This page contains a Perl hook for the ServerRADSEC portion of your Radiator configuration to set the OpenRoaming Operator-Name from the WBA ID in the connecting peer certificate.
In OpenRoaming, the Operator-Name MUST either contain a value starting with 4, followed by the WBA ID that is provided by the Wireless Broadband Alliance, OR a value starting with 1, followed by the BASE64-encoded version of the WBA ID, ending with .wballiance.com.
In this hook, the connecting peer should present a WBA-issued certificate. If it does, the WBA ID is retrieved from the certificate, changed to upper case (although it already should be), and then inserted into the Operator-Name attribute if the attribute does not exist. If an Operator-Name value already exists, the hook checks that it matches the alternative (BASE64) format, and if it does not, the existing value is overwritten with the value from the certificate. If either method fails, the Operator-Name is reset to the generic '4OPENROAMING'.
Example:
Example WBA ID: CITYROAM:JP
Acceptable Operator-Name values:
4CITYROAM:JP
1Q0lUWVJPQU06SlA.wballiance.com
sub
{
    my $p = ${$_[0]};

    # Pick up the peer certificate and pull the WBA ID out of its subject
    my $ssl = $p->{Client}->{ssl_streamtls};
    my $x509 = Net::SSLeay::get_peer_certificate($ssl);
    my $x509_name = Net::SSLeay::X509_get_subject_name($x509);
    my $name = Net::SSLeay::X509_NAME_oneline($x509_name);
    &main::log($main::LOG_INFO, "Connection from '$name'", $p);

    my $wbaId = Net::SSLeay::X509_NAME_get_text_by_NID($x509_name, &Net::SSLeay::NID_uniqueIdentifier);
    unless ((defined $wbaId) && ($wbaId ne ''))
    {
        # Fall back to the UID= component of the one-line subject string
        my @uid = grep /^UID=/, split('/', $name);
        unless (scalar @uid < 1)
        {
            $wbaId = $uid[0] =~ s/^UID=//gr;
        }
    }
    # The WBA ID should already be upper case; normalise it anyway
    $wbaId =~ tr/a-z/A-Z/ if defined $wbaId;

    # Re-set the Operator-Name
    my $oname = $p->get_attr('Operator-Name');
    &main::log($main::LOG_DEBUG, "PreHandlerHook: WBA_RADSEC: Operator-Name before change: '$oname'");

    # An existing value is kept only if it is in the BASE64 format
    my $keep = (defined $oname) && ($oname =~ /^1[0-9A-Za-z]{2,}\.wballiance\.com$/i);
    unless ($keep)
    {
        if ((defined $wbaId) && ($wbaId ne ''))
        {
            # Missing or non-matching value: use the WBA ID from the certificate
            $oname = "4$wbaId";
        }
        else
        {
            # No usable WBA ID in the certificate either
            $oname = '4OPENROAMING';
        }
    }

    $p->change_attr('Operator-Name', $oname);
    &main::log($main::LOG_DEBUG, "PreHandlerHook: WBA_RADSEC: Operator-Name: '$oname'");
    return;
}
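The hook above only checks the shape of an existing BASE64-style Operator-Name. The stand-alone script below is an added example, not part of the original hook or of Radiator: it builds both acceptable forms from a WBA ID and compares a received Operator-Name against the ID taken from the certificate. The function names and result strings are hypothetical, the sample values other than the page's CITYROAM:JP example are constructed, and whether a mismatch should be rejected or overwritten is a local policy assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);

# Build the two Operator-Name forms described above for one WBA ID.
sub operator_names_for {
    my ($wba_id) = @_;
    my $id  = uc $wba_id;
    my $b64 = encode_base64($id, '');   # '' suppresses the trailing newline
    $b64 =~ s/=+\z//;                   # the page's example has no '=' padding
    return ("4$id", "1$b64.wballiance.com");
}

# Hypothetical stricter check: does the received Operator-Name name the
# same WBA ID as the peer certificate?
sub check_operator_name {
    my ($oname, $cert_wba_id) = @_;
    return 'missing'    unless defined $oname && $oname ne '';
    return 'no-cert-id' unless defined $cert_wba_id && $cert_wba_id ne '';

    my ($plain, $encoded) = operator_names_for($cert_wba_id);

    # "4" form: compare case-insensitively, as the hook upper-cases the ID
    return 'match' if uc($oname) eq $plain;

    # "1" form: BASE64 is case-sensitive, the domain suffix is not
    if ($oname =~ /\A(1[^.]+)(\.wballiance\.com)\z/i) {
        my $normalised = $1 . lc($2);
        return $normalised eq $encoded ? 'match' : 'mismatch';
    }
    return 'mismatch';
}

# Constructed sample input; CITYROAM:JP is the example WBA ID from this page.
my $cert_id = 'CITYROAM:JP';
my @received = (
    '4CITYROAM:JP',
    '1Q0lUWVJPQU06SlA.wballiance.com',
    '1RVhBTVBMRTpYWA.wballiance.com',   # constructed: encodes a different ID
    '4OPENROAMING',
    '',
);
for my $oname (@received) {
    printf "%-36s %s\n", "'$oname'", check_operator_name($oname, $cert_id);
}
```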