|
|
@@ -22,42 +22,41 @@ Jan Janak
|
|
|
|
|
|
<[email protected]>
|
|
|
|
|
|
- Copyright © 2002, 2003 FhG FOKUS
|
|
|
+ Copyright © 2002, 2003 FhG FOKUS
|
|
|
|
|
|
- Copyright © 2005 voice-system.ro
|
|
|
+ Copyright © 2005 voice-system.ro
|
|
|
|
|
|
- Copyright © 2008 Juha Heinanen
|
|
|
+ Copyright © 2008 Juha Heinanen
|
|
|
Revision History
|
|
|
- Revision $Revision$ $Date: 2008-03-08 01:03:56 +0200
|
|
|
- (Sat, 08 Mar 2008) $
|
|
|
- __________________________________________________________
|
|
|
+ Revision $Revision$ $Date$
|
|
|
+ __________________________________________________________________
|
|
|
|
|
|
Table of Contents
|
|
|
|
|
|
1. Admin Guide
|
|
|
|
|
|
- 1.1. Overview
|
|
|
- 1.2. Additional Credentials
|
|
|
- 1.3. Dependencies
|
|
|
+ 1. Overview
|
|
|
+ 2. Additional Credentials
|
|
|
+ 3. Dependencies
|
|
|
|
|
|
- 1.3.1. Kamailio Modules
|
|
|
- 1.3.2. External Libraries or Applications
|
|
|
+ 3.1. Modules
|
|
|
+ 3.2. External Libraries or Applications
|
|
|
|
|
|
- 1.4. Exported Parameters
|
|
|
+ 4. Exported Parameters
|
|
|
|
|
|
- 1.4.1. radius_config (string)
|
|
|
- 1.4.2. service_type (integer)
|
|
|
- 1.4.3. auth_extra (string)
|
|
|
- 1.4.4. use_ruri_flag (integer)
|
|
|
+ 4.1. radius_config (string)
|
|
|
+ 4.2. service_type (integer)
|
|
|
+ 4.3. auth_extra (string)
|
|
|
+ 4.4. use_ruri_flag (integer)
|
|
|
|
|
|
- 1.5. Exported Functions
|
|
|
+ 5. Exported Functions
|
|
|
|
|
|
- 1.5.1. radius_www_authorize(realm)
|
|
|
- 1.5.2. radius_proxy_authorize(realm [, uri_user])
|
|
|
+ 5.1. radius_www_authorize(realm)
|
|
|
+ 5.2. radius_proxy_authorize(realm [, uri_user])
|
|
|
|
|
|
List of Examples
|
|
|
|
|
|
- 1.1. "SIP-AVP" RADIUS AVP exmaples
|
|
|
+ 1.1. “SIP-AVP� RADIUS AVP exmaples
|
|
|
1.2. radius_config parameter usage
|
|
|
1.3. service_type parameter usage
|
|
|
1.4. auth_extra parameter usage
|
|
|
@@ -67,30 +66,50 @@ Jan Janak
|
|
|
|
|
|
Chapter 1. Admin Guide
|
|
|
|
|
|
-1.1. Overview
|
|
|
-
|
|
|
- This module contains functions that are used to perform
|
|
|
- authentication using a Radius server. Basically the proxy will
|
|
|
- pass along the credentials to the radius server which will in
|
|
|
- turn send a reply containing result of the authentication. So
|
|
|
- basically the whole authentication is done in the Radius
|
|
|
- server. Before sending the request to the radius server we
|
|
|
- perform some sanity checks over the credentials to make sure
|
|
|
- that only well formed credentials will get to the server. We
|
|
|
- have implemented radius authentication according to
|
|
|
- draft-sterman-aaa-sip-00. This module requires radiusclient-ng
|
|
|
- library version 0.5.0 or higher which is available from
|
|
|
+ Table of Contents
|
|
|
+
|
|
|
+ 1. Overview
|
|
|
+ 2. Additional Credentials
|
|
|
+ 3. Dependencies
|
|
|
+
|
|
|
+ 3.1. Modules
|
|
|
+ 3.2. External Libraries or Applications
|
|
|
+
|
|
|
+ 4. Exported Parameters
|
|
|
+
|
|
|
+ 4.1. radius_config (string)
|
|
|
+ 4.2. service_type (integer)
|
|
|
+ 4.3. auth_extra (string)
|
|
|
+ 4.4. use_ruri_flag (integer)
|
|
|
+
|
|
|
+ 5. Exported Functions
|
|
|
+
|
|
|
+ 5.1. radius_www_authorize(realm)
|
|
|
+ 5.2. radius_proxy_authorize(realm [, uri_user])
|
|
|
+
|
|
|
+1. Overview
|
|
|
+
|
|
|
+ This module contains functions that are used to perform authentication
|
|
|
+ using a Radius server. Basically the proxy will pass along the
|
|
|
+ credentials to the radius server which will in turn send a reply
|
|
|
+ containing result of the authentication. So basically the whole
|
|
|
+ authentication is done in the Radius server. Before sending the request
|
|
|
+ to the radius server we perform some sanity checks over the credentials
|
|
|
+ to make sure that only well formed credentials will get to the server.
