Improving RADIUS Support

From reSIProcate
Revision as of 08:12, 30 August 2013 by Dpocock (talk | contribs)
Jump to navigation Jump to search

Current status (up to and including v1.8)

Currently, RADIUS support is in two places:

  • rutil/RADIUSDigestAuthenticator
    • uses radiusclient-ng to do SIP (DIGEST MD5) authentication as per [[1]]
    • works with FreeRADIUS server's rlm_digest module
  • resip/dum/RADIUSServerAuthManager
    • uses the code from RADIUSDigestAuthenticator to authenticate SIP clients

Eventual improvement

We would also like to use RADIUS for TURN. TURN uses HMAC-SHA1 rather than DIGEST-MD5 and therefore it requires a different module in FreeRADIUS and different attribute/value pairs must be submitted to the RADIUS server.

An initial cut of the FreeRADIUS module already exists, it is called The FreeRADIUS maintainers have suggesting some changes to it, but it is sufficient as a proof of concept.

To achieve this, rutil/RADIUSDigestAuthenticator needs to be split into two parts:

  • low level RADIUS wrapper around radiusclient-ng
    • no knowledge of SIP DIGEST
    • wraps the C client code
    • takes AV set as arguments
    • takes RADIUS config filename as argument
    • do lookup, return arbitrary attributes/values
  • SIP DIGEST and TURN-HMAC helper classes
    • both classes should leverage the low level code just described
    • based on the existing rutil/RADIUSDigestAuthenticator API perhaps
  • adapt resip/dum/RADIUSServerAuthManager to work in repro
    • repro needs a "monkey" that implements similar logic when forwarding requests
    • repro only uses the DUM authenticators for certain requests, such as registrations
  • implement in reTurn