diff options
-rw-r--r-- | doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg | 1 | ||||
-rw-r--r-- | doc/examples/osmo-sgsn/osmo-sgsn.cfg | 1 | ||||
-rw-r--r-- | doc/manuals/vty/sgsn_vty_reference.xml | 7 | ||||
-rw-r--r-- | src/gprs/sgsn_vty.c | 37 |
4 files changed, 45 insertions, 1 deletions
diff --git a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg index b47878a21..85112f41c 100644 --- a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg +++ b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg @@ -10,6 +10,7 @@ sgsn ggsn 0 remote-ip 127.0.0.2 ggsn 0 gtp-version 1 ggsn 0 echo-interval 60 + authentication optional auth-policy accept-all ! ns diff --git a/doc/examples/osmo-sgsn/osmo-sgsn.cfg b/doc/examples/osmo-sgsn/osmo-sgsn.cfg index 263bd00e2..3be4d4935 100644 --- a/doc/examples/osmo-sgsn/osmo-sgsn.cfg +++ b/doc/examples/osmo-sgsn/osmo-sgsn.cfg @@ -10,6 +10,7 @@ sgsn ggsn 0 remote-ip 127.0.0.2 ggsn 0 gtp-version 1 ggsn 0 echo-interval 60 + authentication required auth-policy remote gsup remote-ip 127.0.0.1 gsup remote-port 4222 diff --git a/doc/manuals/vty/sgsn_vty_reference.xml b/doc/manuals/vty/sgsn_vty_reference.xml index 7619215d5..ed117778e 100644 --- a/doc/manuals/vty/sgsn_vty_reference.xml +++ b/doc/manuals/vty/sgsn_vty_reference.xml @@ -2230,6 +2230,13 @@ <param name='remote' doc='Use remote subscription data only (HLR)' /> </params> </command> + <command id='authentication (optional|required)'> + <params> + <param name='authentication' doc='Whether to enforce MS authentication in GERAN' /> + <param name='optional' doc='Allow MS to attach via GERAN without authentication' /> + <param name='required' doc='Always require authentication' /> + </params> + </command> <command id='encryption (GEA0|GEA1|GEA2|GEA3|GEA4)'> <params> <param name='encryption' doc='Set encryption algorithm for SGSN' /> diff --git a/src/gprs/sgsn_vty.c b/src/gprs/sgsn_vty.c index 6389d92ac..29c97718e 100644 --- a/src/gprs/sgsn_vty.c +++ b/src/gprs/sgsn_vty.c @@ -211,6 +211,8 @@ static int config_write_sgsn(struct vty *vty) if (g_cfg->gsup_server_port) vty_out(vty, " gsup remote-port %d%s", g_cfg->gsup_server_port, VTY_NEWLINE); + vty_out(vty, " authentication %s%s", + g_cfg->require_authentication ? "required" : "optional", VTY_NEWLINE); vty_out(vty, " auth-policy %s%s", get_value_string(sgsn_auth_pol_strs, g_cfg->auth_policy), VTY_NEWLINE); @@ -693,6 +695,27 @@ DEFUN(cfg_encrypt, cfg_encrypt_cmd, return CMD_SUCCESS; } +DEFUN(cfg_authentication, cfg_authentication_cmd, + "authentication (optional|required)", + "Whether to enforce MS authentication in GERAN\n" + "Allow MS to attach via GERAN without authentication\n" + "Always require authentication\n") +{ + int required = (argv[0][0] == 'r'); + + if (vty->type != VTY_FILE) { + if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE && required) { + vty_out(vty, "%% Authentication is not possible without HLR, " + "consider setting 'auth-policy' to 'remote'%s", + VTY_NEWLINE); + return CMD_WARNING; + } + } + + g_cfg->require_authentication = required; + return CMD_SUCCESS; +} + DEFUN(cfg_auth_policy, cfg_auth_policy_cmd, "auth-policy (accept-all|closed|acl-only|remote)", "Configure the Authorization policy of the SGSN. This setting determines which subscribers are" @@ -705,9 +728,12 @@ DEFUN(cfg_auth_policy, cfg_auth_policy_cmd, int val = get_string_value(sgsn_auth_pol_strs, argv[0]); OSMO_ASSERT(val >= SGSN_AUTH_POLICY_OPEN && val <= SGSN_AUTH_POLICY_REMOTE); g_cfg->auth_policy = val; - g_cfg->require_authentication = (val == SGSN_AUTH_POLICY_REMOTE); g_cfg->require_update_location = (val == SGSN_AUTH_POLICY_REMOTE); + /* Authentication is not possible without HLR */ + if (val != SGSN_AUTH_POLICY_REMOTE) + g_cfg->require_authentication = 0; + return CMD_SUCCESS; } @@ -1391,6 +1417,7 @@ int sgsn_vty_init(struct sgsn_config *cfg) install_element(SGSN_NODE, &cfg_ggsn_no_echo_interval_cmd); install_element(SGSN_NODE, &cfg_imsi_acl_cmd); install_element(SGSN_NODE, &cfg_auth_policy_cmd); + install_element(SGSN_NODE, &cfg_authentication_cmd); install_element(SGSN_NODE, &cfg_encrypt_cmd); install_element(SGSN_NODE, &cfg_gsup_ipa_name_cmd); install_element(SGSN_NODE, &cfg_gsup_remote_ip_cmd); @@ -1462,6 +1489,14 @@ int sgsn_parse_config(const char *config_file) return rc; } + if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE + && g_cfg->require_authentication) { + fprintf(stderr, "Configuration error:" + " authentication is not possible without HLR." + " Consider setting 'auth-policy' to 'remote'\n"); + return -EINVAL; + } + if (g_cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE && !(g_cfg->gsup_server_addr.sin_addr.s_addr && g_cfg->gsup_server_port)) { |