|
|
|
+ We have implemented radius authentication according to
|
|
|
+ draft-sterman-aaa-sip-00. This module requires radiusclient-ng library
|
|
|
+ version 0.5.0 or higher which is available from
|
|
|
http://developer.berlios.de/projects/radiusclient-ng/.
|
|
|
|
|
|
-1.2. Additional Credentials
|
|
|
+2. Additional Credentials
|
|
|
|
|
|
- When performing authentification, the RADIUS server may include
|
|
|
- in the response additional credentials. This scheme is very
|
|
|
- useful in fetching additional user information from the RADIUS
|
|
|
- server without making extra queries.
|
|
|
+ When performing authentification, the RADIUS server may include in the
|
|
|
+ response additional credentials. This scheme is very useful in fetching
|
|
|
+ additional user information from the RADIUS server without making extra
|
|
|
+ queries.
|
|
|
|
|
|
- The additional credentials are embedded in the RADIUS reply as
|
|
|
- AVPs "SIP-AVP". The syntax of the value is:
|
|
|
+ The additional credentials are embedded in the RADIUS reply as AVPs
|
|
|
+ “SIP-AVP�. The syntax of the value is:
|
|
|
* value = SIP_AVP_NAME SIP_AVP_VALUE
|
|
|
* SIP_AVP_NAME = STRING_NAME | '#'ID_NUMBER
|
|
|
* SIP_AVP_VALUE = ':'STRING_VALUE | '#'NUMBER_VALUE
|
|
|
@@ -100,7 +119,7 @@ Chapter 1. Admin Guide
|
|
|
|
|
|
The RPID value may be fetch via this mechanism.
|
|
|
|
|
|
- Example 1.1. "SIP-AVP" RADIUS AVP exmaples
|
|
|
+ Example 1.1. “SIP-AVP� RADIUS AVP exmaples
|
|
|
....
|
|
|
"email:[email protected]"
|
|
|
- STRING NAME AVP (email) with STRING VALUE ([email protected])
|
|
|
@@ -112,165 +131,186 @@ Chapter 1. Admin Guide
|
|
|
- ID AVP (14) with INTEGER VALUE (28)
|
|
|
....
|
|
|
|
|
|
-1.3. Dependencies
|
|
|
+3. Dependencies
|
|
|
+
|
|
|
+ 3.1. Modules
|
|
|
+ 3.2. External Libraries or Applications
|
|
|
|
|
|
-1.3.1. Kamailio Modules
|
|
|
+3.1. Modules
|
|
|
|
|
|
- The module depends on the following modules (in the other words
|
|
|
- the listed modules must be loaded before this module):
|
|
|
- * auth -- Generic authentication functions
|
|
|
+ The module depends on the following modules (in the other words the
|
|
|
+ listed modules must be loaded before this module):
|
|
|
+ * modules_s/auth -- Generic authentication functions
|
|
|
|
|
|
-1.3.2. External Libraries or Applications
|
|
|
+3.2. External Libraries or Applications
|
|
|
|
|
|
- The following libraries or applications must be installed
|
|
|
- before compilling Kamailio with this module loaded:
|
|
|
- * radiusclient-ng 0.5.0 or higher -- library and development
|
|
|
- files. See
|
|
|
- http://developer.berlios.de/projects/radiusclient-ng/.
|
|
|
+ The following libraries or applications must be installed before
|
|
|
+ compilling Kamailio with this module loaded:
|
|
|
+ * radiusclient-ng 0.5.0 or higher -- library and development files.
|
|
|
+ See http://developer.berlios.de/projects/radiusclient-ng/.
