[Openh323gk-users] RADIUS + Child Gatekeepers

Hi,

I've configured gnugk talking to my RADIUS daemon (xtradius), and clients connecting directly to the gatekeeper are successfully authorised.

My RADIUS daemon is configured with a list of users which are e164 numbers, so the default choice for the User-Name RADIUS field was unsuitable, so I made a small addition to send Calling-Station-Id in the Login-Check request, which picks e_dialedDigits over other fields. I'm not sure if this is the most desirable way to do this, but I've attached the patch to radauth.cxx to this message.

The problem I have right now is that I need to have some child gatekeepers talking to this gatekeeper. On the child gatekeeper, I've configured the [Endpoint] section like this:

[Endpoint]
Gatekeeper=192.168.xx.xx
Type=Gateway
H323ID=ProxyGK
E164=188600
Password=test123
Prefix=1886
TimeToLive=900
RRQRetryInterval=10
ARQTimeout=2

But when the child gatekeeper attempts to connect, it sends a registration request that seems to contain a cryptoToken (trace of RRQ below), but the parent gatekeeper says there's no m_tokens and the request never hits the RADIUS server:

2003/08/24 09:49:42.606 1 RasSrv.cxx(927) GK RRQ Received
2003/08/24 09:49:42.607 3 radauth.cxx(465) RADAUTH RRQ Auth failed - no m_tokens
2003/08/24 09:49:42.607 2 gkauth.h(88) GkAuth RadAuth check failed
2003/08/24 09:49:42.607 2 RasSrv.cxx(1182) RRJ|192.168.xx.xx|ProxyGK:<1>=188600:<0>|gateway,gatekeeper|<11>;


And here's the registration request, which results in a securityDenial from the parent gk:

registrationRequest {
requestSeqNum = 1
protocolIdentifier = 0.0.8.2250.0.2
discoveryComplete = FALSE
callSignalAddress = 1 entries {
[0]=ipAddress {
ip = 4 octets {
c0 a8 0a 01 ....
}
port = 1721
}
}
rasAddress = 1 entries {
[0]=ipAddress {
ip = 4 octets {
c0 a8 0a 01 ....
}
port = 1719
}
}
terminalType = {
gatekeeper = {
}
gateway = {
protocol = 1 entries {
[0]=voice {
supportedPrefixes = 1 entries {
[0]={
prefix = dialedDigits "1886"
}
}
}
}
}
mc = FALSE
undefinedNode = FALSE
}
terminalAlias = 2 entries {
[0]=h323_ID 7 characters {
0050 0072 006f 0078 0079 0047 004b ProxyGK
}
[1]=dialedDigits "188600"
}
endpointVendor = {
vendor = {
t35CountryCode = 0
t35Extension = 0
manufacturerCode = 0
}
productId = 57 octets {
47 4e 55 20 47 61 74 65 6b 65 65 70 65 72 20 6f GNU Gatekeeper o
6e 20 4c 69 6e 75 78 20 69 36 38 36 20 32 2e 34 n Linux i686 2.4
2e 32 30 2c 20 41 75 67 20 32 34 20 32 30 30 33 .20, Aug 24 2003
20 30 39 3a 31 30 3a 33 32 09:10:32
}
versionId = 13 octets {
56 65 72 73 69 6f 6e 20 32 2e 30 2e 35 Version 2.0.5
}
}
timeToLive = 900
cryptoTokens = 1 entries {
[0]=cryptoEPPwdHash {
alias = dialedDigits "188600"
timeStamp = 1061683040
token = {
algorithmOID = 1.2.840.113549.2.5
paramS = {
}
hash = Hex: 0c 1a 86 44 92 66 19 2e bd 41 03 49 b1 a3 e3 9d
}
}
}
keepAlive = FALSE
willSupplyUUIEs = FALSE
maintainConnection = FALSE
supportsAltGK = <<null>>
multipleCalls = TRUE
}
2003/08/24 09:57:20.561 2 RasSrv.cxx(2132) GK Read from 192.168.10.200:1719
2003/08/24 09:57:20.587 3 RasSrv.cxx(2145) GK
registrationReject {
requestSeqNum = 1
protocolIdentifier = 0.0.8.2250.0.2
rejectReason = securityDenial <<null>>
gatekeeperIdentifier = 10 characters {
004f 0070 0065 006e 0048 0033 0032 0033 OpenH323
0047 004b GK
}
cryptoTokens = 1 entries {
[0]=cryptoEPPwdHash {
alias = dialedDigits "188600"
timeStamp = 1061683040
token = {
algorithmOID = 1.2.840.113549.2.5
paramS = {
}
hash = Hex: 0c 1a 86 44 92 66 19 2e bd 41 03 49 b1 a3 e3 9d
}
}
}
}


Is it possible to do what I am trying to do? If it requires code changes, I'm happy to make them and contribute the changes back if someone can point me in the right direction.

Cheers,
Mark


Index: radauth.cxx
===================================================================
RCS file: /cvsroot/openh323gk/openh323gk/radauth.cxx,v
retrieving revision 1.1.2.17
diff -u -r1.1.2.17 radauth.cxx
--- radauth.cxx	31 Jul 2003 22:59:24 -0000	1.1.2.17
+++ radauth.cxx	23 Aug 2003 23:51:51 -0000
@@ -362,6 +362,14 @@
 				
 				// append User-Name
 				*pdu += new RadiusAttr( RadiusAttr::UserName, id );
+
+				PString stationId;
+				stationId = GetBestAliasAddressString(aliases,
+					H225_AliasAddress::e_dialedDigits,
+					H225_AliasAddress::e_partyNumber,
+					H225_AliasAddress::e_h323_ID);
+				if(!stationId.IsEmpty())
+					*pdu += new RadiusAttr( RadiusAttr::CallingStationId, stationId );
 				
 				// build CHAP-Password
 				char password[17];
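
Review bot: stationId is picked from `aliases` in the added GetBestAliasAddressString call, independently of the `id` used for User-Name just above and for the CHAP-Password built just below, so nothing in these lines guarantees that Calling-Station-Id names the same identity the password check covers. If the RADIUS server keys its user lookup on Calling-Station-Id, compare stationId against `id` (or against the alias carried in the token) before appending it, or document that the attribute is informational only. The fallback chain also ends in H225_AliasAddress::e_h323_ID, which lets a non-numeric H.323 ID end up in Calling-Station-Id for endpoints that register without dialedDigits or partyNumber; dropping that last fallback and omitting the attribute in that case would keep the field numeric. Since this changes the Access-Request for every existing deployment, a config switch and a comment line such as "// append Calling-Station-Id", matching the neighbouring comments, would be worth adding. Minor style: initialise stationId in its declaration and use `if (` spacing.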
 
