Copyright © 2009 Irina-Maria Stanescu
Copyright © 2009 Voice Sistem SRL
Revision History | |
---|---|
Revision $Revision: 5908 $ | $Date: 2009-07-21 15:56:23 +0200 (Tue, 21 Jul 2009) $ |
This module provides a Radius implementation for the AAA API from the core.
It also provides two functions that can be used from the script to generate custom RADIUS accounting (acct) and authentication (auth) requests. The module automatically and transparently detects and handles SIP-AVPs in RADIUS replies.
Any module that wishes to use it has to do the following:
include aaa.h
make a bind call with a proper RADIUS-specific URL
One of the following libraries must be installed before running OpenSIPS with this module loaded:
radiusclient-ng 0.5.0 or higher. See http://developer.berlios.de/projects/radiusclient-ng/.
freeradius-client. See http://freeradius.org/.
By default, radiusclient-ng is used. To switch to freeradius at compile time, uncomment the USE_FREERADIUS=1 line in the main Makefile.
Sets of Radius AVPs to be used when building custom RADIUS requests (set of input RADIUS AVPs) or when fetching data from the RADIUS reply (set of output RADIUS AVPs).
The format for a set definition is the following:
" set_name = ( attribute_name1 = var1 [, attribute_name2 = var2 ]* ) "
The left-hand side of the assignment must be an attribute name known by the RADIUS dictionary.
The right-hand side of the assignment must be a script pseudo variable or a script AVP. For more information about them see CookBooks - Scripting Variables.
Example 1.1. Set sets parameter

```
...
modparam("aaa_radius","sets","set4 = ( Sip-User-ID = $avp(10) , Sip-From-Tag=$si,Sip-To-Tag=$tt ) ")
...
...
modparam("aaa_radius","sets","set1 = (User-Name=$var(usr), Sip-Group = $var(grp), Service-Type = $var(type)) ")
...
...
modparam("aaa_radius","sets","set2 = (Sip-Group = $var(sipgrup)) ")
...
```
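A small linter for the set-definition format above, as an added example rather than code from the OpenSIPS project: it checks the two rules stated for each pair (a dictionary attribute on the left, a pseudo-variable or AVP on the right) and that every set referenced from the script is defined. The function names `parse_set` and `lint_sets`, the stand-in dictionary, the broken `set2`/`set3` definitions and the accepted variable syntax are assumptions made for illustration.

```python
import re

# Grammar from the page:  set_name = ( attr1 = var1 [, attr2 = var2 ]* )
SET_RE = re.compile(r"^\s*([A-Za-z_][\w-]*)\s*=\s*\((.*)\)\s*$", re.S)
# Assumption: only the $name and $name(arg) forms, as used in Example 1.1.
PVAR_RE = re.compile(r"^\$[A-Za-z_]\w*(\([^()\s,]+\))?$")


def parse_set(definition):
    """Return (set_name, [(attribute, variable), ...]) or raise ValueError."""
    m = SET_RE.match(definition)
    if not m:
        raise ValueError(f"malformed set definition: {definition.strip()!r}")
    name, pairs = m.group(1), []
    for item in m.group(2).split(","):
        attr, sep, var = (part.strip() for part in item.partition("="))
        if not (sep and attr and var):
            raise ValueError(f"{name}: bad pair {item.strip()!r}")
        if not PVAR_RE.match(var):
            raise ValueError(f"{name}: {var!r} is not a pseudo-variable or AVP")
        pairs.append((attr, var))
    return name, pairs


def lint_sets(definitions, dictionary, used=()):
    """Parse all definitions; return (sets, problems) without raising."""
    sets, problems = {}, []
    for text in definitions:
        try:
            name, pairs = parse_set(text)
        except ValueError as err:
            problems.append(str(err))
            continue
        # Left-hand sides must be attributes the RADIUS dictionary knows.
        problems += [f"{name}: {a} not in dictionary" for a, _ in pairs
                     if a not in dictionary]
        sets[name] = pairs
    # Sets named in radius_send_auth() calls must have been defined.
    problems += [f"{u}: used but not defined" for u in used if u not in sets]
    return sets, problems

# Constructed sample data: a stand-in dictionary and two broken definitions.
DICTIONARY = {"User-Name", "Service-Type", "Sip-Group",
              "Sip-User-ID", "Sip-From-Tag", "Sip-To-Tag"}
DEFINITIONS = [
    "set4 = ( Sip-User-ID = $avp(10) , Sip-From-Tag=$si,Sip-To-Tag=$tt ) ",
    "set1 = (User-Name=$var(usr), Sip-Group = $var(grp), Service-Type = $var(type)) ",
    "set2 = (Sip-Group = sipgrup) ",    # constructed: '$' missing
    "set3 = (Sip-Grup = $var(g)) ",     # constructed: attribute typo
]
```

Calling `lint_sets(DEFINITIONS, DICTIONARY, used=("set1", "set2"))` reports the missing `$`, the unknown attribute, and that `set2` is referenced but was never successfully defined.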
This function can be used from the script to make a custom RADIUS authentication request. The function takes two parameters.
The first parameter represents the name of the set that contains the list of attributes and pvars that will form the authentication request (see the “sets” module parameter).
The second parameter represents the name of the set that contains the list of attributes and pvars that will be extracted from the authentication reply (see the “sets” module parameter).
The sets must be defined using the “sets” exported parameter.
The function returns TRUE (retcode 1) if authentication was successful, FALSE (retcode -1) if an error (of any kind) occurred during the authentication process, or FALSE (retcode -2) if authentication was rejected or denied by the RADIUS server.
This function can be used from REQUEST_ROUTE, FAILURE_ROUTE, ONREPLY_ROUTE, BRANCH_ROUTE, ERROR_ROUTE and LOCAL_ROUTE.
Example 1.3. radius_send_auth usage

```
...
radius_send_auth("set1","set2");
switch ($rc) {
	case 1:
		xlog("authentication ok \n");
		break;
	case -1:
		xlog("error during authentication\n");
		break;
	case -2:
		xlog("authentication denied \n");
		break;
}
...
```
This function can be used from the script to make a custom RADIUS accounting request. The function takes only one parameter: the name of the set that contains the list of attributes and pvars that will form the accounting request.
Only one set is needed as a parameter because no AVPs can be extracted from the accounting replies.
The set must be defined using the "sets" exported parameter.
This function can be used from REQUEST_ROUTE, FAILURE_ROUTE, ONREPLY_ROUTE, BRANCH_ROUTE, ERROR_ROUTE and LOCAL_ROUTE.