*Configuration
10. Radiusclient-ng configuration
vi clients.conf
add:
x.x.x.x testing123
localhost testing123
vi radiusclient.conf
edit:
authserver localhost <--- recommended! using x.x.x.x is slower and easy to fail
acctserver localhost <--- recommended! using 5x.x.x.x is slower and easy to fail
vi dictionary add: $INCLUDE /usr/local/etc/radiusclient-ng/dictionary.openser cp /usr/local/etc/openser/dictionary.radius /usr/local/etc/radiusclient-ng/dictionary.openser 11. Openser configuration dictionary.radius mv /usr/local/etc/openser/dictionary.radius /usr/local/etc/openser/dictionary.radius.bak vi /usr/local/etc/openser/dictionary.radius add: #### Attributes ### #ATTRIBUTE User-Name 1 string # RFC2865 #ATTRIBUTE Service-Type 6 integer # RFC2865 #ATTRIBUTE Called-Station-Id 30 string # RFC2865, acc #ATTRIBUTE Calling-Station-Id 31 string # RFC2865, acc #ATTRIBUTE Acct-Status-Type 40 integer # RFC2865, acc #ATTRIBUTE Acct-Session-Id 44 string # RFC2865, acc ATTRIBUTE Password 2 string ATTRIBUTE Sip-Method 101 integer # Schulzrinne, acc ATTRIBUTE Sip-Response-Code 102 integer # Schulzrinne, acc ATTRIBUTE Sip-Cseq 103 string # Schulzrinne, acc ATTRIBUTE Sip-To-Tag 104 string # Schulzrinne, acc ATTRIBUTE Sip-From-Tag 105 string # Schulzrinne, acc ATTRIBUTE Sip-Translated-Request-URI 107 string # Proprietary, acc ATTRIBUTE Sip-Src-IP 108 string # Proprietary, acc ATTRIBUTE Sip-Src-Port 109 string # Proprietary, acc ATTRIBUTE Digest-Response 206 string # Sterman, auth_radius ATTRIBUTE Sip-Uri-User 208 string # Proprietary, auth_radius ATTRIBUTE Sip-Group 211 string # Proprietary, group_radius ATTRIBUTE Sip-Rpid 213 string # Proprietary, auth_radius ATTRIBUTE SIP-AVP 225 string # Proprietary, avp_radius ATTRIBUTE Digest-Realm 1063 string # Sterman, auth_radius ATTRIBUTE Digest-Nonce 1064 string # Sterman, auth_radius ATTRIBUTE Digest-Method 1065 string # Sterman, auth_radius ATTRIBUTE Digest-URI 1066 string # Sterman, auth_radius ATTRIBUTE Digest-QOP 1067 string # Sterman, auth_radius ATTRIBUTE Digest-Algorithm 1068 string # Sterman, auth_radius ATTRIBUTE Digest-Body-Digest 1069 string # Sterman, auth_radius ATTRIBUTE Digest-CNonce 1070 string # Sterman, auth_radius ATTRIBUTE Digest-Nonce-Count 1071 string # Sterman, auth_radius ATTRIBUTE Digest-User-Name 1072 string # Sterman, auth_radius ATTRIBUTE Digest-User-Password 1073 string # by jww ### CISCO Vendor Specific Attributes ### #VENDOR Cisco 9 #ATTRIBUTE Cisco-AVPair 1 string Cisco # VSA, auth_radius ### Acct-Status-Type Values ### VALUE Acct-Status-Type Start 1 # RFC2866, acc VALUE Acct-Status-Type Stop 2 # RFC2866, acc VALUE Acct-Status-Type Failed 15 # RFC2866, acc ### Service-Type Values ### VALUE Service-Type Call-Check 10 # RFC2865, uri_radius VALUE Service-Type Group-Check 12 # Proprietary, group_radius VALUE Service-Type Sip-Session 15 # Schulzrinne, acc, auth_radius VALUE Service-Type SIP-Caller-AVPs 30 # Proprietary, avp_radius VALUE Service-Type SIP-Callee-AVPs 31 # Proprietary, avp_radius VALUE Sip-Method INVITE 1 # Proprietary, acc VALUE Sip-Method CANCEL 2 # Proprietary, acc VALUE Sip-Method ACK 4 # Proprietary, acc VALUE Sip-Method BYE 8 # Proprietary, acc VALUE Auth-Type DIGEST 1050 mv /usr/local/etc/openser/openser.conf /usr/local/etc/openser/openser.conf.bak vi /usr/local/etc/openser/openser.conf add: # ----------- global configuration parameters ------------------------ debug=7 # debug level (cmd line: -dddddddddd) fork=yes log_stderror=no # (cmd line: -E) check_via=no # (cmd. line: -v) dns=no # (cmd. line: -r) rev_dns=no # (cmd. line: -R) port=5060 children=4 listen=59.125.160.36 fifo="/tmp/openser_fifo" #fifo_db_url="mysql://openser:openserrw@localhost/openser" # ------------------ module loading ---------------------------------- mpath="/usr/local/lib/openser/modules" loadmodule "mysql.so" loadmodule "sl.so" loadmodule "tm.so" loadmodule "rr.so" loadmodule "maxfwd.so" loadmodule "avpops.so" loadmodule "usrloc.so" loadmodule "registrar.so" loadmodule "textops.so" loadmodule "xlog.so" loadmodule "uri.so" loadmodule "acc.so" loadmodule "auth.so" loadmodule "auth_radius.so" loadmodule "group_radius.so" loadmodule "avp_radius.so" loadmodule "nathelper.so" loadmodule "group.so" # ------------DB auth ---------------------- #loadmodule "auth_db.so" #modparam("auth_db", "password_column","password") # -------------Voicemail -------------------- #tm timeout for voicemail params modparam("tm", "fr_timer", 25) modparam("tm", "fr_inv_timer", 25) modparam("tm", "noisy_ctimer", 1) # ----------------- setting module-specific parameters --------------- # -- usrloc params -- #modparam("usrloc","db_url","mysql://openser:openserrw@localhost/openser") modparam("usrloc", "db_mode", 2) # -- acc params -- modparam("acc", "radius_flag", 1) modparam("acc", "radius_missed_flag", 2) modparam("acc", "log_flag", 1) modparam("acc", "log_missed_flag", 1) modparam("acc", "service_type", 15) modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp") modparam("acc|auth_radius|group_radius|avp_radius", "radius_config", "/usr/local/etc/radiusclient-ng/radiusclient.conf") modparam("registrar", "default_expires", 60) modparam("registrar", "min_expires", 30) modparam("registrar", "nat_flag", 6) modparam("registrar", "sip_natping_flag", 7) # -------Nat Helper --------------------- modparam("nathelper", "natping_interval", 30) modparam("nathelper", "ping_nated_only", 1) modparam("nathelper", "rtpproxy_sock", "udp:127.0.0.1:7890") #modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock") modparam("nathelper", "sipping_method", "INFO") # -- group_radius params -- modparam("group_radius", "use_domain", 1) # -- avpops params -- modparam("avpops", "avp_aliases", "day=i:101;time=i:102") modparam("avpops", "avp_table", "usr_preferences") # -- rr params -- # add value to ;lr param to make some broken UAs happy modparam("rr", "enable_full_lr", 1) # ------------------------- request routing logic ------------------- # main routing logic route{ # initial sanity checks -- messages with # max_forwards==0, or excessively long requests if (!mf_process_maxfwd_header("10")) { sl_send_reply("483","Too Many Hops"); exit; }; if (msg:len >= 2048 ) {
sl_send_reply("513", "Message too big");
exit;
};
# NAT detection
route(2);
# check if user is suspended
if(is_method("REGISTER|INVITE|MESSAGE|OPTIONS|SUBSCRIBE"))
{
if (radius_is_user_in("From", "suspended")) {
sl_send_reply("403", "Forbidden - suspended");
exit;
};
};
# we record-route all messages -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
if (!method=="REGISTER"){
record_route();
}
# subsequent messages withing a dialog should take the
# path determined by record-routing
if (loose_route()) {
# mark routing logic in request
append_hf("P-hint: rr-enforced\r\n");
if(method == "BYE" || method == "CANCEL" )
{
# log it all the time
acc_rad_request("200 ok");
acc_log_request("200 ok");
}
route(1);
};
if (!uri==myself) {
# check if user is allowed to do voip calls to other domains
if(method == "INVITE" || method == "MESSAGE") {
if (!radius_is_user_in("From", "voip")) {
sl_send_reply("403", "Forbidden VoIP");
exit;
};
};
# mark routing logic in request
append_hf("P-hint: outbound\r\n");
route(1);
};
# if the request is for other domain use UsrLoc
# (in case, it does not work, use the following command
# with proper names and addresses in it)
if (uri==myself) {
# authenticate registers
if (method=="REGISTER") {
if (!radius_www_authorize("x.x.x.x")) {
www_challenge("x.x.x.x", "0");
exit;
};
# check the src ip address
#if(!avp_check("$avp(i:2)", "eq/$src_ip/ig")) {
# sl_send_reply("403", "Forbidden IP");
# exit;
#};
