Skip to main content

mod_rad_auth

About

Module rad_auth does only RADIUS authentication (and not the accounting).

The truly magic thing about the rad_auth is that you can specify your own list of VSAs (Vendor-Specific Attributes) to be included in the packet along with the standard ones that are being used.

         name:       just a description
value: direct input or variable
pec: vendor ID (0 for default, 9 for cisco...)
expr: 0 - direct input (string), 1 - channel variable
direction: in for radius-request, out for radius-response

VSA mappings can be used to specify additional VSA list in both radius request and radius response messages.

Including an additional VSA in a radius request message looks like this:

<param name="Calling-Station-Id" id="31" value="CALLINGNUMBER" pec="0" expr="1" direction="in"/>

or

<param name="Calling-Station-Id" id="31" value="16094191500" pec="0" expr="0" direction="in"/>

CALLINGNUMBER is a channel variable you can re-use later in the dialplan.

Extracting VSA of your interest from a radius response message looks like this:

<param name="lang" id="107" value="PREFFERED_LANG" pec="9" expr="0" direction="out"/>

Here you map VSA with vendor_id=9 and id=110 into a channel variable called PREFFERED_LANG so you can use it later in dialplan to play the correct language for instance.

1) To install the module you have to install freeradius-client first.

Go to http://freeradius.org/freeradius-client/ and download the package:

$ cd ~/build
$ wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-client-1.1.6.tar.bz2
$ tar jxf freeradius-client-1.1.6.tar.bz2
$ cd freeradius-client-1.1.6
$ ./configure
$ make
$ sudo make install

(or $ sudo checkinstall) Checkinstall will create and install a nice Debian package for you, otherwise you may use a traditional make install.

run ldconfig as root to update the shared libs links:

ldconfig -v | grep radius
hash -r

2) Go to FreeSWITCH source directory and edit the modules.conf

append applications/mod_rad_auth to the end

$ cd src/mod/applications/mod_rad_auth/
$ make
$ make install

or simply:

$ make mod_rad_auth-install

3) Run Freeswitch and verify that module is installed.

freeswitch> load mod_rad_auth

Here an example on how to use RADIUS for authentication:

 <configuration name="rad_auth.conf" description="radius authentification module">
<settings>
<!-- backward compatibility to allow radiusclient config file instead of an embedded config -->
<!-- <param name="radius_config" value="/usr/local/etc/radiusclient/radiusclient.conf"/> -->
</settings>

<client>
<param name="authserver" value="10.1.1.10:1812:gateway"/>
<param name="dictionary" value="/usr/local/etc/radiusclient/dictionary.all"/>
<param name="seqfile" value="/var/run/radius.seq"/>
<param name="mapfile" value="/usr/local/etc/radiusclient/port-id-map"/>
<param name="default_realm" value=""/>
<param name="radius_timeout" value="3"/>
<param name="radius_retries" value="2"/>
<param name="radius_deadtime" value="0"/>
<param name="bindaddr" value="*"/>
</client>

<vsas>
<!--
name: just a description
value: direct input or variable
pec: vendor ID (0 for default, 9 for cisco...)
expr: 0 - direct input (string), 1 - channel variable
direction: in for radius-request, out for radius-response
-->

<!-- mappings for radius request message; input attributes -->
<param name="h323-conf-id" id="24" value="CALLID" pec="9" expr="1" direction="in"/>
<param name="h323-prompt-id" id="104" value="SERVICENUM" pec="9" expr="1" direction="in"/>
<param name="Cisco-AVPair" id="1" value="TRANSACTIONID" pec="9" expr="1" direction="in"/>
<param name="Calling-Station-Id" id="31" value="CALLINGNUMBER" pec="0" expr="1" direction="in"/>
<param name="NAS-Port-Type" id="61" value="0" pec="0" expr="0" direction="in"/>
<param name="NAS-Port-Id" id="87" value="ISDN 3/0:D:14" pec="0" expr="0" direction="in"/>
<param name="Login-User" id="1" value="1" pec="0" expr="0" direction="in"/>

<!-- mappings for radius-response message; output values from returning outributes -->
<param name="BILING_MODEL" id="109" value="billing_model" pec="9" expr="0" direction="out"/>
<param name="CREDIT_AMOUNT" id="101" value="credit_amount" pec="9" expr="0" direction="out"/>
<param name="CURRENCY" id="110" value="currency" pec="9" expr="0" direction="out"/>
<param name="PREFFERED_LANG" id="107" value="preffered_lang" pec="9" expr="0" direction="out"/>
<param name="CREDIT_TIME" id="102" value="credit_time" pec="9" expr="0" direction="out"/>
<param name="H323-IVR-IN:DIRATION" id="1" value="h323_ivr_duration" pec="9" expr="0" direction="out"/>
<param name="RADIUS_RETURN_CODE" id="103" value="return_code" pec="9" expr="0" direction="out"/>
<!-- expr param is to be ignored here-->
</vsas>
</configuration>

