Improving RADIUS Support

Current status (up to and including the current release)[edit]

Currently, RADIUS support is in two places:

• rutil/RADIUSDigestAuthenticator
  • uses radiusclient-ng to do SIP (DIGEST MD5) authentication as per [[1]]
  • works with FreeRADIUS server's rlm_digest module
• resip/dum/RADIUSServerAuthManager
  • uses the code from RADIUSDigestAuthenticator to authenticate SIP clients

Please see our main RADIUS page for details of how to use it.

Eventual improvement[edit]

We would also like to use RADIUS for TURN. TURN uses HMAC-SHA1 rather than DIGEST-MD5 and therefore it requires a different module in FreeRADIUS and different attribute/value pairs must be submitted to the RADIUS server.

An initial cut of the FreeRADIUS module already exists, it is called https://github.com/FreeRADIUS/freeradius-server/pull/367. The FreeRADIUS maintainers have suggesting some changes to it, but it is sufficient as a proof of concept.

To achieve this, rutil/RADIUSDigestAuthenticator needs to be split into two parts:

• low level RADIUS wrapper around radiusclient-ng
  • no knowledge of SIP DIGEST
  • wraps the C client code
  • takes AV set as arguments
  • takes RADIUS config filename as argument
  • do lookup, return arbitrary attributes/values
• SIP DIGEST and TURN-HMAC helper classes
  • both classes should leverage the low level code just described
  • based on the existing rutil/RADIUSDigestAuthenticator API perhaps
• adapt resip/dum/RADIUSServerAuthManager to work in repro
  • repro needs a "monkey" that implements similar logic when forwarding requests
  • repro only uses the DUM authenticators for certain requests, such as registrations
• implement in reTurn