Auth_aaa Module

Jan Janak

   FhG Fokus
   <jan@iptel.org>

Juha Heinanen

   Song Networks
   <jh@song.fi>

Stelios Sidiroglou-Douskos

Bogdan-Andrei Iancu

   <bogdan@opensips.org>

Edited by

Jan Janak

   <jan@iptel.org>

Edited by

Irina-Maria Stanescu

   <ironmissy@gmail.com>

   Copyright © 2002, 2003 FhG FOKUS

   Copyright © 2005, 2009 Voice Sistem SRL
   Revision History
   Revision $Revision: 8740 $ $Date$
     __________________________________________________________

   Table of Contents

   1. Admin Guide

        1.1. Overview
        1.2. Additional Credentials
        1.3. Dependencies

              1.3.1. OpenSIPS Modules
              1.3.2. External Libraries or Applications

        1.4. Exported Parameters

              1.4.1. aaa_url (string)
              1.4.2. service_type (integer)
              1.4.3. use_ruri_flag (string/integer)

        1.5. Exported Functions

              1.5.1. aaa_www_authorize(realm[, uri_user])
              1.5.2. aaa_proxy_authorize(realm [, uri_user])

   List of Examples

   1.1. “SIP-AVP” AAA AVP examples
   1.2. aaa_url parameter usage
   1.3. service_type parameter usage
   1.4. use_ruri_flag parameter usage
   1.5. aaa_www_authorize usage
   1.6. proxy_authorize usage

Chapter 1. Admin Guide

1.1. Overview

   This module contains functions that are used to perform
   authentication using an AAA server. Basically the proxy will
   pass along the credentials to the AAA server which will in turn
   send a reply containing result of the authentication. So
   basically the whole authentication is done in the AAA server.
   Before sending the request to the AAA server we perform some
   sanity checks over the credentials to make sure that only well
   formed credentials will get to the server. We have implemented
   AAA authentication according to draft-sterman-aaa-sip-00.

1.2. Additional Credentials

   When performing authentication, the AAA server may include in
   the response additional credentials. This scheme is very useful
   in fetching additional user information from the AAA server
   without making extra queries.

   The additional credentials are embedded in the AAA reply as
   AVPs “SIP-AVP”. The syntax of the value is:
     * value = SIP_AVP_NAME SIP_AVP_VALUE
     * SIP_AVP_NAME = STRING_NAME | '#'ID_NUMBER
     * SIP_AVP_VALUE = ':'STRING_VALUE | '#'NUMBER_VALUE

   All additional credentials will be stored as OpenSIPS AVPs
   (SIP_AVP_NAME = SIP_AVP_VALUE).

   The RPID value may be fetch via this mechanism.

   Example 1.1. “SIP-AVP” AAA AVP examples
....
"email:joe@yahoo.com"
    - STRING NAME AVP (email) with STRING VALUE (joe@yahoo.com)
"#14:joe@yahoo.com"
    - ID AVP (14) with STRING VALUE (joe@yahoo.com)
"age#28"
    - STRING NAME AVP (age) with INTEGER VALUE (28)
"#14#28"
    - ID AVP (14) with INTEGER VALUE (28)
....

1.3. Dependencies

1.3.1. OpenSIPS Modules

   The module depends on the following modules (in the other words
   the listed modules must be loaded before this module):
     * auth -- Generic authentication functions
     * an aaa implementing module -- for example aaa_radius

1.3.2. External Libraries or Applications

   This module does not depend on any external library.

1.4. Exported Parameters

1.4.1. aaa_url (string)

   This is the url representing the AAA protocol used and the
   location of the configuration file of this protocol.

   The syntax for the url is the following:
   "name_of_the_aaa_protocol_used:path_of_the_configuration_file"

   Example 1.2. aaa_url parameter usage

modparam("auth_aaa", "aaa_url", "radius:/etc/radiusclient-ng/radiusclien
t.conf")

1.4.2. service_type (integer)

   This is the value of the Service-Type aaa attribute to be used.
   The default should be fine for most people. See your aaa client
   include files for numbers to be put in this parameter if you
   need to change it.

