Implement PAP authentification for Radius ( + tests )

2026-02-11 18:16:24 +05:00 · 2020-03-18 17:45:13 +02:00
parent 45ff034a48
commit 3e09ae79be
17 changed files with 215 additions and 65 deletions
--- a/agents/agentreq.go
+++ b/agents/agentreq.go
@@ -178,17 +178,17 @@ func (ar *AgentRequest) SetFields(tplFlds []*config.FCTemplate) (err error) {
 			default:
 				return fmt.Errorf("unsupported field prefix: <%s> when set fields", fldPath[0])
 			case utils.MetaVars:
-				ar.Vars = config.NewNavigableMap(nil)
+				ar.Vars.RemoveAll()
 			case utils.MetaCgreq:
-				ar.CGRRequest = config.NewNavigableMap(nil)
+				ar.CGRRequest.RemoveAll()
 			case utils.MetaCgrep:
-				ar.CGRReply = config.NewNavigableMap(nil)
+				ar.CGRReply.RemoveAll()
 			case utils.MetaRep:
-				ar.Reply = config.NewNavigableMap(nil)
+				ar.Reply.RemoveAll()
 			case utils.MetaDiamreq:
-				ar.diamreq = config.NewNavigableMap(nil)
+				ar.diamreq.RemoveAll()
 			case utils.MetaTmp:
-				ar.tmp = config.NewNavigableMap(nil)
+				ar.tmp.RemoveAll()
 			}
 		default:
 			out, err := ar.ParseField(tplFld)
--- a/agents/agentreq_test.go
+++ b/agents/agentreq_test.go
@@ -1734,7 +1734,7 @@ func TestAgReqSetFieldsWithRemove(t *testing.T) {
 	eMpRemove = config.NewNavigableMap(nil)
 	if err := agReq.SetFields(tplFldsRemove); err != nil {
 		t.Error(err)
-	} else if !reflect.DeepEqual(agReq.Reply, eMpRemove) {
+	} else if !reflect.DeepEqual(agReq.Reply.Values(), eMpRemove.Values()) {
 		t.Errorf("expecting: %+v,\n received: %+v", eMpRemove, agReq.Reply)
 	}
 }
--- a/agents/dnsagent.go
+++ b/agents/dnsagent.go
@@ -158,7 +158,6 @@ func (da *DNSAgent) handleMessage(w dns.ResponseWriter, req *dns.Msg) {
 		dnsWriteMsg(w, rply)
 		return
 	}
-	fmt.Println(utils.ToJSON(rply))
 	if err = dnsWriteMsg(w, rply); err != nil { // failed sending, most probably content issue
 		rply = new(dns.Msg)
 		rply.SetReply(req)
--- a/agents/radagent.go
+++ b/agents/radagent.go
@@ -87,13 +87,14 @@ func (ra *RadiusAgent) handleAuth(req *radigo.Packet) (rpl *radigo.Packet, err e
 			ra.filterS, nil, nil)
 		agReq.Vars.Set([]string{MetaRadReqType}, utils.StringToInterface(MetaRadAuth), false, true)
 		var lclProcessed bool
-		if lclProcessed, err = ra.processRequest(reqProcessor, agReq, rpl); lclProcessed {
+		if lclProcessed, err = ra.processRequest(req, reqProcessor, agReq); lclProcessed {
 			processed = lclProcessed
 		}
 		if err != nil || (lclProcessed && !reqProcessor.Flags.GetBool(utils.MetaContinue)) {
 			break
 		}
 	}
+
 	if err != nil {
 		utils.Logger.Err(fmt.Sprintf("<%s> error: <%s> ignoring request: %s",
 			utils.RadiusAgent, err.Error(), utils.ToJSON(req)))
@@ -130,7 +131,7 @@ func (ra *RadiusAgent) handleAcct(req *radigo.Packet) (rpl *radigo.Packet, err e
 				config.CgrConfig().GeneralCfg().DefaultTimezone),
 			ra.filterS, nil, nil)
 		var lclProcessed bool
-		if lclProcessed, err = ra.processRequest(reqProcessor, agReq, rpl); lclProcessed {
+		if lclProcessed, err = ra.processRequest(req, reqProcessor, agReq); lclProcessed {
 			processed = lclProcessed
 		}
 		if err != nil || (lclProcessed && !reqProcessor.Flags.GetBool(utils.MetaContinue)) {
@@ -155,8 +156,8 @@ func (ra *RadiusAgent) handleAcct(req *radigo.Packet) (rpl *radigo.Packet, err e
 }

 // processRequest represents one processor processing the request
-func (ra *RadiusAgent) processRequest(reqProcessor *config.RequestProcessor,
-	agReq *AgentRequest, rply *radigo.Packet) (processed bool, err error) {
+func (ra *RadiusAgent) processRequest(req *radigo.Packet, reqProcessor *config.RequestProcessor,
+	agReq *AgentRequest) (processed bool, err error) {
