mod_rad_auth
About
Module rad_auth does only RADIUS authentication (and not the accounting).
The truly magic thing about the rad_auth is that you can specify your own list of VSAs (Vendor-Specific Attributes) to be included in the packet along with the standard ones that are being used.
name: just a description
value: direct input or variable
pec: vendor ID (0 for default, 9 for cisco...)
expr: 0 - direct input (string), 1 - channel variable
direction: in for radius-request, out for radius-response
VSA mappings can be used to specify additional VSA list in both radius request and radius response messages.
Including an additional VSA in a radius request message looks like this:
<param name="Calling-Station-Id" id="31" value="CALLINGNUMBER" pec="0" expr="1" direction="in"/>
or
<param name="Calling-Station-Id" id="31" value="16094191500" pec="0" expr="0" direction="in"/>
CALLINGNUMBER is a channel variable you can re-use later in the dialplan.
Extracting VSA of your interest from a radius response message looks like this:
<param name="lang" id="107" value="PREFFERED_LANG" pec="9" expr="0" direction="out"/>
Here you map VSA with vendor_id=9 and id=110 into a channel variable called PREFFERED_LANG so you can use it later in dialplan to play the correct language for instance.
1) To install the module you have to install freeradius-client first.
Go to http://freeradius.org/freeradius-client/ and download the package:
$ cd ~/build
$ wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-client-1.1.6.tar.bz2
$ tar jxf freeradius-client-1.1.6.tar.bz2
$ cd freeradius-client-1.1.6
$ ./configure
$ make
$ sudo make install
(or $ sudo checkinstall) Checkinstall will create and install a nice Debian package for you, otherwise you may use a traditional make install.
run ldconfig as root to update the shared libs links:
ldconfig -v | grep radius
hash -r
2) Go to FreeSWITCH source directory and edit the modules.conf
append applications/mod_rad_auth to the end
$ cd src/mod/applications/mod_rad_auth/
$ make
$ make install
or simply:
$ make mod_rad_auth-install
3) Run Freeswitch and verify that module is installed.
freeswitch> load mod_rad_auth
Here an example on how to use RADIUS for authentication:
<configuration name="rad_auth.conf" description="radius authentification module">
<settings>
<!-- backward compatibility to allow radiusclient config file instead of an embedded config -->
<!-- <param name="radius_config" value="/usr/local/etc/radiusclient/radiusclient.conf"/> -->
</settings>
<client>
<param name="authserver" value="10.1.1.10:1812:gateway"/>
<param name="dictionary" value="/usr/local/etc/radiusclient/dictionary.all"/>
<param name="seqfile" value="/var/run/radius.seq"/>
<param name="mapfile" value="/usr/local/etc/radiusclient/port-id-map"/>
<param name="default_realm" value=""/>
<param name="radius_timeout" value="3"/>
<param name="radius_retries" value="2"/>
<param name="radius_deadtime" value="0"/>
<param name="bindaddr" value="*"/>
</client>
<vsas>
<!--
name: just a description
value: direct input or variable
pec: vendor ID (0 for default, 9 for cisco...)
expr: 0 - direct input (string), 1 - channel variable
direction: in for radius-request, out for radius-response
-->
<!-- mappings for radius request message; input attributes -->
<param name="h323-conf-id" id="24" value="CALLID" pec="9" expr="1" direction="in"/>
<param name="h323-prompt-id" id="104" value="SERVICENUM" pec="9" expr="1" direction="in"/>
<param name="Cisco-AVPair" id="1" value="TRANSACTIONID" pec="9" expr="1" direction="in"/>
<param name="Calling-Station-Id" id="31" value="CALLINGNUMBER" pec="0" expr="1" direction="in"/>
<param name="NAS-Port-Type" id="61" value="0" pec="0" expr="0" direction="in"/>
<param name="NAS-Port-Id" id="87" value="ISDN 3/0:D:14" pec="0" expr="0" direction="in"/>
<param name="Login-User" id="1" value="1" pec="0" expr="0" direction="in"/>
<!-- mappings for radius-response message; output values from returning outributes -->
<param name="BILING_MODEL" id="109" value="billing_model" pec="9" expr="0" direction="out"/>
<param name="CREDIT_AMOUNT" id="101" value="credit_amount" pec="9" expr="0" direction="out"/>
<param name="CURRENCY" id="110" value="currency" pec="9" expr="0" direction="out"/>
<param name="PREFFERED_LANG" id="107" value="preffered_lang" pec="9" expr="0" direction="out"/>
<param name="CREDIT_TIME" id="102" value="credit_time" pec="9" expr="0" direction="out"/>
<param name="H323-IVR-IN:DIRATION" id="1" value="h323_ivr_duration" pec="9" expr="0" direction="out"/>
<param name="RADIUS_RETURN_CODE" id="103" value="return_code" pec="9" expr="0" direction="out"/>
<!-- expr param is to be ignored here-->
</vsas>
</configuration>
In the dialplan you need to trigger auth as:
<action application="auth_function" data="in ${DIALED_NUMBER}, in ${USERNAME}, in ${PASSWD}, out AUTH_RESULT"/>
There are two behaviors:
- authorize the call according to username&pass and dialed number - if authorized, the radius server returns credit time towards the dialed number.
