Sunday, May 20, 2007

Asterisk + Openser + Freeradius + Mysql (2)

*Configuration

10. Radiusclient-ng configuration
vi clients.conf
add:
x.x.x.x testing123
localhost testing123

vi radiusclient.conf
edit:
authserver localhost <--- recommended! using x.x.x.x is slower and easy to fail
acctserver localhost <--- recommended! using 5x.x.x.x is slower and easy to fail

vi dictionary add: $INCLUDE /usr/local/etc/radiusclient-ng/dictionary.openser cp /usr/local/etc/openser/dictionary.radius /usr/local/etc/radiusclient-ng/dictionary.openser 11. Openser configuration dictionary.radius mv /usr/local/etc/openser/dictionary.radius /usr/local/etc/openser/dictionary.radius.bak vi /usr/local/etc/openser/dictionary.radius add: #### Attributes ### #ATTRIBUTE User-Name 1 string # RFC2865 #ATTRIBUTE Service-Type 6 integer # RFC2865 #ATTRIBUTE Called-Station-Id 30 string # RFC2865, acc #ATTRIBUTE Calling-Station-Id 31 string # RFC2865, acc #ATTRIBUTE Acct-Status-Type 40 integer # RFC2865, acc #ATTRIBUTE Acct-Session-Id 44 string # RFC2865, acc ATTRIBUTE Password 2 string ATTRIBUTE Sip-Method 101 integer # Schulzrinne, acc ATTRIBUTE Sip-Response-Code 102 integer # Schulzrinne, acc ATTRIBUTE Sip-Cseq 103 string # Schulzrinne, acc ATTRIBUTE Sip-To-Tag 104 string # Schulzrinne, acc ATTRIBUTE Sip-From-Tag 105 string # Schulzrinne, acc ATTRIBUTE Sip-Translated-Request-URI 107 string # Proprietary, acc ATTRIBUTE Sip-Src-IP 108 string # Proprietary, acc ATTRIBUTE Sip-Src-Port 109 string # Proprietary, acc ATTRIBUTE Digest-Response 206 string # Sterman, auth_radius ATTRIBUTE Sip-Uri-User 208 string # Proprietary, auth_radius ATTRIBUTE Sip-Group 211 string # Proprietary, group_radius ATTRIBUTE Sip-Rpid 213 string # Proprietary, auth_radius ATTRIBUTE SIP-AVP 225 string # Proprietary, avp_radius ATTRIBUTE Digest-Realm 1063 string # Sterman, auth_radius ATTRIBUTE Digest-Nonce 1064 string # Sterman, auth_radius ATTRIBUTE Digest-Method 1065 string # Sterman, auth_radius ATTRIBUTE Digest-URI 1066 string # Sterman, auth_radius ATTRIBUTE Digest-QOP 1067 string # Sterman, auth_radius ATTRIBUTE Digest-Algorithm 1068 string # Sterman, auth_radius ATTRIBUTE Digest-Body-Digest 1069 string # Sterman, auth_radius ATTRIBUTE Digest-CNonce 1070 string # Sterman, auth_radius ATTRIBUTE Digest-Nonce-Count 1071 string # Sterman, auth_radius ATTRIBUTE Digest-User-Name 1072 string # Sterman, auth_radius ATTRIBUTE Digest-User-Password 1073 string # by jww ### CISCO Vendor Specific Attributes ### #VENDOR Cisco 9 #ATTRIBUTE Cisco-AVPair 1 string Cisco # VSA, auth_radius ### Acct-Status-Type Values ### VALUE Acct-Status-Type Start 1 # RFC2866, acc VALUE Acct-Status-Type Stop 2 # RFC2866, acc VALUE Acct-Status-Type Failed 15 # RFC2866, acc ### Service-Type Values ### VALUE Service-Type Call-Check 10 # RFC2865, uri_radius VALUE Service-Type Group-Check 12 # Proprietary, group_radius VALUE Service-Type Sip-Session 15 # Schulzrinne, acc, auth_radius VALUE Service-Type SIP-Caller-AVPs 30 # Proprietary, avp_radius VALUE Service-Type SIP-Callee-AVPs 31 # Proprietary, avp_radius VALUE Sip-Method INVITE 1 # Proprietary, acc VALUE Sip-Method CANCEL 2 # Proprietary, acc VALUE Sip-Method ACK 4 # Proprietary, acc VALUE Sip-Method BYE 8 # Proprietary, acc VALUE Auth-Type DIGEST 1050 mv /usr/local/etc/openser/openser.conf /usr/local/etc/openser/openser.conf.bak vi /usr/local/etc/openser/openser.conf add: # ----------- global configuration parameters ------------------------ debug=7 # debug level (cmd line: -dddddddddd) fork=yes log_stderror=no # (cmd line: -E) check_via=no # (cmd. line: -v) dns=no # (cmd. line: -r) rev_dns=no # (cmd. line: -R) port=5060 children=4 listen=59.125.160.36 fifo="/tmp/openser_fifo" #fifo_db_url="mysql://openser:openserrw@localhost/openser" # ------------------ module loading ---------------------------------- mpath="/usr/local/lib/openser/modules" loadmodule "mysql.so" loadmodule "sl.so" loadmodule "tm.so" loadmodule "rr.so" loadmodule "maxfwd.so" loadmodule "avpops.so" loadmodule "usrloc.so" loadmodule "registrar.so" loadmodule "textops.so" loadmodule "xlog.so" loadmodule "uri.so" loadmodule "acc.so" loadmodule "auth.so" loadmodule "auth_radius.so" loadmodule "group_radius.so" loadmodule "avp_radius.so" loadmodule "nathelper.so" loadmodule "group.so" # ------------DB auth ---------------------- #loadmodule "auth_db.so" #modparam("auth_db", "password_column","password") # -------------Voicemail -------------------- #tm timeout for voicemail params modparam("tm", "fr_timer", 25) modparam("tm", "fr_inv_timer", 25) modparam("tm", "noisy_ctimer", 1) # ----------------- setting module-specific parameters --------------- # -- usrloc params -- #modparam("usrloc","db_url","mysql://openser:openserrw@localhost/openser") modparam("usrloc", "db_mode", 2) # -- acc params -- modparam("acc", "radius_flag", 1) modparam("acc", "radius_missed_flag", 2) modparam("acc", "log_flag", 1) modparam("acc", "log_missed_flag", 1) modparam("acc", "service_type", 15) modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp") modparam("acc|auth_radius|group_radius|avp_radius", "radius_config", "/usr/local/etc/radiusclient-ng/radiusclient.conf") modparam("registrar", "default_expires", 60) modparam("registrar", "min_expires", 30) modparam("registrar", "nat_flag", 6) modparam("registrar", "sip_natping_flag", 7) # -------Nat Helper --------------------- modparam("nathelper", "natping_interval", 30) modparam("nathelper", "ping_nated_only", 1) modparam("nathelper", "rtpproxy_sock", "udp:127.0.0.1:7890") #modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock") modparam("nathelper", "sipping_method", "INFO") # -- group_radius params -- modparam("group_radius", "use_domain", 1) # -- avpops params -- modparam("avpops", "avp_aliases", "day=i:101;time=i:102") modparam("avpops", "avp_table", "usr_preferences") # -- rr params -- # add value to ;lr param to make some broken UAs happy modparam("rr", "enable_full_lr", 1) # ------------------------- request routing logic ------------------- # main routing logic route{ # initial sanity checks -- messages with # max_forwards==0, or excessively long requests if (!mf_process_maxfwd_header("10")) { sl_send_reply("483","Too Many Hops"); exit; }; if (msg:len >= 2048 ) {
sl_send_reply("513", "Message too big");
exit;
};