 	if pass, err := ra.filterS.Pass(agReq.Tenant,
 		reqProcessor.Filters, agReq); err != nil || !pass {
 		return pass, err
@@ -303,16 +304,18 @@ func (ra *RadiusAgent) processRequest(reqProcessor *config.RequestProcessor,
 		}
 	case utils.MetaCDRs: // allow this method
 	case utils.MetaRadauth:
-		// To be implemented
-		//// radius pass will be taken from request directly
-		//radiusPass := "CGRateS.org"
-		//userPass, err := agReq.Vars.FieldAsString([]string{utils.UserPassword})
-		//if err != nil {
-		//	return false, err
-		//}
-		//if radiusPass != userPass {
-		//	agReq.CGRReply.Set([]string{utils.Error}, "Failed to authenticate request", false, false)
-		//}
+		// try to get UserPassword from Vars as slice of NMItems
+		nmItems, err := agReq.Vars.FieldAsInterface([]string{utils.UserPassword})
+		if err != nil {
+			return false, err
+		}
+		avps := req.AttributesWithName("User-Password", utils.EmptyString)
+		if len(avps) == 0 {
+			return false, fmt.Errorf("cannot find User-Password  AVP in request")
+		}
+		if string(avps[0].RawValue) != nmItems.([]*config.NMItem)[0].Data {
+			agReq.CGRReply.Set([]string{utils.Error}, "Failed to authenticate request", false, false)
+		}
 	}
 	// separate request so we can capture the Terminate/Event also here
 	if reqProcessor.Flags.HasKey(utils.MetaCDRs) {
@@ -324,6 +327,7 @@ func (ra *RadiusAgent) processRequest(reqProcessor *config.RequestProcessor,
 			agReq.CGRReply.Set([]string{utils.Error}, err.Error(), false, false)
 		}
 	}
+
 	if err := agReq.SetFields(reqProcessor.ReplyFields); err != nil {
 		return false, err
 	}
@@ -331,12 +335,12 @@ func (ra *RadiusAgent) processRequest(reqProcessor *config.RequestProcessor,
 	if reqProcessor.Flags.HasKey(utils.MetaLog) {
 		utils.Logger.Info(
 			fmt.Sprintf("<%s> LOG, Radius reply: %s",
-				utils.RadiusAgent, utils.ToIJSON(rply)))
+				utils.RadiusAgent, utils.ToIJSON(agReq.Reply)))
 	}
 	if reqType == utils.MetaDryRun {
 		utils.Logger.Info(
 			fmt.Sprintf("<%s> DRY_RUN, Radius reply: %s",
-				utils.RadiusAgent, utils.ToJSON(rply)))
+				utils.RadiusAgent, utils.ToJSON(agReq.Reply)))
 	}
 	return true, nil
 }
--- a/agents/radagent_it_test.go
+++ b/agents/radagent_it_test.go
@@ -50,7 +50,8 @@ var (
 		testRAitStartEngine,
 		testRAitApierRpcConn,
 		testRAitTPFromFolder,
-		testRAitAuth,
+		testRAitAuthSuccess,
+		testRAitAuthFail,
 		testRAitAcctStart,
 		testRAitAcctStop,
 		testRAitStopCgrEngine,
@@ -80,7 +81,6 @@ func TestRAit(t *testing.T) {
 	}
 }

-/*
 func TestRAitDispatcher(t *testing.T) {
 	if *encoding == utils.MetaGOB {
 		t.SkipNow()
@@ -97,7 +97,7 @@ func TestRAitDispatcher(t *testing.T) {
 	engine.KillEngine(100)
 	isDispatcherActive = false
 }
-*/
+
 func testRAitInitCfg(t *testing.T) {
 	raCfgPath = path.Join(*dataDir, "conf", "samples", raonfigDIR)
 	// Init config first
@@ -192,7 +192,7 @@ func testRadiusitTPLoadData(t *testing.T) {
 	}
 }

-func testRAitAuth(t *testing.T) {
+func testRAitAuthSuccess(t *testing.T) {
 	if raAuthClnt, err = radigo.NewClient("udp", "127.0.0.1:1812", "CGRateS.org", dictRad, 1, nil); err != nil {
 		t.Fatal(err)
 	}
@@ -200,9 +200,9 @@ func testRAitAuth(t *testing.T) {
 	if err := authReq.AddAVPWithName("User-Name", "1001", ""); err != nil {
 		t.Error(err)
 	}
-	//if err := authReq.AddAVPWithName("User-Password", "CGRateS.org", ""); err != nil {
-	//	t.Error(err)
-	//}
+	if err := authReq.AddAVPWithName("User-Password", "CGRateSPassword1", ""); err != nil {
+		t.Error(err)
+	}
 	if err := authReq.AddAVPWithName("Service-Type", "SIP-Caller-AVPs", ""); err != nil {
 		t.Error(err)
 	}
