diff options
| author | Vadim Yanitskiy <axilirator@gmail.com> | 2019-05-27 05:39:06 +0700 |
|---|---|---|
| committer | laforge <laforge@gnumonks.org> | 2019-06-06 19:45:34 +0000 |
| commit | 794f446a284ed1ac6d31eb79a8f4c874d66fc34e (patch) | |
| tree | a9fd8f5162c2450a58e9a665df2cfb9a30ac94e2 | |
| parent | f7afd202000ccc7f59e059e3f5581507e3672af7 (diff) | |
osmo-sgsn: add VTY parameter to toggle authentication
It may be useful to have 'remote' authorization policy, but do not
require authentication in GERAN at the same time, e.g. in combination
with 'subscriber-create-on-demand' feature of OsmoHLR.
This change introduces a new VTY parameter similar to the one
that we already have in OsmoMSC:
authentication (optional|required)
Please note that 'required' only applies if 'auth-policy' is 'remote'.
Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9
| -rw-r--r-- | doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg | 1 | ||||
| -rw-r--r-- | doc/examples/osmo-sgsn/osmo-sgsn.cfg | 1 | ||||
| -rw-r--r-- | doc/manuals/vty/sgsn_vty_reference.xml | 7 | ||||
| -rw-r--r-- | src/gprs/sgsn_vty.c | 37 |
4 files changed, 45 insertions, 1 deletions
diff --git a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg index b47878a21..85112f41c 100644 --- a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg +++ b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg @@ -10,6 +10,7 @@ sgsn ggsn 0 remote-ip 127.0.0.2 ggsn 0 gtp-version 1 ggsn 0 echo-interval 60 + authentication optional auth-policy accept-all ! ns diff --git a/doc/examples/osmo-sgsn/osmo-sgsn.cfg b/doc/examples/osmo-sgsn/osmo-sgsn.cfg index 263bd00e2..3be4d4935 100644 --- a/doc/examples/osmo-sgsn/osmo-sgsn.cfg +++ b/doc/examples/osmo-sgsn/osmo-sgsn.cfg @@ -10,6 +10,7 @@ sgsn ggsn 0 remote-ip 127.0.0.2 ggsn 0 gtp-version 1 ggsn 0 echo-interval 60 + authentication required auth-policy remote gsup remote-ip 127.0.0.1 gsup remote-port 4222 diff --git a/doc/manuals/vty/sgsn_vty_reference.xml b/doc/manuals/vty/sgsn_vty_reference.xml index 7619215d5..ed117778e 100644 --- a/doc/manuals/vty/sgsn_vty_reference.xml +++ b/doc/manuals/vty/sgsn_vty_reference.xml @@ -2230,6 +2230,13 @@ <param name='remote' doc='Use remote subscription data only (HLR)' /> </params> </command> + <command id='authentication (optional|required)'> + <params> + <param name='authentication' doc='Whether to enforce MS authentication in GERAN' /> + <param name='optional' doc='Allow MS to attach via GERAN without authentication' /> + <param name='required' doc='Always require authentication' /> + </params> + </command> <command id='encryption (GEA0|GEA1|GEA2|GEA3|GEA4)'> <params> <param name='encryption' doc='Set encryption algorithm for SGSN' /> diff --git a/src/gprs/sgsn_vty.c b/src/gprs/sgsn_vty.c index 6389d92ac..29c97718e 100644 --- a/src/gprs/sgsn_vty.c +++ b/src/gprs/sgsn_vty.c @@ -211,6 +211,8 @@ static int config_write_sgsn(struct vty *vty) if (g_cfg->gsup_server_port) vty_out(vty, " gsup remote-port %d%s", g_cfg->gsup_server_port, VTY_NEWLINE); + vty_out(vty, " authentication %s%s", + g_cfg->require_authentication ? "required" : "optional", VTY_NEWLINE); vty_out(vty, " auth-policy %s%s", get_value_string(sgsn_auth_pol_strs, g_cfg->auth_policy), VTY_NEWLINE); @@ -693,6 +695,27 @@ DEFUN(cfg_encrypt, cfg_encrypt_cmd, return CMD_SUCCESS; } +DEFUN(cfg_authentication, cfg_authentication_cmd, + "authentication (optional|required)", + "Whether to enforce MS authentication in GERAN\n" + "Allow MS to attach via GERAN without authentication\n" + "Always require authentication\n") +{ + int required = (argv[0][0] == 'r'); + + if (vty->type != VTY_FILE) { + if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE && required) { + vty_out(vty, "%% Authentication is not possible without HLR, " + "consider setting 'auth-policy' to 'remote'%s", + VTY_NEWLINE); + return CMD_WARNING; + } + } + + g_cfg->require_authentication = required; + return CMD_SUCCESS; +} + DEFUN(cfg_auth_policy, cfg_auth_policy_cmd, "auth-policy (accept-all|closed|acl-only|remote)", "Configure the Authorization policy of the SGSN. This setting determines which subscribers are" @@ -705,9 +728,12 @@ DEFUN(cfg_auth_policy, cfg_auth_policy_cmd, int val = get_string_value(sgsn_auth_pol_strs, argv[0]); OSMO_ASSERT(val >= SGSN_AUTH_POLICY_OPEN && val <= SGSN_AUTH_POLICY_REMOTE); g_cfg->auth_policy = val; - g_cfg->require_authentication = (val == SGSN_AUTH_POLICY_REMOTE); g_cfg->require_update_location = (val == SGSN_AUTH_POLICY_REMOTE); + /* Authentication is not possible without HLR */ + if (val != SGSN_AUTH_POLICY_REMOTE) + g_cfg->require_authentication = 0; + return CMD_SUCCESS; } @@ -1391,6 +1417,7 @@ int sgsn_vty_init(struct sgsn_config *cfg) install_element(SGSN_NODE, &cfg_ggsn_no_echo_interval_cmd); install_element(SGSN_NODE, &cfg_imsi_acl_cmd); install_element(SGSN_NODE, &cfg_auth_policy_cmd); + install_element(SGSN_NODE, &cfg_authentication_cmd); install_element(SGSN_NODE, &cfg_encrypt_cmd); install_element(SGSN_NODE, &cfg_gsup_ipa_name_cmd); install_element(SGSN_NODE, &cfg_gsup_remote_ip_cmd); @@ -1462,6 +1489,14 @@ int sgsn_parse_config(const char *config_file) return rc; } + if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE + && g_cfg->require_authentication) { + fprintf(stderr, "Configuration error:" + " authentication is not possible without HLR." + " Consider setting 'auth-policy' to 'remote'\n"); + return -EINVAL; + } + if (g_cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE && !(g_cfg->gsup_server_addr.sin_addr.s_addr && g_cfg->gsup_server_port)) { |