Project

General

Profile

Actions

Radius based DNIS -> TCP forwarding

With the Livingston_Portmaster_3, it is relatively easy to configure a setup where the Called Party Number (the destination number dialled by the caller, in the US called DNIS) is used to determine a remote host/IP and port number to which to forward the asynchronous stream of bytes leaving a modem, a V.120, X.75 or V.110 async ISDN data call. This is useful to access BBSs via the RAS server.

This setup is surprisingly difficult (so far impossible for laforge) to replicate on Cisco AS5400 systems.

In theory, this should all work, as Cisco offers the following functionality:
  • AAA Pre-authorization based on DNIS
    • this means that a Radius qery is made based on the called party number, before a call is accepted and before any user prompt - just like the Call-Check feature of the Portmaster
  • Radius-based specification of a remote IP/Port to forward to, by means of
                    Service-Type = Login-User,
                    Login-Service = Telnet,
                    Login-IP-Host = 192.168.7.2,
                    Login-TCP-Port = 23
    

Unfortunately, after way too many hours wasted, it still doesn't work.

Some observations

Radius client correctly understands Login-*

As we can see in the debug log below, the pre-auth for the DNIS works correctly, the cisco radius client receives the telnet IP/Port and appears to internally construct an autocommand from it (telnet192.168.7.2 9000). For Login-Service=TCP-Clear, it appends a /stream to that command.

*Aug 19 00:16:30.675: RADIUS(0000005A): Send Access-Request to 192.168.7.2:1645 id 1645/91, len 159
*Aug 19 00:16:30.675: RADIUS:  authenticator 1F FE AD FC 80 28 17 B3 - 22 3D 30 A0 0A 1B 9E 60
*Aug 19 00:16:30.675: RADIUS:  User-Name           [1]   13  "03012344001" 
*Aug 19 00:16:30.675: RADIUS:  User-Password       [2]   18  *
*Aug 19 00:16:30.675: RADIUS:  Vendor, Cisco       [26]  32  
*Aug 19 00:16:30.675: RADIUS:   Cisco AVpair       [1]   26  "resource-service=reserve" 
*Aug 19 00:16:30.675: RADIUS:  Service-Type        [6]   6   Call Check                [10]
*Aug 19 00:16:30.675: RADIUS:  Calling-Station-Id  [31]  13  "03012342151" 
*Aug 19 00:16:30.675: RADIUS:  Called-Station-Id   [30]  13  "03012344001" 
*Aug 19 00:16:30.675: RADIUS:  Connect-Info        [77]  12  "64000 HDLC" 
*Aug 19 00:16:30.675: RADIUS:  NAS-Port-Type       [61]  6   ISDN                      [2]
*Aug 19 00:16:30.675: RADIUS:  NAS-Port            [5]   6   20028                     
*Aug 19 00:16:30.675: RADIUS:  NAS-Port-Id         [87]  14  "Serial6/0:28" 
*Aug 19 00:16:30.675: RADIUS:  NAS-IP-Address      [4]   6   192.168.7.6               
*Aug 19 00:16:30.675: RADIUS: Received from id 1645/91 192.168.7.2:1645, Access-Accept, len 105
*Aug 19 00:16:30.675: RADIUS:  authenticator 2D 8D D1 52 5D 6C A3 84 - B6 71 98 21 5A 8B 78 40
*Aug 19 00:16:30.675: RADIUS:  Vendor, Cisco       [26]  31  
*Aug 19 00:16:30.679: RADIUS:   Cisco AVpair       [1]   25  "preauth:auth-required=0" 
*Aug 19 00:16:30.679: RADIUS:  Vendor, Cisco       [26]  30  
*Aug 19 00:16:30.679: RADIUS:   Cisco AVpair       [1]   24  "preauth:service-type=1" 
*Aug 19 00:16:30.679: RADIUS:  Service-Type        [6]   6   Login                     [1]
*Aug 19 00:16:30.679: RADIUS:  Login-Service       [15]  6   Telnet                    [0]
*Aug 19 00:16:30.679: RADIUS:  login-ip-addr-host  [14]  6   192.168.7.2               
*Aug 19 00:16:30.679: RADIUS:  login-tcp-port      [16]  6   9000                      
*Aug 19 00:16:30.679: RADIUS(0000005A): Received from id 1645/91
*Aug 19 00:16:30.679: RADIUS/DECODE: VSA service-type=1 maps to Login
*Aug 19 00:16:30.679: RADIUS: Constructed " telnet 192.168.7.2 9000  " 
*Aug 19 00:16:30.679: AAA SRV(0000005A): protocol reply PASS for Authorization
*Aug 19 00:16:30.679: AAA SRV(0000005A): Return Authorization status=PASS
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): Preauth:
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A):  auth-required 
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A):  service-type 
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A):  service-type 
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A):  login-service 
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): default username 03012344001
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): Done - PASSED 

However, whatever code in the cisco calling that raidus client library is not using this information from the pre-authorization phase.

