Digest test

Iandc Davies
All,

I am using freeradiusd 1.0.4 on RedHat Linux 9 and have just run the digest
test suggested in the doc area through radclient.
As it stands, I receive a code 3 reply (Access-Reject).

The instruction for the test tells me to do the following:
1. In the /etc/raddb/users file insert entry as below :-
      test  Auth-Type := Digest, User-Password = "test"
            Reply-Message = "Hello, test with Digest"

2. Initiate radclient with a file called digest (i.e. radclient -f digest
localhost auth testing123)
      User-Name = "test",
      Digest-Response = "631d6d73147add2f9e437f59bbc3aeb7",
      Digest-Realm = "testrealm",
      Digest-Nonce = "1234abcd",
      Digest-Method = "INVITE",
      Digest-URI = "sip:[hidden email]",
      Digest-Algorithm = "MD5",
      Digest-User-Name = "test"

The command line holds the shared secret as defined in clients.conf file.
However for this test to work, I had to insert a User-Password = "xxxx"
(where xxxx is the actual password), into the digest file.
After this I get a code 2 reply (Access-Accept).

A radiusd -X dump shows freerad trying to do a unix authentication via the
rlm_unix module.
I've tried to comment out any instances of unix authentication from the
radiusd.conf file but with the same results.

Is there a way to tell freerad not to check user-password ?


Ian Davies {02476 564662}
          Internal   (x740 4662)
IMS-SIPAC
Software Development Engineer


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Digest test

Alan DeKok
"Iandc Davies" <[hidden email]> wrote:
> The instruction for the test tells me to do the following:
> 1. In the /etc/raddb/users file insert entry as below :-
>       test  Auth-Type := Digest, User-Password = "test"

  That should be ... User-Password := "test".

  The "users" file isn't really set up for modern deployments.  Its
design goes back to 1993, when all the fancy authentication methods
didn't exist.

  Alan DeKok.


Re: Digest test

Iandc Davies

Is there a way to tell freerad not to check user-password ?

Ian Davies {02476 564662}
          Internal   (x740 4662)
IMS-SIPAC
Software Development Engineer



Re: Digest test

Alan DeKok
"Iandc Davies" <[hidden email]> wrote:
> Is there a way to tell freerad not to check user-password ?

  Use ":=", as per my previous message.

  Alan DeKok.

Re: Digest test

Iandc Davies

>"Iandc Davies" <[hidden email]> wrote:
 > Is there a way to tell freerad not to check user-password ?

 >>  Use ":=", as per my previous message.

 >>  Alan DeKok.

Am I doing something really stupid, as it still requires a password field
in the sending file ! ? !
/etc/raddb/users file now has an entry right at the top such as this :
test  Auth-Type := Digest, User-Password := "xxxx" (where xxxx = password)
      Reply-Message = "Hello, test with Digest"

Separate question:
Is the Reply-Message supposed to be returned ? Or is that the authenticator
field returned on a code 2 ?


Ian Davies {02476 564662}
          Internal   (x740 4662)
IMS-SIPAC
Software Development Engineer



Re: Digest test

Alan DeKok
"Iandc Davies" <[hidden email]> wrote:
> Am I doing something really stupid, as it still requires a password field
> in the sending file ! ? !
> /etc/raddb/users file now has an entry right at the top such as this :

  If you're using the latest CVS, the fix I committed earlier will help.
If you're using 1.0.4, I'm not sure what would be wrong.

> Is the Reply-Message supposed to be returned ? Or is that the authenticator
> field returned on a code 2 ?

  I'm not sure what you mean by that.

  Alan DeKok.
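
Why the password belongs in the server's configuration and not in the request, as an added example that is not part of the thread and not FreeRADIUS code: the server recomputes the RFC 2617 MD5 response from the Digest-* attributes plus the password it already knows, then compares. The URI is a constructed placeholder (the original is redacted), and the qop=auth branch goes beyond the request shown in the thread.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """Expected response for Digest-Algorithm = MD5 (RFC 2617, 3.2.2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")   # needs the cleartext password
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        # No qop in the request (as in the thread): RFC 2069-compatible form.
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    if qop != "auth" or not nc or not cnonce:
        raise ValueError("only qop=auth with nc and cnonce is handled here")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(attrs: dict, known_password: str) -> bool:
    """Server side: compare the received response with the recomputed one."""
    expected = digest_response(
        attrs["Digest-User-Name"], attrs["Digest-Realm"], known_password,
        attrs["Digest-Method"], attrs["Digest-URI"], attrs["Digest-Nonce"])
    return hmac.compare_digest(expected, attrs["Digest-Response"].lower())


# Constructed request modelled on the "digest" file in the thread.
# Note there is no User-Password attribute: the password never travels.
PLACEHOLDER_URI = "sip:user@example.invalid"      # assumption, not the real URI
SAMPLE_REQUEST = {
    "Digest-User-Name": "test",
    "Digest-Realm": "testrealm",
    "Digest-Nonce": "1234abcd",
    "Digest-Method": "INVITE",
    "Digest-URI": PLACEHOLDER_URI,
    # Client side: response derived from the password "test".
    "Digest-Response": digest_response("test", "testrealm", "test",
                                       "INVITE", PLACEHOLDER_URI, "1234abcd"),
}

if __name__ == "__main__":
    print("configured password 'test' :", verify(SAMPLE_REQUEST, "test"))
    print("configured password 'wrong':", verify(SAMPLE_REQUEST, "wrong"))
```

If the server has no known-good password for the user, it has nothing to build HA1 from and the comparison cannot succeed.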