[Serusers] Strange behavior of Radius-Authentication with Usernames

Kai Militzer km at westend.com
Thu Jul 8 13:20:47 CEST 2004


Hi list!

I just came across something very strange when using the radius-modules
and wonder if it is a wanted feature, a bug or simply me being stupid
(which I guess will be the case).

The thing is the following. My ser.cfg has the following in it when an
UA registers:

 if (method=="REGISTER") {
         if (!radius_proxy_authorize("XXX.XXX.XXX.XXX")) {
                 proxy_challenge("XXX.XXX.XXX.XXX", "0");
                 break;
         };
         log(1,"Registered");
         save("location");
         break;
 };


This works fine, meaning the user gets registered if it is known to
Radius and not registered in the opposite case.

Now to the strange thing. In most UAs you can enter different user-parts
of the URI and Authentication-Users. I used kphone for this test and
entered a valid username as authentication username and some random
number (or word, that doesn't matter) as "User part of SIP URL". What
happens then is that the user can register and gets a URI different
from the authenticated username. With this behavior every user would be
able to "hijack" connections from other users.

How can I tell SER to not allow this? Has it something to do with the
SIP-Rpid argument in Radius? Ser seems to ignore it.

Any hints, or RTFMs to get me looking in the right direction to solve
this problem would be very kind.

Best regards
Kai

-- 
Kai Militzer                 WESTEND GmbH  |  Internet-Business-Provider
Technik                      CISCO Systems Partner - Authorized Reseller
                             Lütticher Straße 10      Tel 0241/701333-11
km at westend.com               D-52064 Aachen              Fax 0241/911879
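Added illustration (not part of Kai's post and not an answer from the list): the radius_proxy_authorize() call only proves that the credentials in the Authorization header are valid; it does not compare the authenticated username with the address of record in the To header of the REGISTER, which is what kphone's "User part of SIP URL" ends up in. The fragment below keeps the original routing logic and adds a check_to() call from SER's uri module so that a REGISTER whose To username differs from the authenticated username is rejected before save("location") runs. The module path and the 403 reply text are assumptions; depending on the SER version the function lives in uri.so or uri_db.so, and the Radius server address is left as the same placeholder the post uses.

```cfg
# Assumed module path; check_to()/check_from() are exported by the
# uri module (uri_db in later releases).
loadmodule "/usr/lib/ser/modules/uri.so"

route {
        # ... other routing logic from the original ser.cfg ...

        if (method=="REGISTER") {
                # Step 1: authenticate the credentials against Radius,
                # exactly as in the original configuration.
                if (!radius_proxy_authorize("XXX.XXX.XXX.XXX")) {
                        proxy_challenge("XXX.XXX.XXX.XXX", "0");
                        break;
                };

                # Step 2: bind the authenticated identity to the address
                # being registered. check_to() compares the username in
                # the credentials with the username in the To header and
                # fails when they differ, which blocks registering a
                # contact under someone else's SIP URI.
                if (!check_to()) {
                        log(1, "REGISTER: To username does not match credentials\n");
                        sl_send_reply("403", "Forbidden - To does not match credentials");
                        break;
                };

                log(1, "Registered");
                save("location");
                break;
        };
};
```

Design note: the check has to sit between the authorization and save("location"), because save() trusts whatever To/Contact the request carries. A registrar conventionally challenges with 401/WWW-Authenticate (the www_* variants) rather than 407/Proxy-Authenticate, but the check_to() placement is the same either way; sl_send_reply() requires the sl module to be loaded.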