Cisco respects preauth:auth-required=0

When passing that vendor-specific Radius attribute in our response, the Cisco skips the authentication step that would normally follow the pre-authorization. However, it just simply drops the caller to a vty (cisco prompt). One can then manually enter the telnet command just fine, so it is not a matter of missing privileges.

If the radius response in pre-auth contains preauth:auth-required=1 (or skips that attribute completely), then the Cisco proceeds with normal authentication by displaying a login/password prompt. But that's not what we want.

Cisco requires aaa authorization exec for TCP/Telnet fowarding

Even if we keep the normal authentication (preauth:auth-required=1), and log in using a radius user that has a configuration for TCP/Telnet forwarding, we still get dropped to a normal vty command prompt.

The automatic execution of the command only works if the aaa authorization exec is defined, for example aaa authorization exec default group radius. In this case, there is an additional AAA step (after pre-authorization + authentication), which then respects the radius attributes for login-service/login-host/...

So it looks like this:

pre-authorization

*Aug 19 00:17:01.675: AAA/BIND(0000005B): Bind i/f Serial6/0:29 
*Aug 19 00:17:01.675: AAA/ACCT/DS0: channel=29, ds1=0, t3=0, slot=6, ds0=100663325
*Aug 19 00:17:01.675: AAA/ACCT/DS0: channel=29, ds1=0, t3=0, slot=6, ds0=100663325
*Aug 19 00:17:01.675: AAA/AUTHOR/PREAUTH/(0000005B): DNIS-based preauthentication
*Aug 19 00:17:01.675: AAA/AUTHOR/PREAUTH(0000005B): overriding port-type to PRI
*Aug 19 00:17:01.675: AAA/AUTHOR/PREAUTH(0000005B): overriding interface to Serial6/0:29
*Aug 19 00:17:01.675: AAA/AUTHOR (0x5B): Pick method list 'default'
*Aug 19 00:17:01.675: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74
*Aug 19 00:17:01.675: AAA SRV(0000005B): process author req
*Aug 19 00:17:01.675: AAA SRV(0000005B): Author method=SERVER_GROUP radius
*Aug 19 00:17:01.675: RADIUS/ENCODE(0000005B):Orig. component type = ISDN
*Aug 19 00:17:01.675: RADIUS(0000005B): Config NAS IP: 0.0.0.0
*Aug 19 00:17:01.675: RADIUS/ENCODE(0000005B): acct_session_id: 91
*Aug 19 00:17:01.675: RADIUS(0000005B): sending
*Aug 19 00:17:01.675: RADIUS/ENCODE: Best Local IP-Address 192.168.7.6 for Radius-Server 192.168.7.2
*Aug 19 00:17:01.675: RADIUS(0000005B): Send Access-Request to 192.168.7.2:1645 id 1645/92, len 159
*Aug 19 00:17:01.675: RADIUS:  authenticator F1 4A 9E B5 81 29 22 DB - F8 C4 22 E2 73 A2 37 68
*Aug 19 00:17:01.675: RADIUS:  User-Name           [1]   13  "03012344002" 
*Aug 19 00:17:01.675: RADIUS:  User-Password       [2]   18  *
*Aug 19 00:17:01.675: RADIUS:  Vendor, Cisco       [26]  32  
*Aug 19 00:17:01.675: RADIUS:   Cisco AVpair       [1]   26  "resource-service=reserve" 
*Aug 19 00:17:01.675: RADIUS:  Service-Type        [6]   6   Call Check                [10]
*Aug 19 00:17:01.675: RADIUS:  Calling-Station-Id  [31]  13  "03012342151" 
*Aug 19 00:17:01.675: RADIUS:  Called-Station-Id   [30]  13  "03012344002" 
*Aug 19 00:17:01.675: RADIUS:  Connect-Info        [77]  12  "64000 HDLC" 
*Aug 19 00:17:01.675: RADIUS:  NAS-Port-Type       [61]  6   ISDN                      [2]
*Aug 19 00:17:01.675: RADIUS:  NAS-Port            [5]   6   20029                     
*Aug 19 00:17:01.675: RADIUS:  NAS-Port-Id         [87]  14  "Serial6/0:29" 
*Aug 19 00:17:01.675: RADIUS:  NAS-IP-Address      [4]   6   192.168.7.6               
*Aug 19 00:17:01.679: RADIUS: Received from id 1645/92 192.168.7.2:1645, Access-Accept, len 153
*Aug 19 00:17:01.679: RADIUS:  authenticator 4E 3F 3F 31 3E 0E 89 C3 - 68 51 DB 9A BF 2D D6 58
*Aug 19 00:17:01.679: RADIUS:  Vendor, Cisco       [26]  31  
*Aug 19 00:17:01.679: RADIUS:   Cisco AVpair       [1]   25  "preauth:auth-required=1" 
*Aug 19 00:17:01.679: RADIUS:  Vendor, Cisco       [26]  30  
*Aug 19 00:17:01.679: RADIUS:   Cisco AVpair       [1]   24  "preauth:service-type=1" 
*Aug 19 00:17:01.679: RADIUS:  Vendor, Cisco       [26]  33  
*Aug 19 00:17:01.679: RADIUS:   Cisco AVpair       [1]   27  "preauth:username=mahlzeit" 
*Aug 19 00:17:01.679: RADIUS:  Vendor, Cisco       [26]  39  
*Aug 19 00:17:01.679: RADIUS:   Cisco AVpair       [1]   33  "autocmd=telnet 192.168.7.2 9000" 
*Aug 19 00:17:01.679: RADIUS(0000005B): Received from id 1645/92
*Aug 19 00:17:01.679: RADIUS/DECODE: VSA service-type=1 maps to Login
*Aug 19 00:17:01.679: AAA SRV(0000005B): protocol reply PASS for Authorization
*Aug 19 00:17:01.679: AAA SRV(0000005B): Return Authorization status=PASS
*Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B): Preauth:
*Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B):  auth-required 
*Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B):  service-type 
*Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B):  add username mahlzeit
*Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B): Done - PASSED 

