Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 SER Authentication with Radius and LDAP Nimal Ratnayake Lanka Education and Research Network (LEARN) and Department of Electrical & Electronic Engineering,

Similar presentations


Presentation on theme: "1 SER Authentication with Radius and LDAP Nimal Ratnayake Lanka Education and Research Network (LEARN) and Department of Electrical & Electronic Engineering,"— Presentation transcript:

1 1 SER Authentication with Radius and LDAP Nimal Ratnayake Lanka Education and Research Network (LEARN) and Department of Electrical & Electronic Engineering, University of Peradeniya

2 2 SER Authentication Checks whether the provided password is correct Local users –Added using serctl command line utility serctl add –Need a proper database for persistence Users defined in MySQL database –Existing directory can be exported to MySQL –Need to export whenever directory is modified Use Radius/LDAP –SER authenticates via Radius –Radius gets directory data from LDAP server –Useful for implementing SIP.EDU.

3 3 Digest Authentication SIP server/proxy challenges UA – 401 Unauthorized – 407 Proxy authentication required –Challenge includes realm and nonce – realm is normally set to the SIP domain UA –Get the password from user –Compute MD5 hash of user:realm:password (This is called HA1) –UA computes the response as the MD5 hash of HA1, nonce and some other info –Sends response, nonce etc to SIP server/proxy

4 4 Digest Authentication (ctd) SIP server/proxy –Creates a Radius Access-Request packet and sends to Radius server Radius server –Computes the HA1 and then response Radius server must know users cleartext password or HA1 (already computed) –Looks up the LDAP database for the user's password Bind to the LDAP directory tree Search the LDAP directory tree for users password –Must authenticate itself to the LDAP server –Sends an Access-Accept or Access-Reject packet to SER

5 5 Digest Authentication (ctd) SIP server/proxy –Sends OK to UA if authenticated –Sends Unauthorized if not authenticated

6 6 Software components SIP server (ser-0.9.4) –Enable radius module when compiling Radius client (radiusclient-ng 0.3.2) –SER talks to the Radius server using radiusclient Radius server (freeradius 1.0.5r3) –In our case running on the same machine LDAP server (openldap server 2.2.3) –In our case running on the same machine –Already populated LDAP Directory This presentation will focus on –SER and FreeRadius configuration

7 7 SER Configuration For HTTP Authentication –Load the auth_radius module in addition to auth module –Set parameters for the module radius_config and service_type parameters –Use radius_www_authorize and radius_proxy_authorize instead of www_authorize and proxy_authorize They take only one parameter instead of two for www_authorize and proxy_authorize

8 8 SER Configuration Example loadmodule "/usr/local/lib/ser/modules/auth.so" loadmodule "/usr/local/lib/ser/modules/auth_radius.so"..... modparam("auth_radius", "radius_config", "/etc/ser/radiusclient.conf") modparam("auth_radius", "service_type", 15)..... if (!radius_www_authorize("pdn.ac.lk")) { www_challenge("pdn.ac.lk", "0"); break; };..... if (!radius_proxy_authorize("pdn.ac.lk")) { proxy_challenge("pdn.ac.lk", "0"); break; };......

9 9 Radiusclient configuration Add Radius server name or IP address in file /etc/ser/radiusclient.conf authserver localhost acctserver localhost Add the shared secret in file /etc/radiusclient-ng/servers localhost testing123 Append contents of /etc/ser/dictionary.ser to file /etc/radiusclient-ng/dictionary cat /etc/ser/dictionary.ser >> /etc/radiusclient-ng/dictionary

10 10 Radius server configuration Add radius client name/IP in file /etc/raddb/clients client { secret testing123 } Include the SER dictionary by adding the following in the file /etc/raddb/dictionary $INCLUDE /etc/ser/dictionary.ser Configure LDAP lookup modules {.... ldap { // ldap config goes here } } // end of modules

11 11 Radius server configuration example ldap { server = "localhost" identity = "cn=root,dc=pdn,dc=ac,dc=lk" password = tops3cr3t basedn = "ou=People,dc=pdn,dc=ac,dc=lk" filter = "(uid=%u)"..... password_attribute = userPassword..... }

12 12 LDAP configuration LDAP –Directory tree structure –LDAP permissions are important Before searching LDAP directory, Radius server needs to bind to some location on the LDAP tree –Configuration parameter identity identity = "cn=root,dc=pdn,dc=ac,dc=lk" From the bind location, you must have permission to read/authenticate againt the location you are searching –Configuration parameter basedn basedn = "ou=People,dc=pdn,dc=ac,dc=lk" filter = "(uid=%u)"

