File: README

package info (click to toggle)
openser 1.1.0-9etch1
  • links: PTS
  • area: main
  • in suites: etch, etch-m68k
  • size: 9,828 kB
  • ctags: 11,809
  • sloc: ansic: 120,528; sh: 5,249; yacc: 1,716; makefile: 1,261; php: 656; perl: 205; sql: 190
file content (267 lines) | stat: -rw-r--r-- 8,615 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
 

Auth_radius Module

Jan Janak

   FhG Fokus

Juha Heinanen

   Song Networks

Stelios Sidiroglou-Douskos

Bogdan-Andrei Iancu

   voice-system.ro

Edited by

Jan Janak

   Copyright  2002, 2003 FhG FOKUS

   Copyright  2005 voice-system.ro
     _________________________________________________________

   Table of Contents
   1. User's Guide

        1.1. Overview
        1.2. Additional Credentials
        1.3. Dependencies

              1.3.1. OpenSER Modules
              1.3.2. External Libraries or Applications

        1.4. Exported Parameters

              1.4.1. radius_config (string)
              1.4.2. service_type (integer)

        1.5. Exported Functions

              1.5.1. radius_www_authorize(realm)
              1.5.2. radius_proxy_authorize(realm)

   2. Developer's Guide
   3. Frequently Asked Questions

   List of Examples
   1-1. "SIP-AVP" RADIUS AVP exmaples
   1-2. radius_config parameter usage
   1-3. service_type parameter usage
   1-4. radius_www_authorize usage
   1-5. proxy_authorize usage
     _________________________________________________________

Chapter 1. User's Guide

1.1. Overview

   This module contains functions that are used to perform
   authentication using a Radius server. Basically the proxy will
   pass along the credentials to the radius server which will in
   turn send a reply containing result of the authentication. So
   basically the whole authentication is done in the Radius
   server. Before sending the request to the radius server we
   perform some sanity checks over the credentials to make sure
   that only well formed credentials will get to the server. We
   have implemented radius authentication according to
   draft-sterman-aaa-sip-00. This module requires radiusclient-ng
   library version 0.5.0 or higher which is available from
   http://developer.berlios.de/projects/radiusclient-ng/.
     _________________________________________________________

1.2. Additional Credentials

   When performing authentification, the RADIUS server may
   include in the response additional credentials. This scheme is
   very useful in fetching additional user information from the
   RADIUS server without making extra queries.

   The additional credentials are embedded in the RADIUS reply as
   AVPs "SIP-AVP". The syntax of the value is:

     * value = SIP_AVP_NAME SIP_AVP_VALUE 
     * SIP_AVP_NAME = STRING_NAME | '#'ID_NUMBER 
     * SIP_AVP_VALUE = ':'STRING_VALUE | '#'NUMBER_VALUE 

   All additional credentials will be stored as OpenSER AVPs
   (SIP_AVP_NAME = SIP_AVP_VALUE).

   The RPID value may be fetch via this mechanism.

   Example 1-1. "SIP-AVP" RADIUS AVP exmaples
....
"email:joe@yahoo.com"
    -> STRING NAME AVP (email) with STRING VALUE (joe@yahoo.com)
"#14:joe@yahoo.com"
    -> ID AVP (14) with STRING VALUE (joe@yahoo.com)
"age#28"
    -> STRING NAME AVP (age) with INTEGER VALUE (28)
"#14#28"
    -> ID AVP (14) with INTEGER VALUE (28)
....
     _________________________________________________________

1.3. Dependencies

1.3.1. OpenSER Modules

   The module depends on the following modules (in the other
   words the listed modules must be loaded before this module):

     * auth -- Generic authentication functions
     _________________________________________________________

1.3.2. External Libraries or Applications

   The following libraries or applications must be installed
   before compilling OpenSER with this module loaded:

     * radiusclient-ng 0.5.0 or higher -- library and development
       files. See
       http://developer.berlios.de/projects/radiusclient-ng/.
     _________________________________________________________

1.4. Exported Parameters

1.4.1. radius_config (string)

   This is the location of the configuration file of radius
   client libraries.

