[Kamailio-Devel] Radius attributes and dictionary

Samuel Muller sml at 720.fr
Mon Nov 3 22:14:45 CET 2008


hello,

I would really like to thank you, Juha, it works perfectly :)
I had to adapt some part of Radiator code (a little hook to replace the $urg
variable when the auth request is coming).

# -- AUTH ---------------------------------------------------------------- #
route[6]
{
...
    # urgency numbers : if called, flag it and get the urg geo number by radius :
    if (uri=~"^sip:1(5|7|8|12|15|19)@")
    {
        xlog("L_INFO","-> urgency code $rU called by $fU ");
        setflag(13);    # flag urg
    }
    # radius www authentication
    if (!radius_proxy_authorize(""))
    {
        proxy_challenge("", "1");
        if ($retcode == -5)
        {
            xlog("L_INFO", "-> 500: internal server error");
            sl_send_reply("500", "Internal Server Error");
        }
        else if ($retcode == -4)
        {
            xlog("L_INFO", "-> 404: credentials not found");
            sl_send_reply("404", "Credentials Not Found");
        }
        else if ($retcode == -3)
        {
            xlog("L_INFO", "-> 400: bad request");
            sl_send_reply("400", "Bad Request");
        }
        else
        {
            if ($adu)
            { append_to_reply("$adu"); }
            xlog("L_INFO", "-> 407 - proxy auth required");
            sl_send_reply("407", "Proxy Authentication Required");
        }
        drop;
    }
    xlog("L_INFO", "-> authentication is ok, let it continue");
    setflag(8);        # flag auth_ok
...
    if (isflagset(13))
    {
        xlog("L_INFO", "-> urgency $rU called by $fU : send directly to pstn");
        route(15);    # route PSTN
    }
}

And it's ok in the radius :

*** Received from 192.168.60.9 port 56178 ....
Code:       Access-Request
Identifier: 208
Authentic:  i.<179>;:_<197>H<131><232><219>+<7>2i<153>
Attributes:
    Cisco-AVPair = "0123451012 at sip.720.fr"
    Digest-Attributes = "<10><12>0123451012"
    Digest-Attributes = "<1><12>sip.720.fr"
    Digest-Attributes = "<2>2490f6a370000000e4448ccf0eb032d4998da6b6142aa03ea"
    Digest-Attributes = "<4><19>sip:18 at sip.720.fr"
    Digest-Attributes = "<3><8>INVITE"
    Digest-Attributes = "<5><6>auth"
    Digest-Attributes = "<9><10>00000001"
    Digest-Attributes = "<8><10>da2ac20f"
    Digest-Response = "fbfa3947386bcdeb0bd9c825b50fca2f"
    Service-Type = Sip-Session
    Sip-URI-User = "0123451012"
    cisco-avpair = "call-id=60df24b8-54ec4365 at 192.168.1.5"
    NAS-Port = 5060
    NAS-IP-Address = 192.168.60.9

Mon Nov  3 22:11:39 2008: DEBUG: Handling request with Handler 'Service-Type=Sip-Session'
Mon Nov  3 22:11:39 2008: DEBUG: Rewrote user name to 0123451012 at sip.720.fr
...
*** Sending to 192.168.60.9 port 56178 ....
Code:       Access-Accept
Identifier: 208
Authentic:  i.<179>;:_<197>H<131><232><219>+<7>2i<153>
Attributes:
    Message-Authenticator = "<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>"
    User-Name = "0123451012"
    Sip-User-ID = "0123451012"
    Sip-User-Realm = "sip.720.fr"
    Sip-URI-User = "0123451012 at sip.720.fr"
    Sip-Rpid = "0123451012"
    Sip-Group = "full"
    Sip-AVP = "asserted_id:0123451012"
    Sip-AVP = "urg:01233450018"



I just want to know why the avp_print function understands another kind of
AVP name than the one we got in the Radius request?
It adds "caller_" or "callee_" as a prefix ...

in the debug log :
Nov  3 22:07:34 ser0 kamailio[28252]: -> urgency code 18 called by 0123451012
Nov  3 22:07:34 ser0 kamailio[28252]: DBG:auth:check_nonce: comparing [490f69420000000c00de4aa46ee94c1b07cc0239f6ae8ef8] and [490f69420000000c00de4aa46ee94c1b07cc0239f6ae8ef8]
Nov  3 22:07:34 ser0 kamailio[28252]: DBG:auth_radius:radius_authorize_sterman: Success
Nov  3 22:07:34 ser0 kamailio[28252]: DBG:auth_radius:generate_avps: getting SIP AVPs from avpair 225
Nov  3 22:07:34 ser0 kamailio[28252]: DBG:auth_radius:extract_avp: string is <asserted_id:0123451012>
Nov  3 22:07:34 ser0 kamailio[28252]: DBG:auth_radius:extract_avp: AVP name is <asserted_id>
Nov  3 22:07:34 ser0 kamailio[28252]: DBG:auth_radius:extract_avp: AVP val is <0123451012>
Nov  3 22:07:34 ser0 kamailio[28252]: DBG:auth_radius:generate_avps: AVP 'asserted_id'/0='0123451012'/0 has been added
Nov  3 22:07:34 ser0 kamailio[28252]: DBG:auth_radius:extract_avp: string is <urg:01233450018>
Nov  3 22:07:34 ser0 kamailio[28252]: DBG:auth_radius:extract_avp: AVP name is <urg>
Nov  3 22:07:34 ser0 kamailio[28252]: DBG:auth_radius:extract_avp: AVP val is <01233450018>
Nov  3 22:07:34 ser0 kamailio[28252]: DBG:auth_radius:generate_avps: AVP 'urg'/0='01233450018'/0 has been added

with an avp_print() :

Nov  3 22:05:00 kamailio[28252]: INFO:avpops:ops_print_avp: p=0x7f0037677ec8, flags=0x0003
Nov  3 22:05:00 kamailio[28252]: INFO:avpops:ops_print_avp: ^I^I^Iname=<caller_urg>
Nov  3 22:05:00 kamailio[28252]: INFO:avpops:ops_print_avp: ^I^I^Ival_str=<01233450018 / 4>


Again, many thanks,

.Sam.




On Tue, Oct 28, 2008 at 7:02 PM, Samuel Muller <sml at 720.fr> wrote:

> oh, you're right, nice !
>
> the idea should be (not the real script lines but similar in the concept) :
>
> $fu INVITE $ruri (where $ruri is a urg code) :
>
> route(authenticate)
> {
>    if (ruri = (15|17|18)@)
>    {
>    ($username == $urg);
>    setflag(urg);
>    }
>    radius_proxy_authorize("...")
>    {...}
> }
> route(pstn)
> {
>    if (isflagset(urg))
>    {
>     rewriteusername($urg);
>     route(send_to_a_dedicated_trunk);
>     exit;
>    }
> }
>
> and the radius replies during the authentication, the real associated geo
> number of the urg code.
>
> nice ! many thanks ! I'll try it asap !
>
> .Sam.
>
>
>
>
> On Tue, Oct 28, 2008 at 6:39 PM, Juha Heinanen <jh at tutpro.com> wrote:
>
>> Samuel Muller writes:
>>
>>  > when the sipphone calls the urgency code "15", openser receives
>>  > sip:15 at realm
>>  > "
>>  > so I use the avp_load_radius to get the AVP $urg (for example).
>>  > the radius checks its db :
>>  > . $fu -> insee code=$insee (insee codes relates the geo number of urgencies)
>>  > . $ruri -> urg code=$urg
>>  > so it translates the code in the good geo number (15 = 0123456789)
>>  > then openser just rewrite the ruri like sip:$urg at realm.
>>
>> sounds good, but if you authenticate the call in kamailio, you don't
>> need this extra avp_load_radius call, because you can return the geo
>> number already during authentication.  on the other hand, there are not
>> that many emergency calls that the extra call would matter.
>>
>> -- juha
>>
>
>
>
> --
> Samuel MULLER
> Network & Telecom Engineer
> 720 DEGRES
> +33 (0)663 128 505
> sml at 720.fr
>



-- 
Samuel MULLER
Network & Telecom Engineer
720 DEGRES
+33 (0)663 128 505
sml at 720.fr
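
Added example (not part of the original message, and not Radiator or Kamailio code): a small Python decoder for the Digest-Attributes values as the Radiator trace above prints them, checking the length byte of each sub-attribute, plus the name:value split that the extract_avp debug lines show for Sip-AVP. The function names are hypothetical and the sub-attribute names are assumed from draft-sterman-aaa-sip; the sample values come from the trace, except the last one, which is constructed.

```python
import re

# Sub-attribute names assumed from draft-sterman-aaa-sip; the values in the
# trace above are consistent with this numbering.
SUBATTR = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 5: "QOP",
           6: "Algorithm", 7: "Body-Digest", 8: "CNonce",
           9: "Nonce-Count", 10: "User-Name"}
_ESC = re.compile(r"<(\d{1,3})>")

def unescape_trace(text):
    """Turn trace notation ('<10>' = byte 0x0a) back into raw bytes."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(text):
        value = int(m.group(1))
        if value > 255:
            raise ValueError("escape out of byte range: " + m.group(0))
        out += text[pos:m.start()].encode("latin-1")
        out.append(value)
        pos = m.end()
    return bytes(out + text[pos:].encode("latin-1"))

def decode_digest_attribute(text):
    """Decode one value: type byte, length byte (header included), data."""
    raw = unescape_trace(text)
    if len(raw) < 2:
        raise ValueError("truncated sub-attribute")
    sub_type, length = raw[0], raw[1]
    # A printable length byte appears as a character: '2' (50) before the nonce.
    if length != len(raw):
        raise ValueError("length byte %d, actual size %d" % (length, len(raw)))
    if sub_type not in SUBATTR:
        raise ValueError("unknown sub-attribute type %d" % sub_type)
    return SUBATTR[sub_type], raw[2:].decode("latin-1")

def split_sip_avp(text):
    """Split 'name:value' at the first colon, as extract_avp logs it."""
    name, sep, value = text.partition(":")
    if not sep or not name:
        raise ValueError("Sip-AVP without a name: %r" % text)
    return name, value

if __name__ == "__main__":
    # From the trace above, except the last (constructed, wrong length byte).
    for s in ("<10><12>0123451012", "<1><12>sip.720.fr", "<3><8>INVITE", "<3><9>INVITE"):
        try:
            print(decode_digest_attribute(s))
        except ValueError as exc:
            print("rejected:", exc)
    print(split_sip_avp("urg:01233450018"))
```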