|
|
|
|
|
|
-1.4. Exported Parameters
|
|
|
+4. Exported Parameters
|
|
|
|
|
|
-1.4.1. radius_config (string)
|
|
|
+ 4.1. radius_config (string)
|
|
|
+ 4.2. service_type (integer)
|
|
|
+ 4.3. auth_extra (string)
|
|
|
+ 4.4. use_ruri_flag (integer)
|
|
|
+
|
|
|
+4.1. radius_config (string)
|
|
|
|
|
|
This is the location of the configuration file of radius client
|
|
|
libraries.
|
|
|
|
|
|
- Default value is
|
|
|
- "/usr/local/etc/radiusclient-ng/radiusclient.conf".
|
|
|
+ Default value is “/usr/local/etc/radiusclient-ng/radiusclient.conf�.
|
|
|
|
|
|
Example 1.2. radius_config parameter usage
|
|
|
modparam("auth_radius", "radius_config", "/etc/radiusclient.conf")
|
|
|
|
|
|
-1.4.2. service_type (integer)
|
|
|
+4.2. service_type (integer)
|
|
|
|
|
|
- This is the value of the Service-Type radius attribute to be
|
|
|
- used. The default should be fine for most people. See your
|
|
|
- radius client include files for numbers to be put in this
|
|
|
- parameter if you need to change it.
|
|
|
+ This is the value of the Service-Type radius attribute to be used. The
|
|
|
+ default should be fine for most people. See your radius client include
|
|
|
+ files for numbers to be put in this parameter if you need to change it.
|
|
|
|
|
|
- Default value is "15".
|
|
|
+ Default value is “15�.
|
|
|
|
|
|
Example 1.3. service_type parameter usage
|
|
|
modparam("auth_radius", "service_type", 15)
|
|
|
|
|
|
-1.4.3. auth_extra (string)
|
|
|
+4.3. auth_extra (string)
|
|
|
|
|
|
Semi-colon separated list of extra RADIUS attribute name=pseudo
|
|
|
- variable pairs. When radius_www_authorize() or
|
|
|
- radius_proxy_authorize() function is called, listed extra
|
|
|
- attributes are included in RADIUS request with current values
|
|
|
- of corresponding pseudo variables.
|
|
|
+ variable pairs. When radius_www_authorize() or radius_proxy_authorize()
|
|
|
+ function is called, listed extra attributes are included in RADIUS
|
|
|
+ request with current values of corresponding pseudo variables.
|
|
|
|
|
|
- There is no default value, i.e., by default no extra attributes
|
|
|
- are included.
|
|
|
+ There is no default value, i.e., by default no extra attributes are
|
|
|
+ included.
|
|
|
|
|
|
Example 1.4. auth_extra parameter usage
|
|
|
modparam("auth_radius", "auth_extra", "Acct-Session-Id=$ci")
|
|
|
|
|
|
-1.4.4. use_ruri_flag (integer)
|
|
|
+4.4. use_ruri_flag (integer)
|
|
|
|
|
|
- When this parameter is set to the value other than "-1" and the
|
|
|
- request being authenticated has flag with matching number set
|
|
|
- via setflag() function, use Request URI instead of uri
|
|
|
- parameter value from the Authorization / Proxy-Authorization
|
|
|
- header field to perform RADIUS authentication. This is intended
|
|
|
- to provide workaround for misbehaving NAT / routers / ALGs that
|
|
|
- alter request in the transit, breaking authentication. At the
|
|
|
- time of this writing, certain versions of Linksys WRT54GL are
|
|
|
- known to do that.
|
|
|
+ When this parameter is set to the value other than "-1" and the request
|
|
|
+ being authenticated has flag with matching number set via setflag()
|
|
|
+ function, use Request URI instead of uri parameter value from the
|
|
|
+ Authorization / Proxy-Authorization header field to perform RADIUS
|
|
|
+ authentication. This is intended to provide workaround for misbehaving
|
|
|
+ NAT / routers / ALGs that alter request in the transit, breaking
|
|
|
+ authentication. At the time of this writing, certain versions of
|
|
|
+ Linksys WRT54GL are known to do that.
|
|
|
|
|
|
- Default value is "-1".
|
|
|
+ Default value is “-1�.