if (isflagset(5)) {
setflag(6);
# if you want OPTIONS natpings uncomment next
# setflag(7);
};
save("location");
exit;
};
# calls to pstn
#if(uri=~"sip:00[1-9][0-9]+@") {
# if(is_method("INVITE") && !has_totag()) {
# if (!radius_is_user_in("From", "pstn")) {
# sl_send_reply("403", "Forbidden PSTN");
# exit;
# };
# };
# #set gateway address
# rewritehostport("x.x.x.x:5090");
# route(1);
#};
# requests for Media server
if(is_method("INVITE") && !has_totag() && uri=~"sip:\*9") {
route(3);
exit;
}
# mark transaction if user is in voicemail group
if(is_method("INVITE") && !has_totag()
&& is_user_in("Request-URI","voicemail"))
{
xdbg("user [$ru] has voicemail redirection enabled\n");
# backup R-URI
avp_write("$ruri", "$avp(i:10)");
setflag(2);
};
# load callee's avps
if(avp_load_radius("callee")){
# check if user has time filter enabled
if(avp_check("$avp(i:3)", "eq/i:1")){
# print time in an avp
avp_printf("$avp(i:100)", "$Tf");
# extract day
avp_subst("$avp(i:100)/$avp(i:101)", "/(.{3}) .+/*\1*/");
if(!avp_check("$avp(i:6)", "fm/$day")) {
sl_send_reply("403", "Forbidden - day");
exit;
};
# extract 'hours:minutes'
avp_subst("$avp(i:100)/$avp(i:102)", "/(.{10}) (.{5}):.+/\2/");
if((is_avp_set("$avp(i:4)") && avp_check("$avp(i:4)", "gt/$time"))
|| (is_avp_set("$avp(i:5)") && avp_check("$avp(i:5)", "lt/$time"))) {
sl_send_reply("403", "Forbidden - time");
exit;
};
};
};
# native SIP destinations are handled using our USRLOC DB
if (!lookup("location")) {
if(isflagset(2)) {
# route to Asterisk Media Server
prefix("1");
rewritehostport("127.0.0.1:5070");
route(1);
} else {
# log to acc as missed call
acc_rad_request("404 Not Found");
acc_log_request("404 Not Found");
sl_send_reply("404", "Not Found");
exit;
}
};
append_hf("P-hint: usrloc applied\r\n");
};
route(1);
}
# generic forward
route[1] {
# send it out now; use stateful forwarding as it works reliably
# even for UDP2TCP
if(isflagset(2)){
t_on_failure("1");
};
if (subst_uri('/(sip:.*);nat=yes/\1/')){
setflag(6);
};
if (isflagset(5)||isflagset(6)) {
route(4);
}
if (!t_relay()) {
sl_reply_error();
};
exit;
}
route[2]{
force_rport();
if (nat_uac_test("19")) {
if (method=="REGISTER") {
fix_nated_register();
} else {
fix_nated_contact();
};
setflag(5);
};
}
# voicemail access
# - *98 - listen caller's voice messages, being prompted for pin
# - *981 - listen voice messages, being promted for mailbox and pin
# - *98XXXX - leave voice message to XXXX
#
route[3] {
# direct voicemail
if (uri =~ "sip:\*98@" ) {
rewriteuser("1");
xdbg("voicemail access\n");
} else if (uri =~ "sip:\*981@" ) {
strip(4);
rewriteuser("11");
} else if (uri =~ "sip:\*98.+@" ) {
strip(3);
prefix("1");
} else {
xlog("unknown media extension $rU\n");
sl_send_reply("404", "Unknown media service");
exit;
}
# route to Asterisk Media Server
rewritehostport("127.0.0.1:5070");
route(1);
}
route[4] {
if (is_method("BYE|CANCEL")) {
unforce_rtp_proxy();
} else if (is_method("INVITE")){
force_rtp_proxy();
t_on_failure("2");
};
if (isflagset(5))
search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
t_on_reply("1");
}
onreply_route[1] {
if ((isflagset(5) || isflagset(6)) && status=~"(183)|(2[0-9][0-9])") {
force_rtp_proxy();
}
search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
if (isflagset(6)) {
fix_nated_contact();
}
exit;
}
failure_route[1]{
if (t_was_cancelled()) {
xdbg("transaction was cancelled by UAC\n");
return;
}
# restore initial uri
avp_pushto("$ruri", "$avp(i:10)");
prefix("1");
# route to Asterisk Media Server
rewritehostport("127.0.0.1:5070");
resetflag(2);
route(1);
}
failure_route[2] {
if (isflagset(6) || isflagset(5)) {
unforce_rtp_proxy();
}
}
#
mv /usr/local/etc/openser/openserctlrc /usr/local/etc/openser/openserctlrc.bak
vi /usr/local/etc/openser/openserctlrc
add:
