Radius Authentication FAQ

Quick & Dirty:
Install radiusclient and freeradius, then copy the dictionary definitions found in the doc/ directory to /usr/local/etc/raddb.

Start radiusd. This can be done either automatically (init.d) or by running /usr/local/sbin/radiusd.

It is recommended to run radiusd with the -X parameter for maximum debugging information.

Edit the radiusclient.conf file found in sip_router/etc to point to the correct servers and make sure that the accounting secret is the same as the one defined in the /usr/local/etc/raddb/clients file.

The clients file also provides address-based access control: it specifies which clients (by address) are allowed to contact the server. Again, the documentation included in these files is very lucid and easily understood.

Add users to the /usr/local/etc/raddb/users file. The file format is quite self-explanatory, but Digest-Hash-A1 := is a field created by hashing together the username, realm and password. This is done to avoid storing plain-text passwords on the server. A helper application found under sip_router/utils/gen_ha1 can be used to create this field for the user.

Exported Functions:

Name:   radius_www_authorize
Params: realm - realm string
        table - subscriber database table name (just to keep it the same as auth)
Desc:   Checks credentials in Authorization header field

Name:   radius_proxy_authorize
Params: realm - realm string
        table - subscriber database table name
Desc:   Checks credentials in Proxy-Authorization header field

Name:   radius_www_challenge
Params: realm - realm string
        qop   - qop string, "1" means use qop parameter
                            "0" means do not use qop parameter
Desc:   Challenges a user agent using WWW-Authenticate header
        field. The second parameter specifies if qop parameter
        (according to rfc2617) should be used or not.

Name:   radius_proxy_challenge
Params: realm - realm string
        qop   - qop string, "1" means use qop parameter
                            "0" means do not use qop parameter
Desc:   Challenges a user agent using Proxy-Authenticate header
        field. The second parameter specifies if qop parameter
        (according to rfc2617) should be used or not.

Name:   radius_is_in_group
Params: group - group to be checked against
Desc:   Sends an authentication request to the RADIUS server, which
        returns the group that the user belongs to.

Requirements:

Radiusclient 0.3.2: 
Compile and install the radiusclient library. 
	./configure
	make
	make install (as root)

The radiusclient.conf file included in the sip_router/etc/ directory contains all the necessary pointers. Currently, some files need to be edited to point to radiusclient.conf; these are indexed by the CONFIG_FILE define in both the radius_acc and radius_auth modules.

Finally, if sip_router gives compile errors about not being able to link the radiusclient shared object file, run ldconfig. If that doesn't work, make sure that ldconfig.conf points to /usr/local/lib.

If the radiusclient library is upgraded, the main files that need to be changed are the ones containing the SIP defines.


FreeRadius 0.7:
Compile and install the latest FreeRadius version.
	./configure
	Edit the Make.inc file to include rlm_digest in the modules list
	make 
	make install (as root)

Copy the dictionary definitions (the ones created at Fokus) if they are not already included in the distribution.

It is recommended that, during the deployment phase, the radius daemon is run with the -X switch to allow for maximum debugging information.
/usr/local/sbin/radiusd -X

The general configuration for the freeradius server is located in the /usr/local/etc/raddb/ directory. The users file found there stores the user information used by the radius_auth module.

An example user entry is the following (each item line except the last ends with a comma):

steltest        Auth-Type := Digest,
        User-Password == "test",
        Digest-Hash-A1 := "5fdf1606fca4de3d94ee69b887b454f4",
        Reply-Message = "local"

Auth-Type indicates that authentication is performed by the Digest module. The User-Password parameter is optional and is only used to compute the digest if the Digest-Hash-A1 parameter is missing. Digest-Hash-A1 should be used whenever possible since it hides the plain-text password of the user, increasing system security. Digest-Hash-A1 is computed from the user name, realm and password, which tend to remain static within a system. A helper utility found in sip_router/utils/gen_ha1 can be used to generate this parameter. Reply-Message is a current work-around for conveying the user's group designation. Further enhancements can be implemented by attaching directly to SER's MySQL database.
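As an added example (not code from this page, SER or FreeRADIUS), the following Python script parses entries written in the users-file layout shown above and flags Digest entries that still depend on a plaintext User-Password, printing the A1 value that should replace it. The sample file is constructed for the example; the A1 computation assumes that gen_ha1 produces the RFC 2617 value MD5(username:realm:password), which the page describes only as "hashing together the username, realm and password"; the parser merges check and reply items into one dictionary per entry, a simplification of the real file grammar.

```python
import hashlib
import re

# Constructed sample users file in the layout shown above; the entries are
# made up for this example and are not from a real deployment.
SAMPLE_USERS = """\
steltest        Auth-Type := Digest,
\tUser-Password == "test",
\tDigest-Hash-A1 := "5fdf1606fca4de3d94ee69b887b454f4",
\tReply-Message = "local"

# alice has no pre-computed A1, so the digest would be computed from the
# plaintext User-Password.
alice           Auth-Type := Digest,
\tUser-Password == "s3cret",
\tReply-Message = "guests"

DEFAULT         Auth-Type := Reject
"""

# One item: Attribute <op> value, where value is either "quoted" or bare.
ITEM_RE = re.compile(r'^([\w-]+)\s*(:=|==|\+=|!=|=)\s*(?:"([^"]*)"|(\S+))$')


def _split_items(line):
    """Split one users-file line into items on commas outside double quotes."""
    items, buf, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf))
    return [i.strip() for i in items if i.strip()]


def parse_users(text):
    """Parse users-file text into [{"name": ..., "attrs": {attr: (op, value)}}].

    Assumption (not FreeRADIUS' own parser): the check items on the first line
    and the reply items on indented continuation lines are merged into one
    dictionary, which is all the audit below needs.
    """
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                      # indented: continuation of the entry
            if current is None:
                raise ValueError("continuation line before any entry: %r" % raw)
            line = raw
        else:                                    # column 0: "name  check-items"
            parts = raw.split(None, 1)
            current = {"name": parts[0], "attrs": {}}
            entries.append(current)
            line = parts[1] if len(parts) > 1 else ""
        for item in _split_items(line):
            m = ITEM_RE.match(item)
            if not m:
                raise ValueError("cannot parse item %r" % item)
            attr, op, quoted, bare = m.groups()
            current["attrs"][attr] = (op, quoted if quoted is not None else bare)
    return entries


def expected_ha1(username, realm, password):
    """RFC 2617 A1 hash, MD5(username:realm:password). Assumed to be what
    sip_router/utils/gen_ha1 computes; the page does not show its source."""
    return hashlib.md5(("%s:%s:%s" % (username, realm, password)).encode()).hexdigest()


def audit_users(text, realm):
    """Return (name, finding, suggested_a1) for Digest entries that rely on or
    still carry a plaintext password. suggested_a1 is the Digest-Hash-A1 value
    that lets User-Password be removed from the entry."""
    findings = []
    for entry in parse_users(text):
        attrs = entry["attrs"]
        if attrs.get("Auth-Type", (None, None))[1] != "Digest":
            continue
        password = attrs.get("User-Password", (None, None))[1]
        has_a1 = "Digest-Hash-A1" in attrs
        if has_a1 and password is not None:
            findings.append((entry["name"], "Digest-Hash-A1 present but plaintext User-Password still stored", None))
        elif not has_a1 and password is not None:
            findings.append((entry["name"], "no Digest-Hash-A1: digest computed from plaintext User-Password",
                             expected_ha1(entry["name"], realm, password)))
        elif not has_a1:
            findings.append((entry["name"], "neither Digest-Hash-A1 nor User-Password: digest auth cannot succeed", None))
    return findings


if __name__ == "__main__":
    for name, finding, a1 in audit_users(SAMPLE_USERS, "example.com"):
        print("%-10s %s%s" % (name, finding, ("; store Digest-Hash-A1 := \"%s\"" % a1) if a1 else ""))
```

The realm passed to audit_users must be the realm string given to radius_www_authorize/radius_proxy_authorize, since A1 changes with the realm; an A1 generated for another realm will never verify.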


Implementation:

The function radius_authorize_freeradius is used to send RADIUS authentication requests. Originally we had built an implementation on top of freeradius-0.6, but 0.7 offered support for digests. This function is designed to work with the freeradius implementation; details of the changes and the implementation can be found in the source code.

The entire radius authentication code is built on top of the existing auth module. The changes can be found in the check_response function in authorize.c: instead of getting the information from the MySQL DB, the radius server is consulted for the result. If the calculated response matches the one sent by the user agent, the user is authenticated.
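The comparison that check_response relies on, written out as an added Python example rather than the module's C code: the verifier holds only the A1 hash (the Digest-Hash-A1 value, never the password) and recomputes the RFC 2617 response from the fields of the Authorization header, both in the qop form (challenge issued with qop "1") and in the RFC 2069 form without qop (challenge issued with qop "0"). The test values are the RFC 2617 sample credentials for an HTTP GET, chosen because their expected response is published; the SIP REGISTER exchange in main is constructed for illustration.

```python
import hashlib
import hmac


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username, realm, password):
    """RFC 2617 A1 = MD5(username:realm:password); the value stored as Digest-Hash-A1."""
    return md5_hex("%s:%s:%s" % (username, realm, password))


def digest_response(a1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """Compute the digest response from the A1 hash alone.

    qop=None  -> RFC 2069 form MD5(A1:nonce:A2), used when the challenge carried no qop.
    qop=auth  -> RFC 2617 form MD5(A1:nonce:nc:cnonce:qop:A2).
    auth-int is not handled here (it would need the entity-body hash in A2).
    """
    a2 = md5_hex("%s:%s" % (method, uri))
    if qop is None:
        return md5_hex("%s:%s:%s" % (a1, nonce, a2))
    if qop != "auth" or nc is None or cnonce is None:
        raise ValueError("qop=auth requires nc and cnonce; other qop values unsupported")
    return md5_hex("%s:%s:%s:%s:%s:%s" % (a1, nonce, nc, cnonce, qop, a2))


def check_response(stored_a1, creds):
    """Recompute the response from the stored A1 and the parsed Authorization
    parameters (creds: method, uri, nonce, response, optional qop/nc/cnonce)
    and compare it in constant time with what the user agent sent."""
    expected = digest_response(stored_a1, creds["method"], creds["uri"], creds["nonce"],
                               creds.get("qop"), creds.get("nc"), creds.get("cnonce"))
    return hmac.compare_digest(expected, creds["response"])


if __name__ == "__main__":
    # Constructed SIP exchange: the server stores only A1 for the subscriber.
    stored = ha1("steltest", "example.com", "test")
    nonce = "constructed-nonce-0001"
    # What a user agent would send after a challenge with qop ("1").
    ua_response = digest_response(stored, "REGISTER", "sip:example.com", nonce,
                                  qop="auth", nc="00000001", cnonce="abc123")
    creds = {"method": "REGISTER", "uri": "sip:example.com", "nonce": nonce,
             "qop": "auth", "nc": "00000001", "cnonce": "abc123", "response": ua_response}
    print("valid credentials accepted:", check_response(stored, creds))
    print("wrong password rejected:", check_response(ha1("steltest", "example.com", "x"), creds))
```

Because the response binds the method and request URI, the same A1 yields different responses for REGISTER and INVITE; the qop form additionally binds nc and cnonce, which is why a response computed for a qop "1" challenge does not verify as a qop "0" response, and vice versa.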



Operation:

All the commands are prefixed with the word radius but in all other respects mirror the commands found in the auth module.

radius_www_authorize
radius_proxy_authorize
radius_www_challenge
radius_proxy_challenge
