mirror of https://github.com/sipwise/kamailio.git
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
247 lines
6.8 KiB
247 lines
6.8 KiB
AUTH_DIAMETER Module
|
|
|
|
Elena-Ramona Modroiu
|
|
|
|
rosdev.ro
|
|
|
|
Edited by
|
|
|
|
Elena-Ramona Modroiu
|
|
|
|
Copyright © 2003, 2004 FhG FOKUS
|
|
__________________________________________________________________
|
|
|
|
Table of Contents
|
|
|
|
1. Admin Guide
|
|
|
|
1. Overview
|
|
2. Dependencies
|
|
|
|
2.1. Kamailio Modules
|
|
2.2. External Libraries or Applications
|
|
|
|
3. Parameters
|
|
|
|
3.1. diameter_client_host (string)
|
|
3.2. diameter_client_port (int)
|
|
3.3. use_domain (int)
|
|
|
|
4. Functions
|
|
|
|
4.1. diameter_www_authorize(realm)
|
|
4.2. diameter_proxy_authorize(realm)
|
|
4.3. diameter_is_user_in(who, group)
|
|
|
|
5. Installation and Running
|
|
|
|
List of Examples
|
|
|
|
1.1. Digest Authentication
|
|
1.2. Set diameter_client_host parameter
|
|
1.3. Set diameter_client_port parameter
|
|
1.4. Set use_domain parameter
|
|
1.5. diameter_www_authorize usage
|
|
1.6. diameter_proxy_authorize usage
|
|
1.7. diameter_is_user_in usage
|
|
|
|
Chapter 1. Admin Guide
|
|
|
|
Table of Contents
|
|
|
|
1. Overview
|
|
2. Dependencies
|
|
|
|
2.1. Kamailio Modules
|
|
2.2. External Libraries or Applications
|
|
|
|
3. Parameters
|
|
|
|
3.1. diameter_client_host (string)
|
|
3.2. diameter_client_port (int)
|
|
3.3. use_domain (int)
|
|
|
|
4. Functions
|
|
|
|
4.1. diameter_www_authorize(realm)
|
|
4.2. diameter_proxy_authorize(realm)
|
|
4.3. diameter_is_user_in(who, group)
|
|
|
|
5. Installation and Running
|
|
|
|
1. Overview
|
|
|
|
This module implements SIP authentication and authorization with
|
|
DIAMETER server, namely DIameter Server Client (DISC).
|
|
|
|
NOTE: diameter support was developed for DISC (DIameter Server Client
|
|
project at http://developer.berlios.de/projects/disc/). This project
|
|
seems to be no longer maintained and DIAMETER specifications were
|
|
updated in the meantime. Thus, the module is obsolete and needs rework
|
|
to be usable with opendiameter or other DIAMETER servers.
|
|
|
|
The digest authentication mechanism is presented in next figure.
|
|
|
|
Example 1.1. Digest Authentication
|
|
...
|
|
a) First phase of Digest Authentication for SIP:
|
|
|
|
|
|
+----+ SIP INVITE +=====+ DIAMETER +------+ +------+
|
|
| | no Auth hdr #/////# AA-Request | | | |
|
|
| |---------1--->#/////#-------2------->| |---2-->| |
|
|
|UAC | #UAS//# |DClnt | |DSrv |
|
|
| |<-----4-------#(SER)#<------3--------|(DISC)|<--3---|(DISC)|
|
|
| | 401 #/////# DIAMETER | | | |
|
|
+----+ Unauthorized +=====+ AA-Answer +------+ +------+
|
|
Result-Code=4001
|
|
|
|
|
|
b) Second phase of Digest Authentication for SIP:
|
|
|
|
|
|
+----+ SIP INVITE +=====+ DIAMETER +------+ +----+
|
|
| | Auth hdr #/////# AA-Request | | | |
|
|
| |--------1---->#/////#-------2------>| |---2-->| |
|
|
|UAC | #UAS//# |DClnt | |DSrv|
|
|
| |<-------4-----#(SER)#<------3-------| |<--3---| |
|
|
| | 200 OK #/////# DIAMETER | | | |
|
|
+----+ +=====+ AA-Answer +------+ +----+
|
|
Result-Code=2001
|
|
|
|
...
|
|
|
|
2. Dependencies
|
|
|
|
2.1. Kamailio Modules
|
|
2.2. External Libraries or Applications
|
|
|
|
2.1. Kamailio Modules
|
|
|
|
The following modules must be loaded before this module:
|
|
* sl - used to send stateless replies.
