GateKeeper and Gateway

wongsusanto
Level 1

Hi,

I am having a problem setting up a gatekeeper and some VoIP gateways. I want to set up security for when the gateways try to register to the gatekeeper. I am using RADIUS as the authentication server. Does anyone have a sample config...? I tried to follow the sample on the Cisco web site but it doesn't work. The gateways always try to authenticate but the RADIUS server didn't accept it because there is invalid... These are the configs on my routers:

GateKeeper

aaa new-model
!
!
aaa authentication login h323 group radius
aaa authentication ppp h323 group radius
aaa authentication nasi h323 group radius
aaa accounting network h323 start-stop group radius
aaa accounting connection h323 start-stop group radius
aaa session-id common
radius-server host 192.168.0.32 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key test
radius-server vsa send accounting
radius-server vsa send authentication
gatekeeper
 zone local HQ cisco.com 192.168.0.232
 accounting vsa
 security h323-id
 security password default h323
 arq reject-unknown-prefix
 lrq forward-queries
 no shutdown

GATEWAY

interface FastEthernet0/0
 ip address 192.168.0.243 255.255.255.0
 duplex auto
 speed auto
 h323-gateway voip interface
 h323-gateway voip id HQ ipaddr 192.168.0.232 1718
 h323-gateway voip h323-id BR2
 h323-gateway voip tech-prefix 200#
 h323-gateway voip bind srcaddr 192.168.0.243
gateway
 security password 02243609 level all

Debugging result: radius and aaa authentication

01:17:29: AAA: parse name=<no string> idb type=-1 tty=-1
01:17:29: AAA/MEMORY: create_user (0x63942684) user='BR2' ruser='NULL' ds0=0 port='NULL' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=0 initial_task_id='0'
01:17:29: AAA/AUTHEN/START (3421315262): port='' list='h323' action=LOGIN service=LOGIN
01:17:29: AAA/AUTHEN/START (3421315262): found list h323
01:17:29: AAA/AUTHEN/START (3421315262): Method=radius (radius)
01:17:29: AAA/AUTHEN(3421315262): Status=GETPASS
01:17:29: AAA/H323: Password:
01:17:29: AAA/AUTHEN/CONT (3421315262): continue_login (user='BR2')
01:17:29: AAA/AUTHEN(3421315262): Status=GETPASS
01:17:29: AAA/AUTHEN(3421315262): Method=radius (radius)
01:17:29: RADIUS: ustruct sharecount=1
01:17:29: Radius: radius_port_info() success=0 radius_nas_port=1
01:17:29: RADIUS: Send to unknown id 42 192.168.0.32:1812, Access-Request, len 55
01:17:29: RADIUS: authenticator 88 5F 76 55 D9 B5 1B 1C - 5A 7E 55 F1 D0 5B B2 C5
01:17:29: RADIUS: NAS-IP-Address [4] 6 192.168.0.232
01:17:29: RADIUS: NAS-Port-Type [61] 6 Async [0]
01:17:29: RADIUS: User-Name [1] 5 "BR2"
01:17:29: RADIUS: User-Password [2] 18 *
R8#
R8#
R8#
01:17:34: RADIUS: Retransmit id 42
01:17:34: RADIUS: Received from id 42 192.168.0.32:1812, Access-Reject, len 20
01:17:34: RADIUS: authenticator 13 E4 71 47 D9 AD FD 66 - D5 17 5C 4E 8A 10 1A 49
01:17:34: RADIUS: saved authorization data for user 63942684 at 0
01:17:34: AAA/AUTHEN(3421315262): Status=FAIL
01:17:34: AAA/MEMORY: free_user (0x63942684) user='BR2' ruser='NULL' port='NULL' rem_addr='NULL' authen_type=ASCII service=H323 priv=0
01:17:34: RADIUS: Received from id 42 192.168.0.32:1812, Access-Reject, len 20
01:17:34: RADIUS: Cannot find corresponding request for response

Thanks and Regards
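The debug output above already contains the diagnosis, but it is easy to misread: the request for id 42 was retransmitted after 5 seconds, the server then answered both copies with Access-Reject, and IOS logged the second answer as an orphan ("Cannot find corresponding request for response"). The following Python script is an added example, not code from the post or from Cisco; it correlates the RADIUS request ids in such a debug trace with their replies and turns each exchange into a plain verdict. The sample input is constructed from the lines quoted in the post.

```python
import re

# Constructed sample input: these lines are copied from the "debug radius" /
# "debug aaa authentication" output quoted in the post above.
DEBUG_LINES = """\
01:17:29: AAA/AUTHEN/START (3421315262): port='' list='h323' action=LOGIN service=LOGIN
01:17:29: RADIUS: Send to unknown id 42 192.168.0.32:1812, Access-Request, len 55
01:17:29: RADIUS: NAS-IP-Address [4] 6 192.168.0.232
01:17:29: RADIUS: User-Name [1] 5 "BR2"
01:17:29: RADIUS: User-Password [2] 18 *
01:17:34: RADIUS: Retransmit id 42
01:17:34: RADIUS: Received from id 42 192.168.0.32:1812, Access-Reject, len 20
01:17:34: AAA/AUTHEN(3421315262): Status=FAIL
01:17:34: RADIUS: Received from id 42 192.168.0.32:1812, Access-Reject, len 20
01:17:34: RADIUS: Cannot find corresponding request for response
"""

TIME_RE = re.compile(r"^(\d\d:\d\d:\d\d): ")
SEND_RE = re.compile(r"RADIUS: Send to .*?id (\d+) (\S+), (Access-\w+)")
RECV_RE = re.compile(r"RADIUS: Received from id (\d+) (\S+), (Access-\w+)")
RETX_RE = re.compile(r"RADIUS: Retransmit id (\d+)")
USER_RE = re.compile(r'RADIUS: User-Name \[1\] \d+ "([^"]*)"')


def verdict(ex):
    """Translate one request/reply exchange into the diagnosis a NAS operator needs."""
    if ex["reply"] is None:
        return "no reply: server unreachable, wrong address/port, or a firewall in the path"
    if ex["reply"] == "Access-Accept":
        return "accepted"
    if ex["reply"] == "Access-Reject":
        # RFC 2865 requires the NAS to discard a reply whose Response Authenticator
        # does not verify, so a reply that reached AAA (Status=FAIL) proves the shared
        # secret matched; the rejection is the server's decision about the user's
        # credentials or policy, not a transport or key problem.
        return "rejected by server: check the user entry and password on the RADIUS side"
    return ex["reply"]


def analyse_radius_debug(text):
    """Correlate RADIUS ids with replies; count retransmits and duplicate (orphan) replies."""
    exchanges = {}
    orphans = []
    current = None
    for line in text.splitlines():
        t = TIME_RE.match(line)
        ts = t.group(1) if t else None
        if m := SEND_RE.search(line):
            rid, server, code = m.groups()
            exchanges[rid] = {"server": server, "request": code, "sent": ts, "user": None,
                              "retransmits": 0, "reply": None, "replies": 0, "answered": None}
            current = rid
        elif (m := USER_RE.search(line)) and current in exchanges:
            exchanges[current]["user"] = m.group(1)
        elif (m := RETX_RE.search(line)) and m.group(1) in exchanges:
            exchanges[m.group(1)]["retransmits"] += 1
        elif m := RECV_RE.search(line):
            rid, server, code = m.groups()
            ex = exchanges.get(rid)
            if ex is None or ex["replies"] > 0:
                # A second reply to the same id means the server answered both the
                # original and the retransmit; IOS logs it as "Cannot find corresponding
                # request for response". Harmless, but the reply took about as long as
                # the retransmit timer, which is worth knowing about the server.
                orphans.append({"id": rid, "code": code, "time": ts})
            if ex is not None:
                ex["replies"] += 1
                if ex["reply"] is None:
                    ex["reply"], ex["answered"] = code, ts
    for ex in exchanges.values():
        ex["verdict"] = verdict(ex)
    return {"exchanges": exchanges, "orphans": orphans}


if __name__ == "__main__":
    result = analyse_radius_debug(DEBUG_LINES)
    for rid, ex in result["exchanges"].items():
        print(f"id {rid}: user={ex['user']} {ex['request']} -> {ex['reply']} "
              f"(retransmits={ex['retransmits']}, replies={ex['replies']}): {ex['verdict']}")
    for o in result["orphans"]:
        print(f"orphan reply id {o['id']} {o['code']} at {o['time']}")
```

Run against the trace above it reports one exchange for user BR2 that was retransmitted once, answered twice with Access-Reject, and one orphan reply. The useful conclusion is the one in the verdict: the gatekeeper reached the server and the shared secret was fine, so the fault lies in the user/password entry or policy on the RADIUS server rather than in the `radius-server` lines on the router.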

3 Replies

pacameron
Level 4

Make sure the gateways and gatekeepers are NTP synchronised. The time difference between the 2 devices has to be within around 30 seconds of each other otherwise they will not authenticate.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t1/h323v2p2.htm#xtocid255056

"The security mechanisms described above require the gateway and gatekeeper clocks to be synchronized within 30 seconds of each other by using a Network Time Protocol (NTP) server."

If you don't have access to an NTP server, set up the gatekeeper as an NTP master and set the router clock, then point the gateways to the gatekeeper so they sync their time off it:

gatekeeper router -
ntp master

gateway router -
ntp server

The RADIUS server needs to have a username for the remote router and a corresponding password in its database. You also need the following line in the gatekeeper config:

security token required-for all

Here are configs for 2 gateways authenticating to a gatekeeper -

multi-3-3#sh run
Building configuration...

Current configuration : 1534 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname multi-3-3
!
logging buffered 250000 debugging
logging rate-limit console 10 except errors
enable password cisco
!
memory-size iomem 10
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
!
isdn switch-type basic-net3
call rsvp-sync
cns event-service server
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 33.1.1.1 255.255.255.0
 h323-gateway voip interface
 h323-gateway voip id Gatekeeper3_4 ipaddr 34.1.1.1 1718
 h323-gateway voip h323-id Gateway3_3
 h323-gateway voip bind srcaddr 33.1.1.1
!
interface FastEthernet0/0
 ip address 10.1.1.3 255.255.255.0
 speed 10
 half-duplex
!
interface BRI1/0
 no ip address
 isdn switch-type basic-net3
 isdn incoming-voice voice
!
interface BRI1/1
 no ip address
 isdn switch-type basic-net3
!
router eigrp 1
 network 10.0.0.0
 network 33.0.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip kerberos source-interface any
ip classless
no ip http server
!
!
!
voice-port 1/0/0
 compand-type a-law
!
voice-port 1/0/1
!
dial-peer cor custom
!
!
!
dial-peer voice 100 pots
 destination-pattern 1
 port 1/0/0
!
dial-peer voice 200 voip
 destination-pattern 2........
 session target ras
 dtmf-relay cisco-rtp
 ip precedence 5
!
gateway
 security password 0822455D0A16 level all
!
!
gatekeeper
 shutdown
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password cisco
 login
!
no scheduler allocate
ntp server 10.1.1.4
end

multi-3-3#

multi-3-4#sh run
Building configuration...

Current configuration : 1499 bytes
!
! Last configuration change at 18:52:04 UTC Mon Dec 10 2001
! NVRAM config last updated at 18:52:41 UTC Mon Dec 10 2001
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname multi-3-4
!
logging rate-limit console 10 except errors
aaa new-model
aaa authentication login h323 local
aaa accounting connection h323 start-stop group radius
enable password cisco
!
username Gateway3_3 password 0 cisco
username Gateway3_5 password 0 cisco
memory-size iomem 30
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
!
call rsvp-sync
cns event-service server
voice rtp send-recv
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 34.1.1.1 255.255.255.0
 h323-gateway voip bind srcaddr 34.1.1.1
!
interface Ethernet0/0
 ip address 10.1.1.4 255.255.255.0
 half-duplex
!
router eigrp 1
 network 10.0.0.0
 network 34.0.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip kerberos source-interface any
ip classless
ip http server
!
!
!
voice-port 1/0/0
!
voice-port 1/0/1
!
voice-port 1/1/0
!
voice-port 1/1/1
!
dial-peer cor custom
!
!
!
gateway
!
!
gatekeeper
 zone local Gatekeeper3_4 cisco.com 34.1.1.1
 zone prefix Gatekeeper3_4 1*
 zone prefix Gatekeeper3_4 2*
 security token required-for all
 gw-type-prefix 1* gw ipaddr 33.1.1.1 1720
 gw-type-prefix 2* gw ipaddr 35.1.1.1 1720
 no shutdown
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password cisco
line vty 5 15
!
ntp master
end

multi-3-4#

multi-3-5#sh run
Building configuration...

Current configuration : 1655 bytes
!
! Last configuration change at 18:50:14 UTC Mon Dec 10 2001
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname multi-3-5
!
logging rate-limit console 10 except errors
enable password cisco
!
memory-size iomem 15
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
!
isdn switch-type basic-net3
call rsvp-sync
cns event-service server
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 35.1.1.1 255.255.255.0
 h323-gateway voip interface
 h323-gateway voip id Gatekeeper3_4 ipaddr 34.1.1.1 1718
 h323-gateway voip h323-id Gateway3_5
 h323-gateway voip bind srcaddr 35.1.1.1
!
interface FastEthernet0/0
 ip address 10.1.1.5 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface BRI1/0
 no ip address
 isdn switch-type basic-net3
 isdn incoming-voice voice
!
interface BRI1/1
 no ip address
 isdn switch-type basic-net3
!
router eigrp 1
 network 10.0.0.0
 network 35.0.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip kerberos source-interface any
ip classless
ip http server
!
!
!
voice-port 1/0/0
 compand-type a-law
!
voice-port 1/0/1
!
dial-peer cor custom
!
!
!
dial-peer voice 200 pots
 destination-pattern 2
 port 1/0/0
!
dial-peer voice 100 voip
 destination-pattern 1........
 session target ras
 dtmf-relay cisco-rtp
 ip precedence 5
!
gateway
 security password 1511021F0725 level all
!
!
gatekeeper
 shutdown
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password cisco
 login
line vty 5 15
 login
!
no scheduler allocate
ntp clock-period 17179886
ntp server 10.1.1.4
end

multi-3-5#
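The reason the reply insists on NTP is that the gateway's security token is bound to the gateway's clock, and the gatekeeper only honours a token whose timestamp is within 30 seconds of its own clock; a registration from a gateway whose clock has drifted is refused before the password is ever checked, which on the wire looks exactly like a bad password. The Python below is an added illustration of that mechanism and is not Cisco's H.235 access-token encoding: it uses an HMAC-SHA256 over the h323-id and a Unix timestamp, a constructed credential table standing in for the RADIUS or local username database, and the 30-second window from the Cisco document quoted above.

```python
import hashlib
import hmac
import time

SKEW_SECONDS = 30  # window from the Cisco H.323 security documentation quoted above

# Constructed credential store standing in for the RADIUS / local username
# database: h323-id -> password. The passwords are made up for this example.
CREDENTIALS = {"Gateway3_3": "cisco", "Gateway3_5": "cisco"}


def make_token(h323_id, password, gw_clock):
    """Gateway side: bind the identity to the gateway's own clock with a keyed hash.
    Illustrative HMAC-SHA256 construction, not the H.235 / Cisco access-token format."""
    ts = int(gw_clock)
    mac = hmac.new(password.encode(), f"{h323_id}|{ts}".encode(), hashlib.sha256).hexdigest()
    return {"h323_id": h323_id, "timestamp": ts, "mac": mac}


def verify_token(token, gk_clock, credentials=CREDENTIALS, skew=SKEW_SECONDS):
    """Gatekeeper side. Returns (accepted, reason)."""
    password = credentials.get(token["h323_id"])
    if password is None:
        return False, "unknown h323-id"
    drift = abs(int(gk_clock) - token["timestamp"])
    if drift > skew:
        # Refused before the password is examined: this is what an unsynchronised
        # clock looks like, and it is indistinguishable from a wrong password
        # unless the gatekeeper logs the drift. The same window also bounds how
        # long a token stays valid, which is why the check exists at all.
        return False, f"clock drift {drift}s exceeds {skew}s window"
    expected = hmac.new(password.encode(),
                        f"{token['h323_id']}|{token['timestamp']}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return False, "bad password"
    return True, "ok"


def registration_outcome(h323_id, password, gw_clock, gk_clock):
    """Simulate one registration: the gateway builds its token on its own clock,
    the gatekeeper checks it against its clock. Returns the (accepted, reason) pair."""
    return verify_token(make_token(h323_id, password, gw_clock), gk_clock)


if __name__ == "__main__":
    now = time.time()
    # Clocks within the window, right password: registers.
    print(registration_outcome("Gateway3_3", "cisco", now, now + 3))
    # Gateway clock 45 s behind the gatekeeper: refused despite the right password.
    print(registration_outcome("Gateway3_3", "cisco", now - 45, now))
    # Clocks in sync, wrong password: refused for the real reason.
    print(registration_outcome("Gateway3_5", "wrong", now, now))
```

The second call is the situation in this thread: the credentials are correct and the server is reachable, yet every registration fails until the two clocks agree. When troubleshooting, check `show ntp status` on both routers before touching the AAA or RADIUS configuration, because a drift failure and a credential failure produce the same reject.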

Hi,

It's working NOW... thanks for your help... you're right, I need to synchronize the time using NTP..... but I still can't authenticate using the RADIUS server... I think something is wrong with the RADIUS server, I'll fix it later... anyway... if I follow your configuration... I can only make a call from one site..... when I call 2xxxxxx it triggers the call to the other router... but from the other router I press... 1xxxxxx.... the call can't go through...... I did debugging on the router I called and nothing happened..... it seems like the call didn't go to the other router..... do you have any idea why???

Again... thanks for your help....

regards

Have a look at the AAA configs on the config I pasted earlier and use local authentication based on username/password. This will confirm if the problem is with your radius server or not.

If you have a second gateway then the gatekeeper will need a config to route the call back to the other gateway. In the original config I don't see anything that will handle the 1X or the 2X numbers.