Difference between revisions of "Improving RADIUS Support"

From reSIProcate
Revision as of 08:12, 30 August 2013

Current status (up to and including v1.8)

Currently, RADIUS support is in two places:

  • rutil/RADIUSDigestAuthenticator
    • uses radiusclient-ng to do SIP (DIGEST MD5) authentication as per [[1]]
    • works with FreeRADIUS server's rlm_digest module
  • resip/dum/RADIUSServerAuthManager
    • uses the code from RADIUSDigestAuthenticator to authenticate SIP clients

Eventual improvement

We would also like to use RADIUS for TURN. TURN uses HMAC-SHA1 rather than DIGEST-MD5 and therefore it requires a different module in FreeRADIUS and different attribute/value pairs must be submitted to the RADIUS server.

An initial cut of the FreeRADIUS module already exists; it is called rlm_hmac (https://github.com/FreeRADIUS/freeradius-server/pull/367). The FreeRADIUS maintainers have suggested some changes to it, but it is sufficient as a proof of concept.

To achieve this, rutil/RADIUSDigestAuthenticator needs to be split into two parts:

  • low level RADIUS wrapper around radiusclient-ng
    • no knowledge of SIP DIGEST
    • wraps the C client code
    • takes AV set as arguments
    • takes RADIUS config filename as argument
    • do lookup, return arbitrary attributes/values
  • SIP DIGEST and TURN-HMAC helper classes
    • both classes should leverage the low level code just described
    • based on the existing rutil/RADIUSDigestAuthenticator API perhaps
  • adapt resip/dum/RADIUSServerAuthManager to work in repro
    • repro needs a "monkey" that implements similar logic when forwarding requests
    • repro only uses the DUM authenticators for certain requests, such as registrations
  • implement in reTurn
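The following is an added illustration of the split described above, not code from reSIProcate, reTurn or FreeRADIUS. It models the three layers in Python rather than C++ so it runs without radiusclient-ng: a low-level client that only takes a config filename and an attribute/value set, a SIP DIGEST helper and a TURN HMAC helper built on it, and an in-process stand-in for the RADIUS server. The Digest-* attribute names are the RFC 5090 ones that rlm_digest consumes; the TURN-* attribute names, the FakeRadiusServer class and the radiusclient.conf path are assumptions made for this example and are not the attributes used by the rlm_hmac pull request. It also shows concretely why the two helpers must submit different pairs: SIP verifies an MD5(HA1:nonce:HA2) response, while TURN's long-term credential verifies an HMAC-SHA1 keyed with MD5(user:realm:password) over the STUN message.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# A RADIUS attribute/value set: an ordered list of (attribute, value) pairs.
# Values are carried as text (binary values hex-encoded) so the low layer stays generic.
AVSet = List[Tuple[str, str]]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def sip_digest_response(username: str, realm: str, password: str,
                        method: str, uri: str, nonce: str) -> str:
    """RFC 2617 Digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def turn_message_integrity(username: str, realm: str, password: str, message: bytes) -> bytes:
    """STUN/TURN long-term credential: HMAC-SHA1 keyed with MD5(user:realm:password)."""
    key = hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()
    return hmac.new(key, message, hashlib.sha1).digest()


class FakeRadiusServer:
    """In-process stand-in for FreeRADIUS (assumption for this example). The Digest-*
    branch mirrors what rlm_digest checks; the TURN-* names are placeholders, not the
    attributes of the rlm_hmac pull request."""

    def __init__(self, users: Dict[Tuple[str, str], str]):
        self.users = users  # (username, realm) -> cleartext password

    def handle(self, request: AVSet) -> Tuple[str, AVSet]:
        av = dict(request)
        user = av.get("User-Name", "")
        ok = False
        if "Digest-Response" in av:
            password = self.users.get((user, av["Digest-Realm"]))
            if password is not None:
                expected = sip_digest_response(user, av["Digest-Realm"], password,
                                               av["Digest-Method"], av["Digest-URI"],
                                               av["Digest-Nonce"])
                ok = hmac.compare_digest(expected, av["Digest-Response"])
        elif "TURN-Message-Integrity" in av:
            password = self.users.get((user, av["TURN-Realm"]))
            if password is not None:
                expected = turn_message_integrity(user, av["TURN-Realm"], password,
                                                  bytes.fromhex(av["TURN-Message"]))
                ok = hmac.compare_digest(expected, bytes.fromhex(av["TURN-Message-Integrity"]))
        return ("Access-Accept", []) if ok else ("Access-Reject", [])


class RadiusClient:
    """Low-level layer: no SIP or TURN knowledge. Config filename plus AV set in,
    reply code plus reply attributes out."""

    def __init__(self, config_filename: str, server: FakeRadiusServer):
        self.config_filename = config_filename  # would be handed to radiusclient-ng
        self.server = server                    # replaces the UDP exchange in this model

    def lookup(self, request: AVSet) -> Tuple[str, AVSet]:
        return self.server.handle(request)


class SipDigestHelper:
    """Turns the fields of a SIP Authorization header into Digest-* AV pairs."""

    def __init__(self, client: RadiusClient):
        self.client = client

    def authenticate(self, username, realm, method, uri, nonce, response) -> bool:
        code, _ = self.client.lookup([
            ("User-Name", username), ("Digest-Realm", realm), ("Digest-Method", method),
            ("Digest-URI", uri), ("Digest-Nonce", nonce), ("Digest-Response", response),
        ])
        return code == "Access-Accept"


class TurnHmacHelper:
    """Submits the STUN message and its MESSAGE-INTEGRITY value for HMAC-SHA1 checking."""

    def __init__(self, client: RadiusClient):
        self.client = client

    def verify(self, username, realm, message: bytes, message_integrity: bytes) -> bool:
        code, _ = self.client.lookup([
            ("User-Name", username), ("TURN-Realm", realm),
            ("TURN-Message", message.hex()), ("TURN-Message-Integrity", message_integrity.hex()),
        ])
        return code == "Access-Accept"


def demo() -> Dict[str, bool]:
    """Exercise both helpers against one constructed user record."""
    server = FakeRadiusServer({("alice", "example.org"): "s3cret"})
    client = RadiusClient("/etc/radiusclient-ng/radiusclient.conf", server)  # assumed path
    sip, turn = SipDigestHelper(client), TurnHmacHelper(client)
    good = sip_digest_response("alice", "example.org", "s3cret", "REGISTER", "sip:example.org", "n0nce")
    stun = b"\x00\x03\x00\x10constructed-stun-bytes"  # constructed, not a real STUN message
    mac = turn_message_integrity("alice", "example.org", "s3cret", stun)
    return {
        "sip_ok": sip.authenticate("alice", "example.org", "REGISTER", "sip:example.org", "n0nce", good),
        "sip_bad_response": sip.authenticate("alice", "example.org", "REGISTER", "sip:example.org", "n0nce", "0" * 32),
        "sip_unknown_user": sip.authenticate("bob", "example.org", "REGISTER", "sip:example.org", "n0nce", good),
        "turn_ok": turn.verify("alice", "example.org", stun, mac),
        "turn_tampered": turn.verify("alice", "example.org", stun + b"!", mac),
    }


if __name__ == "__main__":
    print(demo())
```

Only the two helper classes know which attributes to build; RadiusClient would be the one place that wraps radiusclient-ng, and both a DUM authenticator and a repro "monkey" could sit on top of the SIP helper while reTurn uses the TURN helper.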