|
|
|
|
2.2. External Libraries or Applications
|
|
|
|
The following libraries or applications must be installed before
|
|
running Kamailio with this module loaded:
|
|
* None.
|
|
|
|
3. Parameters
|
|
|
|
3.1. diameter_client_host (string)
|
|
3.2. diameter_client_port (int)
|
|
3.3. use_domain (int)
|
|
|
|
3.1. diameter_client_host (string)
|
|
|
|
Hostname of the machine where the DIAMETER Client is running.
|
|
|
|
Default value is “localhost”.
|
|
|
|
Example 1.2. Set diameter_client_host parameter
|
|
...
|
|
modparam("auth_diameter", "diameter_client_host", "10.10.10.10")
|
|
...
|
|
|
|
3.2. diameter_client_port (int)
|
|
|
|
Port number where the DIAMETER Client is listening.
|
|
|
|
Default value is “3000”.
|
|
|
|
Example 1.3. Set diameter_client_port parameter
|
|
...
|
|
modparam("auth_diameter", "diameter_client_port", 3000)
|
|
...
|
|
|
|
3.3. use_domain (int)
|
|
|
|
Specifies whether the domain name part of URI is used when checking the
|
|
user's privileges.
|
|
|
|
Default value is “0 (0==false and 1==true )”.
|
|
|
|
Example 1.4. Set use_domain parameter
|
|
...
|
|
modparam("auth_diameter", "use_domain", 1)
|
|
...
|
|
|
|
4. Functions
|
|
|
|
4.1. diameter_www_authorize(realm)
|
|
4.2. diameter_proxy_authorize(realm)
|
|
4.3. diameter_is_user_in(who, group)
|
|
|
|
4.1. diameter_www_authorize(realm)
|
|
|
|
SIP Server checks for authorization having a DIAMETER server in
|
|
backend. If no credentials are provided inside the SIP request then a
|
|
challenge is sent back to UAC. If the credentials don't match the ones
|
|
computed by DISC then “403 Forbidden” is sent back.
|
|
|
|
Negative codes may be interpreted as follows:
|
|
* -5 (generic error) - some generic error occurred and no reply was
|
|
sent out;
|
|
* -3 (stale nonce) - stale nonce;
|
|
|
|
Meaning of the parameters is as follows:
|
|
* realm - the realm to be use for authentication and authorization.
|
|
The string may contain pseudo variables.
|
|
|
|
This function can be used from REQUEST_ROUTE.
|
|
|
|
Example 1.5. diameter_www_authorize usage
|
|
...
|
|
if(!diameter_www_authorize("siphub.net"))
|
|
{ /* user is not authorized */
|
|
exit;
|
|
};
|
|
...
|
|
|
|
4.2. diameter_proxy_authorize(realm)
|
|
|
|
SIP Proxy checks for authorization having a DIAMETER server in backend.
|
|
If no credentials are provided inside the SIP request then a challenge
|
|
is sent back to UAC. If the credentials don't match the ones computed
|
|
by DISC then “403 Forbidden” is sent back. For more about the negative
|
|
return codes, see the above function.
|
|
|
|
Meaning of the parameters is as follows:
|
|
* realm - the realm to be use for authentication and authorization.
|
|
The string may contain pseudo variables.
|
|
|
|
This function can be used from REQUEST_ROUTE.
|
|
|
|
Example 1.6. diameter_proxy_authorize usage
|
|
...
|
|
if(!diameter_proxy_authorize("siphub.net"))
|
|
{ /* user is not authorized */
|
|
exit;
|
|
};
|
|
...
|
|
|
|
4.3. diameter_is_user_in(who, group)
|
|
|
|
The method performs group membership checking with DISC.
|
|
|
|
Meaning of the parameters is as follows:
|
|
* who - what header to be used to get the SIP URI that is wanted to
|
|
be checked being member in a certain group. It can be:
|
|
“Request-URI”, “From”, “To” or “Credentials”.
|
|
* group - the group name where to check if the user is part of.
|
|
|
|
This function can be used from REQUEST_ROUTE.
|
|
|
|
Example 1.7. diameter_is_user_in usage
|
|
...
|
|
if(!diameter_is_user_in("From", "voicemail"))
|
|
{ /* user is not authorized */
|
|
exit;
|
|
};
|
|
...
|
|
|
|
5. Installation and Running
|
|
|
|
Notes about installation and running.
|