# NAT detection
route(2);

# check if user is suspended
if(is_method("REGISTER|INVITE|MESSAGE|OPTIONS|SUBSCRIBE"))
{
if (radius_is_user_in("From", "suspended")) {
sl_send_reply("403", "Forbidden - suspended");
exit;
};
};

# we record-route all messages -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol

if (!method=="REGISTER"){
record_route();
}


# subsequent messages withing a dialog should take the
# path determined by record-routing
if (loose_route()) {
# mark routing logic in request
append_hf("P-hint: rr-enforced\r\n");
if(method == "BYE" || method == "CANCEL" )
{
# log it all the time
acc_rad_request("200 ok");
acc_log_request("200 ok");
}
route(1);
};


if (!uri==myself) {
# check if user is allowed to do voip calls to other domains
if(method == "INVITE" || method == "MESSAGE") {
if (!radius_is_user_in("From", "voip")) {
sl_send_reply("403", "Forbidden VoIP");
exit;
};
};
# mark routing logic in request
append_hf("P-hint: outbound\r\n");
route(1);
};

# if the request is for other domain use UsrLoc
# (in case, it does not work, use the following command
# with proper names and addresses in it)
if (uri==myself) {
# authenticate registers
if (method=="REGISTER") {
if (!radius_www_authorize("x.x.x.x")) {
www_challenge("x.x.x.x", "0");
exit;
};

# check the src ip address
#if(!avp_check("$avp(i:2)", "eq/$src_ip/ig")) {
# sl_send_reply("403", "Forbidden IP");
# exit;
#};

if (isflagset(5)) {
setflag(6);
# if you want OPTIONS natpings uncomment next
# setflag(7);
};

save("location");
exit;
};

# calls to pstn
#if(uri=~"sip:00[1-9][0-9]+@") {
# if(is_method("INVITE") && !has_totag()) {
# if (!radius_is_user_in("From", "pstn")) {
# sl_send_reply("403", "Forbidden PSTN");
# exit;
# };
# };
# #set gateway address
# rewritehostport("x.x.x.x:5090");
# route(1);
#};

# requests for Media server
if(is_method("INVITE") && !has_totag() && uri=~"sip:\*9") {
route(3);
exit;
}

# mark transaction if user is in voicemail group
if(is_method("INVITE") && !has_totag()
&& is_user_in("Request-URI","voicemail"))
{
xdbg("user [$ru] has voicemail redirection enabled\n");
# backup R-URI
avp_write("$ruri", "$avp(i:10)");
setflag(2);
};

# load callee's avps
if(avp_load_radius("callee")){
# check if user has time filter enabled
if(avp_check("$avp(i:3)", "eq/i:1")){
# print time in an avp
avp_printf("$avp(i:100)", "$Tf");
# extract day
avp_subst("$avp(i:100)/$avp(i:101)", "/(.{3}) .+/*\1*/");
if(!avp_check("$avp(i:6)", "fm/$day")) {
sl_send_reply("403", "Forbidden - day");
exit;
};

# extract 'hours:minutes'
avp_subst("$avp(i:100)/$avp(i:102)", "/(.{10}) (.{5}):.+/\2/");
if((is_avp_set("$avp(i:4)") && avp_check("$avp(i:4)", "gt/$time"))
|| (is_avp_set("$avp(i:5)") && avp_check("$avp(i:5)", "lt/$time"))) {
sl_send_reply("403", "Forbidden - time");
exit;
};
};
};
# native SIP destinations are handled using our USRLOC DB
if (!lookup("location")) {
if(isflagset(2)) {
# route to Asterisk Media Server
prefix("1");
rewritehostport("127.0.0.1:5070");
route(1);
} else {
# log to acc as missed call
acc_rad_request("404 Not Found");
acc_log_request("404 Not Found");
sl_send_reply("404", "Not Found");
exit;
}
};
append_hf("P-hint: usrloc applied\r\n");
};

route(1);
}

# generic forward
route[1] {

# send it out now; use stateful forwarding as it works reliably
# even for UDP2TCP

if(isflagset(2)){
t_on_failure("1");
};

if (subst_uri('/(sip:.*);nat=yes/\1/')){
setflag(6);
};

if (isflagset(5)||isflagset(6)) {
route(4);
}

if (!t_relay()) {
sl_reply_error();
};
exit;
}

route[2]{
force_rport();
if (nat_uac_test("19")) {
if (method=="REGISTER") {
fix_nated_register();
} else {
fix_nated_contact();
};
setflag(5);
};
}