@@ -235,6 +235,49 @@ func testRAitAuth(t *testing.T) {
 	}
 }

+func testRAitAuthFail(t *testing.T) {
+	if raAuthClnt, err = radigo.NewClient("udp", "127.0.0.1:1812", "CGRateS.org", dictRad, 1, nil); err != nil {
+		t.Fatal(err)
+	}
+	authReq := raAuthClnt.NewRequest(radigo.AccessRequest, 1) // emulates Kamailio packet out of radius_load_caller_avps()
+	if err := authReq.AddAVPWithName("User-Name", "1001", ""); err != nil {
+		t.Error(err)
+	}
+	if err := authReq.AddAVPWithName("User-Password", "CGRateSPassword2", ""); err != nil {
+		t.Error(err)
+	}
+	if err := authReq.AddAVPWithName("Service-Type", "SIP-Caller-AVPs", ""); err != nil {
+		t.Error(err)
+	}
+	if err := authReq.AddAVPWithName("Called-Station-Id", "1002", ""); err != nil {
+		t.Error(err)
+	}
+	if err := authReq.AddAVPWithName("Acct-Session-Id", "e4921177ab0e3586c37f6a185864b71a@0:0:0:0:0:0:0:0", ""); err != nil {
+		t.Error(err)
+	}
+	if err := authReq.AddAVPWithName("Sip-From-Tag", "51585361", ""); err != nil {
+		t.Error(err)
+	}
+	if err := authReq.AddAVPWithName("NAS-IP-Address", "127.0.0.1", ""); err != nil {
+		t.Error(err)
+	}
+	if err := authReq.AddAVPWithName("Event-Timestamp", "1497106115", ""); err != nil {
+		t.Error(err)
+	}
+	reply, err := raAuthClnt.SendRequest(authReq)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if reply.Code != radigo.AccessReject {
+		t.Errorf("Received reply: %+v", reply)
+	}
+	if len(reply.AVPs) != 1 { // make sure max duration is received
+		t.Errorf("Received AVPs: %+v", reply.AVPs)
+	} else if !reflect.DeepEqual([]byte("Failed to authenticate request"), reply.AVPs[0].RawValue) {
+		t.Errorf("Received: %s", string(reply.AVPs[0].RawValue))
+	}
+}
+
 func testRAitAcctStart(t *testing.T) {
 	if raAcctClnt, err = radigo.NewClient("udp", "127.0.0.1:1813", "CGRateS.org", dictRad, 1, nil); err != nil {
 		t.Fatal(err)
@@ -273,7 +316,7 @@ func testRAitAcctStart(t *testing.T) {
 	if err := req.AddAVPWithName("Ascend-User-Acct-Time", "1497106115", ""); err != nil {
 		t.Error(err)
 	}
-	if err := req.AddAVPWithName("NAS-Port-Id", "5060", ""); err != nil {
+	if err := req.AddAVPWithName("NAS-Port", "5060", ""); err != nil {
 		t.Error(err)
 	}
 	if err := req.AddAVPWithName("Acct-Delay-Time", "0", ""); err != nil {
@@ -349,7 +392,7 @@ func testRAitAcctStop(t *testing.T) {
 	if err := req.AddAVPWithName("Ascend-User-Acct-Time", "1497106115", ""); err != nil {
 		t.Error(err)
 	}
-	if err := req.AddAVPWithName("NAS-Port-Id", "5060", ""); err != nil {
+	if err := req.AddAVPWithName("NAS-Port", "5060", ""); err != nil {
 		t.Error(err)
 	}
 	if err := req.AddAVPWithName("Acct-Delay-Time", "0", ""); err != nil {
--- a/config/navigablemap.go
+++ b/config/navigablemap.go
@@ -665,3 +665,9 @@ func (nM *NavigableMap) Remove(path []string) {
 		mp = oData.(map[string]interface{}) // so we can check further down
 	}
 }
+
+// RemoveAll will clean the data and the odrder from NavigableMap
+func (nM *NavigableMap) RemoveAll() {
+	nM.data = make(map[string]interface{})
+	nM.order = make([][]string, 0)
+}
--- a/data/conf/samples/dispatchers/radagent/cgrates.json
+++ b/data/conf/samples/dispatchers/radagent/cgrates.json
@@ -58,13 +58,12 @@
 		{
 			"id": "KamailioAuth",
 			"filters": ["*string:~*vars.*radReqType:*radAuth"],
-			"flags": ["*auth", "*accounts","*dispatchers"],
+			"flags": ["*auth", "*attributes", "*accounts", "*continue"],
 			"request_fields":[
 				{"tag": "Category", "path": "*cgreq.Category", "type": "*constant", "value": "call"},
-				// {"tag": "*api_key", "path": "*api_key", "type": "*constant", "value": "ses12345"},
 				{"tag": "RequestType", "path": "*cgreq.RequestType", "type": "*constant",
