Called-station-Id is empty, ignoring...
>>>>>> 2011-07-31 16:23:24.737004 [DEBUG] mod_rad_auth.c:413 Handle
>>>>>> attribute: h323-conf-id
>>>>>> 2011-07-31 16:23:24.737004 [ERR] mod_rad_auth.c:428 Unknown attribute:
>>>>>> key:h323-conf-id, not found in dictionary
>>>>>> 2011-07-31 16:23:24.737004 [DEBUG] mod_rad_auth.c:538 abort sending
>>>>>> radius packet.
>>>>>> 2011-07-31 16:23:24.737004 [ERR] mod_rad_auth.c:546 An error occured
>>>>>> during RADIUS Authentication(RC=-1)
>>>>>> 2011-07-31 16:23:24.737004 [ERR] mod_rad_auth.c:702 An error occured
>>>>>> during radius authorization.
>>>>>> EXECUTE sofia/internal/1001 at 124.193.106.104 log(INFO  AUTH_RESULT=)
>>>>>> 2011-07-31 16:23:24.737004 [INFO] mod_dptools.c:1202  AUTH_RESULT=
>>>>>> EXECUTE sofia/internal/1001 at 124.193.106.104 log(INFO  billing_model=)
>>>>>> 2011-07-31 16:23:24.737004 [INFO] mod_dptools.c:1202  billing_model=
>>>>>> EXECUTE sofia/internal/1001 at 124.193.106.104 log(INFO  credit_amount=)
>>>>>> 2011-07-31 16:23:24.737004 [INFO] mod_dptools.c:1202  credit_amount=
>>>>>> EXECUTE sofia/internal/1001 at 124.193.106.104 log(INFO  currency=)
>>>>>> 2011-07-31 16:23:24.737004 [INFO] mod_dptools.c:1202  currency=
>>>>>> EXECUTE sofia/internal/1001 at 124.193.106.104 log(INFO
>>>>>>  preffered_lang=)
>>>>>> 2011-07-31 16:23:24.737004 [INFO] mod_dptools.c:1202  preffered_lang=
>>>>>>
>>>>>> added below in the dictionary(/usr/local/etc/radiusclient/dictionary):
>>>>>>
>>>>>> ATTRIBUTE       h323-conf-id            1008    string
>>>>>>
>>>>>
>>>>> you need the vendor definition as well
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>> dial plan:
>>>>>> <extension name="unitest_rad-ANI-auth">
>>>>>>    <condition field="destination_number" expression="^601$">
>>>>>>      <action application="log" data="INFO  Before Auth "/>
>>>>>>
>>>>>>      <action inline="true" application="set" data="CALLID=h323-conf-id=${uuid}"/>
>>>>>>      <action inline="true" application="set" data="SERVICENUM=h323-prompt-id=${destination_number}"/>
>>>>>>      <action inline="true" application="set" data="TRANSACTIONID=h323-ivr-out=transactionID:1234"/>
>>>>>>      <!-- <action inline="true" application="set" data="CALLINGNUMBER=${caller_id_number}"/> -->
>>>>>>      <action inline="true" application="set" data="CALLINGNUMBER=38516060333"/>
>>>>>>      <action inline="true" application="set" data="USERNAME=38516060333"/>
>>>>>>      <!-- <action inline="true" application="set" data="USERNAME=209354"/> -->
>>>>>>      <action inline="true" application="set" data="PASSWD=003282"/>
>>>>>>      <!-- <action inline="true" application="set" data="DIALED_NUMBER=16094191500"/> -->
>>>>>>
>>>>>>      <action application="sleep" data="2000"/>
>>>>>>      <action application="auth_function" data="in ${DIALED_NUMBER}, in ${USERNAME}, in ${PASSWD}, out AUTH_RESULT"/>
>>>>>>
>>>>>>      <action application="log" data="INFO  AUTH_RESULT=${AUTH_RESULT}"/>
>>>>>>      <action application="log" data="INFO  billing_model=${billing_model}"/>
>>>>>>      <action application="log" data="INFO  credit_amount=${credit_amount}"/>
>>>>>>      <action application="log" data="INFO  currency=${currency}"/>
>>>>>>      <action application="log" data="INFO  preffered_lang=${preffered_lang}"/>
>>>>>>      <action application="log" data="INFO  credit_time=${credit_time}"/>
>>>>>>      <action application="log" data="INFO  h323_ivr_duration=${h323_ivr_duration}"/>
>>>>>>      <action application="log" data="INFO  return_code=${return_code}"/>
>>>>>>      <!-- <action application="execute_extension" data="AUTH XML default"/> -->
>>>>>>    </condition>
>>>>>>  </extension>
>>>>>>
>>>>>>  radius_cdr.conf.xml:
>>>>>>  <configuration name="radius_cdr.conf" description="RADIUS CDR Configuration">
>>>>>>
>>>>>>        <settings>
>>>>>>
>>>>>>                <!-- location of the radius dictionary files -->
>>>>>>
>>>>>>                <param name="dictionary" value="/usr/local/freeswitch/conf/radius/dictionary"/>
>>>>>>
>>>>>>
>>>>> your dictionary file needs to contain all the attributes you are trying
>>>>> to use, or include other dictionaries (in this case dictionary.cisco) from
>>>>> the dictionary file you are referencing here.
>>>>>
>>>>>
>>>>>>                <!-- number of retries for each server -->
>>>>>>
>>>>>>                <param name="radius_retries" value="3"/>
>>>>>>
>>>>>>                <!-- number of seconds to wait between retries -->
>>>>>>
>>>>>>                <param name="radius_timeout" value="5"/>
>>>>>>
>>>>>>                <!-- accounting servers, up to 8 allowed -->
>>>>>>
>>>>>>                <!-- value is "host:port:secret", port is optional -->
>>>>>>
>>>>>>                <!-- use IP ADDRESSES, not hostnames -->
>>>>>>
>>>>>>                <param name="acct_server" value="127.0.0.1:1813:testing123"/>
>>>>>>
>>>>>>
>>>>>>        </settings>
>>>>>>
>>>>>> </configuration>
>>>>>>
>>>>>>  the FS version:
>>>>>>  FreeSWITCH Version 1.0.head (git-492bc6b 2011-07-23 12-53-04 -0400)
>>>>>>
>>>>>>  Regards,
>>>>>>  Charles
>>>>>>
>>>>>> _______________________________________________
>>>>>> Join us at ClueCon 2011, Aug 9-11, Chicago
>>>>>> http://www.cluecon.com 877-7-4ACLUE
>>>>>>
>>>>>> FreeSWITCH-users mailing list
>>>>>>
>>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>>> UNSUBSCRIBE:
>>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>>> http://www.freeswitch.org
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>