Radius Accounting FAQ

Quick & Dirty:
Install radiusclient and freeradius, then copy the dictionary definitions found in the doc/ directory to /usr/local/etc/raddb. 

Start radiusd. This can be done either automatically (init.d) or by running /usr/local/sbin/radiusd. 

It is recommended that one should run radiusd with the -X parameter for maximum debugging information. 

Edit the radiusclient.conf file found in sip_router/etc to point to the correct servers and make sure that the accounting secret is the same as the one defined in /usr/local/etc/raddb/clients file. 

The clients file also allows a scope-limited, address-based approach to security: there we can control which clients are allowed to contact the server. Again, the documentation included in these files is very lucid and easily understood.


Requirements:

Radiusclient 0.3.2: 
Compile and install the radiusclient library. 
	./configure
	make
	make install (as root)

The radiusclient.conf file included in the sip_router/etc/ directory contains all the necessary pointers. Currently, some files need to be edited to point to radiusclient.conf. These are indexed by the CONFIG_FILE define in both the radius_acc and radius_auth modules. 

Finally, if compiling sip_router gives errors about not being able to link the radiusclient shared object file, run ldconfig. If that doesn't work, make sure that ldconfig.conf points to /usr/local/lib.

If there should be an upgrade to the radiusclient library, the main files that need to be changed are the ones containing the SIP defines.


FreeRadius 0.7:
Compile and install the latest FreeRadius version.
	./configure
	Edit the Make.inc file to include rlm_digest in the modules list
	make 
	make install (as root)

Copy the dictionary definitions (if not included in the distribution, meaning the one created at Fokus).

It is recommended that in the deployment phase, the radius daemon is run with the -X switch to allow for maximum debugging information. 
	/usr/local/sbin/radiusd -X

The general configuration information for the freeradius server is located in the /usr/local/etc/raddb/ directory. The users directory found there includes the directory where user information is stored for use with the radius_auth module. 

An example user listing is the following.
steltest        Auth-Type := Digest,
	User-Password == "test", 
	Digest-Hash-A1 := "5fdf1606fca4de3d94ee69b887b454f4"
	Reply-Message = "local"

Auth-Type is used to indicate that authentication is going to be performed by the Digest module. The User-Password parameter is optional and is only used to compute the digest if the Digest-Hash-A1 parameter is missing. The Digest-Hash-A1 parameter should be used whenever possible, since it 'hides' the plain-text password entry for the user, thus increasing system security. Digest-Hash-A1 is a computation over the user name, realm and password, which tends to remain static within a system. A helper utility, found in sip_router/utils/gen_ha1, can be used to generate this parameter. The Reply-Message is a current work-around for displaying the user's group designation. Further enhancements can be implemented by attaching directly to SER's MySQL database.


Implementation:

Three basic commands are used to start and/or stop RADIUS accounting requests. 

Radius_log_reply
Radius_log_ack
Radius_acc_request

These commands mimic the behavior of the previous accounting module. The accounting request operation can be easily derived by examining the code but a few code segments may facilitate understanding the code functionality.

Radius value pairs are added by specifying the value and the tag that identifies the parameter.

/* Add service type, always SIP */
av_type = SIP_SERVICE_TYPE; 
if (rc_avpair_add(&send, PW_SERVICE_TYPE, &av_type, 0) == NULL) {
    DBG("rad_acc_request(): ERROR:PW_SERVICE_TYPE \n");
    return(ERROR_RC);
}

In this case we want to add the standard SIP service type. Its tag is PW_SERVICE_TYPE and we want to add it to the send structure, which holds all the parameters that one may wish to send as part of the accounting request.

The rest of the code should be self-explanatory. The cleanbody command present in the code is used to add a '\0' at the end of strings, thus avoiding the expensive stringcpys.

Operation:

The summary of all the accounting activity can be found in
/usr/local/var/log/radius/radacct/*ip address of sip router*

It is organized mainly in accounting START and STOP commands, except for the newly added command CALL_MISSED found in rad_acc_req. This new command was added in the /usr/local/etc/raddb/dictionary file. 

In the dictionary file one can find all the integer translations, which convert integers into human-readable format. SIP methods and other information can be found there.


