Dear Daniel, Yeah, right. I totally forgot that it's a reverse DNS lookup. I have now checked the RADIUS server in debug mode and I cannot see any request from openser trying to connect to it, so the request from openser is not reaching the RADIUS server. Then I installed Wireshark on the server where openser is installed and looked for the IP address 128.185.38.162<http://128-185-38-162.totisp.net:1812> (the RADIUS server's IP address). There, too, I did not find any entry related to 128.185.38.16<http://128-185-38-162.totisp.net:1812>. So it seems my configuration is wrong. I am sending you the contents of openser.cfg and radiusclient.conf.
openser.cfg SSH Secure Shell 3.2.3 (Build 279) Copyright (c) 2000-2003 SSH Communications Security Corp - http://www.ssh.com/ This copy of SSH Secure Shell is a non-commercial version. This version does not include PKI and PKCS #11 functionality. Linux isoftel-desktop 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:10:02 UTC 2010 i686 GNU/Linux Ubuntu 10.04 LTS Welcome to Ubuntu! * Documentation: https://help.ubuntu.com/ Last login: Tue Aug 3 10:35:05 2010 from 192.168.0.148 isof...@isoftel-desktop:~$ cd /usr/local/etc/openser/ isof...@isoftel-desktop:/usr/local/etc/openser$ cat openser.cfg # # $Id$ # # radius config script # # ----------- global configuration parameters ------------------------ debug=6 # debug level (cmd line: -dddddddddd) log_stderror=yes # (cmd line: -E) check_via=no # (cmd. line: -v) dns=no # (cmd. line: -r) rev_dns=no # (cmd. line: -R) port=5060 children=4 #listen=udp:localhost #alias="kamailio.org" fifo="/tmp/openser_fifo" # ------------------ module loading ---------------------------------- mpath="/usr/local/lib/openser/modules" loadmodule "mysql.so" loadmodule "sl.so" loadmodule "tm.so" loadmodule "rr.so" loadmodule "maxfwd.so" loadmodule "avpops.so" loadmodule "usrloc.so" loadmodule "registrar.so" loadmodule "textops.so" loadmodule "xlog.so" loadmodule "uri.so" loadmodule "acc.so" loadmodule "auth.so" loadmodule "auth_radius.so" loadmodule "group_radius.so" loadmodule "avp_radius.so" # ----------------- setting module-specific parameters --------------- # -- usrloc params -- #modparam("usrloc","db_url","mysql://openser:opense...@localhost/openser") modparam("usrloc", "db_mode", 2) # -- acc params -- modparam("acc", "radius_flag", 1) modparam("acc", "radius_missed_flag", 2) modparam("acc", "log_flag", 1) modparam("acc", "log_missed_flag", 1) modparam("acc", "service_type", 15) modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp") modparam("acc|auth_radius|group_radius|avp_radius", "radius_config", 
"/etc/radiusclient-ng/radiusclient.conf") # -- group_radius params -- modparam("group_radius", "use_domain", 1) # -- avpops params -- modparam("avpops", "avp_aliases", "day=i:101;time=i:102") # -- rr params -- # add value to ;lr param to make some broken UAs happy modparam("rr", "enable_full_lr", 1) # ------------------------- request routing logic ------------------- # main routing logic route{ # initial sanity checks -- messages with # max_forwards==0, or excessively long requests if (!mf_process_maxfwd_header("10")) { sl_send_reply("483","Too Many Hops"); exit; }; if (msg:len >= 2048 ) { sl_send_reply("513", "Message too big"); exit; }; # check if user is suspended if(is_method("REGISTER|INVITE|MESSAGE|OPTIONS|SUBSCRIBE")) { if (radius_is_user_in("From", "suspended")) { sl_send_reply("403", "Forbidden - suspended"); exit; }; }; # we record-route all messages -- to make sure that # subsequent messages will go through our proxy; that's # particularly good if upstream and downstream entities # use different transport protocol if (!method=="REGISTER") record_route(); # subsequent messages withing a dialog should take the # path determined