SER Authentication
• Checks whether the provided password is correct
• Local users
– Added using serctl command line utility
serctl add <username> <passwd> <email>
– Need a proper database for persistence
• Users defined in MySQL database
– Existing directory can be exported to MySQL
– Need to export whenever the directory is modified
• Use Radius/LDAP
– SER authenticates via Radius
– Radius gets directory data from LDAP server
– Useful for implementing SIP.EDU
Digest Authentication
• SIP server/proxy challenges UA
– 401 Unauthorized
– 407 Proxy authentication required
– Challenge includes realm and nonce
– realm is normally set to the SIP domain
• UA
– Get the password from user
– Compute MD5 hash of user:realm:password (This is called HA1)
Digest Authentication (ctd)
• SIP server/proxy
– Creates a Radius Access-Request packet and sends to Radius server
• Radius server
– Computes HA1 and then the response
• Radius server must know the user's cleartext password or HA1 (already computed)
– Looks up the LDAP database for the user's password
• Bind to the LDAP directory tree
• Search the LDAP directory tree for the user's password
– Must authenticate itself to the LDAP server
– Sends an Access-Accept or Access-Reject packet to SER
Digest Authentication (ctd)
• SIP server/proxy
– Sends OK to UA if authenticated
Software components
• SIP server (ser-0.9.4)
– Enable radius module when compiling
• Radius client (radiusclient-ng 0.3.2)
– SER talks to the Radius server using radiusclient
• Radius server (freeradius 1.0.5r3)
– In our case running on the same machine
• LDAP server (openldap server 2.2.3)
– In our case running on the same machine
– Already populated LDAP directory
• This presentation will focus on
SER Configuration
• For HTTP Authentication
– Load the auth_radius module in addition to auth module
– Set parameters for the module
• radius_config and service_type parameters
– Use radius_www_authorize and radius_proxy_authorize instead of www_authorize and proxy_authorize
• They take only one parameter instead of the two taken by www_authorize and proxy_authorize
SER Configuration Example
loadmodule "/usr/local/lib/ser/modules/auth.so"
loadmodule "/usr/local/lib/ser/modules/auth_radius.so"
...
modparam("auth_radius", "radius_config", "/etc/ser/radiusclient.conf")
modparam("auth_radius", "service_type", 15)
...
if (!radius_www_authorize("pdn.ac.lk")) {
    www_challenge("pdn.ac.lk", "0");
    break;
};
...
if (!radius_proxy_authorize("pdn.ac.lk")) {
    proxy_challenge("pdn.ac.lk", "0");
    break;
};
...
Radiusclient configuration
• Add the Radius server name or IP address in the file /etc/ser/radiusclient.conf
authserver localhost
acctserver localhost
• Add the shared secret in the file /etc/radiusclientng/servers
localhost testing123
• Append the contents of /etc/ser/dictionary.ser to the file /etc/radiusclientng/dictionary
Radius server configuration
• Add radius client name/IP in file /etc/raddb/clients
client 127.0.0.1 {
    secret testing123
}
• Include the SER dictionary by adding the following to the file /etc/raddb/dictionary
$INCLUDE /etc/ser/dictionary.ser
• Configure LDAP lookup
modules {
    ....
    ldap {
        # ldap config goes here
    }
}   # end of modules
Radius server configuration example
ldap {
    server = "localhost"
    identity = "cn=root,dc=pdn,dc=ac,dc=lk"
    password = tops3cr3t
    basedn = "ou=People,dc=pdn,dc=ac,dc=lk"
    filter = "(uid=%u)"
    ...
    password_attribute = userPassword
    ...
}
LDAP configuration
• LDAP
– Directory tree structure
– LDAP permissions are important
• Before searching the LDAP directory, the Radius server needs to bind to some location on the LDAP tree
– Configuration parameter identity
identity = "cn=root,dc=pdn,dc=ac,dc=lk"
• From the bind location, you must have permission to read/authenticate against the location you are searching
– Configuration parameter basedn
basedn = "ou=People,dc=pdn,dc=ac,dc=lk"
filter = "(uid=%u)"
Sample LDAP configuration
access to dn.base=""
    by * read
access to attr=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=root,dc=pdn,dc=ac,dc=lk" write
    by * none
access to *
    by self write
Debugging
• Radius server
– Run radiusd in debug mode:
/usr/sbin/radiusd -X
• Use radtest utility to test
– First try with a user defined in /etc/raddb/users
test Auth-Type := Local, User-Password := "test"
– Try HTTP Digest authentication with the same user
test Auth-Type := Digest, User-Password := "test"
    Reply-Message = "Hello, test with digest"
– May need some entries in /etc/raddb/hints to map user
Sample Radius debug output
rad_recv: Access-Request packet from host 127.0.0.1:56217, id=200, length=194
    User-Name = "nimalr@pdn.ac.lk"
    Digest-Attributes = 0x0a086e696d616c72
    Digest-Attributes = 0x010b70646e2e61632e6c6b
    Digest-Attributes = 0x022a34336434323731633864306532353437646638323030393965643639646434323464373337383663
    Digest-Attributes = 0x040f7369703a70646e2e61632e6c6b
    Digest-Attributes = 0x030a5245474953544552
    Digest-Response = "df07d6bf3e4e0c78a04e597d430bc12e"
Sample Radius debug output (2)
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_digest: Converting Digest-Attributes to something sane...
    Digest-User-Name = "nimalr"
    Digest-Realm = "pdn.ac.lk"
    Digest-Nonce = "43d4271c8d0e2547df820099ed69dd424d73786c"
    Digest-URI = "sip:pdn.ac.lk"
    Digest-Method = "REGISTER"
Sample Radius debug output (3)
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nimalr
radius_xlat: '(uid=nimalr)'
radius_xlat: 'ou=People,dc=pdn,dc=ac,dc=lk'
...
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=root,dc=pdn,dc=ac,dc=lk/tops3cr3t to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
...
rlm_ldap: performing search in ou=People,dc=pdn,dc=ac,dc=lk, with filter (uid=nimalr)
rlm_ldap: Added password BlahBlah in check items
Sample Radius debug output (4)
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
A1 = nimalr:pdn.ac.lk:BlahBlah
A2 = REGISTER:sip:pdn.ac.lk
KD = 2fc2286e2c035f42ef4c0d077751ca09:43d4271c8d0e2547df820099ed69dd424d73786c:4ea8a5db028bb11e4698dcaef8f4c6d9
  modcall[authenticate]: module "digest" returns ok for
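The decoding and hashing that the debug-output slides show piecemeal (Digest-Attributes TLVs in the Access-Request, then A1, A2 and KD in the authenticate section), carried through end to end. This is an added Python example, not code from SER, radiusclient-ng or FreeRADIUS: it parses the hex Digest-Attributes values captured above into the fields rlm_digest prints, computes the expected Digest-Response from either the user's cleartext password or a stored HA1 (the two options named on the "Digest Authentication (ctd)" slide), and compares it in constant time. Assumptions: the sub-attribute numbering (1 realm, 2 nonce, 3 method, 4 uri, 10 username) follows draft-sterman / RFC 4590, which is the mapping rlm_digest applies in the output above, and the qop-less RFC 2617 formulas are the ones the slide's A1/A2/KD lines use.

```python
import hashlib
import hmac
import re

# Sub-attribute codes inside a RADIUS Digest-Attributes value. Assumed to be the
# draft-sterman / RFC 4590 numbering, which matches what rlm_digest decodes in
# the slide's debug output (the slide itself does not list the codes).
DIGEST_SUBTYPES = {1: "realm", 2: "nonce", 3: "method", 4: "uri", 10: "username"}

# Constructed copy of the Access-Request fields from the "Sample Radius debug
# output" slide. Each value is one type octet, one length octet (which counts
# itself and the type octet) and the ASCII text.
SAMPLE_DIGEST_ATTRIBUTES = [
    "0x0a086e696d616c72",                                  # Digest-User-Name
    "0x010b70646e2e61632e6c6b",                            # Digest-Realm
    "0x022a34336434323731633864306532353437"
    "646638323030393965643639646434323464373337383663",    # Digest-Nonce
    "0x040f7369703a70646e2e61632e6c6b",                    # Digest-URI
    "0x030a5245474953544552",                              # Digest-Method
]
SAMPLE_DIGEST_RESPONSE = "df07d6bf3e4e0c78a04e597d430bc12e"


def parse_digest_attribute(hexvalue):
    """Decode one Digest-Attributes value (0xTTLL<text>) into (name, text)."""
    raw = bytes.fromhex(hexvalue[2:] if hexvalue.startswith("0x") else hexvalue)
    if len(raw) < 2:
        raise ValueError("Digest-Attributes value too short")
    subtype, length = raw[0], raw[1]
    if length != len(raw):  # length octet covers the whole TLV
        raise ValueError("length octet %d but %d octets present" % (length, len(raw)))
    name = DIGEST_SUBTYPES.get(subtype, "subtype-%d" % subtype)
    return name, raw[2:].decode("ascii")


def parse_digest_attributes(values):
    """All Digest-Attributes values of one packet as a dict keyed by field name."""
    return dict(parse_digest_attribute(v) for v in values)


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1_for(username, realm, password):
    """HA1 = MD5(user:realm:password), the value the UA computes."""
    return md5_hex("%s:%s:%s" % (username, realm, password))


def expected_response(attrs, ha1):
    """RFC 2617 without qop: KD = MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5_hex("%s:%s" % (attrs["method"], attrs["uri"]))
    return md5_hex("%s:%s:%s" % (ha1, attrs["nonce"], ha2))


def check_access_request(values, digest_response, password=None, ha1=None):
    """True when Digest-Response matches. The server needs either the cleartext
    password or the stored HA1; storing only HA1 is enough for this check.
    Nonce freshness is not decided here: SER issued the nonce in www_challenge()
    and is the side that must reject stale or foreign nonces."""
    attrs = parse_digest_attributes(values)
    if ha1 is None:
        if password is None:
            raise ValueError("need the user's password or HA1")
        ha1 = ha1_for(attrs["username"], attrs["realm"], password)
    if not re.fullmatch(r"[0-9a-f]{32}", digest_response):
        return False
    return hmac.compare_digest(expected_response(attrs, ha1), digest_response)


if __name__ == "__main__":
    attrs = parse_digest_attributes(SAMPLE_DIGEST_ATTRIBUTES)
    for name, value in attrs.items():
        print("%-8s = %s" % (name, value))
    # "BlahBlah" is the password the rlm_ldap line reports for this request;
    # compare the printed HA1 and response with the slide's A1/KD lines.
    ha1 = ha1_for(attrs["username"], attrs["realm"], "BlahBlah")
    print("HA1      =", ha1)
    print("expected =", expected_response(attrs, ha1))
    print("captured =", SAMPLE_DIGEST_RESPONSE)
    print("match    =", check_access_request(SAMPLE_DIGEST_ATTRIBUTES,
                                             SAMPLE_DIGEST_RESPONSE, ha1=ha1))
```

Two things the captured output makes visible are worth keeping in mind when reading it: radiusd -X prints the LDAP bind credentials (cn=root,dc=pdn,dc=ac,dc=lk/tops3cr3t) and the user's password in clear, so debug logs deserve the same handling as the directory itself, and the check above only proves possession of HA1 for this nonce, so the nonce lifetime enforced by SER is what limits replay.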
LDAP and SIP.EDU
• Incoming request INVITE nimalr@pdn.ac.lk
• Lookup LDAP directory for PBX extension of nimalr
• If found append the new URL to the list of URLs
if ((method=="INVITE") & (uri=~ "sip:[a-z]{3,}@pdn.ac.lk")) {
    if (exec_dset("/usr/local/sbin/sipldap")) {
        log(1, " sipldap lookup successful");
        append_branch();
        revert_uri();
    };
};
• If the call is not answered, can use LDAP directory to
LDAP lookup script
#!/usr/local/bin/bash
LDAP_SERV="localhost"
LDAP_BIND="cn=auth,ou=Servers,dc=pdn,dc=ac,dc=lk"
LDAP_BINDPW="SvrS3cr3"
LDAP_BASE="ou=People,dc=pdn,dc=ac,dc=lk"
# exec_dset() passes the request URI as the first argument
EMAIL=$(echo ${1} | cut -d: -f2)
USERID=$(echo $EMAIL | sed -e "s/@pdn.ac.lk//")
...
# search LDAP directory
LDAP lookup script (ctd)
# print out original unmodified URI if nothing found, or @pdn.ac.lk
if [ -z "${PHONE}" -o "${PHONE}" = "none" ]; then
    echo "${1}"
    exit 1;
else
    echo "sip:${PHONE}@192.248.40.59"
    exit 0;
fi
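The SIP.EDU routing step above, reproduced as an added Python example (not the deck's sipldap script and not SER code) so that the part the script elides, turning the LDAP result into a PBX branch, can be run offline: it applies the same INVITE/alphabetic-user condition as the ser.cfg fragment, extracts the user id the way the script's cut/sed pipeline does, reads the extension out of LDIF-style ldapsearch output, and honours the script's exit-status contract with exec_dset() (0 and the PBX URI when an extension exists, 1 and the unchanged URI otherwise). Assumptions: the LDIF is constructed, the attribute carrying the extension is taken to be telephoneNumber (the slides never name it), and the URI pattern is anchored and dot-escaped, which is tighter than the slide's regular expression.

```python
import re

SIP_DOMAIN = "pdn.ac.lk"
PBX_HOST = "192.248.40.59"   # PBX gateway address used by the slide's script

# Same gate as the ser.cfg fragment: only URIs whose user part is three or more
# lowercase letters (a name rather than an extension) get looked up.
ALPHA_USER_URI = re.compile(r"^sip:[a-z]{3,}@" + re.escape(SIP_DOMAIN) + r"$")

# Attribute assumed to hold the PBX extension; the slides do not name it.
EXTENSION_ATTRIBUTE = "telephoneNumber"

# Constructed LDIF standing in for the ldapsearch output the script elides.
SAMPLE_LDIF = """\
dn: uid=nimalr,ou=People,dc=pdn,dc=ac,dc=lk
uid: nimalr
mail: nimalr@pdn.ac.lk
telephoneNumber: 2345
"""


def userid_from_uri(uri):
    """'sip:nimalr@pdn.ac.lk' -> 'nimalr' (what the script's cut/sed does)."""
    address = uri.split(":", 1)[1]
    return address.split("@", 1)[0]


def extension_from_ldif(ldif, attribute=EXTENSION_ATTRIBUTE):
    """First value of `attribute` in an LDIF entry, or None when absent/empty."""
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() == attribute:
            return value.strip() or None
    return None


def sipldap(uri, ldif):
    """Mirror the script's contract for exec_dset(): (printed URI, exit status).
    Exit 0 with the PBX URI when an extension exists, otherwise exit 1 and
    echo the original URI unchanged."""
    phone = extension_from_ldif(ldif)
    if phone is None or phone == "none":
        return uri, 1
    return "sip:%s@%s" % (phone, PBX_HOST), 0


def sipedu_destinations(method, uri, directory):
    """Destination set after the ser.cfg block: the original URI plus the PBX
    branch that append_branch() adds when the lookup succeeds; revert_uri()
    keeps the original as the request URI. `directory` maps a user id to its
    LDIF entry and stands in for the LDAP search by uid."""
    destinations = [uri]
    if method != "INVITE" or not ALPHA_USER_URI.match(uri):
        return destinations
    ldif = directory.get(userid_from_uri(uri), "")
    new_uri, status = sipldap(uri, ldif)
    if status == 0:
        destinations.append(new_uri)
    return destinations


if __name__ == "__main__":
    directory = {"nimalr": SAMPLE_LDIF}
    for method, uri in [("INVITE", "sip:nimalr@pdn.ac.lk"),
                        ("INVITE", "sip:nobody@pdn.ac.lk"),
                        ("INVITE", "sip:2345@pdn.ac.lk"),
                        ("REGISTER", "sip:nimalr@pdn.ac.lk")]:
        print(method, uri, "->", sipedu_destinations(method, uri, directory))
```

Because a failed lookup returns exit status 1, exec_dset() leaves the request URI alone and no branch is appended, so a missing or "none" extension simply falls through to normal routing, which is the behaviour the script's echo "${1}" path is there to guarantee.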