Config file gnugk.ini

GNUGK, the ultimate H.323 Gatekeeper program, is open source

Moderator: jubjang

Re: Config file gnugk.ini

Posted by voip4share » 20 Dec 2009 12:43

9.5 Section [RasSrv::AssignedAlias]
This allows the assigning of aliases to endpoints as they register, allowing them to set their fully qualified E.164 or URI addresses.


Example:

[RasSrv::AssignedAlias]
1234=3323465777,me@mysite.com
voip4share
Administrator

Posts: 656
Joined: 18 Nov 2009 11:26
Location: Ramkhamhaeng, Bangkok

Re: Config file gnugk.ini

Posted by voip4share » 20 Dec 2009 12:44

9.6 Section [AssignedAliases::SQL]

This section configures GnuGk to read the assigned aliases from a database. You can use the same database parameters as defined in [SQLPasswordAuth].


Query=SELECT ...
Default: N/A

Defines the SQL query used to retrieve the assigned aliases from the database.

One parameter is defined:

%u - endpoint alias
Sample query string:

SELECT assignedalias FROM users WHERE alias = '%u' AND active

Re: Config file gnugk.ini

Posted by voip4share » 20 Dec 2009 12:45

9.7 Section [RasSrv::AssignedGatekeeper]

This allows the assigning of a gatekeeper based upon the H323ID or the apparent source IP address of the registering endpoint. The received H323ID in the GRQ is checked to see if it has a prefix for an assigned gatekeeper or the IP is in a range of an assigned gatekeeper. The endpoint is then advised in the GCF to register with that gatekeeper. You may have multiple gatekeepers for a specific prefix. The first is assigned as the primary and others are then the alternates. (requires H.323v6)


Examples:

[RasSrv::AssignedGKs]
;; For Endpoint with H323ID starting with 01234
01234=x.x.x.x:1719
;; For Endpoints in the range of 195.71.129.0/24 or 195.71.131.0/24
^195\.71\.(129|131)\.[0-9]+$=x.x.x.x:1719

Re: Config file gnugk.ini

Posted by voip4share » 20 Dec 2009 12:46

9.8 Section [AssignedGatekeepers::SQL]

This section allows GnuGk to read the assigned gatekeepers from a database. You can use the same database parameters as defined in [SQLPasswordAuth].


Query=SELECT ...
Default: N/A

Defines the SQL query used to retrieve the assigned gatekeepers from the database.

Two parameters are defined:

%u - endpoint alias
%i - endpoint IP
Sample query string:

SELECT assignedgatekeeper FROM users WHERE alias = '%u' AND active

Re: Config file gnugk.ini

Posted by voip4share » 20 Dec 2009 12:47

9.9 Section [NATedEndpoints]

The gatekeeper can automatically detect whether an endpoint is behind NAT. However, if the detection fails, you can specify it manually in this section.


Format:
alias=true,yes,1,...

Example:
Specifies that the endpoint with alias 601 is behind NAT.

601=true

Re: Config file gnugk.ini

Posted by voip4share » 20 Dec 2009 12:49

10. Authentication Configuration

10.1 Section [Gatekeeper::Auth]

The section defines the authentication mechanism for the gatekeeper.


Syntax:

authrule=actions

<authrule> := SimplePasswordAuth | AliasAuth | FileIPAuth | PrefixAuth | RadAuth | RadAliasAuth | SQLAuth | SQLAliasAuth | SQLPasswordAuth | CapacityControl | ...
<actions> := <control>[;<ras>|<q931>,<ras>|<q931>,...]
<control> := optional | required | sufficient | alternative
<ras> := GRQ | RRQ | URQ | ARQ | BRQ | DRQ | LRQ | IRQ
<q931> := Setup | SetupUnreg

A rule may result in one of these three codes: ok, fail, next.

ok - The request is authenticated by this module.
fail - The authentication fails and should be rejected.
next - The rule cannot determine the request.
There are also three ways to control a rule:
optional - If the rule cannot determine the request or accepts it, it is passed to the next rule. Otherwise processing stops and the request is rejected.
required - The request should be authenticated by this module, or it will be rejected. The authenticated request is then passed to the next rule.
sufficient - If the request is authenticated, it is accepted; otherwise it is rejected. That is, the rule determines the fate of the request. No rule should be put after a sufficient rule, since it won't take effect.
alternative - Similar to the sufficient rule, except that if the module cannot determine the request's fate, the request is passed to the next module.
Currently supported modules: (most only support a subset of the ras or q931 actions)

SimplePasswordAuth/SQLPasswordAuth/H350PasswordAuth
These modules check the tokens or cryptoTokens fields of a RAS message. The tokens should contain at least generalID and password. For cryptoTokens, cryptoEPPwdHash tokens hashed by simple MD5 and nestedcryptoToken tokens hashed by HMAC-SHA1-96 (libssl must be installed!) are now supported. For tokens, tokens hashed by CAT (Cisco Access Token) and a clear-text username/password are now supported. The ID and password are read from the [SimplePasswordAuth] section or from a SQL database for the SimplePasswordAuth and SQLPasswordAuth modules. The MySQLPasswordAuth module is supported for backward compatibility. For H.350.2 authentication (H350PasswordAuth) the GkH350::Settings section connection information must be completed.


AliasAuth/SQLAliasAuth
The module can only be used to authenticate RegistrationRequest (RRQ). The IP of an endpoint with a given alias should match a specified pattern. For AliasAuth the pattern is defined in the [RasSrv::RRQAuth] section. For SQLAliasAuth, the pattern is retrieved from a SQL database as defined in the [SQLAliasAuth] section.


FileIPAuth
This module provides a simple way to restrict access to the gatekeeper based on caller's IP or network.


PrefixAuth
The IP or aliases of a request with a given prefix must match a specified pattern. See section [PrefixAuth] for details. Currently the module can only authorize AdmissionRequest (ARQ) and LocationRequest (LRQ).


RadAuth
Provides authentication based on H.235 username/password security scheme. Authenticates RRQ, ARQ and Q.931 Setup through remote RADIUS servers. It passes to RADIUS servers the usernames and passwords extracted from CAT (Cisco Access Tokens) tokens carried inside RRQ, ARQ or Setup packets. Therefore if your endpoints do not support CATs or you do not need an authentication scheme based on individually assigned usernames/password then this module would not be appropriate (but you may check the RadAliasAuth module). See section [RadAuth] for details.


RadAliasAuth
Provides authentication based on endpoint aliases and/or call signaling IP addresses with remote RADIUS servers. It does not need any H.235 tokens inside RAS messages, so it can be used on a wider range of systems as compared to RadAuth. RRQ, ARQ and Q.931 Setup messages can be authenticated using this module. See section [RadAliasAuth] for details.


SQLAuth
A powerful module to authenticate and authorize RRQ, ARQ, LRQ and Setup messages. It can perform checks based on various parameters such as caller's number, destination number, username and more. It also supports enforcing call duration limit, number rewriting, call routing, alias verification and assignment. See section [SQLAuth] for more details.


CapacityControl
A flexible module to control inbound call volume with ability to configure various conditions. IMPORTANT: It must be used in conjunction with the CapacityControl accounting module. See section [CapacityControl] for more details.


You can also configure a rule to check only for specific RAS messages. The following example configures SimplePasswordAuth as an optional rule to check RRQ and ARQ. If an RRQ is not checked (does not contain tokens or cryptoTokens fields), it is checked by AliasAuth. The default is to accept all requests.


Example 1:
SimplePasswordAuth=alternative;RRQ,ARQ
AliasAuth=sufficient;RRQ


The example below authenticates all calls, checking signaling Setup message details, using the RadAliasAuth module.


Example 2:
RadAliasAuth=required;Setup
default=allow

This example checks endpoint registrations (RRQ) and call admissions (ARQ) either by means of username/password (RadAuth) or alias/IP (RadAliasAuth). Additionally, if the call is from an unregistered endpoint (and therefore no RRQ or ARQ authentication has been performed), Setup message authentication using RadAliasAuth takes place (SetupUnreg).


Example 3:
RadAuth=alternative;RRQ,ARQ
RadAliasAuth=alternative;RRQ,ARQ,SetupUnreg
default=reject
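
The chain semantics above (ok/fail/next results combined with the optional/required/sufficient/alternative control flags) are easiest to see by simulating them. The following is an added example, not code from GnuGk or from the post: it parses a [Gatekeeper::Auth] section, walks the chain as section 10.1 describes it, and runs Example 1 over a few constructed requests. The two module implementations are stand-ins that follow the text (SimplePasswordAuth answers "next" when a request carries no tokens; AliasAuth only handles RRQ), and the password and alias-to-IP tables are constructed sample data.

```python
"""Simulate the [Gatekeeper::Auth] rule chain described in section 10.1.

Added example, not GnuGk code. Module behaviour is stubbed with simple
callables; PASSWORDS and ALIAS_IPS are constructed sample tables.
"""
from typing import Callable, Dict, List, Set, Tuple

OK, FAIL, NEXT = "ok", "fail", "next"
Rule = Tuple[str, str, Set[str]]          # (module name, control flag, message types)
Module = Callable[[str, dict], str]       # (message type, request) -> ok | fail | next


def parse_auth_section(lines: List[str]) -> Tuple[List[Rule], str]:
    """Parse 'module=control;MSG,MSG' lines plus the optional 'default=' policy."""
    rules: List[Rule] = []
    default = "allow"                      # the text: the default is to accept all requests
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        name, _, actions = line.partition("=")
        if name.strip() == "default":
            default = actions.strip()
            continue
        control, _, msgs = actions.partition(";")
        msgset = {m.strip() for m in msgs.split(",") if m.strip()}
        rules.append((name.strip(), control.strip(), msgset))
    return rules, default


def evaluate(rules: List[Rule], default: str, modules: Dict[str, Module],
             msg: str, request: dict) -> bool:
    """Walk the chain top to bottom; True means the request is accepted."""
    for name, control, msgset in rules:
        if msgset and msg not in msgset:
            continue                       # rule is not configured for this message type
        result = modules[name](msg, request)
        if control == "optional":          # only an explicit 'fail' rejects
            if result == FAIL:
                return False
        elif control == "required":        # must be 'ok'; 'fail' or 'next' rejects
            if result != OK:
                return False
        elif control == "sufficient":      # decides the fate either way
            return result == OK
        elif control == "alternative":     # decides on ok/fail, passes on 'next'
            if result == OK:
                return True
            if result == FAIL:
                return False
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return default == "allow"


# --- stand-in modules over constructed sample tables --------------------------
PASSWORDS = {"frank": "secret"}                  # stands in for [SimplePasswordAuth]
ALIAS_IPS = {"frank": "192.168.242.165"}         # stands in for [RasSrv::RRQAuth]


def simple_password_auth(msg: str, req: dict) -> str:
    token = req.get("tokens")
    if token is None:
        return NEXT                        # no tokens: this module cannot decide
    return OK if PASSWORDS.get(token["generalID"]) == token["password"] else FAIL


def alias_auth(msg: str, req: dict) -> str:
    if msg != "RRQ":
        return NEXT                        # the module only authenticates RRQ
    return OK if ALIAS_IPS.get(req["alias"]) == req["ip"] else FAIL


MODULES: Dict[str, Module] = {"SimplePasswordAuth": simple_password_auth,
                              "AliasAuth": alias_auth}

EXAMPLE_1 = ["SimplePasswordAuth=alternative;RRQ,ARQ", "AliasAuth=sufficient;RRQ"]


def run_example_1(extra: Tuple[str, ...] = ()) -> Dict[str, bool]:
    """Evaluate constructed requests against Example 1 (plus optional extra lines)."""
    rules, default = parse_auth_section(EXAMPLE_1 + list(extra))
    good = {"generalID": "frank", "password": "secret"}
    bad = {"generalID": "frank", "password": "wrong"}
    ev = lambda m, r: evaluate(rules, default, MODULES, m, r)
    return {
        "rrq_good_token": ev("RRQ", {"tokens": good, "alias": "frank", "ip": "10.0.0.9"}),
        "rrq_bad_token": ev("RRQ", {"tokens": bad, "alias": "frank", "ip": "192.168.242.165"}),
        "rrq_no_token_known_ip": ev("RRQ", {"alias": "frank", "ip": "192.168.242.165"}),
        "rrq_no_token_other_ip": ev("RRQ", {"alias": "frank", "ip": "10.0.0.9"}),
        "arq_no_token": ev("ARQ", {"alias": "frank", "ip": "10.0.0.9"}),
    }


if __name__ == "__main__":
    for k, v in run_example_1().items():
        print(f"{k:24s} -> {'accept' if v else 'reject'}")
    print("with default=reject, arq_no_token ->",
          run_example_1(("default=reject",))["arq_no_token"])
```

The last line of the demo is the point worth noticing: with Example 1 as written, an ARQ without tokens falls off the end of the chain and is accepted by the implicit default=allow, because AliasAuth is only configured for RRQ. Adding default=reject, as Examples 2 and 3 do, closes that path.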

Re: Config file gnugk.ini

Posted by voip4share » 20 Dec 2009 12:50

10.2 Section [FileIPAuth]

This section defines a list of IP addresses/networks which are allowed to access gatekeeper resources. A list of allowed prefixes can be specified together with an IP address. Supported Gatekeeper::Auth events are: GRQ, RRQ, LRQ, Setup and SetupUnreg. The format of a single entry is:

IP=[allow | reject][;prefix[,prefix...]]

where IP is a single IP address, a network address (in A.B.C.D/M.M.M.M or A.B.C.D/LENGTH format) or the string 'any' or '*' to match any address. The access list can also be loaded from an external file using the include directive. During authentication, the network mask length defines a priority for each entry, so the rule 192.168.1.1=allow takes precedence over 192.168.1.0/24=reject.


Example #1:

[Gatekeeper::Auth]
FileIPAuth=required;RRQ,LRQ,Setup

[FileIPAuth]
192.168.1.240=reject
192.168.1.0/24=allow
192.168.2.0/255.255.255.0=allow;48,49,44
any=reject


Example #2:

[Gatekeeper::Auth]
FileIPAuth=required;Setup

[FileIPAuth]
include=/etc/gnugk/accesslist.ini

(EOF)

Contents of /etc/gnugk/accesslist.ini:

[FileIPAuth]
192.168.1.1=allow
192.168.1.100=allow
any=reject
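
The precedence rule in this section (longer network mask wins, regardless of the order of the lines) is the part most worth checking before relying on it. The following is an added example, not code from GnuGk or from the post: it parses a [FileIPAuth] list with the entry forms the text lists (single IP, A.B.C.D/M.M.M.M, A.B.C.D/LENGTH, 'any'/'*', optional allowed prefixes) and evaluates Example #1 against constructed addresses and called numbers. The include directive and the mapping of entries onto particular RAS/Q.931 messages are left out; treating an entry's prefix list as a restriction on the called number is this example's reading of "allowed prefixes".

```python
"""Evaluate a [FileIPAuth] access list as section 10.2 describes it.

Added example, not GnuGk code. The access list is the one from Example #1;
the tested addresses and called numbers are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

Entry = Tuple[ipaddress.IPv4Network, bool, List[str]]   # (network, allow?, prefixes)
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_file_ip_auth(lines: List[str]) -> List[Entry]:
    """Parse 'IP=allow|reject[;prefix,...]' lines, most specific entry first."""
    entries: List[Entry] = []
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in ";[" or line.startswith("include="):
            continue                       # comments, section header, include (not handled)
        key, _, value = line.partition("=")
        action, _, prefixes = value.partition(";")
        key = key.strip()
        # ip_network accepts both the /LENGTH and the /M.M.M.M mask forms
        net = ANY if key in ("any", "*") else ipaddress.ip_network(key, strict=False)
        allowed = [p.strip() for p in prefixes.split(",") if p.strip()]
        entries.append((net, action.strip().lower() == "allow", allowed))
    # the text: mask length defines priority, so sort longest mask first
    entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return entries


def check(entries: List[Entry], ip: str, called: Optional[str] = None) -> Optional[bool]:
    """True = allowed, False = rejected, None = no entry matched the address."""
    addr = ipaddress.ip_address(ip)
    for net, allow, prefixes in entries:
        if addr not in net:
            continue
        if not allow:
            return False
        if prefixes and called is not None:
            # entry restricts which destinations this source may call
            return any(called.startswith(p) for p in prefixes)
        return True
    return None


EXAMPLE_1 = [
    "[FileIPAuth]",
    "192.168.1.240=reject",
    "192.168.1.0/24=allow",
    "192.168.2.0/255.255.255.0=allow;48,49,44",
    "any=reject",
]


def run_example_1() -> dict:
    entries = parse_file_ip_auth(EXAMPLE_1)
    return {
        "host_240": check(entries, "192.168.1.240"),            # /32 reject beats /24 allow
        "lan1_host": check(entries, "192.168.1.17"),            # /24 allow
        "lan2_prefix_49": check(entries, "192.168.2.5", "4930123456"),
        "lan2_prefix_33": check(entries, "192.168.2.5", "3312345"),
        "outside": check(entries, "10.1.2.3"),                  # any=reject
    }


if __name__ == "__main__":
    for k, v in run_example_1().items():
        print(f"{k:16s} {v}")
```

A list without a final any=reject entry leaves check() returning None for addresses that match nothing; in this simulation that means the decision is left to the rest of the [Gatekeeper::Auth] chain, which is why both examples in the post end with any=reject.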

Re: Config file gnugk.ini

Posted by voip4share » 20 Dec 2009 12:50

10.3 Section [SimplePasswordAuth]

The section defines the userid and password pairs used by SimplePasswordAuth module. All passwords are encrypted using the addpasswd utility.

Usage:

addpasswd config section userid password

Example:

addpasswd config.ini SimplePasswordAuth frank secret

Options:

KeyFilled=123
Default: 0

Default value to use as a padding byte during password encryption/decryption.


CheckID=1
Default: 0

Check if the aliases match the ID in the tokens.


PasswordTimeout=120
Default: -1

The module SimplePasswordAuth and all its descendants will cache an authenticated password. This field defines the cache timeout value in seconds. 0 means never cache the password, while a negative value means the cache never expires.


DisableAlgorithm=MD5,H.235.1
Default: N/A

Disable H.235 authentication algorithms in the GRQ/GCF negotiation, otherwise all algorithms supported by GnuGk are used. A disabled algorithm will still be used if it is used by an endpoint without negotiation. This switch can be used to avoid incompatibilities with vendor implementations.

Re: Config file gnugk.ini

Posted by voip4share » 20 Dec 2009 12:51

10.4 Section [SQLPasswordAuth]

Authenticate H.235 enabled endpoints using passwords stored in the SQL database. This section defines the SQL driver to use, SQL database connection parameters and the query to use to retrieve passwords.


Driver=MySQL | PostgreSQL | Firebird | ODBC | SQLite
Default: N/A

SQL database driver to use. Currently, MySQL, PostgreSQL, Firebird, ODBC and SQLite drivers are implemented.


Host=DNS[:PORT] | IP[:PORT]
Default: localhost

SQL server host address. Can be in the form of DNS[:PORT] or IP[:PORT]. Like sql.mycompany.com or sql.mycompany.com:3306 or 192.168.3.100.


Database=billing
Default: N/A

The database name to connect to.


Username=gnugk

The username used to connect to the database.


Password=secret

The password used to connect to the database. If the password is not specified, a database connection attempt without any password will be made. If EncryptAllPasswords is enabled, or a KeyFilled variable is defined in this section, the password is in an encrypted form and should be created using the addpasswd utility.


CacheTimeout=120
Default: 0

This field defines how long (alias;password) pairs retrieved from the database will be cached in the local memory. The cache timeout value is expressed in seconds. 0 means to not cache passwords, while a negative value means the cache never expires (only reload command will refresh the cache).


MinPoolSize=5
Default: 1

Defines the number of active SQL connections. This allows for better performance under heavy load, because more than one concurrent query can be executed at the same time. Setting MinPoolSize=1 will simulate the old behavior, when access to the SQL database was serialized (one query at a time).


Query=SELECT ...
Default: N/A

Defines the SQL query used to retrieve the H.235 password from the database. The query is parameterized, which means that parameter replacement is made before each query is executed. Parameter placeholders are denoted by %1, %2, ... strings. Specify %% to embed a percent character before a digit into the string (like %%1); specify %{1} to allow expansion inside complex expressions like %{1}123. For SQLPasswordAuth two parameters are defined:

%1 - the actual alias to query the password for
%2 - the gatekeeper identifier
Sample query strings:

SELECT h235password FROM users WHERE alias = '%1' AND active
SELECT h235password FROM users WHERE alias = '%1' AND gk = '%2'
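
The placeholder syntax in this section (%1, %2, %% and %{1}) and the letter placeholders of sections 9.6 and 9.8 (%u, %i) follow the same substitution idea, so one expander serves all three. The following is an added example, not code from GnuGk or from the post: it implements the rules as the text states them and runs the post's sample queries over constructed parameter values; the query with an ip = '%i' clause is constructed, not from the post. One defensive choice of this example, and not something the text says GnuGk does: a single quote inside a substituted value is doubled so that a value cannot end the SQL string literal the template wraps it in.

```python
"""Expand GnuGk-style SQL query placeholders (sections 9.6, 9.8 and 10.4).

Added example, not GnuGk code. The quote doubling in expand_query is this
example's defensive choice; the post does not describe GnuGk's own handling.
"""
import re
from typing import Dict

# %%        -> a literal percent character
# %{name}   -> parameter 'name'; braces allow forms such as %{1}123
# %12 / %u  -> digits are taken greedily, a letter placeholder is one character
_PLACEHOLDER = re.compile(r"%(?:(%)|\{([^}]+)\}|(\d+|[A-Za-z]))")


def expand_query(template: str, params: Dict[str, str]) -> str:
    """Return the template with every placeholder replaced from params."""
    def repl(m) -> str:
        if m.group(1):
            return "%"
        name = m.group(2) or m.group(3)
        if name not in params:
            raise KeyError(f"no value for placeholder %{name}")
        return params[name].replace("'", "''")   # keep the value inside its quotes
    return _PLACEHOLDER.sub(repl, template)


def sample_expansions() -> Dict[str, str]:
    """Run the post's sample queries (plus one constructed %i query) over constructed values."""
    pw = "SELECT h235password FROM users WHERE alias = '%1' AND gk = '%2'"
    aa = "SELECT assignedalias FROM users WHERE alias = '%u' AND active"
    ag = "SELECT assignedgatekeeper FROM users WHERE alias = '%u' AND ip = '%i'"  # constructed
    return {
        "password": expand_query(pw, {"1": "frank", "2": "gk.example"}),
        "assigned_alias": expand_query(aa, {"u": "1234"}),
        "assigned_gk": expand_query(ag, {"u": "1234", "i": "192.168.1.17"}),
        "braces": expand_query("%{1}123", {"1": "ab"}),
        "literal_percent": expand_query("LIKE '%%1'", {}),
        "quote_in_value": expand_query("alias = '%1'", {"1": "o'neil"}),
    }


if __name__ == "__main__":
    for k, v in sample_expansions().items():
        print(f"{k:16s} {v}")
```

The reason the text gives for %{1} shows up directly: "%1123" is read as placeholder 1123, so expand_query raises KeyError for it, while "%{1}123" expands as intended.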

Re: Config file gnugk.ini

Posted by voip4share » 20 Dec 2009 12:52

10.5 Section [RasSrv::RRQAuth]

Specify the action on RRQ reception (confirm or deny) for AliasAuth module. The first alias (this will mostly be an H323ID) of the endpoint to register is looked up in this section. If a parameter is found the value will apply as a rule. A rule consists of conditions separated by "&". A registration is accepted when all conditions apply.


Syntax:

<authrules> := empty | <authrule> "&" <authrules>

<authrule> := <authtype> ":" <authparams>
<authtype> := "sigaddr" | "sigip"
<authparams> := [!&]*

The notation and meaning of <authparams> depends on <authtype>:


sigaddr - extended regular expression that has to match against the "PrintOn(ostream)" representation of the signal address of the request.
Example:

sigaddr:.*ipAddress .* ip = .* c0 a8 e2 a5 .*port = 1720.*


sigip - specialized form of 'sigaddr'. Write the signaling IP address using (commonly used) decimal notation: "byteA.byteB.byteC.byteD:port".
Example:

sigip:192.168.242.165:1720


allow - always accept the alias.
deny - always reject the alias.
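
The rule grammar above ("&"-joined conditions, all of which must hold) with the four condition kinds sigip, sigaddr, allow and deny is small enough to implement end to end. The following is an added example, not code from GnuGk or from the post: it parses a constructed [RasSrv::RRQAuth] section built around the post's two example conditions and evaluates registrations from constructed addresses. The one-line rendering of the signal address that sigaddr is matched against is a constructed stand-in for PTLib's PrintOn(ostream) output; it keeps the pieces the post's own regular expression relies on (the word ipAddress, the hex octets, the port). Note that the hex octets c0 a8 e2 a5 in the sigaddr example decode to 192.168.226.165, so that rule and the sigip example (192.168.242.165) describe different endpoints.

```python
"""Evaluate [RasSrv::RRQAuth] rules for the AliasAuth module (section 10.5).

Added example, not GnuGk code. render_signal_address is a constructed
approximation of the PrintOn(ostream) form; SAMPLE is a constructed section.
"""
import ipaddress
import re
from typing import Dict, List, Optional


def parse_rrq_auth(lines: List[str]) -> Dict[str, str]:
    """alias -> rule string; the section header and comments are skipped."""
    rules: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in ";[":
            continue
        alias, _, rule = line.partition("=")   # split at the first '=' only
        rules[alias.strip()] = rule.strip()
    return rules


def render_signal_address(ip: str, port: int) -> str:
    """Constructed one-line form of a transport address with hex octets."""
    octets = " ".join(f"{b:02x}" for b in ipaddress.ip_address(ip).packed)
    return f"ipAddress {{ ip = 4 octets {{ {octets} }} port = {port} }}"


def condition_holds(cond: str, ip: str, port: int) -> bool:
    kind, _, param = cond.partition(":")
    if kind == "allow":
        return True
    if kind == "deny":
        return False
    if kind == "sigip":                       # decimal A.B.C.D:port comparison
        return param == f"{ip}:{port}"
    if kind == "sigaddr":                     # extended regex over the rendered address
        return re.search(param, render_signal_address(ip, port)) is not None
    raise ValueError(f"unknown condition type {kind!r}")


def accept_rrq(rules: Dict[str, str], alias: str, ip: str, port: int) -> Optional[bool]:
    """True/False when the alias has a rule; None when the section has no entry."""
    rule = rules.get(alias)
    if rule is None:
        return None
    conds = [c for c in rule.split("&") if c]  # an empty rule has no conditions
    return all(condition_holds(c, ip, port) for c in conds)


SAMPLE = [  # constructed section using the post's two example conditions
    "[RasSrv::RRQAuth]",
    "frank=sigip:192.168.242.165:1720",
    "lobby=sigaddr:.*ipAddress .* ip = .* c0 a8 e2 a5 .*port = 1720.*",
    "guest=allow",
    "blocked=deny",
    "both=sigip:192.168.226.165:1720&sigaddr:.* c0 a8 e2 a5 .*",
]


def run_sample() -> dict:
    rules = parse_rrq_auth(SAMPLE)
    return {
        "frank_right_ip": accept_rrq(rules, "frank", "192.168.242.165", 1720),
        "frank_wrong_port": accept_rrq(rules, "frank", "192.168.242.165", 1721),
        "lobby_hex_match": accept_rrq(rules, "lobby", "192.168.226.165", 1720),
        "lobby_other_ip": accept_rrq(rules, "lobby", "192.168.242.165", 1720),
        "guest": accept_rrq(rules, "guest", "10.0.0.1", 1720),
        "blocked": accept_rrq(rules, "blocked", "10.0.0.1", 1720),
        "both": accept_rrq(rules, "both", "192.168.226.165", 1720),
        "unknown_alias": accept_rrq(rules, "nobody", "10.0.0.1", 1720),
    }


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(f"{k:18s} {v}")
```

The unknown_alias case returning None mirrors the text: the section only applies when the first alias of the registering endpoint is found in it, so aliases without an entry need a deny elsewhere (or a default=reject in [Gatekeeper::Auth]) if they are not meant to register.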