by record-routing if (loose_route()) { # mark routing logic in request append_hf("P-hint: rr-enforced\r\n"); if(is_method("BYE")) { # log it all the time acc_rad_request("200 ok"); acc_log_request("200 ok"); } route(1); }; if(is_method("INVITE") && !has_totag()) { # set the acc flags setflag(1); setflag(2); }; if (!uri==myself) { # check if user is allowed to do voip calls to other domains if(is_method("INVITE|MESSAGE")) { if (!radius_is_user_in("From", "voip")) { sl_send_reply("403", "Forbidden VoIP"); exit; }; }; # mark routing logic in request append_hf("P-hint: outbound\r\n"); route(1); }; # if the request is for other domain use UsrLoc # (in case, it does not work, use the following command # with proper names and addresses in it) if (uri==myself) { # authenticate registers if (method=="REGISTER") { if 
(!radius_www_authorize("")) { www_challenge("", "1"); exit; }; # check the src ip address if(!avp_check("i:2", "eq/$src_ip/ig")) { sl_send_reply("403", "Forbidden IP"); exit; }; save("location"); exit; }; # calls to pstn if(uri=~"sip:00[1-9][0-9]+@") { if(is_method("INVITE") && !has_totag()) { if (!radius_is_user_in("From", "pstn")) { sl_send_reply("403", "Forbidden PSTN"); exit; }; }; # set gateway address rewritehostport("localhost:5090"); route(1); }; # load callee's avps if(avp_load_radius("callee")) { # check if user has time filter enabled if(avp_check("i:3", "eq/i:1")) { # print time in an avp avp_printf("i:100", "$Tf"); # extract day avp_subst("i:100/i:101", "/(.{3}) .+/*\1*/"); if(!avp_check("i:6", "fm/$day")) { sl_send_reply("403", "Forbidden - day"); exit; }; # extract 'hours:minutes' avp_subst("i:100/i:102", "/(.{10}) (.{5}):.+/\2/"); if((is_avp_set("i:4") && avp_check("i:4", "gt/$time")) || (is_avp_set("i:5") && avp_check("i:5", "lt/$time"))) { sl_send_reply("403", "Forbidden - time"); exit; }; }; }; # native SIP destinations are handled using our USRLOC DB if (!lookup("location")) { # log to acc as missed call acc_rad_request("404 Not Found"); acc_log_request("404 Not Found"); sl_send_reply("404", "Not Found"); exit; }; append_hf("P-hint: usrloc applied\r\n"); }; route(1); } # generic forward route[1] { # send it out now; use stateful forwarding as it works reliably # even for UDP2TCP if (!t_relay()) { sl_reply_error(); }; exit; } radiusclient-ng.conf # General settings # specify which authentication comes first respectively which # authentication is used. possible values are: "radius" and "local". # if you specify "radius,local" then the RADIUS server is asked # first then the local one. if only one keyword is specified only # this server is asked. 
auth_order radius #add 'local' with comma # maximum login tries a user has login_tries 4 # timeout for all login tries # if this time is exceeded the user is kicked out login_timeout 60 # name of the nologin file which when it exists disables logins. # it may be extended by the ttyname which will result in # a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable # logins on /dev/ttyS2) nologin /etc/nologin # name of the issue file. it's only displayed when no username is passed # on the radlogin command line issue /etc/radiusclient-ng/issue # RADIUS settings # RADIUS server to use for authentication requests. this config # item can appear more than one time. if multiple servers are # defined they are tried in a round robin fashion if one # server is not answering. # optionally you can specify the port number on which the remote # RADIUS server listens, separated by a colon from the hostname. if # no port is specified /etc/services is consulted for the radius # service. if this also fails, a compiled-in default is used. authserver 128.185.38.162 # RADIUS server to use for accounting requests. All that I # said for authserver applies, too.
