[OpenSIPS-Users] Custom RADIUS authentication

[Bogdan-Andrei Iancu]

Hello Sebastian,

Aside the standard functionalities (auth and acc), opensips allows you 
do whatever custom RADIUS interaction via aaa_radius module.
You can define sets of AVPS to define the RADIUS requests and replies 
(see 
http://www.opensips.org/html/docs/modules/1.8.x/aaa_radius.html#id249101) and 
then, you can push data to RADIUS via radius_send_auth/acc() functions - 
http://www.opensips.org/html/docs/modules/1.8.x/aaa_radius.html#id249958

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com


On 07/20/2012 02:26 PM, Sebastien CRUAUX wrote:
> Hi,
>
> I was wondering if it was possible to perform RADIUS authentication 
> (using custom AVPs) when the REGISTER request (with digest attributes) 
> is received BUT without checking anything in the "subscriber" database 
> (no user/password checking, only RADIUS server should tell us if we 
> can register or not).
>
> To sum up, here is the call flow I would like to get :
> - Opensips receives 1st REGISTER from the user
> - Opensips challenges the user with a 401 Unauthorized
> - user sends a 2nd REGISTER with digest attributes
> - Opensips sends an Access-Request with custom AVPs to my external 
> RADIUS server (using the "radius_send_auth" function)
> - RADIUS server answers Access-Accept (or Access-Reject) and Opensips 
> sends 200 OK (or 403 Forbidden) to the user
>
> I do not see how to do that in opensips.cfg since as far as I know, 
> "www_challenge" is always associated to either "www_authorize" (which 
> will perform a database check of username/password that I do not want) 
> or "aaa_www_authorize" (which will send an Access-Request to my RADIUS 
> server but without my custom AVPs).
>
> Thank you !
>
> Best regards,
> Sebastien
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>