Juha Heinanen
ecdcd5fabc
* Fixed Makefiles of Radius related modules, which did not include
|
16 سال پیش | |
|---|---|---|
| .. | ||
| doc | 16 سال پیش | |
| Makefile | 16 سال پیش | |
| README | 16 سال پیش | |
| authorize.c | 16 سال پیش | |
| authorize.h | 16 سال پیش | |
| authrad_mod.c | 16 سال پیش | |
| authrad_mod.h | 16 سال پیش | |
| extra.c | 16 سال پیش | |
| extra.h | 16 سال پیش | |
| sterman.c | 16 سال پیش | |
| sterman.h | 16 سال پیش | |
README
Auth_radius Module
Jan Janak
FhG Fokus
Juha Heinanen
Stelios Sidiroglou-Douskos
Bogdan-Andrei Iancu
voice-system.ro
Edited by
Jan Janak
Copyright � 2002, 2003 FhG FOKUS
Copyright � 2005 voice-system.ro
Copyright � 2008 Juha Heinanen
Revision History
Revision $Revision$ $Date: 2008-03-08 01:03:56 +0200
(Sat, 08 Mar 2008) $
__________________________________________________________
Table of Contents
1. Admin Guide
1.1. Overview
1.2. Additional Credentials
1.3. Dependencies
1.3.1. Kamailio Modules
1.3.2. External Libraries or Applications
1.4. Exported Parameters
1.4.1. radius_config (string)
1.4.2. service_type (integer)
1.4.3. auth_extra (string)
1.4.4. use_ruri_flag (integer)
1.5. Exported Functions
1.5.1. radius_www_authorize(realm)
1.5.2. radius_proxy_authorize(realm [, uri_user])
List of Examples
1.1. "SIP-AVP" RADIUS AVP exmaples
1.2. radius_config parameter usage
1.3. service_type parameter usage
1.4. auth_extra parameter usage
1.5. use_ruri_flag parameter usage
1.6. radius_www_authorize usage
1.7. proxy_authorize usage
Chapter 1. Admin Guide
1.1. Overview
This module contains functions that are used to perform
authentication using a Radius server. Basically the proxy will
pass along the credentials to the radius server which will in
turn send a reply containing result of the authentication. So
basically the whole authentication is done in the Radius
server. Before sending the request to the radius server we
perform some sanity checks over the credentials to make sure
that only well formed credentials will get to the server. We
have implemented radius authentication according to
draft-sterman-aaa-sip-00. This module requires radiusclient-ng
library version 0.5.0 or higher which is available from
http://developer.berlios.de/projects/radiusclient-ng/.
1.2. Additional Credentials
When performing authentification, the RADIUS server may include
in the response additional credentials. This scheme is very
useful in fetching additional user information from the RADIUS
server without making extra queries.
The additional credentials are embedded in the RADIUS reply as
AVPs "SIP-AVP". The syntax of the value is:
* value = SIP_AVP_NAME SIP_AVP_VALUE
* SIP_AVP_NAME = STRING_NAME | '#'ID_NUMBER
* SIP_AVP_VALUE = ':'STRING_VALUE | '#'NUMBER_VALUE
All additional credentials will be stored as Kamailio AVPs
(SIP_AVP_NAME = SIP_AVP_VALUE).
The RPID value may be fetch via this mechanism.
Example 1.1. "SIP-AVP" RADIUS AVP exmaples
....
"email:[email protected]"
- STRING NAME AVP (email) with STRING VALUE ([email protected])
"#14:[email protected]"
- ID AVP (14) with STRING VALUE ([email protected])
"age#28"
- STRING NAME AVP (age) with INTEGER VALUE (28)
"#14#28"
- ID AVP (14) with INTEGER VALUE (28)
....
1.3. Dependencies
1.3.1. Kamailio Modules
The module depends on the following modules (in the other words
the listed modules must be loaded before this module):
* auth -- Generic authentication functions
1.3.2. External Libraries or Applications
The following libraries or applications must be installed
before compilling Kamailio with this module loaded:
* radiusclient-ng 0.5.0 or higher -- library and development
files. See
http://developer.berlios.de/projects/radiusclient-ng/.
