File: auth_radius_user.sgml

package info (click to toggle)
openser 1.1.0-9etch1
  • links: PTS
  • area: main
  • in suites: etch, etch-m68k
  • size: 9,828 kB
  • ctags: 11,809
  • sloc: ansic: 120,528; sh: 5,249; yacc: 1,716; makefile: 1,261; php: 656; perl: 205; sql: 190
file content (259 lines) | stat: -rw-r--r-- 8,589 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
 
<!-- Auth_radius Module User's Guide -->

<chapter>
	<chapterinfo>
	<revhistory>
		<revision>
		<revnumber>$Revision: 1.6 $</revnumber>
		<date>$Date: 2006/03/01 18:07:38 $</date>
		</revision>
	</revhistory>
	</chapterinfo>
	<title>User's Guide</title>
	
	<section>
	<title>Overview</title>
	<para>
		This module contains functions that are used to perform authentication 
		using a Radius server. Basically the proxy will pass along the 
		credentials to the radius server which will in turn send a reply 
		containing result of the authentication. So basically the whole
		authentication is done in the Radius server. Before sending the request 
		to the radius server we perform some sanity checks over the 
		credentials to make sure that only well formed credentials will get to 
		the server. We have implemented radius authentication according to 
		draft-sterman-aaa-sip-00. This module requires radiusclient-ng
		library version 0.5.0 or higher which is available from 
		<ulink url='http://developer.berlios.de/projects/radiusclient-ng/'>
		http://developer.berlios.de/projects/radiusclient-ng/</ulink>.
	</para>
	</section>
	<section>
	<title>Additional Credentials</title>
	<para>
		When performing authentification, the RADIUS server may include in the
		response additional credentials. This scheme is very useful in fetching
		additional user information from the RADIUS server without making
		extra queries.
	</para>
	<para>
		The additional credentials are embedded in the RADIUS reply as AVPs 
		<quote>SIP-AVP</quote>. The syntax of the value is:
		<itemizedlist>
			<listitem><para><emphasis>
			value = SIP_AVP_NAME SIP_AVP_VALUE
			</emphasis></para></listitem>
			<listitem><para><emphasis>
			SIP_AVP_NAME = STRING_NAME | '#'ID_NUMBER
			</emphasis></para></listitem>
			<listitem><para><emphasis>
			SIP_AVP_VALUE = ':'STRING_VALUE | '#'NUMBER_VALUE
			</emphasis></para></listitem>
		</itemizedlist>
	</para>
	<para>
		All additional credentials will be stored as &ser; AVPs
		(SIP_AVP_NAME = SIP_AVP_VALUE).
	</para>
	<para>
		The RPID value may be fetch via this mechanism.
	</para>
	<example>
	<title><quote>SIP-AVP</quote> RADIUS AVP exmaples</title>
		<programlisting format="linespecific">
....
"email:joe@yahoo.com"
    -> STRING NAME AVP (email) with STRING VALUE (joe@yahoo.com)
"#14:joe@yahoo.com"
    -> ID AVP (14) with STRING VALUE (joe@yahoo.com)
"age#28"
    -> STRING NAME AVP (age) with INTEGER VALUE (28)
"#14#28"
    -> ID AVP (14) with INTEGER VALUE (28)
....
		</programlisting>
	</example>
	</section>

	<section>
	<title>Dependencies</title>
		<section>
			<title>&ser; Modules</title>
			<para>
			The module depends on the following modules (in the other words 
			the listed modules must be loaded before this module):
			<itemizedlist>
				<listitem>
				<para><emphasis>auth</emphasis> -- Generic authentication 
				functions</para>
				</listitem>
			</itemizedlist>
			</para>
		</section>
		<section>
			<title>External Libraries or Applications</title>
			<para>
			The following libraries or applications must be installed 
			before compilling &ser; with this module loaded:
			<itemizedlist>
				<listitem>
				<para><emphasis>radiusclient-ng</emphasis> 0.5.0 or higher -- 
				library and development files. See <ulink 
				url='http://developer.berlios.de/projects/radiusclient-ng/'>
				http://developer.berlios.de/projects/radiusclient-ng/</ulink>.
				</para>
				</listitem>
			</itemizedlist>
		</section>
	</section>

