|
|
Table Of Contents
Cisco H.235 Accounting and Security Enhancements for Cisco Gateways
Supported Standards, MIBs, and RFCs
Configuring the IVR Inbound Dial Peer
Enabling Security on the Gateway
Cisco H.235 Accounting and Security Enhancements for Cisco Gateways
Feature History
This document describes the Cisco H.235 Accounting and Security Gateway Enhancements. It includes the following sections:
•
Supported Standards, MIBs, and RFCs
•
Feature Overview
The Cisco H.323 gateway now supports the use of CryptoH323Tokens for authentication. The CryptoH323Token is defined in H.225 Version 2 and is used in a "password-with-hashing" security scheme as described in section 10.3.3 of the H.235 specification.
A cryptoToken can be included in any RAS message and is used to authenticate the sender of the message. You can use a separate database for user ID and password verification.
With this release, Cisco H.323 gateways support three levels of authentication:
•
•
•
You can configure the level of authentication for the gateway using the Cisco IOS software command line interface. For more information, see the "Command Reference" section.
CryptoTokens for registration requests (RRQ), unregistration request (URQ), disengage request (DRQ) and the terminating side of admission request (ARQ) messages contain information about the gateway that generated the token, including the gateway ID (which is the H.323 ID configured on the gateway) and the gateway password. CryptoTokens for the originating side ARQ messages contain information about the user that is placing the call, including the user ID and personal identification number (PIN).
Benefits
Gateway Security and Accounting
This feature provides sender validation by using an authentication key in the gateway's RAS messages. This key is used by the gatekeeper to authenticate the source of the messages and ensure secure communication.
Related Documents
Configuring H.323 VoIP Gateway for Cisco Access Platforms
Supported Platforms
•
•
•
•
•
•
•
•
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.
Supported Standards, MIBs, and RFCs
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
To obtain lists of MIBs supported by platform and Cisco IOS release and to download MIB modules, go to the Cisco MIB web site on Cisco Connection Online (CCO) at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
No new or modified RFCs are supported by this feature.
Prerequisites
Enabling security on the Cisco gateway will result in the RAS messages containing a secure key. In order to secure the RAS messages and calls, it is essential that the gatekeeper provides authentication based on the secure key. The gatekeeper must support H.235 security using the same security scheme as the Cisco gateway.
•
•
Configuration Tasks
See the following sections for configuration tasks for the Cisco H.235 Accounting and Security features:
•
•
Note
For the Cisco AS5300 access server, port designation is port.
For the Cisco AS5800 access server, port designation is shelf/slot/port.Downloading IVR Scripts
Download the appropriate Tool Command Language (TCL) IVR scripts from the CCO Software Support Center. The IVR feature was first made available to customers in Cisco IOS Release 11.(3)NA2, with the Service Provider Voice over IP feature set. Scripts using Tool Command Language (TCL) were introduced with Cisco IOS Release 12.0(4)XH. These TCL IVR scripts are the default scripts that must be used with the IVR application in Cisco IOS Release 12.0(4)XH and future releases.
The TCL IVR scripts are the default scripts for all Cisco voice features using IVR. All IVR scripts that were developed for releases before Cisco IOS Release 12.0(5)T have been modified and secured with a proprietary Cisco locking mechanism using TCL. Only Cisco internal technical support personnel can open and modify these scripts. When the TCL script is activated, the system verifies the Cisco signature level. If the script is inconsistent with the authorized signature level, the script does not load and the customer's console screen displays an error message.
You can download TCL scripts from the CCO Software Center at the following URL:
http://www.cisco.com/pcgi-bin/ibld/all.pl?i=support&c=3
Note
Configuring the IVR Inbound Dial Peer
To call an IVR script and enable security, enter the following commands:
Note
Enabling Security on the Gateway
Verifying Security
The command show running configuration displays the security password and level when it is enabled. By default, security is disabled.
Router# show running configsecurity password 151E0A0E level allConfiguration Examples
This section provides the following configuration examples:
Security Enabled
The following example illustrates the resulting configuration in which an IVR script is called and security is enabled on the gateway.