-					"value": "*prepaid", "mandatory": true},	
-				{"tag": "OriginID", "path": "*cgreq.OriginID", "type": "*variable",
+					"value": "*prepaid", "mandatory": true},
+				{"tag": "OriginID", "path": "*cgreq.OriginID", "type": "*composed",
 					"value": "~*req.Acct-Session-Id;-;~*req.Sip-From-Tag", "mandatory": true},
 				{"tag": "Account", "path": "*cgreq.Account", "type": "*variable",
 					"value": "~*req.User-Name", "mandatory": true},
@@ -76,28 +75,44 @@
 					"value": "~*req.Event-Timestamp", "mandatory": true},
 				{"tag": "AnswerTime", "path": "*cgreq.AnswerTime", "type": "*variable",
 					"value": "~*req.Event-Timestamp", "mandatory": true},
+				{"tag": "PasswordFromAttributes", "path": "*cgreq.PasswordFromAttributes", "type": "*constant",
+					"value": "*attributes"}
 			],
 			"reply_fields":[
 				{"tag": "MaxUsage", "path": "*rep.SIP-AVP", "type": "*variable",
 					"value": "session_max_time#;~*cgrep.MaxUsage{*duration_seconds}", "mandatory": true},
 			],
 		},
+		{
+			"id": "RadiusPAPAuth",
+			"filters": ["*string:~*vars.*radReqType:*radAuth","*exists:~*req.User-Password:"],
+			"flags": ["*radauth", "*log"],
+			"request_fields":[
+				{"tag": "UserPassword", "path": "*vars.UserPassword", "type": "*variable",
+					"value": "~*cgrep.Attributes.PasswordFromAttributes"},
+			],
+			"reply_fields":[
+				{"filters": ["*empty:~*cgrep.Error:"], "type": "*none", "blocker": true},
+				{"filters": ["*notempty:~*cgrep.Error:"], "type": "*removeall", "path": "*rep"},
+				{"tag": "Code", "path": "*rep.*radReplyCode", "type": "*constant", "value": "AccessReject"},
+				{"tag": "ReplyMessage", "path": "*rep.Reply-Message", "type": "*variable", "value": "~*cgrep.Error"}
+			]
+		},
 		{
 			"id": "KamailioAccountingStart",
 			"filters": ["*string:~*req.Acct-Status-Type:Start"],
-			"flags": ["*initiate", "*attributes", "*resources", "*accounts","*dispatchers"],
-			"request_fields":[	
+			"flags": ["*initiate", "*attributes", "*resources", "*accounts"],
+			"request_fields":[
 				{"tag": "Category", "path": "*cgreq.Category", "type": "*constant", "value": "call"},
-				// {"tag": "*api_key", "path": "*api_key", "type": "*constant", "value": "ses12345"},
 				{"tag": "RequestType", "path": "*cgreq.RequestType", "type": "*constant",
-					"value": "*prepaid", "mandatory": true},	
-				{"tag": "OriginID", "path": "*cgreq.OriginID", "type": "*variable",
+					"value": "*prepaid", "mandatory": true},
+				{"tag": "OriginID", "path": "*cgreq.OriginID", "type": "*composed",
 					"value": "~*req.Acct-Session-Id;-;~*req.Sip-From-Tag;-;~*req.Sip-To-Tag", "mandatory": true},
 				{"tag": "OriginHost", "path": "*cgreq.OriginHost", "type": "*variable",
 					"value": "~*req.NAS-IP-Address", "mandatory": true},
 				{"tag": "Account", "path": "*cgreq.Account", "type": "*variable",
 					"value": "~*req.User-Name", "mandatory": true},
-				{"tag": "Subject", "path": "*cgreq.Subject", "type": "*variable",
+				{"tag": "Subject", "path": "*cgreq.Subject", "type": "*composed",
 					"value": "~*req.User-Name", "mandatory": true},
 				{"tag": "Destination", "path": "*cgreq.Destination", "type": "*variable",
 					"value": "~*req.Called-Station-Id", "mandatory": true},
@@ -112,19 +127,18 @@
 		{
 			"id": "KamailioAccountingStop",
 			"filters": ["*string:~*req.Acct-Status-Type:Stop"],
-			"flags": ["*terminate", "*resources", "*accounts", "*cdrs","*dispatchers"],
-			"request_fields":[	
+			"flags": ["*terminate", "*resources", "*accounts", "*cdrs"],
+			"request_fields":[
 				{"tag": "Category", "path": "*cgreq.Category", "type": "*constant", "value": "call"},
