[OpenSER-Devel] uac module authentication
Bogdan-Andrei Iancu
bogdan at voice-system.ro
Tue Sep 11 17:25:02 CEST 2007
Hi Marc,
Can you describe what exactly is not working? do you have the second
INVITE (with credential) sent to the GW?
Regards,
bogdan
Marc LEURENT wrote:
> Since anybody have been able to fully answer my question on OpenSER-Users, I would be very grateful if you can help my to understand how is it
> possible to use the module...
> I would like to handle SIP/PSTN gateway directly with OpenSER, without Asterisk. But my gateway need to be registered, so the forward of INVITE
> request cannot work without previous registration..
> I already have radius AAA working, NAT traversal using STUN and CDRTool to generate tickets
>
>
> I used the http://www.voice-system.ro/docs/uac/ar01s06.html#ex_auth tutorial and my problem is that INVITE request are forward without a previous
> REGISTER one, so I get a 403 forbidden answer...
>
>
> Thank you for your answers...
>
> Best Regards
>
>
>
> Here is my openser.cfg file:
>
>
> #
> # $Id: openser.cfg 1827 2007-03-12 15:22:53Z bogdan_iancu $
> #
> # simple quick-start config script
> # Please refer to the Core CookBook at http://www.openser.org/dokuwiki/doku.php
> # for a explanation of possible statements, functions and parameters.
> #
>
> # ----------- global configuration parameters ------------------------
>
> debug=7 # debug level (cmd line: -dddddddddd)
> fork=no
> log_stderror=yes # (cmd line: -E)
> children=4
>
> listen=192.168.95.248
> alias=sip.wifirst.fr
>
> port=5060
>
> # uncomment the following lines for TLS support
> #disable_tls = 0
> #listen = tls:192.168.95.248:5061
> #alias=sip.wifirst.fr
> #tls_verify_server = 1
> #tls_verify_client = 1
> #tls_require_client_certificate = 0
> #tls_method = TLSv1
> #tls_certificate = "/etc/openser/tls/user/user-cert.pem"
> #tls_private_key = "/etc/openser/tls/user/user-privkey.pem"
> #tls_ca_list = "/etc/openser/tls/user/user-calist.pem"
>
> #server_signature=yes
> #tos=IPTOS_LOWDELAY
>
>
> avp_aliases="day=i:101;time=i:102;can_uri=i:800;s_ip=i:801;billing_party=i:802;from_header=i:803;sip_proxy_ip=i:804"
> #;pstnuser=i:805;pstnpassword=i:806:pstnrealm=i:807"
>
>
> # ------------------ module loading ----------------------------------
>
> #set module path
> mpath="/usr/lib/openser/modules/"
>
> # Uncomment this if you want to use SQL database
> loadmodule "mysql.so"
>
> loadmodule "sl.so" # Stateless Module
> loadmodule "tm.so" # Transaction Module
> loadmodule "rr.so" # Record-Route and Route Module
> loadmodule "maxfwd.so" # Max-Forward processor Module
> loadmodule "usrloc.so" # User Location Implementation Module
> loadmodule "registrar.so" # SIP Registrat Implementation Module
> loadmodule "textops.so" # Text Operation Module
> loadmodule "mi_fifo.so" # FIFO transport layer implementation for Management Interface
>
> loadmodule "acc.so" # Accounting Module
> loadmodule "avpops.so" # AVP Operation Module (user preference)
> loadmodule "uri.so" # Generic URI operation Module
>
> loadmodule "auth.so" # Authentification Module
> #loadmodule "auth_db.so" # Database-backend Authentication mMdule
> loadmodule "auth_radius.so" # RADIUS-backend Authentication Module
> loadmodule "group_radius.so" # User-groups Module with RADIUS-backend
> #loadmodule "avp_radius.so" # RADIUS-backend for AVP loading Module
>
> #loadmodule "presence.so" # Presence server Module
> #loadmodule "pua.so" # Common API for presence user agent client
>
> loadmodule "options.so" # OPTIONS server replier Module
> loadmodule "xlog.so" # Advanced Logger Module
>
> #loadmodule "nathelper.so" # NAT Traversal Helper Module
> #loadmodule "dispatcher.so" # Dispatcher (load-balancer) Module
>
> loadmodule "uac.so" # User Agent Client
> loadmodule "siptrace.so" # SipTrace module (storage of SIP requests)
> #loadmodule "exec.so" # Allows to start an external command from a OpenSER script
>
> # ----------------- setting module-specific parameters ---------------
>
>
> # -- exec params --
> #modparam("exec", "setvars", 1) # Turn off to disable setting environment variables for executed commands
> #modparam("exec", "time_to_kill", 20) # longest time a program is allowed to execute
>
>
> # -- maxfwd params --
> modparam("maxfwd", "max_limit", 10) # Default is 256 | 10 in the functions
>
>
> # -- sl params --
> #modparam("sl", "enable_stats", 1)
>
>
> # -- mi_fifo params --
> modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo")
>
>
> # -- usrloc params --
> # Uncomment this if you want to use SQL database
> modparam("usrloc", "db_mode", 1) # Write instantaneously in the DB
> modparam("usrloc", "db_url", "mysql://openser:razovski@sip.wifirst.fr/openser")
> modparam("usrloc", "timer_interval", 10)
> #modparam("usrloc", "use_domain", 1) # Not working for now...