1.4. Exported Parameters
1.4.1. radius_config (string)
This is the location of the configuration file of radius client
libraries.
Default value is
"/usr/local/etc/radiusclient-ng/radiusclient.conf".
Example 1.2. radius_config parameter usage
modparam("auth_radius", "radius_config", "/etc/radiusclient.conf")
1.4.2. service_type (integer)
This is the value of the Service-Type radius attribute to be
used. The default should be fine for most people. See your
radius client include files for numbers to be put in this
parameter if you need to change it.
Default value is "15".
Example 1.3. service_type parameter usage
modparam("auth_radius", "service_type", 15)
1.4.3. auth_extra (string)
Semi-colon separated list of extra RADIUS attribute name=pseudo
variable pairs. When radius_www_authorize() or
radius_proxy_authorize() function is called, listed extra
attributes are included in RADIUS request with current values
of corresponding pseudo variables.
There is no default value, i.e., by default no extra attributes
are included.
Example 1.4. auth_extra parameter usage
modparam("auth_radius", "auth_extra", "Acct-Session-Id=$ci")
1.4.4. use_ruri_flag (integer)
When this parameter is set to the value other than "-1" and the
request being authenticated has flag with matching number set
via setflag() function, use Request URI instead of uri
parameter value from the Authorization / Proxy-Authorization
header field to perform RADIUS authentication. This is intended
to provide workaround for misbehaving NAT / routers / ALGs that
alter request in the transit, breaking authentication. At the
time of this writing, certain versions of Linksys WRT54GL are
known to do that.
Default value is "-1".
Example 1.5. use_ruri_flag parameter usage
modparam("auth_radius", "use_ruri_flag", 22)
1.5. Exported Functions
1.5.1. radius_www_authorize(realm)
The function verifies credentials according to RFC2617. If the
credentials are verified successfully then the function will
succeed and mark the credentials as authorized (marked
credentials can be later used by some other functions). If the
function was unable to verify the credentials for some reason
then it will fail and the script should call www_challenge
which will challenge the user again.
Negative codes may be interpreted as follows:
* -5 (generic error) - some generic error occurred and no
reply was sent out;
* -4 (no credentials) - credentials were not found in
request;
* -3 (stale nonce) - stale nonce;
This function will, in fact, perform sanity checks over the
received credentials and then pass them along to the radius
server which will verify the credentials and return whether
they are valid or not.
Meaning of the parameter is as follows:
* realm - Realm is a opaque string that the user agent should
present to the user so he can decide what username and
password to use. Usually this is domain of the host the
server is running on.
If an empty string "" is used then the server will generate
it from the request. In case of REGISTER requests To header
field domain will be used (because this header field
represents a user being registered), for all other messages
From header field domain will be used.
The string may contain pseudo variables.
This function can be used from REQUEST_ROUTE.
Example 1.6. radius_www_authorize usage
...
if (!radius_www_authorize("siphub.net")) {
www_challenge("siphub.net", "1");
};
...
1.5.2. radius_proxy_authorize(realm [, uri_user])
The function verifies credentials according to RFC2617. If the
credentials are verified successfully then the function will
succeed and mark the credentials as authorized (marked
credentials can be later used by some other functions). If the
function was unable to verify the credentials for some reason
then it will fail and the script should call proxy_challenge
which will challenge the user again. For more about the
negative return codes, see the above function.
This function will, in fact, perform sanity checks over the
received credentials and then pass them along to the radius
server which will verify the credentials and return whether
they are valid or not.
Meaning of the parameters is as follows:
* realm - Realm is a opaque string that the user agent should
present to the user so he can decide what username and
password to use. This is usually one of the domains the
proxy is responsible for. If an empty string "" is used
then the server will generate realm from host part of From
header field URI.
The string may contain pseudo variables.
* uri_user - Uri_user is an optional pseudo variable
parameter whose value, if present, will be given to Radius
server as value of SIP-URI-User check item. If uri_user
pseudo variable parameter is not present, the server will
generate SIP-URI-User check item value from user part of
To/From URI.
This function can be used from REQUEST_ROUTE.
