aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVadim Yanitskiy <axilirator@gmail.com>2019-05-27 05:39:06 +0700
committerlaforge <laforge@gnumonks.org>2019-06-06 19:45:34 +0000
commit794f446a284ed1ac6d31eb79a8f4c874d66fc34e (patch)
treea9fd8f5162c2450a58e9a665df2cfb9a30ac94e2
parentf7afd202000ccc7f59e059e3f5581507e3672af7 (diff)
osmo-sgsn: add VTY parameter to toggle authentication
It may be useful to have 'remote' authorization policy, but do not require authentication in GERAN at the same time, e.g. in combination with 'subscriber-create-on-demand' feature of OsmoHLR. This change introduces a new VTY parameter similar to the one that we already have in OsmoMSC: authentication (optional|required) Please note that 'required' only applies if 'auth-policy' is 'remote'. Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9
-rw-r--r--doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg1
-rw-r--r--doc/examples/osmo-sgsn/osmo-sgsn.cfg1
-rw-r--r--doc/manuals/vty/sgsn_vty_reference.xml7
-rw-r--r--src/gprs/sgsn_vty.c37
4 files changed, 45 insertions, 1 deletions
diff --git a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
index b47878a2..85112f41 100644
--- a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
+++ b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
@@ -10,6 +10,7 @@ sgsn
ggsn 0 remote-ip 127.0.0.2
ggsn 0 gtp-version 1
ggsn 0 echo-interval 60
+ authentication optional
auth-policy accept-all
!
ns
diff --git a/doc/examples/osmo-sgsn/osmo-sgsn.cfg b/doc/examples/osmo-sgsn/osmo-sgsn.cfg
index 263bd00e..3be4d493 100644
--- a/doc/examples/osmo-sgsn/osmo-sgsn.cfg
+++ b/doc/examples/osmo-sgsn/osmo-sgsn.cfg
@@ -10,6 +10,7 @@ sgsn
ggsn 0 remote-ip 127.0.0.2
ggsn 0 gtp-version 1
ggsn 0 echo-interval 60
+ authentication required
auth-policy remote
gsup remote-ip 127.0.0.1
gsup remote-port 4222
diff --git a/doc/manuals/vty/sgsn_vty_reference.xml b/doc/manuals/vty/sgsn_vty_reference.xml
index 7619215d..ed117778 100644
--- a/doc/manuals/vty/sgsn_vty_reference.xml
+++ b/doc/manuals/vty/sgsn_vty_reference.xml
@@ -2230,6 +2230,13 @@
<param name='remote' doc='Use remote subscription data only (HLR)' />
</params>
</command>
+ <command id='authentication (optional|required)'>
+ <params>
+ <param name='authentication' doc='Whether to enforce MS authentication in GERAN' />
+ <param name='optional' doc='Allow MS to attach via GERAN without authentication' />
+ <param name='required' doc='Always require authentication' />
+ </params>
+ </command>
<command id='encryption (GEA0|GEA1|GEA2|GEA3|GEA4)'>
<params>
<param name='encryption' doc='Set encryption algorithm for SGSN' />
diff --git a/src/gprs/sgsn_vty.c b/src/gprs/sgsn_vty.c
index 6389d92a..29c97718 100644
--- a/src/gprs/sgsn_vty.c
+++ b/src/gprs/sgsn_vty.c
@@ -211,6 +211,8 @@ static int config_write_sgsn(struct vty *vty)
if (g_cfg->gsup_server_port)
vty_out(vty, " gsup remote-port %d%s",
g_cfg->gsup_server_port, VTY_NEWLINE);
+ vty_out(vty, " authentication %s%s",
+ g_cfg->require_authentication ? "required" : "optional", VTY_NEWLINE);
vty_out(vty, " auth-policy %s%s",
get_value_string(sgsn_auth_pol_strs, g_cfg->auth_policy),
VTY_NEWLINE);
@@ -693,6 +695,27 @@ DEFUN(cfg_encrypt, cfg_encrypt_cmd,
return CMD_SUCCESS;
}
+DEFUN(cfg_authentication, cfg_authentication_cmd,
+ "authentication (optional|required)",
+ "Whether to enforce MS authentication in GERAN\n"
+ "Allow MS to attach via GERAN without authentication\n"
+ "Always require authentication\n")
+{
+ int required = (argv[0][0] == 'r');
+
+ if (vty->type != VTY_FILE) {
+ if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE && required) {
+ vty_out(vty, "%% Authentication is not possible without HLR, "
+ "consider setting 'auth-policy' to 'remote'%s",
+ VTY_NEWLINE);
+ return CMD_WARNING;
+ }
+ }
+
+ g_cfg->require_authentication = required;
+ return CMD_SUCCESS;
+}
+
DEFUN(cfg_auth_policy, cfg_auth_policy_cmd,
"auth-policy (accept-all|closed|acl-only|remote)",
"Configure the Authorization policy of the SGSN. This setting determines which subscribers are"
@@ -705,9 +728,12 @@ DEFUN(cfg_auth_policy, cfg_auth_policy_cmd,
int val = get_string_value(sgsn_auth_pol_strs, argv[0]);
OSMO_ASSERT(val >= SGSN_AUTH_POLICY_OPEN && val <= SGSN_AUTH_POLICY_REMOTE);
g_cfg->auth_policy = val;
- g_cfg->require_authentication = (val == SGSN_AUTH_POLICY_REMOTE);
g_cfg->require_update_location = (val == SGSN_AUTH_POLICY_REMOTE);
+ /* Authentication is not possible without HLR */
+ if (val != SGSN_AUTH_POLICY_REMOTE)
+ g_cfg->require_authentication = 0;
+
return CMD_SUCCESS;
}
@@ -1391,6 +1417,7 @@ int sgsn_vty_init(struct sgsn_config *cfg)
install_element(SGSN_NODE, &cfg_ggsn_no_echo_interval_cmd);
install_element(SGSN_NODE, &cfg_imsi_acl_cmd);
install_element(SGSN_NODE, &cfg_auth_policy_cmd);
+ install_element(SGSN_NODE, &cfg_authentication_cmd);
install_element(SGSN_NODE, &cfg_encrypt_cmd);
install_element(SGSN_NODE, &cfg_gsup_ipa_name_cmd);
install_element(SGSN_NODE, &cfg_gsup_remote_ip_cmd);
@@ -1462,6 +1489,14 @@ int sgsn_parse_config(const char *config_file)
return rc;
}
+ if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE
+ && g_cfg->require_authentication) {
+ fprintf(stderr, "Configuration error:"
+ " authentication is not possible without HLR."
+ " Consider setting 'auth-policy' to 'remote'\n");
+ return -EINVAL;
+ }
+
if (g_cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE
&& !(g_cfg->gsup_server_addr.sin_addr.s_addr
&& g_cfg->gsup_server_port)) {