> modparam("usrloc", "cseq_delay", 5) # Delay before authorizing others retransmissions
> #modparam("usrloc", "matching_mode", 1) # 1 - CONTACT and CALLID based matching algorithm
> #modparam("usrloc", "nat_bflag" , 3)
>
>
> # -- rr params --
> modparam("rr", "enable_full_lr", 1) # add value to ;lr param to make some broken UAs happy
> #modparam("rr", "add_username", 1) # username is added to the record-route
>
>
> # -- siptrace params --
> modparam("siptrace", "db_url", "mysql://openser:razovski@sip.wifirst.fr/openser")
> modparam("siptrace", "table", "sip_trace") # Default value "sip_trace"
> modparam("siptrace", "trace_on", 1)
>
>
> # -- avpops params --
> #modparam("avpops", "avp_aliases", "day=i:101;time=i:102") # Deprecated
>
>
> # -- presence params --
> #modparam("presence", "db_url", "mysql://openser:razovski@192.168.95.248/openser")
> #modparam("presence", "max_expires", 3600)
> #modparam("presence", "force_active", 1)
> #modparam("presence", "server_address", "sip:sip.wifirst.fr:5060" )
>
>
> # -- pua params --
> #modparam("pua", "db_url", "mysql://openser:razovski@192.168.95.248/openser")
>
>
> # -- options params --
> #modparam("options", "accept", "*/*")
> #modparam("options", "accept", "*/sdp")
> #modparam("options", "accept_encoding", "") # gzip non supporte
> #modparam("options", "accept_language", "en")
>
>
> # -- registrar params --
> modparam("registrar", "default_expires", 1800)
> #modparam("registrar", "nat_flag", 6)
> #modparam("registrar", "min_expires", 60)
> #modparam("registrar", "max_expires", 0)
> #modparam("registrar", "retry_after", 30)
> #modparam("registrar", "received_avp", "$avp(i:42)")
>
>
> # -- nathelper params --
> #modparam("nathelper", "rtpproxy_sock", "udp:127.0.0.1:22222")
> #modparam("nathelper", "natping_interval", 10)
> #modparam("nathelper", "ping_nated_only", 1)
> #modparam("nathelper", "sipping_bflag", 7)
> ##modparam("nathelper", "sipping_method", "OPTIONS")
> #modparam("nathelper", "received_avp", "$avp(i:42)") # Same Value as the registrar module
> #modparam("nathelper", "sipping_from", "sip:pinger at sip.wifirst.fr")
>
>
> # -- dispatcher params --
> #modparam("dispatcher", "list_file", "/etc/openser/dispatcher.list")
> #modparam("dispatcher", "force_dst", 1) # Force overwriting of the destination
> #modparam("dispatcher", "flags", 3)
>
> #modparam("dispatcher", "use_default", 1)
> #modparam("dispatcher", "dst_avp", "$avp(i:271)")
> #modparam("dispatcher", "grp_avp", "$avp(i:272)")
> #modparam("dispatcher", "cnt_avp", "$avp(i:273)")
>
>
>
> # -- uac params --
> #modparam("uac", "credential", "1401:saturne.alsion.com:7hR")
> modparam("uac", "credential", "0824:sip.plugandtel.net:635xyM")
> #modparam("uac", "auth_username_avp", "$avp(i:901)") #
> #modparam("uac", "auth_password_avp", "$avp(i:902)") #
> #modparam("uac", "auth_realm_avp", "$avp(i:903)") #
> modparam("uac","from_restore_mode","auto") # sequential requests and replies will be automatically updated based on stored original URI
> modparam("uac","from_passwd","UGKZ7DIGIVyfgugdygièè§!yF7TR67") # String password to be used to encrypt the RR storing paramter.
