[OpenSIPS-Users] src ip check on Register => Re: How to insert the IP address of user in radius request.

Bogdan-Andrei Iancu bogdan at voice-system.ro
Fri Jul 3 11:51:54 CEST 2009


Hi Uwe,

I guess relevant to this discussion is the feature request made by Dan 
Bogos - and we decided to replace the avp_readius module with something 
more general , to allow you to build you own custom RAD requests and to 
fetch the custom replies also.

Regards,
Bogdan

Uwe Kastens wrote:
> Hi,
>
> this is the script part, that is doing the job. ATM just only logging
>
> loadmodule "avpops.so"
>
> # ---- avpops
> modparam("avpops", "db_url","mysql://xxxx:xxxx@abcd.domain.de/testdb")
>
>  if (method=="REGISTER") {
>         if (!radius_www_authorize("")) {
>          www_challenge("", "0");
>          exit;
>          };
>         avp_db_query("select ip from src_ip where number='$au'",
> "$avp(s:srcip)");
>         if ($avp(s:srcip)!=$si){
>          xlog("$au should have SRC_IP $avp(s:srcip), but has $si");
>         }
>  save("location") ;
>  exit;
>  }
>
> BR
>
> Uwe
>
>
> Uwe Kastens schrieb:
>   
>> Hi,
>>
>> I am facing a similar situation. We need to verify that a REGISTER comes
>> from the same srcip we have configured in our database. I am thinking
>> about doing this by making a select into an AVP and verfying the value
>> of the AVP with the $si. If this is successfull the UA would be saved
>> into the location and/or would be able to make a call.
>>
>> This should be possible with radius_avp as well.
>>
>> Looking at performance I would make the DIGEST Auth 1st and if this is
>> succesfull check the IPs.
>>
>> BR
>>
>> uwe
>>
>>
>> Tung Tran schrieb:
>>     
>>> Hi Mr. Bogdan
>>>
>>> We need it for IP authorize besides DIGEST auth, that is not standard anyway 
>>> but business requirements.
>>> We use MSSQL to do DIGEST authorize and we need an extra security layer 
>>> based on source IP, that is also a request by govements in my contry.
>>>
>>> So last but not lease, I would like someone can help me how to add this 
>>> feature as soon ass possible
>>>
>>> Thank you very much for your help
>>>
>>> Tung
>>> ----- Original Message ----- 
>>> From: "Bogdan-Andrei Iancu" <bogdan at voice-system.ro>
>>> To: "Tung Tran" <tr.tung at gmail.com>
>>> Cc: <users at lists.opensips.org>
>>> Sent: Friday, June 26, 2009 2:24 AM
>>> Subject: Re: [OpenSIPS-Users] How to insert the IP address of user in radius 
>>> request.
>>>
>>>
>>>       
>>>> Hi Tung,
>>>>
>>>> I see the difference - unfortunately there is no way (at the moment) to 
>>>> add custom info to the RADIUS auth header, but it should be an extension 
>>>> that can be done - out of curiosity? why do you need this in the AUTH 
>>>> request, as this info is not used in the DIGEST auth.
>>>>
>>>> Regards,
>>>> Bogdan
>>>>
>>>> Tung Tran wrote:
>>>>         
>>>>> Dear Mr. Bogdan,
>>>>>
>>>>> I know we can insert the source IP address in account request before 
>>>>> sending it to Radius, however can I insert it in AUTHORIZE request 
>>>>> instead?
>>>>>
>>>>> Thank you very much for your reply.
>>>>> Tung
>>>>>
>>>>> ----- Original Message ----- From: "Bogdan-Andrei Iancu" 
>>>>> <bogdan at voice-system.ro>
>>>>> To: "Tung Tran" <tr.tung at gmail.com>
>>>>> Cc: <users at lists.opensips.org>
>>>>> Sent: Tuesday, June 23, 2009 6:04 PM
>>>>> Subject: Re: [OpenSIPS-Users] How to insert the IP address of user in 
>>>>> radius request.
>>>>>
>>>>>
>>>>>           
>>>>>> Hi Tung,
>>>>>>
>>>>>> First of all you should upgrade to 1.5 version (see 
>>>>>> http://www.opensips.org/Resources/Downloads).
>>>>>>
>>>>>> For your problem, use extra accounting - you can account whatever extra 
>>>>>> info you want. See:
>>>>>>
>>>>>> http://www.opensips.org/html/docs/modules/1.5.x/acc.html#ACC-extra-id
>>>>>>
>>>>>> To get the source IP, use the $si pseudo-variable (see 
>>>>>> http://www.opensips.org/Resources/DocsCoreVar15#toc71).
>>>>>>
>>>>>> Regards,
>>>>>> Bogdan
>>>>>>
>>>>>> Tung Tran wrote:
>>>>>>             
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I get a request to insert the public IP address of the sip softphone or 
>>>>>>> IP Phone/ATA (end-point) in the Radius request sending to Radius 
>>>>>>> server.
>>>>>>> I am thinking about to mod the auth_radius module to insert that IP in 
>>>>>>> SIP-URI-User field, likely this one:
>>>>>>>
>>>>>>> Original
>>>>>>> Sip-Uri-User = "985512405"
>>>>>>>
>>>>>>> After mod:
>>>>>>> Sip-Uri-User = 985512405 at 1.2.3.4
>>>>>>>
>>>>>>> Where 1.2.3.4 is the IP of SIP end-point, not the IP address of 
>>>>>>> Opensips/Opensers servers.
>>>>>>>
>>>>>>> But I dont know where I should play with.
>>>>>>> Any one had done it before or know where we can edit, pls help  me.
>>>>>>>
>>>>>>> BTW, I am using openser 1.2.2 version.
>>>>>>> Thanks in advance
>>>>>>> Tung
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Users mailing list
>>>>>>> Users at lists.opensips.org
>>>>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>>>>>
>>>>>>>
>>>>>>>               
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opensips.org
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>
>>>       
>>     
>
>
>   




More information about the Users mailing list