hostname um5300!enable password xyz!!!resource-pool disable!!!!!clock timezone EST -5clock summer-time EDT recurringip subnet-zerono ip domain-lookup!isdn switch-type primary-5essisdn voice-call-failure 0call application voice xyz tftp://172.18.16.2/samp/xyz.tclcall application voice load xysmta receive maximum-recipients 1024!xgcp snmp sgcp!controller T1 0framing esfclock source line primarylinecode b8zspri-group timeslots 1-24!controller T1 1framing esfclock source line secondary 1linecode b8zspri-group timeslots 1-24!controller T1 2!controller T1 3!!voice-port 0:D!voice-port 1:D!!dial-peer voice 4001 potsapplication xyzdestination-pattern 4003port 0:Dprefix 4001!dial-peer voice 513 voipdestination-pattern 1513200....session target ras!dial-peer voice 9002 voipdestination-pattern 9002session target ras!dial-peer voice 4191024 potsdestination-pattern 4192001024port 0:Dprefix 4001!dial-peer voice 1513 voipdestination-pattern 1513.......session target ras!dial-peer voice 1001 potsdestination-pattern 14192001001port 0:D!gatewaysecurity password 151E0A0E level all!interface Ethernet0ip address 10.99.99.7 255.255.255.0no ip directed-broadcastshutdown!interface Serial0:23no ip addressno ip directed-broadcastisdn switch-type primary-5essisdn protocol-emulate userisdn incoming-voice modemfair-queue 64 256 0no cdp enable!interface Serial1:23no ip addressno ip directed-broadcastisdn switch-type primary-5essisdn protocol-emulate userisdn incoming-voice modemisdn guard-timer 3000isdn T203 10000fair-queue 64 256 0no cdp enable!interface FastEthernet0ip address 172.18.72.121 255.255.255.192no ip directed-broadcastduplex autospeed autoh323-gateway voip interfaceh323-gateway voip id um5300@vgkcisco3 ipaddr 172.18.72.58 1719h323-gateway voip h323-id um5300h323-gateway voip tech-prefix 1#!no ip http serverip classlessip route 0.0.0.0 0.0.0.0 172.18.72.65!!line con 0exec-timeout 0 0length 0transport input noneline aux 0line vty 0 4password xyzlogin!ntp clock-period 17179974ntp server 172.18.72.124endCommand Reference
This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 T command reference publications.
security password level
To control whether H.323 security is enabled on the gateway, use the security password level command. To disable, use the no form of this command.
security password level { endpoint | per-call | all }
no security password level { endpoint | per-call | all }
Syntax Description
Defaults
Both endpoint and per-call authentication is provided.
Command Modes
Global configuration mode
Command History
Usage Guidelines
This command is designed to add security on inbound IP call legs where the call might originate from a gateway you don't know and trust, but routed by a gatekeeper you do know and trust.
It can also be used in the case when you want to do subscriber authentication on the gatekeeper instead of from the gateway.
Examples
The following example shows that each call is authenticated by the gatekeeper:
security password 151E0A0E level per-callDebug Commands
There are no new or modified debug commands for this feature.
Glossary
AAA—Authentication, Authorization, and Accounting. AAA is a suite of network security services that provide the primary framework through which access control can be set up on your Cisco router or access server.
ANI—Answer number indication. The calling number (number of calling party).
ARQ—Admission request.
CAS—Channel associated signaling.
dial peer—An addressable call endpoint. In Voice over IP (VoIP), there are two types of dial peers: POTS and VoIP.
endpoint—An H.323 terminal or gateway. An endpoint can call and be called. It generates or terminates the information stream, or both.
gatekeeper—A gatekeeper maintains a registry of devices in the multimedia network. The devices register with the gatekeeper at startup and request admission to a call from the gatekeeper.
The gatekeeper is an H.323 entity on the LAN that provides address translation and control access to the LAN for H.323 terminals and gateways. The gatekeeper may provide other services to the H.323 terminals and gateways, such as bandwidth management and locating gateways.
H.323 RAS—Registration, admission, and status. The RAS signaling function performs registration, admissions, bandwidth changes, status, and disengage procedures between the VoIP gateway and the gatekeeper.
LRQ—Location request.
node—An H.323 entity that uses RAS to communicate with the gatekeeper. For example, an endpoint such as a terminal, proxy, or gateway.
POTS—Plain old telephone service. Basic telephone service supplying standard single-line telephones, telephone lines, and access to the PSTN.
PSTN—Public switched telephone network. PSTN refers to the local telephone company.
QoS—Quality of service, which refers to the measure of service quality provided to the user.
RAS—Registration, admission, and status protocol. This is the protocol that is used between endpoints and the gatekeeper to perform management functions.
RBS—Robbed bit signaling
RRQ—Registration request.
VoIP—Voice over IP. The ability to carry normal telephone-style voice over an IP-based internet with POTS-like functionality, reliability, and voice quality. VoIP is a blanket term that generally refers to Cisco's standards-based (H.323, and so on.) approach to IP voice traffic.
Posted: Wed Jan 25 11:08:03 PST 2006
All contents are Copyright © 1992--2006 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.