   Default value is “15”.

   Example 1.3. service_type parameter usage

modparam("auth_aaa", "service_type", 15)

1.4.3. use_ruri_flag (string/integer)

   When this parameter is set to the value other than "NULL" and
   the request being authenticated has flag with matching number
   set via setflag() function, use Request URI instead of uri
   parameter value from the Authorization / Proxy-Authorization
   header field to perform AAA authentication. This is intended to
   provide workaround for misbehaving NAT / routers / ALGs that
   alter request in the transit, breaking authentication. At the
   time of this writing, certain versions of Linksys WRT54GL are
   known to do that.

   Default value is “NULL” (not set).

   Example 1.4. use_ruri_flag parameter usage

modparam("auth_aaa", "use_ruri_flag", "USE_RURI_FLAG")

1.5. Exported Functions

1.5.1. aaa_www_authorize(realm[, uri_user])

   The function verifies credentials according to RFC2617. If the
   credentials are verified successfully then the function will
   succeed and mark the credentials as authorized (marked
   credentials can be later used by some other functions). If the
   function was unable to verify the credentials for some reason
   then it will fail and the script should call www_challenge
   which will challenge the user again.

   Negative codes may be interpreted as follows:
     * -5 (generic error) - some generic error occurred and no
       reply was sent out;
     * -4 (no credentials) - credentials were not found in
       request;
     * -3 (stale nonce) - stale nonce;

   This function will, in fact, perform sanity checks over the
   received credentials and then pass them along to the aaa server
   which will verify the credentials and return whether they are
   valid or not.

   Meaning of the parameter is as follows:
     * realm - Realm is a opaque string that the user agent should
       present to the user so he can decide what username and
       password to use. Usually this is domain of the host the
       server is running on.
       If an empty string “” is used then the server will generate
       it from the request. In case of REGISTER requests To header
       field domain will be used (because this header field
       represents a user being registered), for all other messages
       From header field domain will be used.
       The string may contain pseudo variables.
     * uri_user - Uri_user is an optional pseudo variable
       parameter whose value, if present, will be given to Radius
       server as value of SIP-URI-User check item. If uri_user
       pseudo variable parameter is not present, the server will
       generate SIP-URI-User check item value from user part of To
       URI.

   This function can be used from REQUEST_ROUTE.

   Example 1.5. aaa_www_authorize usage

...
if (!aaa_www_authorize("siphub.net")) {
        www_challenge("siphub.net", "1");
};
...


1.5.2. aaa_proxy_authorize(realm [, uri_user])

   The function verifies credentials according to RFC2617. If the
   credentials are verified successfully then the function will
   succeed and mark the credentials as authorized (marked
   credentials can be later used by some other functions). If the
   function was unable to verify the credentials for some reason
   then it will fail and the script should call proxy_challenge
   which will challenge the user again. For more about the
   negative return codes, see the above function.

   This function will, in fact, perform sanity checks over the
   received credentials and then pass them along to the aaa server
   which will verify the credentials and return whether they are
   valid or not.

   Meaning of the parameters is as follows:
     * realm - Realm is a opaque string that the user agent should
       present to the user so he can decide what username and
       password to use. This is usually one of the domains the
       proxy is responsible for. If an empty string “” is used
       then the server will generate realm from host part of From
       header field URI.
       The string may contain pseudo variables.
     * uri_user - Uri_user is an optional pseudo variable
       parameter whose value, if present, will be given to Radius
       server as value of SIP-URI-User check item. If uri_user
       pseudo variable parameter is not present, the server will
       generate SIP-URI-User check item value from user part of
       From URI.

   This function can be used from REQUEST_ROUTE.

   Example 1.6. proxy_authorize usage

...
if (!aaa_proxy_authorize("")) {   # Realm and URI user will be autogener
ated
        proxy_challenge("", "1");
};
...
if (!aaa_proxy_authorize("$pd", "$pU")) { # Realm and URI user are taken
        proxy_challenge("$pd", "1");         # from P-Preferred-Identity
};                                           # header field
...
