Auth_radius Module

Jan Janak

FhG Fokus

Juha Heinanen

Stelios Sidiroglou-Douskos

Bogdan-Andrei Iancu

Voice Sistem SRL

Edited by

Jan Janak

Edited by

Phil Lavin


Table of Contents

1. Admin Guide
1. Overview
2. Additional Credentials
3. Dependencies
3.1. Modules
3.2. External Libraries or Applications
4. Parameters
4.1. radius_config (string)
4.2. service_type (integer)
4.3. auth_extra (string)
4.4. use_ruri_flag (integer)
4.5. radius_avps_mode (integer)
4.6. append_realm_to_username (integer)
5. Functions
5.1. radius_www_authorize(realm [, uri_user])
5.2. radius_proxy_authorize(realm [, uri_user])

List of Examples

1.1. SIP-AVP RADIUS AVP exmaples
1.2. radius_config parameter usage
1.3. service_type parameter usage
1.4. auth_extra parameter usage
1.5. use_ruri_flag parameter usage
1.6. radius_avps_mode parameter usage
1.7. append_realm_to_username parameter usage
1.8. radius_www_authorize usage
1.9. proxy_authorize usage

Chapter 1. Admin Guide

1. Overview

This module contains functions that are used to perform authentication using a Radius server. Basically the proxy will pass along the credentials to the radius server which will in turn send a reply containing result of the authentication. So basically the whole authentication is done in the Radius server. Before sending the request to the radius server we perform some sanity checks over the credentials to make sure that only well formed credentials will get to the server. We have implemented radius authentication according to draft-sterman-aaa-sip-00. This module requires the radiusclient-ng library version 0.5.0 or higheer or freeradius-client which is available from https://github.com/FreeRADIUS/freeradius-client/. You can also install this library from distribution repositories.

2. Additional Credentials

When performing authentification, the RADIUS server may include additional credentials in the response. This scheme is very useful in fetching additional user information from the RADIUS server without making extra queries.

The additional credentials are embedded in the RADIUS reply as AVPs SIP-AVP. The syntax of the value is:

  • value = SIP_AVP_NAME SIP_AVP_VALUE

  • SIP_AVP_NAME = STRING_NAME | '#'ID_NUMBER

  • SIP_AVP_VALUE = ':'STRING_VALUE | '#'NUMBER_VALUE

All additional credentials will be stored as Kamailio AVPs (SIP_AVP_NAME = SIP_AVP_VALUE).

The RPID value may be fetch via this mechanism.

Example 1.1. SIP-AVP RADIUS AVP exmaples

....
"email:joe@yahoo.com"
    - STRING NAME AVP (email) with STRING VALUE (joe@yahoo.com)
"#14:joe@yahoo.com"
    - ID AVP (14) with STRING VALUE (joe@yahoo.com)
"age#28"
    - STRING NAME AVP (age) with INTEGER VALUE (28)
"#14#28"
    - ID AVP (14) with INTEGER VALUE (28)
....

3. Dependencies

3.1. Modules

The module depends on the following modules (in the other words the listed modules must be loaded before this module):

  • auth -- Generic authentication functions

3.2. External Libraries or Applications

The following libraries or applications must be installed before compilling Kamailio with this module loaded:

One of these libraries. Notice that development of radiusclient-ng has stopped, as the project merged with freeradius-client.

4. Parameters

4.1. radius_config (string)

This is the location of the configuration file of radius client libraries.

Default value is /usr/local/etc/radiusclient-ng/radiusclient.conf.

Example 1.2. radius_config parameter usage

modparam("auth_radius", "radius_config", "/etc/radiusclient.conf")

4.2. service_type (integer)

This is the value of the Service-Type radius attribute to be used. The default should be fine for most people. See your radius client include files for numbers to be put in this parameter if you need to change it.

Default value is 15.

Example 1.3. service_type parameter usage

modparam("auth_radius", "service_type", 15)

4.3. auth_extra (string)

Semi-colon separated list of extra RADIUS attribute name=pseudo variable pairs. When radius_www_authorize() or radius_proxy_authorize() function is called, listed extra attributes are included in RADIUS request with current values of corresponding pseudo variables.

There is no default value, i.e., by default no extra attributes are included.

Example 1.4. auth_extra parameter usage

modparam("auth_radius", "auth_extra", "Acct-Session-Id=$ci")

4.4. use_ruri_flag (integer)

When this parameter is set to the value other than "-1" and the request being authenticated has flag with matching number set via setflag() function, use Request URI instead of uri parameter value from the Authorization / Proxy-Authorization header field to perform RADIUS authentication. This is intended to provide workaround for misbehaving NAT / routers / ALGs that alter request in the transit, breaking authentication. At the time of this writing, certain versions of Linksys WRT54GL are known to do that.

