From CINEMA v1.20, sipd can use an external RADIUS server for logging and accounting. Accounting information about specific events such as INVITE, BYE and REGISTER can be logged using RADIUS. A detailed description of packet formats, attributes etc. can be found in the Internet Draft. This document focuses on configuring the Yard RADIUS server for use with sipd.
sipd has an extensible logging facility. Users can configure several loggers such as SQL, RADIUS, text file etc. to be used at the same time. In order to configure RADIUS, a logger entry needs to be added to the sipd_log table through the web interface. The logger entry has the following syntax: radius://user:password@radius-server[:port]. The user name and password are shared between the RADIUS server and sipd. The password is used as the key for computing an MD5 MAC over the RADIUS packet, and this is used by the RADIUS server for integrity verification.
On startup, sipd will start the RADIUS accounting service automatically, if a RADIUS logger entry is present in the database.
radiusd is started by the command ./radiusd with the following options:
-a acct_dir          /usr/local/yardradius/logs
-b                   use GDBM for the users file in /conf
-c                   clear the user stats database
-d db_dir            /usr/local/yardradius/logs
-f alt_passwd_file   /etc/passwd
-i ip_addr
-l log_file          syslog
-p udp_port          1812
Although the udp_port is set to 1812, the RADIUS accounting server listens on port 1813. 1812 refers to the port used by the RADIUS authentication/ authorisation server.
radiusd requires a group of configuration files under /usr/local/yardradius/conf in order to work properly.
/usr/local/yardradius/conf/users - This file contains the human-readable information for users' accounting and authorization.
/usr/local/yardradius/conf/dictionary - This read-only file contains the codes and formats for standard and vendor RADIUS protocol attributes and values along with their human-readable representation.
/usr/local/yardradius/conf/clients - It contains the names or IP addresses of remote clients authorized to use the server for authentication and accounting. One should use 600 level protection for this file, as it also contains the shared secret.
/usr/local/yardradius/conf/allowuser - It lists (one per line) the usernames/groupnames that are granted access (if their passwords are correct). Each entry must follow one of the following syntaxes:
USER:
GROUP:
GECOS:
SHELL:
An empty or missing file grants access to anyone who is not listed in the next file. For testing purposes the values were set to ANY.
/usr/local/yardradius/conf/denyuser - The same syntax as allowuser can be used to deny access to specific classes of users, with the same matching criteria as above. An empty or missing file grants access to anyone, whether listed in the previous file or not.
All logging and accounting files of YARD RADIUS are stored under /usr/local/yardradius/logs. It also creates some specific binary files to store the on-line status of users and to collect user statistics.
RADIUS servers use a dictionary for mapping RADIUS attributes (numeric integers) to symbolic names. The dictionary is customizable, and the following entries need to be added to the dictionary for mapping SIP-specific attributes:
VALUE Service-Type Sip-session 12
#Columbia University VSAs
VENDOR Columbia-University 11862
ATTRIBUTE Sip-Method 0 integer Columbia-University
ATTRIBUTE Sip-From 1 string Columbia-University
ATTRIBUTE Sip-To 2 string Columbia-University
ATTRIBUTE Sip-Translated-Request-URI 4 string Columbia-University
VALUE Sip-Method INVITE 0
VALUE Sip-Method BYE 1
VALUE Sip-Method REGISTER 2
VALUE Sip-Method OTHER 3
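As an added example (not code from sipd or Yard RADIUS), the following Python builds an Accounting-Request carrying the Columbia-University VSAs defined in the dictionary above, checks its Request Authenticator with the shared secret the way the server does, and decodes the attributes back to the dictionary names. It assumes sipd encodes these VSAs in the standard RFC 2865 Vendor-Specific layout; the secret and packet values are constructed, modelled on the REGISTER record shown on this page.

```python
import hashlib, hmac, struct

VENDOR_COLUMBIA = 11862                       # VENDOR line of the dictionary above
SIP_VSA = {0: "Sip-Method", 1: "Sip-From", 2: "Sip-To", 4: "Sip-Translated-Request-URI"}
SIP_METHOD = {0: "INVITE", 1: "BYE", 2: "REGISTER", 3: "OTHER"}

def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value

def vsa(vendor_type: int, value: bytes) -> bytes:
    # Vendor-Specific (26) in RFC 2865 layout: vendor-id, then vendor-type/length/value.
    # Assumption: sipd encodes the Columbia-University attributes this standard way.
    return attr(26, struct.pack("!I", VENDOR_COLUMBIA) + attr(vendor_type, value))

def build_acct_request(secret: bytes, ident: int, attrs: bytes) -> bytes:
    # Request Authenticator per RFC 2866: MD5(code|id|length|16 zero bytes|attrs|secret).
    header = struct.pack("!BBH", 4, ident, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs

def verify_acct_request(secret: bytes, pkt: bytes) -> bool:
    # Server-side check using the 'password' part of radius://user:password@host.
    if len(pkt) < 20 or pkt[0] != 4 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])   # constant-time compare

def parse_attrs(pkt: bytes) -> dict:
    out, i = {}, 20
    while i < len(pkt):
        t, ln = pkt[i], pkt[i + 1]
        if ln < 2 or i + ln > len(pkt):
            raise ValueError("malformed attribute length")
        v = pkt[i + 2:i + ln]
        if t == 26 and struct.unpack("!I", v[:4])[0] == VENDOR_COLUMBIA:
            vt, val = v[4], v[6:v[5] + 4]             # skip vendor-id, vendor-type, vendor-length
            name = SIP_VSA.get(vt, f"Columbia-{vt}")
            out[name] = SIP_METHOD[struct.unpack("!I", val)[0]] if vt == 0 else val.decode()
        elif t == 1:                                  # User-Name
            out["User-Name"] = v.decode()
        i += ln
    return out

def demo(secret: bytes = b"constructed-secret") -> dict:
    # Constructed packet mirroring the REGISTER record shown on this page.
    attrs = (attr(1, b"sip:kns10@cs.columbia.edu") + vsa(0, struct.pack("!I", 2))
             + vsa(1, b"sip:kns10@cs.columbia.edu") + vsa(4, b"sip:conductor.cs.columbia.edu"))
    pkt = build_acct_request(secret, 7, attrs)
    return {"ok": verify_acct_request(secret, pkt), "attrs": parse_attrs(pkt),
            "wrong_secret_ok": verify_acct_request(b"wrong-secret", pkt)}
```

Because the authenticator is recomputed from the whole packet plus the secret, a packet from a host that does not hold the secret in the clients file, or one modified in transit, fails verification and should be logged rather than accounted.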
A sample accounting record written by Yard RADIUS for a REGISTER request:
Acct-Status-Type = Start
Acct-Status-Type = Accounting-On
Acct-Session-Id = "93fd4557-9e6b-47be-b380-76b737250c0b@thalys.cs.columbia.edu"
Acct-Authentic = Remote
User-Name = "sip:kns10@cs.columbia.edu"
NAS-IP-Address = 128.59.19.69
NAS-Port = 5060
Acct-Delay-Time = 0
Event-Timestamp = 1010169606
Service-Type = Sip-session
Sip-Method = REGISTER
Sip-From = "sip:kns10@cs.columbia.edu"
Sip-To = "sip:kns10@cs.columbia.edu"
Sip-Translated-Request-URI = "sip:conductor.cs.columbia.edu"
Timestamp = 1010169691
Last updated Fri Jan 4 13:41:31 2002 by Sankaran Narayanan @ Internet Real-Time Laboratory