# voicemail access
# - *98 - listen caller's voice messages, being prompted for pin
# - *981 - listen voice messages, being promted for mailbox and pin
# - *98XXXX - leave voice message to XXXX
#
route[3] {
# direct voicemail
if (uri =~ "sip:\*98@" ) {
rewriteuser("1");
xdbg("voicemail access\n");
} else if (uri =~ "sip:\*981@" ) {
strip(4);
rewriteuser("11");
} else if (uri =~ "sip:\*98.+@" ) {
strip(3);
prefix("1");
} else {
xlog("unknown media extension $rU\n");
sl_send_reply("404", "Unknown media service");
exit;
}

# route to Asterisk Media Server
rewritehostport("127.0.0.1:5070");
route(1);
}

route[4] {
if (is_method("BYE|CANCEL")) {
unforce_rtp_proxy();
} else if (is_method("INVITE")){
force_rtp_proxy();
t_on_failure("2");
};
if (isflagset(5))
search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
t_on_reply("1");
}


onreply_route[1] {
if ((isflagset(5) || isflagset(6)) && status=~"(183)|(2[0-9][0-9])") {
force_rtp_proxy();
}
search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');

if (isflagset(6)) {
fix_nated_contact();
}
exit;
}


failure_route[1]{
if (t_was_cancelled()) {
xdbg("transaction was cancelled by UAC\n");
return;
}
# restore initial uri
avp_pushto("$ruri", "$avp(i:10)");
prefix("1");
# route to Asterisk Media Server
rewritehostport("127.0.0.1:5070");
resetflag(2);
route(1);
}

failure_route[2] {
if (isflagset(6) || isflagset(5)) {
unforce_rtp_proxy();
}
}

#

mv /usr/local/etc/openser/openserctlrc /usr/local/etc/openser/openserctlrc.bak
vi /usr/local/etc/openser/openserctlrc
add:
# $Id: openserctlrc,v 1.2 2006/07/05 19:37:20 miconda Exp $
#
# openser control tool resource file
#
# here you can set variables used in the openserctl

## your SIP domain
SIP_DOMAIN=x.x.x.x

## database type: MYSQL or PGSQL, by defaulte none is loaded
DBENGINE=MYSQL

## database host
DBHOST=localhost

## database name
DBNAME=openser

## database read/write user
DBRWUSER=openser

## database read only user
DBROUSER=openserro

## password for database read only user
DBROPW=openserro

## database super user
DBROOTUSER="root"

## type of aliases used: DB - database aliases; UL - usrloc aliases
## - default: none
ALIASES_TYPE="DB"

## control engine: FIFO or UNIXSOCK
## - default FIFO
CTLENGINE="FIFO"

## path to FIFO file
# OSER_FIFO="FIFO"

## check ACL names; default on (1); off (0)
VERIFY_ACL=1

## ACL names - if VERIFY_ACL is set, only the ACL names from below list
## are accepted
ACL_GROUPS="local ld int voicemail free-pstn"

## verbose - debug purposes - default '0'
VERBOSE=1



12. Freeradius configuration
cp /usr/local/etc/raddb/radiusd.conf /usr/local/etc/raddb/radiusd.conf.bak
vi /usr/local/etc/raddb/radiusd.conf
add:
modules {
...
#
# The 'digest' module currently has no configuration.
#
# "Digest" authentication against a Cisco SIP server.
# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
# on performing digest authentication for Cisco SIP servers.
#
digest {
}
...
}
authorize {
...
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
digest
...
}
...
authenticate {
...
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
digest
...
}

cp /usr/local/etc/raddb/directionary /usr/local/etc/raddb/directionary.bak
vi directionary
add
$INCLUDE /usr/local/etc/radiusclient-ng/dictionary.openser


cp /usr/local/etc/raddb/clients.conf /usr/local/etc/raddb/clients.conf
vi clients.conf
add:
client x.x.x.x {
secret = testing123
shortname = x.x.x.x
nastype = other
}


cp /usr/local/etc/raddb/users /usr/local/etc/raddb/users
vi uesrs
edit:
#DEFAULT Auth-Type = System
# Fall-Through = 1

add: (example)
### --- avps ---
0003@x.x.x.x Auth-Type := Accept, Service-Type == "SIP-Callee-AVPs"
Sip-Avp += "#3#0",
Sip-Avp += "#4:08:00",
Sip-Avp += "#5:16:00",
Sip-Avp += "#6:Mon,Wed,Thu,Fri"

