I haven't done this for radius, but I have read in the documentation that the setupunreg rule works only with radius. Attached find the necessary changes to make 2.2b5 work with an IP Access List.

Freddy

-----Original Message-----
From: openh323gk-users-admin@xxxxxxxxxxxxxxxxxxxxx [mailto:openh323gk-users-admin@xxxxxxxxxxxxxxxxxxxxx]On Behalf Of Vahram Igityan
Sent: Monday, September 27, 2004 3:03 PM
To: Freddy Parra
Subject: Re[2]: IP based Auth with unregisterd enpoints.

Hello Freddy,

Thanks a lot for your answer, I'll be happy if you can post your modified code! Also, can you describe the way through radius, the config and what attributes must be sent and received from/to gk.

Thank you.

Monday, September 27, 2004, 9:51:31 PM, you wrote:

FP> Hi,

FP> Right now as far as I know the only way is through radius
FP> authentication, which supports the setupunreg rule. I do have a hack
FP> for this without using radius. It authenticates based on IP for
FP> unregistered endpoints, and it's been running for weeks without any
FP> problem with main carriers. I'll be happy to post source changes
FP> if anyone needs this. This is for 2.2b5. Basically I have an
FP> access list in my configuration like this:

FP> [SetupUnregAuth]
FP> Allow=IP1,IP2,IP3, etc....

FP> Only these IPs will be allowed access. This is good since you
FP> no longer have to worry about keeping your entire network open if
FP> you set
FP> AcceptUnregisteredCalls=1, since this allows anyone to send
FP> calls to your gatekeeper. My code checks for this before
FP> executing the access list code. In other words, if
FP> AcceptUnregisteredCalls=0 then the access list is checked.

FP> Regards,

FP> Freddy

FP> -----Original Message-----
FP> From: openh323gk-users-admin@xxxxxxxxxxxxxxxxxxxxx
FP> [mailto:openh323gk-users-admin@xxxxxxxxxxxxxxxxxxxxx]On Behalf Of Vahram
FP> Igityan
FP> Sent: Monday, September 27, 2004 12:15 PM
FP> To: openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
FP> Subject: IP based Auth with unregisterd enpoints.

FP> Hello,

FP> I'm very sorry for the "lame" question, I just need a fast and working
FP> solution.

FP> Here is a diagram:

FP> CLIENTS(with static ips) ==> GNUGK ==>{terminator/softswitch}

FP> Clients cannot register on the gk (they're softswitches), how can I set up to
FP> authenticate them based on their IP and "forward" their call to the
FP> terminator. I need the gk to do accounting.

--
Best regards,
 Vahram                          mailto:vx@xxxxxxxxxxx

_______________________________________________________
List: Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
Archive: http://sourceforge.net/mailarchive/forum.php?forum_id=8549
Homepage: http://www.gnugk.org/

//***********************************************In ProxyChannel.cxx
//In this function edit and add last line
bool CallSignalSocket::OnSetup(H225_Setup_UUIE & Setup, PString &in_rewrite_id, PString &out_rewrite_id)
{
. . . .
	if (!rejectCall && !destFound) {
		// for compatible to old version
		/* Code Section Changed By Me FP*/
		//Comment out - if (!(useParent || RasSrv->AcceptUnregisteredCalls(fromIP)))
		/*****************************FP-Add This*********************************************************/
		if (!(useParent || RasSrv->AcceptUnregisteredCalls(fromIP) || RasSrv->CheckSetupAuthIP(fromIP))) {
		/**********************************************************************************************/
. . . .

//***********************************************In RasSrv.h
//Add the last line
class RasServer : public Singleton<RasServer>, public SocketsReader {
public:
	typedef PIPSocket::Address Address;

	RasServer();
	~RasServer();

	// override from class SocketsReader
	virtual void Stop();

	// set routed according to the config file
	void SetRoutedMode();
	// set routed method
	void SetRoutedMode(bool, bool);

	bool IsGKRouted() const { return GKRoutedSignaling; }
	bool IsH245Routed() const { return GKRoutedH245; }
	bool AcceptUnregisteredCalls(const PIPSocket::Address &) const;
	/**************FP - Added Authentication for Unregister calls.*******************/
	bool CheckSetupAuthIP(const PIPSocket::Address &) const;
	/********************************************************************************/
. . .

//***********************************************In RasSrv.cxx
//Add this new function
/*FP - Authentication for Unregister calls based on IP address*/
bool RasServer::CheckSetupAuthIP(const PIPSocket::Address & addr) const
{
	PString ipAddress = AsString(addr);
	PTRACE(2,"Incoming IP Address From Unregister Call Is "<<ipAddress);
	PString ipListAllowed = GkConfig()->GetString("SetupUnregAuth","Allow","");
	PTRACE(2,"The Access List of Allowed IPs Is: "<<ipListAllowed);
	PStringArray fileTokens = ipListAllowed.Tokenise(",",false);
	PINDEX totalTokens = fileTokens.GetSize();
	PTRACE(2,"Checking Incoming IP Address of Unregister Calls Against Access List");
	for(int k=0; k < totalTokens; k++)
	{
		//PTRACE(2,"IP Allowed: "<<fileTokens[k]);
		PTRACE(2,"Checking Incoming IP "<<ipAddress <<" Against Access List IP "<<fileTokens[k]);
		if(ipAddress==fileTokens[k])
		{
			PTRACE(2,"Match Found!");
			return true; //Found IP Address
		}
	}
	PTRACE(2,"No Match Found!");
	return false; //IP Address Not Found In AccessList
} //End CheckSetupAuthIP

//***********************************************In h323util.cxx
//Add this new function
PString AsString(const PIPSocket::Address &ip)
{
	return PString(PString::Printf, "%d.%d.%d.%d",ip[0], ip[1], ip[2], ip[3]);
} //End AsString(const PIPSocket::Address &ip)
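
Added example, not part of the original post or of GnuGK: the [SetupUnregAuth] Allow= access-list check as a standalone C++ program that compares parsed IPv4 addresses instead of dotted strings, so spacing in the config value does not change the result and malformed entries are reported rather than silently kept. The names AllowList, parseAllow and isAllowed and the sample addresses are assumptions made for illustration; it uses POSIX inet_pton in place of PWLib.

```cpp
#include <arpa/inet.h>
#include <cstdint>
#include <set>
#include <sstream>
#include <string>
#include <vector>

struct AllowList {
    std::set<uint32_t> addrs;           // parsed entries, network byte order
    std::vector<std::string> rejected;  // entries that did not parse as IPv4
};

// Strip surrounding whitespace from one list entry.
static std::string trim(const std::string &s) {
    const char *ws = " \t\r\n";
    size_t b = s.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    size_t e = s.find_last_not_of(ws);
    return s.substr(b, e - b + 1);
}

// Parse a comma-separated Allow= value. Malformed entries are recorded
// for logging and can never match a caller.
AllowList parseAllow(const std::string &value) {
    AllowList out;
    std::istringstream in(value);
    std::string tok;
    while (std::getline(in, tok, ',')) {
        tok = trim(tok);
        if (tok.empty()) continue;
        in_addr a;
        if (inet_pton(AF_INET, tok.c_str(), &a) == 1) out.addrs.insert(a.s_addr);
        else out.rejected.push_back(tok);
    }
    return out;
}

// True only if the caller address parses and is listed; an empty list denies all.
bool isAllowed(const AllowList &list, const std::string &callerIp) {
    in_addr a;
    if (inet_pton(AF_INET, callerIp.c_str(), &a) != 1) return false;
    return list.addrs.count(a.s_addr) != 0;
}

int main() {
    // Constructed sample value (documentation addresses) with stray spaces and one bad entry.
    AllowList l = parseAllow("192.0.2.10, 198.51.100.7 ,,203.0.113.999");
    return (isAllowed(l, "198.51.100.7") && !isAllowed(l, "203.0.113.5")) ? 0 : 1;
}
```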