|
|
|
|
|
|
Example 1.5. use_ruri_flag parameter usage
|
|
|
modparam("auth_radius", "use_ruri_flag", 22)
|
|
|
|
|
|
-1.5. Exported Functions
|
|
|
+5. Exported Functions
|
|
|
+
|
|
|
+ 5.1. radius_www_authorize(realm)
|
|
|
+ 5.2. radius_proxy_authorize(realm [, uri_user])
|
|
|
|
|
|
-1.5.1. radius_www_authorize(realm)
|
|
|
+5.1. radius_www_authorize(realm)
|
|
|
|
|
|
The function verifies credentials according to RFC2617. If the
|
|
|
- credentials are verified successfully then the function will
|
|
|
- succeed and mark the credentials as authorized (marked
|
|
|
- credentials can be later used by some other functions). If the
|
|
|
- function was unable to verify the credentials for some reason
|
|
|
- then it will fail and the script should call www_challenge
|
|
|
- which will challenge the user again.
|
|
|
+ credentials are verified successfully then the function will succeed
|
|
|
+ and mark the credentials as authorized (marked credentials can be later
|
|
|
+ used by some other functions).
|
|
|
+
|
|
|
+ If the function was unable to verify the credentials for some reason,
|
|
|
+ it fails and assigns a WWW-Authorize header containing a new challenge
|
|
|
+ to digest_challenge AVP (see modules_s/auth). The script should then
|
|
|
+ respond with 401 that includes this header, which will challenge the
|
|
|
+ user again.
|
|
|
|
|
|
Negative codes may be interpreted as follows:
|
|
|
- * -5 (generic error) - some generic error occurred and no
|
|
|
- reply was sent out;
|
|
|
- * -4 (no credentials) - credentials were not found in
|
|
|
- request;
|
|
|
+ * -5 (internal error) - some internal error occurred;
|
|
|
+ * -4 (no credentials) - credentials were not found in request;
|
|
|
* -3 (stale nonce) - stale nonce;
|
|
|
+ * -2 (bad request) - something wrong in request, for example,
|
|
|
+ credentials were not filled properly;
|
|
|
+ * -1 (authorization failed) - RADIUS responded with Access Reject
|
|
|
|
|
|
- This function will, in fact, perform sanity checks over the
|
|
|
- received credentials and then pass them along to the radius
|
|
|
- server which will verify the credentials and return whether
|
|
|
- they are valid or not.
|
|
|
+ This function will, in fact, perform sanity checks over the received
|
|
|
+ credentials and then pass them along to the radius server which will
|
|
|
+ verify the credentials and return whether they are valid or not.
|
|
|
|
|
|
Meaning of the parameter is as follows:
|
|
|
- * realm - Realm is a opaque string that the user agent should
|
|
|
- present to the user so he can decide what username and
|
|
|
- password to use. Usually this is domain of the host the
|
|
|
- server is running on.
|
|
|
- If an empty string "" is used then the server will generate
|
|
|
- it from the request. In case of REGISTER requests To header
|
|
|
- field domain will be used (because this header field
|
|
|
- represents a user being registered), for all other messages
|
|
|
- From header field domain will be used.
|
|
|
+ * realm - Realm is a opaque string that the user agent should present
|
|
|
+ to the user so he can decide what username and password to use. In
|
|
|
+ case of REGISTER requests it is usually hostpart of To URI.
|
|
|
The string may contain pseudo variables.
|
|
|
|
|
|
This function can be used from REQUEST_ROUTE.
|
|
|
|
|
|
Example 1.6. radius_www_authorize usage
|
|
|
...
|
|
|
-if (!radius_www_authorize("siphub.net")) {
|
|
|
- www_challenge("siphub.net", "1");
|
|
|
-};
|
|
|
+ if (!radius_www_authorize("$td")) {
|
|
|
+ switch ($rc) {
|
|
|
+ case -5:
|
|
|
+ send_reply("500", "Server Internal Error");
|
|
|
+ exit;
|
|
|
+ case -2:
|
|
|
+ send_reply("400", "Bad Request");
|
|
|
+ exit;
|
|
|
+ default:
|
|
|
+ };
|
|
|
+ if (defined($avp(digest_challenge)) &&
|
|
|
+ ($avp(digest_challenge) != "")) {
|
|
|
+ append_to_reply("$avp(digest_challenge)");
|
|
|
+ };
|
|
|
+ send_reply("401", "Unauthorized");
|
|
|
+ exit;
|
|
|
...
