Improving RADIUS Support
Revision as of 12:16, 1 January 2014 by Dpocock (→Current status (up to and including v1.8))
Current status (up to and including the current release)
Currently, RADIUS support is in two places:
- rutil/RADIUSDigestAuthenticator
  - uses radiusclient-ng to do SIP (DIGEST MD5) authentication as per [[1]]
  - works with FreeRADIUS server's rlm_digest module
- resip/dum/RADIUSServerAuthManager
  - uses the code from RADIUSDigestAuthenticator to authenticate SIP clients
Please see our main RADIUS page for details of how to use it.
Eventual improvement
We would also like to use RADIUS for TURN. TURN uses HMAC-SHA1 rather than DIGEST-MD5 and therefore it requires a different module in FreeRADIUS and different attribute/value pairs must be submitted to the RADIUS server.
An initial cut of the FreeRADIUS module already exists: https://github.com/FreeRADIUS/freeradius-server/pull/367. The FreeRADIUS maintainers have suggested some changes to it, but it is sufficient as a proof of concept.
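The two checks side by side, as an added example that is not reSIProcate or FreeRADIUS code: the SIP digest response follows RFC 2617 and the TURN check follows the STUN long-term credential mechanism (RFC 5389). Both start from the same MD5(username:realm:password) value, but the verifier needs different inputs for each, which is why different attribute/value pairs have to reach the RADIUS server. Function names and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac


def ha1(username: str, realm: str, password: str) -> bytes:
    """MD5(username ":" realm ":" password), the secret both schemes derive from.
    RFC 5389 additionally applies SASLprep to the password (no-op for plain ASCII)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def digest_response(ha1_key, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """RFC 2617 digest response (hex). Inputs: method, URI, nonce and qop fields."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    middle = f"{nonce}:{nc}:{cnonce}:{qop}" if qop else nonce
    return hashlib.md5(f"{ha1_key.hex()}:{middle}:{ha2}".encode()).hexdigest()


def turn_message_integrity(ha1_key: bytes, covered: bytes) -> bytes:
    """STUN/TURN MESSAGE-INTEGRITY: HMAC-SHA1 keyed with the raw 16-byte HA1.
    Input: the message bytes that precede the MESSAGE-INTEGRITY attribute."""
    return hmac.new(ha1_key, covered, hashlib.sha1).digest()


def verify_digest(ha1_key: bytes, claimed: str, **fields) -> bool:
    # Constant-time comparison of the recomputed and the received response.
    return hmac.compare_digest(digest_response(ha1_key, **fields), claimed.lower())


def verify_turn(ha1_key: bytes, covered: bytes, claimed: bytes) -> bool:
    return hmac.compare_digest(turn_message_integrity(ha1_key, covered), claimed)


if __name__ == "__main__":
    # Constructed sample credentials and messages, not taken from any real system.
    key = ha1("alice", "example.org", "s3cret")
    sip = dict(method="REGISTER", uri="sip:example.org", nonce="constructed-nonce")
    resp = digest_response(key, **sip)
    print("SIP digest ok:", verify_digest(key, resp, **sip))
    stun = b"constructed bytes standing in for a STUN message"
    mac = turn_message_integrity(key, stun)
    print("TURN HMAC ok:", verify_turn(key, stun, mac), "-", len(mac), "byte MAC")
```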
To achieve this, rutil/RADIUSDigestAuthenticator needs to be split into two parts:
- low level RADIUS wrapper around radiusclient-ng
  - no knowledge of SIP DIGEST
  - wraps the C client code
  - takes AV set as arguments
  - takes RADIUS config filename as argument
  - do lookup, return arbitrary attributes/values
- SIP DIGEST and TURN-HMAC helper classes
  - both classes should leverage the low level code just described
  - based on the existing rutil/RADIUSDigestAuthenticator API perhaps
- adapt resip/dum/RADIUSServerAuthManager to work in repro
  - repro needs a "monkey" that implements similar logic when forwarding requests
  - repro only uses the DUM authenticators for certain requests, such as registrations
- implement in reTurn