YRadius


The YRadius module adds RADIUS support to Yate so that calls can be billed using the well-known RADIUS billing mechanism.

The yradius module requires the cdrbuild module.

RADIUS Attributes

YRadius supports both Authentication (Authorization may be the better term for it) and Accounting. It doesn't support authentication of registrations yet.

It supports the following RADIUS attributes:

 User-Name
 User-Password
 NAS-IP-Address
 NAS-Port
 Vendor-Specific (only for Cisco's h323-conf-id)
 Session-Timeout
 Called-Station-Id
 Calling-Station-Id
 NAS-Identifier
 Acct-Status-Type
 Acct-Delay-Time
 Acct-Session-Id
 Acct-Session-Time

The h323-conf-id is the billing id used by YATE.

You can add as many RADIUS servers as you want.

Configuration File

The configuration has 3 sections:

  • The first is the general section, which specifies the IDs of the NAS.
  • The second is the NAS section. Each NAS section is named nasN, where N is the number of the NAS in this configuration: nas1, nas2, nas3 ... nasN.
  • The last is the RADIUS section, which describes a RADIUS server. It follows the same pattern, with sections named radius1, radius2, radius3 ... radiusN.

Right now one server is supported for each NAS. An option to have more backup servers will be added soon. You can, however, reference the same radius server section more than once from different NAS sections.

Disabling Accounting or Authentication

By default a radius section has both authentication and accounting enabled. This can be controlled by disabling the feature you don't want.

If you only want to bill then use:

  disable_auth=on

Comprehensive yradius.conf

[general]
nas_id=yatenas           ; identifier for this NAS
nas_ip=192.168.0.2       ; ip address of this nas
nas_port=5062            ; port to use for listening (can be anything)
priority=55


[nas1]
called_num=^1234\(.*\)$  ; number to match for authenticating/billing.
radsec=radius1           ; name of section containing info about RADIUS server, defined later
authfailnum=1235         ; number to route to if auth fails.
autherrnum=1236          ; number to route to if some other error occurs

[radius1]
server=192.168.0.2       ; address of RADIUS server
auth_port=1812           ; auth port for radius server
acct_port=1813           ; acct port for radius server
secret=nassecret         ; shared secret with RADIUS server
;disable_auth=on         ; disable auth for this radius server
;disable_acct=on         ; disable accounting for this radius server
timeoutsecs = 5          ; timeout for receiving reply from server
retries = 2              ; retries to send auth or acct packets

File yradius.conf

[general]
; set global parameters of the RADIUS client

; enabled: bool: Enable the RADIUS module
;enabled=true

; addr: ipaddress: IP address to bind to - must be set to enable, 0.0.0.0 is OK
;addr=

; port: integer: UDP port to bind to, must be non-zero
;port=1810

; single_socket: bool: Share the socket for requests (not recommended)
;single_socket=false

; local_time: bool: Use local timestamps instead of GMT
;local_time=false

; short_number: bool: Prefer to use parameter "called" over "calledfull"
;short_number=false

; auth_priority: integer: Priority of the user.auth handler
;auth_priority=70

; acct_priority: integer: Priority of the call.cdr handler
;acct_priority=70

; print_attributes: bool: Print returned attributes on debug level ALL
;print_attributes=false

; cisco_attributes: bool: Set hardcoded attributes in Cisco format
;cisco_attributes=true

; quintum_attributes: bool: Set hardcoded attributes in Quintum format
; NOTE: The Cisco and Quintum attributes can be enabled both at the same time
; and the hardcoded attributes will be added as Cisco and Quintum attributes
;quintum_attributes=false


[portabill]
; Settings related to interoperation with PortaOne's PortaBill

; enabled: bool: Enable handling of the routing parameters
;enabled=no

; parallel: bool: Make outgoing calls in parallel instead of sequence
;parallel=no

; simplify: bool: Simplify returned partial URIs by stripping parameters
;simplify=no

; maxcall: int: Maximum time to wait until call is answered in milliseconds
;maxcall=

; stoperror: string: Regular expression matching the names of the errors
;  that will terminate the entire call, not just one route
;stoperror=busy


;[nas]
;There can be several sections named [nas] or [nas SOMETHING]

; rad_auth: bool: Enable authentication on this virtual NAS
;rad_auth=yes

; rad_acct: bool: Enable accounting on this virtual NAS
;rad_acct=yes

; rad_server: string: Name of the server to use, default [radius SOMETHING]
;rad_server=

; add: will add an attribute to the RADIUS request
;add:attribute-name=EXPRESSION
;add:subtype:attribute-name=EXPRESSION

; set: will set message parameters
;set:paramname=EXPRESSION

; ret: will set authentication returned attributes back into message
;ret:attribute-name=paramname

; ret-fail: will set returned attributes from auth rejection back into message
;ret-fail:attribute-name=paramname

; Any other parameter will attempt to match the right hand Regexp
;paramname=REGEXP


[nas register]
; Sample SIP REGISTER authentication NAS
rad_acct=false
rad_server=common
protocol=sip
method=REGISTER
add:Service-Type=15
add:Cisco-AVPair=h323-session-protocol=sipv2


[nas invite]
; Sample SIP INVITE authentication NAS
rad_acct=false
rad_server=common
protocol=sip
method=INVITE
add:Service-Type=15
add:Cisco-AVPair=h323-session-protocol=sipv2
; PortaOne specific
;add:Cisco-AVPair=h323-ivr-out=PortaBilling_Routing:SIP


[nas auth]
; Sample authentication NAS
; Settings and matching rules specific to this virtual Network Access Server
rad_acct=no
rad_server=common
; Some RADIUS attributes you're likely to set
add:Service-Type=8


[nas acct]
; Sample accounting NAS
; Settings and matching rules specific to this virtual Network Access Server
rad_auth=no
rad_server=common
; Some RADIUS attributes you're likely to set
add:h323-disconnect-cause=${cause_q931}
add:Acct-Delay-Time=0


[radius common]
; Settings specific to this RADIUS server
; server: ipaddress: IP address of the server - must be set
;server=

; secret: string: Secret token (password) used to authenticate to the server
;secret=

; auth_port: integer: UDP port used by the server for authentication
;auth_port=1812

; acct_port: integer: UDP port used by the server for accounting
;acct_port=1813

; timeout: integer: How much to wait for an answer from the server (milliseconds)
;timeout=2000

; retries: integer: How many attempts to make until timing out
;retries=2

; Some RADIUS attributes you're likely to set
add:Cisco-NAS-Port=${chan}
add:NAS-Identifier=Yate
;add:NAS-IP-Address=
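
A pre-deployment check for a file in the [nas NAME] / [radius NAME] layout shown above. This is an added example, not part of Yate or of the original page: it flags the keys the comments mark as "must be set" and any rad_server that names a missing [radius ...] section. The function names, the sample file and the empty-secret check are assumptions made for illustration.

```python
# Constructed sample using the [nas NAME] / [radius NAME] layout from this page.
SAMPLE = """\
[general]
;addr=
[nas auth]
rad_server=common
add:Service-Type=8
[nas acct]
rad_auth=no
rad_server=backup
[radius common]
server=192.0.2.10
;secret=
"""

def parse(text):
    """Return {section: {key: value}}. Assumption: ';' starts a comment anywhere
    on a line, as in the page's first sample; repeated keys keep the last value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            # Normalise inner whitespace so "[nas  auth]" and "[nas auth]" match.
            current = sections.setdefault(" ".join(line[1:-1].split()), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def audit(text):
    """Check the documented 'must be set' keys and dangling rad_server names."""
    sections = parse(text)
    findings = []
    if not sections.get("general", {}).get("addr"):
        findings.append("[general] addr is not set (required to enable the module)")
    for name, conf in sections.items():
        kind = name.split(" ")[0]
        if kind == "nas" and conf.get("rad_server"):
            target = "radius " + conf["rad_server"]
            if target not in sections:
                findings.append(f"[{name}] rad_server points to missing [{target}]")
        elif kind == "radius":
            if not conf.get("server"):
                findings.append(f"[{name}] server is not set")
            if not conf.get("secret"):  # added check, not a rule stated on the page
                findings.append(f"[{name}] secret is empty or commented out")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
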