authentication

This is the step that we would want to skip, but which we have enabled for the point of illustrating one (other) working configuration.

It looks as expected. First the user is prompted for username and password (ignoring the preauth:username which is sent in the above radius response, contrary to cisco documentation). Then a radius query is sent using those credentials, to which the radius responds with the telnet login ip/port attributes.

*Aug 19 00:17:01.679: as_alloc_hdlc: Allocated slot 6, port 0, map 0x00000002 to hdlc chip 0 link 0, map 0x20000000
*Aug 19 00:17:01.679: pm7366_down:slot=6 channel=29 freedm_chan=56 freedm_no=0 link_no=0 prov=0
*Aug 19 00:17:01.679: pm7366_up:slot=6 channel=29 freedm_chan=56 freedm_no=0 link_no=0 prov=0
*Aug 19 00:17:01.679: serial_autodetect_needed: TRUE
*Aug 19 00:17:01.679: Ser-Autodetect Se6/0:29: starting
*Aug 19 00:17:01.995: V120: Autodetect trying to detect V120 mode on Se6/0:29
*Aug 19 00:17:01.995: V120 sampled pkt:  3 bytes:  8 1 7F
*Aug 19 00:17:01.995: Ser-Autodetect Se6/0:29: Autodetected v120 encaps
*Aug 19 00:17:01.995: Serial6/0:29: copy pkt, tmp->flags 0x200, idb->encsize 4
*Aug 19 00:17:01.995: size 3
0x8 0x1 0x7F 
*Aug 19 00:17:01.995: AAA/AUTHEN/LOGIN (0000005B): Pick method list 'default' 
*Aug 19 00:17:01.995: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74
*Aug 19 00:17:01.995: AAA SRV(0000005B): process authen req
*Aug 19 00:17:01.995: AAA SRV(0000005B): Authen method=SERVER_GROUP radius
*Aug 19 00:17:01.995: RADIUS/ENCODE(0000005B): ask "Username: " 
*Aug 19 00:17:01.995: RADIUS/ENCODE(0000005B): send packet; GET_USER
*Aug 19 00:17:01.995: AAA SRV(0000005B): protocol reply GET_USER for Authentication
*Aug 19 00:17:01.995: AAA SRV(0000005B): Return Authentication status=GET_USER
*Aug 19 00:17:08.651: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74
*Aug 19 00:17:08.655: AAA SRV(0000005B): process authen req
*Aug 19 00:17:08.655: AAA SRV(0000005B): Authen method=SERVER_GROUP radius
*Aug 19 00:17:08.655: RADIUS/ENCODE(0000005B): ask "Username: " 
*Aug 19 00:17:08.655: RADIUS/ENCODE(0000005B): send packet; GET_USER
*Aug 19 00:17:08.655: AAA SRV(0000005B): protocol reply GET_USER for Authentication
*Aug 19 00:17:08.655: AAA SRV(0000005B): Return Authentication status=GET_USER
*Aug 19 00:17:09.623: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74
*Aug 19 00:17:09.623: AAA SRV(0000005B): process authen req
*Aug 19 00:17:09.623: AAA SRV(0000005B): Authen method=SERVER_GROUP radius
*Aug 19 00:17:09.623: RADIUS/ENCODE(0000005B): ask "Password: " 
*Aug 19 00:17:09.623: RADIUS/ENCODE(0000005B): send packet; GET_PASSWORD
*Aug 19 00:17:09.623: AAA SRV(0000005B): protocol reply GET_PASSWORD for Authentication
*Aug 19 00:17:09.623: AAA SRV(0000005B): Return Authentication status=GET_PASSWORD
