Auth_radius Module

Jan Janak

   FhG Fokus
   <jan@iptel.org>

Juha Heinanen

   <jh@tutpro.com>

Stelios Sidiroglou-Douskos

Bogdan-Andrei Iancu

   voice-system.ro
   <bogdan@voice-system.ro>

Edited by

Jan Janak

   <jan@iptel.org>

   Copyright © 2002, 2003 FhG FOKUS

   Copyright © 2005 voice-system.ro

   Copyright © 2008-2010 Juha Heinanen
   Revision History
   Revision $Revision$ $Date$
     __________________________________________________________________

   Table of Contents

   1. Admin Guide

        1. Overview
        2. Additional Credentials
        3. Dependencies

              3.1. Modules
              3.2. External Libraries or Applications

        4. Exported Parameters

              4.1. radius_config (string)
              4.2. service_type (integer)
              4.3. auth_extra (string)
              4.4. use_ruri_flag (integer)

        5. Exported Functions

              5.1. radius_www_authorize(realm)
              5.2. radius_proxy_authorize(realm [, uri_user])

   List of Examples

   1.1. “SIP-AVP” RADIUS AVP exmaples
   1.2. radius_config parameter usage
   1.3. service_type parameter usage
   1.4. auth_extra parameter usage
   1.5. use_ruri_flag parameter usage
   1.6. radius_www_authorize usage
   1.7. proxy_authorize usage

Chapter 1. Admin Guide

   Table of Contents

   1. Overview
   2. Additional Credentials
   3. Dependencies

        3.1. Modules
        3.2. External Libraries or Applications

   4. Exported Parameters

        4.1. radius_config (string)
        4.2. service_type (integer)
        4.3. auth_extra (string)
        4.4. use_ruri_flag (integer)

   5. Exported Functions

        5.1. radius_www_authorize(realm)
        5.2. radius_proxy_authorize(realm [, uri_user])

1. Overview

   This module contains functions that are used to perform authentication
   using a Radius server. Basically the proxy will pass along the
   credentials to the radius server which will in turn send a reply
   containing result of the authentication. So basically the whole
   authentication is done in the Radius server. Before sending the request
   to the radius server we perform some sanity checks over the credentials
   to make sure that only well formed credentials will get to the server.
   We have implemented radius authentication according to
   draft-sterman-aaa-sip-00. This module requires radiusclient-ng library
   version 0.5.0 or higher which is available from
   http://developer.berlios.de/projects/radiusclient-ng/.

2. Additional Credentials

   When performing authentification, the RADIUS server may include in the
   response additional credentials. This scheme is very useful in fetching
   additional user information from the RADIUS server without making extra
   queries.

   The additional credentials are embedded in the RADIUS reply as AVPs
   “SIP-AVP”. The syntax of the value is:
     * value = SIP_AVP_NAME SIP_AVP_VALUE
     * SIP_AVP_NAME = STRING_NAME | '#'ID_NUMBER
     * SIP_AVP_VALUE = ':'STRING_VALUE | '#'NUMBER_VALUE

   All additional credentials will be stored as Kamailio AVPs
   (SIP_AVP_NAME = SIP_AVP_VALUE).

   The RPID value may be fetch via this mechanism.

   Example 1.1. “SIP-AVP” RADIUS AVP exmaples
....
"email:joe@yahoo.com"
    - STRING NAME AVP (email) with STRING VALUE (joe@yahoo.com)
"#14:joe@yahoo.com"
    - ID AVP (14) with STRING VALUE (joe@yahoo.com)
"age#28"
    - STRING NAME AVP (age) with INTEGER VALUE (28)
"#14#28"
    - ID AVP (14) with INTEGER VALUE (28)
....

3. Dependencies

   3.1. Modules
   3.2. External Libraries or Applications

3.1. Modules

   The module depends on the following modules (in the other words the
   listed modules must be loaded before this module):
     * modules/auth -- Generic authentication functions

3.2. External Libraries or Applications

   The following libraries or applications must be installed before
   compilling Kamailio with this module loaded:
     * radiusclient-ng 0.5.0 or higher -- library and development files.
       See http://developer.berlios.de/projects/radiusclient-ng/.

4. Exported Parameters

   4.1. radius_config (string)
   4.2. service_type (integer)
   4.3. auth_extra (string)
   4.4. use_ruri_flag (integer)

4.1. radius_config (string)

   This is the location of the configuration file of radius client
   libraries.

   Default value is “/usr/local/etc/radiusclient-ng/radiusclient.conf”.

   Example 1.2. radius_config parameter usage
modparam("auth_radius", "radius_config", "/etc/radiusclient.conf")

4.2. service_type (integer)

   This is the value of the Service-Type radius attribute to be used. The
   default should be fine for most people. See your radius client include
   files for numbers to be put in this parameter if you need to change it.

   Default value is “15”.