>
>
>
>
>
> # -- auth_db params --
> # Uncomment if you are using auth module
> #modparam("auth_db", "db_url", "mysql://openser:razovski@192.168.95.248/openser")
> #modparam("auth_db", "calculate_ha1", yes)
> #modparam("auth_db", "password_column", "password")
>
>
> # -- auth params --
> #modparam("auth", "secret", "johndoessecretphrase") # Default is random => don't set it
> #modparam("auth", "nonce_expire", 300) # Time before nounce expiration
> modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
>
>
> # -- group_radius params --
> modparam("group_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
> modparam("group_radius", "use_domain", 1) # username at domain will be used for lookup
>
>
> # -- avp_radius parameter --
> #modparam("avp_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
>
>
> # -- acc params (with radius )--
> modparam("acc", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
> modparam("acc", "radius_flag", 1)
> modparam("acc", "radius_missed_flag", 2)
>
> modparam("acc", "early_media", 1)
> modparam("acc", "report_cancels", 1)
> #modparam("acc", "report_ack", 0)
> modparam("acc", "detect_direction", 1)
> #modparam("acc", "log_flag", 1) # number of the flag which will be used to mark messages for accounting
> #modparam("acc", "log_level", 1) # Set the reporting log level
> #modparam("acc", "log_missed_flag", 2) #
> #modparam("acc", "failed_transaction_flag", 2)
> modparam("acc", "service_type", 15) # Radius service type used for accounting : 15 = (SIP)
> #modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp")
> # ATTENTION: DO NOT PUT ; at the end of the radius_extra attribute
> modparam("acc", "radius_extra", "Sip-Src-IP=$si;
> Sip-Src-Port=$sp;
> Canonical-URI=$avp(can_uri);
> Billing-Party=$avp(billing_party);
> SIP-Proxy-IP=$avp(sip_proxy_ip);
> User-Agent=$ua
> ")
> #Billing-Party=$avp(billing_party)
> #From-Header=$hdr(from);
> #User-Name=$fU;
> #From-Header=$avp(from_header);
> #Digest-Realm=$fd
> #Sip-From-Tag=$avp(from_header);
> #SIP-Method=$rm;
>
> ######## Pseudo Variables #######
> # http://openser.org/dokuwiki/doku.php/pseudovariables:1.2.x
>
> #modparam("acc", "radius_extra", "Sip-RPid=$avp(s:rpid); \
> # Source-IP=$si; \
> # Source-Port=$sp; \
> # Canonical-URI=$avp(can_uri); \
> # Billing-Party=$avp(billing_party); \
> # Divert-Reason=$avp(s:divert_reason); \
> # X-RTP-Stat=$avp(s:rtp_statistics); \
> # From-Header=$hdr(from); \
> # User-Agent=$hdr(user-agent); \
> # Contact=$hdr(contact); \
> # Event=$hdr(event); \
> # SIP-Proxy-IP=$avp(s:sip_proxy_ip)")
>
>
> # -- acc params (with mysql) --
> #modparam("acc", "db_url", "mysql://openser:razovski@sip.wifirst.fr/openser")
> #modparam("acc", "db_flag", 1)
> #modparam("acc", "db_missed_flag", 2)
> #modparam("acc", "log_flag", 1)
> #modparam("acc", "log_missed_flag", 2)
>
>
> # -- xlog param --
> #modparam("xlog", "force_color", 1)
>
>
> # ------------------------- request routing logic -------------------
>
> # main routing logic
>
> route{
>
> # initial sanity checks -- messages with
> # max_forwards==0, or excessively long requests
> if (!mf_process_maxfwd_header("10")) {
> sl_send_reply("483","Too Many Hops");
> exit;
> };
>
> if (msg:len >= 2048 ) {
> sl_send_reply("513", "Message too big");
> exit;
> };
>
>
> # check if user is suspended
> # if(is_method("REGISTER|INVITE|MESSAGE|OPTIONS|SUBSCRIBE")){
> # if (radius_is_user_in("From", "suspended")) {
> # sl_send_reply("403", "Forbidden - suspended");
