Summary:ASTERISK-01186: [patch] RADIUS Authentication Accounting and call routing
Reporter:dbruce (dbruce)Labels:
Date Opened:2004-03-09 20:19:20.000-0600Date Closed:2011-06-07 14:04:57
Versions:Frequency of
Environment:Attachments:( 0) res_radius_beta_0.2.tgz
( 1) res_radius_beta_0.2.tgz
( 2) res_radius.h
( 3) res_radius.tar
Description:BETA RADIUS support for Asterisk

Rationale: Required integration between our Cisco AS5300 and Asterisk. The AS5300 runs custom scripts for a prepaid/postpaid service with least cost routing. The radius server authenticates a caller and returns provider id, route to use, callers account balance, callers time available for the specified destination, and prepaid/postpaid status.

Consists of:
  res_radius.c - place in asterisk/res/ - impliments the 'radius' command and a radius CDR backend
  radius.conf - placed in /etc/asterisk/ - configuration file that defines the radius servers and attribute dictionaries the 'radius' application will use.
  Makefile - placed in asterisk/res/ - makefile to include the res_radius package in the build process
  freeradius-0.8.1 or higher - uses code from the libradius.a library provided by freeradius-0.8.1 available from http://www.freeradius.org/

1) ensure your system has libradius.a by installing freeradius.
2) define your radius servers in radius.conf
3) modify the code in res_radius.c to suit your specific radius configuration. eventually, based on feedback, this will be accomplished with configuration options in radius.conf
4) modify extentions.conf to use the radius application.

 The radius application does authentication and routing based upon the servers configured radius.conf. When passed a dialstring, the application will build a radius authentication request based on the callers ANI and send it to a radius server (selected by the channels SIPDOMAIN variable or radius_profile variable). The radius reply is parsed and execution of the dialplan is continued in context [provider-XXXX] where XXXX is the id for the provider as provided by the radius server and a start record is sent to the radius server. If the callers account is prepaid the absolute timeout for the call is set once the channel is answered.

Once the channel is disconnected, the CDR backend will send a stop record to the radius server.

  The radius attributes returned are assumed to be in a specific format (outlined under 'additional information' below). This will need to be modified to suit your specific needs. Plans are to eventually make the parsing a configuration option.

  The format and specific attributes sent to the radius server as in a specific format. They will need to be changed to reflect the specific requirements of your radius server.

Configuration - radius.conf:
  The radius configuration consists of a [general] section for general parameters and a section for each radius server, in the form:

; RadiusDial configuration for Asterisk
radiusdir = /etc/raddb/ct-test
timeout = 3.5    ; request timeout in seconds
retries = 3      ; number of times to retry on failure

[domain1.com]          ; profile name
server =     ; ip address of server
secret = testing123    ; secret used by this server
type = Cisco
authport = 1862        ; port used for authentication
acctport = 1863        ; port used for accounting
timeout = 4.5          ; overide the general timeout
retries = 4            ; overide the general retries
dictionary = /etc/raddb/ct-test   ; absolute path to attribute dictionary

The radius attribute dictionary is same format as for freeradius.

Since this code was developed based on calls from SIP clients, the profile name [domain1.com] should match the SIPDOMAIN variable of the channel. If you are not using SIP clients, this can be set to a specific value by using:

setvar(radius_provider=profile_name) in your dialplan before calling the radius application.


Radius request and response assumptions:

The radius Authentication request sent to the server is of the form:

user-name=(calling number)
calling-station-id=(calling number)
called-station-id=(called number)

and the radius server responds with:

h323-billing-model = "h323-billing-model=postpaid"  ; either 'postpaid' or 'prepaid'
h323-credit-amount = "h323-credit-amount=xx.xx"  ; the balance on their account
h323-prompt-id = "h323-prompt-id=xx:yy:zz:aaaa:b.bb"  ; info required for our AS5300 IVR system
h323-return-code = "h323-return-code=1500" ; route id of calling number
h323-credit-time = "h323-credit-time=xxxxxx"  ; available time for call in seconds
Cisco-AVPair = "h323-ivr-in=2347:205:0.0130=0.0390:5:6=6"     ; destination info

the h323-ivr-in parameter is in the form:

Comments:By: dbruce (dbruce) 2004-03-09 20:25:27.000-0600

Before the powers that be ask... a disclaimer IS on the way...

By: James Golovich (jamesgolovich) 2004-03-09 21:14:37.000-0600

All I'm going to add to this is that we would need an exception from the FreeRadius folk (I guess I'm kinda one of them I still have commit on their CVS) to use their GPL lib in asterisk just like we have for openh323.  If someone is serious about something like this included the library needs to be BSD licensed or possibly LGPL depending on the situation

By: dbruce (dbruce) 2004-03-10 01:14:59.000-0600

I forgot to add the header file to the tarball...

place it in asterisk/include/asterisk/

my appologies....

By: jerjer (jerjer) 2004-03-10 02:50:28.000-0600

This is a joke, right?

By: jerjer (jerjer) 2004-03-10 03:03:27.000-0600

btw, we have lots of 5300s and zero radius servers, so please do not think RADIUS is required

By: dbruce (dbruce) 2004-03-10 05:29:35.000-0600

JerJer: btw, we have 5300 and we use radius... and so do the people who code the various radius servers and the people who code gnugk... and...

I realize that it must bug you no end that some people want to intergrate their Asterisk server with their legacy equipment and use radius in the process... but that's what open source is about... the ability to choose to do something your own way.. and the ability to share your efforts with others that want to do the same...

I choose to use radius... It does what I need it to do...

