Re: [Openh323gk-users] RADIUS + Child Gatekeepers

Zygmuntowicz Michal wrote:
The endpoint receives in the RCF a list of accepted aliases. But due to matters
of security, half-working endpoints etc., we should simply reject endpoints with invalid aliases now, and this logic should be hidden
inside the RADIUS backend: if h323-ivr-out contains an invalid alias, then
Access-Reject will be sent. h323-ivr-in can be sent if another alias policy
is permitted, and the alias list should be updated.


My suggestion is to not bother with the h323-ivr-in attribute now (let's place it in TODO)
and just make h323-ivr-out be sent. Another important thing is that this
should be present as an option in the gk.ini file. Let's name this config variable like:

IncludeTerminalAlias = 1 or 0

and this option will be active only if "AppendCiscoAttributes" is also active,
since h323-ivr-out is a Cisco VSA. h323-ivr-out should be formatted like:

h323-ivr-out = "terminal-alias:alias[,alias]...[;]"

The optional semicolon can be emitted to prevent "missing ;" bugs
if other variables are appended to h323-ivr-out.


Based on my reading of the Cisco URL you sent, the format of this message should be:


Cisco-AVPair = "h323-ivr-out=terminal-alias:alias[,alias]...[;]"

On that basis, I've made a patch to the r2_0 branch which implements exactly that for both RadAuth and RadAliasAuth. It honours an IncludeTerminalAliases bool, and depends on AppendCiscoAttributes being true. I've tested it and it works quite well. Included in the patch is an update to the configuration templates etc/radauth.ini and etc/radaliasauth.ini to reflect the new option.

Also, I back-ported the Cisco Access Token support from CVS HEAD; attached is a patch which achieves this. The only thing I'm not sure about in this one is how to go about setting m_authMode correctly. Currently I've hardcoded it to e_authenticationBES, and I'm not sure of the consequences of that.

Cheers,
Mark
Index: GkClient.cxx
===================================================================
RCS file: /cvsroot/openh323gk/openh323gk/GkClient.cxx,v
retrieving revision 1.11.4.43
diff -u -r1.11.4.43 GkClient.cxx
--- GkClient.cxx	11 Mar 2003 01:57:29 -0000	1.11.4.43
+++ GkClient.cxx	24 Aug 2003 22:26:49 -0000
@@ -253,6 +253,8 @@
 	m_useAltGKPermanent = false;
 	m_rewriteInfo = new Toolkit::RewriteData(GkConfig(), RewriteE164Section);
 
+	m_authMode = H235_AuthenticationMechanism::e_authenticationBES;
+
 	SendRRQ();
 }
 
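Review bot: m_authMode is hard-coded to H235_AuthenticationMechanism::e_authenticationBES in the constructor, which switches every child gatekeeper built from this branch to clear (CAT) tokens with no way back to the previous crypto-token behaviour. The surrounding code already reads its settings from GkConfig() (m_rewriteInfo two lines above), so read the mechanism from the same config section and default to the pre-patch value, so that deployments registering with a parent that only accepts H235AuthSimpleMD5 crypto tokens keep working.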
@@ -757,6 +759,18 @@
 	}
 	return false;
 }
+
+#ifdef OPENH323_NEWVERSION
+void GkClient::SetClearTokens(H225_ArrayOf_ClearToken & clearTokens, const PString & id)
+{
+	clearTokens.RemoveAll();
+	H235AuthCAT auth;
+	auth.SetLocalId(id);
+	auth.SetPassword(m_password);
+	H225_ArrayOf_CryptoH323Token dumbTokens;
+	auth.PrepareTokens(clearTokens, dumbTokens);
+}
+#endif
 
 void GkClient::SetCryptoTokens(H225_ArrayOf_CryptoH323Token & cryptoTokens, const PString & id)
 {
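Review bot: the BOOL returned by auth.PrepareTokens(clearTokens, dumbTokens) is discarded, so if token preparation fails the RRQ leaves with an empty m_tokens array and the parent's security denial is the first sign of trouble; check the result and log it (PTRACE) at least. The function-local `H235AuthCAT auth` also shares its name with the `H235AuthSimpleMD5 auth` member declared in GkClient.h; rename the local (e.g. `catAuth`) to make clear which authenticator is in use on each path.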
Index: GkClient.h
===================================================================
RCS file: /cvsroot/openh323gk/openh323gk/GkClient.h,v
retrieving revision 1.6.4.13
diff -u -r1.6.4.13 GkClient.h
--- GkClient.h	30 Oct 2002 06:37:03 -0000	1.6.4.13
+++ GkClient.h	24 Aug 2003 22:26:49 -0000
@@ -53,6 +53,7 @@
 class H225_LocationConfirm;
 class H225_InfoRequest;
 class H225_Setup_UUIE;
+class H225_ArrayOf_ClearToken;
 class H225_ArrayOf_CryptoH323Token;
 class Q931;
 class H323RasSrv;
@@ -106,8 +107,10 @@
 	template<class RAS> void SetPassword(RAS & rasmsg, const PString & id)
 	{
 		if (!m_password) {
-			rasmsg.IncludeOptionalField(RAS::e_cryptoTokens);
-			SetCryptoTokens(rasmsg.m_cryptoTokens, id);
+			if(m_authMode == 7)
+				rasmsg.IncludeOptionalField(RAS::e_tokens), SetClearTokens(rasmsg.m_tokens, id);
+			else
+				rasmsg.IncludeOptionalField(RAS::e_cryptoTokens), SetCryptoTokens(rasmsg.m_cryptoTokens, id);
 		}
 	}
 	template<class RAS> void SetPassword(RAS & rasmsg)
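Review bot: `if(m_authMode == 7)` compares against a magic number while the constructor assigns H235_AuthenticationMechanism::e_authenticationBES; use the enumerator here as well so the two cannot drift apart. The comma-operator one-liners are also easy to misread as a single call; write them as braced blocks: `rasmsg.IncludeOptionalField(RAS::e_tokens); SetClearTokens(rasmsg.m_tokens, id);`.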
@@ -125,6 +128,7 @@
 	int  BuildARQ(H225_AdmissionRequest &);
 	bool GetAdmission(H225_RasMessage &, H225_RasMessage &);
 	bool RewriteString(PString &, bool) const;
+	void SetClearTokens(H225_ArrayOf_ClearToken &, const PString &);
 	void SetCryptoTokens(H225_ArrayOf_CryptoH323Token &, const PString &);
 	void Unregister();
 	void RemoveNATThread();
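Review bot: this declaration of SetClearTokens is unconditional, but its definition in GkClient.cxx is wrapped in `#ifdef OPENH323_NEWVERSION`, and the SetPassword template references it regardless of the runtime value of m_authMode, so a build without that macro fails at link time with an undefined reference. Either put the same #ifdef around this line and the e_tokens branch in SetPassword, or provide an out-of-#ifdef stub that logs and falls back to SetCryptoTokens.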
@@ -157,6 +161,7 @@
 	ReceivedLCF *m_lcfHook;
 
 	H235AuthSimpleMD5 auth;
+	unsigned m_authMode;
 };
 
 #endif // __gkclient_h_
Index: radauth.cxx
===================================================================
RCS file: /cvsroot/openh323gk/openh323gk/radauth.cxx,v
retrieving revision 1.1.2.17
diff -u -r1.1.2.17 radauth.cxx
--- radauth.cxx	31 Jul 2003 22:59:24 -0000	1.1.2.17
+++ radauth.cxx	24 Aug 2003 22:30:36 -0000
@@ -159,6 +159,10 @@
 			RadAuthConfigSectionName, "IncludeEndpointIP", TRUE
 			)
 		),
+	includeTerminalAliases( cfg->GetBoolean(
+			RadAuthConfigSectionName, "IncludeTerminalAliases", TRUE
+			)
+		),
 	localInterface( cfg->GetString(
 			RadAuthConfigSectionName, "LocalInterface", ""
 			)
@@ -362,7 +366,7 @@
 				
 				// append User-Name
 				*pdu += new RadiusAttr( RadiusAttr::UserName, id );
-				
+
 				// build CHAP-Password
 				char password[17];
 				password[0] = (BYTE)randomInt;
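Review bot: this hunk only strips trailing tabs from an empty line; drop it so the patch contains nothing but the functional change.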
@@ -420,6 +424,23 @@
 								);
 					}
 				}
+
+				if( appendCiscoAttributes && includeTerminalAliases )
+				{
+					PString aliasList = "terminal-alias:";
+					for(PINDEX i = 0; i < aliases.GetSize(); i++)
+					{
+						if(i>0)
+							aliasList += ",";
+						PString AliasStr = H323GetAliasAddressString(aliases[i]);
+						aliasList += AliasStr;
+					}
+					*pdu += new RadiusAttr(
+						PString("h323-ivr-out=") + aliasList + PString(";"),
+						9,	// Cisco
+						1	// Cisco-AV-Pair
+						);
+				}
 				
 				// send request and wait for response
 				RadiusPDU* response = NULL;
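Review bot: the aliases are joined with "," and terminated with ";" and nothing checks that H323GetAliasAddressString(aliases[i]) itself contains neither character (an email-ID or URL-ID alias can), so an endpoint can make one alias read as two, or append its own `key:value;` field to h323-ivr-out, as seen by the RADIUS server whose job is to reject bad aliases; refuse such aliases (or skip the VSA) before building the string. There is also no bound on the length: a RADIUS attribute value is at most 253 octets and the string inside a Cisco VSA fewer still, so a long alias list has to be truncated or split deliberately rather than handed to RadiusAttr as is.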
@@ -891,6 +912,10 @@
 			RadAliasAuthConfigSectionName, "IncludeEndpointIP", TRUE
 			)
 		),
+	includeTerminalAliases( cfg->GetBoolean(
+			RadAliasAuthConfigSectionName,"IncludeTerminalAliases", TRUE
+			)
+		),
 	localInterface( cfg->GetString(
 			RadAliasAuthConfigSectionName, "LocalInterface", ""
 			)
@@ -1105,6 +1130,23 @@
 					addr
 					);
 		}
+	}
+
+	if( appendCiscoAttributes && includeTerminalAliases )
+	{
+		PString aliasList = "terminal-alias:";
+		for(PINDEX i = 0; i < rrq.m_terminalAlias.GetSize(); i++)
+		{
+			if(i>0)
+				aliasList += ",";
+			PString AliasStr = H323GetAliasAddressString(rrq.m_terminalAlias[i]);
+			aliasList += AliasStr;
+		}
+		*pdu += new RadiusAttr(
+			PString("h323-ivr-out=") + aliasList + PString(";"),
+			9,      // Cisco
+			1       // Cisco-AV-Pair
+			);
 	}
 					
 	// send request and wait for response
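Review bot: rrq.m_terminalAlias is an optional RRQ field; the loop must be preceded by `rrq.HasOptionalField(H225_RegistrationRequest::e_terminalAlias)`, otherwise an RRQ without aliases produces an empty `terminal-alias:;` at best and reads an absent field at worst. The loop body is also a verbatim copy of the RadAuth block earlier in this file; factor the string building into one helper taking the H225_ArrayOf_AliasAddress so the separator and escaping rules live in a single place.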
Index: radauth.h
===================================================================
RCS file: /cvsroot/openh323gk/openh323gk/radauth.h,v
retrieving revision 1.1.2.7
diff -u -r1.1.2.7 radauth.h
--- radauth.h	31 Jul 2003 13:09:15 -0000	1.1.2.7
+++ radauth.h	24 Aug 2003 22:30:37 -0000
@@ -204,6 +204,8 @@
 	BOOL appendCiscoAttributes;
 	/// if TRUE endpoint IP is placed inside Framed-IP-Address attribute
 	BOOL includeFramedIp;
+	/// if TRUE an h323-ivr-out tag will be sent with every alias specified by the client
+	BOOL includeTerminalAliases;
 	/// Local interface RADIUS client should be bound to (multihomed hosts)
 	PString localInterface;	
 	/// RADIUS protocol client class associated with this authenticator
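Review bot: the doc comment should state that the flag only has effect when appendCiscoAttributes is TRUE (the code silently ignores it otherwise) and name the attribute that carries the list (Cisco-AVPair, vendor 9, type 1) so the header matches what the .ini templates promise.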
@@ -410,6 +412,8 @@
 	BOOL appendCiscoAttributes;
 	/// if TRUE endpoint IP is placed inside Framed-IP-Address attribute
 	BOOL includeFramedIp;
+	/// if TRUE an h323-ivr-out tag will be sent with every alias specified by the client
+	BOOL includeTerminalAliases;
 	/// local interface RADIUS client should be bound to (multihomed hosts)
 	PString localInterface;	
 	/// fixed username to be send in RADIUS requests instead of alias
Index: etc/radaliasauth.ini
===================================================================
RCS file: /cvsroot/openh323gk/openh323gk/etc/Attic/radaliasauth.ini,v
retrieving revision 1.1.2.3
diff -u -r1.1.2.3 radaliasauth.ini
--- etc/radaliasauth.ini	31 Jul 2003 13:12:31 -0000	1.1.2.3
+++ etc/radaliasauth.ini	24 Aug 2003 22:30:38 -0000
@@ -85,6 +85,11 @@
 # (h323-conf-id,h323-call-type,h323-call-origin,etc.)
 AppendCiscoAttributes=0
 
+# Set to 1 if RADIUS packets should contain a Cisco h323-ivr-out VSA
+# containing a list of all aliases the endpoint wishes to register
+# AppendCiscoAttributes must be set to 1 above.
+IncludeTerminalAliases=0
+
 # Set to 1 if RADIUS packets should contain endpoint IP
 # address (passed inside Framed-IP-Address attribute)
 IncludeEndpointIP=1
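Review bot: the comment does not tell the RADIUS administrator what value arrives, which is what the backend policy has to be written against; add the format from the thread, `h323-ivr-out=terminal-alias:alias[,alias]...;`, and say that the option is silently ignored (not an error) when AppendCiscoAttributes=0.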
Index: etc/radauth.ini
===================================================================
RCS file: /cvsroot/openh323gk/openh323gk/etc/Attic/radauth.ini,v
retrieving revision 1.1.2.5
diff -u -r1.1.2.5 radauth.ini
--- etc/radauth.ini	19 Jun 2003 16:03:58 -0000	1.1.2.5
+++ etc/radauth.ini	24 Aug 2003 22:30:38 -0000
@@ -84,6 +84,11 @@
 # (h323-conf-id,h323-call-type,h323-call-origin,etc.)
 AppendCiscoAttributes=0
 
+# Set to 1 if RADIUS packets should contain a Cisco h323-ivr-out VSA
+# containing a list of all aliases the endpoint wishes to register
+# AppendCiscoAttributes must be set to 1 above.
+IncludeTerminalAliases=0
+
 # Set to 1 if RADIUS packets should contain endpoint IP
 # address (passed inside Framed-IP-Address attribute)
 IncludeEndpointIP=1
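The attribute format the thread settles on (`Cisco-AVPair = "h323-ivr-out=terminal-alias:alias[,alias]...[;]"`) and the backend policy Michal describes (Access-Reject when the list contains an alias the account may not own), as an added example in Python. It is not part of the patch or of the OpenH323 Gatekeeper source. The 247-octet limit, the `permitted` table, the rejection of separator characters inside an alias and the decision to reject an empty alias list are assumptions of the example, not something the thread states.

```python
# Added example (not code from the patch or the OpenH323 Gatekeeper project):
# gatekeeper-side builder and RADIUS-side parser/policy for the Cisco-AVPair
#   h323-ivr-out=terminal-alias:alias[,alias]...[;]
# agreed on in the thread.

# RFC 2865 caps an attribute value at 253 octets; inside a Vendor-Specific
# attribute the Cisco-AVPair string sits behind a 4-octet Vendor-Id and a
# 2-octet vendor type/length header, leaving 247 octets.  (Assumed layout for
# this example; the patch's RadiusAttr class is not checked here.)
MAX_CISCO_AVPAIR_OCTETS = 247

PREFIX = "h323-ivr-out="


def build_terminal_alias_avpair(aliases, terminating_semicolon=True):
    """Gatekeeper side: the string the patch builds,
    'h323-ivr-out=terminal-alias:' + ','.join(aliases) [+ ';'],
    plus two checks the patch does not do: no separator character inside an
    alias (the format has no escaping) and no overlong value."""
    for alias in aliases:
        if "," in alias or ";" in alias:
            raise ValueError("alias %r contains a separator character" % alias)
    value = PREFIX + "terminal-alias:" + ",".join(aliases)
    if terminating_semicolon:
        value += ";"
    if len(value.encode("utf-8")) > MAX_CISCO_AVPAIR_OCTETS:
        raise ValueError("Cisco-AVPair value exceeds %d octets" % MAX_CISCO_AVPAIR_OCTETS)
    return value


def parse_h323_ivr_out(avpair):
    """RADIUS side: split 'h323-ivr-out=key:val;key:val[;]' into a dict.
    The terminating ';' is optional, as the thread specifies."""
    if not avpair.startswith(PREFIX):
        raise ValueError("not an h323-ivr-out AV pair: %r" % avpair)
    fields = {}
    for item in avpair[len(PREFIX):].split(";"):
        if not item:
            continue  # empty tail produced by the terminating ';'
        key, sep, val = item.partition(":")
        if not sep:
            raise ValueError("malformed h323-ivr-out field: %r" % item)
        fields[key] = val
    return fields


def terminal_aliases(avpair):
    """Aliases the endpoint asked to register, in RRQ order."""
    raw = parse_h323_ivr_out(avpair).get("terminal-alias", "")
    return [a for a in raw.split(",") if a]


def decide_registration(avpair, user_name, permitted):
    """Michal's policy, applied in the RADIUS backend: Access-Reject if any
    requested alias is not permitted for User-Name, Access-Accept otherwise.
    `permitted` maps User-Name -> set of aliases it may own (a constructed
    table in this example).  An unparsable or empty alias list is rejected so
    the check fails closed (the example's choice, not stated in the thread)."""
    try:
        requested = terminal_aliases(avpair)
    except ValueError:
        return "Access-Reject"
    if not requested:
        return "Access-Reject"
    allowed = permitted.get(user_name, set())
    if all(alias in allowed for alias in requested):
        return "Access-Accept"
    return "Access-Reject"


if __name__ == "__main__":
    # Constructed sample: account 'alice' owns E.164 number 1001 and H.323-ID 'alice'.
    permitted = {"alice": {"1001", "alice"}}
    ok = build_terminal_alias_avpair(["1001", "alice"])
    print(ok, "->", decide_registration(ok, "alice", permitted))
    bad = build_terminal_alias_avpair(["1001", "1002"])  # 1002 is not alice's
    print(bad, "->", decide_registration(bad, "alice", permitted))
```

The parser splits on ";" first and on "," second, which is why an alias containing either character cannot be transported safely by this format; the builder therefore refuses such aliases instead of sending something the server will mis-split.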
