Using tacppd to authenticate gatekeeper registration of NetMeeting VoIP terminals
(c) Copyright by Roman Volkov. If you need more information, complete solutions or consultation, please contact http://tacppd.com
16 Dec 2002

To use this document you should have knowledge of tacppd, H.323 networks, Cisco IOS commands and the Cisco IOS H.323 gatekeeper.

Available hardware/software
2 x Intel Pentium III
Slackware Linux 8.0
tacppd 0.0.6pre1
PostgreSQL 7.2
Cisco 2610 with IOS 12.2(13)T h323 feature set

Devices settings
Cisco IOS gatekeeper: 192.168.0.2
tacppd host: 192.168.0.1
NetMeeting host 1: winhost1
NetMeeting host 2: winhost2

Cisco config
You should know that the IOS gatekeeper doesn't support authorization, so we can do only authentication, and we also get accounting information.
First, configure Cisco to use tacppd:

aaa new-model
!
!
aaa group server tacacs+ TACPPD
 server 192.168.0.1

tacacs-server host 192.168.0.1 single-connection port 10000 key VOiP
As a second step, configure authentication and accounting via tacppd:
aaa authentication login h323 group TACPPD
aaa accounting suppress null-username
aaa accounting update newinfo
aaa accounting connection h323 start-stop group TACPPD
aaa nas port voip
We use aaa nas port voip to see port names in a normal format.
Now we should configure gatekeeper security. I do not write here how to configure zones, prefixes and other things; see the Cisco documentation first. I write only how to configure authentication for a NetMeeting client. We will use authentication by h323-id.
gatekeeper
 zone local GK-TACPPD-A tacppd.com 192.168.0.2
 accounting vsa    ! enable more accounting information
 security h323-id
 security password separator :
 ! these lines are recommended to keep NetMeeting happy
 no use-proxy GK-TACPPD-A default inbound-to terminal
 no use-proxy GK-TACPPD-A default outbound-from terminal
 no shutdown
As a result of these lines, any device that tries to register on our gatekeeper must use a strange composite h323-id of the form h323-id:password. The gatekeeper splits it at the separator and checks it against the tacppd server with username=h323-id and password=password.

NetMeeting config
Check the options and set the gatekeeper to 192.168.0.2. On host winhost1 set the h323 identifier to steve:Astra and the E164 number to 331; on host winhost2 set the h323 identifier to john:Moon and the E164 number to 332.

tacppd config
Configure tacppd to accept the gatekeeper device. We do not need SNMP polling (and it will not work here).

 ! configure access list
 access 1
  permit ^192.168.0.2$
  exit

 ! configure tacacs+ listener
 listener 10000
  type tacacs
  maxconnect 10
  acl 1
  exit
 
 ! configure gatekeeper device
 device 192.168.0.2
  description 'vgk'
  tacacskey 'VOiP'
  snmpcommunity 'public'
  loginstring 'login++:'
  pwdstring 'pwd++:'
  defauthorization no
  module none.so
  polldelay 60
  inttrfcount no
  snmppolling no
  icmppolling yes
  shutdown no
  exit

tacppd data
Add users, passwords and access information to the tacppd database:

host1: {7} % telnet localhost 2222
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.


TACPPD user access verification

Username: admin
Password: 
Authentication success


Create config object ... Ok

tacppd>database
tacppd(database)#add user
user name []:steve
password []:Astra
open date [1970-01-01 10:00:00]:
close date [1970-01-01 10:00:00]:2003-01-01 10:00:00
authorization group []:
access group []:vgk
resource group []:
additional data group []:
max sessions [1]:1
Are you shure? [y/n]:y

tacppd(database)#add user
user name []:john
password []:Moon
open date [1970-01-01 10:00:00]:
close date [1970-01-01 10:00:00]:2003-01-01 10:00:00
authorization group []:
access group []:vgk
resource group []:
additional data group []:
max sessions [1]:1
Are you shure? [y/n]:y

tacppd(database)#add access
access group name []:vgk
access by phone []:.*
from specifyed NAS []:192.168.0.2
from specifyed port []:.*
restricted access time []:
Are you shure? [y/n]:y

tacppd(database)#exit
tacppd>exit
We do not need authorization information; we only check user/password and apply some access control.
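To make the two checks concrete (the gatekeeper splitting the composite h323-id, then tacppd verifying the user record and the access group), here is an added Python model. It is my own example, not tacppd's or Cisco IOS's code. The record layout follows the fields the tacppd CLI asks for above; the split at the first separator, the full-match regex semantics for the phone/NAS/port patterns, the port string "voip" and all sample records are assumptions I constructed for the demonstration.

```python
"""Model of the registration check described in the text.
Added example, not tacppd's own code. The record layout and the
matching rules are assumptions based on the fields the tacppd CLI
asks for; all sample data below is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime

SEPARATOR = ":"  # from 'security password separator :' on the gatekeeper


@dataclass
class AccessGroup:
    """One 'add access' record: regexes for phone, NAS address and port."""
    name: str
    phone: str
    nas: str
    port: str


@dataclass
class User:
    """One 'add user' record (only the fields this example needs)."""
    name: str
    password: str
    close: datetime
    access_group: str
    max_sessions: int
    active_sessions: int = 0


def split_h323_id(h323_id, sep=SEPARATOR):
    """Split 'name:password' as the gatekeeper does for 'security h323-id'.
    Assumption: split at the first separator; an id without one yields
    no password and therefore fails authentication."""
    if sep not in h323_id:
        return h323_id, None
    name, password = h323_id.split(sep, 1)
    return name, password


def check_registration(h323_id, nas, port, phone, now, users, groups):
    """Return (accepted, reason) for one registration attempt."""
    name, password = split_h323_id(h323_id)
    user = users.get(name)
    if user is None or password is None or password != user.password:
        return False, "authentication failed"      # unknown user or bad password
    if now >= user.close:
        return False, "account closed"             # past the close date
    if user.active_sessions >= user.max_sessions:
        return False, "max sessions reached"
    group = groups.get(user.access_group)
    if group is None:
        return False, "no access group"
    # Assumption: each pattern must match the whole value, as with the
    # '^192.168.0.2$' pattern used in the tacppd access list above.
    for pattern, value, what in ((group.phone, phone, "phone"),
                                 (group.nas, nas, "NAS"),
                                 (group.port, port, "port")):
        if not re.fullmatch(pattern, value):
            return False, f"{what} not permitted"
    return True, "accepted"


# Constructed records mirroring the 'tacppd data' session above.
USERS = {
    "steve": User("steve", "Astra", datetime(2003, 1, 1, 10), "vgk", 1),
    "john": User("john", "Moon", datetime(2003, 1, 1, 10), "vgk", 1,
                 active_sessions=1),   # john is assumed already registered
}
GROUPS = {"vgk": AccessGroup("vgk", ".*", "192.168.0.2", ".*")}
GATEKEEPER = "192.168.0.2"
WHEN = datetime(2002, 12, 16, 12, 0)        # the day of this document
AFTER_CLOSE = datetime(2003, 1, 2, 0, 0)    # after steve's close date


def demo():
    """Run the attempts a practitioner would want to see; return {label: result}."""
    attempts = [
        ("good",         "steve:Astra", GATEKEEPER,    "331", WHEN),
        ("bad-password", "steve:wrong", GATEKEEPER,    "331", WHEN),
        ("no-separator", "steve",       GATEKEEPER,    "331", WHEN),
        ("unknown-nas",  "steve:Astra", "192.168.0.3", "331", WHEN),
        ("too-many",     "john:Moon",   GATEKEEPER,    "332", WHEN),
        ("expired",      "steve:Astra", GATEKEEPER,    "331", AFTER_CLOSE),
    ]
    results = {}
    for label, h323_id, nas, phone, when in attempts:
        results[label] = check_registration(h323_id, nas, "voip", phone,
                                            when, USERS, GROUPS)
    return results


if __name__ == "__main__":
    for label, (ok, why) in demo().items():
        print(f"{label:<13} -> {'ACCEPT' if ok else 'REJECT'} ({why})")
```

Note that the only credential the model ever sees is the one carried inside the h323-id, which is exactly why the "problems" section below matters: anything that can read the registration or the far-end display of the h323-id can read the password.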

debugging
On the NetMeeting side you should see that you are registered on the gatekeeper; you can see it in the Connect menu. On the Cisco IOS gatekeeper you can check active registrations with show gatekeeper endpoints, which also lists the users' E164 numbers. For authentication debugging use debug aaa authentication; tacacs+ events can be followed with debug tacacs events, and authentication-specific details with debug tacacs authentication.

problems
The main problem: NetMeeting doesn't support normal CryptoToken authentication, so you can't use that in your network. The next problem: storing the password in the h323-id is insecure. When you connect to another h323 terminal (for example another NetMeeting host), your full h323-id, password included, is shown on the other side's screen. This method is therefore usable only among trusted persons and only to prevent external registrations. Passwords go through the network unencrypted. The next big problem: the IOS gatekeeper doesn't authorize E164 numbers, so a user can set any number himself, without any restriction.
So this is only an example for your fun, not a real solution. Do not use it in a real production network if you don't know what you are doing!


Enjoy!