Copyright © 2002, 2003 FhG FOKUS
Copyright © 2005 voice-system.ro
Copyright © 2008 Juha Heinanen
Revision History | |
---|---|
Revision $Revision: 4842 $ | $Date: 2008-09-04 16:25:02 +0200 (Thu, 04 Sep 2008) $ |
Table of Contents
List of Examples
This module contains functions that are used to perform authentication using a Radius server. Basically the proxy will pass along the credentials to the radius server which will in turn send a reply containing result of the authentication. So basically the whole authentication is done in the Radius server. Before sending the request to the radius server we perform some sanity checks over the credentials to make sure that only well formed credentials will get to the server. We have implemented radius authentication according to draft-sterman-aaa-sip-00. This module requires radiusclient-ng library version 0.5.0 or higher which is available from http://developer.berlios.de/projects/radiusclient-ng/.
When performing authentification, the RADIUS server may include in the response additional credentials. This scheme is very useful in fetching additional user information from the RADIUS server without making extra queries.
The additional credentials are embedded in the RADIUS reply as AVPs “SIP-AVP”. The syntax of the value is:
value = SIP_AVP_NAME SIP_AVP_VALUE
SIP_AVP_NAME = STRING_NAME | '#'ID_NUMBER
SIP_AVP_VALUE = ':'STRING_VALUE | '#'NUMBER_VALUE
All additional credentials will be stored as Kamailio AVPs (SIP_AVP_NAME = SIP_AVP_VALUE).
The RPID value may be fetch via this mechanism.
Example 1.1. “SIP-AVP” RADIUS AVP exmaples
.... "email:joe@yahoo.com" - STRING NAME AVP (email) with STRING VALUE (joe@yahoo.com) "#14:joe@yahoo.com" - ID AVP (14) with STRING VALUE (joe@yahoo.com) "age#28" - STRING NAME AVP (age) with INTEGER VALUE (28) "#14#28" - ID AVP (14) with INTEGER VALUE (28) ....
The module depends on the following modules (in the other words the listed modules must be loaded before this module):
auth -- Generic authentication functions
The following libraries or applications must be installed before compilling Kamailio with this module loaded:
radiusclient-ng 0.5.0 or higher -- library and development files. See http://developer.berlios.de/projects/radiusclient-ng/.
This is the location of the configuration file of radius client libraries.
Default value is “/usr/local/etc/radiusclient-ng/radiusclient.conf”.
Example 1.2. radius_config
parameter usage
modparam("auth_radius", "radius_config", "/etc/radiusclient.conf")
This is the value of the Service-Type radius attribute to be used. The default should be fine for most people. See your radius client include files for numbers to be put in this parameter if you need to change it.
Default value is “15”.
Semi-colon separated list of extra RADIUS attribute name=pseudo variable pairs. When radius_www_authorize() or radius_proxy_authorize() function is called, listed extra attributes are included in RADIUS request with current values of corresponding pseudo variables.
There is no default value, i.e., by default no extra attributes are included.
Example 1.4. auth_extra
parameter usage
modparam("auth_radius", "auth_extra", "Acct-Session-Id=$ci")
When this parameter is set to the value other than "-1" and the request being authenticated has flag with matching number set via setflag() function, use Request URI instead of uri parameter value from the Authorization / Proxy-Authorization header field to perform RADIUS authentication. This is intended to provide workaround for misbehaving NAT / routers / ALGs that alter request in the transit, breaking authentication. At the time of this writing, certain versions of Linksys WRT54GL are known to do that.
Default value is “-1”.
The function verifies credentials according to
RFC2617. If
the credentials are verified successfully then the function will
succeed and mark the credentials as authorized (marked credentials can
be later used by some other functions). If the function was unable to
verify the credentials for some reason then it will fail and
the script should call
www_challenge
which will challenge the user again.
Negative codes may be interpreted as follows:
-5 (generic error) - some generic error occurred and no reply was sent out;
-4 (no credentials) - credentials were not found in request;
-3 (stale nonce) - stale nonce;
This function will, in fact, perform sanity checks over the received credentials and then pass them along to the radius server which will verify the credentials and return whether they are valid or not.
Meaning of the parameter is as follows:
realm - Realm is a opaque string that the user agent should present to the user so he can decide what username and password to use. Usually this is domain of the host the server is running on.
If an empty string “” is used then the server will generate it from the request. In case of REGISTER requests To header field domain will be used (because this header field represents a user being registered), for all other messages From header field domain will be used.
The string may contain pseudo variables.
This function can be used from REQUEST_ROUTE.
Example 1.6. radius_www_authorize
usage
... if (!radius_www_authorize("siphub.net")) { www_challenge("siphub.net", "1"); }; ...
The function verifies credentials according to
RFC2617. If
the credentials are verified successfully then the function will
succeed and mark the credentials as authorized (marked credentials can
be later used by some other functions). If the function was unable to
verify the credentials for some reason then it will fail and the script
should call proxy_challenge
which
will challenge the user again. For more about the negative return
codes, see the above function.
This function will, in fact, perform sanity checks over the received credentials and then pass them along to the radius server which will verify the credentials and return whether they are valid or not.
Meaning of the parameters is as follows:
realm - Realm is a opaque string that the user agent should present to the user so he can decide what username and password to use. This is usually one of the domains the proxy is responsible for. If an empty string “” is used then the server will generate realm from host part of From header field URI.
The string may contain pseudo variables.
uri_user - Uri_user is an optional pseudo variable parameter whose value, if present, will be given to Radius server as value of SIP-URI-User check item. If uri_user pseudo variable parameter is not present, the server will generate SIP-URI-User check item value from user part of To/From URI.
This function can be used from REQUEST_ROUTE.
Example 1.7. proxy_authorize
usage
... if (!radius_proxy_authorize("")) { # Realm and URI user will be autogenerated proxy_challenge("", "1"); }; ... if (!radius_proxy_authorize("$pd", "$pU")) { # Realm and URI user are taken proxy_challenge("$pd", "1"); # from P-Preferred-Identity }; # header field ...