For those who have also chosen also use radius, and have provided me with feedback, I appreciate your comments and encouragement.

By: jerjer (jerjer) 2004-03-10 05:33:06.000-0600

I've been there and directly experienced the nastyness of RADIUS in a VoIP implemenation.  At some point it will bite you, hard.

Don't take my advice, I've only been doing this since 1996.

By: damin (damin) 2004-03-11 10:02:46.000-0600

Thanks for posting this. I'll take a look at the code and throw my comments up here. We have an existing billing system that will bill customers based on Source, Destintation and Number of minutes used, and this will be an interesting experiment to see how that system works for a small, non critical system with about 150 hours of calls a month. While it won't handle real-time call rating, for some applications that isn't critical. However, this will allow our customers to view their call histories directly online with the same interface they already use to view their Dial Up histories.

By: sw (sw) 2004-03-13 01:00:24.000-0600

4) modify extentions.conf to use the radius application.

How ?

By: dbruce (dbruce) 2004-03-13 19:00:32.000-0600

New version now available:


1) modified to compile cleanly on current CVS
2) modified to no longer require linking to libradius.a
3) added sample configuration files


1) download res_radius_beta_0.2.tar to a temporary directory
2) untar in temp directory with tar -xzf res_radius_beta_0.2.tgz
3) copy Makefile.diff, res_radius.c, res_radius.h, res_radius_lib.h to asterisk/res/
4) change directory to you asterisk/res directory
5) patch the Makefile with patch <Makefile.diff
6) modify res_radiusl.c to suit your specific radius server configuration
6) recompile (the compiler warnings are harmless and can be safely ignored
7) reconfigure your asterisk system using the example files as a guide

By: elprincipe (elprincipe) 2004-03-13 19:36:33.000-0600

This new file have a BAD compress, res_radius_beta_0.2.tgz, please paste again.



By: mlh (mlh) 2004-03-13 23:13:01.000-0600

I must say that JerJer is right, if your old system needs radius, then  upgrade it, it will be worth it in the end. There are SOOOO many better ways to do this.

By: elprincipe (elprincipe) 2004-03-14 13:02:51.000-0600

Dear mlh, let us decide how we want do our nets. Thank you for your suggest. We routing 35 Millons of minutes for month using radius w/o problem for 6 years and some how us continue thinking that is a better solution for mix pops in many countrys and different devices.


By: elprincipe (elprincipe) 2004-03-18 13:41:15.000-0600

We cant do work it.. Can you help us.


Thank you.


By: Olle Johansson (oej) 2004-03-20 08:43:14.000-0600

We need to find a new home for this addition to Asterisk, it's not a bug and because of licensing will not find it's way as a new feature into the CVS.

I acknowledge that a lot of users need it, even though some people is opposed to it.

We're looking for new platforms for handling this kind of additional features. Keep testing it and adding comments here to get it streamlined for Asterisk. Don't be upset if a bug marshal closes the bug, it's just to keep this system manageable.

By: twisted (twisted) 2004-03-24 14:44:40.000-0600

Can this not be added as a contrib, or placed into asterisk-addons, the same way mysql was handled during the licensing issue?

By: twisted (twisted) 2004-03-24 14:52:31.000-0600

Also, have we checked out http://appradius.minitelecom.org ?

edited on: 03-24-04 14:18

By: Paul Cadach (pcadach) 2004-03-24 15:11:52.000-0600

Reminder sent to twisted

Checked: The domain name does not exist.

By: twisted (twisted) 2004-03-24 15:29:12.000-0600

Reminders aren't necessary w/o response in a few days.  It was a typo, fixed.

By: truemetal (truemetal) 2004-04-18 22:50:08

If we are using Cisco VSA attributes, perhaps they should be used according to the Cisco specifications?

>h323-billing-model = "h323-billing-model=postpaid" ; either 'postpaid' or 'prepaid'
Cisco has different opinion:
h323-billing-model = value
0 = credit customer (post-paid)
1= debit card (prepaid)
2= limited service (prepaid)

>h323-return-code = "h323-return-code=1500" ; route id of calling number
Not exactly: "Return codes are instructions from the server to the voice gateway. Table 3 lists return code values." - there is a whole list of them, e.g. 13 means "unlimited call duration", 3 - "Play the account-blocked prompt and end the call." and so on... If you need some custom parameters, it is better to put them into the h323-ivr-in attribute

3) h323-credit-amount and h323-credit-time should not be provided in the single RADIUS access response message. If the request includes Called-Station-Id, then h323-credit-time will be provided in the response, otherwise h323-credit-amount

By: truemetal (truemetal) 2004-04-18 23:21:53

>Cisco-AVPair = "h323-ivr-in=2347:205:0.0130=0.0390:5:6=6" ; destination info
h323-ivr-in is a generic attribute, so the billing is free to send any name:value pairs, e.g. Tariff:Wholesale or DURATION:100. If you have such specific destination info data, it should look like:
otherwise you will have troubles when your code will try to interpret "Tariff:Wholesale" as a destination info

By: Brian West (bkw918) 2004-05-03 00:53:28

This is a good idea but I dont see it going into CVS maybe into addons once its stable.  Once its stable find a bug marshal on #asterisk-bugs and we can talk to kram about putting this into addons.

By: Philipp Kolmann (pkolmann) 2004-09-08 07:20:49

Reminder sent to dbruce


I just found this Bug Report (ASTERISK-1186) and would like to use it, but the files doen't compile anymore.

Do you have any updated files, for current cvs?
Pls send them to me: kolmann@zid.tuwien.ac.at

Thanks a lot
Philipp Kolmann