- authorize the call according to username&pass - if authorized, the radius server returns the current account balance.
For example, you may use the credit time for scheduled hangup of call:
<action application="log" data="INFO credit_time=${credit_time}"/>
<action application="sched_hangup" data="+${credit_time:17:-1} ${Core-UUID}"/>
<extension name="unitest_rad-ANI-auth">
<condition field="destination_number" expression="^601$">
<action application="log" data="INFO Before Auth "/>
<action inline="true" application="set" data="CALLID=h323-conf-id=${uuid}"/>
<action inline="true" application="set" data="SERVICENUM=h323-prompt-id=${destination_number}"/>
<action inline="true" application="set" data="TRANSACTIONID=h323-ivr-out=transactionID:1234"/>
<!-- <action inline="true" application="set" data="CALLINGNUMBER=${caller_id_number}"/> -->
<action inline="true" application="set" data="CALLINGNUMBER=38516060333"/>
<action inline="true" application="set" data="USERNAME=38516060333"/>
<!-- <action inline="true" application="set" data="USERNAME=209354"/> -->
<action inline="true" application="set" data="PASSWD=003282"/>
<!-- <action inline="true" application="set" data="DIALED_NUMBER=16094191500"/> -->
<action application="sleep" data="2000"/>
<action application="auth_function" data="in ${DIALED_NUMBER}, in ${USERNAME}, in ${PASSWD}, out AUTH_RESULT"/>
<action application="log" data="INFO AUTH_RESULT=${AUTH_RESULT}"/>
<action application="log" data="INFO billing_model=${billing_model}"/>
<action application="log" data="INFO credit_amount=${credit_amount}"/>
<action application="log" data="INFO currency=${currency}"/>
<action application="log" data="INFO preffered_lang=${preffered_lang}"/>
<action application="log" data="INFO credit_time=${credit_time}"/>
<action application="log" data="INFO h323_ivr_duration=${h323_ivr_duration}"/>
<action application="log" data="INFO return_code=${return_code}"/>
<!-- <action application="execute_extension" data="AUTH XML default"/> -->
</condition>
</extension>
<extension name="unitest_rad-ANI-balance">
<condition field="destination_number" expression="^602$">
<action application="log" data="INFO PRIJE RAD_AUTH "/>
<action inline="true" application="set" data="CALLID=h323-conf-id=${uuid}"/>
<action inline="true" application="set" data="SERVICENUM=h323-prompt-id=${destination_number}"/>
<action inline="true" application="set" data="TRANSACTIONID=h323-ivr-out=transactionID:1234"/>
<!-- <action inline="true" application="set" data="CALLINGNUMBER=${caller_id_number}"/> -->
<action inline="true" application="set" data="CALLINGNUMBER=38516060333"/>
<action inline="true" application="set" data="USERNAME=38516060333"/>
<!-- <action inline="true" application="set" data="USERNAME=209354"/> -->
<action inline="true" application="set" data="PASSWD=003282"/>
<action inline="true" application="set" data="DIALED_NUMBER=16094191500"/>
<action application="sleep" data="2000"/>
<action application="auth_function" data="in ${DIALED_NUMBER}, in ${USERNAME}, in ${PASSWD}, out AUTH_RESULT"/>
<action application="log" data="INFO AUTH_RESULT=${AUTH_RESULT}"/>
<action application="log" data="INFO billing_model=${billing_model}"/>
<action application="log" data="INFO credit_amount=${credit_amount}"/>
<action application="log" data="INFO currency=${currency}"/>
<action application="log" data="INFO preffered_lang=${preffered_lang}"/>
<action application="log" data="INFO credit_time=${credit_time}"/>
<action application="log" data="INFO h323_ivr_duration=${h323_ivr_duration}"/>
<action application="log" data="INFO return_code=${return_code}"/>
<!-- <action application="execute_extension" data="AUTH XML default"/> -->
</condition>
</extension>