# acctserver 128.185.38.162 # file holding shared secrets used for the communication # between the RADIUS client and server servers /etc/radiusclient-ng/servers # dictionary of allowed attributes and values # just like in the normal RADIUS distributions dictionary /etc/radiusclient-ng/dictionary # program to call for a RADIUS authenticated login login_radius /usr/sbin/login.radius # file which holds sequence number for communication with the # RADIUS server seqfile /var/run/radius.seq # file which specifies mapping between ttyname and NAS-Port attribute mapfile /etc/radiusclient-ng/port-id-map # default authentication realm to append to all usernames if no # realm was explicitly specified by the user # the radiusd directly form Livingston doesnt use any realms, so leave # it blank then default_realm # time to wait for a reply from the RADIUS server radius_timeout 10 # resend request this many times before trying the next server radius_retries 3 # local address from which radius packets have to be sent bindaddr localhost #change with 'localhost' # LOCAL settings # program to execute for local login # it must support the -f flag for preauthenticated login login_local /bin/login I have edited servers file also with the servername and secret. Thank you very much. Regards, Pratik On Mon, Aug 2, 2010 at 11:26 PM, Daniel-Constantin Mierla <mico...@gmail.com > wrote: > Hello, > > > On 8/2/10 12:36 PM, Pratik Shrestha wrote: > > Dear Daniel, > Now the new issue. Seems now openser is trying to talk with radius server. > But still I am getting the one error in syslog which is as follows. > > rc_send_server: no reply from RADIUS server 128-185-38-162.totisp.net:1812 > > Actually I have written only 128.185.38.162 in auth_server in > radiusclient.conf. I don't know how this totisp.net is added. I haven't > mentioned it anywhere. > > > probably reverse dns is done in the library, it is not relevant anyhow. 
Can > you start radius server in debug mode and see if it got some request? You > can also do a ngrep/wireshark on port 1812 of your radius server to watch > for network packets coming from kamailio. > > Cheers, > Daniel > > > > Please help me. > Thanks. > > Regards, > Pratik > > On Mon, Aug 2, 2010 at 11:44 AM, Pratik Shrestha <pratik...@gmail.com>wrote: > >> Dear Daniel, >> >> Before I work for the new version, I am first trying to configure old >> version of openser and radius. I am using openser version 1.0.1 and radius >> client version 0.5.1 and I am following the tutorial given in >> http://kamailio.net/docs/openser-radius-1.0.x.html. >> >> My freeradius server is in another machine and when I use radclient to >> check the user I made, I get the "Authenticated" message. >> But when I use X-lite and connect to openser, it seems openser is not >> talking with freeradius servers. I am sure the "secret" I am using is right >> as I have already tested from radclient. The log which I am getting in >> openser is as shown below >> >> 9(1986) SIP Request: >> 9(1986) method: <REGISTER> >> 9(1986) uri: <sip:192.168.0.56> >> 9(1986) version: <SIP/2.0> >> 9(1986) parse_headers: flags=2 >> 9(1986) Found param type 232, <branch> = >> <z9hG4bK-d8754z-c33212005635f16c-1---d8754z->; state=6 >> 9(1986) Found param type 235, <rport> = <n/a>; state=17 >> 9(1986) end of header reached, state=5 >> 9(1986) parse_headers: Via found, flags=2 >> 9(1986) parse_headers: this is the first via >> 9(1986) After parse_msg... >> 9(1986) preparing to run routing scripts... 