> # exit;
> # };
> # };
>
> # if(is_method("INVITE")) {
> # if (!radius_is_user_in("From","voip")) {
> # xlog("L_DBG","NOT IN THE voip GROUP \r\n");
> # sl_send_reply("403", "Forbidden - Not in the voip group");
> # } else {
> # xlog("L_DBG","IN THE voip GROUP\r\n");
> # };
> # };
>
>
> # we record-route all messages -- to make sure that
> # subsequent messages will go through our proxy; that's
> # particularly good if upstream and downstream entities
> # use different transport protocol
> if (!method=="REGISTER") {
> record_route();
> };
>
> # subsequent messages withing a dialog should take the
> # path determined by record-routing
> if (loose_route()) { # mark routing logic in request
> append_hf("P-hint: rr-enforced\r\n");
> if(is_method("BYE")) { # log it all the time
> acc_rad_request("200 ok");
> acc_log_request("200 ok");
> }
> route(1);
> };
>
> #if (!uri==myself) {
> # mark routing logic in request
> # append_hf("P-hint: outbound\r\n");
> # if you have some interdomain connections via TLS
> #if(uri=~"@tls_domain1.net") {
> # t_relay("tls:domain1.net");
> # exit;
> #} else if(uri=~"@tls_domain2.net") {
> # t_relay("tls:domain2.net");
> # exit;
> #}
> #route(1);
> #};
>
>
>
> ################ SECTION USED TO ANSWER ping OPTIONS requests #################
>
> if (uri==myself) {
> if (method==OPTIONS){
> if (uri=~"sip:ping[@]+.*") {
> rewriteuri("sip:sip.wifirst.fr");
> #rewriteuri("sip:$dd");
> xlog("URI AFTER rewriteuri() = $ru \r\n");
> options_reply();
> exit;
> };
> if (! uri=~"sip:.*[@]+.*") {
> xlog("URI USED FOR PING = $ru \r\n");
> options_reply();
> };
> };
> };
>
>
> ################################################################################
>
>
> #################### REDIRECT PSTN PHONE CALLS##################################
>
>
> # set failure route for authentication
> t_on_failure("3");
> # reset flag to mark no authentication yet performed
> resetflag(7);
>
> if (method==INVITE && uri=~"sip:0677832974@*") {
> # #append_time(); # Should add time
> # insert_hf("Mon-Premier-Test: marc at leurent.eu\r\n", "Call-ID"); # Add a new field to SDP
> # #rewritehost("10.10.10.1"); # Rewrite network address
> # consume_credentials();
> # $avp(i:901) = "084";
> # $avp(i:902) = "63yM";
> # $avp(i:903) = "sip.plugandtel.net";
>
> # rewritehostport("saturne.alsion.com");
> rewritehostport("sip.plugandtel.net");
>
> #uac_replace_from("sip:104 at sip.wifirst.fr");
>
>
> # forward to PSTN
> #t_relay("udp:saturne.alsion.com:5060");
> t_relay("udp:sip.plugandtel.net:5060");
>
> exit;
>
> };
> ################################################################################
>
> # Set the acc flags
> if(is_method("INVITE") && !has_totag()) {
> xlog("L_INFO", "I AM SETTING THE FLAGS FOR RADIUS \r\n");
> $avp(can_uri) = $ru; # SIP Request's URI
> $avp(billing_party) = $fu; # From URI
> $avp(from_header) = $fU; # From URI username
> $avp(sip_proxy_ip) = $Ri; # Received IP address
>
> setflag(1); # radius_flag
> setflag(2); # radius_missed_flag
> };
>
>
> # Functions when calling other domains
> if (!uri==myself) {
> # check if user is allowed to do voip calls to other domains
> if(is_method("INVITE|MESSAGE")) {
> if (radius_is_user_in("From", "voip")) {
> sl_send_reply("403", "Forbidden VoIP");
> exit;
> };
> };
> # mark routing logic in request
> append_hf("P-hint: outbound\r\n");
> route(1);
> };
>
>
>
>
>
>
> # if the request is for other domain use UsrLoc
