Improving RADIUS Support

From reSIProcate

Current status (up to and including the current release)

Currently, RADIUS support is in two places:

  • rutil/RADIUSDigestAuthenticator
    • uses radiusclient-ng to do SIP (DIGEST MD5) authentication as per [[1]]
    • works with FreeRADIUS server's rlm_digest module
  • resip/dum/RADIUSServerAuthManager
    • uses the code from RADIUSDigestAuthenticator to authenticate SIP clients

Please see our main RADIUS page for details of how to use it.

Eventual improvement

We would also like to use RADIUS for TURN. TURN uses HMAC-SHA1 rather than DIGEST-MD5, so it requires a different module in FreeRADIUS, and different attribute/value pairs must be submitted to the RADIUS server.
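The difference between the two checks, as an added example (not reSIProcate or FreeRADIUS code): both start from the same MD5(user:realm:password) secret, but SIP digest hashes short strings while TURN computes an HMAC-SHA1 over the STUN message bytes as specified in RFC 5389. The user, realm, password, nonce and transaction ID are constructed sample values, the digest form shown is the one without qop, and SASLprep of the password is omitted because the sample is ASCII.

```python
import hashlib
import hmac
import struct

MAGIC_COOKIE = 0x2112A442
MI_ATTR_LEN = 24  # 4-byte attribute header + 20-byte HMAC-SHA1 value

def ha1(user, realm, password):
    """MD5(user:realm:password): SIP digest HA1 and the TURN long-term key."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()

def sip_digest_response(key, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), all as hex strings."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{key.hex()}:{nonce}:{ha2}".encode()).hexdigest()

def stun_attr(attr_type, value):
    """Encode one STUN attribute, padded to a 4-byte boundary."""
    pad = b"\x00" * (-len(value) % 4)
    return struct.pack("!HH", attr_type, len(value)) + value + pad

def turn_message_integrity(key, msg_type, txn_id, attrs):
    """RFC 5389 15.4: HMAC-SHA1 over header + preceding attributes, with the
    header length field already counting the MESSAGE-INTEGRITY attribute."""
    header = struct.pack("!HHI12s", msg_type, len(attrs) + MI_ATTR_LEN,
                         MAGIC_COOKIE, txn_id)
    return hmac.new(key, header + attrs, hashlib.sha1).digest()

def verify_turn(key, msg_type, txn_id, attrs, received_mi):
    """Recompute the HMAC and compare it in constant time."""
    expected = turn_message_integrity(key, msg_type, txn_id, attrs)
    return hmac.compare_digest(expected, received_mi)

# Constructed sample values (not from the page or any real deployment).
USER, REALM, PASSWORD, NONCE = "alice", "example.org", "s3cret", "f00dcafe"
KEY = ha1(USER, REALM, PASSWORD)
TXN = bytes(range(12))
ATTRS = (stun_attr(0x0006, USER.encode()) +    # USERNAME
         stun_attr(0x0014, REALM.encode()) +   # REALM
         stun_attr(0x0015, NONCE.encode()))    # NONCE
MI = turn_message_integrity(KEY, 0x0003, TXN, ATTRS)  # 0x0003 = Allocate request

if __name__ == "__main__":
    print("SIP response:", sip_digest_response(KEY, "REGISTER", "sip:example.org", NONCE))
    print("TURN MESSAGE-INTEGRITY:", MI.hex())
```
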

An initial cut of the FreeRADIUS module already exists as pull request https://github.com/FreeRADIUS/freeradius-server/pull/367. The FreeRADIUS maintainers have suggested some changes to it, but it is sufficient as a proof of concept.

To achieve this, rutil/RADIUSDigestAuthenticator needs to be split into two parts:

  • low level RADIUS wrapper around radiusclient-ng
    • no knowledge of SIP DIGEST
    • wraps the C client code
    • takes AV set as arguments
    • takes RADIUS config filename as argument
    • do lookup, return arbitrary attributes/values
  • SIP DIGEST and TURN-HMAC helper classes
    • both classes should leverage the low level code just described
    • based on the existing rutil/RADIUSDigestAuthenticator API perhaps
  • adapt resip/dum/RADIUSServerAuthManager to work in repro
    • repro needs a "monkey" that implements similar logic when forwarding requests
    • repro only uses the DUM authenticators for certain requests, such as registrations
  • implement in reTurn