New Member

GateKeeper and Gateway

Hi,

I am having a problem setting up a gatekeeper and some VoIP gateways. I want to set up security for when the gateways try to register to the gatekeeper. I am using RADIUS as the authentication server. Does anyone have a sample config...? I tried to follow the sample on the Cisco web site but it doesn't work. The gateways always try to authenticate, but the RADIUS server didn't accept it because there is invalid... These are the configs on my routers:

GateKeeper

aaa new-model
!
!
aaa authentication login h323 group radius
aaa authentication ppp h323 group radius
aaa authentication nasi h323 group radius
aaa accounting network h323 start-stop group radius
aaa accounting connection h323 start-stop group radius
aaa session-id common
radius-server host 192.168.0.32 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key test
radius-server vsa send accounting
radius-server vsa send authentication
gatekeeper
 zone local HQ cisco.com 192.168.0.232
 accounting vsa
 security h323-id
 security password default h323
 arq reject-unknown-prefix
 lrq forward-queries
 no shutdown

GATEWAY

interface FastEthernet0/0
 ip address 192.168.0.243 255.255.255.0
 duplex auto
 speed auto
 h323-gateway voip interface
 h323-gateway voip id HQ ipaddr 192.168.0.232 1718
 h323-gateway voip h323-id BR2
 h323-gateway voip tech-prefix 200#
 h323-gateway voip bind srcaddr 192.168.0.243
gateway
 security password 02243609 level all

Debugging result: radius and aaa authentication

01:17:29: AAA: parse name=<no string> idb type=-1 tty=-1
01:17:29: AAA/MEMORY: create_user (0x63942684) user='BR2' ruser='NULL' ds0=0 port='NULL' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=0 initial_task_id='0'
01:17:29: AAA/AUTHEN/START (3421315262): port='' list='h323' action=LOGIN service=LOGIN
01:17:29: AAA/AUTHEN/START (3421315262): found list h323
01:17:29: AAA/AUTHEN/START (3421315262): Method=radius (radius)
01:17:29: AAA/AUTHEN(3421315262): Status=GETPASS
01:17:29: AAA/H323: Password:
01:17:29: AAA/AUTHEN/CONT (3421315262): continue_login (user='BR2')
01:17:29: AAA/AUTHEN(3421315262): Status=GETPASS
01:17:29: AAA/AUTHEN(3421315262): Method=radius (radius)
01:17:29: RADIUS: ustruct sharecount=1
01:17:29: Radius: radius_port_info() success=0 radius_nas_port=1
01:17:29: RADIUS: Send to unknown id 42 192.168.0.32:1812, Access-Request, len 55
01:17:29: RADIUS: authenticator 88 5F 76 55 D9 B5 1B 1C - 5A 7E 55 F1 D0 5B B2 C5
01:17:29: RADIUS: NAS-IP-Address [4] 6 192.168.0.232
01:17:29: RADIUS: NAS-Port-Type [61] 6 Async [0]
01:17:29: RADIUS: User-Name [1] 5 "BR2"
01:17:29: RADIUS: User-Password [2] 18 *
R8#
R8#
R8#
01:17:34: RADIUS: Retransmit id 42
01:17:34: RADIUS: Received from id 42 192.168.0.32:1812, Access-Reject, len 20
01:17:34: RADIUS: authenticator 13 E4 71 47 D9 AD FD 66 - D5 17 5C 4E 8A 10 1A 49
01:17:34: RADIUS: saved authorization data for user 63942684 at 0
01:17:34: AAA/AUTHEN(3421315262): Status=FAIL
01:17:34: AAA/MEMORY: free_user (0x63942684) user='BR2' ruser='NULL' port='NULL' rem_addr='NULL' authen_type=ASCII service=H323 priv=0
01:17:34: RADIUS: Received from id 42 192.168.0.32:1812, Access-Reject, len 20
01:17:34: RADIUS: Cannot find corresponding request for response

Thanks and Regards
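Added example (not from the original post or from Cisco): a small Python parser that correlates the request id, retransmit and replies in `debug radius` output of the shape posted above, so an operator can tell a slow or unreachable server from a genuine Access-Reject. The regular expressions assume the line layout shown in the post, and the sample lines are excerpted from it.

```python
import re
# Line shapes copied from the "debug radius" output in the post above.
SEND_RE = re.compile(r"^(\S+): RADIUS: Send to (?:unknown )?id (\d+) (\S+), (\S+), len \d+")
RECV_RE = re.compile(r"^(\S+): RADIUS: Received from id (\d+) (\S+), (\S+), len \d+")
RETX_RE = re.compile(r"^\S+: RADIUS: Retransmit id (\d+)")
USER_RE = re.compile(r'RADIUS: User-Name\s+\[1\]\s+\d+\s+"([^"]*)"')

SAMPLE_LOG = [  # excerpt of the poster's log, as posted
    "01:17:29: RADIUS: Send to unknown id 42 192.168.0.32:1812, Access-Request, len 55",
    '01:17:29: RADIUS: User-Name [1] 5 "BR2"',
    "01:17:34: RADIUS: Retransmit id 42",
    "01:17:34: RADIUS: Received from id 42 192.168.0.32:1812, Access-Reject, len 20",
    "01:17:34: RADIUS: Received from id 42 192.168.0.32:1812, Access-Reject, len 20",
]

def _secs(ts):  # "01:17:34" -> seconds (uptime-style debug timestamps)
    h, m, s = map(int, ts.split(":"))
    return h * 3600 + m * 60 + s

def analyze_radius_debug(lines):
    # Correlate each RADIUS request id with its retransmits and replies.
    txns, last_id = {}, None
    for line in (ln.strip() for ln in lines):
        if m := SEND_RE.match(line):
            ts, rid, server, _ = m.groups()
            txns[rid] = {"user": None, "server": server, "sent": ts, "retransmits": 0, "responses": []}
            last_id = rid
        elif (m := USER_RE.search(line)) and last_id in txns:
            txns[last_id]["user"] = m.group(1)
        elif (m := RETX_RE.match(line)) and m.group(1) in txns:
            txns[m.group(1)]["retransmits"] += 1
        elif (m := RECV_RE.match(line)) and m.group(2) in txns:
            ts, rid, _, code = m.groups()
            txns[rid]["responses"].append((code, _secs(ts) - _secs(txns[rid]["sent"])))
    return txns

def findings(txns):
    # Turn the correlated transactions into triage lines for the operator.
    out = []
    for rid, t in txns.items():
        who = f"id {rid} user={t['user']!r} server={t['server']}"
        if not t["responses"]:  # silence: reachability, UDP port, or a wrong shared secret
            out.append(f"{who}: no reply after {t['retransmits']} retransmit(s)")
            continue
        code, delay = t["responses"][0]
        out.append(f"{who}: {code} after {delay}s, {t['retransmits']} retransmit(s)")
        if code == "Access-Reject":  # the router accepted the reply, so the server rejected the credentials
            out.append(f"  -> check the user entry and password for {t['user']!r} on the server")
        if len(t["responses"]) > 1:  # the server answered the retransmit too: slow, not down
            out.append(f"  -> {len(t['responses']) - 1} duplicate reply(s) logged")
    return out
```

Run `findings(analyze_radius_debug(SAMPLE_LOG))` to get the three triage lines for the posted transaction: a reject after 5 seconds and one retransmit, plus one duplicate reply.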

3 REPLIES
Silver

Re: GateKeeper and Gateway

Make sure the gateways and gatekeepers are NTP synchronised. The time difference between the two devices has to be within around 30 seconds of each other, otherwise they will not authenticate.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t1/h323v2p2.htm#xtocid255056

"The security mechanisms described above require the gateway and gatekeeper clocks to be synchronized within 30 seconds of each other by using a Network Time Protocol (NTP) server."

If you don't have access to an NTP server, set up the gatekeeper as an NTP master and set the router clock, then point the gateways to the gatekeeper so they sync their time off it:

gatekeeper router -
ntp master

gateway router -
ntp server

The radius server needs to have a username of the remote router and a corresponding password in its database. You also need the following line in the gatekeeper config:

security token required-for all

Here are configs for 2 gateways authenticating to a gatekeeper -

multi-3-3#sh run
Building configuration...

Current configuration : 1534 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname multi-3-3
!
logging buffered 250000 debugging
logging rate-limit console 10 except errors
enable password cisco
!
memory-size iomem 10
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
!
isdn switch-type basic-net3
call rsvp-sync
cns event-service server
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 33.1.1.1 255.255.255.0
 h323-gateway voip interface
 h323-gateway voip id Gatekeeper3_4 ipaddr 34.1.1.1 1718
 h323-gateway voip h323-id Gateway3_3
 h323-gateway voip bind srcaddr 33.1.1.1
!
interface FastEthernet0/0
 ip address 10.1.1.3 255.255.255.0
 speed 10
 half-duplex
!
interface BRI1/0
 no ip address
 isdn switch-type basic-net3
 isdn incoming-voice voice
!
interface BRI1/1
 no ip address
 isdn switch-type basic-net3
!
router eigrp 1
 network 10.0.0.0
 network 33.0.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip kerberos source-interface any
ip classless
no ip http server
!
!
!
voice-port 1/0/0
 compand-type a-law
!
voice-port 1/0/1
!
dial-peer cor custom
!
!
!
dial-peer voice 100 pots
 destination-pattern 1
 port 1/0/0
!
dial-peer voice 200 voip
 destination-pattern 2........
 session target ras
 dtmf-relay cisco-rtp
 ip precedence 5
!
gateway
 security password 0822455D0A16 level all
!
!
gatekeeper
 shutdown
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password cisco
 login
!
no scheduler allocate
ntp server 10.1.1.4
end

multi-3-3#

multi-3-4#sh run
Building configuration...

Current configuration : 1499 bytes
!
! Last configuration change at 18:52:04 UTC Mon Dec 10 2001
! NVRAM config last updated at 18:52:41 UTC Mon Dec 10 2001
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname multi-3-4
!
logging rate-limit console 10 except errors
aaa new-model
aaa authentication login h323 local
aaa accounting connection h323 start-stop group radius
enable password cisco
!
username Gateway3_3 password 0 cisco
username Gateway3_5 password 0 cisco
memory-size iomem 30
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
!
call rsvp-sync
cns event-service server
voice rtp send-recv
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 34.1.1.1 255.255.255.0
 h323-gateway voip bind srcaddr 34.1.1.1
!
interface Ethernet0/0
 ip address 10.1.1.4 255.255.255.0
 half-duplex
!
router eigrp 1
 network 10.0.0.0
 network 34.0.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip kerberos source-interface any
ip classless
ip http server
!
!
!
voice-port 1/0/0
!
voice-port 1/0/1
!
voice-port 1/1/0
!
voice-port 1/1/1
!
dial-peer cor custom
!
!
!
gateway
!
!
gatekeeper
 zone local Gatekeeper3_4 cisco.com 34.1.1.1
 zone prefix Gatekeeper3_4 1*
 zone prefix Gatekeeper3_4 2*
 security token required-for all
 gw-type-prefix 1* gw ipaddr 33.1.1.1 1720
 gw-type-prefix 2* gw ipaddr 35.1.1.1 1720
 no shutdown
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password cisco
line vty 5 15
!
ntp master
end

multi-3-4#

multi-3-5#sh run
Building configuration...

Current configuration : 1655 bytes
!
! Last configuration change at 18:50:14 UTC Mon Dec 10 2001
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname multi-3-5
!
logging rate-limit console 10 except errors
enable password cisco
!
memory-size iomem 15
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
!
isdn switch-type basic-net3
call rsvp-sync
cns event-service server
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 35.1.1.1 255.255.255.0
 h323-gateway voip interface
 h323-gateway voip id Gatekeeper3_4 ipaddr 34.1.1.1 1718
 h323-gateway voip h323-id Gateway3_5
 h323-gateway voip bind srcaddr 35.1.1.1
!
interface FastEthernet0/0
 ip address 10.1.1.5 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface BRI1/0
 no ip address
 isdn switch-type basic-net3
 isdn incoming-voice voice
!
interface BRI1/1
 no ip address
 isdn switch-type basic-net3
!
router eigrp 1
 network 10.0.0.0
 network 35.0.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip kerberos source-interface any
ip classless
ip http server
!
!
!
voice-port 1/0/0
 compand-type a-law
!
voice-port 1/0/1
!
dial-peer cor custom
!
!
!
dial-peer voice 200 pots
 destination-pattern 2
 port 1/0/0
!
dial-peer voice 100 voip
 destination-pattern 1........
 session target ras
 dtmf-relay cisco-rtp
 ip precedence 5
!
gateway
 security password 1511021F0725 level all
!
!
gatekeeper
 shutdown
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password cisco
 login
line vty 5 15
 login
!
no scheduler allocate
ntp clock-period 17179886
ntp server 10.1.1.4
end

multi-3-5#

New Member

Re: GateKeeper and Gateway

Hi,

It's working NOW... thanks for your help... you're right, I need to synchronize the time using NTP... but I still can't authenticate using the RADIUS server... I think something is wrong with the RADIUS server, which I'll fix later... anyway... if I follow your configuration... I can only make a call from one site... when I call 2xxxxxx it triggers the call to the other router... but from the other router, when I press 1xxxxxx... the call can't go through... I did debugging on the router I called and nothing happened... it seems like the call didn't go to the other router... do you have any idea why???

again... thanks for your help...

regards

Silver

Re: GateKeeper and Gateway

Have a look at the AAA configs on the config I pasted earlier and use local authentication based on username/password. This will confirm if the problem is with your radius server or not.

If you have a second gateway then the gatekeeper will need a config to route the call back to the other gateway. In the original config I don't see anything that will handle the 1X or the 2X numbers.