> # (in case, it does not work, use the following command
> # with proper names and addresses in it)
> if (uri==myself) {
>
> if (method=="REGISTER") {
> sip_trace();
> xlog("L_INFO", "$si IS TRYING TO REGISTER \r\n");
>
> # Uncomment this if you want to use digest authentication
> # if (!www_authorize("sip.wifirst.fr", "subscriber")) {
> # www_challenge("sip.wifirst.fr", "1"); # qop set to 1
> # xlog("L_INFO", "WWW_CHALLENGE of $si FAILED \r\n");
> # exit;
> # };
>
> if (!radius_www_authorize("sip.wifirst.fr")) {
> www_challenge("sip.wifirst.fr", "0"); # qop set to 1
> xlog("L_INFO", "WWW_CHALLENGE of $si FAILED \r\n");
> exit;
> };
>
> # check the src ip address
> #if(!avp_check("$avp(i:2)", "eq/$src_ip/ig")) {
> # sl_send_reply("403", "Forbidden IP");
> # exit;
> #};
>
> save("location");
> xlog("L_INFO", "SAVE LOCATION OF $si \r\n");
> exit;
> };
>
>
> # # calls to pstn
> # if(uri=~"sip:[0-9]*+@") {
> # if(is_method("INVITE") && !has_totag()) {
> # if (!radius_is_user_in("From", "pstn")) {
> # sl_send_reply("403", "Forbidden PSTN");
> # exit;
> # };
> # };
> # # set gateway address
> # rewritehostport("sip.wifirst.fr:5090");
> # route(1);
> # };
>
>
> # load callee's avps
> # if(avp_load_radius("callee")) {
> # # check if user has time filter enabled
> # if(avp_check("$avp(i:3)", "eq/i:1")) {
> # # print time in an avp
> # avp_printf("$avp(i:100)", "$Tf");
> # # extract day
> # avp_subst("$avp(i:100)/$avp(i:101)", "/(.{3}) .+/*\1*/");
> # #if(!avp_check("$avp(i:6)", "fm/$avp($day)")) {
> # if(!avp_check("$avp(i:6)", "fm/$avp(day)")) {
> # sl_send_reply("403", "Forbidden - day");
> # exit;
> # };
> # # extract 'hours:minutes'
> # avp_subst("$avp(i:100)/$avp(i:102)", "/(.{10}) (.{5}):.+/\2/");
> # if((is_avp_set("$avp(i:4)") && avp_check("$avp(i:4)", "gt/$avp(time)"))
> # || (is_avp_set("$avp(i:5)") && avp_check("$avp(i:5)", "lt/$avp(time)"))) {
> # sl_send_reply("403", "Forbidden - time");
> # exit;
> # };
> # };
>
>
>
> # lookup("aliases");
> # if (!uri==myself) {
> # append_hf("P-hint: outbound alias\r\n");
> # route(1);
> # };
>
> # native SIP destinations are handled using our USRLOC DB
>
>
> if (!lookup("location")) {
> # log to acc as missed call
> acc_rad_request("404 Not Found");
> acc_log_request("404 Not Found");
> xlog("L_DBG", "ACC RADIUS: 404 NOT FOUND FOR $si \r\n");
> sl_send_reply("404", "Not Found");
> exit;
> };
> append_hf("P-hint: usrloc applied\r\n");
>
> };
>
>
>
> #if ($scr_ip != 192.168.95.248) {
> # ds_select_dst("1", "0");
> # forward();
> #};
>
> route(1);
> }
>
>
> # Generic Forward
> route[1] {
> sip_trace();
> # send it out now; use stateful forwarding as it works reliably
> # even for UDP2TCP
> if (!t_relay()) {
> sl_reply_error();
> };
> exit;
> }
>
>
>
>
> failure_route[3]
> {
> # authentication reply received?
> xlog("FAILURE ROUTE 3 STARTED /r/n");
> xlog("AUTHENTICATION REPLY RECEIVED /r/n");
> if ( t_check_status("401|407") )
> {
> # have we already tried to authenticate?
> if (isflagset(7))
> {
> t_reply("503","Authentication failed");
> exit;
> }
> if (uac_auth())
> {
> # mark that auth was performed
> setflag(7);
> # trigger again the failure route
> t_on_failure("3");
> # repeat the request with auth response this time
> append_branch();
> t_relay();
> }
> }
> }
>
> _______________________________________________
> Devel mailing list
> Devel at openser.org
> http://openser.org/cgi-bin/mailman/listinfo/devel
>
>
More information about the Devel
mailing list