Mailing List Archive

aaa problem
Hello,

I have a problem with my AS5350 gateway. I work gateway-to-gateway. I don't use a gatekeeper. I try to terminate calls. My scenario is:


GW1------>myGW---controller e1------------>GSM Channel Bank
                   |
                   |
               freeradius

If a call comes from GW1 to myGW, first I want to authenticate and authorize the call based on the IP address of GW1 via freeradius. Then account. I can only send accounting requests to radius. I cannot send authentication and authorization requests to radius. Can you help me?
My config is:
Current configuration : 10036 bytes
!
! Last configuration change at 13:17:29 GMT Sat Jan 1 2000 by shrntrsn
!
version 12.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
no boot startup-test
aaa new-model
!
!
aaa authentication login default group radius
aaa authentication login h323 group radius
aaa authentication ppp default group radius
aaa authentication ppp h323 group radius
aaa authorization exec h323 group radius if-authenticated
aaa authorization network default group radius if-authenticated
aaa accounting update newinfo
aaa accounting network h323 start-stop group radius
aaa accounting connection h323 start-stop group radius
aaa accounting resource h323 start-stop group radius
aaa session-id common
!
!
resource-pool disable
clock timezone GMT 0
clock calendar-valid
spe country turkey
!
!
!
!
!
ip subnet-zero
ip cef
!
class-map match-all deneme
 match none
!
!
policy-map deneme
!
voice call send-alert
voice rtp send-recv
!
voice service pots
!
voice class codec 312
 codec preference 1 g729r8
!
voice class codec 99
 codec preference 1 g729r8
 codec preference 2 g723r63
!
voice class codec 80
 codec preference 1 g729r8
!
!
!
voice class h323 1
 call start fast
!
voice class h323 99
 call start fast
!
voice class h323 80
 h225 timeout tcp establish 10
 call start fast
!
!
!
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
controller E1 3/0
 shutdown
!
controller E1 3/1
 shutdown
!
controller E1 3/2
 ds0-group 1 timeslots 1-15 type r2-digital
 ds0-group 2 timeslots 17-31 type r2-digital
 ds0 busyout 28-31 hard
!
controller E1 3/3
 shutdown
!
gw-accounting h323
gw-accounting h323 vsa
gw-accounting voip
!
!
interface FastEthernet0/0
 ip address x.x.x.x y.y.y.y
 ip access-group h323 in
 duplex auto
 speed auto
 no cdp enable
 h323-gateway voip bind srcaddr x.x.x.x
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 shutdown
 no ip address
 no ip mroute-cache
 clockrate 2000000
!
interface Serial0/1
 no ip address
 shutdown
 clockrate 2000000
!
interface Async1/00
 no ip address
!
interface Async1/01
 no ip address
!
interface Async1/02
 no ip address
ip classless
ip route 0.0.0.0 0.0.0.0 y.y.y.y
no ip http server
snmp-server community aaaaa RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps calltracker
snmp-server enable traps tty
snmp-server enable traps modem-health
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps fru-ctrl
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps aaa_server
snmp-server enable traps bgp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps dlsw
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps voice poor-qov
snmp-server enable traps dnis
snmp-server enable traps xgcp
snmp ifmib ifalias long
!
!
radius-server host qqqq auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server attribute 8 include-in-access-req
radius-server key 222222222
radius-server vsa send accounting
radius-server vsa send authentication
call rsvp-sync
!
voice-port 3/2:1
 input gain 6
 echo-cancel coverage 16
 compand-type a-law
 cptone TR
 timeouts interdigit 2
 timeouts ringing infinity
 bearer-cap Speech
!
voice-port 3/2:2
 input gain 6
 echo-cancel coverage 16
 compand-type a-law
 cptone TR
 timeouts interdigit 2
 timeouts ringing infinity
 bearer-cap Speech
!
voice-class aaa 1
 authentication method h323
 authorization method h323
 accounting method h323
mgcp profile default
!
dial-peer cor custom
!
!
!
dial-peer voice 99 voip
 incoming called-number ssss
 voice-class codec 99
 voice-class h323 99
 dtmf-relay h245-signal h245-alphanumeric
!
dial-peer voice 1 pots
 max-conn 20
 destination-pattern T
 port 3/2:1
 forward-digits 11
 prefix ,
 voice class aaa 1
!
dial-peer voice 2 pots
 max-conn 20
 destination-pattern
 forward-digit 11
 port 3/2:2
 prefix ,



Re: aaa problem
Hello İsmail,

Your configuration looks ok. One thing is missing: the TCL application
from your dial-peer.
You are using the default application called session, which doesn't
have RADIUS authentication. You need to download or write a tcl script
which collects the information required for authentication.
As far as I know, on cisco.com (CCO needed) you can find a sample
(working) script for your purpose (ip_remote.tcl?).

Regards,
Thomas

Tuesday, July 6, 2004, 4:28:31 PM, you wrote:

İC> Hello,
İC>
İC> I have a problem with my AS5350 gateway. I work
İC> gateway-to-gateway. I don't use a gatekeeper. I try to terminate
İC> calls. My scenario is:
İC>
İC>
İC> GW1------>myGW---controller e1------------>GSM Channel Bank
İC>                    |
İC>                    |
İC>                freeradius
İC>
İC> If a call comes from GW1 to myGW, first I want to
İC> authenticate and authorize the call based on the IP address of GW1 via
İC> freeradius. Then account. I can only send accounting requests to
İC> radius. I cannot send authentication and authorization requests to
İC> radius. Can you help me?
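
What the reply above describes, as an added configuration example that is not part of the original thread: a Tcl IVR script is loaded under a local application name and bound to the inbound VoIP dial-peer so that it replaces the default session application. The application name ip_auth, the TFTP server and the script file name are placeholders; the dial-peer lines are copied from the posted configuration.

```cisco
! Added example, not from the thread. Values in <...> are placeholders.
!
! 1. Load the Tcl IVR script under a local application name.
!    The name "ip_auth" is arbitrary and only has to match step 2.
call application voice ip_auth tftp://<tftp-server>/<script-file>.tcl
!
! 2. Bind the application to the dial-peer that matches the incoming
!    VoIP leg from GW1. Without an "application" line the dial-peer
!    runs the default session application, which sends no
!    authentication request to RADIUS.
dial-peer voice 99 voip
 application ip_auth
 incoming called-number ssss
 voice-class codec 99
 voice-class h323 99
 dtmf-relay h245-signal h245-alphanumeric
!
! 3. From exec mode, confirm the script loaded and watch for
!    Access-Request packets going to the RADIUS server on the next call:
!      show call application voice summary
!      debug aaa authentication
!      debug radius
```

If the debug output shows only Accounting-Request packets on a test call, the call did not match the dial-peer that carries the application line.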