-				// {"tag": "*api_key", "path": "*api_key", "type": "*constant", "value": "ses12345"},
 				{"tag": "RequestType", "path": "*cgreq.RequestType", "type": "*constant",
-					"value": "*prepaid", "mandatory": true},	
-				{"tag": "OriginID", "path": "*cgreq.OriginID", "type": "*variable",
+					"value": "*prepaid", "mandatory": true},
+				{"tag": "OriginID", "path": "*cgreq.OriginID", "type": "*composed",
 					"value": "~*req.Acct-Session-Id;-;~*req.Sip-From-Tag;-;~*req.Sip-To-Tag", "mandatory": true},
 				{"tag": "OriginHost", "path": "*cgreq.OriginHost", "type": "*variable",
 					"value": "~*req.NAS-IP-Address", "mandatory": true},
 				{"tag": "Account", "path": "*cgreq.Account", "type": "*variable",
 					"value": "~*req.User-Name", "mandatory": true},
-				{"tag": "Subject", "path": "*cgreq.Subject", "type": "*variable",
+				{"tag": "Subject", "path": "*cgreq.Subject", "type": "*composed",
 					"value": "~*req.User-Name", "mandatory": true},
 				{"tag": "Destination", "path": "*cgreq.Destination", "type": "*variable",
 					"value": "~*req.Called-Station-Id", "mandatory": true},
@@ -138,7 +152,6 @@
 			],
 			"reply_fields":[],
 		},
-		
 	],

 },
--- a/data/conf/samples/radagent_internal/cgrates.json
+++ b/data/conf/samples/radagent_internal/cgrates.json
@@ -70,7 +70,7 @@
 		{
 			"id": "KamailioAuth",
 			"filters": ["*string:~*vars.*radReqType:*radAuth"],
-			"flags": ["*auth", "*attributes", "*accounts", "*continue", "*log"],
+			"flags": ["*auth", "*attributes", "*accounts", "*continue"],
 			"request_fields":[
 				{"tag": "Category", "path": "*cgreq.Category", "type": "*constant", "value": "call"},
 				{"tag": "RequestType", "path": "*cgreq.RequestType", "type": "*constant",
--- a/data/conf/samples/radagent_internal_gob/cgrates.json
+++ b/data/conf/samples/radagent_internal_gob/cgrates.json
@@ -78,7 +78,7 @@
 		{
 			"id": "KamailioAuth",
 			"filters": ["*string:~*vars.*radReqType:*radAuth"],
-			"flags": ["*auth", "*accounts"],
+			"flags": ["*auth", "*attributes", "*accounts", "*continue"],
 			"request_fields":[
 				{"tag": "Category", "path": "*cgreq.Category", "type": "*constant", "value": "call"},
 				{"tag": "RequestType", "path": "*cgreq.RequestType", "type": "*constant",
@@ -95,12 +95,29 @@
 					"value": "~*req.Event-Timestamp", "mandatory": true},
 				{"tag": "AnswerTime", "path": "*cgreq.AnswerTime", "type": "*variable",
 					"value": "~*req.Event-Timestamp", "mandatory": true},
+				{"tag": "PasswordFromAttributes", "path": "*cgreq.PasswordFromAttributes", "type": "*constant",
+					"value": "*attributes"}
 			],
 			"reply_fields":[
 				{"tag": "MaxUsage", "path": "*rep.SIP-AVP", "type": "*variable",
 					"value": "session_max_time#;~*cgrep.MaxUsage{*duration_seconds}", "mandatory": true},
 			],
 		},
+		{
+			"id": "RadiusPAPAuth",
+			"filters": ["*string:~*vars.*radReqType:*radAuth","*exists:~*req.User-Password:"],
+			"flags": ["*radauth", "*log"],
+			"request_fields":[
+				{"tag": "UserPassword", "path": "*vars.UserPassword", "type": "*variable",
+					"value": "~*cgrep.Attributes.PasswordFromAttributes"},
+			],
+			"reply_fields":[
+				{"filters": ["*empty:~*cgrep.Error:"], "type": "*none", "blocker": true},
+				{"filters": ["*notempty:~*cgrep.Error:"], "type": "*removeall", "path": "*rep"},
+				{"tag": "Code", "path": "*rep.*radReplyCode", "type": "*constant", "value": "AccessReject"},
+				{"tag": "ReplyMessage", "path": "*rep.Reply-Message", "type": "*variable", "value": "~*cgrep.Error"}
+			]
+		},
 		{
 			"id": "KamailioAccountingStart",
 			"filters": ["*string:~*req.Acct-Status-Type:Start"],