In the dialplan you need to trigger auth as:

<action application="auth_function" data="in ${DIALED_NUMBER}, in ${USERNAME}, in ${PASSWD}, out AUTH_RESULT"/>

There are two behaviors:

  1. authorize the call according to username&pass and dialed number - if authorized, the radius server returns credit time towards the dialed number.
  2. authorize the call according to username&pass - if authorized, the radius server returns the current account balance.

For example, you may use the credit time for scheduled hangup of call:

     <action application="log" data="INFO  credit_time=${credit_time}"/>
<action application="sched_hangup" data="+${credit_time:17:-1} ${Core-UUID}"/>
  <extension name="unitest_rad-ANI-auth">

<condition field="destination_number" expression="^601$">
<action application="log" data="INFO Before Auth "/>

<action inline="true" application="set" data="CALLID=h323-conf-id=${uuid}"/>
<action inline="true" application="set" data="SERVICENUM=h323-prompt-id=${destination_number}"/>
<action inline="true" application="set" data="TRANSACTIONID=h323-ivr-out=transactionID:1234"/>
<!-- <action inline="true" application="set" data="CALLINGNUMBER=${caller_id_number}"/> -->
<action inline="true" application="set" data="CALLINGNUMBER=38516060333"/>
<action inline="true" application="set" data="USERNAME=38516060333"/>
<!-- <action inline="true" application="set" data="USERNAME=209354"/> -->
<action inline="true" application="set" data="PASSWD=003282"/>
<!-- <action inline="true" application="set" data="DIALED_NUMBER=16094191500"/> -->

<action application="sleep" data="2000"/>
<action application="auth_function" data="in ${DIALED_NUMBER}, in ${USERNAME}, in ${PASSWD}, out AUTH_RESULT"/>

<action application="log" data="INFO AUTH_RESULT=${AUTH_RESULT}"/>
<action application="log" data="INFO billing_model=${billing_model}"/>
<action application="log" data="INFO credit_amount=${credit_amount}"/>
<action application="log" data="INFO currency=${currency}"/>
<action application="log" data="INFO preffered_lang=${preffered_lang}"/>
<action application="log" data="INFO credit_time=${credit_time}"/>
<action application="log" data="INFO h323_ivr_duration=${h323_ivr_duration}"/>
<action application="log" data="INFO return_code=${return_code}"/>
<!-- <action application="execute_extension" data="AUTH XML default"/> -->
</condition>
</extension>

<extension name="unitest_rad-ANI-balance">
<condition field="destination_number" expression="^602$">
<action application="log" data="INFO PRIJE RAD_AUTH "/>

<action inline="true" application="set" data="CALLID=h323-conf-id=${uuid}"/>
<action inline="true" application="set" data="SERVICENUM=h323-prompt-id=${destination_number}"/>
<action inline="true" application="set" data="TRANSACTIONID=h323-ivr-out=transactionID:1234"/>
<!-- <action inline="true" application="set" data="CALLINGNUMBER=${caller_id_number}"/> -->
<action inline="true" application="set" data="CALLINGNUMBER=38516060333"/>
<action inline="true" application="set" data="USERNAME=38516060333"/>
<!-- <action inline="true" application="set" data="USERNAME=209354"/> -->
<action inline="true" application="set" data="PASSWD=003282"/>
<action inline="true" application="set" data="DIALED_NUMBER=16094191500"/>

<action application="sleep" data="2000"/>
<action application="auth_function" data="in ${DIALED_NUMBER}, in ${USERNAME}, in ${PASSWD}, out AUTH_RESULT"/>

<action application="log" data="INFO AUTH_RESULT=${AUTH_RESULT}"/>
<action application="log" data="INFO billing_model=${billing_model}"/>
<action application="log" data="INFO credit_amount=${credit_amount}"/>
<action application="log" data="INFO currency=${currency}"/>
<action application="log" data="INFO preffered_lang=${preffered_lang}"/>
<action application="log" data="INFO credit_time=${credit_time}"/>
<action application="log" data="INFO h323_ivr_duration=${h323_ivr_duration}"/>
<action application="log" data="INFO return_code=${return_code}"/>
<!-- <action application="execute_extension" data="AUTH XML default"/> -->
</condition>
</extension>