Digest authentication and perl authorization
Hi, I have a test deployment with a sip proxy (kamailio) and a back to back user agent (sippy b2bua) pointing to freeradius. SIP proxy is making digest authentication of users and that is working fine. My plan is to use b2bua for prepaid calls authorization and call dropping (sip proxy forward calls from prepaid users to b2bua) so, I want b2bua to make just authorization of calls (this is, balance check). I am thinking in something like this: - Radius client (b2bua) sends an access-request with Service_type = "Authorize-Only" - Adding perl module to authorization section. - In authorize function of perl module check if the balance is enough to make the call. if yes add an attribute to the reply with granted credit time and return return RLM_MODULE_OK. If no, return RLM_MODULE_REJECT. My questions are: how is the best way of making authorization without authentication? - Should perl module set Auth-Type := Accept if the user is authorized? - What should I need to add in the users file for this to work, something like this? DEFAULT Auth-Type := Accept, Service-Type == "Authorize-Only" Thanks for your time. Regards Luciano
I am thinking in something like this:
- Radius client (b2bua) sends an access-request with Service_type = "Authorize-Only" - Adding perl module to authorization section. - In authorize function of perl module check if the balance is enough to make the call. if yes add an attribute to the reply with granted credit time and return return RLM_MODULE_OK. If no, return RLM_MODULE_REJECT.
That can work. As long as radius client understands that Service-Type.
My questions are: how is the best way of making authorization without authentication?
The way you described it.
- Should perl module set Auth-Type := Accept if the user is authorized?
Yes.
- What should I need to add in the users file for this to work, something like this?
DEFAULT Auth-Type := Accept, Service-Type == "Authorize-Only"
No nedd. perl can do it all. It can add Service-Type to reply as well. Ivan Kalik Kalik Informatika ISP
Hi, On Mon, Jan 5, 2009 at 2:23 PM, <tnt@kalik.net> wrote:
I am thinking in something like this:
- Radius client (b2bua) sends an access-request with Service_type = "Authorize-Only" - Adding perl module to authorization section. - In authorize function of perl module check if the balance is enough to make the call. if yes add an attribute to the reply with granted credit time and return return RLM_MODULE_OK. If no, return RLM_MODULE_REJECT.
That can work. As long as radius client understands that Service-Type.
My questions are: how is the best way of making authorization without authentication?
The way you described it.
- Should perl module set Auth-Type := Accept if the user is authorized?
Yes.
- What should I need to add in the users file for this to work, something like this?
DEFAULT Auth-Type := Accept, Service-Type == "Authorize-Only"
No nedd. perl can do it all. It can add Service-Type to reply as well.
I have done that and everything seems to be ok. Now, I have an stupid question. When I do digest authentication with this config, digest module set Auth-Type = Digest but I am overriding it with Auth-Type = Accept in perl module. How do I set Auth-Type in perl only if it is not already set? What is the value for a not-set attribute in perl? Regards Luciano
Luciano Afranllie wrote:
Now, I have an stupid question. When I do digest authentication with this config, digest module set Auth-Type = Digest but I am overriding it with Auth-Type = Accept in perl module. How do I set Auth-Type in perl only if it is not already set? What is the value for a not-set attribute in perl?
The "Auth-Type" attribute is in the RAD_CHECK hash. Just look for it using normal Perl code. Alan DeKok
participants (3)
-
Alan DeKok -
Luciano Afranllie -
tnt@kalik.net