Mod rad auth

From FreeSWITCH Wiki
Jump to: navigation, search

Module rad_auth does only authentication (and not the accounting).

The truly magic thing about the rad_auth is that you can specify your own list of VSAs to be included in the packet along with the standard ones that are being used.

         name:       just a description
         value:      direct input or variable
         pec:        vendor ID (0 for default, 9 for cisco...)
         expr:       0 - direct input (string), 1 - channel variable
         direction:  in for radius-request, out for radius-response

VSA mappings can be used to specify additional VSA list in both radius request and radius response messages.

Including an additional VSA in a radius request message looks like this:

<param name="Calling-Station-Id" id="31" value="CALLINGNUMBER" pec="0" expr="1" direction="in"/>

or

<param name="Calling-Station-Id" id="31" value="16094191500" pec="0" expr="0" direction="in"/>

CALLINGNUMBER is a channel variable you can re-use later in the dialplan.

Extracting VSA of your interest from a radius response message looks like this:

<param name="lang" id="107" value="PREFFERED_LANG" pec="9" expr="0" direction="out"/>

Here you map VSA with vendor_id=9 and id=110 into a channel variable called PREFFERED_LANG so you can use it later in dialplan to play the correct language for instance.

1) To install the module you have to install freeradius-client first.

Go to http://freeradius.org/freeradius-client/ and download the package:

$ cd ~/build

$ wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-client-1.1.6.tar.bz2

$ tar jxf freeradius-client-1.1.6.tar.bz2

$ cd freeradius-client-1.1.6

$ ./configure

$ make

$ sudo make install

(or $ sudo checkinstall) Checkinstall will create and install a nice debian package for you, otherwise you may use a traditional make install.

run ldconfig as root to update the shared libs links:

ldconfig -v | grep radius

hash -r

2) Go to FreeSWITCH source directory and edit the modules.conf

append applications/mod_rad_auth to the end

$ cd src/mod/applications/mod_rad_auth/

$ make

$ make install

or simply:

$ make mod_rad_auth-install

3) Run freeswitch and verify that module is installed.

freeswitch> load mod_rad_auth

Example on how to use RADIUS for authentication:

Here is an example.

 <configuration name="rad_auth.conf" description="radius authentification module">
  <settings>
     <!-- backward compatibility to allow radiusclient config file instead of an embedded config -->
     <!--  <param name="radius_config" value="/usr/local/etc/radiusclient/radiusclient.conf"/>   -->
  </settings>

  <client>
    <param name="authserver" value="10.1.1.10:1812:gateway"/>
    <param name="dictionary" value="/usr/local/etc/radiusclient/dictionary.all"/>
    <param name="seqfile" value="/var/run/radius.seq"/>
    <param name="mapfile" value="/usr/local/etc/radiusclient/port-id-map"/>
    <param name="default_realm" value=""/>
    <param name="radius_timeout" value="3"/>
    <param name="radius_retries" value="2"/>
    <param name="radius_deadtime" value="0"/>
    <param name="bindaddr" value="*"/>
  </client>

  <vsas>
    <!-- 
         name:       just a description
         value:      direct input or variable 
         pec:        vendor ID (0 for default, 9 for cisco...)
         expr:       0 - direct input (string), 1 - channel variable
         direction:  in for radius-request, out for radius-response
    -->

    <!-- mappings for radius request message; input attributes -->
    <param name="h323-conf-id" id="24" value="CALLID" pec="9" expr="1" direction="in"/>
    <param name="h323-prompt-id" id="104" value="SERVICENUM" pec="9" expr="1" direction="in"/>
    <param name="Cisco-AVPair" id="1" value="TRANSACTIONID" pec="9" expr="1" direction="in"/>
    <param name="Calling-Station-Id" id="31" value="CALLINGNUMBER" pec="0" expr="1" direction="in"/>
    <param name="NAS-Port-Type" id="61" value="0" pec="0" expr="0" direction="in"/>
    <param name="NAS-Port-Id" id="87" value="ISDN 3/0:D:14" pec="0" expr="0" direction="in"/>
    <param name="Login-User" id="1" value="1" pec="0" expr="0" direction="in"/>

    <!-- mappings for radius-response message; output values from returning outributes -->
    <param name="BILING_MODEL" id="109" value="billing_model" pec="9" expr="0" direction="out"/>
    <param name="CREDIT_AMOUNT" id="101" value="credit_amount" pec="9" expr="0" direction="out"/>
    <param name="CURRENCY" id="110" value="currency" pec="9" expr="0" direction="out"/>
    <param name="PREFFERED_LANG" id="107" value="preffered_lang" pec="9" expr="0" direction="out"/>
    <param name="CREDIT_TIME" id="102" value="credit_time" pec="9" expr="0" direction="out"/>
    <param name="H323-IVR-IN:DIRATION" id="1" value="h323_ivr_duration" pec="9" expr="0" direction="out"/>
    <param name="RADIUS_RETURN_CODE" id="103" value="return_code" pec="9" expr="0" direction="out"/>
    <!-- expr param is to be ignored here-->
  </vsas>
 </configuration>