13 13 Sample LDAP configuration access to dn.base="" by * read access to attr=userPassword by self write by anonymous auth by dn.base="cn=root,dc=pdn,dc=ac,dc=lk" write by * none access to * by self write by anonymous auth by dn.base="cn=root,dc=pdn,dc=ac,dc=lk" write by dn.one="ou=Servers,dc=pdn,dc=ac,dc=lk" read by * none

14 14 Debugging Radius server –Run radiusd in debug mode /usr/sbin/radiusd -X Use radtest utility to test –First try with a user defined in /etc/raddb/users test Auth-Type := Local, User-Password := "test" –Try HTTP Digest authentication with the same user test Auth-Type := Digest, User-Password := "test" Reply-Message = "Hello, test with digest" –May need some entries in /etc/raddb/hints to map user to just test

15 15 Sample Radius debug output rad_recv: Access-Request packet from host :56217, id=200, length=194 User-Name = Digest-Attributes = 0x0a086e696d616c72 Digest-Attributes = 0x010b70646e2e61632e6c6b Digest-Attributes = 0x022a Digest-Attributes = 0x040f a70646e2e61632e6c6b Digest-Attributes = 0x030a Digest-Response = "df07d6bf3e4e0c78a04e597d430bc12e" Service-Type = Sip-Session Sip-Uri-User = "nimalr" NAS-IP-Address = NAS-Port = 5060

16 16 Sample Radius debug output (2) modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_digest: Converting Digest-Attributes to something sane... Digest-User-Name = "nimalr" Digest-Realm = "pdn.ac.lk" Digest-Nonce = "43d4271c8d0e2547df820099ed69dd424d73786c" Digest-URI = "sip:pdn.ac.lk" Digest-Method = "REGISTER"

17 17 Sample Radius debug output (3) rlm_digest: Converting Digest-Attributes to something sane... Digest-User-Name = "nimalr" Digest-Realm = "pdn.ac.lk" Digest-Nonce = "43d4271c8d0e2547df820099ed69dd424d73786c" Digest-URI = "sip:pdn.ac.lk" Digest-Method = "REGISTER".....

18 18 Sample Radius debug output (3) rlm_ldap: - authorize rlm_ldap: performing user authorization for nimalr radius_xlat: '(uid=nimalr)' radius_xlat: 'ou=People,dc=pdn,dc=ac,dc=lk'..... rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=root,dc=pdn,dc=ac,dc=lk/tops3cr3t to localhost:389 rlm_ldap: waiting for bind result... rlm_ldap: Bind was successful..... rlm_ldap: performing search in ou=People,dc=pdn,dc=ac,dc=lk, with filter (uid=nimalr) rlm_ldap: Added password BlahBlah in check items

19 19 Sample Radius debug output (4) modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type DIGEST auth: type "digest" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 A1 = nimalr:pdn.ac.lk:BlahBlah A2 = REGISTER:sip:pdn.ac.lk KD = 2fc2286e2c035f42ef4c0d077751ca09:43d4271c8d0e2547df820099ed69dd42 4d73786c:4ea8a5db028bb11e4698dcaef8f4c6d9 modcall[authenticate]: module "digest" returns ok for request 0 modcall: group authenticate returns ok for request 0 Sending Access-Accept of id 200 to :56217

20 20 LDAP and SIP.EDU Incoming request INVITE Lookup LDAP directory for PBX extension of nimalr If found append the new URL to the list of URLs if ((method=="INVITE") & (uri=~ { if (exec_dset("/usr/local/sbin/sipldap")) { log(1," sipldap lookup successful"); append_branch(); revert_uri(); }; }; If the call is not answered, can use LDAP directory to forward the call to mobile

21 21 LDAP lookup script #!/usr/local/bin/bash LDAP_SERV="localhost" LDAP_BIND="cn=auth,ou=Servers,dc=pdn,dc=ac,dc=lk" LDAP_BINDPW="SvrS3cr3" LDAP_BASE="ou=People,dc=pdn,dc=ac,dc=lk" =$(echo ${1} | cut -d: -f2) USERID=$(echo $ | sed -e # search LDAP directory if [ -z "${PHONE}" ]; then PHONE=$(ldapsearch -LLL -x -h ${LDAP_SERV} -D ${LDAP_BIND} -w ${LDAP_BINDPW} -b ${LDAP_BASE} uid=${USERID} telephoneNumber | grep -i telephoneNumber | cut -d' ' -f2 | tr -d '-') fi

22 22 LDAP lookup script (ctd) # print out original unmodified URI if nothing found, if [ -z "${PHONE}" -o "${PHONE}" = "none" ]; then echo "${1}" exit 1; else echo exit 0; fi


Download ppt "1 SER Authentication with Radius and LDAP Nimal Ratnayake Lanka Education and Research Network (LEARN) and Department of Electrical & Electronic Engineering,"

Similar presentations


Ads by Google