|
|
|
|
|
|
-1.5.2. radius_proxy_authorize(realm [, uri_user])
|
|
|
+5.2. radius_proxy_authorize(realm [, uri_user])
|
|
|
|
|
|
The function verifies credentials according to RFC2617. If the
|
|
|
- credentials are verified successfully then the function will
|
|
|
- succeed and mark the credentials as authorized (marked
|
|
|
- credentials can be later used by some other functions). If the
|
|
|
- function was unable to verify the credentials for some reason
|
|
|
- then it will fail and the script should call proxy_challenge
|
|
|
- which will challenge the user again. For more about the
|
|
|
- negative return codes, see the above function.
|
|
|
-
|
|
|
- This function will, in fact, perform sanity checks over the
|
|
|
- received credentials and then pass them along to the radius
|
|
|
- server which will verify the credentials and return whether
|
|
|
- they are valid or not.
|
|
|
+ credentials are verified successfully then the function will succeed
|
|
|
+ and mark the credentials as authorized (marked credentials can be later
|
|
|
+ used by some other functions).
|
|
|
+
|
|
|
+ If the function was unable to verify the credentials for some reason,
|
|
|
+ it fails and assigns a WWW-Authorize header containing a new challenge
|
|
|
+ to digest_challenge AVP. The script should then respond with 407 that
|
|
|
+ includes this header, which will challenge the user again. For more
|
|
|
+ about the negative return codes, see the above function.
|
|
|
+
|
|
|
+ This function will, in fact, perform sanity checks over the received
|
|
|
+ credentials and then pass them along to the radius server which will
|
|
|
+ verify the credentials and return whether they are valid or not.
|
|
|
|
|
|
Meaning of the parameters is as follows:
|
|
|
- * realm - Realm is a opaque string that the user agent should
|
|
|
- present to the user so he can decide what username and
|
|
|
- password to use. This is usually one of the domains the
|
|
|
- proxy is responsible for. If an empty string "" is used
|
|
|
- then the server will generate realm from host part of From
|
|
|
- header field URI.
|
|
|
+ * realm - Realm is a opaque string that the user agent should present
|
|
|
+ to the user so he can decide what username and password to use. In
|
|
|
+ case of non-REGISTER requests it is usually hostpart of From or
|
|
|
+ P-Preferred-Identity URI.
|
|
|
The string may contain pseudo variables.
|
|
|
- * uri_user - Uri_user is an optional pseudo variable
|
|
|
- parameter whose value, if present, will be given to Radius
|
|
|
- server as value of SIP-URI-User check item. If uri_user
|
|
|
- pseudo variable parameter is not present, the server will
|
|
|
- generate SIP-URI-User check item value from user part of
|
|
|
- To/From URI.
|
|
|
+ * uri_user - Uri_user is an optional pseudo variable parameter whose
|
|
|
+ value, if present, will be given to Radius server as value of
|
|
|
+ SIP-URI-User check item. If uri_user pseudo variable parameter is
|
|
|
+ not present, the server will generate SIP-URI-User check item value
|
|
|
+ from user part of To/From URI.
|
|
|
|
|
|
This function can be used from REQUEST_ROUTE.
|
|
|
|
|
|
Example 1.7. proxy_authorize usage
|
|
|
...
|
|
|
-if (!radius_proxy_authorize("")) { # Realm and URI user will be autoge
|
|
|
-nerated
|
|
|
- proxy_challenge("", "1");
|
|
|
-};
|
|
|
-...
|
|
|
-if (!radius_proxy_authorize("$pd", "$pU")) { # Realm and URI user are ta
|
|
|
-ken
|
|
|
- proxy_challenge("$pd", "1"); # from P-Preferred-Identity
|
|
|
-}; # header field
|
|
|
+ if (!radius_proxy_authorize("$pd", "$pU")) { # Realm and URI user are taken
|
|
|
+ switch ($rc) { # from P-Preferred-Identity
|
|
|
+ case -5: # header field
|
|
|
+ send_reply("500", "Server Internal Error");
|
|
|
+ exit;
|
|
|
+ case -2:
|
|
|
+ send_reply("400", "Bad Request");
|
|
|
+ exit;
|
|
|
+ default:
|
|
|
+ };
|
|
|
+ if (defined($avp(digest_challenge)) &&
|
|
|
+ ($avp(digest_challenge) != "")) {
|
|
|
+ append_to_reply("$avp(digest_challenge)");
|
|
|
+ };
|
|
|
+ send_reply("407", "Proxy Authentication Required");
|
|
|
+ exit;
|
|
|
...
|
Juha Heinanen