In the dialplan you need to trigger auth as:

<action application="auth_function" data="in ${DIALED_NUMBER}, in ${USERNAME}, in ${PASSWD}, out AUTH_RESULT"/>

There are two behaviors:

  1. authorize the call according to username&pass and dialed number - if authorized, the radius server returns credit time towards the dialed number.
  2. authorize the call according to username&pass - if authorized, the radius server returns the current account balance.

For example: you may use the credit time for scheduled hangup of call.

     <action application="log" data="INFO  credit_time=${credit_time}"/>
     <action application="sched_hangup" data="+${credit_time:17:-1} ${Core-UUID}"/>
  <extension name="unitest_rad-ANI-auth">
    <condition field="destination_number" expression="^601$">
      <action application="log" data="INFO  Before Auth "/>

      <action inline="true" application="set" data="CALLID=h323-conf-id=${uuid}"/>
      <action inline="true" application="set" data="SERVICENUM=h323-prompt-id=${destination_number}"/>
      <action inline="true" application="set" data="TRANSACTIONID=h323-ivr-out=transactionID:1234"/>
 <!--      <action inline="true" application="set" data="CALLINGNUMBER=${caller_id_number}"/> -->
      <action inline="true" application="set" data="CALLINGNUMBER=38516060333"/>
      <action inline="true" application="set" data="USERNAME=38516060333"/>
 <!--      <action inline="true" application="set" data="USERNAME=209354"/> -->
      <action inline="true" application="set" data="PASSWD=003282"/>
 <!--      <action inline="true" application="set" data="DIALED_NUMBER=16094191500"/>  -->

      <action application="sleep" data="2000"/>
      <action application="auth_function" data="in ${DIALED_NUMBER}, in ${USERNAME}, in ${PASSWD}, out AUTH_RESULT"/>


      <action application="log" data="INFO  AUTH_RESULT=${AUTH_RESULT}"/>
      <action application="log" data="INFO  billing_model=${billing_model}"/>
      <action application="log" data="INFO  credit_amount=${credit_amount}"/>
      <action application="log" data="INFO  currency=${currency}"/>
      <action application="log" data="INFO  preffered_lang=${preffered_lang}"/>
      <action application="log" data="INFO  credit_time=${credit_time}"/>
      <action application="log" data="INFO  h323_ivr_duration=${h323_ivr_duration}"/>
      <action application="log" data="INFO  return_code=${return_code}"/>
      <!-- <action application="execute_extension" data="AUTH XML default"/> -->
    </condition>
  </extension>
  <extension name="unitest_rad-ANI-balance">
    <condition field="destination_number" expression="^602$">
      <action application="log" data="INFO  PRIJE RAD_AUTH "/>

      <action inline="true" application="set" data="CALLID=h323-conf-id=${uuid}"/>
      <action inline="true" application="set" data="SERVICENUM=h323-prompt-id=${destination_number}"/>
      <action inline="true" application="set" data="TRANSACTIONID=h323-ivr-out=transactionID:1234"/>
 <!--      <action inline="true" application="set" data="CALLINGNUMBER=${caller_id_number}"/> -->
      <action inline="true" application="set" data="CALLINGNUMBER=38516060333"/>
      <action inline="true" application="set" data="USERNAME=38516060333"/>
 <!--      <action inline="true" application="set" data="USERNAME=209354"/> -->
      <action inline="true" application="set" data="PASSWD=003282"/>
      <action inline="true" application="set" data="DIALED_NUMBER=16094191500"/>

      <action application="sleep" data="2000"/>
      <action application="auth_function" data="in ${DIALED_NUMBER}, in ${USERNAME}, in ${PASSWD}, out AUTH_RESULT"/>


      <action application="log" data="INFO  AUTH_RESULT=${AUTH_RESULT}"/>
      <action application="log" data="INFO  billing_model=${billing_model}"/>
      <action application="log" data="INFO  credit_amount=${credit_amount}"/>
      <action application="log" data="INFO  currency=${currency}"/>
      <action application="log" data="INFO  preffered_lang=${preffered_lang}"/>
      <action application="log" data="INFO  credit_time=${credit_time}"/>
      <action application="log" data="INFO  h323_ivr_duration=${h323_ivr_duration}"/>
      <action application="log" data="INFO  return_code=${return_code}"/>
      <!-- <action application="execute_extension" data="AUTH XML default"/> -->
    </condition>
  </extension>