>> 9(1986) parse_headers: flags=100 >> 9(1986) DEBUG:maxfwd:is_maxfwd_present: value = 70 >> 9(1986) parse_headers: flags=10 >> 9(1986) DEBUG:parse_to:end of header reached, state=9 >> 9(1986) DEBUG: get_hdr_field: <To> [44]; uri=[sip:101%40kamailio.org@ >> 192.168.0.56] >> 9(1986) DEBUG: to body ["101"<sip:101%40kamailio....@192.168.0.56> >> ] >> 9(1986) DEBUG: add_param: tag=cc6e4259 >> 9(1986) DEBUG:parse_to:end of header reached, state=29 >> 9(1986) radius_is_user_in(): Failure >> 9(1986) parse_headers: flags=200 >> 9(1986) get_hdr_field: cseq <CSeq>: <2> <REGISTER> >> 9(1986) DEBUG: get_hdr_body : content_length=0 >> 9(1986) found end of header >> 9(1986) find_first_route: No Route headers found >> 9(1986) loose_route: There is no Route HF >> 9(1986) grep_sock_info - checking if host==us: 12==9 && [192.168.0.56] >> == [127.0.0.1] >> 9(1986) grep_sock_info - checking if port 5060 matches port 5060 >> 9(1986) grep_sock_info - checking if host==us: 12==12 && [192.168.0.56] >> == [192.168.0.56] >> 9(1986) grep_sock_info - checking if port 5060 matches port 5060 >> 9(1986) grep_sock_info - checking if host==us: 12==9 && [192.168.0.56] >> == [127.0.0.1] >> 9(1986) grep_sock_info - checking if port 5060 matches port 5060 >> 9(1986) grep_sock_info - checking if host==us: 12==12 && [192.168.0.56] >> == [192.168.0.56] >> 9(1986) grep_sock_info - checking if port 5060 matches port 5060 >> 9(1986) check_nonce(): comparing >> [4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c] and >> [4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c] >> 9(1986) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed >> 9(1986) build_auth_hf(): 'WWW-Authenticate: Digest realm="192.168.0.56", >> nonce="4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c" >> ' >> 9(1986) parse_headers: flags=ffffffffffffffff >> 9(1986) check_via_address(192.168.0.148, 192.168.182.3, 0) >> 9(1986) DEBUG:destroy_avp_list: destroying list (nil) >> 9(1986) receive_msg: cleaning up >> >> At freeradius also, no request goes from openser. 
>> >> Please advise me how to get rid of this problem. >> >> Best Regards, >> Pratik >> >> >> On Wed, Jul 28, 2010 at 5:56 PM, Pratik Shrestha <pratik...@gmail.com>wrote: >> >>> Thanks a lot. I will give it a try >>> >>> Pratik >>> >>> >>> On Wed, Jul 28, 2010 at 3:48 PM, Daniel-Constantin Mierla < >>> mico...@gmail.com> wrote: >>> >>>> Hello, >>>> >>>> >>>> On 7/22/10 6:06 AM, Pratik Shrestha wrote: >>>> >>>>> Dear All, >>>>> >>>>> I am very new to OpenSer. I want to use latest version of OpenSer with >>>>> Radius. I need the documentation/tutorial on how to do this. Googling, >>>>> Ionly >>>>> found for the old version. Please help me. >>>>> >>>> >>>> indeed, there is a rather old version: >>>> >>>> http://www.kamailio.org/docs/openser-radius-1.0.x.html >>>> >>>> What I can say now is that you can skip the part of installing kamailio >>>> and use next link instead: >>>> >>>> http://www.kamailio.org/dokuwiki/doku.php/install:kamailio-3.0.x-from-git >>>> >>>> Radius client library is now in most of common Linux distributions, so >>>> you can install it with the package manager (you need the devel headers as >>>> well, the -dev package). >>>> >>>> FreeRadius configuration should be more or less the same. >>>> >>>> The config of kamailio has changed quite a lot. Use the default one from >>>> kamailio, follow the WITH_AUTH define conditions and replace auth_db with >>>> auth_radius modules and functions. Also, the rest of radius modules were >>>> merged into misc_radius. For enabling radius acc, you need to recompile acc >>>> module after editing the Makefile in module directory. >>>> >>>> Hope it helps to start, ask here if you get stuck. >>>> >>>> >>>> Cheers, >>>> Daniel >>>> >>>> -- >>>> Daniel-Constantin Mierla >>>> http://www.asipto.com/ >>>> >>>> >>> >> > > -- > Daniel-Constantin Mierlahttp://www.asipto.com/ > >