Default value is -1.

Example 1.5. use_ruri_flag parameter usage

modparam("auth_radius", "use_ruri_flag", 22)

4.5. radius_avps_mode (integer)

If set to 1, all RADIUS AVPs returned by RADIUS server are stored in Kamailio AVPs list. If set to 0, only the SIP_AVP type of RADIUS AVPs are stored in Kamailio AVPs list.

Default value is 0.

Example 1.6. radius_avps_mode parameter usage

modparam("auth_radius", "radius_avps_mode", 1)

4.6. append_realm_to_username (integer)

If set to 1, the username passed to the RADIUS server will have the digest realm appended to it, if no domain is provided in the digest username.

Default value is 1.

Example 1.7. append_realm_to_username parameter usage

modparam("auth_radius", "append_realm_to_username", 0)

5. Functions

5.1. radius_www_authorize(realm [, uri_user])

The function verifies credentials according to RFC2617. If the credentials are verified successfully then the function will succeed and mark the credentials as authorized (marked credentials can be later used by some other functions).

If the function was unable to verify the credentials for some reason, it fails and assigns a WWW-Authorize header containing a new challenge to digest_challenge AVP (see modules/auth). The script should then respond with 401 that includes this header, which will challenge the user again.

Negative result codes may be interpreted as follows:

  • -7 (internal error) - some internal error occurred (see syslog);

  • -6 (nonce reused) - nonce is used more than once;

  • -5 (no credentials) - credentials were not found in request;

  • -4 (stale nonce) - stale nonce;

  • -2 (authorization failed) - RADIUS responded with Access Reject which may be, for example, due to user not found or wrong password;

  • -1 (error) - some error occurred during authorization (see syslog);

This function will perform sanity checks over the received credentials and then pass them along to RADIUS server which will verify the credentials and return whether they are valid or not.

Meaning of the parameter is as follows:

  • realm - Realm is a opaque string that the user agent should present to the user so he can decide what username and password to use. In case of REGISTER requests it is usually hostpart of To URI.

    The string may contain pseudo variables.

  • uri_user - Uri_user is an optional pseudo variable parameter whose value, if present, will be given to Radius server as value of SIP-URI-User check item. If uri_user pseudo variable parameter is not present, the server will generate SIP-URI-User check item value from user part of To/From URI.

This function can be used from REQUEST_ROUTE.

Example 1.8. radius_www_authorize usage

...
    if (!radius_www_authorize("$td")) {
        switch ($rc) {
        case -7:
	    send_reply("500", "Server Internal Error");
	    exit;
        case -1:
	    send_reply("400", "Bad Request");
	    exit;
        default:
        };
        if (defined($avp(digest_challenge)) &&
                ($avp(digest_challenge) != "")) {
            append_to_reply("$avp(digest_challenge)");
        };
        send_reply("401", "Unauthorized");
        exit;
    };
...

5.2. radius_proxy_authorize(realm [, uri_user])

The function verifies credentials according to RFC2617. If the credentials are verified successfully then the function will succeed and mark the credentials as authorized (marked credentials can be later used by some other functions).

If the function was unable to verify the credentials for some reason, it fails and assigns a Proxy-Authorize header containing a new challenge to digest_challenge AVP. The script should then respond with 407 that includes this header, which will challenge the user again. For negative result codes, see the above function.

This function will perform sanity checks over the received credentials and then pass them along to RADIUS server which will verify the credentials and return whether they are valid or not.

Meaning of the parameters is as follows:

  • realm - Realm is a opaque string that the user agent should present to the user so he can decide what username and password to use. In case of non-REGISTER requests it is usually hostpart of From or P-Preferred-Identity URI.

    The string may contain pseudo variables.

  • uri_user - Uri_user is an optional pseudo variable parameter whose value, if present, will be given to Radius server as value of SIP-URI-User check item. If uri_user pseudo variable parameter is not present, the server will generate SIP-URI-User check item value from user part of To/From URI.

This function can be used from REQUEST_ROUTE.

Example 1.9. proxy_authorize usage

...
    if (!radius_proxy_authorize("$pd", "$pU")) { # Realm and URI user are taken
        switch ($rc) {                           # from P-Preferred-Identity
        case -7:                                 # header field
	    send_reply("500", "Server Internal Error");
	    exit;
        case -1:
	    send_reply("400", "Bad Request");
	    exit;
        default:
        };
        if (defined($avp(digest_challenge)) &&
                ($avp(digest_challenge) != "")) {
            append_to_reply("$avp(digest_challenge)");
        };
        send_reply("407", "Proxy Authentication Required");
        exit;
    };
...