Configuring OpenSER and RADIUS on a Debian server
In this article I will try to describe the configuration of OpenSER and RADIUS.
VoIP service architecture:
Installation:
1. FreeRADIUS server
2. Radiusclient (radiusclient-ng)
3. OpenSER 1.3
apt-get install freeradius
apt-get install libradiusclient-ng2 libradiusclient-ng-dev
apt-get install openser openser-radius-modules
OpenSER RADIUS dictionary
The OpenSER installation ships a RADIUS dictionary that is needed for communication with the FreeRADIUS server. By default it is stored in /etc/openser/dictionary.radius. All SIP methods must be enabled in this file; the attributes and values it has to contain are listed below (the numbers in the 1063..1072 range are the FreeRADIUS-internal identifiers of the Sterman digest sub-attributes, which is why the same file is later handed to both sides):
#### Attributes ###
ATTRIBUTE Sip-Method                  101  integer # Schulzrinne, acc
ATTRIBUTE Sip-Response-Code           102  integer # Schulzrinne, acc
ATTRIBUTE Sip-Cseq                    103  string  # Schulzrinne, acc
ATTRIBUTE Sip-To-Tag                  104  string  # Schulzrinne, acc
ATTRIBUTE Sip-From-Tag                105  string  # Schulzrinne, acc
ATTRIBUTE Sip-Translated-Request-URI  107  string  # Proprietary, acc
ATTRIBUTE Sip-Src-IP                  108  string  # Proprietary, acc
ATTRIBUTE Sip-Src-Port                109  string  # Proprietary, acc
ATTRIBUTE Digest-Response             206  string  # Sterman, auth_radius
ATTRIBUTE Sip-Uri-User                208  string  # Proprietary, auth_radius
ATTRIBUTE Sip-Group                   211  string  # Proprietary, group_radius
ATTRIBUTE Sip-Rpid                    213  string  # Proprietary, auth_radius
ATTRIBUTE SIP-AVP                     225  string  # Proprietary, avp_radius
ATTRIBUTE Digest-Realm               1063  string  # Sterman, auth_radius
ATTRIBUTE Digest-Nonce               1064  string  # Sterman, auth_radius
ATTRIBUTE Digest-Method              1065  string  # Sterman, auth_radius
ATTRIBUTE Digest-URI                 1066  string  # Sterman, auth_radius
ATTRIBUTE Digest-QOP                 1067  string  # Sterman, auth_radius
ATTRIBUTE Digest-Algorithm           1068  string  # Sterman, auth_radius
ATTRIBUTE Digest-Body-Digest         1069  string  # Sterman, auth_radius
ATTRIBUTE Digest-CNonce              1070  string  # Sterman, auth_radius
ATTRIBUTE Digest-Nonce-Count         1071  string  # Sterman, auth_radius
ATTRIBUTE Digest-User-Name           1072  string  # Sterman, auth_radius

### Acct-Status-Type Values ###
VALUE Acct-Status-Type Failed 15 # RFC2866, acc

### Service-Type Values ###
VALUE Service-Type Call-Check       10 # RFC2865, uri_radius
VALUE Service-Type Group-Check      12 # Proprietary, group_radius
VALUE Service-Type Sip-Session      15 # Schulzrinne, acc, auth_radius
VALUE Service-Type SIP-Caller-AVPs  30 # Proprietary, avp_radius
VALUE Service-Type SIP-Callee-AVPs  31 # Proprietary, avp_radius

### Sip-Method Values ###
VALUE Sip-Method Undefined    0
VALUE Sip-Method Invite       1
VALUE Sip-Method Cancel       2
VALUE Sip-Method Ack          4
VALUE Sip-Method Bye          8
VALUE Sip-Method Info        16
VALUE Sip-Method Options     32
VALUE Sip-Method Update      64
VALUE Sip-Method Register   128
VALUE Sip-Method Message    256
VALUE Sip-Method Subscribe  512
VALUE Sip-Method Notify    1024
VALUE Sip-Method Prack     2048
VALUE Sip-Method Refer     4096
VALUE Sip-Method Other     8192
VALUE Sip-Method INVITE       1 # Proprietary, acc
VALUE Sip-Method CANCEL       2 # Proprietary, acc
VALUE Sip-Method ACK          4 # Proprietary, acc
VALUE Sip-Method BYE          8 # Proprietary, acc
After editing this file, copy it into the radiusclient-ng directory:
cp /etc/openser/dictionary.radius /etc/radiusclient-ng/dictionary.openser
Configuring FreeRADIUS
Client configuration in FreeRADIUS
FreeRADIUS only answers requests from clients listed in clients.conf; OpenSER reaches it through the radiusclient-ng library. For our OpenSER we set a shared secret and the IP address from which OpenSER connects to FreeRADIUS. In our case OpenSER and FreeRADIUS run on the same server. Note that testing123 is the well-known sample secret from the FreeRADIUS distribution; use a long random value instead, because this secret is the only thing that authenticates the Access-Accept which lets a REGISTER through (and it must later be entered, unchanged, on the radiusclient-ng side).
Edit the file /etc/freeradius/clients.conf:
client 127.0.0.1 {
    secret    = testing123
    shortname = localhost
}
Configuring the main radiusd.conf file
In the main configuration file, which is also located in /etc/freeradius/, enable the digest module by uncommenting the originally commented-out digest { } entry in the modules section.
The next step is to enable it for authorization and authentication: uncomment the digest line in both the authorize and the authenticate sections. In authorize, rlm_digest sets Auth-Type = Digest when the request carries a Digest-Response; in authenticate it recomputes the response from the stored password and accepts or rejects the request.
Full listing of the radiusd.conf configuration file. Two things to check against your own installation: the authorize section below references auth_log, but the listing shows no detail auth_log { } instance in modules, so either define one or remove that line, otherwise the server will refuse to start because the module is unknown. Also, for a registrar reachable from the Internet, log_auth = yes together with log_auth_badpass = yes is worth turning on so that password guessing against REGISTER shows up in radius.log.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
user = freerad
group = freerad
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
#bind_address = localhost
#port = 0
listen {
    ipaddr = localhost
    port = 0
    type = auth
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}

# PROXY CONFIGURATION
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf

# CLIENTS CONFIGURATION
$INCLUDE ${confdir}/clients.conf

# SNMP CONFIGURATION
snmp = no
$INCLUDE ${confdir}/snmp.conf

# THREAD POOL CONFIGURATION
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

# MODULE CONFIGURATION
modules {
    pap {
        auto_header = yes
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    unix {
        cache = no
        cache_reload = 600
        shadow = /etc/shadow
        radwtmp = ${logdir}/radwtmp
    }
    $INCLUDE ${confdir}/eap.conf
    mschap {
    }
    ldap {
        server = "ldap.your.domain"
        basedn = "o=My Org,c=UA"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        edir_account_policy_check=no
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
    realm IPASS {
        format = prefix
        delimiter = "/"
        ignore_default = no
        ignore_null = no
    }
    realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
    }
    realm realmpercent {
        format = suffix
        delimiter = "%"
        ignore_default = no
        ignore_null = no
    }
    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_default = no
        ignore_null = no
    }
    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
    }
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        preproxy_usersfile = ${confdir}/preproxy_users
        compat = no
    }
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    }
    $INCLUDE ${confdir}/sql.conf
    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = "yes"
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }
    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }
    sqlcounter dailycounter {
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        reply-name = Session-Timeout
        sqlmod-inst = sql
        key = User-Name
        reset = daily
        query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    }
    sqlcounter monthlycounter {
        counter-name = Monthly-Session-Time
        check-name = Max-Monthly-Session
        reply-name = Session-Timeout
        sqlmod-inst = sql
        key = User-Name
        reset = monthly
        query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    }
    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }
    expr {
    }
    digest {
    }
    exec {
        wait = yes
        input_pairs = request
    }
    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }
    ippool main_pool {
        range-start = 192.168.1.1
        range-stop = 192.168.3.254
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
        maximum-timeout = 0
    }
}

# Instantiation
instantiate {
    exec
    expr
}

authorize {
    preprocess
    auth_log
    chap
    mschap
    digest
    suffix
    eap
    files
    pap
}

# Authentication.
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    digest
    unix
    eap
}

# Pre-accounting. Decide which accounting type to use.
preacct {
    preprocess
    acct_unique
    suffix
    files
}

# Accounting. Log the accounting data.
accounting {
    detail
    unix
    radutmp
}

session {
    radutmp
}

# Post-Authentication
post-auth {
}

pre-proxy {
}

post-proxy {
    eap
}
Configuring the FreeRADIUS dictionary file
In this step we add the OpenSER RADIUS dictionary to the FreeRADIUS dictionary, so that the server can decode the Digest-* and Sip-* attributes OpenSER sends.
Edit the file /etc/freeradius/dictionary and add the following line:
$INCLUDE /etc/radiusclient-ng/dictionary.openser
Adding users to the FreeRADIUS users file
Edit the file /etc/freeradius/users and add each user following the pattern below. The user name is user@realm, because auth_radius sends User-Name as the digest username qualified with the realm given to radius_www_authorize(). The password must be stored in clear text (User-Password), since rlm_digest needs it to recompute the MD5 response, so keep this file readable only by the freerad user.
uzivatel@p1.sip.uniza.sk User-Password := "test"
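To make concrete what FreeRADIUS does with such an entry, the following Python script is an added example, not code from the article, OpenSER or FreeRADIUS. It parses a SIP Authorization header into the Digest-* attribute names from dictionary.radius, as auth_radius does before building the Access-Request, and recomputes the digest response from the User-Password the way rlm_digest does when it decides between Access-Accept and Access-Reject. The header, nonce and cnonce values are constructed for the example; the user and realm are the ones from the users entry above.

```python
"""SIP Digest verification as rlm_digest performs it for OpenSER's auth_radius.

Added example. The Authorization header below is constructed; the user,
realm and password are those from the /etc/freeradius/users entry.
"""
import hashlib
import hmac
import re

# Authorization-header parameter -> RADIUS attribute name from dictionary.radius
PARAM_TO_ATTR = {
    "username": "Digest-User-Name",
    "realm": "Digest-Realm",
    "nonce": "Digest-Nonce",
    "uri": "Digest-URI",
    "qop": "Digest-QOP",
    "algorithm": "Digest-Algorithm",
    "cnonce": "Digest-CNonce",
    "nc": "Digest-Nonce-Count",
    "response": "Digest-Response",
}

_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def header_to_attrs(method: str, authorization: str) -> dict:
    """Map 'Digest username="...", realm="..."' onto Digest-* attributes.

    Digest-Method comes from the SIP request line, not from the header,
    so a credential stolen from a REGISTER cannot be replayed on an INVITE."""
    if not authorization.startswith("Digest "):
        raise ValueError("not a Digest credential")
    attrs = {"Digest-Method": method}
    for key, quoted, bare in _PARAM_RE.findall(authorization[len("Digest "):]):
        if key in PARAM_TO_ATTR:
            attrs[PARAM_TO_ATTR[key]] = quoted if quoted else bare
    return attrs


def expected_response(password: str, a: dict) -> str:
    """RFC 2617 response computation, as rlm_digest does it from User-Password."""
    ha1 = md5_hex(f"{a['Digest-User-Name']}:{a['Digest-Realm']}:{password}")
    if a.get("Digest-Algorithm", "MD5").upper() == "MD5-SESS":
        ha1 = md5_hex(f"{ha1}:{a['Digest-Nonce']}:{a['Digest-CNonce']}")
    qop = a.get("Digest-QOP")
    if qop == "auth-int":
        ha2 = md5_hex(f"{a['Digest-Method']}:{a['Digest-URI']}:{a['Digest-Body-Digest']}")
    else:
        ha2 = md5_hex(f"{a['Digest-Method']}:{a['Digest-URI']}")
    if qop:
        return md5_hex(f"{ha1}:{a['Digest-Nonce']}:{a['Digest-Nonce-Count']}:"
                       f"{a['Digest-CNonce']}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{a['Digest-Nonce']}:{ha2}")


def verify(password: str, a: dict) -> bool:
    """True means Access-Accept, False means Access-Reject."""
    try:
        want = expected_response(password, a)
    except KeyError:
        return False  # a required Digest-* attribute is missing
    return hmac.compare_digest(want, a.get("Digest-Response", "").lower())


def build_authorization(username, realm, password, nonce, method, uri, cnonce,
                        nc="00000001"):
    """What the phone sends after www_challenge(realm, "1"), i.e. with qop=auth.
    Used here only to construct the sample credential."""
    a = {"Digest-User-Name": username, "Digest-Realm": realm, "Digest-Nonce": nonce,
         "Digest-Method": method, "Digest-URI": uri, "Digest-QOP": "auth",
         "Digest-CNonce": cnonce, "Digest-Nonce-Count": nc}
    resp = expected_response(password, a)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5, cnonce="{cnonce}", '
            f'qop=auth, nc={nc}')


# Constructed sample: a REGISTER by the user from /etc/freeradius/users.
SAMPLE_HEADER = build_authorization("uzivatel", "p1.sip.uniza.sk", "test",
                                    "4f5d2c1b", "REGISTER",
                                    "sip:p1.sip.uniza.sk", "a1b2c3")

if __name__ == "__main__":
    attrs = header_to_attrs("REGISTER", SAMPLE_HEADER)
    print("correct password:", verify("test", attrs))   # True
    print("wrong password:  ", verify("wrong", attrs))  # False
```

The nonce is supplied by the proxy in the 401 challenge and bounds replay; the qop=auth branch is the one www_challenge(realm, "1") selects in openser.cfg below, the qop-less branch is what "0" would produce.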
Configuring radiusclient-ng
Configuring the main radiusclient.conf file
The main configuration file radiusclient.conf is located in /etc/radiusclient-ng/. Here we set the authentication and accounting server:
authserver localhost
acctserver localhost
The shared secret is not in this file. The servers file it points to (/etc/radiusclient-ng/servers) must contain one line per RADIUS server, the server name followed by the same secret that was set in clients.conf, and it should be readable only by the user OpenSER runs as. The remaining settings can be compared with the following listing:
auth_order radius
login_tries 1
login_timeout 60
nologin /etc/nologin
issue /etc/radiusclient-ng/issue
authserver localhost
acctserver localhost
servers /etc/radiusclient-ng/servers
dictionary /etc/radiusclient-ng/dictionary
login_radius /usr/sbin/login.radius
seqfile /var/run/radius.seq
mapfile /etc/radiusclient-ng/port-id-map
default_realm
radius_timeout 10
radius_retries 3
bindaddr localhost
login_local /bin/login
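What the shared secret from clients.conf and /etc/radiusclient-ng/servers actually buys is easiest to see on the wire. The script below is an added example, not code from the article, radiusclient-ng or FreeRADIUS: it frames an Access-Request the way OpenSER's auth_radius would (User-Name, Service-Type Sip-Session, Digest-Response and the Digest-* fields), answers it with an Access-Accept whose Response Authenticator is keyed with the secret (RFC 2865 section 3), and shows that an Accept forged by someone without the secret fails the client's check. That the Digest-* attributes 1063..1072 travel as sub-attributes of Digest-Attributes (207) with sub-type = number - 1062 is an assumption stated in the code; the packet contents are constructed.

```python
"""RADIUS Access-Request / Access-Accept framing between OpenSER and FreeRADIUS.

Added example. Shows why the shared secret matters: the Response
Authenticator of every reply is MD5 over the reply plus the secret, so a
reply from anyone who does not hold the secret is rejected by the client.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER = struct.Struct(">BBH")          # Code, Identifier, Length
SECRET = b"testing123"                  # the clients.conf value from the article

# RFC 2865 attribute numbers plus those from dictionary.radius
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 4, 6
DIGEST_RESPONSE, DIGEST_ATTRIBUTES = 206, 207
SIP_SESSION = 15                        # VALUE Service-Type Sip-Session 15
# Digest-Realm .. Digest-User-Name (1063..1072) do not fit the one-byte type
# field; they are carried as sub-attributes of Digest-Attributes (207).
# Assumption: sub-type = dictionary number - 1062 (Realm=1 ... User-Name=10).
DIGEST_SUBTYPE_BASE = 1062


def avp(attr_type: int, value) -> bytes:
    """Encode one Type-Length-Value attribute (integers are 32-bit big-endian)."""
    if isinstance(value, int):
        value = struct.pack(">I", value)
    elif isinstance(value, str):
        value = value.encode()
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes((attr_type, len(value) + 2)) + value


def digest_attributes(fields: dict) -> bytes:
    """Pack {dictionary number: value} into a single Digest-Attributes AVP."""
    subs = b"".join(avp(n - DIGEST_SUBTYPE_BASE, v) for n, v in sorted(fields.items()))
    return avp(DIGEST_ATTRIBUTES, subs)


def packet(code: int, ident: int, authenticator: bytes, body: bytes) -> bytes:
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, body, request_auth, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(body))
                       + request_auth + body + secret).digest()


def access_request(ident: int, attrs: list) -> tuple:
    """Client side. The Request Authenticator must be unpredictable: it is the
    per-request value that keys the reply check, so it is returned to the caller."""
    request_auth = os.urandom(16)
    return packet(ACCESS_REQUEST, ident, request_auth, b"".join(attrs)), request_auth


def reply(code: int, request: bytes, secret: bytes, attrs=()) -> bytes:
    """Server side: answer a request with a reply bound to it by the secret."""
    _, ident, _ = HEADER.unpack(request[:4])
    request_auth = request[4:20]
    body = b"".join(attrs)
    auth = response_authenticator(code, ident, body, request_auth, secret)
    return packet(code, ident, auth, body)


def check_reply(reply_pkt: bytes, request_auth: bytes, ident: int, secret: bytes) -> bool:
    """Client side: accept only a reply that answers our outstanding request
    (same Identifier) and whose authenticator was produced with our secret."""
    if len(reply_pkt) < 20:
        return False
    code, rid, length = HEADER.unpack(reply_pkt[:4])
    if length != len(reply_pkt) or rid != ident:
        return False
    want = response_authenticator(code, rid, reply_pkt[20:], request_auth, secret)
    return hmac.compare_digest(want, reply_pkt[4:20])


def demo() -> tuple:
    """Returns (genuine Accept verified, forged Accept verified)."""
    attrs = [                                  # constructed request contents
        avp(USER_NAME, "uzivatel@p1.sip.uniza.sk"),
        avp(SERVICE_TYPE, SIP_SESSION),
        avp(NAS_IP_ADDRESS, bytes([127, 0, 0, 1])),
        avp(DIGEST_RESPONSE, "0" * 32),
        digest_attributes({1063: "p1.sip.uniza.sk", 1065: "REGISTER",
                           1066: "sip:p1.sip.uniza.sk", 1072: "uzivatel"}),
    ]
    req, request_auth = access_request(7, attrs)
    genuine = reply(ACCESS_ACCEPT, req, SECRET)
    forged = reply(ACCESS_ACCEPT, req, b"guess")   # attacker without the secret
    return (check_reply(genuine, request_auth, 7, SECRET),
            check_reply(forged, request_auth, 7, SECRET))


if __name__ == "__main__":
    print("genuine accept ok, forged accept ok:", demo())  # (True, False)
```

Nothing in this exchange is encrypted: User-Name and the digest fields cross the wire in clear, which is why FreeRADIUS is bound to localhost in the radiusd.conf above and why the secret should never be the sample value.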
Configuring the dictionary file in radiusclient-ng
Add the following line to the file /etc/radiusclient-ng/dictionary:
$INCLUDE /etc/openser/dictionary.radius
Configuring the main OpenSER configuration file
Below is the complete listing of the configuration file /etc/openser/openser.cfg. Two things to check before putting it in front of real users. First, only REGISTER is challenged with radius_www_authorize(): an INVITE from a local user is relayed without credentials, and a request whose Request-URI is not one of our aliases (!uri==myself) is forwarded to any domain without credentials, so as written the proxy relays calls for anyone. Second, the Service-Type values 18 (avp_radius caller_service_type) and 11 (uri_radius service_type) match no VALUE line in dictionary.radius, which defines SIP-Caller-AVPs as 30 and Call-Check as 10; neither module is called from the routing block, but if you start using them, align the numbers with the dictionary.
####### Global Parameters #########

debug=3
log_stderror=no
log_facility=LOG_LOCAL0

fork=yes
children=4

/* uncomment to run openser in debug mode */
#debug=6
#fork=no
#log_stderror=yes

listen=udp:158.193.139.189
alias="p1.sip.uniza.sk"
alias="158.193.139.189"
port=5060

####### Modules Section ########

mpath="/usr/lib/openser/modules/"

loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "mi_fifo.so"
loadmodule "uri.so"
loadmodule "uri_radius.so"
loadmodule "xlog.so"
loadmodule "avpops.so"
loadmodule "auth.so"
loadmodule "auth_radius.so"
loadmodule "group_radius.so"
loadmodule "avp_radius.so"
loadmodule "acc.so"

# ----- mi_fifo params -----
modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo")

# ----- rr params -----
modparam("rr", "enable_full_lr", 1)
modparam("rr", "append_fromtag", 0)

# ----- registrar params -----
modparam("registrar", "method_filtering", 1)

# ----- acc params -----
modparam("acc", "early_media", 1)
modparam("acc", "report_ack", 1)
modparam("acc", "report_cancels", 1)
modparam("acc", "detect_direction", 0)
modparam("acc", "failed_transaction_flag", 3)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 2)
modparam("acc", "radius_flag", 1)
modparam("acc", "radius_missed_flag", 2)
modparam("acc", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")

# ----- usrloc params -----
modparam("usrloc", "db_mode", 0)

# -- group_radius params --
modparam("group_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
modparam("group_radius", "use_domain", 1)

# -- auth_radius params --
modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
modparam("auth_radius", "service_type", 15)

# -- avpops params --
modparam("avpops", "use_domain", 1)

# -- avp_radius params --
modparam("avp_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
modparam("avp_radius", "caller_service_type", 18)

# -- uri_radius params --
modparam("uri_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
modparam("uri_radius", "service_type", 11)

####### Routing Logic ########

# main request routing logic
route{
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483", "Too Many Hops");
        exit;
    }

    if (has_totag()) {
        # sequential request within a dialog
        if (loose_route()) {
            if (is_method("BYE")) {
                log(1, "BYE - STOP ACCOUNTING\n");
                setflag(1); # do accounting ...
                setflag(3); # ... even if the transaction fails
            }
            route(1);
        } else {
            if (is_method("ACK")) {
                if (t_check_trans()) {
                    t_relay();
                    exit;
                } else {
                    exit;
                }
            }
            sl_send_reply("404", "Not here");
        }
        exit;
    }

    if (!method=="OPTIONS")
        setflag(3);

    if (is_method("CANCEL")) {
        log(1, "CANCEL - STOP ACCOUNTING\n");
        if (t_check_trans())
            t_relay();
        exit;
    }

    t_check_trans();

    if (!is_method("REGISTER|MESSAGE"))
        record_route();

    if (is_method("INVITE")) {
        log(1, "INVITE MESSAGE RECEIVED - START ACC\n");
        setflag(1); # do accounting
        setflag(2);
    }

    if (!uri==myself) {
        append_hf("P-hint: outbound\r\n");
        route(1);
    }

    if (is_method("PUBLISH")) {
        sl_send_reply("503", "Service Unavailable");
        exit;
    }

    if (is_method("REGISTER")) {
        if (!radius_www_authorize("p1.sip.uniza.sk")) {
            www_challenge("p1.sip.uniza.sk", "1");
            exit;
        }
        if (!save("location"))
            sl_reply_error();
        exit;
    }

    if ($rU==NULL) {
        # request with no Username in RURI
        sl_send_reply("484", "Address Incomplete");
        exit;
    }

    if (!lookup("location")) {
        switch ($retcode) {
            case -1:
            case -3:
                t_newtran();
                t_reply("404", "Not Found");
                exit;
            case -2:
                sl_send_reply("405", "Method Not Allowed");
                exit;
        }
    }

    setflag(2);
    route(1);
}

route[1] {
    if (is_method("INVITE")) {
        t_on_branch("2");
        t_on_reply("2");
        t_on_failure("1");
    }
    if (!t_relay()) {
        sl_reply_error();
    };
    exit;
}

branch_route[2] {
    xlog("new branch at $ru\n");
}

onreply_route[2] {
    xlog("incoming reply\n");
}

failure_route[1] {
    if (t_was_cancelled()) {
        exit;
    }
}
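The following fragment is an added hardening example for the routing block, not part of the original openser.cfg. It replaces the unconditional relay of non-local Request-URIs with a rule that challenges every INVITE claiming to come from our own domain with radius_proxy_authorize() (the proxy-side counterpart of radius_www_authorize(), backed by the same users file), ties the From user to the authenticated digest user via the auth module's $au pseudo-variable, and refuses to relay requests that are neither from nor to p1.sip.uniza.sk. Insert it in place of the existing "if (!uri==myself)" block; the realm name is the one used for REGISTER above.

```cfg
    # Added hardening, not in the original openser.cfg.
    if (is_method("INVITE")) {
        if (from_uri==myself) {
            # the caller claims to be one of our users: make it prove that
            if (!radius_proxy_authorize("p1.sip.uniza.sk")) {
                proxy_challenge("p1.sip.uniza.sk", "1");
                exit;
            }
            # the From user must be the user the credentials belong to
            if ($au != $fU) {
                sl_send_reply("403", "From does not match credentials");
                exit;
            }
            # strip the Proxy-Authorization header before forwarding
            consume_credentials();
        } else if (!uri==myself) {
            # neither from nor to our domain: do not act as an open relay
            sl_send_reply("403", "Relaying Forbidden");
            exit;
        }
    }

    if (!uri==myself) {
        # only authenticated local users reach this point for INVITE
        append_hf("P-hint: outbound\r\n");
        route(1);
    }
```

Inbound calls from other domains to our users still pass, because their Request-URI is one of our aliases and they are never challenged; what changes is that a caller can no longer place outbound or toll calls through the proxy without a valid account, and accounting records now carry a verified identity.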
Starting the individual services
Start FreeRADIUS first, so that the first REGISTER OpenSER receives can be authenticated, then OpenSER:
/etc/init.d/freeradius start
/etc/init.d/openser start
If a REGISTER is rejected, running the server in the foreground with freeradius -X shows the decoded Digest-* attributes and the rlm_digest decision for each request.
Conclusion
I would like to thank Mr. Ing. Brunck, who kindly helped solve the problems encountered while configuring and getting RADIUS and OpenSER to work.