Ricardo Carvalho
2007-Feb-19 06:53 UTC
[asterisk-users] Asterisk with Radius users authentication
Dear all,

I've searched the web about Asterisk with Radius integration for user authentication, and got a bit confused...
I see that there has been some work around it: there is PortaOne's Radius client patch, a still-open branch of the Digium Issue Tracker "SIP peer authentication on an external database (RADIUS - LDAP)", etc. Although, none of these seems to give me the confidence to implement it in a production environment...

What do you people recommend? Which Asterisk+Radius solution should, in your opinion, be the best choice? Does Asterisk 1.4 already implement it properly?

Thanks in advance,
Ricardo.

Ricardo Carvalho wrote:
> Dear all,
>
> I've searched the web about Asterisk with Radius integration for user
> authentication, and got a bit confused...
> I see that there has been some work around it: there is PortaOne's
> Radius client patch, a still-open branch of the Digium Issue Tracker "SIP
> peer authentication on an external database (RADIUS - LDAP)", etc.
> Although, none of these seems to give me the confidence to implement it
> in a production environment...
>
> What do you people recommend? Which Asterisk+Radius solution should,
> in your opinion, be the best choice? Does Asterisk 1.4 already implement
> it properly?
>
>
> Thanks in advance,
> Ricardo.

Here is a mock-up of what I used to hook up to a Radius server, with Porta's patch. It worked quite well for us. I haven't used it in 2 years or so, can't remember much :). I think we got it to work by seeing the debug (set it in /etc/asterisk/logger.conf) and seeing what values were getting sent and received.

;exten => _X.,1,SetVar(RADIUS_Server=x.x.x.x)
exten => _X.,2,SetVar(RADIUS_Secret=secret)
exten => _X.,3,SetVar(NAS_IP_Address=x.x.x.x)
exten => _X.,4,SetVar(CALLERID=${CALLERIDNUM})
exten => _X.,5,SetVar(DNID=${EXTEN})
;
; Set account to authorize by
; It can be a prepaid calling card PIN, ANI, or SIP ID depending on your application
;
;exten => _X.,6,SetAccount(${CALLERIDNUM})
exten => _X.,6,SetAccount(${CALLERIDNAME})
;
; RADIUS Authorize
; Called as: agi-rad-auth.pl|parameter1=value1&parameter2=value2&parameter3=value3
; Possible parameters:
;   Routing=XXX           will send h323-ivr-out = 'PortaBilling_Routing:XXX' attribute (XXX is usually SIP)
;   AuthorizeBy=SIP       requires SIPGetHeader(SIP_Authorization=Proxy-Authorization) first + externalauth=yes in sip.conf
;   AuthorizeBy=Account   requires SetAccount(<username>) first
;   Password=Password     optional and may be used together with AuthorizeBy=Account
;   IfFailed=DoNotHangup  optional, used for custom authentication error processing, i.e. IVR
;
;
exten => _X.,7,agi,agi-rad-auth.pl|AuthorizeBy=Account&Password=${CALLERIDNUM}&IfFailed=DoNotHangup
;exten => _X.,7,agi,agi-rad-auth.pl|AuthorizeBy=Account&Password=Account&IfFailed=DoNotHangup
;exten => _X.,7,agi,agi-rad-auth.pl|AuthorizeBy=Account&IfFailed=DoNotHangup
;
exten => _X.,8,NoOp(${h323-credit-time})
exten => _X.,9,Set(TIMEOUT(absolute)=${h323-credit-time:17})
;exten => _X.,10,AbsoluteTimeout(${h323-credit-time})
exten => _X.,10,Goto(sip-calls,${EXTEN},1)
exten => _X.,11,Hangup
exten => T,1,NoOp(timeout)

--
thanks,
Yusuf
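
An added example, not part of the original post or of PortaOne's patch: the dialplan above passes IfFailed=DoNotHangup and has no check between the AGI call and Goto(sip-calls,...), so the value left in h323-credit-time is the only signal available for deciding whether to place the call. This Python function validates that value and fails closed. Assumptions: the value arrives as `h323-credit-time=<seconds>` (a 17-character prefix, matching the `:17` offset used above), and the function names and the 4-hour ceiling are hypothetical.

```python
import re

# Assumed value format: "h323-credit-time=<seconds>". The prefix is 17
# characters long, which is what the ":17" offset in the dialplan strips.
PREFIX = "h323-credit-time="
MAX_CALL_SECONDS = 4 * 3600  # hypothetical policy ceiling, not from the post


def credit_seconds(raw):
    """Return the permitted call length in seconds, or None to deny the call."""
    if raw is None:
        return None
    value = raw.strip()
    # Fail closed when the expected prefix is missing (empty variable,
    # failed authorization, or an unexpected attribute format).
    if not value.startswith(PREFIX):
        return None
    value = value[len(PREFIX):]
    # ASCII digits only: rejects "", "-5", "1e9", "300; extra" and similar.
    if not re.fullmatch(r"[0-9]{1,9}", value):
        return None
    seconds = int(value)
    if seconds <= 0:
        return None  # no credit left means no call
    return min(seconds, MAX_CALL_SECONDS)


def next_step(raw):
    """Map the validated credit to the dialplan action to take."""
    seconds = credit_seconds(raw)
    if seconds is None:
        return ("Hangup", None)
    return ("Goto", seconds)  # set TIMEOUT(absolute) to `seconds`, then route


if __name__ == "__main__":
    # Constructed sample values, not captured from a real RADIUS server.
    for sample in ["h323-credit-time=300", "", "h323-credit-time=-5",
                   "h323-credit-time=999999", "300"]:
        print(repr(sample), "->", next_step(sample))
```
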