I'm developing a product that needs to integrate with a RADIUS server as an authentication method.
When configuring the RADIUS server (IP address, port, shared secret) I would like to do a "test" in order to check that the configuration is valid: the server is available and it is indeed a RADIUS server, and the shared secret is OK.
I did some research on how to do it. My options are:
Send Access-Request message with fictional user name and password to the RADIUS server
Send Status-Server message to the RADIUS server
RFC 5997 introduces the use of Status-Server packets in the RADIUS protocol.
This packet extension enables clients to query the status of a RADIUS server.
Status-Server is marked as experimental, and the RFC is Informational rather than Standards-Track.
My questions are:
Which are the most common / in-use RADIUS server vendors? MS NPS, FreeRADIUS, others?
Do these vendors support the Status-Server request, i.e. do they implement this packet type?
If I use Access-Request, I will receive an "Access-Reject" with a failure message in the "Reply-Message" attribute. Can I understand the reason for the refusal from that text message? Is there any list of error codes/messages that are part of the standard?
Thanks a lot,
Yossi Zrahia
Ad 1) Exact (or even estimate) numbers are hard to come by, but you should expect to encounter FreeRADIUS, Microsoft NPS, Radiator and maybe Cisco ACS/ISE.
Ad 2) FreeRADIUS and Radiator support it. Microsoft NPS and Cisco ACS/ISE do not. If your "test" is used once (upon configuring) I would use option 1 with the Access-Request. If you wish to periodically check the availability and configuration of a RADIUS server, I would suggest implementing both options and allowing for configuration of the check as part of the RADIUS configuration:
IP:            1.2.3.4
Port:          1812
Shared Secret: U7tr453cur3
Servercheck:   [x] Status-Server
               [ ] Access-Request
Ad 3) From RFC2865, section 5.18 (Reply-Message):
"[...] This Attribute indicates text which MAY be displayed to the user. [...] When used in an Access-Reject, it is the failure message. It MAY indicate a dialog message to prompt the user before another Access-Request attempt. [...] The Text field is one or more octets, and its contents are implementation dependent. It is intended to be human readable, and MUST NOT affect operation of the protocol. It is recommended that the message contain UTF-8 encoded 10646 [7] characters."
There apparently are no standard messages specified; however, if IP, port or shared secret are configured incorrectly you should not get a response at all, because RFC 2865 specifies:
"A request from a client for which the RADIUS server does not have a shared secret MUST be silently discarded."
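Both probe types the answer discusses, built on the wire as RFC 2865 and RFC 5997 specify, as an added example that is not part of the original answer or of any RADIUS implementation. It assembles a Status-Server request (which RFC 5997 requires to carry a Message-Authenticator), an Access-Request for a fictional user with the User-Password obfuscation from RFC 2865 section 5.2, and the client-side check a probe should run on whatever comes back: Identifier, declared Length and the Response Authenticator must all match before the Reply-Message text is shown to anyone. MD5 and HMAC-MD5 are what the protocol mandates, not a design choice here. The shared secret is the one from the answer's configuration example; the user name, password and simulated server reply are constructed so the code runs offline with no RADIUS server.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types used below (RFC 2865, RFC 5997).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, STATUS_SERVER = 1, 2, 3, 12
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 18, 80

def attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type (1 octet), Length (1 octet, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def encrypt_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: zero-pad to 16-octet blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def build_request(code: int, identifier: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Header + attributes + Message-Authenticator (RFC 3579 section 3.2): HMAC-MD5 over the
    whole packet with the attribute value zeroed. RFC 5997 requires it on Status-Server."""
    attrs_zeroed = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs_zeroed)) + req_auth
    mac = hmac.new(secret, header + attrs_zeroed, hashlib.md5).digest()
    return header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)

def status_server_request(identifier: int, secret: bytes, req_auth: bytes = None):
    """Option 2 from the question: a Status-Server probe carries no other attributes."""
    req_auth = req_auth or os.urandom(16)
    return build_request(STATUS_SERVER, identifier, req_auth, b"", secret), req_auth

def access_request(identifier: int, secret: bytes, username: bytes, password: bytes, req_auth: bytes = None):
    """Option 1 from the question: an Access-Request for a fictional user."""
    req_auth = req_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username) + attr(ATTR_USER_PASSWORD, encrypt_user_password(password, secret, req_auth))
    return build_request(ACCESS_REQUEST, identifier, req_auth, attrs, secret), req_auth

def parse_attrs(attrs: bytes):
    """Return a list of (type, value) pairs, or None if the attribute list is malformed."""
    out, pos = [], 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return None
        out.append((atype, attrs[pos + 2:pos + alen]))
        pos += alen
    return out if pos == len(attrs) else None

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC-MD5 with the attribute value zeroed; this is the server's check."""
    parsed, pos = parse_attrs(packet[20:]), 20
    for atype, value in parsed or []:
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
        pos += 2 + len(value)
    return False

def verify_response(response: bytes, req_auth: bytes, secret: bytes, expected_id: int):
    """Client-side check before trusting a reply: Identifier and Length match, and the Response
    Authenticator equals MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 section 3).
    Returns (ok, code, reply_messages)."""
    if len(response) < 20:
        return False, None, []
    code, identifier, length = struct.unpack("!BBH", response[:4])
    parsed = parse_attrs(response[20:])
    if identifier != expected_id or length != len(response) or parsed is None:
        return False, code, []
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return False, code, []
    return True, code, [v.decode("utf-8", "replace") for t, v in parsed if t == ATTR_REPLY_MESSAGE]

def build_response(code: int, request: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Server side, included only to simulate a reply offline (constructed, not a real capture)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def demo():
    secret = b"U7tr453cur3"  # the shared secret from the configuration example above
    req, ra = access_request(7, secret, b"probe-user", b"probe-pass")
    reject = build_response(ACCESS_REJECT, req, secret, attr(ATTR_REPLY_MESSAGE, b"Authentication failed"))
    ok, code, msgs = verify_response(reject, ra, secret, 7)
    # A reply computed with a different secret (misconfiguration or spoofing) fails the check.
    forged = build_response(ACCESS_REJECT, req, b"not-the-secret", attr(ATTR_REPLY_MESSAGE, b"x"))
    forged_ok, _, _ = verify_response(forged, ra, secret, 7)
    return ok, code, msgs, forged_ok

if __name__ == "__main__":
    print(demo())
```

For a real probe, send the bytes from status_server_request or access_request over UDP to the configured IP and port, wait a bounded time (no reply at all is the expected outcome for a wrong secret, per the RFC text quoted above), and only treat the server as reachable and correctly configured when verify_response returns ok. A reply that fails the Response Authenticator check tells you something answered on that port but not with your shared secret.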
Part of our app allows users to input their SMTP server info for sending emails, and users are always coming up with combinations we aren't set up to test. Specifically, looking at these Java mail props: mail.smtp.auth, mail.smtp.starttls.enable, and mail.smtp.ssl.enable.
Are all 8 combinations valid? (Valid as in there could be some server somewhere that requires that combination -- I already know Java will let me set any of these) If not, which would not be valid combinations? Bonus points for links to where this is documented -- my googlefu has failed me on this.
In all Diameter implementations I have seen, messages originating from the server are always sent towards the DNS-resolved IP address of what is in the Destination-Host AVP. But in commercial servers we see an option to configure a DRA or a DEA which takes in all the messages and routes them.
Thus, when it comes to the Mobicents Diameter stack, this approach is sometimes hard to do. I can anyway re-configure the hosts file so that the message ends up in a DRA/DEA, yet it's a pain. I see no option to send these messages to a central Diameter agent which will take care of all the dirty work for me.
The next issue is that if I plan to create such a DRA/DEA, the stack does not accept messages to a different host, where the message's Destination-Host parameter might contain a different hostname than ours (which would be the ultimate destination it needs to go to).
Is there a hack to achieve this without meddling with the internals of the jdiameter code and RA code?
If you change jdiameter's config to something like this:
<Network>
  <Peers>
    <Peer name="aaa://127.0.0.1:21812" attempt_connect="false" rating="1" />
    <Peer name="aaa://CUSTOM_HOST:4545" attempt_connect="false" rating="1" />
  </Peers>
  <Realms>
    <Realm name="custom.realm" peers="CUSTOM_HOST" local_action="LOCAL" dynamic="false" exp_time="1">
      <ApplicationID>
        ...
      </ApplicationID>
    </Realm>
  </Realms>
</Network>
In your SBB, you'll then need to create a client session providing your custom realm using this method:
DiameterCCAResourceAdaptor.CreditControlProviderImpl.createClientSession(DiameterIdentity destinationHost, DiameterIdentity destinationRealm)
Example:
ccaRaSbb.createClientSession(null, "custom.realm")
where ccaRaSbb is a CreditControlProvider instance (resource adaptor interface).
Finally, when creating your CCR, the method CreditControlClientSession.createCreditControlRequest() will use the session's realm to find an available peer previously configured.
Let me know if this makes sense to you.
Posting the method I used to solve this problem.
As it turns out, it's not possible out of the box to send a Diameter message towards a peer which is not configured in the stack's jdiameter-config.xml file.
For me, the option to alter the stack in this case was also not feasible. So I devised a workaround for the problem by co-operating with the DRA we have (most DRAs should be able to handle this method).
I added two custom AVPs to the outgoing request, namely Ultimate-Destination-Host and Ultimate-Destination-Realm.
In the DRA, I asked the admin to delete my Destination-Host and Destination-Realm AVPs and replace them with the ones created in step 1.
Now, whenever I send a packet destined to other Diameter peers outside the configured peer, I target them towards the DRA and set these 'Ultimate' destination AVPs.
Ours is an Oracle DSR which is capable of doing this AVP manipulation. Most commercial ones should be able to handle it. Hope someone who wanted an answer for this question found this useful.
I've set up a RADIUS server in our local network (using FreeRADIUS 3), and now the clients successfully log in and send their accounting requests to the RADIUS server.
What I need to accomplish is to pass the Accounting-Requests (and their attributes) to an external program to process or filter some information. The external program, however, does not need to return anything to the RADIUS server or change the normal workflow in RADIUS, so simply a copy of the accounting requests has to be sent to the external program.
Couldn't find anything useful on the web, so could you please point me to a tutorial or explain how you would implement that?
Thank you
See the exec module config. The key thing is to set wait to no; this means FreeRADIUS will not wait for the program to return.
You can then use the exec module instance as detailed in the header of that file i.e.
"%{exec:<path to program> '%{<attribute>}' '%{<attribute>}'}"
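The receiving end of that exec call, as an added example that is not part of the answer or of FreeRADIUS. It assumes the xlat above is written to pass six attribute values positionally, in the order given in FIELDS (that order, the script path and the log path are all constructed for this example). Because wait is no, FreeRADIUS never reads the exit status, so the script validates what it got, keeps only the accounting record types worth copying, and appends one JSON line per request without ever feeding anything back to the server.

```python
import json
import sys
from datetime import datetime, timezone

# Attribute order this script expects from the exec xlat (an assumption for this example):
# "%{exec:/usr/local/bin/acct_copy.py '%{User-Name}' '%{Acct-Status-Type}' '%{Acct-Session-Id}'
#   '%{Framed-IP-Address}' '%{Acct-Input-Octets}' '%{Acct-Output-Octets}'}"
FIELDS = ("User-Name", "Acct-Status-Type", "Acct-Session-Id", "Framed-IP-Address",
          "Acct-Input-Octets", "Acct-Output-Octets")
COUNTERS = ("Acct-Input-Octets", "Acct-Output-Octets")
FORWARDED_TYPES = ("Start", "Stop", "Interim-Update")
LOG_PATH = "/var/log/radius-acct-copy.jsonl"  # constructed path for this example

def record_from_args(args):
    """Map positional values to attribute names; absent or empty values become None."""
    record = {name: (args[i] if i < len(args) and args[i] != "" else None)
              for i, name in enumerate(FIELDS)}
    # Octet counters arrive as text; a value that is not an integer is dropped, not trusted.
    for name in COUNTERS:
        if record[name] is not None:
            try:
                record[name] = int(record[name])
            except ValueError:
                record[name] = None
    return record

def should_forward(record):
    """Copy only session records (Start/Stop/Interim-Update) that carry a session id."""
    return record["Acct-Status-Type"] in FORWARDED_TYPES and record["Acct-Session-Id"] is not None

def to_json_line(record, now=None):
    """Serialise a record with a UTC receive timestamp; sort_keys keeps lines diff-friendly."""
    now = now or datetime.now(timezone.utc)
    return json.dumps({"received_at": now.isoformat(), **record}, sort_keys=True)

def main(argv):
    record = record_from_args(argv[1:])
    if should_forward(record):
        with open(LOG_PATH, "a", encoding="utf-8") as fh:
            fh.write(to_json_line(record) + "\n")
    return 0  # irrelevant to FreeRADIUS with wait = no, but exit cleanly anyway

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Accounting-On/Accounting-Off and other non-session records fall through should_forward and are ignored, which is usually what a downstream consumer wants; widen FORWARDED_TYPES if it is not.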
I have added International Domain Name support to an XMPP client as specified in RFC 6122. In the RFC it states:
Although XMPP applications do not communicate the output of the ToASCII operation (called an "ACE label") over the wire, it MUST be possible to apply that operation without failing to each internationalized label.
However, with the domain I have available for testing (running Prosody 0.9.4; working on getting feedback from someone else about how Ejabberd handles this), sending a Unicode name in the "to" field of an XMPP stanza causes them to immediately return an XMPP error stanza and terminate the stream. If I apply the ToASCII operation before sending the stanza, the connection succeeds, and I can begin authentication with the server.
So sending:
<somestanza to="éxample.net"/>
Would cause an error, while:
<somestanza to="xn--xample-9ua.net"/>
works fine.
Is it correct to send the ASCII representation (ACE label) of the domain like this? If so, what does the spec mean when it says that "XMPP applications do not communicate the output of the ToASCII operation ... over the wire"? If not, how can I ensure compatibility with misbehaving servers?
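The ToASCII check the RFC text above requires, as an added example that is not part of the question or of any XMPP library; it does not settle which form the server should accept. It assumes Python's built-in idna codec, which implements IDNA2003 (RFC 3490 ToASCII/ToUnicode with the RFC 3491 Nameprep profile), the IDNA version RFC 6122 references. The two domains from the question are reproduced; the over-long label is constructed to show the failure path.

```python
def domainpart_to_ace(domain: str) -> str:
    """Apply ToASCII to every label of the domainpart (the codec splits on dots itself).
    Raises UnicodeError when any label cannot be converted, which is exactly the
    condition RFC 6122 says MUST NOT occur for a valid domainpart."""
    return domain.encode("idna").decode("ascii")

def ace_to_unicode(ace: str) -> str:
    """ToUnicode: the inverse mapping, for displaying what was received on the wire."""
    return ace.encode("ascii").decode("idna")

def check_domainpart(domain: str):
    """Validate a domainpart before use. Returns (ok, ace_form_or_reason)."""
    try:
        return True, domainpart_to_ace(domain)
    except UnicodeError as exc:
        return False, f"ToASCII failed: {exc}"

def both_forms(domain: str):
    """The two 'to' values from the question side by side: U-label form and ACE form."""
    ok, ace = check_domainpart(domain)
    return (domain, ace) if ok else None

if __name__ == "__main__":
    print(both_forms("éxample.net"))
    print(check_domainpart("a" * 64 + ".net"))
```

Running check_domainpart on every address before a stanza goes out gives a deterministic local failure instead of a stream error from the peer, whichever of the two forms you then decide to put on the wire.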
I need to ask a few questions about Asterisk.
1) Does ACL mean Access Control List here? If yes, then how could I use it?
>ip show user 6001
* Name : 6001
Secret : <Set>
MD5Secret : <Not set>
Context : DLPN_Admin
Language :
AMA flags : Unknown
Transfer mode: open
MaxCallBR : 384 kbps
CallingPres : Presentation Allowed, Not Screened
Call limit : 2147483647
Callgroup : 1
Pickupgroup : 1
Callerid : "test" <6001>
ACL : No
Sess-Timers : Accept
Sess-Refresh : uas
Sess-Expires : 1800 secs
Sess-Min-SE : 90 secs
RTP Engine : asterisk
Codec Order : (ulaw:20,gsm:20)
Auto-Framing: No
2) What is meant by "Require Call Token" in the Asterisk Digium GUI on the Create New User panel?
3) Is there any command from which I can get a user's voicemail password?
4) What AMI or CLI command sets call recording on or off for a user? And if I want that file to be stored on the client computer, not in server memory, what could I do?
Question 1:
Yes, ACL does stand for Access Control List. You can use the settings "contactpermit/contactdeny" to control what addresses a UA can register from; "permit/deny" to control what addresses a UA can establish calls from (INVITE request); and "directmediapermit/directmediadeny" to control what addresses a UA can use to set up direct media between UAs. Note that all of this is in the sample sip.conf, delivered with Asterisk.
Question 2:
Call Token refers to the IAX setting "requirecalltoken". Older Asterisk clients (1.2 before 1.2.35) don't support call tokens. Note that call tokens were added to address a security vulnerability (AST-2009-006). From the AST notification:
"A lot of time was spent trying to come up with a way to resolve this issue in a way that was completely backwards compatible. However, the final resolution ended up requiring a modification to the IAX2 protocol. This modification is referred to as call token validation. Call token validation is used as a handshake before call numbers are assigned to IAX2 connections.
Call token validation by itself does not resolve the issue. However, it does allow an IAX2 server to validate that the source of the messages has not been spoofed. In addition to call token validation, Asterisk now also has the ability to limit the amount of call numbers assigned to a given remote IP address.
The combination of call token validation and call number allocation limits is used to mitigate this denial of service issue."
Question 3:
No. That doesn't mean you couldn't use AGI to call out to a script with the user's voicemail extension, do the parsing yourself, and put the result in a channel variable.
Question 4:
AMI commands are documented at Asterisk AMI Actions. I'm going to assume that by "set recording" you mean start a Monitor application on some particular channel (and not change CDRs, CELs, etc.) In that case, you'd use the Monitor AMI action to start the recording, and StopMonitor AMI action to stop the recording. Once the file is created, you can move it off the server yourself using AGI or some other externally spawned mechanism.
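The Monitor/StopMonitor exchange from the answer to question 4 at the protocol level, as an added example that is not part of the answer or of Asterisk. AMI is a line-oriented protocol: an action is "Key: Value" lines ending in a blank line, and replies come back the same way, correlated by ActionID. The parameter names used (Channel, File, Format, Mix for Monitor; Channel for StopMonitor; Username and Secret for Login) are those documented for the actions the answer names; the channel name, file name and the reply buffer are constructed so the code runs offline. The CR/LF check matters because a channel or file name taken from user input and pasted into a frame would otherwise let a caller smuggle extra AMI headers into the manager session.

```python
def build_action(action: str, action_id: int, **fields) -> bytes:
    """Frame one AMI action: CRLF-separated 'Key: Value' lines, terminated by a blank line."""
    lines = [f"Action: {action}", f"ActionID: {action_id}"]
    lines += [f"{key}: {value}" for key, value in fields.items()]
    for line in lines:
        # A CR or LF inside a value would start a new header line inside this frame.
        if "\r" in line or "\n" in line:
            raise ValueError(f"CR/LF not allowed in AMI field: {line!r}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("utf-8")

def login_action(action_id: int, username: str, secret: str) -> bytes:
    return build_action("Login", action_id, Username=username, Secret=secret)

def monitor_action(action_id: int, channel: str, filename: str, fmt: str = "wav", mix: bool = True) -> bytes:
    """Start recording a channel (the Monitor action the answer points to)."""
    return build_action("Monitor", action_id, Channel=channel, File=filename,
                        Format=fmt, Mix="true" if mix else "false")

def stop_monitor_action(action_id: int, channel: str) -> bytes:
    """Stop recording a channel (StopMonitor)."""
    return build_action("StopMonitor", action_id, Channel=channel)

def parse_messages(raw: bytes):
    """Split a receive buffer into complete AMI messages (dicts); return (messages, remainder).
    The remainder is the trailing partial message that has not yet ended in a blank line."""
    messages = []
    while b"\r\n\r\n" in raw:
        block, raw = raw.split(b"\r\n\r\n", 1)
        message = {}
        for line in block.decode("utf-8", "replace").split("\r\n"):
            key, sep, value = line.partition(":")
            if sep:
                message[key.strip()] = value.strip()
        messages.append(message)
    return messages, raw

def result_for(messages, action_id: int):
    """Find the Response to a given ActionID: (success, message text), or None if not seen yet."""
    for message in messages:
        if message.get("ActionID") == str(action_id) and "Response" in message:
            return message["Response"] == "Success", message.get("Message", "")
    return None

# Constructed sample of what the manager socket might deliver: one complete response to
# ActionID 42 followed by the start of an unrelated event that has not fully arrived yet.
SAMPLE_BUFFER = (b"Response: Success\r\nActionID: 42\r\nMessage: Started monitoring channel\r\n\r\n"
                 b"Event: Newchannel\r\nPrivilege: call,all\r\nChannel: SIP/6001-0000")

if __name__ == "__main__":
    print(monitor_action(42, "SIP/6001-00000001", "rec-6001").decode())
    messages, rest = parse_messages(SAMPLE_BUFFER)
    print(result_for(messages, 42), rest)
```

In a live session you would send login_action first, then monitor_action for the channel to record, keep feeding received bytes into parse_messages (carrying the remainder forward) until result_for returns for your ActionID, and send stop_monitor_action when the recording should end. Moving the finished file off the server, as the answer says, is a separate step outside AMI.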