Improving RADIUS Support

Current status (up to and including the current release)

Currently, RADIUS support is in two places:

• rutil/RADIUSDigestAuthenticator
  • uses radiusclient-ng to do SIP (DIGEST MD5) authentication as per draft-sterman-aaa-sip-01
  • works with FreeRADIUS server's rlm_digest module
• resip/dum/RADIUSServerAuthManager
  • uses the code from RADIUSDigestAuthenticator to authenticate SIP clients

Please see our main RADIUS page for details of how to use it.

Eventual improvement

We would also like to use RADIUS for TURN. TURN uses HMAC-SHA1 rather than DIGEST-MD5 and therefore it requires a different module in FreeRADIUS and different attribute/value pairs must be submitted to the RADIUS server.

An initial cut of the FreeRADIUS module already exists, it is called rlm_hmac. The FreeRADIUS maintainers have suggesting some changes to it, but it is sufficient as a proof of concept.

To achieve this, rutil/RADIUSDigestAuthenticator needs to be split into two parts:

• low level RADIUS wrapper around radiusclient-ng
  • no knowledge of SIP DIGEST
  • wraps the C client code
  • takes AV set as arguments
  • takes RADIUS config filename as argument
  • do lookup, return arbitrary attributes/values
• SIP DIGEST and TURN-HMAC helper classes
  • both classes should leverage the low level code just described
  • based on the existing rutil/RADIUSDigestAuthenticator API perhaps
• adapt resip/dum/RADIUSServerAuthManager to work in repro
  • repro needs a "monkey" that implements similar logic when forwarding requests
  • repro only uses the DUM authenticators for certain requests, such as registrations
• implement in reTurn