On Jul 08, 2004 at 13:20, Kai Militzer <km(a)westend.com> wrote:
Hi list!
I just came across something very strange when using the radius modules
and wonder if it is a wanted feature, a bug or simply me being stupid
(which I guess will be the case).
The thing is the following. My ser.cfg has the following in it when a
UA registers:
    if (method=="REGISTER") {
        if (!radius_proxy_authorize("XXX.XXX.XXX.XXX")) {
            proxy_challenge("XXX.XXX.XXX.XXX", "0");
            break;
        };
        log(1,"Registered");
        save("location");
        break;
    };
This works fine, meaning the user gets registered if it is known to
Radius and not registered in the opposite case.
Now to the strange thing. In most UAs you can enter different user-parts
of the URI and Authentication-Users. I used kphone for this test and
entered a valid username as authentication username and some random
number (or word, that doesn't matter) as "User part of SIP URL". What
happens then is, that the user can register and gets a URI different
from the authenticated username. With this behavior every user would be
able to "hijack" connections from other users.
How can I tell SER to not allow this? Has it something to do with the
SIP-Rpid argument in Radius? Ser seems to ignore it.
Use check_to from the uri module.
Before save(...) add something like:

    if (!check_to()) {
        /* error reply here */
        break;
    }
Andrei
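The failure Kai describes is a mismatch between two usernames that SER treats separately: the one proven by the digest credentials and the one in the To header that save("location") binds the contact to. The following Python snippet is an added illustration (not SER's code, and not the uri module's check_to implementation) of the comparison such a check has to make on a REGISTER: it extracts the user part of the To URI and the username="..." from the Digest Authorization header and accepts the registration only when they agree. The two sample REGISTER messages are constructed for the example; header names and layout follow RFC 3261, but the message bodies are invented.

```python
import re
from typing import Dict, Optional


def parse_headers(msg: str) -> Dict[str, str]:
    """Return the headers of a minimal SIP request as {lower-case name: value}.

    Only the first line is treated as the request line; parsing stops at the
    blank line that ends the header section. Compact forms and folded lines are
    not handled; this is an illustration, not a full SIP parser.
    """
    headers: Dict[str, str] = {}
    for line in msg.split("\r\n")[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def uri_user(header_value: str) -> Optional[str]:
    """Extract the user part from a To/From header such as '"Bob" <sip:bob@example.com>;tag=1'."""
    m = re.search(r"sips?:([^@>;\s]+)@", header_value)
    return m.group(1) if m else None


def auth_username(authorization: str) -> Optional[str]:
    """Extract the username="..." parameter from a Digest Authorization header."""
    m = re.search(r'username="([^"]*)"', authorization)
    return m.group(1) if m else None


def to_matches_auth(msg: str) -> bool:
    """Accept a REGISTER only if the To user equals the authenticated digest username.

    Missing To or Authorization headers are rejected; a registrar that has
    already challenged the request should never see them absent here.
    """
    h = parse_headers(msg)
    if "to" not in h or "authorization" not in h:
        return False
    to_user = uri_user(h["to"])
    auth_user = auth_username(h["authorization"])
    return to_user is not None and to_user == auth_user


# Constructed sample: the UA authenticates as "alice" and asks to register alice.
REGISTER_OK = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "To: <sip:alice@example.com>\r\n"
    "From: <sip:alice@example.com>;tag=a1\r\n"
    'Authorization: Digest username="alice", realm="example.com", '
    'nonce="abc", uri="sip:example.com", response="0123"\r\n'
    "\r\n"
)

# Constructed sample: valid credentials for "alice", but the To user is "bob".
# This is the kphone scenario from the thread; it must be refused.
REGISTER_MISMATCH = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "To: <sip:bob@example.com>\r\n"
    "From: <sip:bob@example.com>;tag=b2\r\n"
    'Authorization: Digest username="alice", realm="example.com", '
    'nonce="abc", uri="sip:example.com", response="0123"\r\n'
    "\r\n"
)


if __name__ == "__main__":
    print("matching To/auth accepted:", to_matches_auth(REGISTER_OK))
    print("mismatched To/auth accepted:", to_matches_auth(REGISTER_MISMATCH))
```

In the ser.cfg from the question the equivalent place for this comparison is between radius_proxy_authorize(...) succeeding and save("location") running, which is exactly where Andrei puts check_to(); without it the contact is stored under whatever To user the UA chose.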