[Serusers] RADIUS authentication: draft-sterman-aaa-sip

Jiri Kuthan jiri at iptel.org
Wed Oct 29 12:03:07 CET 2003


At 09:45 AM 10/29/2003, Alexander Mayrhofer wrote:
>On (28.10.03 10:46), Jiri Kuthan wrote:
>> Unfortunately, there is now no standard for use of RADIUS along
>> with SIP. SER users leveraging the combination of these two
>> technologies are left with implementation of expired internet 
>> drafts. There are some chances that the IETF community revitalizes 
>> the document.
>> 
>> Thus, I would appreciate hearing if any of the active RADIUS/SIP/SER 
>> users have had any issues with the RADIUS authentication in SER,
>> which is based on draft-sterman-aaa-sip.
>
>Jiri,
>
>as i told you in person on the VON, the module is quite useable at the
>moment (and in production here), with the following issues:
>
>- the readiusclient library which the module is using does not support
>  vendor-specific attributes, therefore you have to redefine existing
>  attribute space rather than defining new ones (this is what the draft
>  does). A revamp of the module should probably switch to a different
>  backend library (maybe there's something in the freeradius package?)

point taken, put on the "someday" priority -- I focus most of our
effort on sanity now, see bellow.

>- the module lacks failover to a secondary radius server. failover seems
>  quite straightforward to implement for authentication, which is my major
>  concern, so i'd appreciate seeing that in the module. (We didn't have
>  problems with that yet because of the stability of our radius server,
>  but the day will come for sure  ;). It may be more difficult for
>  accounting, but i'm fine with SQL accounting at the moment.
>- I'd love to see my radius-alias-patch in the upstream sources. That's
>  more of a personal request, because it would save me lot of
>  backporting when switching to a new release. I'd appreciate to hear if
>  someone considers that stuff useful or even dares to use it ;)

I hope all of that will be addressed by changes we are planning. The idea
is to introduce RADIUS (and LDAP too) as database drivers. The drivers
would support fail-over and could be used for maintenance of the alias
database (that would solve also the problem with aliases, that don't
appear in in-memory databases before a user registers).

That's all a long-term effort which will not complete this year (guesstimate: 
February).

(btw ad long-term efforts: the same for your favorite request, variables.
We'ld love to have them, preparation work for them already began. As
that is a big change, I plan to spend quite some time with it to keep it
sane.)

>I'd volunteer to help on revitalizing the sterman draft. SIP/SER/RADIUS
>might have become a much more widespread solution over the last few
>months, so there may be more attention at this time.

I will see if I can get you involved somehow.

-jiri 




More information about the sr-users mailing list