Configuring OpenSER and RADIUS on the Debian server operating system
In this article I will try to describe the configuration of OpenSER and RADIUS.
VoIP service architecture:
Installation:
1. FreeRADIUS server
2. Radiusclient (radiusclient-ng)
3. OpenSER 1.3
apt-get install freeradius
apt-get install libradiusclient-ng2 libradiusclient-ng-dev
apt-get install openser openser-radius-modules
Description of the OpenSER dictionary configuration:
OpenSER ships with a RADIUS dictionary that is needed for communicating with the FreeRADIUS server. By default it is stored in /etc/openser/dictionary.radius. All SIP methods need to be enabled in this file. An overview of these methods is given in the following configuration file:
#### Attributes ###
ATTRIBUTE Sip-Method 101 integer # Schulzrinne, acc
ATTRIBUTE Sip-Response-Code 102 integer # Schulzrinne, acc
ATTRIBUTE Sip-Cseq 103 string # Schulzrinne, acc
ATTRIBUTE Sip-To-Tag 104 string # Schulzrinne, acc
ATTRIBUTE Sip-From-Tag 105 string # Schulzrinne, acc
ATTRIBUTE Sip-Translated-Request-URI 107 string # Proprietary, acc
ATTRIBUTE Sip-Src-IP 108 string # Proprietary, acc
ATTRIBUTE Sip-Src-Port 109 string # Proprietary, acc
ATTRIBUTE Digest-Response 206 string # Sterman, auth_radius
ATTRIBUTE Sip-Uri-User 208 string # Proprietary, auth_radius
ATTRIBUTE Sip-Group 211 string # Proprietary, group_radius
ATTRIBUTE Sip-Rpid 213 string # Proprietary, auth_radius
ATTRIBUTE SIP-AVP 225 string # Proprietary, avp_radius
ATTRIBUTE Digest-Realm 1063 string # Sterman, auth_radius
ATTRIBUTE Digest-Nonce 1064 string # Sterman, auth_radius
ATTRIBUTE Digest-Method 1065 string # Sterman, auth_radius
ATTRIBUTE Digest-URI 1066 string # Sterman, auth_radius
ATTRIBUTE Digest-QOP 1067 string # Sterman, auth_radius
ATTRIBUTE Digest-Algorithm 1068 string # Sterman, auth_radius
ATTRIBUTE Digest-Body-Digest 1069 string # Sterman, auth_radius
ATTRIBUTE Digest-CNonce 1070 string # Sterman, auth_radius
ATTRIBUTE Digest-Nonce-Count 1071 string # Sterman, auth_radius
ATTRIBUTE Digest-User-Name 1072 string # Sterman, auth_radius
### Acct-Status-Type Values ###
VALUE Acct-Status-Type Failed 15 # RFC2866, acc
### Service-Type Values ###
VALUE Service-Type Call-Check 10 # RFC2865, uri_radius
VALUE Service-Type Group-Check 12 # Proprietary, group_radius
VALUE Service-Type Sip-Session 15 # Schulzrinne, acc, auth_radius
VALUE Service-Type SIP-Caller-AVPs 30 # Proprietary, avp_radius
VALUE Service-Type SIP-Callee-AVPs 31 # Proprietary, avp_radius
### Sip-Method Values ###
VALUE Sip-Method Undefined 0
VALUE Sip-Method Invite 1
VALUE Sip-Method Cancel 2
VALUE Sip-Method Ack 4
VALUE Sip-Method Bye 8
VALUE Sip-Method Info 16
VALUE Sip-Method Options 32
VALUE Sip-Method Update 64
VALUE Sip-Method Register 128
VALUE Sip-Method Message 256
VALUE Sip-Method Subscribe 512
VALUE Sip-Method Notify 1024
VALUE Sip-Method Prack 2048
VALUE Sip-Method Refer 4096
VALUE Sip-Method Other 8192
VALUE Sip-Method INVITE 1 # Proprietary, acc
VALUE Sip-Method CANCEL 2 # Proprietary, acc
VALUE Sip-Method ACK 4 # Proprietary, acc
VALUE Sip-Method BYE 8 # Proprietary, acc
After editing this file, copy it into the radiusclient directory:
cp /etc/openser/dictionary.radius /etc/radiusclient-ng/dictionary.openser
FreeRADIUS configuration
Configuring the client in FreeRADIUS
FreeRADIUS only allows the OpenSER client to connect through radiusclient. For our OpenSER we set the shared secret and the IP address from which OpenSER connects to FreeRADIUS. In our case OpenSER and FreeRADIUS run on the same server.
Edit the file /etc/freeradius/clients.conf:
client 127.0.0.1 {
secret = testing123
shortname = localhost
}
Configuring the main radiusd.conf file
In the main configuration file, which is also located in /etc/freeradius/, we enable the digest module (by uncommenting the originally commented-out module).
The next step is to uncomment authorization and authentication: we uncomment all the lines where the digest module appears in the authorize and authenticate sections.
Listing of the complete radiusd.conf configuration file:
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
user = freerad
group = freerad
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
#bind_address = localhost
#port = 0
listen {
ipaddr = localhost
port = 0
type = auth
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
# PROXY CONFIGURATION
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
# CLIENTS CONFIGURATION
$INCLUDE ${confdir}/clients.conf
# SNMP CONFIGURATION
snmp = no
$INCLUDE ${confdir}/snmp.conf
# THREAD POOL CONFIGURATION
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
# MODULE CONFIGURATION
modules {
pap {
auto_header = yes
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
shadow = /etc/shadow
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
}
ldap {
server = "ldap.your.domain"
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
edir_account_policy_check=no
timeout = 4
timelimit = 3
net_timeout = 1
}
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
$INCLUDE ${confdir}/sql.conf
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
reply-name = Session-Timeout
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
reply-name = Session-Timeout
sqlmod-inst = sql
key = User-Name
reset = monthly
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
maximum-timeout = 0
}
}
# Instantiation
instantiate {
exec
expr
}
authorize {
preprocess
auth_log
chap
mschap
digest
suffix
eap
files
pap
}
# Authentication.
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
digest
unix
eap
}
# Pre-accounting. Decide which accounting type to use.
preacct {
preprocess
acct_unique
suffix
files
}
# Accounting. Log the accounting data.
accounting {
detail
unix
radutmp
}
session {
radutmp
}
# Post-Authentication
post-auth {
}
pre-proxy {
}
post-proxy {
eap
}
Configuring the FreeRADIUS dictionary file
In this step we add the OpenSER RADIUS dictionary to the FreeRADIUS dictionary.
Edit the file /etc/freeradius/dictionary and add the following line:
$INCLUDE /etc/radiusclient-ng/dictionary.openser
Adding users to the FreeRADIUS database
Edit the file /etc/freeradius/users and add the individual users following this pattern:
uzivatel@p1.sip.uniza.sk User-Password := "test"
Configuring radiusclient-ng
Configuring the main radiusclient.conf file
The main configuration file radiusclient.conf is located in /etc/radiusclient-ng/. Here the authentication server (authserver) and the accounting server (acctserver) must be set:
authserver localhost
acctserver localhost
The remaining settings can be compared against the following listing:
auth_order radius
login_tries 1
login_timeout 60
nologin /etc/nologin
issue /etc/radiusclient-ng/issue
authserver localhost
acctserver localhost
servers /etc/radiusclient-ng/servers
dictionary /etc/radiusclient-ng/dictionary
login_radius /usr/sbin/login.radius
seqfile /var/run/radius.seq
mapfile /etc/radiusclient-ng/port-id-map
default_realm
radius_timeout 10
radius_retries 3
bindaddr localhost
login_local /bin/login
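The clients.conf entry above and the radiusclient-ng configuration describe the two sides of one shared secret: FreeRADIUS reads it from clients.conf, radiusclient-ng reads it from the servers file that radiusclient.conf points at (/etc/radiusclient-ng/servers, one "server secret" pair per line). A mismatch shows up only as silently rejected Access-Requests, and both files hold the secret in cleartext. The following script is an added example, not part of the original article; it checks that the two secrets agree and that the secret-bearing files are not world-readable. The sample files are constructed here and the paths are parameters, so it runs against the live files as well.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the shared secret
# FreeRADIUS expects from the OpenSER host (clients.conf) matches the one
# radiusclient-ng sends (the "servers" file named in radiusclient.conf), and
# that files holding cleartext secrets are not readable by other users.

# Print the secret of the "client <name> { ... }" block in a clients.conf.
clients_conf_secret() {
    # $1 = clients.conf path, $2 = client name/address as written after "client"
    awk -v want="$2" '
        $1 == "client" && $2 == want { inblock = 1; next }
        inblock && $1 == "}"          { inblock = 0 }
        inblock && $1 == "secret"     { print $3; exit }
    ' "$1"
}

# Print the secret for <server> from a radiusclient-ng servers file
# (format assumed here: "server-name secret", "#" starts a comment).
servers_file_secret() {
    awk -v want="$2" '$1 !~ /^#/ && $1 == want { print $2; exit }' "$1"
}

# Prints "ok", "missing" or "mismatch"; returns 0 only when both sides agree.
check_shared_secret() {
    # $1 = clients.conf, $2 = client name, $3 = servers file, $4 = server name
    c=$(clients_conf_secret "$1" "$2")
    s=$(servers_file_secret "$3" "$4")
    if [ -z "$c" ] || [ -z "$s" ]; then echo "missing"; return 2; fi
    if [ "$c" != "$s" ]; then echo "mismatch"; return 1; fi
    echo "ok"
}

# Returns 0 when the file grants no permission bits to "other" (e.g. 600/640).
not_world_readable() {
    mode=$(stat -c '%a' "$1")          # GNU/Debian stat prints e.g. 644
    [ $(( mode % 10 )) -eq 0 ]
}

# ---- constructed sample files, used for the checks below ----
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
# Copy of the clients.conf entry from the article.
cat > "$SAMPLE_DIR/clients.conf" <<'EOF'
client 127.0.0.1 {
	secret = testing123
	shortname = localhost
}
EOF
# Constructed servers file: a matching entry for localhost plus a deliberately
# wrong entry under a second name to exercise the mismatch path.
cat > "$SAMPLE_DIR/servers" <<'EOF'
#Server Name or Client/Server pair   Key
localhost                            testing123
127.0.0.1                            wrongsecret
EOF
chmod 600 "$SAMPLE_DIR/servers"
chmod 644 "$SAMPLE_DIR/clients.conf"

# Stand-alone run against the samples.
check_shared_secret "$SAMPLE_DIR/clients.conf" 127.0.0.1 "$SAMPLE_DIR/servers" localhost
not_world_readable "$SAMPLE_DIR/servers" || echo "servers file is world-readable"

# Against the live files from the article (run as root):
#   check_shared_secret /etc/freeradius/clients.conf 127.0.0.1 \
#                       /etc/radiusclient-ng/servers localhost
#   not_world_readable /etc/radiusclient-ng/servers || echo "servers file is world-readable"
```

The client name is matched exactly as written after `client` in clients.conf, and the server name exactly as written in the `authserver`/`acctserver` lines, so run the check once per name you actually use there.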
Configuring the dictionary file in radiusclient-ng
Add the following line to the file /etc/radiusclient-ng/dictionary:
$INCLUDE /etc/openser/dictionary.radius
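Both daemons now read a copy of the OpenSER dictionary: FreeRADIUS through the $INCLUDE of /etc/radiusclient-ng/dictionary.openser and radiusclient-ng through the $INCLUDE of /etc/openser/dictionary.radius. Because the copy made earlier with cp is not updated automatically, the two can drift apart, and a Digest-* attribute with a different number on each side makes every authentication fail without an obvious error. The script below is an added example, not part of the original article: it compares the ATTRIBUTE numbers of two dictionary files, and it lists the SIP methods that an openser.cfg tests with is_method() but that have no "VALUE Sip-Method" entry (the "all SIP methods must be enabled" requirement from the dictionary section). The dictionary excerpts and the cfg fragment are constructed for the example; $INCLUDE lines are not followed, so pass the included files directly.

```shell
#!/bin/sh
# Added example (not from the original article): consistency checks for the two
# copies of the OpenSER RADIUS dictionary and for the SIP methods used in
# openser.cfg. File paths are parameters; $INCLUDE directives are not followed.

# Print "name number type" for each ATTRIBUTE line of a dictionary, sorted.
dict_attributes() {
    awk '$1 == "ATTRIBUTE" { print $2, $3, $4 }' "$1" | sort
}

# Compare two dictionaries attribute by attribute. Prints one line per
# difference and returns 1 if any was found, 0 when the files agree.
dict_diff() {
    out=$(awk '
        FNR == NR { if ($1 == "ATTRIBUTE") a[$2] = $3 " " $4; next }
        $1 == "ATTRIBUTE" {
            b[$2] = $3 " " $4
            if (!($2 in a))          print $2 ": only in " FILENAME
            else if (a[$2] != b[$2]) print $2 ": " a[$2] " vs " b[$2]
        }
        END { for (n in a) if (!(n in b)) print n ": only in " ARGV[1] }
    ' "$1" "$2")
    if [ -n "$out" ]; then printf '%s\n' "$out"; return 1; fi
    return 0
}

# List the SIP methods that an openser.cfg tests with is_method("A|B") and
# that have no "VALUE Sip-Method <Method>" line in the dictionary
# (case-insensitive, since the dictionary carries both "Invite" and "INVITE").
methods_missing_from_dict() {
    # $1 = openser.cfg, $2 = dictionary
    grep -o 'is_method("[A-Za-z|]*")' "$1" | sed 's/is_method("//; s/")//' |
    tr '|' '\n' | sort -u |
    while read -r m; do
        if ! awk -v want="$m" '
                $1 == "VALUE" && $2 == "Sip-Method" && tolower($3) == tolower(want) { found = 1 }
                END { exit !found }' "$2"; then
            echo "$m"
        fi
    done
}

# ---- constructed samples ----
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
# Excerpt of the dictionary from the article (numbers as printed there).
cat > "$SAMPLE_DIR/dictionary.openser" <<'EOF'
ATTRIBUTE Sip-Method 101 integer # Schulzrinne, acc
ATTRIBUTE Digest-Response 206 string # Sterman, auth_radius
ATTRIBUTE Digest-Realm 1063 string # Sterman, auth_radius
VALUE Sip-Method Invite 1
VALUE Sip-Method Cancel 2
VALUE Sip-Method Ack 4
VALUE Sip-Method Bye 8
VALUE Sip-Method Register 128
EOF
# Constructed stale copy: Digest-Realm renumbered, Digest-Response and the
# Register value missing.
cat > "$SAMPLE_DIR/dictionary.stale" <<'EOF'
ATTRIBUTE Sip-Method 101 integer
ATTRIBUTE Digest-Realm 1064 string
VALUE Sip-Method Invite 1
VALUE Sip-Method Bye 8
EOF
# Fragment of the routing logic from the article's openser.cfg.
cat > "$SAMPLE_DIR/openser.cfg" <<'EOF'
if (is_method("BYE")) { setflag(1); }
if (is_method("CANCEL")) { exit; }
if (!is_method("REGISTER|MESSAGE")) record_route();
if (is_method("INVITE")) { setflag(1); }
EOF

# Stand-alone run against the samples.
dict_diff "$SAMPLE_DIR/dictionary.openser" "$SAMPLE_DIR/dictionary.stale" || echo "dictionaries differ"
methods_missing_from_dict "$SAMPLE_DIR/openser.cfg" "$SAMPLE_DIR/dictionary.stale"

# Against the live files from the article:
#   dict_diff /etc/radiusclient-ng/dictionary.openser /etc/openser/dictionary.radius
#   methods_missing_from_dict /etc/openser/openser.cfg /etc/openser/dictionary.radius
```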
Configuring the main OpenSER configuration file
Below is the complete listing of the configuration file /etc/openser/openser.cfg:
####### Global Parameters #########
debug=3
log_stderror=no
log_facility=LOG_LOCAL0
fork=yes
children=4
/* uncomment to run openser in debug mode */
#debug=6
#fork=no
#log_stderror=yes
listen=udp:158.193.139.189
alias="p1.sip.uniza.sk"
alias="158.193.139.189"
port=5060
####### Modules Section ########
mpath="/usr/lib/openser/modules/"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "mi_fifo.so"
loadmodule "uri.so"
loadmodule "uri_radius.so"
loadmodule "xlog.so"
loadmodule "avpops.so"
loadmodule "auth.so"
loadmodule "auth_radius.so"
loadmodule "group_radius.so"
loadmodule "avp_radius.so"
loadmodule "acc.so"
# ----- mi_fifo params -----
modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo")
# ----- rr params -----
modparam("rr", "enable_full_lr", 1)
modparam("rr", "append_fromtag", 0)
# ----- registrar params -----
modparam("registrar", "method_filtering", 1)
# ----- acc params -----
modparam("acc", "early_media", 1)
modparam("acc", "report_ack", 1)
modparam("acc", "report_cancels", 1)
modparam("acc", "detect_direction", 0)
modparam("acc", "failed_transaction_flag", 3)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 2)
modparam("acc", "radius_flag", 1)
modparam("acc", "radius_missed_flag", 2)
modparam("acc", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
# ----- usrloc params -----
modparam("usrloc", "db_mode", 0)
# -- group_radius params --
modparam("group_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
modparam("group_radius", "use_domain", 1)
# -- auth_radius params --
modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
modparam("auth_radius", "service_type", 15)
# -- avpops params --
modparam("avpops","use_domain",1)
# -- avp_radius params --
modparam("avp_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
modparam("avp_radius", "caller_service_type", 18)
# -- uri_radius params --
modparam("uri_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
modparam("uri_radius", "service_type", 11)
####### Routing Logic ########
# main request routing logic
route{
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        exit;
    }
    if (has_totag()) {
        if (loose_route()) {
            if (is_method("BYE")) {
                log (1, "BYE - STOP ACCOUNTING\n");
                setflag(1); # do accounting ...
                setflag(3); # ... even if the transaction fails
            }
            route(1);
        } else {
            if ( is_method("ACK") ) {
                if ( t_check_trans() ) {
                    t_relay();
                    exit;
                } else {
                    exit;
                }
            }
            sl_send_reply("404","Not here");
        }
        exit;
    }
    if (!method=="OPTIONS")
        setflag(3);
    if (is_method("CANCEL")) {
        log (1, "CANCEL - STOP ACCOUNTING\n");
        if (t_check_trans())
            t_relay();
        exit;
    }
    t_check_trans();
    if (!is_method("REGISTER|MESSAGE"))
        record_route();
    if (is_method("INVITE")) {
        log(1, "INVITE MESSAGE RECEIVED - START ACC\n");
        setflag(1); # do accounting
        setflag(2);
    }
    if (!uri==myself) {
        append_hf("P-hint: outbound\r\n");
        route(1);
    }
    if (is_method("PUBLISH")) {
        sl_send_reply("503", "Service Unavailable");
        exit;
    }
    if (is_method("REGISTER")) {
        if (!radius_www_authorize("p1.sip.uniza.sk")) {
            www_challenge("p1.sip.uniza.sk", "1");
            exit;
        }
        if (!save("location"))
            sl_reply_error();
        exit;
    }
    if ($rU==NULL) {
        # request with no Username in RURI
        sl_send_reply("484","Address Incomplete");
        exit;
    }
    if (!lookup("location")) {
        switch ($retcode) {
            case -1:
            case -3:
                t_newtran();
                t_reply("404", "Not Found");
                exit;
            case -2:
                sl_send_reply("405", "Method Not Allowed");
                exit;
        }
    }
    setflag(2);
    route(1);
}
route[1] {
    if (is_method("INVITE")) {
        t_on_branch("2");
        t_on_reply("2");
        t_on_failure("1");
    }
    if (!t_relay()) {
        sl_reply_error();
    };
    exit;
}
branch_route[2] {
    xlog("new branch at $ru\n");
}
onreply_route[2] {
    xlog("incoming reply\n");
}
failure_route[1] {
    if (t_was_cancelled()) {
        exit;
    }
}
Starting the individual programs
/etc/init.d/freeradius start
/etc/init.d/openser start
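After both init scripts have run, the quickest confirmation that the setup matches the configuration is to look at the UDP sockets: FreeRADIUS should be listening for authentication and accounting (UDP 1812 and 1813, the defaults implied by `port = 0` in radiusd.conf) on 127.0.0.1 only, since clients.conf admits only that address, and OpenSER should be on the `listen=` address and port 5060. The script below is an added example, not part of the original article: it parses saved `netstat -lun` output, reports any of those sockets that is missing, and flags a RADIUS socket that is reachable beyond loopback. The netstat samples are constructed; the SIP address is the one from the article's `listen=` line.

```shell
#!/bin/sh
# Added example (not from the original article): post-start check of the UDP
# sockets that FreeRADIUS and OpenSER should own, run on saved `netstat -lun`
# output so it can be exercised against constructed samples too.

SIP_ADDR=158.193.139.189     # from the article's listen= line
SIP_PORT=5060
RADIUS_ADDR=127.0.0.1        # clients.conf only admits this address

# Read `netstat -lun` output on stdin; print "address port" per UDP socket.
udp_listeners() {
    awk '$1 ~ /^udp/ {
        port = $4; sub(/.*:/, "", port)
        addr = $4; sub(/:[0-9]+$/, "", addr)
        print addr, port
    }'
}

# Returns 0 if a UDP socket bound to exactly "$3:$2" appears in file $1.
expect_udp() {
    udp_listeners < "$1" | grep -qxF "$3 $2"
}

# Print RADIUS auth/acct sockets bound to anything other than $RADIUS_ADDR.
radius_exposed() {
    udp_listeners < "$1" | awk -v ok="$RADIUS_ADDR" '($2 == 1812 || $2 == 1813) && $1 != ok'
}

# Report every problem found in the saved netstat output $1; return 1 if any.
post_start_check() {
    rc=0
    expect_udp "$1" 1812 "$RADIUS_ADDR" || { echo "RADIUS auth (1812) not listening on $RADIUS_ADDR"; rc=1; }
    expect_udp "$1" 1813 "$RADIUS_ADDR" || { echo "RADIUS acct (1813) not listening on $RADIUS_ADDR"; rc=1; }
    expect_udp "$1" "$SIP_PORT" "$SIP_ADDR" || { echo "OpenSER not listening on $SIP_ADDR:$SIP_PORT"; rc=1; }
    exposed=$(radius_exposed "$1")
    [ -z "$exposed" ] || { echo "RADIUS reachable beyond loopback: $exposed"; rc=1; }
    return $rc
}

# ---- constructed netstat samples ----
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/netstat.ok" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 127.0.0.1:1812          0.0.0.0:*
udp        0      0 127.0.0.1:1813          0.0.0.0:*
udp        0      0 158.193.139.189:5060    0.0.0.0:*
EOF
# Accounting not started and RADIUS auth bound to all interfaces.
cat > "$SAMPLE_DIR/netstat.exposed" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:1812            0.0.0.0:*
udp        0      0 158.193.139.189:5060    0.0.0.0:*
EOF

# Stand-alone run against the samples.
post_start_check "$SAMPLE_DIR/netstat.ok" && echo "sample ok: all sockets as expected"
post_start_check "$SAMPLE_DIR/netstat.exposed" || echo "sample exposed: problems above"

# On the live host, after the init scripts:
#   netstat -lun > /tmp/netstat.out && post_start_check /tmp/netstat.out
```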
Conclusion
I would like to thank Ing. Brunck, who kindly helped to solve the problems encountered while configuring and getting RADIUS and OpenSER up and running.