>There is a new "SetupUnreg" Gatekeeper::Auth tag in the cvs that triggers >authentication for unregistered endpoints only, so you config should translate >to something like: > >[Gatekeeper::Auth] >RadAuth=optional;RRQ,ARQ >RadAliasAuth=sufficient;RRQ,ARQ,SetupUnreg > >Having Acct-Stop without Acct-Start actually can often quite often, if no signalling >channel has been opened. For example, ARQ has been received and the call record >timed out. I am sure you can easily detect this situation inside a trigger, whether Acct-Stop >inserts a new call record (no Acct-Start) or just updates an existing one. >Also I am not sure if it is a good idea to keep track of simultaneous calls via acct-start/acct-stop. So, what would you suggest as the right way to track simultaneous usage? It should be reliable and simple at the same time. Still, in any situation - couldn't gnugk remember if it had sent acct-start for some call before sending acct-stop?? Anyways, it's not right logic to stop accounting session without ever starting it (regardless Earth's magnetic field, or the way gnugk operates internally...) may be it's ok for other modules (cdr, filaacct,...) but not for radius. >I can easily imagine some situation that will break this (network failure, gatekeeper crash) If gnugk sent it correctly the only problem could be if gnugk dies during a call - in this case user's account stays blocked, but if gnugk fails I can automatically reset counters to zero for users. In any case it doesn't record blindly acct-start and acct-stop, in my billing actually there is not much problems with that (it operates in a more reliable way), but still it's not ok. >and you will end up with incorrect counter. > >----- Original Message ----- >From: "P. P." <block111@xxxxxxx> >Sent: Saturday, June 26, 2004 7:22 AM > > >> Hi, >> I have been doing some tests with billing: it supports h235 auth, static ip, static ip + h235, static ip + alias authorization. >> >> To be able to corretcly bill endpoints that do not support ras or simply call through gnugk as through a gateway I need to enable >AcceptUnregisteredCalls, but in this case I have a big problem with those that authorized by h235 username+pass. >> >> my config is like this: >> >> [Gatekeeper::Auth] >> RadAuth=optional;RRQ,ARQ >> RadAliasAuth=sufficient;RRQ,ARQ,Setup >> >> >> If an endpoint is supposed to be authenticated by h235 username and password then everything goes well until it sends setup and >where gnugk tries to authorize it's call second time and it, of course, fails at this point without h235 fields (it sends clear >username/password pair, but my billing expects chap_password for this user) >> And the worst thing in this scenario is that gnugk sends Acct-Stop WITHOUT sending Acct-Start!!! which is probably a error to send >accouning messages without delivering service, or at least to send acct-stop without acct-start. In my billing acct-stop decrements >simultaneous usage counter (that is incremented by acct-start) and sending acct-stop without acct-start is a security problem for >billing systems that tracks simultaneous usage limit the same way. >> >> Is there any solution for this, has anybody noticed this behavior? >> >> Thanks. > > > ------------------------------------------------------- This SF.Net email sponsored by Black Hat Briefings & Training. Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com _______________________________________________________ List: Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx Archive: http://sourceforge.net/mailarchive/forum.php?forum_id=8549 Homepage: http://www.gnugk.org/