Example 1.7. proxy_authorize usage
...
if (!radius_proxy_authorize("")) { # Realm and URI user will be autoge
nerated
proxy_challenge("", "1");
};
...
if (!radius_proxy_authorize("$pd", "$pU")) { # Realm and URI user are ta
ken
proxy_challenge("$pd", "1"); # from P-Preferred-Identity
}; # header field
...
Jan Janak
FhG Fokus
Juha Heinanen
Stelios Sidiroglou-Douskos
Bogdan-Andrei Iancu
voice-system.ro
Edited by
Jan Janak
Copyright � 2002, 2003 FhG FOKUS
Copyright � 2005 voice-system.ro
Copyright � 2008 Juha Heinanen
Revision History
Revision $Revision$ $Date: 2008-03-08 01:03:56 +0200
(Sat, 08 Mar 2008) $
__________________________________________________________
Table of Contents
1. Admin Guide
1.1. Overview
1.2. Additional Credentials
1.3. Dependencies
1.3.1. Kamailio Modules
1.3.2. External Libraries or Applications
1.4. Exported Parameters
1.4.1. radius_config (string)
1.4.2. service_type (integer)
1.4.3. auth_extra (string)
1.4.4. use_ruri_flag (integer)
1.5. Exported Functions
1.5.1. radius_www_authorize(realm)
1.5.2. radius_proxy_authorize(realm [, uri_user])
List of Examples
1.1. "SIP-AVP" RADIUS AVP exmaples
1.2. radius_config parameter usage
1.3. service_type parameter usage
1.4. auth_extra parameter usage
1.5. use_ruri_flag parameter usage
1.6. radius_www_authorize usage
1.7. proxy_authorize usage
Chapter 1. Admin Guide
1.1. Overview
This module contains functions that are used to perform
authentication using a Radius server. Basically the proxy will
pass along the credentials to the radius server which will in
turn send a reply containing result of the authentication. So
basically the whole authentication is done in the Radius
server. Before sending the request to the radius server we
perform some sanity checks over the credentials to make sure
that only well formed credentials will get to the server. We
have implemented radius authentication according to
draft-sterman-aaa-sip-00. This module requires radiusclient-ng
library version 0.5.0 or higher which is available from
http://developer.berlios.de/projects/radiusclient-ng/.
1.2. Additional Credentials
When performing authentification, the RADIUS server may include
in the response additional credentials. This scheme is very
useful in fetching additional user information from the RADIUS
server without making extra queries.
The additional credentials are embedded in the RADIUS reply as
AVPs "SIP-AVP". The syntax of the value is:
* value = SIP_AVP_NAME SIP_AVP_VALUE
* SIP_AVP_NAME = STRING_NAME | '#'ID_NUMBER
* SIP_AVP_VALUE = ':'STRING_VALUE | '#'NUMBER_VALUE
All additional credentials will be stored as Kamailio AVPs
(SIP_AVP_NAME = SIP_AVP_VALUE).
The RPID value may be fetch via this mechanism.
Example 1.1. "SIP-AVP" RADIUS AVP exmaples
....
"email:[email protected]"
- STRING NAME AVP (email) with STRING VALUE ([email protected])
"#14:[email protected]"
- ID AVP (14) with STRING VALUE ([email protected])
"age#28"
- STRING NAME AVP (age) with INTEGER VALUE (28)
"#14#28"
- ID AVP (14) with INTEGER VALUE (28)
....
1.3. Dependencies
1.3.1. Kamailio Modules
The module depends on the following modules (in the other words
the listed modules must be loaded before this module):
* auth -- Generic authentication functions
1.3.2. External Libraries or Applications
The following libraries or applications must be installed
before compilling Kamailio with this module loaded:
* radiusclient-ng 0.5.0 or higher -- library and development
files. See
http://developer.berlios.de/projects/radiusclient-ng/.
1.4. Exported Parameters
1.4.1. radius_config (string)
This is the location of the configuration file of radius client
libraries.
Default value is
"/usr/local/etc/radiusclient-ng/radiusclient.conf".