@@ -154,7 +171,7 @@
 				{"tag": "RemoteAddr" , "path": "*cgreq.RemoteAddr", "type": "*remote_host"},
 			],
 			"reply_fields":[],
-		},
+		}
 	]
 },

--- a/data/conf/samples/radagent_mongo/cgrates.json
+++ b/data/conf/samples/radagent_mongo/cgrates.json
@@ -73,7 +73,7 @@
 		{
 			"id": "KamailioAuth",
 			"filters": ["*string:~*vars.*radReqType:*radAuth"],
-			"flags": ["*auth", "*accounts"],
+			"flags": ["*auth", "*attributes", "*accounts", "*continue"],
 			"request_fields":[
 				{"tag": "Category", "path": "*cgreq.Category", "type": "*constant", "value": "call"},
 				{"tag": "RequestType", "path": "*cgreq.RequestType", "type": "*constant",
@@ -90,12 +90,29 @@
 					"value": "~*req.Event-Timestamp", "mandatory": true},
 				{"tag": "AnswerTime", "path": "*cgreq.AnswerTime", "type": "*variable",
 					"value": "~*req.Event-Timestamp", "mandatory": true},
+				{"tag": "PasswordFromAttributes", "path": "*cgreq.PasswordFromAttributes", "type": "*constant",
+					"value": "*attributes"}
 			],
 			"reply_fields":[
 				{"tag": "MaxUsage", "path": "*rep.SIP-AVP", "type": "*variable",
 					"value": "session_max_time#;~*cgrep.MaxUsage{*duration_seconds}", "mandatory": true},
 			],
 		},
+		{
+			"id": "RadiusPAPAuth",
+			"filters": ["*string:~*vars.*radReqType:*radAuth","*exists:~*req.User-Password:"],
+			"flags": ["*radauth", "*log"],
+			"request_fields":[
+				{"tag": "UserPassword", "path": "*vars.UserPassword", "type": "*variable",
+					"value": "~*cgrep.Attributes.PasswordFromAttributes"},
+			],
+			"reply_fields":[
+				{"filters": ["*empty:~*cgrep.Error:"], "type": "*none", "blocker": true},
+				{"filters": ["*notempty:~*cgrep.Error:"], "type": "*removeall", "path": "*rep"},
+				{"tag": "Code", "path": "*rep.*radReplyCode", "type": "*constant", "value": "AccessReject"},
+				{"tag": "ReplyMessage", "path": "*rep.Reply-Message", "type": "*variable", "value": "~*cgrep.Error"}
+			]
+		},
 		{
 			"id": "KamailioAccountingStart",
 			"filters": ["*string:~*req.Acct-Status-Type:Start"],
@@ -149,7 +166,7 @@
 				{"tag": "RemoteAddr" , "path": "*cgreq.RemoteAddr", "type": "*remote_host"},
 			],
 			"reply_fields":[],
-		},
+		}
 	]
 },

--- a/data/conf/samples/radagent_mongo_gob/cgrates.json
+++ b/data/conf/samples/radagent_mongo_gob/cgrates.json
@@ -81,7 +81,7 @@
 		{
 			"id": "KamailioAuth",
 			"filters": ["*string:~*vars.*radReqType:*radAuth"],
-			"flags": ["*auth", "*accounts"],
+			"flags": ["*auth", "*attributes", "*accounts", "*continue"],
 			"request_fields":[
 				{"tag": "Category", "path": "*cgreq.Category", "type": "*constant", "value": "call"},
 				{"tag": "RequestType", "path": "*cgreq.RequestType", "type": "*constant",
@@ -98,12 +98,29 @@
 					"value": "~*req.Event-Timestamp", "mandatory": true},
 				{"tag": "AnswerTime", "path": "*cgreq.AnswerTime", "type": "*variable",
 					"value": "~*req.Event-Timestamp", "mandatory": true},
+				{"tag": "PasswordFromAttributes", "path": "*cgreq.PasswordFromAttributes", "type": "*constant",
+					"value": "*attributes"}
 			],
 			"reply_fields":[
 				{"tag": "MaxUsage", "path": "*rep.SIP-AVP", "type": "*variable",
 					"value": "session_max_time#;~*cgrep.MaxUsage{*duration_seconds}", "mandatory": true},
 			],
 		},
+		{
+			"id": "RadiusPAPAuth",
+			"filters": ["*string:~*vars.*radReqType:*radAuth","*exists:~*req.User-Password:"],
+			"flags": ["*radauth", "*log"],
+			"request_fields":[
+				{"tag": "UserPassword", "path": "*vars.UserPassword", "type": "*variable",
+					"value": "~*cgrep.Attributes.PasswordFromAttributes"},
+			],
+			"reply_fields":[