   Default value is
   "/usr/local/etc/radiusclient-ng/radiusclient.conf".

   Example 1-2. radius_config parameter usage
modparam("auth_radius", "radius_config", "/etc/radiusclient.conf")
     _________________________________________________________

1.4.2. service_type (integer)

   This is the value of the Service-Type radius attribute to be
   used. The default should be fine for most people. See your
   radius client include files for numbers to be put in this
   parameter if you need to change it.

   Default value is "15".

   Example 1-3. service_type parameter usage
modparam("auth_radius", "service_type", 15)
     _________________________________________________________

1.5. Exported Functions

1.5.1. radius_www_authorize(realm)

   The function verifies credentials according to RFC2617. If the
   credentials are verified successfully then the function will
   succeed and mark the credentials as authorized (marked
   credentials can be later used by some other functions). If the
   function was unable to verify the credentials for some reason
   then it will fail and the script should call www_challenge
   which will challenge the user again.

   This function will, in fact, perform sanity checks over the
   received credentials and then pass them along to the radius
   server which will verify the credentials and return whether
   they are valid or not.

   Meaning of the parameter is as follows:

     * realm - Realm is a opaque string that the user agent
       should present to the user so he can decide what username
       and password to use. Usually this is domain of the host
       the server is running on.
       If an empty string "" is used then the server will
       generate it from the request. In case of REGISTER requests
       To header field domain will be used (because this header
       field represents a user being registered), for all other
       messages From header field domain will be used.
       The string may contain pseudo variables.

   This function can be used from REQUEST_ROUTE.

   Example 1-4. radius_www_authorize usage
...
if (!radius_www_authorize("siphub.net")) {
        www_challenge("siphub.net", "1");
};
...
     _________________________________________________________

1.5.2. radius_proxy_authorize(realm)

   The function verifies credentials according to RFC2617. If the
   credentials are verified successfully then the function will
   succeed and mark the credentials as authorized (marked
   credentials can be later used by some other functions). If the
   function was unable to verify the credentials for some reason
   then it will fail and the script should call proxy_challenge
   which will challenge the user again.

   This function will, in fact, perform sanity checks over the
   received credentials and then pass them along to the radius
   server which will verify the credentials and return whether
   they are valid or not.

   Meaning of the parameter is as follows:

     * realm - Realm is a opaque string that the user agent
       should present to the user so he can decide what username
       and password to use. Usually this is domain of the host
       the server is running on.
       If an empty string "" is used then the server will
       generate it from the request. From header field domain
       will be used as realm.
       The string may contain pseudo variables.

   This function can be used from REQUEST_ROUTE.

   Example 1-5. proxy_authorize usage
...
if (!radius_proxy_authorize("")) {
        proxy_challenge("", "1");  # Realm will be autogenerated
};
...
     _________________________________________________________

Chapter 2. Developer's Guide

   The module does not provide any API to use in other OpenSER
   modules.
     _________________________________________________________

Chapter 3. Frequently Asked Questions

   3.1. Where can I find more about OpenSER?
   3.2. Where can I post a question about this module?
   3.3. How can I report a bug?

   3.1. Where can I find more about OpenSER?

   Take a look at http://openser.org/.

   3.2. Where can I post a question about this module?

   First at all check if your question was already answered on
   one of our mailing lists:

     * User Mailing List -
       http://openser.org/cgi-bin/mailman/listinfo/users
     * Developer Mailing List -
       http://openser.org/cgi-bin/mailman/listinfo/devel

   E-mails regarding any stable OpenSER release should be sent to
   <users@openser.org> and e-mails regarding development versions
   should be sent to <devel@openser.org>.

   If you want to keep the mail private, send it to
   <team@openser.org>.

   3.3. How can I report a bug?

   Please follow the guidelines provided at:
   http://sourceforge.net/tracker/?group_id=139143.