
OpenSer & Radius

Configuring OpenSER and RADIUS on the Debian server operating system

In this article I will try to describe the configuration of OpenSER and RADIUS.

VoIP service architecture:

[Figure: VoIP architecture]

Installation:

1. FreeRadius server

2. Radiusclient

3. Openser 1.3

1. FreeRadius server

apt-get install freeradius

2. Radiusclient

apt-get install libradiusclient-ng2 libradiusclient-ng-dev

3. OpenSer

apt-get install openser openser-radius-modules

Description of the OpenSER dictionary configuration:

The OpenSER installation ships with a RADIUS dictionary that is needed for communication with the FreeRADIUS server. By default it is stored in /etc/openser/dictionary.radius. All SIP methods must be enabled in this file. An overview of these methods is given in the following configuration file:

#### Attributes ###
ATTRIBUTE Sip-Method 101 integer # Schulzrinne, acc
ATTRIBUTE Sip-Response-Code 102 integer # Schulzrinne, acc
ATTRIBUTE Sip-Cseq 103 string # Schulzrinne, acc
ATTRIBUTE Sip-To-Tag 104 string # Schulzrinne, acc
ATTRIBUTE Sip-From-Tag 105 string # Schulzrinne, acc
ATTRIBUTE Sip-Translated-Request-URI 107 string # Proprietary, acc
ATTRIBUTE Sip-Src-IP 108 string # Proprietary, acc
ATTRIBUTE Sip-Src-Port 109 string # Proprietary, acc
ATTRIBUTE Digest-Response 206 string # Sterman, auth_radius
ATTRIBUTE Sip-Uri-User 208 string # Proprietary, auth_radius
ATTRIBUTE Sip-Group 211 string # Proprietary, group_radius
ATTRIBUTE Sip-Rpid 213 string # Proprietary, auth_radius
ATTRIBUTE SIP-AVP 225 string # Proprietary, avp_radius
ATTRIBUTE Digest-Realm 1063 string # Sterman, auth_radius
ATTRIBUTE Digest-Nonce 1064 string # Sterman, auth_radius
ATTRIBUTE Digest-Method 1065 string # Sterman, auth_radius
ATTRIBUTE Digest-URI 1066 string # Sterman, auth_radius
ATTRIBUTE Digest-QOP 1067 string # Sterman, auth_radius
ATTRIBUTE Digest-Algorithm 1068 string # Sterman, auth_radius
ATTRIBUTE Digest-Body-Digest 1069 string # Sterman, auth_radius
ATTRIBUTE Digest-CNonce 1070 string # Sterman, auth_radius
ATTRIBUTE Digest-Nonce-Count 1071 string # Sterman, auth_radius
ATTRIBUTE Digest-User-Name 1072 string # Sterman, auth_radius

### Acct-Status-Type Values ###
VALUE Acct-Status-Type Failed 15 # RFC2866, acc

### Service-Type Values ###
VALUE Service-Type Call-Check 10 # RFC2865, uri_radius
VALUE Service-Type Group-Check 12 # Proprietary, group_radius
VALUE Service-Type Sip-Session 15 # Schulzrinne, acc, auth_radius
VALUE Service-Type SIP-Caller-AVPs 30 # Proprietary, avp_radius
VALUE Service-Type SIP-Callee-AVPs 31 # Proprietary, avp_radius

### Sip-Method Values ###
VALUE Sip-Method Undefined 0
VALUE Sip-Method Invite 1
VALUE Sip-Method Cancel 2
VALUE Sip-Method Ack 4
VALUE Sip-Method Bye 8
VALUE Sip-Method Info 16
VALUE Sip-Method Options 32
VALUE Sip-Method Update 64
VALUE Sip-Method Register 128
VALUE Sip-Method Message 256
VALUE Sip-Method Subscribe 512
VALUE Sip-Method Notify 1024
VALUE Sip-Method Prack 2048
VALUE Sip-Method Refer 4096
VALUE Sip-Method Other 8192

VALUE Sip-Method INVITE 1 # Proprietary, acc
VALUE Sip-Method CANCEL 2 # Proprietary, acc
VALUE Sip-Method ACK 4 # Proprietary, acc
VALUE Sip-Method BYE 8 # Proprietary, acc

After editing this file, copy it into the radiusclient directory:

cp /etc/openser/dictionary.radius /etc/radiusclient-ng/dictionary.openser

FreeRADIUS configuration

Configuring the client in FreeRADIUS

FreeRADIUS only allows an OpenSER client to connect through radiusclient. For the given OpenSER we set the shared secret and the IP address from which OpenSER connects to FreeRADIUS. In our case OpenSER and FreeRADIUS run on the same server.

Edit the file /etc/freeradius/clients.conf:

client 127.0.0.1 {
	secret		= testing123
	shortname	= localhost
}

Configuring the main radiusd.conf file

In the main configuration file, which is also located in /etc/freeradius/, we enable the digest module (by uncommenting the originally commented-out module).

The next step is to uncomment the authorization and authentication: uncomment all the relevant lines in the authorize and authenticate sections.
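The digest module recomputes the SIP Digest response from the Digest-* attributes that OpenSER's auth_radius module puts into the Access-Request (the attributes listed in the dictionary above) and the user's cleartext User-Password from the FreeRADIUS users file. The following Python, added here as an example and not part of the article, performs that check; the sample request is the RFC 2617 known-answer vector mapped onto the RADIUS attribute names.

```python
# Added example (not from the article): how the FreeRADIUS "digest" module
# checks the Digest-Response that OpenSER's auth_radius module sends, using
# the Digest-* RADIUS attributes. RFC 2617 MD5 digest only.
import hashlib
import hmac

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def expected_digest_response(attrs: dict, password: str) -> str:
    """Recompute the response from the Digest-* attributes and the user's
    cleartext password (the User-Password value from the FreeRADIUS users file)."""
    ha1 = _md5(f"{attrs['Digest-User-Name']}:{attrs['Digest-Realm']}:{password}")
    # qop=auth-int (Digest-Body-Digest) is not handled by this example
    ha2 = _md5(f"{attrs['Digest-Method']}:{attrs['Digest-URI']}")
    qop = attrs.get("Digest-QOP")
    if qop == "auth":
        return _md5(":".join([ha1, attrs["Digest-Nonce"], attrs["Digest-Nonce-Count"],
                              attrs["Digest-CNonce"], qop, ha2]))
    if qop is None:
        # RFC 2069 compatibility form: no nonce count and no cnonce
        return _md5(f"{ha1}:{attrs['Digest-Nonce']}:{ha2}")
    raise ValueError(f"unsupported qop {qop!r}")

def verify_digest(attrs: dict, password: str) -> bool:
    """True when the client's Digest-Response matches; compared in constant time."""
    try:
        expected = expected_digest_response(attrs, password)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, attrs.get("Digest-Response", "").lower())

# Known-answer vector from RFC 2617 section 3.5, mapped onto the RADIUS attribute names
RFC2617_EXAMPLE = {
    "Digest-User-Name": "Mufasa",
    "Digest-Realm": "testrealm@host.com",
    "Digest-Nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "Digest-URI": "/dir/index.html",
    "Digest-Method": "GET",
    "Digest-QOP": "auth",
    "Digest-Nonce-Count": "00000001",
    "Digest-CNonce": "0a4f113b",
    "Digest-Response": "6629fae49393a05397450978507c4ef1",
}

if __name__ == "__main__":
    print(verify_digest(RFC2617_EXAMPLE, "Circle Of Life"))  # True
```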

Full listing of the radiusd.conf configuration file:

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius

log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius

pidfile = ${run_dir}/freeradius.pid

user = freerad
group = freerad

max_request_time = 30

delete_blocked_requests = no

cleanup_delay = 5

max_requests = 1024

#bind_address = localhost
#port = 0

listen {
	ipaddr = localhost
	port = 0
	type = auth
}

hostname_lookups = no
allow_core_dumps = no

regular_expressions	= yes
extended_expressions	= yes

log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no

usercollide = no

lower_user = no
lower_pass = no

nospace_user = no
nospace_pass = no

checkrad = ${sbindir}/checkrad

security {
	max_attributes = 200
	reject_delay = 1
	status_server = no
}

# PROXY CONFIGURATION
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf


# CLIENTS CONFIGURATION
$INCLUDE  ${confdir}/clients.conf

# SNMP CONFIGURATION
snmp	= no
$INCLUDE  ${confdir}/snmp.conf

# THREAD POOL CONFIGURATION
thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}

# MODULE CONFIGURATION
modules {
	pap {
		auto_header = yes
	}
	chap {
		authtype = CHAP
	}
	pam {
		pam_auth = radiusd
	}
	unix {
		cache = no
		cache_reload = 600
		shadow = /etc/shadow
		radwtmp = ${logdir}/radwtmp
	}
$INCLUDE ${confdir}/eap.conf
	mschap {
	}
	ldap {
		server = "ldap.your.domain"
		basedn = "o=My Org,c=UA"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		start_tls = no
		access_attr = "dialupAccess"
		dictionary_mapping = ${raddbdir}/ldap.attrmap
		ldap_connections_number = 5
		edir_account_policy_check=no
		timeout = 4
		timelimit = 3
		net_timeout = 1
	}
	realm IPASS {
		format = prefix
		delimiter = "/"
		ignore_default = no
		ignore_null = no
	}
	realm suffix {
		format = suffix
		delimiter = "@"
		ignore_default = no
		ignore_null = no
	}
	realm realmpercent {
		format = suffix
		delimiter = "%"
		ignore_default = no
		ignore_null = no
	}
	realm ntdomain {
		format = prefix
		delimiter = "\\"
		ignore_default = no
		ignore_null = no
	}	
	checkval {
		item-name = Calling-Station-Id
		check-name = Calling-Station-Id
		data-type = string
	}
	preprocess {
		huntgroups = ${confdir}/huntgroups
		hints = ${confdir}/hints
		with_ascend_hack = no
		ascend_channels_per_line = 23
		with_ntdomain_hack = no
		with_specialix_jetstream_hack = no
		with_cisco_vsa_hack = no
	}
	files {
		usersfile = ${confdir}/users
		acctusersfile = ${confdir}/acct_users
		preproxy_usersfile = ${confdir}/preproxy_users
		compat = no
	}
	detail {
		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
		detailperm = 0600
	}
	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
	}
	$INCLUDE  ${confdir}/sql.conf
	radutmp {
		filename = ${logdir}/radutmp
		username = %{User-Name}
		case_sensitive = yes
		check_with_nas = yes		
		perm = 0600
		callerid = "yes"
	}
	radutmp sradutmp {
		filename = ${logdir}/sradutmp
		perm = 0644
		callerid = "no"
	}
	attr_filter {
		attrsfile = ${confdir}/attrs
	}
	counter daily {
		filename = ${raddbdir}/db.daily
		key = User-Name
		count-attribute = Acct-Session-Time
		reset = daily
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		allowed-servicetype = Framed-User
		cache-size = 5000
	}
	sqlcounter dailycounter {
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		reply-name = Session-Timeout
		sqlmod-inst = sql
		key = User-Name
		reset = daily
		query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"

	}

	sqlcounter monthlycounter {
		counter-name = Monthly-Session-Time
		check-name = Max-Monthly-Session
		reply-name = Session-Timeout
		sqlmod-inst = sql
		key = User-Name
		reset = monthly
		query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
	}
	always fail {
		rcode = fail
	}
	always reject {
		rcode = reject
	}
	always ok {
		rcode = ok
		simulcount = 0
		mpp = no
	}
	expr {
	}
	digest {
	}
	exec {
		wait = yes
		input_pairs = request
	}
	exec echo {
		wait = yes
		program = "/bin/echo %{User-Name}"
		input_pairs = request
		output_pairs = reply
	}
	ippool main_pool {
		range-start = 192.168.1.1
		range-stop = 192.168.3.254
		netmask = 255.255.255.0
		cache-size = 800
		session-db = ${raddbdir}/db.ippool
		ip-index = ${raddbdir}/db.ipindex
		override = no
		maximum-timeout = 0
	}
}

# Instantiation
instantiate {
	exec
	expr
}
authorize {
	preprocess
	auth_log
	chap
	mschap
	digest
	suffix
	eap
	files
	pap
}

#  Authentication.
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	digest
	unix
	eap
}

#  Pre-accounting.  Decide which accounting type to use.
preacct {
	preprocess
	acct_unique
	suffix
	files
}

#  Accounting.  Log the accounting data.
accounting {
	detail
	unix
	radutmp
}

session {
	radutmp
}

#  Post-Authentication
post-auth {
}
pre-proxy {
}
post-proxy {
	eap
}

Configuring the FreeRADIUS dictionary file

In this step we add the OpenSER RADIUS dictionary to the FreeRADIUS dictionary.

Edit the file /etc/freeradius/dictionary and add the following line:

$INCLUDE	/etc/radiusclient-ng/dictionary.openser

Adding users to the FreeRADIUS database

Edit the file /etc/freeradius/users and add the individual users following this pattern:

uzivatel@p1.sip.uniza.sk		User-Password := "test"

Configuring radiusclient-ng

Configuring the main radiusclient.conf file

The main configuration file radiusclient.conf is located in /etc/radiusclient-ng/. Here the authentication and accounting servers must be set:

authserver 	localhost
acctserver 	localhost

The remaining settings can be compared with the following listing:

auth_order	radius
login_tries	1
login_timeout	60
nologin /etc/nologin
issue	/etc/radiusclient-ng/issue
authserver 	localhost
acctserver localhost
servers /etc/radiusclient-ng/servers
dictionary /etc/radiusclient-ng/dictionary
login_radius /usr/sbin/login.radius
seqfile /var/run/radius.seq
mapfile /etc/radiusclient-ng/port-id-map
default_realm
radius_timeout 10
radius_retries 3
bindaddr localhost
login_local /bin/login

Configuring the dictionary file in radiusclient-ng

Add the following line to the file /etc/radiusclient-ng/dictionary:

$INCLUDE /etc/openser/dictionary.radius

Configuring the main OpenSER configuration file

Below is the complete listing of the configuration file /etc/openser/openser.cfg:

####### Global Parameters #########

debug=3
log_stderror=no
log_facility=LOG_LOCAL0

fork=yes
children=4

/* uncomment to run openser in debugging mode */
#debug=6
#fork=no
#log_stderror=yes

listen=udp:158.193.139.189
alias="p1.sip.uniza.sk"
alias="158.193.139.189"
port=5060

####### Modules Section ########

mpath="/usr/lib/openser/modules/"

loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "mi_fifo.so"
loadmodule "uri.so"
loadmodule "uri_radius.so"
loadmodule "xlog.so"
loadmodule "avpops.so"
loadmodule "auth.so"
loadmodule "auth_radius.so"
loadmodule "group_radius.so"
loadmodule "avp_radius.so"
loadmodule "acc.so"

# ----- mi_fifo params -----
modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo")

# ----- rr params -----
modparam("rr", "enable_full_lr", 1)
modparam("rr", "append_fromtag", 0)

# ----- registrar params -----
modparam("registrar", "method_filtering", 1)

# ----- acc params -----
modparam("acc", "early_media", 1)
modparam("acc", "report_ack", 1)
modparam("acc", "report_cancels", 1)
modparam("acc", "detect_direction", 0)
modparam("acc", "failed_transaction_flag", 3)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 2)
modparam("acc", "radius_flag", 1)
modparam("acc", "radius_missed_flag", 2)
modparam("acc", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")

# ----- usrloc params -----
modparam("usrloc", "db_mode", 0)

# -- group_radius params --
modparam("group_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
modparam("group_radius", "use_domain", 1)

# -- auth_radius params --
modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
modparam("auth_radius", "service_type", 15)

# -- avpops params --
modparam("avpops","use_domain",1)

# -- avp_radius params --
modparam("avp_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
modparam("avp_radius", "caller_service_type", 18)

# -- uri_radius params --
modparam("uri_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
modparam("uri_radius", "service_type", 11)

####### Routing Logic ########

# main request routing logic
route{
	if (!mf_process_maxfwd_header("10")) {
		sl_send_reply("483","Too Many Hops");
		exit;
	}

	if (has_totag()) {
		if (loose_route()) {
			if (is_method("BYE")) {
				log (1, "BYE - STOP ACCOUNTING\n");
				setflag(1); # do accounting ...
				setflag(3); # ... even if the transaction fails
			}
			route(1);
		} else {
			if ( is_method("ACK") ) {
				if ( t_check_trans() ) {
					t_relay();
					exit;
				} else {
					exit;
				}
			}
			sl_send_reply("404","Not here");
		}
		exit;
	}

	if (!method=="OPTIONS")
		setflag(3);

	if (is_method("CANCEL")) {
		log (1, "CANCEL - STOP ACCOUNTING\n");
		if (t_check_trans())
			t_relay();
		exit;
	}

	t_check_trans();

	if (!is_method("REGISTER|MESSAGE"))
		record_route();

	if (is_method("INVITE")) {
		log(1, "INVITE MESSAGE RECEIVED - START ACC\n");
		setflag(1); # do accounting
		setflag(2);
	}

	if (!uri==myself) {
		append_hf("P-hint: outbound\r\n");
		route(1);
	}

	if (is_method("PUBLISH")) {
		sl_send_reply("503", "Service Unavailable");
		exit;
	}

	if (is_method("REGISTER")) {
		if (!radius_www_authorize("p1.sip.uniza.sk")) {
			www_challenge("p1.sip.uniza.sk", "1");
			exit;
		}
		if (!save("location"))
			sl_reply_error();
		exit;
	}

	if ($rU==NULL) {
		# request with no Username in RURI
		sl_send_reply("484","Address Incomplete");
		exit;
	}

	if (!lookup("location")) {
		switch ($retcode) {
			case -1:
			case -3:
				t_newtran();
				t_reply("404", "Not Found");
				exit;
			case -2:
				sl_send_reply("405", "Method Not Allowed");
				exit;
		}
	}

	setflag(2);
	route(1);
}

route[1] {
	if (is_method("INVITE")) {
		t_on_branch("2");
		t_on_reply("2");
		t_on_failure("1");
	}
	if (!t_relay()) {
		sl_reply_error();
	};
	exit;
}

branch_route[2] {
	xlog("new branch at $ru\n");
}

onreply_route[2] {
	xlog("incoming reply\n");
}

failure_route[1] {
	if (t_was_cancelled()) {
		exit;
	}
}
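The RADIUS modules in openser.cfg identify each kind of request to FreeRADIUS by a numeric Service-Type, and FreeRADIUS only understands that number if the shared dictionary gives it a VALUE name. The following Python, added here as an example and not part of the article, parses the dictionary format shown earlier and cross-checks the service_type numbers from the openser.cfg modparams against the Service-Type names; the embedded dictionary and config excerpts are constructed from this article's listings, and the check reports any number the dictionary does not name.

```python
# Added example (not from the article): parse OpenSER's RADIUS dictionary
# (ATTRIBUTE / VALUE lines) and check that every service_type number set in
# openser.cfg resolves to a named Service-Type VALUE in that dictionary.
import re

# Constructed excerpt of /etc/openser/dictionary.radius (same format as the full file)
DICTIONARY = """\
ATTRIBUTE Sip-Method 101 integer # Schulzrinne, acc
VALUE Service-Type Call-Check 10 # RFC2865, uri_radius
VALUE Service-Type Group-Check 12 # Proprietary, group_radius
VALUE Service-Type Sip-Session 15 # Schulzrinne, acc, auth_radius
VALUE Service-Type SIP-Caller-AVPs 30 # Proprietary, avp_radius
VALUE Sip-Method Invite 1
VALUE Sip-Method Bye 8
"""

# Constructed excerpt of openser.cfg: only the service_type modparams matter here
OPENSER_CFG = """\
modparam("auth_radius", "service_type", 15)
modparam("avp_radius", "caller_service_type", 18)
modparam("uri_radius", "service_type", 11)
"""

def parse_dictionary(text):
    """Return ({attr: (number, type)}, {attr: {number: value_name}}); '#' starts a comment."""
    attrs, values = {}, {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "ATTRIBUTE" and len(fields) >= 4:
            attrs[fields[1]] = (int(fields[2]), fields[3])
        elif fields[0] == "VALUE" and len(fields) >= 4:
            values.setdefault(fields[1], {})[int(fields[3])] = fields[2]
    return attrs, values

MODPARAM_RE = re.compile(r'modparam\("(\w+)",\s*"(\w*service_type)",\s*(\d+)\)')

def check_service_types(cfg_text, values):
    """Map each (module, parameter) to the dictionary name of its Service-Type
    number, or None when the dictionary defines no VALUE for that number."""
    names = values.get("Service-Type", {})
    return {(m.group(1), m.group(2)): names.get(int(m.group(3)))
            for m in MODPARAM_RE.finditer(cfg_text)}

if __name__ == "__main__":
    _, vals = parse_dictionary(DICTIONARY)
    for key, name in check_service_types(OPENSER_CFG, vals).items():
        print(key, name or "NOT IN DICTIONARY")
```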

Starting the individual programs

/etc/init.d/freeradius start

openser

Conclusion

I would like to thank Ing. Brunck, who kindly helped in solving the problems with configuring and getting RADIUS and OpenSER running.
