view extensions/radius_gw/design.txt @ 413:844f921713d5

Updated design notes for sessions
author Sebastien Decugis <sdecugis@nict.go.jp>
date Mon, 15 Jun 2009 13:37:13 +0900
parents 0146c60af026

Several extensions will be built from this directory.

radius_gw: base code for the gateway.
This extension alone does nothing except log messages with unknown codes or attributes.

Other extensions provide callbacks to handle messages / attributes.
These sub-extensions are loaded according to the configuration of the main extension.

The complete list of RADIUS command codes can be found here:
http://www.iana.org/assignments/radius-types (RADIUS Packet Type Codes registry)

*** Basic principles ***

When a RADIUS message is received (it should be a request):
 - parse and validate the message:
   - format (header Length field, attribute lengths)
   - authenticator (the Request Authenticator can only be verified for Accounting-Request messages;
     an Access-Request carries a random one, so there only a Message-Authenticator attribute, if present, can be checked)
   - duplicate (a retransmission of a request that is already being processed)
   - ... (?)
 - create a rad_t structure (radius_gw.h) containing the RADIUS message information:
   - message data and metadata
   - attribute list
 - pass the parsed RADIUS message, plus locations for a Diameter message and a session, to all registered
   extensions, in the order specified in the configuration.
   - each extension may modify any of its inputs; it must remove from the attribute list the RADIUS
     attributes it has processed, so that whatever remains can be reported as unhandled.
   - the extensions return error codes (see radius_gw.h for detail). The meaning is:
     - no error, continue
     - stop processing and return an immediate error (critical error)
     - (possibly in a later version) continue processing if a fallback extension is registered
       (not supported in the initial version)
     - (possibly in a later version) an immediate RADIUS answer must be sent, without going to the Diameter
       network. This can be used for example for fragmented RADIUS requests (not supported in the initial
       version; may require a change in the design...)
 - when all extensions have been called, the Diameter message is checked for consistency. If it is a valid
   message, it is sent on the Diameter network, and the RADIUS request is kept until an answer is received.
   
When the Diameter answer is received, radius_gw retrieves the corresponding RADIUS request,
then a similar process happens (the same extensions are called as for the request, in the same order):
 - each registered extension is called with:
   - the session pointer
   - the RADIUS request
   - the RADIUS answer (to add attributes to)
   - the Diameter answer (with the linked Diameter request inside)
 - when all extensions have been called, the RADIUS answer is generated, with its Response Authenticator
   computed over the request's authenticator and the shared secret, and sent to the RADIUS client.
   The session is then deleted (RADIUS gateways are stateless).


*** About sessions ***

The session is created the first time an Access-Request is received.
A State or Class attribute with a value of the form "Diameter/..." is then used to carry the session
identity to the RADIUS client, which returns it in its subsequent requests, so the gateway can find the
session again without keeping per-session state itself.
More details in http://tools.ietf.org/html/rfc4005#section-9
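The following is an added worked example and is not code from the radius_gw extension or from freeDiameter (both written in C); Python is used because the steps are protocol-level and its standard library provides MD5. It implements the RADIUS-side steps of the two sections above: format validation and attribute parsing, the authenticator checks (Accounting-Request only; an Access-Request authenticator is random), duplicate detection, generation of the Response Authenticator for the answer, and carrying the Diameter session identity in a Class attribute prefixed "Diameter/". The shared secret, client address, attribute contents and the session identifier "gw.example.net;1245044233;42" are constructed for the example; the Diameter side (building and sending the Diameter request) is out of scope and not shown.

```python
"""Added example, not radius_gw/freeDiameter code: the RADIUS-side steps of the
design above. Secrets, addresses and the session identifier are constructed."""
import hashlib
import hmac
import os
import struct

HDR = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator (RFC 2865 s.3)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
ATTR_USER_NAME, ATTR_CLASS, ATTR_ACCT_STATUS_TYPE = 1, 25, 40
SESSION_PREFIX = b"Diameter/"  # RFC 4005 s.9: session identity carried in Class/State


class RadiusError(ValueError):
    """Malformed RADIUS packet."""


def parse(pkt):
    """Format validation; returns (code, identifier, authenticator, [(type, value), ...])."""
    if len(pkt) < HDR.size:
        raise RadiusError("packet shorter than header")
    code, ident, length, auth = HDR.unpack_from(pkt)
    if not HDR.size <= length <= 4096 or length > len(pkt):
        raise RadiusError("invalid Length field")
    attrs, off = [], HDR.size
    while off < length:  # walk the attribute TLVs, refusing anything inconsistent
        if length - off < 2:
            raise RadiusError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise RadiusError("attribute length out of bounds")
        attrs.append((atype, pkt[off + 2:off + alen]))
        off += alen
    return code, ident, auth, attrs


def build(code, ident, auth, attrs):
    body = b"".join(bytes((t, len(v) + 2)) + v for t, v in attrs)
    return HDR.pack(code, ident, HDR.size + len(body), auth) + body


def request_authenticator_ok(pkt, secret):
    """Accounting-Request: MD5(Code+ID+Length+16 zero octets+Attributes+Secret), RFC 2866 s.3.
    An Access-Request authenticator is a random nonce and cannot be checked this way."""
    if pkt[0] != ACCOUNTING_REQUEST:
        return True
    expect = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(expect, pkt[4:20])


class DuplicateCache:
    """A retransmission repeats (source, Identifier, Request Authenticator)."""
    def __init__(self):
        self.seen = set()

    def is_duplicate(self, client, pkt):
        key = (client, pkt[1], pkt[4:20])
        if key in self.seen:
            return True
        self.seen.add(key)
        return False


def respond(request, code, attrs, secret):
    """Answer with Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    _, ident, req_auth, _ = parse(request)
    unsigned = build(code, ident, req_auth, attrs)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]


def response_authenticator_ok(response, req_auth, secret):
    expect = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expect, response[4:20])


def session_from_attrs(attrs):
    """Recover the Diameter session the gateway stored in a "Diameter/..." Class attribute."""
    for atype, value in attrs:
        if atype == ATTR_CLASS and value.startswith(SESSION_PREFIX):
            return value[len(SESSION_PREFIX):].decode()
    return None


def gateway_roundtrip(secret=b"testing123", session_id="gw.example.net;1245044233;42"):
    """Constructed exchange: Access-Request -> Access-Accept carrying Class, then an
    Accounting-Request that echoes Class so the gateway finds the session again."""
    cache, client = DuplicateCache(), ("192.0.2.10", 1812)
    req = build(ACCESS_REQUEST, 7, os.urandom(16), [(ATTR_USER_NAME, b"alice")])
    code, _, req_auth, attrs = parse(req)
    assert code == ACCESS_REQUEST and request_authenticator_ok(req, secret)
    first_seen = not cache.is_duplicate(client, req)
    retransmit_dropped = cache.is_duplicate(client, req)
    assert session_from_attrs(attrs) is None  # first request: no session yet, create one
    accept = respond(req, ACCESS_ACCEPT,
                     [(ATTR_CLASS, SESSION_PREFIX + session_id.encode())], secret)
    client_ok = response_authenticator_ok(accept, req_auth, secret)
    # The client returns Class in later requests; sign an Accounting-Request as it would.
    acct_attrs = parse(accept)[3] + [(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1))]
    acct = build(ACCOUNTING_REQUEST, 8, bytes(16), acct_attrs)
    acct = acct[:4] + hashlib.md5(acct + secret).digest() + acct[20:]
    tampered = acct[:-1] + bytes([acct[-1] ^ 1])  # flip one attribute octet
    return dict(first_seen=first_seen, retransmit_dropped=retransmit_dropped,
                client_ok=client_ok, acct_ok=request_authenticator_ok(acct, secret),
                tampered_ok=request_authenticator_ok(tampered, secret),
                session=session_from_attrs(parse(acct)[3]))
```

Running gateway_roundtrip() shows the retransmitted Access-Request being dropped by the duplicate cache, the client accepting the Response Authenticator, the tampered Accounting-Request failing its authenticator check, and the session identity coming back out of the echoed Class attribute. Note that the Access-Request itself is not authenticated by its Request Authenticator; without a Message-Authenticator attribute (RFC 2869) the only protection is the shared secret's use in the answer and in hidden attributes.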