+				{"filters": ["*empty:~*cgrep.Error:"], "type": "*none", "blocker": true},
+				{"filters": ["*notempty:~*cgrep.Error:"], "type": "*removeall", "path": "*rep"},
+				{"tag": "Code", "path": "*rep.*radReplyCode", "type": "*constant", "value": "AccessReject"},
+				{"tag": "ReplyMessage", "path": "*rep.Reply-Message", "type": "*variable", "value": "~*cgrep.Error"}
+			]
+		},
 		{
 			"id": "KamailioAccountingStart",
 			"filters": ["*string:~*req.Acct-Status-Type:Start"],
@@ -157,7 +174,7 @@
 				{"tag": "RemoteAddr" , "path": "*cgreq.RemoteAddr", "type": "*remote_host"},
 			],
 			"reply_fields":[],
-		},
+		}
 	]
 },

--- a/data/conf/samples/radagent_mysql/cgrates.json
+++ b/data/conf/samples/radagent_mysql/cgrates.json
@@ -69,7 +69,7 @@
 		{
 			"id": "KamailioAuth",
 			"filters": ["*string:~*vars.*radReqType:*radAuth"],
-			"flags": ["*auth", "*accounts"],
+			"flags": ["*auth", "*attributes", "*accounts", "*continue"],
 			"request_fields":[
 				{"tag": "Category", "path": "*cgreq.Category", "type": "*constant", "value": "call"},
 				{"tag": "RequestType", "path": "*cgreq.RequestType", "type": "*constant",
@@ -86,12 +86,29 @@
 					"value": "~*req.Event-Timestamp", "mandatory": true},
 				{"tag": "AnswerTime", "path": "*cgreq.AnswerTime", "type": "*variable",
 					"value": "~*req.Event-Timestamp", "mandatory": true},
+				{"tag": "PasswordFromAttributes", "path": "*cgreq.PasswordFromAttributes", "type": "*constant",
+					"value": "*attributes"}
 			],
 			"reply_fields":[
 				{"tag": "MaxUsage", "path": "*rep.SIP-AVP", "type": "*variable",
 					"value": "session_max_time#;~*cgrep.MaxUsage{*duration_seconds}", "mandatory": true},
 			],
 		},
+		{
+			"id": "RadiusPAPAuth",
+			"filters": ["*string:~*vars.*radReqType:*radAuth","*exists:~*req.User-Password:"],
+			"flags": ["*radauth", "*log"],
+			"request_fields":[
+				{"tag": "UserPassword", "path": "*vars.UserPassword", "type": "*variable",
+					"value": "~*cgrep.Attributes.PasswordFromAttributes"},
+			],
+			"reply_fields":[
+				{"filters": ["*empty:~*cgrep.Error:"], "type": "*none", "blocker": true},
+				{"filters": ["*notempty:~*cgrep.Error:"], "type": "*removeall", "path": "*rep"},
+				{"tag": "Code", "path": "*rep.*radReplyCode", "type": "*constant", "value": "AccessReject"},
+				{"tag": "ReplyMessage", "path": "*rep.Reply-Message", "type": "*variable", "value": "~*cgrep.Error"}
+			]
+		},
 		{
 			"id": "KamailioAccountingStart",
 			"filters": ["*string:~*req.Acct-Status-Type:Start"],
@@ -145,7 +162,7 @@
 				{"tag": "RemoteAddr" , "path": "*cgreq.RemoteAddr", "type": "*remote_host"},
 			],
 			"reply_fields":[],
-		},
+		}
 	]
 },

--- a/data/conf/samples/radagent_mysql_gob/cgrates.json
+++ b/data/conf/samples/radagent_mysql_gob/cgrates.json
@@ -76,7 +76,7 @@
 		{
 			"id": "KamailioAuth",
 			"filters": ["*string:~*vars.*radReqType:*radAuth"],
-			"flags": ["*auth", "*accounts"],
+			"flags": ["*auth", "*attributes", "*accounts", "*continue"],
 			"request_fields":[
 				{"tag": "Category", "path": "*cgreq.Category", "type": "*constant", "value": "call"},
 				{"tag": "RequestType", "path": "*cgreq.RequestType", "type": "*constant",
@@ -93,12 +93,29 @@
 					"value": "~*req.Event-Timestamp", "mandatory": true},
 				{"tag": "AnswerTime", "path": "*cgreq.AnswerTime", "type": "*variable",
 					"value": "~*req.Event-Timestamp", "mandatory": true},
+				{"tag": "PasswordFromAttributes", "path": "*cgreq.PasswordFromAttributes", "type": "*constant",
+					"value": "*attributes"}
 			],
 			"reply_fields":[
 				{"tag": "MaxUsage", "path": "*rep.SIP-AVP", "type": "*variable",