0005@x.x.x.x Auth-Type := Accept, Service-Type == "SIP-Callee-AVPs"
Sip-Avp += "#3#0",
Sip-Avp += "#4:08:00",
Sip-Avp += "#5:16:00",
Sip-Avp += "#6:Mon,Wed,Thu,Free"
# #3#1= enable the time-base checking

### --- group checking ---
0003@x.x.x.x Auth-Type := Accept, Sip-Group == "voip", Service-Type == "Group-Check"
Reply-Message = "Authorized"
0003@x.x.x.x Auth-Type := Accept, Sip-Group == "pstn", Service-Type == "Group-Check"
Reply-Message = "Authorized"

0005@x.x.x.x Auth-Type := Accept, Sip-Group == "voip", Service-Type == "Group-Check"
Reply-Message = "Authorized"
0005@x.x.x.x Auth-Type := Accept, Sip-Group == "pstn", Service-Type == "Group-Check"
Reply-Message = "Authorized"
DEFAULT Auth-Type := Reject, Service-Type == "Group-Check"

### --- user authentication ---
0003@x.x.x.x Auth-Type := Digest, User-Password == "0003"
Sip-Avp += "rpid:0003",
Sip-Avp += "#2:x.x.x.x",
Reply-Message = "Authenticated"

0005@x.x.x.x Auth-Type := Digest, User-Password == "0005"
Sip-Avp += "rpid:0005",
Sip-Avp += "#2:x.x.x.x",
Reply-Message = "Authenticated"


13. Asterisk configuration
edit /etc/asterisk/sip.conf
bindport=5070 ; UDP Port to bind to (SIP standard port is 5060)
bindaddr=x.x.x.x
checkmwi=10

[openser]
type=friend
context=default
host=localhost
insecure=very

edit /etc/asterisk/extconfig.conf
;for Mysql driver (asterisk add-on needed)
;sipusers => mysql,asterisk,sipusers
;sippeers => mysql,asterisk,sipusers
;voicemail => mysql,asterisk,vmusers

;for odbc driver (unixODBC needed )
sipusers => odbc,asterisk,sipusers
sippeers => odbc,asterisk,sipusers
voicemail => odbc,asterisk,vmusers

PS cannot use both two drivers as the same time!
for storing voicemail into database, ODBC is required.

;edit /etc/asterisk/res_mysql.conf insert:
;[general]
;dbhost = localhost
;dbname = asterisk
;dbuser = asterisk (or root)
;dbpass = asterisk (or root-password if user is root)
;dbport = 3306

edit /etc/asterisk/res_odbc.conf:
[asterisk]
enabled => yes
dsn => MySQL-asterisk
username => asterisk
password => asterisk
pre-connect => yes

vi /etc/odbc.ini
[MySQL-asterisk]
Description = MySQL Asterisk database
Trace = Off
TraceFile = stderr
Driver = MySQL
SERVER = localhost
USER = asterisk
PASSWORD = asterisk
PORT = 3306
DATABASE = asterisk

vi /etc/odbcinst.ini
[MySQL]
Description = MySQL driver
Driver = /usr/lib/libmyodbc3.so
Setup = /usr/lib/libodbcmyS.so
CPTimeout =
CPReuse =
UsageCount = 1

edit /etc/asterisk/extensions.conf
exten => 1,1,Ringing
exten => 1,2,VoicemailMain(${CALLERID(num)})
exten => 1,3,Hangup

exten => 11,1,Ringing
exten => 11,2,VoicemailMain()
exten => 11,3,Hangup

exten => _1XXXX,1,Ringing
;exten => _1XXXX,2,MailboxExists(${EXTEN:1})
;exten => _1XXXX,3,Playback(invalid)
;exten => _1XXXX,4,Hangup
;exten => _1XXXX,103,Voicemail(u${EXTEN:1})
;exten => _1XXXX,104,Hangup
exten => _1XXXX,2,Voicemail(u${EXTEN:1})
exten => _1XXXX,3,Hangup

No comments:

Post a Comment