	<section>
	<title>Exported Parameters</title>
	<section>
		<title><varname>radius_config</varname> (string)</title>
		<para>
		This is the location of the configuration file of radius client 
		libraries.
		</para>
		<para>
		Default value is 
			<quote>/usr/local/etc/radiusclient-ng/radiusclient.conf</quote>.
		</para>
		<example>
		<title><varname>radius_config</varname> parameter usage</title>
		<programlisting format="linespecific">
modparam("auth_radius", "radius_config", "/etc/radiusclient.conf")
		</programlisting>
		</example>
	</section>
	<section>
		<title><varname>service_type</varname> (integer)</title>
		<para>
		This is the value of the Service-Type radius attribute to be used. 
		The default should be fine for most people. See your radius client 
		include files for numbers to be put in this parameter if you need 
		to change it.
		</para>
		<para>
		Default value is <quote>15</quote>.
		</para>
		<example>
		<title><varname>service_type</varname> parameter usage</title>
		<programlisting format="linespecific">
modparam("auth_radius", "service_type", 15)
		</programlisting>
		</example>
	</section>
	</section>

	<section>
	<title>Exported Functions</title>
	<section>
		<title><function moreinfo="none">radius_www_authorize(realm)</function></title>
		<para>
		The function verifies credentials according to 
		<ulink url="http://www.ietf.org/rfc/rfc2617.txt">RFC2617</ulink>. If 
		the credentials are verified successfully then the function will 
		succeed and mark the credentials as authorized (marked credentials can 
		be later used by some other functions). If the function was unable to 
		verify the credentials for some reason then it will fail and
		the script should call <function moreinfo="none">www_challenge</function>
		which will challenge the user again.
		</para>
		<para>
		This function will, in fact, perform sanity checks over the received 
		credentials and then pass them along to the radius server which will 
		verify the credentials and return whether they are valid or not.
		</para>
		<para>Meaning of the parameter is as follows:</para>
		<itemizedlist>
		<listitem>
			<para><emphasis>realm</emphasis> - Realm is a opaque string that 
			the user agent should present to the user so he can decide what 
			username and password to use. Usually this is domain of the host 
			the server is running on.
			</para>
			<para>
			If an empty string <quote></quote> is used then the server will 
			generate it from the request. In case of REGISTER requests To 
			header field domain will be used (because this header field 
			represents a user being registered), for all other messages From 
			header field domain will be used.
			</para>
			<para>
			The string may contain pseudo variables.
			</para>
		</listitem>
		</itemizedlist>
		<para>
		This function can be used from REQUEST_ROUTE.
		</para>
		<example>
		<title><function moreinfo="none">radius_www_authorize</function> usage</title>
		<programlisting format="linespecific">
...
if (!radius_www_authorize("siphub.net")) {
	www_challenge("siphub.net", "1");
};
...
</programlisting>
		</example>
	</section>

	<section>
		<title><function moreinfo="none">radius_proxy_authorize(realm)</function></title>
		<para>
		The function verifies credentials according to 
		<ulink url="http://www.ietf.org/rfc/rfc2617.txt">RFC2617</ulink>. If 
		the credentials are verified successfully then the function will 
		succeed and mark the credentials as authorized (marked credentials can 
		be later used by some other functions). If the function was unable to 
		verify the credentials for some reason then it will fail and the script 
		should call <function moreinfo="none">proxy_challenge</function> which 
		will challenge the user again.
		</para>
		<para>
		This function will, in fact, perform sanity checks over the received 
		credentials and then pass them along to the radius server which will 
		verify the credentials and return whether they are valid or not.
		</para>
		<para>Meaning of the parameter is as follows:</para>
		<itemizedlist>
		<listitem>
			<para><emphasis>realm</emphasis> - Realm is a opaque string that 
			the user agent should present to the user so he can decide what 
			username and password to use. Usually this is domain of the host 
			the server is running on.
			</para>
			<para>
			If an empty string <quote></quote> is used then the server will 
			generate it from the request. From header field domain will be 
			used as realm.
			</para>
			<para>
			The string may contain pseudo variables.
			</para>
		</listitem>
		</itemizedlist>
		<para>
		This function can be used from REQUEST_ROUTE.
		</para>
		<example>
		<title><function moreinfo="none">proxy_authorize</function> usage</title>
		<programlisting format="linespecific">
...
if (!radius_proxy_authorize("")) {
	proxy_challenge("", "1");  # Realm will be autogenerated
};
...
</programlisting>
		</example>
	</section>
	</section>
</chapter>

<!-- Keep this element at the end of the file
Local Variables:
sgml-parent-document: ("auth_radius.sgml" "Book" "chapter")
End:
-->