Example 1.2. radius_config parameter usage
modparam("auth_radius", "radius_config", "/etc/radiusclient.conf")
1.4.2. service_type (integer)
This is the value of the Service-Type radius attribute to be
used. The default should be fine for most people. See your
radius client include files for numbers to be put in this
parameter if you need to change it.
Default value is "15".
Example 1.3. service_type parameter usage
modparam("auth_radius", "service_type", 15)
1.4.3. auth_extra (string)
Semi-colon separated list of extra RADIUS attribute name=pseudo
variable pairs. When radius_www_authorize() or
radius_proxy_authorize() function is called, listed extra
attributes are included in RADIUS request with current values
of corresponding pseudo variables.
There is no default value, i.e., by default no extra attributes
are included.
Example 1.4. auth_extra parameter usage
modparam("auth_radius", "auth_extra", "Acct-Session-Id=$ci")
1.4.4. use_ruri_flag (integer)
When this parameter is set to the value other than "-1" and the
request being authenticated has flag with matching number set
via setflag() function, use Request URI instead of uri
parameter value from the Authorization / Proxy-Authorization
header field to perform RADIUS authentication. This is intended
to provide workaround for misbehaving NAT / routers / ALGs that
alter request in the transit, breaking authentication. At the
time of this writing, certain versions of Linksys WRT54GL are
known to do that.
Default value is "-1".
Example 1.5. use_ruri_flag parameter usage
modparam("auth_radius", "use_ruri_flag", 22)
1.5. Exported Functions
1.5.1. radius_www_authorize(realm)
The function verifies credentials according to RFC2617. If the
credentials are verified successfully then the function will
succeed and mark the credentials as authorized (marked
credentials can be later used by some other functions). If the
function was unable to verify the credentials for some reason
then it will fail and the script should call www_challenge
which will challenge the user again.
Negative codes may be interpreted as follows:
* -5 (generic error) - some generic error occurred and no
reply was sent out;
* -4 (no credentials) - credentials were not found in
request;
* -3 (stale nonce) - stale nonce;
This function will, in fact, perform sanity checks over the
received credentials and then pass them along to the radius
server which will verify the credentials and return whether
they are valid or not.
Meaning of the parameter is as follows:
* realm - Realm is a opaque string that the user agent should
present to the user so he can decide what username and
password to use. Usually this is domain of the host the
server is running on.
If an empty string "" is used then the server will generate
it from the request. In case of REGISTER requests To header
field domain will be used (because this header field
represents a user being registered), for all other messages
From header field domain will be used.
The string may contain pseudo variables.
This function can be used from REQUEST_ROUTE.
Example 1.6. radius_www_authorize usage
...
if (!radius_www_authorize("siphub.net")) {
www_challenge("siphub.net", "1");
};
...
1.5.2. radius_proxy_authorize(realm [, uri_user])
The function verifies credentials according to RFC2617. If the
credentials are verified successfully then the function will
succeed and mark the credentials as authorized (marked
credentials can be later used by some other functions). If the
function was unable to verify the credentials for some reason
then it will fail and the script should call proxy_challenge
which will challenge the user again. For more about the
negative return codes, see the above function.
This function will, in fact, perform sanity checks over the
received credentials and then pass them along to the radius
server which will verify the credentials and return whether
they are valid or not.
Meaning of the parameters is as follows:
* realm - Realm is a opaque string that the user agent should
present to the user so he can decide what username and
password to use. This is usually one of the domains the
proxy is responsible for. If an empty string "" is used
then the server will generate realm from host part of From
header field URI.
The string may contain pseudo variables.
* uri_user - Uri_user is an optional pseudo variable
parameter whose value, if present, will be given to Radius
server as value of SIP-URI-User check item. If uri_user
pseudo variable parameter is not present, the server will
generate SIP-URI-User check item value from user part of
To/From URI.
This function can be used from REQUEST_ROUTE.
Example 1.7. proxy_authorize usage
...
if (!radius_proxy_authorize("")) { # Realm and URI user will be autoge
nerated
proxy_challenge("", "1");
};
...
if (!radius_proxy_authorize("$pd", "$pU")) { # Realm and URI user are ta
ken
proxy_challenge("$pd", "1"); # from P-Preferred-Identity
}; # header field
...