
ergw_aaa's Introduction

erGW-AAA - AAA component for the erGW project


This is a companion project for the erGW project to provide an abstract AAA (Authentication, Authorization and Accounting) interface for protocols based on erGW.

Supported backend providers are:

  • a local dummy (mock)
  • RADIUS

Work in progress:

  • DIAMETER
  • flexible configuration
  • the dropped attribute_map feature might be re-added

Other providers that may be added in the future:

  • LDAP (Authentication and Authorization only)

TERMINATION CAUSE MAPPING

When ergw needs to terminate an AAA session, the termination reason to be included in the protocol message (CCR-T or ACR Stop in DIAMETER, Accounting-Request Stop in RADIUS) is passed from ergw to ergw_aaa in the session data as an atom. Each AAA handler can be configured with a mapping from these atoms to the termination cause values of the corresponding protocol/interface: the Termination-Cause AVP of RFC 3588 for DIAMETER and the Acct-Terminate-Cause attribute of RFC 2866 for RADIUS. A reason that is not present in a handler's mapping cannot be reported correctly to the server, so every reason atom ergw emits should be covered. An example of this mapping:

%% DIAMETER config example
% ...
{handlers, [
    % ...
    {ergw_aaa_ro, [
        {function, 'ergw-pgw-epc-ro'},
        {'Destination-Realm', <<"test.apn.net">>},
        %% values are Termination-Cause AVP codes (RFC 3588, section 8.15):
        %% 1 DIAMETER_LOGOUT, 4 DIAMETER_ADMINISTRATIVE, 5 DIAMETER_LINK_BROKEN
        {termination_cause_mapping, [
            {normal, 1},
            {administrative, 4},
            {link_broken, 5},
            {upf_failure, 5},
            {remote_failure, 1},
            {cp_inactivity_timeout, 1},
            {up_inactivity_timeout, 1},
            {peer_restart, 1},
            {'ASR', 1},
            {error, 1},
            {timeout, 1},
            {conn_error, 1},
            {rate_limit, 1},
            {ocs_hold_end, 1},
            {peer_reject, 1}
        ]}
    ]}
    % ...
]},
% ...
%% RADIUS config example
% ...
{ergw_aaa_radius, [
    %% {Address, Port, SharedSecret}
    {server, {{192,168,255,1}, 1813, <<"radproxy">>}},
    %% values are Acct-Terminate-Cause codes (RFC 2866, section 5.10):
    %% 1 User Request, 2 Lost Carrier, 4 Idle Timeout, 6 Admin Reset,
    %% 7 Admin Reboot, 9 NAS Error, 10 NAS Request
    {termination_cause_mapping, [
        {normal, 1},
        {administrative, 6},
        {link_broken, 2},
        {upf_failure, 9},
        {remote_failure, 9},
        {cp_inactivity_timeout, 4},
        {up_inactivity_timeout, 4},
        {peer_restart, 7},
        {'ASR', 6},
        {error, 9},
        {timeout, 4},
        {conn_error, 10},
        {rate_limit, 10},
        {ocs_hold_end, 10},
        {peer_reject, 10}
    ]}
]}
% ...
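The two mappings above are plain proplists, and nothing in the configuration syntax itself stops a typo such as a code the protocol does not define or a reason written as a string. The module below is an added example (not ergw_aaa code) that validates a handler's termination_cause_mapping against the value ranges the cited RFCs define (Termination-Cause 1..8 in RFC 3588, Acct-Terminate-Cause 1..18 in RFC 2866) and resolves a reason atom with a fallback code so that an unmapped reason does not crash the CCR-T / Accounting-Stop path. The module and function names, the `diameter`/`radius` protocol atoms and the handler option lists built in demo/0 are all assumptions made for this example.

```erlang
%% tc_map.erl: added example, not part of ergw_aaa.
-module(tc_map).
-export([validate/2, resolve/3, diameter_cause/1, radius_cause/1, demo/0]).

%% Diameter Termination-Cause AVP (295) values, RFC 3588 section 8.15.
diameter_cause(1) -> 'DIAMETER_LOGOUT';
diameter_cause(2) -> 'DIAMETER_SERVICE_NOT_PROVIDED';
diameter_cause(3) -> 'DIAMETER_BAD_ANSWER';
diameter_cause(4) -> 'DIAMETER_ADMINISTRATIVE';
diameter_cause(5) -> 'DIAMETER_LINK_BROKEN';
diameter_cause(6) -> 'DIAMETER_AUTH_EXPIRED';
diameter_cause(7) -> 'DIAMETER_USER_MOVED';
diameter_cause(8) -> 'DIAMETER_SESSION_TIMEOUT';
diameter_cause(_) -> undefined.

%% RADIUS Acct-Terminate-Cause attribute (49) values, RFC 2866 section 5.10.
radius_cause(Code) ->
    Names = ['User-Request', 'Lost-Carrier', 'Lost-Service', 'Idle-Timeout',
             'Session-Timeout', 'Admin-Reset', 'Admin-Reboot', 'Port-Error',
             'NAS-Error', 'NAS-Request', 'NAS-Reboot', 'Port-Unneeded',
             'Port-Preempted', 'Port-Suspended', 'Service-Unavailable',
             'Callback', 'User-Error', 'Host-Request'],
    case is_integer(Code) andalso Code >= 1 andalso Code =< length(Names) of
        true  -> lists:nth(Code, Names);
        false -> undefined
    end.

%% Check the termination_cause_mapping entry of a handler's option list at
%% config-load time: every entry must be {Atom, Int} and Int must be a value
%% the target protocol actually defines.
validate(Proto, HandlerOpts) ->
    Lookup = case Proto of
                 diameter -> fun diameter_cause/1;
                 radius   -> fun radius_cause/1
             end,
    Mapping = proplists:get_value(termination_cause_mapping, HandlerOpts, []),
    Bad = [E || E <- Mapping, not valid_entry(Lookup, E)],
    case Bad of
        [] -> {ok, Mapping};
        _  -> {error, {invalid_termination_cause_mapping, Bad}}
    end.

valid_entry(Lookup, {Reason, Code}) when is_atom(Reason), is_integer(Code) ->
    Lookup(Code) =/= undefined;
valid_entry(_, _) ->
    false.

%% Map a session termination reason to the protocol code. A reason missing
%% from the mapping yields Default instead of a badmatch while tearing down.
resolve(Reason, Mapping, Default) ->
    case lists:keyfind(Reason, 1, Mapping) of
        {Reason, Code} -> Code;
        false          -> Default
    end.

demo() ->
    %% Constructed handler option lists, following the shape used above.
    Ro = [{transport, 'ergw-pgw-epc'},
          {termination_cause_mapping, [{normal, 1}, {administrative, 4},
                                       {link_broken, 5}, {upf_failure, 5}]}],
    %% 99 is not an Acct-Terminate-Cause value and "timeout" is not an atom.
    Broken = [{termination_cause_mapping, [{normal, 1}, {peer_reject, 99},
                                           {"timeout", 4}]}],
    RoMap = proplists:get_value(termination_cause_mapping, Ro),
    [validate(diameter, Ro),
     validate(radius, Broken),
     resolve(link_broken, RoMap, 1),
     resolve(rate_limit, RoMap, 1)].   %% rate_limit is unmapped: falls back
```

Run `tc_map:demo().` in an Erlang shell after compiling the module. The fallback value passed to resolve/3 should be chosen deliberately per handler (the examples above use DIAMETER_LOGOUT and User Request for the common case); silently defaulting an administrative disconnect to a user logout would misreport the cause to the charging system, which is why the validation step matters more than the fallback.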

BUILDING

Using rebar3:

# rebar3 compile

CONFIGURATION

For all releases in the 3.x stream the configuration syntax might change at any point and might not be backward compatible.

Example of a possible configuration:

 {ergw_aaa,
  [{functions,
    [{'ergw-pgw-epc',
      [{handler, ergw_aaa_diameter},
       {'Origin-Host', <<"ergw-pgw.dia.example.net">>},
       {'Origin-Realm', <<"dia.example.net">>},
       {transports, [
           [{connect_to, <<"aaa://srv1.dia.example.net;transport=sctp">>},
            {recbuf, 32768}]
        ]}
      ]}
    ]},
   {handlers,
    [{ergw_aaa_static,
        [{'NAS-Identifier',          <<"NAS-Identifier">>},
         {'Acct-Interim-Interval',   600},
         {'Framed-Protocol',         'PPP'},
         {'Service-Type',            'Framed-User'},
         {'Node-Id',                 <<"PGW-001">>},
         {'Charging-Rule-Base-Name', <<"m2m0001">>},
         {rules, #{'Default' =>
                       #{'Rating-Group' => [3000],
                         'Flow-Information' =>
                             [#{'Flow-Description' => [<<"permit out ip from any to assigned">>],
                                'Flow-Direction'   => [1]    %% DownLink
                               },
                              #{'Flow-Description' => [<<"permit out ip from any to assigned">>],
                                'Flow-Direction'   => [2]    %% UpLink
                               }],
                         'Metering-Method'  => [1],
                         'Precedence' => [100]
                        }
                  }
         }
        ]},
     {ergw_aaa_radius, [
        {server, {{127,0,0,1}, 1812, <<"secret">>}},
        {termination_cause_mapping, [
            {normal, 1},
            {administrative, 6},
            {link_broken, 2},
            {upf_failure, 9},
            {remote_failure, 9},
            {cp_inactivity_timeout, 4},
            {up_inactivity_timeout, 4},
            {peer_restart, 7},
            {'ASR', 6},
            {error, 9},
            {timeout, 4},
            {conn_error, 10},
            {rate_limit, 10},
            {ocs_hold_end, 10},
            {peer_reject, 10}
        ]}
     ]},
     {ergw_aaa_rf, [{transport, 'ergw-pgw-epc'}]},
     {ergw_aaa_ro, [
        {transport, 'ergw-pgw-epc'},
        {termination_cause_mapping, [
            {normal, 1},           
            {administrative, 4}, 
            {link_broken, 5},      
            {upf_failure, 5},      
            {remote_failure, 1},   
            {cp_inactivity_timeout, 1},  
            {up_inactivity_timeout, 1},
            {peer_restart, 1},
            {'ASR', 1},
            {error, 1},
            {timeout, 1},
            {conn_error, 1},
            {rate_limit, 1},
            {ocs_hold_end, 1},
            {peer_reject, 1}
        ]}
     ]}
    ]},

   {services,
    [{'Default',     [{handler, 'ergw_aaa_static'}]},
     {'RADIUS-Auth', [{handler, 'ergw_aaa_radius'},
                      {server, {{127,1,0,1}, 1812, <<"secret">>}}]},
     {'RADIUS-Acct', [{handler, 'ergw_aaa_radius'},
                      {server, {{127,2,0,1}, 1813, <<"secret">>}}]},
     {'Rf',          [{handler, 'ergw_aaa_rf'}]},
     {'Gx',          [{handler, 'ergw_aaa_gx'}]},
     {'Gy',          [{handler, 'ergw_aaa_ro'}]}
    ]},

   {apps,
    [ {'Origin-Host', <<"local.host">>},
      {procedures,
        [{default,
          [{session, ['Default']},
           {procedures, [{authenticate, ['RADIUS-Auth']},
                         {authorize,    ['RADIUS-Auth']},
                         {start,     ['RADIUS-Acct', 'Rf']},
                         {interim,   ['RADIUS-Acct', 'Rf']},
                         {stop,      ['RADIUS-Acct', 'Rf']},
                         {{gx, 'CCR-Initial'},   ['Gx']},
                         {{gx, 'CCR-Update'},    ['Gx']},
                         {{gx, 'CCR-Terminate'}, ['Gx']},
                         {{gy, 'CCR-Initial'},   ['Gy']},
                         {{gy, 'CCR-Update'},    ['Gy']},
                         {{gy, 'CCR-Terminate'}, ['Gy']}]}
          ]}
        ]}
    ]}
  ]},
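The configuration is a chain of references: procedures name services, services name handlers, and DIAMETER handlers name a transport defined under functions. A dangling link in that chain means a step such as accounting or CCR-T is silently not delivered. The module below is an added example (not ergw_aaa code) that walks a configuration of the shape shown above and reports such dangling references. It embeds a constructed subset of the example configuration; the module and function names are assumptions, and the checker only knows the `handler`, `transport`, `session` and `procedures` keys that appear on this page. On the constructed config it flags the 'Gx' service, whose handler ergw_aaa_gx does not appear in the handlers list of the example above, and a deliberately misspelt service name.

```erlang
%% aaa_cfg_check.erl: added example, not part of ergw_aaa.
-module(aaa_cfg_check).
-export([check/1, example_config/0, demo/0]).

%% Constructed subset of the ergw_aaa configuration shown above.
example_config() ->
    [{functions,
      [{'ergw-pgw-epc',
        [{handler, ergw_aaa_diameter},
         {'Origin-Host', <<"ergw-pgw.dia.example.net">>},
         {'Origin-Realm', <<"dia.example.net">>}]}]},
     {handlers,
      [{ergw_aaa_static, [{'NAS-Identifier', <<"NAS-Identifier">>}]},
       {ergw_aaa_radius, [{server, {{127,0,0,1}, 1812, <<"secret">>}}]},
       {ergw_aaa_rf,     [{transport, 'ergw-pgw-epc'}]},
       {ergw_aaa_ro,     [{transport, 'ergw-pgw-epc'}]}]},
     {services,
      [{'Default',     [{handler, ergw_aaa_static}]},
       {'RADIUS-Auth', [{handler, ergw_aaa_radius}]},
       {'RADIUS-Acct', [{handler, ergw_aaa_radius}]},
       {'Rf',          [{handler, ergw_aaa_rf}]},
       {'Gx',          [{handler, ergw_aaa_gx}]},   %% not under handlers
       {'Gy',          [{handler, ergw_aaa_ro}]}]},
     {apps,
      [{'Origin-Host', <<"local.host">>},
       {procedures,
        [{default,
          [{session, ['Default']},
           {procedures, [{authenticate,          ['RADIUS-Auth']},
                         {start,                 ['RADIUS-Acct', 'Rf']},
                         {{gx, 'CCR-Initial'},   ['Gx']},
                         {{gy, 'CCR-Terminate'}, ['Gy', 'Missing']}]}]}]}]}].

%% Names defined under a top-level key (functions, handlers, services).
names(Key, Cfg) -> [N || {N, _} <- proplists:get_value(Key, Cfg, [])].

%% Both the 'session' list and every entry of the nested 'procedures'
%% list of an app name services.
steps(AppOpts) ->
    [{session, proplists:get_value(session, AppOpts, [])}
     | proplists:get_value(procedures, AppOpts, [])].

check(Cfg) ->
    Functions = names(functions, Cfg),
    Handlers  = names(handlers, Cfg),
    Services  = proplists:get_value(services, Cfg, []),
    Known     = [N || {N, _} <- Services],
    %% 1. every service must name a configured handler
    E1 = [{service, S, unknown_handler, H}
          || {S, Opts} <- Services,
             H <- [proplists:get_value(handler, Opts)],
             not lists:member(H, Handlers)],
    %% 2. every handler that names a transport must name a defined function
    E2 = [{handler, H, unknown_transport, T}
          || {H, Opts} <- proplists:get_value(handlers, Cfg, []),
             T <- [proplists:get_value(transport, Opts)],
             T =/= undefined, not lists:member(T, Functions)],
    %% 3. every procedure step must name defined services
    Apps = proplists:get_value(apps, Cfg, []),
    E3 = [{procedure, App, Step, unknown_service, S}
          || {App, AppOpts} <- proplists:get_value(procedures, Apps, []),
             {Step, Svcs} <- steps(AppOpts),
             S <- Svcs, not lists:member(S, Known)],
    case E1 ++ E2 ++ E3 of
        []     -> ok;
        Errors -> {error, Errors}
    end.

demo() -> check(example_config()).
```

To run it against a real sys.config, read the file with `file:consult/1`, pick the `ergw_aaa` entry out of the resulting list and pass it to check/1.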

ergw_aaa's People

Contributors

0xax, fholzhauser, mgumz, platinumthinker, roadrunnr, surik, tlnd, tolbrino, vijay-hirani, vkatsuba


ergw_aaa's Issues

Dictionary inherits

In diameter_3gpp_ts32_299_ro.dia you have @inherits diameter_rfc7155_nasreq
And in diameter_3gpp_ts29_212.dia which is also inherited by diameter_3gpp_ts32_299_ro.dia you have
@inherits diameter_rfc4005_nasreq.

Wouldn't these two versions of the nasreq application participating in the same final dictionary cause a potential conflict?

Avoid termination of unknown sessions

erGW-AAA version

4.3.1

Erlang/OTP version

N/A

Description

  • Motivation
    Failures of Gy updates with reason code UNKNOWN_SESSION_ID (5002) trigger a termination CCR with the same session ID. This message will (naturally) be answered with another 5002 from the OCS.

  • Proposal
    If a 5002 message is received for a session, consider that the session has ended locally and do not send a followup termination CCR.

Support source IP/port binding for transport configurations

For some use cases, it is desirable or even required to bind the socket for a transport connection to a dedicated IP/port. Hence, some additional options should be introduced to specify the address and port to bind to, e.g.

{transports, [
    [{connect_to, <<"aaa://srv1.dia.example.net;transport=sctp">>},
     {recbuf, 32768}, {ip, {192,168,12,12}}, {port, 3868}]
]},

Add OTP 23.X to Travis CI

erGW-AAA version

3.6.9

Description

The OTP 23.X release is missing from the Travis CI configuration of eradius.

Current behavior

The OTP 23.X release is missing from Travis CI.

Expected behavior

The OTP release 23.X is added to Travis CI.

No enumerated list of values for AVP Flow_Status (511)

erGW-AAA version

Release/Tag 4.1.4

Erlang/OTP version

OTP 24.3

Description

No enumeration description for AVP Flow_Status (511):

type enumerated Flow_Status (511)
{
  ENABLED_UPLINK      (0),
  ENABLED_DOWNLINK    (1),
  ENABLED             (2),
  DISABLED            (3),
  REMOVED             (4)
}

Describe proposal of the solution ...

Enumeration Description should be put in:
3GPP TS 29.214
AVP: Flow-Status (511) 3GPP (10415)

Current behavior

Diameter decoding error:

[error] <0.1870.0> ergw_aaa_gx:handle_answer/5:223: <<"PCRF">>: decode of answer from {<0.1454.0>,{diameter_caps,{<<"pgw.234">>,<<"rtepcrf">>},{<<"pcrf.pgw.m234">>,<<"pcrf.pgw.m234">>},{[{127,0,0,129}],[{127,0,122,122}]},{18681,0},{<<"erGW-AAA">>,<<"freediameter">>},{[1748534711],[1687029559]},{[10415,13019,18681],[5535,10415,13019]},{[16777238],[]},{[],[]},{[],[]},{[{'diameter_base_Vendor-Specific-Application-Id',10415,[16777238],[]}],[{'diameter_base_Vendor-Specific-Application-Id',10415,[16777236],[]},{'diameter_base_Vendor-Specific-Application-Id',10415,[16777238],[]}]},{[],[10500]},{[],[]}}} failed, errors [{5004,
{diameter_avp,1001,10415,true,false,
[{diameter_avp,1003,10415,true,false,
[{diameter_avp,511,10415,true,false,<<0,0,0,2>>,'Flow-Status',undefined,'Enumerated',3}],
'Charging-Rule-Definition',undefined,'Grouped',0}
],
'Charging-Rule-Install',undefined,'Grouped',4}
}
]

[error] <0.1863.0> ergw_aaa_gx:handle_cca/5:303: CCA Result: {error,[2001]}


Allow decimal format for LI-Location

erGW-AAA version

3.6 and 4.0

Erlang/OTP version

OTP 23

Description

  • Motivation
    Allow a decimal format to be added directly instead of a GPS format in
    vendor_ituma('LI-Location', #{'CAPWAP-GPS-Latitude' := Latitude,
  • Proposal
    Use a check for latitude and longitude values of type {decimal, Val} to include them directly as decimal values.

Current behavior

Currently, the latitude and longitude values are expected in GPS format.

Expected behavior

Some kind of flag should specify the format (decimal or GPS-like with minutes) in which the latitude and longitude are expected.

Config

No optional configuration is needed.

Implement DIAMETER rate limiter metric collector in erGW-AAA

erGW-AAA version

3.6.7

Description

This ticket is related to the observed behaviour of the diameter rate limiter where (in a yet-to-be-identified error situation) the outstanding request count doesn't decrement and the rate limiter can get "stuck", not allowing requests on the peer. This metric can help identify the situation.
After finding/fixing the related issue, the metrics can be used for tuning the rate limiters operationally.

Current behavior

Metrics for the current status of the rate limiters are not available

Expected behavior

Metrics for the current state of the diameter peer rate limiters (outstanding requests, rate) are exposed

Proposed Implementation

A prometheus collector module could collect the state of the rate limiters and include them in the prometheus metric report

send stop/terminate on all APIs with open session when the session owner dies

erGW-AAA version

  • 3.6.10 and earlier
  • master

Description

  • Motivation

The session process monitors the owner and invokes stop on all handlers. Some handlers (e.g. Gx, Gy, Ro) do not handle stop and will therefore not notify servers about the session end.

  • Proposal

DIAMETER handlers must remember whether a session to a server has been opened and must take the appropriate action (STR, CCR-T, ...) to inform the DIAMETER server about the unexpected termination of the session.
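The two issues "Avoid termination of unknown sessions" and "send stop/terminate on all APIs with open session when the session owner dies" describe the same bookkeeping from opposite sides: a handler must send a terminate request for every session the server acknowledged, and must not send one for a session the server has already answered with DIAMETER_UNKNOWN_SESSION_ID (5002). The module below is an added example (not ergw_aaa code) of that per-session state, keyed on the Result-Code of each answer and consulted on stop, including the stop triggered by the owner process dying. The module and function names, the state layout and the session identifiers in demo/0 are assumptions for this example.

```erlang
%% dia_session_track.erl: added example, not part of ergw_aaa.
-module(dia_session_track).
-export([new/0, answer/3, stop/2, demo/0]).

%% State: #{SessionId => open | gone}. A session that never received a
%% success answer to its initial request is simply absent from the map.
new() -> #{}.

%% Feed the Result-Code of every answer (CCA-I, CCA-U, AAA, ...).
answer(Id, 5002, State) ->
    %% DIAMETER_UNKNOWN_SESSION_ID: the server no longer knows the session,
    %% so a CCR-T/STR would only draw another 5002. Treat it as ended locally.
    {gone, State#{Id => gone}};
answer(Id, RC, State) when RC >= 2000, RC < 3000 ->
    case maps:get(Id, State, absent) of
        gone -> {gone, State};                 %% stay ended once 5002 was seen
        _    -> {open, State#{Id => open}}     %% server acknowledged the session
    end;
answer(_Id, RC, State) ->
    %% Any other error leaves the server's view of the session unchanged:
    %% a failed update still leaves an open session that must be terminated.
    {error, RC, State}.

%% Called on stop for whatever reason, including the owner process dying.
%% Returns the action the handler owes the server and the updated state.
stop(Id, State) ->
    Action = case maps:get(Id, State, absent) of
                 open   -> send_terminate;  %% CCR-T or STR must be sent
                 gone   -> skip;            %% already 5002: nothing to end
                 absent -> skip             %% never successfully opened
             end,
    {Action, maps:remove(Id, State)}.

demo() ->
    S0 = new(),
    {open, S1}        = answer(<<"sess-1">>, 2001, S0),   %% CCA-I success
    {gone, S2}        = answer(<<"sess-1">>, 5002, S1),   %% CCA-U: OCS lost it
    {open, S3}        = answer(<<"sess-2">>, 2001, S2),   %% CCA-I success
    {error, 5012, S4} = answer(<<"sess-3">>, 5012, S3),   %% CCA-I failed
    {A1, S5} = stop(<<"sess-1">>, S4),
    {A2, S6} = stop(<<"sess-2">>, S5),
    {A3, _}  = stop(<<"sess-3">>, S6),
    [{<<"sess-1">>, A1}, {<<"sess-2">>, A2}, {<<"sess-3">>, A3}].
```

Run `dia_session_track:demo().` after compiling; the three stops show the three cases from the issues: a session the OCS already reported unknown, a session that still needs a CCR-T, and a session that was never opened.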

Retrieve User ID data from NASREQ AAA response

erGW-AAA version

3.6 and 4.0

Erlang/OTP version

OTP 23

Description

  • Motivation
    During authentication in a NASREQ dialogue, core user ID information (IMSI, MSISDN, IMEI) is sometimes available to the Diameter server that a NAS uses. This information can be included in the AAA response and handled by the NAS.
  • Proposal
    If available, the following information will be sent:
    • IMSI: 3GPP-IMSI, from diameter_3gpp_base
    • MSISDN: Calling-Station-Id, from diameter_rfc4005_nasreq
    • IMEI: 3GPP-IMEISV, from diameter_3gpp_base

Current behavior

The 3GPP AVPs are not currently present in the AAA response, although Calling-Station-Id is.

Expected behavior

If available to the Diameter server, these AVPs will be present in the AAA response.

Config

No optional configuration is needed.
