diff --git a/doc/manuals/vty/sgsn_vty_reference.xml b/doc/manuals/vty/sgsn_vty_reference.xml index ed117778e..e9cd32241 100644 --- a/doc/manuals/vty/sgsn_vty_reference.xml +++ b/doc/manuals/vty/sgsn_vty_reference.xml @@ -2232,9 +2232,9 @@ - - - + + + diff --git a/include/osmocom/sgsn/sgsn.h b/include/osmocom/sgsn/sgsn.h index c80355dba..0a6ea29ea 100644 --- a/include/osmocom/sgsn/sgsn.h +++ b/include/osmocom/sgsn/sgsn.h @@ -78,7 +78,9 @@ struct sgsn_config { struct sockaddr_in gsup_server_addr; int gsup_server_port; + /* Only meaningful if auth_policy is SGSN_AUTH_POLICY_REMOTE */ int require_authentication; + int require_update_location; /* CDR configuration */ diff --git a/src/gprs/gprs_sgsn.c b/src/gprs/gprs_sgsn.c index f725811d0..58011078d 100644 --- a/src/gprs/gprs_sgsn.c +++ b/src/gprs/gprs_sgsn.c @@ -987,6 +987,7 @@ struct sgsn_instance *sgsn_instance_alloc(void *talloc_ctx) inst = talloc_zero(talloc_ctx, struct sgsn_instance); inst->cfg.gtp_statedir = talloc_strdup(inst, "./"); inst->cfg.auth_policy = SGSN_AUTH_POLICY_CLOSED; + inst->cfg.require_authentication = true; /* only applies if auth_policy is REMOTE */ inst->cfg.gsup_server_port = OSMO_GSUP_PORT; return inst; } diff --git a/src/gprs/sgsn_vty.c b/src/gprs/sgsn_vty.c index 29c97718e..edc5b09f9 100644 --- a/src/gprs/sgsn_vty.c +++ b/src/gprs/sgsn_vty.c @@ -211,8 +211,8 @@ static int config_write_sgsn(struct vty *vty) if (g_cfg->gsup_server_port) vty_out(vty, " gsup remote-port %d%s", g_cfg->gsup_server_port, VTY_NEWLINE); - vty_out(vty, " authentication %s%s", - g_cfg->require_authentication ? "required" : "optional", VTY_NEWLINE); + if (g_cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE && !g_cfg->require_authentication) + vty_out(vty, " authentication optional%s", VTY_NEWLINE); vty_out(vty, " auth-policy %s%s", get_value_string(sgsn_auth_pol_strs, g_cfg->auth_policy), VTY_NEWLINE); 
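Review bot: The new default in sgsn_instance_alloc() sets `require_authentication` for every auth policy, and with the reset in cfg_auth_policy also removed (sgsn_vty.c, hunk at -730) the flag now stays set under non-remote policies, so every reader of it must test `auth_policy` as well. No reader of the flag is visible in this diff, so this could not be checked here; a reader that tests only `require_authentication` would presumably start an authentication that cannot complete without an HLR. One accessor would keep the rule in a single place, e.g. `static inline bool sgsn_auth_required(const struct sgsn_config *cfg) { return cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE && cfg->require_authentication; }`. The field is declared `int` in sgsn.h, so assigning `1`, or changing the field to `bool`, would make the declaration and this assignment agree.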
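Review bot: In config_write_sgsn() the `authentication` line is now written only when the value is `optional`, so a saved config with `auth-policy remote` depends on the compiled-in default to keep authentication enforced. If that default changes in a later release, the same file silently stops requiring authentication. Writing the value whenever the policy is remote avoids this: `if (g_cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE)` followed by the previous `vty_out(vty, " authentication %s%s", g_cfg->require_authentication ? "required" : "optional", VTY_NEWLINE);`. This assumes `authentication required` is accepted when read from a file before the `auth-policy` line; the handler body is outside this diff, so confirm that or emit the line after `auth-policy`. config_write_sgsn() starts and ends outside the hunk.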
@@ -697,9 +697,9 @@ DEFUN(cfg_encrypt, cfg_encrypt_cmd, DEFUN(cfg_authentication, cfg_authentication_cmd, "authentication (optional|required)", - "Whether to enforce MS authentication in GERAN\n" - "Allow MS to attach via GERAN without authentication\n" - "Always require authentication\n") + "Whether to enforce MS authentication in GERAN (only with auth-policy remote)\n" + "Allow MS to attach via GERAN without authentication (default and only possible value for non-remote auth-policy)\n" + "Always require authentication (only available for auth-policy remote, default with that auth-policy)\n") { int required = (argv[0][0] == 'r'); @@ -730,10 +730,6 @@ DEFUN(cfg_auth_policy, cfg_auth_policy_cmd, g_cfg->auth_policy = val; g_cfg->require_update_location = (val == SGSN_AUTH_POLICY_REMOTE); - /* Authentication is not possible without HLR */ - if (val != SGSN_AUTH_POLICY_REMOTE) - g_cfg->require_authentication = 0; - return CMD_SUCCESS; } @@ -1489,14 +1485,6 @@ int sgsn_parse_config(const char *config_file) return rc; } - if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE - && g_cfg->require_authentication) { - fprintf(stderr, "Configuration error:" - " authentication is not possible without HLR." - " Consider setting 'auth-policy' to 'remote'\n"); - return -EINVAL; - } - if (g_cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE && !(g_cfg->gsup_server_addr.sin_addr.s_addr && g_cfg->gsup_server_port)) {
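Review bot: The new help text for `authentication required` says it is only available with auth-policy remote, but nothing visible in this commit enforces or reports that for a config file. The startup check in sgsn_parse_config() is removed (hunk at -1489) and the default is now `true`, so an explicit `authentication required` under a non-remote auth-policy can no longer be told apart from the default. An operator who writes that combination gets a running SGSN that does not authenticate and prints no diagnostic. The body of cfg_authentication lies outside this hunk and may already cover this; if it does not, recording that the command was given explicitly (for example a separate flag set in the handler) would let sgsn_parse_config() keep a warning for exactly that case.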