gnugk.ini configuration file

GNUGK, the ultimate H.323 Gatekeeper program, open source

Moderator: jubjang

Re: gnugk.ini configuration file

Posted by voip4share » 20 Dec 2009 12:53

10.6 Section [SQLAliasAuth]

Authenticate endpoints using rules stored in the SQL database (the rules conform to the format defined in the [RasSrv::RRQAuth] section). This section defines which SQL driver to use, SQL database connection parameters and the query to use to retrieve the patterns.


Driver=MySQL | PostgreSQL | Firebird | ODBC | SQLite
Default: N/A

SQL database driver to use. Currently, MySQL, PostgreSQL, Firebird, ODBC and SQLite drivers are implemented.


Host=DNS[:PORT] | IP[:PORT]
Default: localhost

SQL server host address. Can be in the form of DNS[:PORT] or IP[:PORT]. Like sql.mycompany.com or sql.mycompany.com:3306 or 192.168.3.100.


Database=billing
Default: N/A

The database name to connect to.


Username=gnugk

The username used to connect to the database.


Password=secret

The password used to connect to the database. If the password is not specified, a database connection attempt without any password will be made. If EncryptAllPasswords is enabled, or a KeyFilled variable is defined in this section, the password is in encrypted form and should be created using the addpasswd utility.


CacheTimeout=120
Default: 0

This field defines how long (alias;authrule) pairs retrieved from the database will be cached in the local memory. The cache timeout value is expressed in seconds. 0 means not to cache rules, while a negative value means the cache never expires (only reload command will refresh the cache).


MinPoolSize=5
Default: 1

Define the number of active SQL connections. This allows for better performance under heavy load, because more than 1 concurrent query can be executed at the same time. Setting MinPoolSize=1 will simulate the old behavior, when access to the SQL database was serialized (one query at a time).


Query=SELECT ...
Default: N/A

Defines SQL query used to retrieve alias rule from the database. The query is parameterized - that means parameter replacement is made before each query is executed. Parameter placeholders are denoted by %1, %2, ... strings. Specify %% to embed a percent character before a digit into string (like %%1), specify %{1} to allow expansion inside complex expressions like %{1}123. For SQLAliasAuth two parameters are defined:

%1 - the actual alias to query the rule for
%2 - the gatekeeper identifier

Sample query strings:

SELECT authrule FROM users WHERE alias = '%1' AND active
SELECT 'sigip:' || host(ip) || port FROM users WHERE alias = '%1'
voip4share
Administrator
 
Posts: 656
Joined: 18 Nov 2009 11:26
Location: Ramkhamhaeng, Bangkok

Re: gnugk.ini configuration file

Posted by voip4share » 20 Dec 2009 12:59

10.7 Section [SQLAuth]

Authenticate and authorize endpoints/calls using a SQL database. Support for RRQ, ARQ, LRQ and Setup events is provided.


Driver=MySQL | PostgreSQL | Firebird | ODBC | SQLite
Default: N/A

SQL database driver to use. Currently, MySQL, PostgreSQL, Firebird, ODBC and SQLite drivers are implemented.


Host=DNS[:PORT] | IP[:PORT]
Default: localhost

SQL server host address. Can be in the form of DNS[:PORT] or IP[:PORT]. Like sql.mycompany.com or sql.mycompany.com:3306 or 192.168.3.100.


Database=billing
Default: N/A

The database name to connect to.


Username=gnugk

The username used to connect to the database.


Password=secret

The password used to connect to the database. If the password is not specified, a database connection attempt without any password will be made. If EncryptAllPasswords is enabled, or a KeyFilled variable is defined in this section, the password is in encrypted form and should be created using the addpasswd utility.


MinPoolSize=5
Default: 1

Define the number of active SQL connections. This allows for better performance under heavy load, because more than 1 concurrent query can be executed at the same time. Setting MinPoolSize=1 will simulate the old behavior, when access to the SQL database was serialized (one query at a time).


RegQuery=SELECT ...
Default: N/A

Define a SQL query to be used to perform authentication and authorization of endpoint registrations. The query is parameterized - that means parameter replacement is made before each query is executed. The following parameters are defined:

%g - the gatekeeper identifier
%{gkip} - a gatekeeper IP the request has been received on
%u - username associated with an endpoint (usually a H.323 ID)
%{callerip} - caller's IP (the request has been received from - NAT IP for natted endpoints)
%{aliases} - a comma separated list of endpoint aliases

If the query returns no rows, the result is undefined, which basically means failure for required rules and "try next" for optional rules. Otherwise, the first result row is examined to determine the result of the authentication request and to get additional information:

1. The first column is converted into a boolean value (1, T, TRUE, allow, y, yes means true) and is an authentication result (accept/reject).
2. If the registration is authenticated successfully, remaining columns are examined:
   1. If there exists a column called 'aliases', replace original endpoint aliases with these new ones
   2. If there exists a column called 'billingmode', set a billing mode associated with the endpoint (0 - credit, 0 - debit)
   3. If there exists a column called 'creditamount', set account balance associated with the endpoint (this is an arbitrary string)

Query string examples:

SELECT 1, 0 AS billingmode, '12.00 USD' AS creditamount
SELECT NOT disabled, assignaliases AS aliases, balance FROM users WHERE h323id = '%u'
SELECT * FROM get_registration_auth('%g', '%u', '%{callerip}', '%{aliases}') AS result(accept, aliases, billingmode, creditamount)


NbQuery=SELECT ...
Default: N/A

Define a SQL query to be used to perform authentication and authorization of location requests sent from neighbors. The query is parameterized - that means parameter replacement is made before each query is executed. The following parameters are defined:

%g - the gatekeeper identifier
%{gkip} - a gatekeeper IP the request has been received on
%{nbid} - neighbor identifier from the config
%{nbip} - neighbor IP (the request has been received from)
%{Calling-Station-Id} - caller's number, if available
%{src-info} - content of sourceInfo LRQ field, if available
%{Called-Station-Id} - destination number
%{dest-info} - content of destinationInfo LRQ field
%{bandwidth} - requested bandwidth, if present in the LRQ

If the query returns no rows, the result is undefined, which basically means failure for required rules and "try next" for optional rules. Otherwise, the first result row is examined to determine the result of the authentication and to get additional information:

1. The first column is converted into a boolean value (1, T, TRUE, allow, y, yes means true) and is an authentication result (accept/reject).
2. If the request is authenticated successfully, remaining columns are examined:
   1. If there exists a column called 'destination', populate the original destinationInfo field with these new aliases - this may affect routing decision, which is made after auth step.

Query string examples:

SELECT active FROM neighbors WHERE name = '%{nbid}' AND ip = '%{nbip}' UNION SELECT 0


CallQuery=SELECT ...
Default: N/A

Define a SQL query to be used to perform authentication and authorization of calls (ARQ and Setup). The query is parameterized - that means parameter replacement is made before each query is executed. The following parameters are defined:

%g - the gatekeeper identifier
%{gkip} - a gatekeeper IP the request has been received on
%u - a username associated with the caller
%{callerip} - caller's IP (the request has been received from - NAT IP for natted endpoints)
%{Calling-Station-Id} - caller's number, if available
%{Called-Station-Id} - destination number
%{Dialed-Number} - original destination number (before rewrite)
%{CallId} - H.323 call identifier (16 hex 8-bit digits)
%{bandwidth} - requested bandwidth, if present in the ARQ
%{answer} - 1, if the request is an answering ARQ
%{arq} - 1 for ARQ triggered query, 0 for Setup triggered query

If the query returns no rows, the result is undefined, which basically means failure for required rules and "try next" for optional rules. Otherwise, the first result row is examined to determine the authentication result and to get additional information:

1. The first column is converted into a boolean value (1, T, TRUE, allow, y, yes means true) and is an authentication result (accept/reject the call).
2. If the request is authenticated successfully, remaining columns are examined:
   1. If there exists a column called 'billingmode', set a billing mode associated with the endpoint (0 - credit, 0 - debit)
   2. If there exists a column called 'creditamount', set account balance associated with the endpoint (this is an arbitrary string)
   3. If there exists a column called 'credittime', use its integer value to set call duration limit
   4. If there exists a column called 'redirectnumber', replace the original destination number with this one. You can put multiple numbers (that correspond to multiple 'redirectip' entries) separated by a semicolon. You can also specify an outbound number (to be sent to a terminating gateway) by appending it with an '=' to the rewritten number (like 485811001001=1234485811001001)
   5. If there exists a column called 'redirectip', force the call to be sent to the specified IP (one can put multiple destinations separated by a semicolon)
   6. If there exists a column called 'proxy', force the gatekeeper to enable/disable (depends on the 'proxy' column value) RTP proxy for this call
   7. If there exists a column called 'clientauthid', the gatekeeper will store this ID in its call record and send it back on all accounting events. This must be an unsigned integer with a maximum of 64 bits (eg. 'bigint unsigned' in MySQL).
3. If the request is denied, the remaining columns are examined:
   1. If there exists a column called 'q931cause', set a Q.931 cause in a Release Complete to this value
   2. If there exists a column called 'clientauthid', the gatekeeper will store this ID in its call record and send it back on all accounting events. This must be an unsigned integer with a maximum of 64 bits (eg. 'bigint unsigned' in MySQL).

Query string examples:

SELECT 1, 360 AS credittime, 0 AS proxy
SELECT * FROM auth_call('%g', '%u', '%{Calling-Station-Id}', '%{callerip}', '%{Called-Station-Id}') AS result(accept, credittime)
SELECT 1, '1234' AS redirectnumber, '192.168.1.1' AS redirectip
voip4share
Administrator
 
Posts: 656
Joined: 18 Nov 2009 11:26
Location: Ramkhamhaeng, Bangkok
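
An added example, not part of the original post or of GnuGk: a small harness for checking a CallQuery against test data before putting it into gnugk.ini, reading the first row by the rules listed for [SQLAuth] above. The users table, the query text and the function names are constructed for illustration; the harness binds placeholder values as SQL parameters instead of doing GnuGk's textual replacement, so it exercises the query logic and result columns only, and it assumes the true-words are matched case-insensitively.

```python
import re
import sqlite3

# True-words listed in the post; matching them case-insensitively is an assumption.
TRUE_WORDS = {"1", "t", "true", "allow", "y", "yes"}
# Columns the post says are examined after an accepted / a denied call.
ACCEPT_COLUMNS = {"billingmode", "creditamount", "credittime", "redirectnumber",
                  "redirectip", "proxy", "clientauthid"}
REJECT_COLUMNS = {"q931cause", "clientauthid"}

# Matches %u, %g, %{name}; a placeholder written as a whole quoted literal
# ('%u') is consumed together with its quotes.
PLACEHOLDER = re.compile(r"(')?%(?:\{([^}]+)\}|([A-Za-z]))(?(1)')")

# Constructed query in the style of the post's examples (not from the manual).
CALL_QUERY = ("SELECT NOT disabled, credittime, q931cause, "
              "'%{Called-Station-Id}' AS redirectnumber "
              "FROM users WHERE h323id = '%u'")


def to_bound_query(template, params):
    """Rewrite a query template into (sql_with_qmarks, values_in_order)."""
    values = []

    def repl(match):
        name = match.group(2) or match.group(3)
        if name not in params:
            raise ValueError(f"no test value supplied for placeholder %{name}")
        values.append(params[name])
        return "?"

    return PLACEHOLDER.sub(repl, template), values


def evaluate(conn, template, params):
    """Run the query and interpret the first row as the post describes."""
    sql, values = to_bound_query(template, params)
    cur = conn.execute(sql, values)
    row = cur.fetchone()
    if row is None:
        # No rows: failure for a required rule, "try next" for an optional one.
        return {"result": "undefined"}
    accepted = str(row[0]).strip().lower() in TRUE_WORDS
    outcome = {"result": "accept" if accepted else "reject"}
    wanted = ACCEPT_COLUMNS if accepted else REJECT_COLUMNS
    names = [col[0].lower() for col in cur.description]
    for name, value in zip(names[1:], row[1:]):
        if name in wanted and value is not None:
            outcome[name] = value
    return outcome


def build_sample_db():
    """Constructed test data: two enabled accounts and one disabled account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (h323id TEXT PRIMARY KEY, disabled INTEGER, "
                 "credittime INTEGER, q931cause INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                     [("alice", 0, 360, 21), ("bob", 1, 360, 21), ("o'brien", 0, 60, 21)])
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for user in ("alice", "bob", "carol", "o'brien"):
        print(user, evaluate(db, CALL_QUERY, {"u": user, "Called-Station-Id": "1234"}))
```

The "undefined" outcome for an unknown user is the case to watch: whether that call is refused depends on whether the SQLAuth rule is configured as required or optional.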

Re: gnugk.ini configuration file

Posted by voip4share » 20 Dec 2009 13:01

10.8 Section [PrefixAuth]

The section defines the authentication rule for the PrefixAuth module. Currently, only ARQs and LRQs can be authorized by this module.

First, the most specific prefix is selected according to the destinationInfo field of the received request. Then the request is accepted or rejected according to the matched rules with the most specific netmask. If no matched prefix is found, and the default option is specified, the request is accepted or rejected according to that. Otherwise it is rejected or passed to the next authentication module according to the module requirement.


Format:

prefix=authrule[|authrule|...]


Syntax:

<authrule> := <result> <authrule>

<result> := deny | allow
<authrule> := [!]ipv4:<iprule> | [!]alias:<aliasrule>

Where <iprule> can be specified in decimal dot notation or CIDR notation, and <aliasrule> is expressed as a regular expression. If the '!' flag precedes the rule, the sense is inverted.

Example:

555=deny ipv4:10.0.0.0/27|allow ipv4:0/0
5555=allow ipv4:192.168.1.1|deny ipv4:192.168.1.0/255.255.255.0
86=deny !ipv4:172.16.0.0/24
09=deny alias:^188884.*
ALL=allow ipv4:ALL

In this configuration, all endpoints except those from network 10.0.0.0/27 are allowed to call prefix 555 (except 5555). Endpoints from 192.168.1.0/24 are not allowed to call prefix 5555, except 192.168.1.1. Endpoints not from 172.16.0.0/24 are denied to call prefix 86. Endpoints having an alias beginning with 188884 are not allowed to call prefix 09. All other situations are allowed.
voip4share
Administrator
 
Posts: 656
Joined: 18 Nov 2009 11:26
Location: Ramkhamhaeng, Bangkok
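
An added example, not part of the original post and not GnuGk's own code: a small evaluator for [PrefixAuth] lines, useful for checking what a rule set allows before deploying it. It reproduces the outcomes the post describes for its example; the function names are hypothetical. Assumptions: when no rule under the longest matching prefix applies, evaluation continues with shorter prefixes and then ALL; IP rules are tried from longest to shortest netmask, with alias rules after them.

```python
import ipaddress
import re

# The [PrefixAuth] example lines from the post above, copied verbatim.
EXAMPLE_RULES = """\
555=deny ipv4:10.0.0.0/27|allow ipv4:0/0
5555=allow ipv4:192.168.1.1|deny ipv4:192.168.1.0/255.255.255.0
86=deny !ipv4:172.16.0.0/24
09=deny alias:^188884.*
ALL=allow ipv4:ALL
"""


def parse_net(text):
    """Parse an <iprule>: single address, CIDR, dotted netmask, 0/0 or ALL."""
    if text.upper() == "ALL":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, mask = text.partition("/")
    if "." not in addr:  # shorthand such as the 0 in 0/0
        addr = str(ipaddress.IPv4Address(int(addr)))
    return ipaddress.ip_network(f"{addr}/{mask or 32}", strict=False)


def parse_rules(text):
    """Return {prefix: [rule, ...]} with each prefix's rules most specific first."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[":
            continue
        prefix, _, rhs = line.partition("=")
        rules = []
        # Limitation of this sketch: an alias regex that itself contains '|'.
        for item in rhs.split("|"):
            result, spec = item.split(None, 1)
            if result not in ("allow", "deny"):
                raise ValueError(f"bad result in rule: {item!r}")
            rule = {"allow": result == "allow", "negate": spec.startswith("!")}
            kind, _, value = spec.lstrip("!").partition(":")
            if kind == "ipv4":
                rule["net"] = parse_net(value)
                rule["rank"] = rule["net"].prefixlen
            elif kind == "alias":
                rule["regex"] = re.compile(value)
                rule["rank"] = -1  # assumption: alias rules are tried after IP rules
            else:
                raise ValueError(f"unknown rule type in: {item!r}")
            rules.append(rule)
        rules.sort(key=lambda r: r["rank"], reverse=True)  # most specific netmask first
        table[prefix.strip()] = rules
    return table


def rule_matches(rule, caller_ip, aliases):
    """Apply one rule to a caller; a leading '!' inverts the sense."""
    if "net" in rule:
        hit = ipaddress.ip_address(caller_ip) in rule["net"]
    else:
        hit = any(rule["regex"].search(alias) for alias in aliases)
    return hit != rule["negate"]


def check(table, dialed, caller_ip, aliases=()):
    """Return 'allow', 'deny', or None when nothing (not even ALL) applies."""
    prefixes = sorted((p for p in table if p != "ALL" and dialed.startswith(p)),
                      key=len, reverse=True)
    if "ALL" in table:
        prefixes.append("ALL")
    for prefix in prefixes:
        for rule in table[prefix]:
            if rule_matches(rule, caller_ip, aliases):
                return "allow" if rule["allow"] else "deny"
    return None  # left to the module requirement / next authentication module


if __name__ == "__main__":
    rules = parse_rules(EXAMPLE_RULES)
    for dialed, ip, aliases in [("5551234", "10.0.0.5", ()),
                                ("55559", "192.168.1.7", ()),
                                ("8612345", "172.16.0.9", ()),
                                ("0912", "1.2.3.4", ("1888841",))]:
        print(dialed, ip, aliases, "->", check(rules, dialed, ip, aliases))
```

Without the ALL line the evaluator returns None for unmatched calls, which is the case the post says is rejected or passed on depending on the module requirement.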

Re: gnugk.ini configuration file

Posted by voip4share » 20 Dec 2009 13:04

10.9 Section [RadAuth]

This section defines configuration settings that enable RADIUS authentication based on H.235 CATs (Cisco Access Tokens) present in RRQ, ARQ RAS requests and Q.931 Setup messages.

Servers=SERVER1[:AUTH_PORT[:ACCT_PORT[:SECRET]]];SERVER2[:AUTH_PORT[:ACCT_PORT[:SECRET]]];...
Default: N/A

RADIUS servers to be used for authentication. The list can contain an arbitrary number of servers. The order of servers is important, because servers will be queried by the RADIUS module in the given order. If no port information is provided, port number from DefaultAuthPort will be used. If no secret is set, the default shared secret from SharedSecret is taken. Server names can be IP addresses or DNS names.


Sample Servers lines:
Servers=192.168.1.1
Servers=192.168.1.1:1645
Servers=192.168.1.1:1645:1646:secret1
Servers=radius1.mycompany.com:1812
Servers=radius1.mycompany.com;radius2.mycompany.com
Servers=radius1.mycompany.com:1812:1813:secret1;radius2.mycompany.com:1812:1813:secret2



LocalInterface=IP_OR_FQDN
Default: N/A

The specific local network interface that GnuGk should use in order to communicate with RADIUS servers. This parameter can be useful on NAT machines to restrict which network interfaces are used for RADIUS communication. By default this value is empty and allows RADIUS requests to be sent on any (best suitable) network interface. If you are not sure what you are doing, it is better to leave this option unset.


RadiusPortRange=10000-11000
Default: N/A

By default, GnuGk allocates ports dynamically as specified by the operating system. If you want to restrict which ports it should use then configure this parameter.


DefaultAuthPort=PORT_NO
Default: 1812

Default port number to be used for RADIUS authentication requests (Access-Request packets). Can be overridden by Servers attribute.


SharedSecret=SECRET
Default: N/A (empty string)

Secret used to authenticate this GnuGk (NAS client) to RADIUS server. It should be a cryptographically strong password. This is the default value used if no server-specific secret is set in the Servers configuration option. If EncryptAllPasswords is enabled, or a KeyFilled variable is defined in this section, the password is in encrypted form and should be created using the addpasswd utility.


RequestTimeout=TIMEOUT_MS
Default: 2000 (milliseconds)

Timeout (milliseconds) for RADIUS server response to a request sent by GnuGk. If no response is received within this time period, the next RADIUS server is queried.


IdCacheTimeout=TIMEOUT_MS
Default: 9000 (milliseconds)

Timeout (milliseconds) for RADIUS request 8-bit identifiers to be unique. If the entire 8-bit identifier range is exhausted within this period, a new client socket (UDP socket) will be allocated by the RADIUS module. Let's take the example: we have approximately 60 RRQs/sec - after ca. 4 seconds 8-bit identifiers range gets exhausted - new socket allocated - after next 4 seconds the second 8-bit identifiers range gets exhausted - third socket allocated - after 9th second identifiers from the pool 1 are available again.

In general, if you have too long a timeout then too many resources will be consumed. If you have too short a timeout, then the RADIUS server may take incoming packets as duplicates and therefore drop them.


SocketDeleteTimeout=TIMEOUT_MS
Default: 60000 (milliseconds) - 60 s

Timeout for unused RADIUS sockets to be closed. It is used in conjunction with IdCacheTimeout - additional sockets created during heavy gatekeeper load periods for serving incoming requests are closed during idle periods.


RequestRetransmissions=NUMBER
Default: 2

How many times a single RADIUS request is transmitted to every configured RADIUS server (if no response is received). 1 means one transmission attempt and no re-transmission, 2 - single re-transmission, ... . Exact retransmission method is defined by RoundRobinServers attribute.


RoundRobinServers=BOOLEAN
Default: 1

RADIUS requests retransmission method.

If set to 1, RADIUS request is transmitted in the following way (until response is received):

Server #1 Attempt #1, Server #2 Attempt #1, ..., Server #N Attempt #1
...
Server #1 Attempt #RequestRetransmissions, ..., Server #1 Attempt #RequestRetransmissions

If set to 0, the following sequence is preserved:

Server #1 Attempt #1, ..., Server #1 Attempt #RequestRetransmissions
...
Server #N Attempt #1, ..., Server #N Attempt #RequestRetransmissions


AppendCiscoAttributes=BOOLEAN
Default: 0

If set, Cisco Vendor Specific RADIUS attributes are included in RADIUS requests (h323-conf-id,h323-call-origin,h323-call-type).


IncludeTerminalAliases=BOOLEAN
Default: 1

If set, Cisco VSA 'h323-ivr-out' attribute is sent with a list of aliases the endpoint is registering (RRQ.m_terminalAlias). This attribute is provided in order to provide fine control over the list of aliases the endpoint is allowed to register with. Format of this attribute is:

Cisco-AV-Pair = "h323-ivr-out=terminal-alias:" alias [,alias] [;]
Example:
Cisco-AV-Pair = "h323-ivr-out=terminal-alias:helpdesk,support,77771;"


UseDialedNumber=BOOLEAN
Default: 0

Select Called-Station-Id number type between the original one (as dialed by the user) - UseDialedNumber=1 - and the rewritten one - UseDialedNumber=0.


[RadAuth] Access-Accept Radius Attributes

For RRQs, the following RADIUS attributes are recognized inside Access-Accept packets:


VSA: VendorId=Cisco, h323-return-code

If present and not 0, the request is rejected. This check is provided to allow interoperability with some poor billing systems, which send Access-Accept with non-zero h323-return-code to reject the call instead of Access-Reject. The attribute can be in the form h323-return-code="1" or h323-return-code="h323-return-code=1". Note that the return code is a string, not an integer.


VSA: VendorId=Cisco, h323-billing-model

Billing mode for this account. Can be 0 (credit), 1 or 2 (debit). If an endpoint can understand H.225.0 CallCreditServiceControl messages, this information is used to build the message.


VSA: VendorId=Cisco, h323-credit-amount

A string representing current user's account balance. If an endpoint can understand H.225.0 CallCreditServiceControl messages, this information is used to build the message.


VSA: VendorId=Cisco, Cisco-AVPair, h323-ivr-in

If present, it is scanned for 'terminal-alias' variable that can contain a list of aliases that should be assigned to the endpoint being registered. All RRQ aliases that do not match this list are removed. The 'disable-codec' variable is also supported to disallow certain codecs for this call. The 'proxy' variable can contain 'yes' or 'no' for enabling/disabling proxy mode for this call. The format of these attributes is as follows:

Cisco-AVPair = "h323-ivr-in=variable:value;[variable:value;]"


where the "variable" can be "terminal-alias":

Cisco-AVPair = "h323-ivr-in=terminal-alias:alias1[,alias2,...];"


Example 1:

RRQ {
m_terminalAlias = { "myalias", "1234" }
}

if RADIUS server returns the following h323-ivr-in:

Access-Accept {
Cisco-AVPair = "h323-ivr-in=terminal-alias:anotheralias,6789;"
}

the endpoint will get registered with aliases "anotheralias" and "6789".
Also RCF will contain:

RCF {
m_terminalAlias = { "anotheralias", "6789" }
}


Example 2 (add E164 to an existing alias):

RRQ {
m_terminalAlias = { "it_s_me" }
}

if RADIUS server returns the following h323-ivr-in:

Access-Accept {
Cisco-AVPair = "h323-ivr-in=terminal-alias:it_s_me,48586259732;"
}

RCF will contain:

RCF {
m_terminalAlias = { "it_s_me", "48586259732" }
}


Example 3 (disable G.711 and G.729 codecs):

Access-Accept {
Cisco-AVPair = "h323-ivr-in=codec-disable:g711Ulaw64k;g729;g711Alaw64k;g729AnnexA;"
}


Example 4 (enable proxy mode):

Access-Accept {
Cisco-AVPair = "h323-ivr-in=proxy:yes"
}


For ARQs, the following RADIUS attributes are recognized within Access-Accept packets:


VSA: VendorId=Cisco, h323-return-code

If present and not 0, the request is rejected. This check is provided to allow interoperability with some poor billing systems, that send Access-Accept with non-zero h323-return-code to reject the call instead of Access-Reject. The attribute can be in form h323-return-code="1" or h323-return-code="h323-return-code=1". Note that the return code is a string, not an integer.


VSA: VendorId=Cisco, h323-billing-model

Billing mode for this account. Can be 0 (credit), 1 or 2 (debit). If an endpoint can understand H.225.0 CallCreditServiceControl messages, this information is used to build the message.


VSA: VendorId=Cisco, h323-credit-amount

A string representing current user account balance. If an endpoint can understand H.225.0 CallCreditServiceControl messages, this information is used to build the message.


VSA: VendorId=Cisco, h323-credit-time

If present, it enforces maximum call duration (in seconds). The attribute can be in form of h323-credit-time="120" or h323-credit-time="h323-credit-time=120". Note that the return code is a string, not an integer.


Session-Timeout

If present, it enforces maximum call duration (in seconds). This is a standard RADIUS attribute of integer type.


VSA: VendorId=Cisco, h323-redirect-number

If present, a call destination is overwritten with the number present in this attribute.


VSA: VendorId=Cisco, h323-redirect-ip-address

If present, a call is sent to the IP address present in this attribute. You can put multiple destinations separated with a semicolon.

VSA: VendorId=Cisco, h323-redirect-number

If present, a called station id is rewritten to this number. You can put multiple numbers (that correspond to multiple destinations in h323-redirect-ip-address) separated by a semicolon. For each number you can also specify an outbound number (that is sent to a terminating gateway) by appending it with a '='.

If both Session-Timeout and h323-credit-time are present, the smaller value is used.
voip4share
Administrator
 
Posts: 656
Joined: 18 Nov 2009 11:26
Location: Ramkhamhaeng, Bangkok

Re: gnugk.ini configuration file

Posted by voip4share » 20 Dec 2009 13:07

10.10 Section [RadAliasAuth]

This section defines configuration settings that enable RADIUS authentication based on endpoint aliases and/or IP addresses present in a RRQ RAS, ARQ RAS or Q.931 Setup request. This authentication scheme is useful both for endpoints registered at the gatekeeper (ARQ, RRQ) and calls from unregistered endpoints (Setup).


Servers=SERVER1[:AUTH_PORT[:ACCT_PORT[:SECRET]]];SERVER2[:AUTH_PORT[:ACCT_PORT[:SECRET]]];...
Default: N/A

RADIUS servers to be used for RAS requests authentication. This list can contain an arbitrary number of servers. The order of servers is important, because servers will be queried by the RADIUS module in the given order. If no port information is specified, the port number from DefaultAuthPort will be used. If no secret is set, the default shared secret from SharedSecret is used. Servers can be IP addresses or DNS names.


Example:
Servers=192.168.3.1:1645;192.168.3.2:1812:1813:mysecret;radius.mycompany.com


LocalInterface=IP_OR_FQDN
Default: N/A

Specific local network interface that GnuGk should use in order to communicate with RADIUS servers. This parameter can be useful on NAT machines to restrict number of network interfaces used for RADIUS communication. By default this value is empty and allows RADIUS requests to be sent on any (best suitable) network interface. If you are not sure what you are doing, it is better to leave this option unset.


RadiusPortRange=10000-11000
Default: N/A

By default (if this option is not set) RADIUS client allocates ports dynamically as specified by the operating system. If you want to restrict RADIUS client to use ports from a particular range only - set this parameter.


DefaultAuthPort=PORT_NO
Default: 1812

Default port number to be used for RADIUS authentication requests (Access-Request packets), if not overridden by Servers attribute.


SharedSecret=SECRET
Default: N/A (empty string)

Secret used to authenticate this GnuGk (NAS client) to RADIUS server. It should be a cryptographically strong password. This is the default value used, if no server-specific secret is set in the Servers. If EncryptAllPasswords is enabled, or a KeyFilled variable is defined in this section, the password is in encrypted form and should be created using the addpasswd utility.


RequestTimeout=TIMEOUT_MS
Default: 2000 (milliseconds)

Timeout (milliseconds) for RADIUS server response to a request sent by GnuGk. If no response is received within this time period, next RADIUS server is queried.


IdCacheTimeout=TIMEOUT_MS
Default: 9000 (milliseconds)

Timeout (milliseconds) for RADIUS request 8-bit identifiers to be unique. If all 8-bit identifier range is exhausted within this period, new client socket (UDP socket) is allocated by the RADIUS module. Let's take the example: we have approximately 60 RRQs/sec - after ca. 4 seconds 8-bit identifiers range gets exhausted - new socket allocated - after next 4 seconds the second 8-bit identifiers range gets exhausted - third socket allocated - after 9th second identifiers from the pool 1 are available again - ... . In general, too long timeout - too much resources consumed, too short timeout - RADIUS server may take incoming packets as duplicated and therefore drop them.


SocketDeleteTimeout=TIMEOUT_MS
Default: 60000 (milliseconds) - 60 s

Timeout for unused RADIUS sockets to be closed. It is used in conjunction with IdCacheTimeout - additional sockets created during heavy gatekeeper load periods for serving incoming requests are closed during idle periods.


RequestRetransmissions=NUMBER
Default: 2

How many times a single RADIUS request is transmitted to every configured RADIUS server (if no response is received). 1 means no retransmission, 2 - single retransmission, ... . Exact retransmission method is defined by RoundRobinServers attribute.


RoundRobinServers=BOOLEAN
Default: 1

RADIUS requests retransmission method.

If set to 1, RADIUS request is transmitted in the following way (until response is received):

Server #1 Attempt #1, Server #2 Attempt #1, ..., Server #N Attempt #1
...
Server #1 Attempt #RequestRetransmissions, ..., Server #N Attempt #RequestRetransmissions

If set to 0, the following sequence is preserved:

Server #1 Attempt #1, ..., Server #1 Attempt #RequestRetransmissions
...
Server #N Attempt #1, ..., Server #N Attempt #RequestRetransmissions


AppendCiscoAttributes=BOOLEAN
Default: 1

If set, Cisco Vendor Specific RADIUS attributes are included in RADIUS requests (h323-conf-id,h323-call-origin,h323-call-type).


IncludeTerminalAliases=BOOLEAN
Default: 1

If set, Cisco VSA 'h323-ivr-out' attribute is sent with a list of aliases the endpoint is registering (RRQ.m_terminalAlias). This attribute is provided in order to provide fine control over the list of aliases the endpoint is allowed to register with. Format of this attribute is:

Cisco-AV-Pair = "h323-ivr-out=terminal-alias:" alias [,alias] [;]
Example:
Cisco-AV-Pair = "h323-ivr-out=terminal-alias:helpdesk,support,77771;"


FixedUsername
Default: N/A

If this parameter is set, it overwrites a value of User-Name RADIUS attribute for outgoing RADIUS request. That means every Access-Request will be authenticated as for user FixedUsername.


FixedPassword
Default: N/A

If not set, User-Password is a copy of User-Name. For example, if User-Name is 'john' then User-Password will also be set to 'john'. Setting this parameter overrides this behavior and User-Password attribute will be always set to the value of FixedPassword. If EncryptAllPasswords is enabled, or a KeyFilled variable is defined in this section, the password is in encrypted form and should be created using the addpasswd utility.


Example 1:

(Neither FixedUsername nor FixedPassword set)

All endpoints will be authenticated using their alias as the username and the password. That means, for example, endpoint 'EP1' will be authenticated with the username 'EP1' and the password 'EP1'.

Example 2:

(FixedUsername not set)
FixedPassword=ppp

All endpoints will be authenticated using their alias and the password 'ppp'.

Example 3:

FixedUsername=ppp
FixedPassword=ppp

All endpoints will be authenticated using the username 'ppp' and the password 'ppp'.

UseDialedNumber=BOOLEAN
Default: 0

Select Called-Station-Id number type between the original one (as dialed by the user) - UseDialedNumber=1 - and the rewritten one - UseDialedNumber=0.


[RadAliasAuth] Access-Request Radius Attributes

For RRQs, the same attributes as with RadAuth are sent, with an exception of username/password attributes (CHAP-Password, CHAP-Challenge, User-Name):


User-Name

Either an endpoint alias from RRQ or a value of FixedUsername config parameter. If no alias is present, an IP address is used


User-Password

Either the same as User-Name or a value of FixedPassword config parameter

For ARQ and Setup messages, the same attributes as with RadAuth are sent, with an exception of username/password attributes (CHAP-Password, CHAP-Challenge, User-Name):

User-Name
Either an endpoint alias or a value of FixedUsername config parameter

User-Password
Either the same as User-Name or a value of FixedPassword config parameter

[RadAliasAuth] Access-Accept Radius Attributes
Exactly the same attributes are recognized as with RadAuth module

voip4share
Administrator

Posts: 656
Joined: 18 Nov 2009 11:26
Location: Ramkhamhaeng, Bangkok
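
The IdCacheTimeout walk-through above (60 RRQs/sec, 9000 ms) can be reproduced with a small simulation. This is an added example, not GnuGk code; the steady arrival rate and the "first socket with a free identifier" allocation policy are assumptions of the sketch.

```python
import math
from collections import deque

ID_SPACE = 256  # RADIUS request identifiers are 8 bits wide


def simulate_id_pools(requests_per_sec, id_cache_timeout_ms, duration_s):
    """Return the times (ms) at which a new client socket had to be opened.

    Model (assumption): requests arrive at a steady rate, each one takes an
    identifier from the first socket that has a free one, and an identifier
    becomes reusable id_cache_timeout_ms after it was used.
    """
    sockets = []      # one deque of identifier expiry times per socket
    opened_at = []
    for k in range(int(requests_per_sec * duration_s)):
        now = k * 1000 / requests_per_sec
        for in_use in sockets:
            # Release identifiers whose uniqueness window has passed.
            while in_use and in_use[0] <= now:
                in_use.popleft()
            if len(in_use) < ID_SPACE:
                in_use.append(now + id_cache_timeout_ms)
                break
        else:
            # Every existing socket still has all 256 identifiers reserved.
            sockets.append(deque([now + id_cache_timeout_ms]))
            opened_at.append(now)
    return opened_at


def steady_state_sockets(requests_per_sec, id_cache_timeout_ms):
    """Closed-form estimate: identifiers reserved at once, in pools of 256."""
    reserved = requests_per_sec * id_cache_timeout_ms / 1000
    return max(1, math.ceil(reserved / ID_SPACE))


if __name__ == "__main__":
    for timeout_ms in (4000, 9000, 30000):
        opened = simulate_id_pools(60, timeout_ms, duration_s=60)
        print(f"IdCacheTimeout={timeout_ms}: {len(opened)} socket(s), "
              f"opened at {[round(t) for t in opened]} ms, "
              f"estimate {steady_state_sockets(60, timeout_ms)}")
```

The socket count is what to compare against RadiusPortRange and any firewall rule between the gatekeeper and the RADIUS servers.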

Re: gnugk.ini config file

Posted by voip4share » 20 Dec 2009 13:08

10.11 Section [CapacityControl]

This section contains a set of rules for controlling inbound call volume depending on various conditions. In order for this module to work, CapacityControl authentication and accounting modules have to be enabled like this:

[Gatekeeper::Auth]
CapacityControl=required;Setup

[Gatekeeper::Acct]
CapacityControl=required;start,stop

A capacity rule can be matched by a caller's IP, caller's H.323 ID and/or caller's number (CLI) - in the order specified. In addition, the match can be narrowed by specifying a called number pattern. This module works by keeping lists of current call volume for each inbound route (rule) - this is done by having CapacityControl accounting module configured to add/remove active calls from matching routes. The CapacityControl authentication module checks rules and accepts/rejects a call based on current/max call volume for a matching inbound route.


Format for an inbound route rule:
[ip:CALLER_IP|h323id:CALLER_H323ID|cli:CALLER_NUMBER]=[CALLED NUMBER REGEX PATTERN] MAX_CAPACITY

ip:, h323id: and cli: prefixes define rule type. An inbound call will be matched either by caller's IP, H.323ID or CLI. The optional CALLED NUMBER REGEX PATTERN is a regular expression that the called number should match to apply this rule to. MAX_CAPACITY is maximum number of active calls for this route.

The rules are matched in the following order:

IP rules
H.323ID rules
CLI rules
The longest match in the first matching category is used.


Example 1:

[CapacityControl]
ip:192.168.1.0/24=30
ip:any=120

These rules tell that the 192.168.1.0/24 subnet can send up to 30 concurrent calls, while all other IPs can send up to 120 concurrent calls.


Example 2:

[CapacityControl]
%r1% cli:1001=30
%r2% cli:1001=^48(50|51) 5

These rules limit caller with CLI 1001 to send up to 5 calls to 4850/4851 destinations and up to 30 calls to other destinations. %r1% and %r2% are special constructs to allow having the same cli:1001 config key more than once.
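
The rule selection and call counting described in the [CapacityControl] post can be modelled as below. This is an added example, not GnuGk's implementation: exact matching for H.323 IDs, prefix matching for CLIs, preferring a rule whose called-number pattern matches over one without a pattern, and accepting calls that match no rule are assumptions chosen to agree with the two examples in the post.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

EXAMPLE_1 = "[CapacityControl]\nip:192.168.1.0/24=30\nip:any=120"
EXAMPLE_2 = "[CapacityControl]\n%r1% cli:1001=30\n%r2% cli:1001=^48(50|51) 5"


@dataclass
class Rule:
    kind: str                      # "ip", "h323id" or "cli"
    key: str                       # network, H.323 ID or CLI ("any" for ip:any)
    called: Optional[re.Pattern]   # optional called-number regex
    max_calls: int
    active: int = 0                # maintained by the accounting side


def parse_rules(section):
    rules = []
    for line in section.splitlines():
        line = re.sub(r"^%r\d+%\s*", "", line.strip())  # duplicate-key marker
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        kind, _, match_key = key.strip().partition(":")
        *pattern, limit = value.split()
        called = re.compile(pattern[0]) if pattern else None
        rules.append(Rule(kind, match_key, called, int(limit)))
    return rules


def match_length(rule, caller_ip, h323id, cli):
    """Length of the match, or None when the rule does not apply."""
    if rule.kind == "ip":
        if rule.key == "any":
            return 0
        net = ipaddress.ip_network(rule.key, strict=False)
        return net.prefixlen if ipaddress.ip_address(caller_ip) in net else None
    if rule.kind == "h323id":        # assumption: exact match
        return len(rule.key) if h323id == rule.key else None
    if rule.kind == "cli":           # assumption: prefix match
        return len(rule.key) if cli.startswith(rule.key) else None
    return None


def select_rule(rules, caller_ip, called, h323id="", cli=""):
    # Categories are tried in the documented order; the first one with a
    # matching rule wins, and inside it the longest match is used.
    for kind in ("ip", "h323id", "cli"):
        best = None
        for rule in (r for r in rules if r.kind == kind):
            if rule.called and not rule.called.search(called):
                continue
            length = match_length(rule, caller_ip, h323id, cli)
            if length is None:
                continue
            rank = (length, rule.called is not None)
            if best is None or rank > best[0]:
                best = (rank, rule)
        if best:
            return best[1]
    return None


class CapacityControl:
    def __init__(self, rules):
        self.rules = rules

    def authorize(self, caller_ip, called, h323id="", cli=""):
        """Authentication side (Setup): accept while the route has capacity."""
        rule = select_rule(self.rules, caller_ip, called, h323id, cli)
        return rule is None or rule.active < rule.max_calls

    def call_started(self, caller_ip, called, h323id="", cli=""):
        """Accounting side (start): count the call on its inbound route."""
        rule = select_rule(self.rules, caller_ip, called, h323id, cli)
        if rule:
            rule.active += 1
        return rule

    def call_stopped(self, rule):
        """Accounting side (stop): release the slot taken at call start."""
        if rule and rule.active:
            rule.active -= 1
```

Because `ip:any` matches every caller, adding it to a rule set means the H.323 ID and CLI rules are never reached.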

Re: gnugk.ini config file

Posted by voip4share » 20 Dec 2009 13:08

10.12 Section [GkH350::Settings]

WARNING: This is an experimental feature and not tested very well.

This section defines the LDAP server and standard H.350 directory operating parameters to be used.


ServerName
Default: 127.0.0.1
The LDAP server IP address.


ServerPort
Default: 389
The LDAP server's TCP port (usually 389).


SearchBaseDN
Default: N/A
Entry point into the server's H.350 directory structure. Searches are only made below this root node.


BindUserDN
Default: N/A
The distinguished name the gatekeeper uses to bind to the LDAP server. Leave empty if you want to access the LDAP server anonymously.


BindUserPW
Default: N/A
If you specified BindUserDN, then specify the corresponding password to be used for binding here. If EncryptAllPasswords is enabled, or a KeyFilled variable is defined in this section, the password is in an encrypted form and should be created using the addpasswd utility.


BindAuthMode
Default: simple
Bind Authentication method choices are simple,sasl,kerberos


ServiceControl=BOOLEAN
Default: 0

Use RRQ/RCF service control field to advise an endpoint of the H.350 directory and searchDN to use for white page lookups.


AssignedAliases=BOOLEAN
Default: 0

Use H.350.1 to advise endpoints of their assigned aliases.


GatekeeperDiscovery=BOOLEAN
Default: 0

Use H.350.1 to resolve on GRQ/GCF the registering endpoint's assigned gatekeeper (h323IdentityGKDomain).

Re: gnugk.ini config file

Posted by voip4share » 20 Dec 2009 13:11

11. Accounting Configuration
The following sections in the config file can be used to configure accounting.


11.1 Section [Gatekeeper::Acct]
This section defines a list of modules which may be used to perform accounting. The accounting function can be used for logging gatekeeper on/off events and call start/stop/update events. Each accounting module logs received events to module-specific storage. The various storage options include plain text file, RADIUS server and many more. The configuration is very similar to the one for gatekeeper authentication (see [Gatekeeper::Auth]).

All CDRs are also sent to the status port and can be used by external applications.


Syntax:

acctmod=actions

<acctmod> := FileAcct | RadAcct | SQLAcct | StatusAcct | SyslogAcct | CapacityControl | ...
<actions> := <control>[;<event>,<event>,...]
<control> := optional | required | sufficient | alternative
<event> := start | stop | connect | update | on | off

The event list tells the gatekeeper which events should trigger logging with the given accounting module (if an event type is supported by the module):
start - a call has been started and a Setup message has been received (only available in routed mode)
connect - a call has been connected (only available in routed mode)
update - a call is active and a periodic update is performed to reflect the new call duration. The frequency of these updates is determined by the AcctUpdateInterval variable from the [CallTable] section
stop - a call has been disconnected (removed from the gatekeeper call table)
on - the gatekeeper has been started
off - the gatekeeper has been shut down
An event logged by a module may result in one of three result codes: ok, fail, next.
ok - the event has been logged successfully by this module
fail - the module failed to log the event
next - the event has not been logged by this module, because the module is not configured for/does not support this event type
Accounting modules can be stacked to log events by multiple modules or to create failover setups. The control flag for each module, along with result codes, define what is the final status of the event processing by the entire module stack. If the final result is failure, some special actions may take place. Currently, if a call start event logging fails, the call is disconnected immediately. The following control flags are recognized:
required - if the module fails to log an event, the final status is set to failure and the event is passed down to any remaining modules.
optional - the module tries to log an event, but the final status is not affected by success or failure (except when the module is last on the list). The event is always passed down to any remaining modules.
sufficient - the module determines the final status. If an event is logged successfully, no remaining modules are processed. Otherwise the final status is set to failure and the event is passed down to any remaining modules.
alternative - if the module logs an event successfully, no remaining modules are processed. Otherwise the final status is not modified and the event is passed down to any remaining modules.
Currently supported accounting modules:

FileAcct
A plain Call Detail Report ("CDR") text file logger. It outputs CDR status data to a specified text file. This module only supports the stop accounting event. Configuration settings are read from [FileAcct] section.


RadAcct
This module performs RADIUS accounting. It supports all event types (start, stop, update, on, off). See section [RadAcct] for configuration details.


SQLAcct
This module performs direct SQL accounting. It supports (start, connect, stop, update) event types. See section [SQLAcct] for configuration details.


StatusAcct
This module logs all accounting events on the status port. It can be used to interface to external application in real-time. It supports (start, connect, stop, update) event types. See section [StatusAcct] for configuration details.


SyslogAcct
This module logs all accounting events to the Unix syslog. It supports (start, connect, stop, update) event types. See section [SyslogAcct] for configuration details.


CapacityControl
This module performs inbound call volume logging, required for the CapacityControl authentication module to work correctly. See the section [CapacityControl] for details.


default
This is a special pseudo module - it is used to set the final status if other modules have not determined it. The format is as follows:

Syntax:

default=<status>[;<event>,<event>,...]
<status> := accept | fail
<event> := start | stop | update | on | off


Sample configuration #1 (try to log call start/stop with RADIUS server, and always write a CDR to a text file):

Example:
RadAcct=optional;start,stop
FileAcct=required


Sample configuration #2 (try to log call start/stop with RADIUS server, if it fails use a CDR log file):

Example:
RadAcct=alternative;start,stop
FileAcct=sufficient;stop
default=accept


The default rule is required here to prevent calls from being rejected because of RadAcct start event logging failure. If RadAcct responds with a fail return code, it is passed down to the FileAcct module. The FileAcct module does not support start events, so it returns a next code. If there were no default rule, the final status would be failure, because no module has been able to log the event.

Sample configuration #3 (always log call start and stop events with RADIUS server, if it fails for call stop event, use a CDR file to store call info):

Example:
RadAcct=alternative;start,stop
FileAcct=sufficient;stop
default=fail;start


The default rule is optional here. If RadAcct returns a fail code for the start event, the code is passed to the FileAcct module. The FileAcct module does not support start events, so it returns next return code. The default rule ensures that the call is disconnected if the call start event could not be logged with RadAcct. However, we still want to store a CDR in a text file in case the RADIUS server is down when the call disconnects, so we can fetch call duration into a billing system later.
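
To see whether a given accounting stack fails open or fails closed when the RADIUS server is unreachable, the control-flag rules from the [Gatekeeper::Acct] post can be evaluated as below. This is an added example that models the rules as they are worded in the post; it is not GnuGk's code, and the handling of a trailing optional module and of a successful sufficient module after an earlier failure are interpretations of that wording.

```python
from dataclasses import dataclass

OK, FAIL, NEXT = "ok", "fail", "next"
ALL_EVENTS = frozenset({"start", "stop", "connect", "update", "on", "off"})

# Event types each module supports, as listed in the post.
SUPPORTED = {
    "FileAcct": frozenset({"stop"}),
    "RadAcct": frozenset({"start", "stop", "update", "on", "off"}),
    "SQLAcct": frozenset({"start", "connect", "stop", "update"}),
    "StatusAcct": frozenset({"start", "connect", "stop", "update"}),
    "SyslogAcct": frozenset({"start", "connect", "stop", "update"}),
}

SAMPLE_2 = "RadAcct=alternative;start,stop\nFileAcct=sufficient;stop\ndefault=accept"
SAMPLE_3 = "RadAcct=alternative;start,stop\nFileAcct=sufficient;stop\ndefault=fail;start"


@dataclass
class Entry:
    name: str
    control: str        # control flag, or accept/fail for the default entry
    events: frozenset   # events enabled on the config line (all if omitted)


def parse_stack(config):
    modules, default = [], None
    for line in config.strip().splitlines():
        name, _, actions = line.strip().partition("=")
        control, _, events = actions.partition(";")
        enabled = frozenset(events.split(",")) if events else ALL_EVENTS
        entry = Entry(name, control, enabled)
        if name == "default":
            default = entry
        else:
            modules.append(entry)
    return modules, default


def log_event(event, modules, default, down=()):
    """Return (final_status, trace); `down` names modules whose backend fails."""
    final, trace = None, []          # None = no module has decided yet
    for index, mod in enumerate(modules):
        if event not in mod.events or event not in SUPPORTED[mod.name]:
            trace.append((mod.name, NEXT))
            continue
        result = FAIL if mod.name in down else OK
        trace.append((mod.name, result))
        if mod.control == "required":
            if result == FAIL:
                final = FAIL
            elif final is None:
                final = OK
        elif mod.control == "sufficient":
            final = result           # "the module determines the final status"
            if result == OK:
                break
        elif mod.control == "alternative":
            if result == OK:
                final = final or OK
                break
        elif mod.control == "optional":
            # Only counts when it is last on the list and nothing decided yet.
            if index == len(modules) - 1 and final is None:
                final = result
    if final is None:
        if default and event in default.events:
            final = OK if default.control == "accept" else FAIL
        else:
            final = FAIL             # no module was able to log the event
    return final, trace


if __name__ == "__main__":
    for label, cfg in (("sample #2", SAMPLE_2), ("sample #3", SAMPLE_3)):
        mods, dflt = parse_stack(cfg)
        for evt in ("start", "stop"):
            print(label, evt, log_event(evt, mods, dflt, down={"RadAcct"}))
```

With RadAcct down, sample #2 lets a call start without any start record, while sample #3 fails the start event, which per the post disconnects the call.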

Re: gnugk.ini config file

Posted by voip4share » 20 Dec 2009 13:11

11.2 Section [FileAcct]
This accounting module writes CDR lines to a specified text file. The CDR format can be a standard one (the same as displayed by the status interface) or a customized one (using parametrized query string).


DetailFile=FULL_PATH_AND_FILENAME
Default: N/A

A full path to the CDR plain text file. If a file with the given name already exists, new CDRs will be appended at the end of the file.


StandardCDRFormat=0
Default: 1

Use a CDR format compatible with the status interface CDR format (1) or build a custom CDR string from the CDRString parametrized string.

The StandardCDRFormat is equivalent to this definition:

TimestampFormat=RFC822
CDRString=CDR|%n|%{CallId}|%d|%{connect-time}|%{disconnect-time}|%{caller-ip}:%{caller-port}|%{caller-epid}|%{callee-ip}:%{callee-port}|%{callee-epid}|%{dest-info}|%{src-info}|%g;



CDRString=%s|%g|%u|%{Calling-Station-Id}|%{Called-Station-Id}|%d|%c
Default: N/A

If StandardCDRFormat is disabled (0) or not specified at all, this parametrized string instructs the gatekeeper on how to build a custom CDR. Parameters are specified using % character and can be one letter (like %n) or longer (like %{CallId}). Any remaining characters that are not parameter names are simply copied to the final CDR string. The following parameters are recognized:

%g - gatekeeper name
%n - call number (not unique after gatekeeper restart)
%d - call duration (seconds)
%t - total call duration (from Setup to Release Complete)
%c - Q.931 disconnect cause (decimal integer) as originally received
%{cause-translated} - Q.931 disconnect cause (decimal integer) after translation rules
%r - who disconnected the call (-1 - unknown, 0 - the gatekeeper, 1 - the caller, 2 - the callee)
%p - PDD (Post Dial Delay) in seconds
%s - unique (for this gatekeeper) session identifier (Acct-Session-Id)
%u - H.323 ID of the calling party
%{gkip} - IP address of the gatekeeper
%{CallId} - H.323 call identifier (16 hex 8-bit digits)
%{ConfId} - H.323 conference identifier (16 hex 8-bit digits)
%{CallLink} - Linked H.323 conference identifier (billing account for H.450 call transfer)
%{setup-time} - timestamp string for Q.931 Setup message
%{alerting-time} - timestamp string for Q.931 Alerting message
%{connect-time} - timestamp string for a call connected event
%{disconnect-time} - timestamp string for a call disconnect event
%{ring-time} - time a remote phone was ringing for (from Alerting till Connect or Release Complete)
%{caller-ip} - signaling IP address of the caller
%{caller-port} - signaling port of the caller
%{callee-ip} - signaling IP address of the called party
%{callee-port} - signaling port of the called party
%{src-info} - a colon separated list of source aliases
%{dest-info} - a colon separated list of destination aliases
%{Calling-Station-Id} - calling party number
%{Called-Station-Id} - called party number (rewritten)
%{Dialed-Number} - dialed number (as received from the calling party)
%{caller-epid} - endpoint identifier of the calling party
%{callee-epid} - endpoint identifier of the called party
%{call-attempts} - number of attempts to establish the calls (with failover this can be > 1)
%{last-cdr} - is this the last CDR for this call ? (0 / 1) only when using failover this can be 0
%{media-oip} - caller's RTP media IP (only for H.245 routed/tunneled calls)
%{codec} - audio codec used during the call (only for H.245 routed/tunneled calls)
%{bandwidth} - bandwidth for this call
%{client-auth-id} - an ID provided to GnuGk when authenticating the call (through SqlAuth)



TimestampFormat=Cisco
Default: N/A

Format of timestamp strings printed in CDR strings. If this setting is not specified, the global one from the main gatekeeper section is used.


Rotate=hourly | daily | weekly | monthly | L... | S...
Default: N/A

If set, the CDR file will be rotated based on this setting. Hourly rotation enables rotation once per hour, daily - once per day, weekly - once per week and monthly - once per month. An exact rotation moment is determined by a combination of RotateDay and RotateTime. During rotation, an existing file is renamed to CURRENT_FILENAME.YYYYMMDD-HHMMSS, where YYYYMMDD-HHMMSS is replaced with the current timestamp, and new CDRs are logged to an empty file.
In addition, rotation per number of CDRs written (L...) and per file size (S...) is supported. The L prefix specifies a number of CDR lines written, the S prefix specifies CDR file size. k and m suffixes can be used to specify thousands (kilobytes) and millions (megabytes).


Example 1 - no rotation:
[FileAcct]
DetailFile=/var/log/gk/cdr.log



Example 2 - rotate every hour (00:45, 01:45, ..., 23:45):
[FileAcct]
DetailFile=/var/log/gk/cdr.log
Rotate=hourly
RotateTime=45



Example 3 - rotate every day at 23:00 (11PM):
[FileAcct]
DetailFile=/var/log/gk/cdr.log
Rotate=daily
RotateTime=23:00



Example 4 - rotate every Sunday at 00:59:
[FileAcct]
DetailFile=/var/log/gk/cdr.log
Rotate=weekly
RotateDay=Sun
RotateTime=00:59



Example 5 - rotate on the last day of each month:
[FileAcct]
DetailFile=/var/log/gk/cdr.log
Rotate=monthly
RotateDay=31
RotateTime=23:00



Example 6 - rotate per every 10000 CDRs:
[FileAcct]
DetailFile=/var/log/gk/cdr.log
Rotate=L10000



Example 7 - rotate per every 10 kilobytes:
[FileAcct]
DetailFile=/var/log/gk/cdr.log
Rotate=S10k
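
A CDR file written with a custom CDRString can be read back by deriving the parser from the same template, so the log consumer and the gatekeeper config cannot drift apart. This is an added example, not part of GnuGk; the set of fields treated as integers is taken from the parameter list in the post, the sample CDR lines are constructed, and the strict delimiter check assumes a pipe-separated template like the one shown.

```python
import re
from collections import defaultdict

# Parameters the post describes as integers (counts, seconds, codes, ports).
INTEGER_FIELDS = {"n", "d", "c", "r", "cause-translated", "caller-port",
                  "callee-port", "call-attempts", "last-cdr"}
TOKEN = re.compile(r"%(?:\{([^}]+)\}|([A-Za-z]))")

CDR_STRING = "%s|%g|%u|%{Calling-Station-Id}|%{Called-Station-Id}|%d|%c"

# Constructed sample lines; the last two are deliberately malformed.
SAMPLE_LINES = [
    "a1b2c3d4|GnuGk|alice|1001|4850123456|62|16",
    "a1b2c3d5|GnuGk|alice|1001|4851000001|600|16",
    "a1b2c3d6|GnuGk|bob|1002|4930123|abc|16",
    "a1b2c3d7|GnuGk|mal|lory|1003|4930123|10|16",
]


def compile_cdr_string(cdr_string):
    """Turn a CDRString template into (compiled regex, ordered field names)."""
    names, regex, pos = [], "", 0
    for tok in TOKEN.finditer(cdr_string):
        regex += re.escape(cdr_string[pos:tok.start()])   # literal text
        name = tok.group(1) or tok.group(2)
        names.append(name)
        regex += r"(-?\d+)" if name in INTEGER_FIELDS else r"(.*?)"
        pos = tok.end()
    regex += re.escape(cdr_string[pos:])
    return re.compile(regex + r"\Z"), names


def parse_cdr(line, cdr_string=CDR_STRING):
    """Return a dict of fields, or None if the line does not fit the template."""
    pattern, names = compile_cdr_string(cdr_string)
    line = line.rstrip("\r\n")
    # A field that carries the delimiter would shift every later column,
    # so such lines are rejected instead of being guessed at.
    if line.count("|") != cdr_string.count("|"):
        return None
    match = pattern.match(line)
    if not match:
        return None
    return {name: int(value) if name in INTEGER_FIELDS else value
            for name, value in zip(names, match.groups())}


def usage_by_caller(lines, cdr_string=CDR_STRING):
    """Sum calls and seconds per calling H.323 ID (%u); collect rejects."""
    totals, rejected = defaultdict(lambda: [0, 0]), []
    for line in lines:
        cdr = parse_cdr(line, cdr_string)
        if cdr is None:
            rejected.append(line)
            continue
        totals[cdr["u"]][0] += 1
        totals[cdr["u"]][1] += cdr["d"]
    return {caller: tuple(v) for caller, v in totals.items()}, rejected


if __name__ == "__main__":
    totals, rejected = usage_by_caller(SAMPLE_LINES)
    print(totals)
    print("rejected:", rejected)
```

Rejected lines are worth keeping and reviewing, since a CDR that does not fit its own template is either a config mismatch or unexpected content in a caller-supplied field.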

Re: gnugk.ini config file

Posted by voip4share » 20 Dec 2009 13:12

11.3 Section [RadAcct]
This accounting module sends accounting data to a RADIUS server. Module configuration is almost the same as for RADIUS authenticators (see [RadAuth] and [RadAliasAuth] for more details on the parameters).


Servers=SERVER1[:AUTH_PORT:ACCT_PORT[:SECRET]];SERVER2[:AUTH_PORT:ACCT_PORT[:SECRET]];...
Default: N/A

RADIUS servers to send accounting data to. If no port information is given, a port number from DefaultAcctPort is used. If no secret is set, the default shared secret from SharedSecret is used. Server names may be specified by IP address or DNS name.


Sample Servers lines:
Servers=192.168.1.1
Servers=192.168.1.1:1645:1646
Servers=192.168.1.1:1645:1646:secret1
Servers=radius1.mycompany.com:1812:1813
Servers=radius1.mycompany.com;radius2.mycompany.com
Servers=radius1.mycompany.com:1812:1813:secret1;radius2.mycompany.com:1812:1813:secret2



LocalInterface=IP_OR_FQDN
Default: N/A

Specific local network interface that GnuGk should use in order to communicate with RADIUS servers.


RadiusPortRange=10000-11000
Default: N/A

By default (if this option is not set) GnuGk allocates ports dynamically as specified by the operating system. To restrict the ports which GnuGk will use, configure this parameter appropriately.


DefaultAcctPort=PORT_NO
Default: 1813

Default port number to be used for RADIUS accounting requests. May be overridden by the Servers attribute.


SharedSecret=SECRET
Default: N/A (empty string)

A secret used to authenticate this GnuGk (NAS client) to a RADIUS server. It should be a cryptographically strong password. This is the default value used if no server-specific secret is set in the Servers. If EncryptAllPasswords is enabled, or a KeyFilled variable is defined in this section, the password is in encrypted form and should be created using the addpasswd utility.


RequestTimeout=TIMEOUT_MS
Default: 2000 (milliseconds)

Timeout (milliseconds) for a RADIUS server response to a request sent by GnuGk. If no response is received within this time period, then the next RADIUS server is queried.


IdCacheTimeout=TIMEOUT_MS
Default: 9000 (milliseconds)

Timeout (milliseconds) for RADIUS request 8-bit identifiers to be unique.


SocketDeleteTimeout=TIMEOUT_MS
Default: 60000 (milliseconds) - 60 s

Timeout for unused RADIUS sockets to be closed.


RequestRetransmissions=NUMBER
Default: 2

How many times a single RADIUS request is transmitted to every configured RADIUS server (if no response is received).


RoundRobinServers=BOOLEAN
Default: 1

RADIUS requests retransmission method.

If set to 1, RADIUS request is transmitted in the following way (until response is received):

Server #1 Attempt #1, Server #2 Attempt #1, ..., Server #N Attempt #1
...
Server #1 Attempt #RequestRetransmissions, ..., Server #N Attempt #RequestRetransmissions

If set to 0, the following sequence is preserved:

Server #1 Attempt #1, ..., Server #1 Attempt #RequestRetransmissions
...
Server #N Attempt #1, ..., Server #N Attempt #RequestRetransmissions


AppendCiscoAttributes=BOOLEAN
Default: 0

If set, Cisco Vendor Specific RADIUS attributes are included in RADIUS requests (h323-conf-id,h323-call-origin,h323-call-type).


TimestampFormat=ISO8601
Default: N/A

Format of timestamp strings sent in RADIUS attributes. If this setting is not specified, the global one from the main gatekeeper section is applied.


UseDialedNumber=BOOLEAN
Default: 0

Select Called-Station-Id number type between the original one (as dialed by the user) - UseDialedNumber=1 - and the rewritten one - UseDialedNumber=0.

[RadAcct] Accounting-Request RADIUS Attributes
For an Accounting-Request, the following RADIUS attributes are included within Accounting-Request packets. Each attribute is followed by a list of accounting event types.


Acct-Status-Type (start,update,stop,on,off)

The accounting event type (Start, Interim-Update, Stop, Accounting-On, Accounting-Off).


NAS-IP-Address (start,update,stop,on,off)

An IP address of the gatekeeper.


NAS-Identifier (start,update,stop,on,off)

The gatekeeper identifier (Name= gk parameter).


NAS-Port-Type (start,update,stop,on,off)

Fixed value Virtual.


Service-Type (start,update,stop)

Fixed value Login-User.


Acct-Session-Id (start,update,stop)

A unique accounting session identifier string.


User-Name (start,update,stop)

Calling party's account name.


Framed-IP-Address (start,update,stop)

An IP address for the calling party. Either an endpoint call signaling address or a remote socket address for the signaling channel.


Acct-Session-Time (update,stop)

Call duration (seconds) - for interim-update events this is the actual duration.


Calling-Station-Id (start,update,stop)

Calling party's number.


Called-Station-Id (start,update,stop)

Called party's number.


(optional) VSA: VendorId=Cisco, h323-gw-id (start,update,stop)

The same as NAS-Identifier.


(optional) VSA: VendorId=Cisco, h323-conf-id (start,update,stop)

H.323 Conference ID for the call.


(optional) VSA: VendorId=Cisco, h323-call-origin (start,update,stop)

Fixed string "proxy".


(optional) VSA: VendorId=Cisco, h323-call-type (start,update,stop)

Fixed string "VoIP".


(optional) VSA: VendorId=Cisco, h323-setup-time (start,update,stop)

Timestamp when the Q.931 Setup message has been received by the gk.


(optional) VSA: VendorId=Cisco, h323-connect-time (update,stop)

Timestamp when the call has been connected (Q.931 Setup message has been received or ACF has been sent in direct signaling mode).


(optional) VSA: VendorId=Cisco, h323-disconnect-time (stop)

Timestamp when the call has been disconnected (ReleaseComplete or DRQ has been received).


(optional) VSA: VendorId=Cisco, h323-disconnect-cause (stop)

Q.931 two digit hexadecimal disconnect cause.


(optional) VSA: VendorId=Cisco, h323-remote-address (start,update,stop)

An IP address of the called party (if known).


(optional) VSA: VendorId=Cisco, Cisco-AVPair, h323-ivr-out (start, update, stop)

h323-call-id variable that contains an H.323 Call Identifier. The syntax is as follows: "h323-ivr-out=h323-call-id:123FDE 12348765 9abc1234 12".


(optional) VSA: VendorId=Cisco, Cisco-AVPair, h323-ivr-out (start, update, stop)

rewritten-e164-num contains the rewritten called party's number (independent of the setting of the UseDialedNumber switch).


Acct-Delay-Time (start,update,stop)

Amount of time (seconds) the gatekeeper is trying to send the request. Currently always 0.


(optional) VSA: VendorId=Cisco, Cisco-AVPair, h323_rtp_proxy (stop)

Proxy mode of call (0=off, 1=on)


(optional) VSA: VendorId=Cisco, Cisco-AVPair, RTP_source_IP (stop)

RTCP source report data


(optional) VSA: VendorId=Cisco, Cisco-AVPair, RTP_destination_IP (stop)

RTCP source report data


(optional) VSA: VendorId=Cisco, Cisco-AVPair, RTCP_source_packet_count (stop)

RTCP source report data


(optional) VSA: VendorId=Cisco, Cisco-AVPair, RTCP_source_packet_lost (stop)

RTCP source report data


(optional) VSA: VendorId=Cisco, Cisco-AVPair, RTCP_source_jitter (stop)

RTCP source report data


(optional) VSA: VendorId=Cisco, Cisco-AVPair, RTCP_source_sdes_XXX (stop)

RTCP source report data (for each source description (sdes))


(optional) VSA: VendorId=Cisco, Cisco-AVPair, RTCP_destination_packet_count (stop)

RTCP destination report data


(optional) VSA: VendorId=Cisco, Cisco-AVPair, RTCP_destination_packet_lost (stop)

RTCP destination report data


(optional) VSA: VendorId=Cisco, Cisco-AVPair, RTCP_destination_jitter (stop)

RTCP destination report data


(optional) VSA: VendorId=Cisco, Cisco-AVPair, RTCP_destination_sdes_XXX (stop)

RTCP destination report data (for each source description (sdes))



[RadAcct] Accounting-Response Radius Attributes
The gatekeeper ignores all attributes present in Accounting-Response Radius packets.