Auth_aaa Module


Table of Contents

1. Admin Guide
1.1. Overview
1.2. Additional Credentials
1.3. Dependencies
1.3.1. OpenSIPS Modules
1.3.2. External Libraries or Applications
1.4. Exported Parameters
1.4.1. aaa_url (string)
1.4.2. service_type (integer)
1.4.3. use_ruri_flag (string/integer)
1.5. Exported Functions
1.5.1. aaa_www_authorize(realm[, uri_user])
1.5.2. aaa_proxy_authorize(realm [, uri_user])
2. Contributors
2.1. By Commit Statistics
2.2. By Commit Activity
3. Documentation
3.1. Contributors

List of Tables

2.1. Top contributors by DevScore(1), authored commits(2) and lines added/removed(3)
2.2. Most recently active contributors(1) to this module

List of Examples

1.1. SIP-AVP AAA AVP examples
1.2. aaa_url parameter usage
1.3. service_type parameter usage
1.4. use_ruri_flag parameter usage
1.5. aaa_www_authorize usage
1.6. proxy_authorize usage

Chapter 1. Admin Guide

1.1. Overview

This module contains functions that are used to perform authentication using an AAA server. Basically the proxy will pass along the credentials to the AAA server which will in turn send a reply containing result of the authentication. So basically the whole authentication is done in the AAA server. Before sending the request to the AAA server we perform some sanity checks over the credentials to make sure that only well formed credentials will get to the server. We have implemented AAA authentication according to draft-sterman-aaa-sip-00.

1.2. Additional Credentials

When performing authentication, the AAA server may include in the response additional credentials. This scheme is very useful in fetching additional user information from the AAA server without making extra queries.

The additional credentials are embedded in the AAA reply as AVPs SIP-AVP. The syntax of the value is:

  • value = SIP_AVP_NAME SIP_AVP_VALUE

  • SIP_AVP_NAME = STRING_NAME | '#'ID_NUMBER

  • SIP_AVP_VALUE = ':'STRING_VALUE | '#'NUMBER_VALUE

All additional credentials will be stored as OpenSIPS AVPs (SIP_AVP_NAME = SIP_AVP_VALUE).

The RPID value may be fetch via this mechanism.

Example 1.1. SIP-AVP AAA AVP examples

....
"email:joe@yahoo.com"
    - STRING NAME AVP (email) with STRING VALUE (joe@yahoo.com)
"#14:joe@yahoo.com"
    - ID AVP (14) with STRING VALUE (joe@yahoo.com)
"age#28"
    - STRING NAME AVP (age) with INTEGER VALUE (28)
"#14#28"
    - ID AVP (14) with INTEGER VALUE (28)
....
		

1.3. Dependencies

1.3.1. OpenSIPS Modules

The module depends on the following modules (in the other words the listed modules must be loaded before this module):

  • auth -- Generic authentication functions

  • an aaa implementing module -- for example aaa_radius

1.3.2. External Libraries or Applications

This module does not depend on any external library.

1.4. Exported Parameters

1.4.1. aaa_url (string)

This is the url representing the AAA protocol used and the location of the configuration file of this protocol.

The syntax for the url is the following: "name_of_the_aaa_protocol_used:path_of_the_configuration_file"

Example 1.2. aaa_url parameter usage

		
modparam("auth_aaa", "aaa_url", "radius:/etc/radiusclient-ng/radiusclient.conf")
		

1.4.2. service_type (integer)

This is the value of the Service-Type aaa attribute to be used. The default should be fine for most people. See your aaa client include files for numbers to be put in this parameter if you need to change it.

Default value is 15.

Example 1.3. service_type parameter usage

		
modparam("auth_aaa", "service_type", 15)
		

1.4.3. use_ruri_flag (string/integer)

When this parameter is set to the value other than "NULL" and the request being authenticated has flag with matching number set via setflag() function, use Request URI instead of uri parameter value from the Authorization / Proxy-Authorization header field to perform AAA authentication. This is intended to provide workaround for misbehaving NAT / routers / ALGs that alter request in the transit, breaking authentication. At the time of this writing, certain versions of Linksys WRT54GL are known to do that.

Default value is NULL (not set).

Example 1.4. use_ruri_flag parameter usage

		
modparam("auth_aaa", "use_ruri_flag", "USE_RURI_FLAG")
                

1.5. Exported Functions

1.5.1. aaa_www_authorize(realm[, uri_user])

The function verifies credentials according to RFC2617. If the credentials are verified successfully then the function will succeed and mark the credentials as authorized (marked credentials can be later used by some other functions). If the function was unable to verify the credentials for some reason then it will fail and the script should call www_challenge which will challenge the user again.

Negative codes may be interpreted as follows:

  • -5 (generic error) - some generic error occurred and no reply was sent out;

  • -4 (no credentials) - credentials were not found in request;

  • -3 (stale nonce) - stale nonce;

This function will, in fact, perform sanity checks over the received credentials and then pass them along to the aaa server which will verify the credentials and return whether they are valid or not.

Meaning of the parameter is as follows:

  • realm - Realm is a opaque string that the user agent should present to the user so he can decide what username and password to use. Usually this is domain of the host the server is running on.

    If an empty string is used then the server will generate it from the request. In case of REGISTER requests To header field domain will be used (because this header field represents a user being registered), for all other messages From header field domain will be used.

    The string may contain pseudo variables.