 					"value": "session_max_time#;~*cgrep.MaxUsage{*duration_seconds}", "mandatory": true},
 			],
 		},
+		{
+			"id": "RadiusPAPAuth",
+			"filters": ["*string:~*vars.*radReqType:*radAuth","*exists:~*req.User-Password:"],
+			"flags": ["*radauth", "*log"],
+			"request_fields":[
+				{"tag": "UserPassword", "path": "*vars.UserPassword", "type": "*variable",
+					"value": "~*cgrep.Attributes.PasswordFromAttributes"},
+			],
+			"reply_fields":[
+				{"filters": ["*empty:~*cgrep.Error:"], "type": "*none", "blocker": true},
+				{"filters": ["*notempty:~*cgrep.Error:"], "type": "*removeall", "path": "*rep"},
+				{"tag": "Code", "path": "*rep.*radReplyCode", "type": "*constant", "value": "AccessReject"},
+				{"tag": "ReplyMessage", "path": "*rep.Reply-Message", "type": "*variable", "value": "~*cgrep.Error"}
+			]
+		},
 		{
 			"id": "KamailioAccountingStart",
 			"filters": ["*string:~*req.Acct-Status-Type:Start"],
@@ -152,7 +169,7 @@
 				{"tag": "RemoteAddr" , "path": "*cgreq.RemoteAddr", "type": "*remote_host"},
 			],
 			"reply_fields":[],
-		},
+		}
 	]
 },

--- a/data/tariffplans/oldtutorial/Attributes.csv
+++ b/data/tariffplans/oldtutorial/Attributes.csv
@@ -1,4 +1,4 @@
 #Tenant,ID,Contexts,FilterIDs,ActivationInterval,AttributeFilterIDs,Path,Type,Value,Blocker,Weight
 cgrates.org,ATTR_1,*sessions;*cdrs,*string:~*req.Account:1007,2014-01-14T00:00:00Z,,*req.Account,*constant,1001,false,10
 cgrates.org,ATTR_1,,,,,*req.Subject,*constant,1001,,
-cgrates.org,ATTR_PASS,*sessions,*string:~*req.Account:1001,,,*req.PasswordFromAttributes,*constant,CGRateS.org,false,10
+cgrates.org,ATTR_PASS,*sessions,*string:~*req.Account:1001,,,*req.PasswordFromAttributes,*constant,CGRateSPassword1,false,10
--- a/go.mod
+++ b/go.mod
@@ -22,7 +22,7 @@ require (
 	github.com/cgrates/fsock v0.0.0-20190623100231-317895b42f1a
 	github.com/cgrates/kamevapi v0.0.0-20191001125829-7dbc3ad58817
 	github.com/cgrates/ltcache v0.0.0-20181016092649-92fb7fa77cca
-	github.com/cgrates/radigo v0.0.0-20200309151443-bb470a5a5c8d
+	github.com/cgrates/radigo v0.0.0-20200318092814-07da25249ae6
 	github.com/cgrates/rpcclient v0.0.0-20200107134035-188454eb71b3
 	github.com/creack/pty v1.1.7
 	github.com/fiorix/go-diameter v3.0.3-0.20190716165154-f4823472d0e0+incompatible
--- a/go.sum
+++ b/go.sum
@@ -73,6 +73,8 @@ github.com/cgrates/radigo v0.0.0-20200306160903-17b28bb0e1bb h1:LnoYQFohxLduxNFZ
 github.com/cgrates/radigo v0.0.0-20200306160903-17b28bb0e1bb/go.mod h1:mTCzHAYfgZlRe0HorDz+jy2JTrNvNuKkHBAUjDZBWq8=
 github.com/cgrates/radigo v0.0.0-20200309151443-bb470a5a5c8d h1:4dDI8QG+rkQTNWwsRmeAQWLaofRvVRd3JgG/h4o9VG0=
 github.com/cgrates/radigo v0.0.0-20200309151443-bb470a5a5c8d/go.mod h1:mTCzHAYfgZlRe0HorDz+jy2JTrNvNuKkHBAUjDZBWq8=
+github.com/cgrates/radigo v0.0.0-20200318092814-07da25249ae6 h1:NLRfnSh1TGtCrgxVnpaSOEiwprmf/sQ+aOTM1kiEvaE=
+github.com/cgrates/radigo v0.0.0-20200318092814-07da25249ae6/go.mod h1:mTCzHAYfgZlRe0HorDz+jy2JTrNvNuKkHBAUjDZBWq8=
 github.com/cgrates/rpcclient v0.0.0-20190505150825-8fcc68b2c38b h1:GC+/hEDN/2Frh8Tjkf7u1XFxj0Z2XtwjBxj0OH6Mzhw=
 github.com/cgrates/rpcclient v0.0.0-20190505150825-8fcc68b2c38b/go.mod h1:Jy5Lv0y57OlxlNATKrkyAxgftYLHqXuxONgd4qsAC1U=
 github.com/cgrates/rpcclient v0.0.0-20191115092211-732f09b356e3 h1:Hr038ZfPZz87OKLV4pRSzf3U06lZ8zjl/cXpwrv7hCM=
--- a/utils/consts.go
+++ b/utils/consts.go
@@ -709,8 +709,6 @@ const (
 	FileName                  = "FileName"
 	MetaRadauth               = "*radauth"
 	UserPassword              = "UserPassword"
-	RadiusPassword            = "RadiusPassword"
-	CHAPPassword              = "CHAP-Password"
 )

 // Migrator Action