# $Id: openserctlrc,v 1.2 2006/07/05 19:37:20 miconda Exp $
#
# openser control tool resource file
#
# here you can set variables used in the openserctl
## your SIP domain
SIP_DOMAIN=x.x.x.x
## database type: MYSQL or PGSQL, by defaulte none is loaded
DBENGINE=MYSQL
## database host
DBHOST=localhost
## database name
DBNAME=openser
## database read/write user
DBRWUSER=openser
## database read only user
DBROUSER=openserro
## password for database read only user
DBROPW=openserro
## database super user
DBROOTUSER="root"
## type of aliases used: DB - database aliases; UL - usrloc aliases
## - default: none
ALIASES_TYPE="DB"
## control engine: FIFO or UNIXSOCK
## - default FIFO
CTLENGINE="FIFO"
## path to FIFO file
# OSER_FIFO="FIFO"
## check ACL names; default on (1); off (0)
VERIFY_ACL=1
## ACL names - if VERIFY_ACL is set, only the ACL names from below list
## are accepted
ACL_GROUPS="local ld int voicemail free-pstn"
## verbose - debug purposes - default '0'
VERBOSE=1
12. Freeradius configuration
cp /usr/local/etc/raddb/radiusd.conf /usr/local/etc/raddb/radiusd.conf.bak
vi /usr/local/etc/raddb/radiusd.conf
add:
modules {
...
#
# The 'digest' module currently has no configuration.
#
# "Digest" authentication against a Cisco SIP server.
# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
# on performing digest authentication for Cisco SIP servers.
#
digest {
}
...
}
authorize {
...
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
digest
...
}
...
authenticate {
...
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
digest
...
}
cp /usr/local/etc/raddb/directionary /usr/local/etc/raddb/directionary.bak
vi directionary
add
$INCLUDE /usr/local/etc/radiusclient-ng/dictionary.openser
cp /usr/local/etc/raddb/clients.conf /usr/local/etc/raddb/clients.conf
vi clients.conf
add:
client x.x.x.x {
secret = testing123
shortname = x.x.x.x
nastype = other
}
cp /usr/local/etc/raddb/users /usr/local/etc/raddb/users
vi uesrs
edit:
#DEFAULT Auth-Type = System
# Fall-Through = 1
add: (example)
### --- avps ---
0003@x.x.x.x Auth-Type := Accept, Service-Type == "SIP-Callee-AVPs"
Sip-Avp += "#3#0",
Sip-Avp += "#4:08:00",
Sip-Avp += "#5:16:00",
Sip-Avp += "#6:Mon,Wed,Thu,Fri"
0005@x.x.x.x Auth-Type := Accept, Service-Type == "SIP-Callee-AVPs"
Sip-Avp += "#3#0",
Sip-Avp += "#4:08:00",
Sip-Avp += "#5:16:00",
Sip-Avp += "#6:Mon,Wed,Thu,Free"
# #3#1= enable the time-base checking
### --- group checking ---
0003@x.x.x.x Auth-Type := Accept, Sip-Group == "voip", Service-Type == "Group-Check"
Reply-Message = "Authorized"
0003@x.x.x.x Auth-Type := Accept, Sip-Group == "pstn", Service-Type == "Group-Check"
Reply-Message = "Authorized"
0005@x.x.x.x Auth-Type := Accept, Sip-Group == "voip", Service-Type == "Group-Check"
Reply-Message = "Authorized"
0005@x.x.x.x Auth-Type := Accept, Sip-Group == "pstn", Service-Type == "Group-Check"
Reply-Message = "Authorized"
DEFAULT Auth-Type := Reject, Service-Type == "Group-Check"
### --- user authentication ---
0003@x.x.x.x Auth-Type := Digest, User-Password == "0003"
Sip-Avp += "rpid:0003",
Sip-Avp += "#2:x.x.x.x",
Reply-Message = "Authenticated"
0005@x.x.x.x Auth-Type := Digest, User-Password == "0005"
Sip-Avp += "rpid:0005",
Sip-Avp += "#2:x.x.x.x",
Reply-Message = "Authenticated"
13. Asterisk configuration
edit /etc/asterisk/sip.conf
bindport=5070 ; UDP Port to bind to (SIP standard port is 5060)
bindaddr=x.x.x.x
checkmwi=10
[openser]
type=friend
context=default
host=localhost
insecure=very
edit /etc/asterisk/extconfig.conf
;for Mysql driver (asterisk add-on needed)
;sipusers => mysql,asterisk,sipusers
;sippeers => mysql,asterisk,sipusers
;voicemail => mysql,asterisk,vmusers
;for odbc driver (unixODBC needed )
sipusers => odbc,asterisk,sipusers
sippeers => odbc,asterisk,sipusers
voicemail => odbc,asterisk,vmusers
PS cannot use both two drivers as the same time!