  • uri_user - Uri_user is an optional pseudo variable parameter whose value, if present, will be given to Radius server as value of SIP-URI-User check item. If uri_user pseudo variable parameter is not present, the server will generate SIP-URI-User check item value from user part of To URI.

This function can be used from REQUEST_ROUTE.

Example 1.5. aaa_www_authorize usage

		
...
if (!aaa_www_authorize("siphub.net")) {
	www_challenge("siphub.net", "1");
};
...


1.5.2. aaa_proxy_authorize(realm [, uri_user])

The function verifies credentials according to RFC2617. If the credentials are verified successfully then the function will succeed and mark the credentials as authorized (marked credentials can be later used by some other functions). If the function was unable to verify the credentials for some reason then it will fail and the script should call proxy_challenge which will challenge the user again. For more about the negative return codes, see the above function.

This function will, in fact, perform sanity checks over the received credentials and then pass them along to the aaa server which will verify the credentials and return whether they are valid or not.

Meaning of the parameters is as follows:

  • realm - Realm is a opaque string that the user agent should present to the user so he can decide what username and password to use. This is usually one of the domains the proxy is responsible for. If an empty string is used then the server will generate realm from host part of From header field URI.

    The string may contain pseudo variables.

  • uri_user - Uri_user is an optional pseudo variable parameter whose value, if present, will be given to Radius server as value of SIP-URI-User check item. If uri_user pseudo variable parameter is not present, the server will generate SIP-URI-User check item value from user part of From URI.

This function can be used from REQUEST_ROUTE.

Example 1.6. proxy_authorize usage

		
...
if (!aaa_proxy_authorize("")) {   # Realm and URI user will be autogenerated
	proxy_challenge("", "1");
};
...
if (!aaa_proxy_authorize("$pd", "$pU")) { # Realm and URI user are taken
	proxy_challenge("$pd", "1");         # from P-Preferred-Identity
};                                           # header field
...


Chapter 2. Contributors

2.1. By Commit Statistics

Table 2.1. Top contributors by DevScore(1), authored commits(2) and lines added/removed(3)

 NameDevScoreCommitsLines ++Lines --
1. Jan Janak (@janakj)902432942182
2. Bogdan-Andrei Iancu (@bogdan-iancu)3628359225
3. Irina-Maria Stanescu168185299
4. Daniel-Constantin Mierla (@miconda)15136755
5. Maksym Sobolyev (@sobomax)126167171
6. Liviu Chircu (@liviuchircu)1183270
7. Juha Heinanen (@juha-h)8514253
8. Andrei Pelinescu-Onciul7582
9. Razvan Crainea (@razvancrainea)53910
10. Jiri Kuthan (@jiriatipteldotorg)4231

All remaining contributors: Henning Westerholt (@henningw), Ancuta Onofrei, Anatoly Pidruchny, Peter Nixon, Konstantin Bokarius, Edson Gellert Schubert.

(1) DevScore = author_commits + author_lines_added / (project_lines_added / project_commits) + author_lines_deleted / (project_lines_deleted / project_commits)

(2) including any documentation-related commits, excluding merge commits. Regarding imported patches/code, we do our best to count the work on behalf of the proper owner, as per the "fix_authors" and "mod_renames" arrays in opensips/doc/build-contrib.sh. If you identify any patches/commits which do not get properly attributed to you, please submit a pull request which extends "fix_authors" and/or "mod_renames".

(3) ignoring whitespace edits, renamed files and auto-generated files

2.2. By Commit Activity

Table 2.2. Most recently active contributors(1) to this module

 NameCommit Activity
1. Bogdan-Andrei Iancu (@bogdan-iancu)Jun 2005 - Jun 2018
2. Liviu Chircu (@liviuchircu)Jan 2013 - Jun 2018
3. Razvan Crainea (@razvancrainea)Feb 2012 - Aug 2015
4. Irina-Maria StanescuAug 2009 - Apr 2010
5. Daniel-Constantin Mierla (@miconda)Oct 2005 - Mar 2008
6. Konstantin BokariusMar 2008 - Mar 2008
7. Edson Gellert SchubertFeb 2008 - Feb 2008
8. Maksym Sobolyev (@sobomax)Dec 2003 - Feb 2008
9. Juha Heinanen (@juha-h)May 2003 - Dec 2007
10. Henning Westerholt (@henningw)Sep 2007 - Nov 2007

All remaining contributors: Ancuta Onofrei, Anatoly Pidruchny, Peter Nixon, Jan Janak (@janakj), Andrei Pelinescu-Onciul, Jiri Kuthan (@jiriatipteldotorg).

(1) including any documentation-related commits, excluding merge commits

Chapter 3. Documentation

3.1. Contributors

Last edited by: Bogdan-Andrei Iancu (@bogdan-iancu), Liviu Chircu (@liviuchircu), Razvan Crainea (@razvancrainea), Irina-Maria Stanescu, Daniel-Constantin Mierla (@miconda), Konstantin Bokarius, Edson Gellert Schubert, Maksym Sobolyev (@sobomax), Juha Heinanen (@juha-h), Henning Westerholt (@henningw), Ancuta Onofrei, Anatoly Pidruchny, Peter Nixon, Jan Janak (@janakj), Andrei Pelinescu-Onciul, Jiri Kuthan (@jiriatipteldotorg).

doc copyrights:

Copyright © 2005-2009 Voice Sistem SRL

Copyright © 2002-2003 FhG FOKUS