[Openh323gk-users] Calling Party Number Authentication - Walkthru

Hi List,

Well, I got this working, so I thought I would write a quick "Walkthru" of
what I did to get there.
Others will undoubtedly want to do things slightly differently, but I hope
this is useful to other gnugk semi-newbies.
I've masked some of the IPs below, probably unnecessarily, but hey!

Mark

Calling Party Number Authentication
====================================

1) Setup - This can be done by using the RadAliasAuth authentication module
   in the gnugk.ini file.
   The setup below not only matches the calling party number, but ensures
   that it comes from a registered Endpoint (in this case a Lucent TNT
   Gateway). This is important, as it is very easy to fake a
   Calling-Party-ID if you have full control of an Endpoint configuration.
   I have gnugk and radius running on the same machine.

2) Edit /etc/gnugk.ini

[Gatekeeper::Auth]
AliasAuth=required;RRQ
# For AliasAuth the pattern is defined in [RasSrv::RRQAuth] section.
RadAliasAuth=sufficient;ARQ

[RadAliasAuth]
Servers=202.89.x.y:1812
LocalInterface=202.89.x.z
RadiusPortRange=10000-11000
DefaultAuthPort=1812
SharedSecret=testing123
RequestTimeout=2000
IdCacheTimeout=9000
SocketDeleteTimeout=60000
RequestRetransmissions=2
RoundRobinServers=1
AppendCiscoAttributes=0
IncludeEndpointIP=1

[RasSrv::RRQAuth]
testtnt=sigip:202.89.xx.xx:1720
default=reject

[RasSrv::RewriteE164]
0540=0

[RoutedMode]
GKRouted=1
H245Routed=1

3) Edit the radius server (in this case cistron) config files. Add an entry
   for each Calling Party Number that you want to allow from a given gateway.

fnord$ vi users
    testtnt Password = "testtnt", Calling-Station-Id = "99149244"

    testtnt Password = "testtnt", Calling-Station-Id = "99160300"

Note: These entries need a blank line between them. We are not sending back
any attributes for each entry, so the blank line acts as an "end of
attributes" delimiter.

Calling-Station-Id is the original Calling Party Number and is mapped into
Calling-Station-Id from the srcInfo 'token'(?) in the admission request that
is sent from the Endpoint (Gateway).

e.g.
admissionRequest {
    ...
    destinationInfo = 1 entries {
      [0]=dialedDigits "054093681030"
    }
    srcInfo = 1 entries {
      [0]=dialedDigits "99160300"
    }
    ...
}

fnord$ vi clients
# Client Name           Key
#----------------       ----------
#portmaster1.isp.com    testing123
#portmaster2.isp.com    testing123
#proxyradius.isp2.com   TheirKey
localhost               testing123
202.89.x.z            testing123

fnord$ vi naslist
# NAS Name              Short Name      Type
#----------------       ----------      ----
#portmaster1.isp.com    pm1.NY          livingston
#portmaster2.isp.com    pm1.LA          livingston
localhost               local           portslave
202.89.x.z            fnord           portslave

4) To test Authentication, start radius in debug mode.

root@fnord:$ /usr/local/sbin/radiusd -xxxxx
Starting - reading configuration files ...
Ready to process requests.

When 054093681030 is dialled from 99160300, gnugk will pass the following
radius request to the radius server. The call is authenticated using the
Calling-Station-Id in the users file.
Two records appear, one for the admission, and one for the call setup.

Below is the debug output from the radius server.

radrecv: Packet from host 202.89.130.5 code=1, id=110, length=92
    User-Name = "testtnt"
    Password = "\255\362\340Dt\331\204A\002P\032\364\376p\343I"
    NAS-IP-Address = 202.89.x.z
    NAS-Port-Type = Virtual
    Service-Type = Login-User
    Framed-IP-Address = 202.89.xx.xx
    Calling-Station-Id = "99160300"
    Called-Station-Id = "093681030"
  users: Matched testtnt at line 44
  auth: Local
Sending Ack of id 110 to 202.89.x.z
radrecv: Packet from host 202.89.x.z code=1, id=111, length=92
    User-Name = "testtnt"
    Password = "+\210\271[\244(k\353\033\313\33C\016\312\010"
    NAS-IP-Address = 202.89.x.z
    NAS-Port-Type = Virtual
    Service-Type = Call-Check
    Framed-IP-Address = 202.89.x.z
    Calling-Station-Id = "99160300"
    Called-Station-Id = "093681030"
  users: Matched testtnt at line 44
  auth: Local
Sending Ack of id 111 to 202.89.x.z

5) Authentication successful and call completed! The end.

6) Now all I need is for gnugk.ini to honour "Failed" Radius Authentication
   requests such as entries like this in the 'users' file.

DEFAULT Password = "testtnt"
        Called-Station-Id = 099146000

This 'users' entry has the Calling-Station-Id missing as a required auth field.
099146000 could be our customer services number or an IVR platform.

Hope to see this in 2.0.6 ?!
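
Added example (not part of the original post, and not gnugk or cistron code): a simplified Python model of the two checks this setup combines, the [RasSrv::RRQAuth] registration rule and the 'users' check items from step 3. The address 192.0.2.10, the function names and the assumption that the alias is also sent as the password are illustrative.

```python
import re

# Constructed sample: the two 'users' entries from step 3.
USERS_FILE = '''\
testtnt Password = "testtnt", Calling-Station-Id = "99149244"

testtnt Password = "testtnt", Calling-Station-Id = "99160300"
'''
# Constructed stand-in for the [RasSrv::RRQAuth] rule; 192.0.2.10 is a placeholder IP.
RRQ_RULES = {"testtnt": "sigip:192.0.2.10:1720"}

PAIR = re.compile(r'([\w-]+)\s*=\s*"?([^",]*)"?')

def parse_users(text):
    """Return [(user, {check_item: value})], one per non-indented entry line.
    Simplified: indented reply-item lines, comments and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line[0] in " \t#":
            continue
        parts = line.split(None, 1)
        items = parts[1] if len(parts) > 1 else ""
        entries.append((parts[0], dict(PAIR.findall(items))))
    return entries

def radius_accepts(entries, request):
    """Accept if any entry for this user has every check item equal to the request."""
    return any(
        user == request.get("User-Name")
        and all(request.get(k) == v for k, v in checks.items())
        for user, checks in entries
    )

def registration_ok(alias, sig_addr):
    """Model of default=reject: an alias registers only from its listed address."""
    return RRQ_RULES.get(alias) == "sigip:" + sig_addr

def call_allowed(entries, alias, sig_addr, calling):
    """Both stages must pass: registered gateway, then calling number known to RADIUS."""
    # Assumption: the alias is used as both User-Name and Password.
    request = {"User-Name": alias, "Password": alias, "Calling-Station-Id": calling}
    return registration_ok(alias, sig_addr) and radius_accepts(entries, request)

ENTRIES = parse_users(USERS_FILE)

if __name__ == "__main__":
    for sig, num in [("192.0.2.10:1720", "99160300"),     # listed number, registered gateway
                     ("192.0.2.10:1720", "99999999"),     # number not in 'users'
                     ("198.51.100.7:1720", "99160300")]:  # listed number, other endpoint
        print(sig, num, call_allowed(ENTRIES, "testtnt", sig, num))
```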