for storing voicemail into database, ODBC is required.
;edit /etc/asterisk/res_mysql.conf insert:
;[general]
;dbhost = localhost
;dbname = asterisk
;dbuser = asterisk (or root)
;dbpass = asterisk (or root-password if user is root)
;dbport = 3306
edit /etc/asterisk/res_odbc.conf:
[asterisk]
enabled => yes
dsn => MySQL-asterisk
username => asterisk
password => asterisk
pre-connect => yes
vi /etc/odbc.ini
[MySQL-asterisk]
Description = MySQL Asterisk database
Trace = Off
TraceFile = stderr
Driver = MySQL
SERVER = localhost
USER = asterisk
PASSWORD = asterisk
PORT = 3306
DATABASE = asterisk
vi /etc/odbcinst.ini
[MySQL]
Description = MySQL driver
Driver = /usr/lib/libmyodbc3.so
Setup = /usr/lib/libodbcmyS.so
CPTimeout =
CPReuse =
UsageCount = 1
edit /etc/asterisk/extensions.conf
exten => 1,1,Ringing
exten => 1,2,VoicemailMain(${CALLERID(num)})
exten => 1,3,Hangup
exten => 11,1,Ringing
exten => 11,2,VoicemailMain()
exten => 11,3,Hangup
exten => _1XXXX,1,Ringing
;exten => _1XXXX,2,MailboxExists(${EXTEN:1})
;exten => _1XXXX,3,Playback(invalid)
;exten => _1XXXX,4,Hangup
;exten => _1XXXX,103,Voicemail(u${EXTEN:1})
;exten => _1XXXX,104,Hangup
exten => _1XXXX,2,Voicemail(u${EXTEN:1})
exten => _1XXXX,3,Hangup
給SLR680和Sonar專用的保護袋。不像是一般的Sx70有多種專用皮袋,原廠SLR680&Sonar的袋子很少見,大多是拿尺寸差不多的袋子充當(很醜),或是購買日本的Porter出的專門包(很貴,比一台相機還貴)。雖然偶而在Ebay上能看到有含保護袋的相機在拍賣,但對於已經擁有相機的我來說是不可能為了一個袋子再買一台相機的。再說,市面上能看到的袋子都是又醜又厚重的黑皮袋,一點都不適合外出攜帶(出門帶兩個袋子很不方便),原本我是用鏡頭布來包裹,但沒辦法包裹整個相機,且每次使用前和後都要花時間在打開和再包裹,實在很麻煩。還好,某天在網上閑晃時發現了有專門定製的保護袋,價錢上也不貴,一個加厚的雙層袋才210元,還有不同顏色可以選,一口氣就定了兩個給SLR680和Sonar。放入相機後體積也沒大多少,還可以放進背包裡,這樣就不用背兩個袋子出門了。
3. 反面
4.開啟後
5.另一角度
Melton hall - the University of Nottingham 提供給在Jubilee campus研究生的宿舍,09/2004~09/2005的一整年就是待在這裡,當時號稱全校最高檔的宿舍,因為每間房都有個人衛浴設施,每星期也都有人來打掃,再加上距離系所不到五分鐘的路程在寒冷的冬天是很吸引人的,不過缺點就是貴....
很有趣的裝飾品,上圖的飛天豬是大姊家中的裝飾品,乍看之下並沒有啥特別之處,但是仔細看各個重要的特徵都由簡單的線條輕易的達成,帶有著簡單中不失重點;加上翅膀,又顯示著平凡中帶點特別。所使用的材料也並非一般常見的陶土或是木雕,而是由沉甸甸的鐵塊所構成的,各人倒是蠻喜歡的。
英國著名的建築物- 大鵬鐘(Big Ben),真不知道是誰翻譯出來的名字,曾經還看過翻成"大笨鐘".(我是看旅遊書才知道中文的翻譯)