   Example 1.3. service_type parameter usage
modparam("auth_radius", "service_type", 15)

4.3. auth_extra (string)

   Semi-colon separated list of extra RADIUS attribute name=pseudo
   variable pairs. When radius_www_authorize() or radius_proxy_authorize()
   function is called, listed extra attributes are included in RADIUS
   request with current values of corresponding pseudo variables.

   There is no default value, i.e., by default no extra attributes are
   included.

   Example 1.4. auth_extra parameter usage
modparam("auth_radius", "auth_extra", "Acct-Session-Id=$ci")

4.4. use_ruri_flag (integer)

   When this parameter is set to the value other than "-1" and the request
   being authenticated has flag with matching number set via setflag()
   function, use Request URI instead of uri parameter value from the
   Authorization / Proxy-Authorization header field to perform RADIUS
   authentication. This is intended to provide workaround for misbehaving
   NAT / routers / ALGs that alter request in the transit, breaking
   authentication. At the time of this writing, certain versions of
   Linksys WRT54GL are known to do that.

   Default value is “-1”.

   Example 1.5. use_ruri_flag parameter usage
modparam("auth_radius", "use_ruri_flag", 22)

5. Exported Functions

   5.1. radius_www_authorize(realm)
   5.2. radius_proxy_authorize(realm [, uri_user])

5.1. radius_www_authorize(realm)

   The function verifies credentials according to RFC2617. If the
   credentials are verified successfully then the function will succeed
   and mark the credentials as authorized (marked credentials can be later
   used by some other functions).

   If the function was unable to verify the credentials for some reason,
   it fails and assigns a WWW-Authorize header containing a new challenge
   to digest_challenge AVP (see modules/auth). The script should then
   respond with 401 that includes this header, which will challenge the
   user again.

   Negative codes may be interpreted as follows:
     * -5 (internal error) - some internal error occurred;
     * -4 (no credentials) - credentials were not found in request;
     * -3 (stale nonce) - stale nonce;
     * -2 (bad request) - something wrong in request, for example,
       credentials were not filled properly;
     * -1 (authorization failed) - RADIUS responded with Access Reject

   This function will, in fact, perform sanity checks over the received
   credentials and then pass them along to the radius server which will
   verify the credentials and return whether they are valid or not.

   Meaning of the parameter is as follows:
     * realm - Realm is a opaque string that the user agent should present
       to the user so he can decide what username and password to use. In
       case of REGISTER requests it is usually hostpart of To URI.
       The string may contain pseudo variables.

   This function can be used from REQUEST_ROUTE.

   Example 1.6. radius_www_authorize usage
...
    if (!radius_www_authorize("$td")) {
    switch ($rc) {
    case -5:
        send_reply("500", "Server Internal Error");
        exit;
    case -2:
        send_reply("400", "Bad Request");
        exit;
    default:
    };
    if (defined($avp(digest_challenge)) &&
            ($avp(digest_challenge) != "")) {
        append_to_reply("$avp(digest_challenge)");
    };
    send_reply("401", "Unauthorized");
    exit;
...

5.2. radius_proxy_authorize(realm [, uri_user])

   The function verifies credentials according to RFC2617. If the
   credentials are verified successfully then the function will succeed
   and mark the credentials as authorized (marked credentials can be later
   used by some other functions).

   If the function was unable to verify the credentials for some reason,
   it fails and assigns a Proxy-Authorize header containing a new
   challenge to digest_challenge AVP. The script should then respond with
   407 that includes this header, which will challenge the user again. For
   more about the negative return codes, see the above function.

   This function will, in fact, perform sanity checks over the received
   credentials and then pass them along to the radius server which will
   verify the credentials and return whether they are valid or not.

   Meaning of the parameters is as follows:
     * realm - Realm is a opaque string that the user agent should present
       to the user so he can decide what username and password to use. In
       case of non-REGISTER requests it is usually hostpart of From or
       P-Preferred-Identity URI.
       The string may contain pseudo variables.
     * uri_user - Uri_user is an optional pseudo variable parameter whose
       value, if present, will be given to Radius server as value of
       SIP-URI-User check item. If uri_user pseudo variable parameter is
       not present, the server will generate SIP-URI-User check item value
       from user part of To/From URI.

   This function can be used from REQUEST_ROUTE.

   Example 1.7. proxy_authorize usage
...
    if (!radius_proxy_authorize("$pd", "$pU")) { # Realm and URI user are taken
    switch ($rc) {                               # from P-Preferred-Identity
    case -5:                                     # header field
        send_reply("500", "Server Internal Error");
        exit;
    case -2:
        send_reply("400", "Bad Request");
        exit;
    default:
    };
    if (defined($avp(digest_challenge)) &&
            ($avp(digest_challenge) != "")) {
        append_to_reply("$avp(digest_challenge)");
    };
    send_reply("407", "Proxy Authentication Required");
    exit;
...