Auth_radius Module

Jan Janak

FhG Fokus

Juha Heinanen

Song Networks

Stelios Sidiroglou-Douskos

Bogdan-Andrei Iancu

Edited by

Jan Janak


Table of Contents
1. User's Guide
1.1. Overview
1.2. Additional Credentials
1.3. Dependencies
1.3.1. OpenSER Modules
1.3.2. External Libraries or Applications
1.4. Exported Parameters
1.4.1. radius_config (string)
1.4.2. service_type (integer)
1.5. Exported Functions
1.5.1. radius_www_authorize(realm)
1.5.2. radius_proxy_authorize(realm)
2. Developer's Guide
3. Frequently Asked Questions
List of Examples
1-1. "SIP-AVP" RADIUS AVP exmaples
1-2. radius_config parameter usage
1-3. service_type parameter usage
1-4. radius_www_authorize usage
1-5. proxy_authorize usage

Chapter 1. User's Guide

1.1. Overview

This module contains functions that are used to perform authentication using a Radius server. Basically the proxy will pass along the credentials to the radius server which will in turn send a reply containing result of the authentication. So basically the whole authentication is done in the Radius server. Before sending the request to the radius server we perform some sanity checks over the credentials to make sure that only well formed credentials will get to the server. We have implemented radius authentication according to draft-sterman-aaa-sip-00. This module requires radiusclient-ng library version 0.5.0 or higher which is available from http://developer.berlios.de/projects/radiusclient-ng/.


1.2. Additional Credentials

When performing authentification, the RADIUS server may include in the response additional credentials. This scheme is very useful in fetching additional user information from the RADIUS server without making extra queries.

The additional credentials are embedded in the RADIUS reply as AVPs "SIP-AVP". The syntax of the value is:

  • value = SIP_AVP_NAME SIP_AVP_VALUE

  • SIP_AVP_NAME = STRING_NAME | '#'ID_NUMBER

  • SIP_AVP_VALUE = ':'STRING_VALUE | '#'NUMBER_VALUE

All additional credentials will be stored as OpenSER AVPs (SIP_AVP_NAME = SIP_AVP_VALUE).

The RPID value may be fetch via this mechanism.

Example 1-1. "SIP-AVP" RADIUS AVP exmaples

....
"email:joe@yahoo.com"
    -> STRING NAME AVP (email) with STRING VALUE (joe@yahoo.com)
"#14:joe@yahoo.com"
    -> ID AVP (14) with STRING VALUE (joe@yahoo.com)
"age#28"
    -> STRING NAME AVP (age) with INTEGER VALUE (28)
"#14#28"
    -> ID AVP (14) with INTEGER VALUE (28)
....
		

1.3. Dependencies

1.3.1. OpenSER Modules

The module depends on the following modules (in the other words the listed modules must be loaded before this module):

  • auth -- Generic authentication functions


1.3.2. External Libraries or Applications

The following libraries or applications must be installed before compilling OpenSER with this module loaded:


1.4. Exported Parameters

1.4.1. radius_config (string)

This is the location of the configuration file of radius client libraries.

Default value is "/usr/local/etc/radiusclient-ng/radiusclient.conf".

Example 1-2. radius_config parameter usage

modparam("auth_radius", "radius_config", "/etc/radiusclient.conf")
		

1.4.2. service_type (integer)

This is the value of the Service-Type radius attribute to be used. The default should be fine for most people. See your radius client include files for numbers to be put in this parameter if you need to change it.

Default value is "15".

Example 1-3. service_type parameter usage

modparam("auth_radius", "service_type", 15)
		

1.5. Exported Functions

1.5.1. radius_www_authorize(realm)

The function verifies credentials according to RFC2617. If the credentials are verified successfully then the function will succeed and mark the credentials as authorized (marked credentials can be later used by some other functions). If the function was unable to verify the credentials for some reason then it will fail and the script should call www_challenge which will challenge the user again.

This function will, in fact, perform sanity checks over the received credentials and then pass them along to the radius server which will verify the credentials and return whether they are valid or not.

Meaning of the parameter is as follows:

  • realm - Realm is a opaque string that the user agent should present to the user so he can decide what username and password to use. Usually this is domain of the host the server is running on.

    If an empty string "" is used then the server will generate it from the request. In case of REGISTER requests To header field domain will be used (because this header field represents a user being registered), for all other messages From header field domain will be used.

    The string may contain pseudo variables.

This function can be used from REQUEST_ROUTE.

Example 1-4. radius_www_authorize usage

...
if (!radius_www_authorize("siphub.net")) {
	www_challenge("siphub.net", "1");
};
...

1.5.2. radius_proxy_authorize(realm)

The function verifies credentials according to RFC2617. If the credentials are verified successfully then the function will succeed and mark the credentials as authorized (marked credentials can be later used by some other functions). If the function was unable to verify the credentials for some reason then it will fail and the script should call proxy_challenge which will challenge the user again.

This function will, in fact, perform sanity checks over the received credentials and then pass them along to the radius server which will verify the credentials and return whether they are valid or not.

Meaning of the parameter is as follows:

  • realm - Realm is a opaque string that the user agent should present to the user so he can decide what username and password to use. Usually this is domain of the host the server is running on.

    If an empty string "" is used then the server will generate it from the request. From header field domain will be used as realm.

    The string may contain pseudo variables.

This function can be used from REQUEST_ROUTE.

Example 1-5. proxy_authorize usage

...
if (!radius_proxy_authorize("")) {
	proxy_challenge("", "1");  # Realm will be autogenerated
};
...

Chapter 2. Developer's Guide

The module does not provide any API to use in other OpenSER modules.


Chapter 3. Frequently Asked Questions

3.1. Where can I find more about OpenSER?
3.2. Where can I post a question about this module?
3.3. How can I report a bug?

3.1. Where can I find more about OpenSER?

Take a look at http://openser.org/.

3.2. Where can I post a question about this module?

First at all check if your question was already answered on one of our mailing lists:

E-mails regarding any stable OpenSER release should be sent to and e-mails regarding development versions should be sent to .

If you want to keep the mail private, send it to .

3.3. How can I report a bug?

Please follow the guidelines provided at: http://sourceforge.net/tracker/?group_id=139143.