*Aug 19 00:17:09.931: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74
*Aug 19 00:17:09.931: AAA SRV(0000005B): process authen req
*Aug 19 00:17:09.931: AAA SRV(0000005B): Authen method=SERVER_GROUP radius
*Aug 19 00:17:09.931: RADIUS/ENCODE(0000005B):Orig. component type = ISDN
*Aug 19 00:17:09.931: RADIUS/ENCODE(0000005B): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Aug 19 00:17:09.931: RADIUS(0000005B): Config NAS IP: 0.0.0.0
*Aug 19 00:17:09.931: RADIUS/ENCODE(0000005B): acct_session_id: 91
*Aug 19 00:17:09.931: RADIUS(0000005B): sending
*Aug 19 00:17:09.931: RADIUS/ENCODE: Best Local IP-Address 192.168.7.6 for Radius-Server 192.168.7.2
*Aug 19 00:17:09.931: RADIUS(0000005B): Send Access-Request to 192.168.7.2:1645 id 1645/93, len 104
*Aug 19 00:17:09.931: RADIUS:  authenticator 64 FD 26 15 C1 2A A2 C2 - B1 82 4A C1 2B BE 02 99
*Aug 19 00:17:09.931: RADIUS:  User-Name           [1]   4   "as" 
*Aug 19 00:17:09.931: RADIUS:  User-Password       [2]   18  *
*Aug 19 00:17:09.931: RADIUS:  Calling-Station-Id  [31]  13  "03012342151" 
*Aug 19 00:17:09.931: RADIUS:  Called-Station-Id   [30]  13  "03012344002" 
*Aug 19 00:17:09.931: RADIUS:  Connect-Info        [77]  12  "64000 HDLC" 
*Aug 19 00:17:09.931: RADIUS:  NAS-Port-Type       [61]  6   ISDN                      [2]
*Aug 19 00:17:09.931: RADIUS:  NAS-Port            [5]   6   20029                     
*Aug 19 00:17:09.931: RADIUS:  NAS-Port-Id         [87]  6   "tty3" 
*Aug 19 00:17:09.931: RADIUS:  NAS-IP-Address      [4]   6   192.168.7.6               
*Aug 19 00:17:09.935: RADIUS: Received from id 1645/93 192.168.7.2:1645, Access-Accept, len 44
*Aug 19 00:17:09.935: RADIUS:  authenticator 50 04 BF 13 D3 DE 32 39 - 55 1A ED 3F 5D C3 5C E0
*Aug 19 00:17:09.935: RADIUS:  Service-Type        [6]   6   Login                     [1]
*Aug 19 00:17:09.935: RADIUS:  Login-Service       [15]  6   Telnet                    [0]
*Aug 19 00:17:09.935: RADIUS:  login-ip-addr-host  [14]  6   192.168.7.2               
*Aug 19 00:17:09.935: RADIUS:  login-tcp-port      [16]  6   23                        
*Aug 19 00:17:09.935: RADIUS(0000005B): Received from id 1645/93
*Aug 19 00:17:09.935: RADIUS: Constructed " telnet 192.168.7.2 23  " 
*Aug 19 00:17:09.935: AAA SRV(0000005B): protocol reply PASS for Authentication
*Aug 19 00:17:09.935: AAA SRV(0000005B): Return Authentication status=PASS

exec-authorization

last, but not least, now that aaa authorization exec is enabled, we get the following debug output. Note that there is no additional radius query at this point (not in the cisco logfile, and not on the wire / tcpdump). It seems to just use the existing radius attributes obtained during the previous authentication step.

*Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): processing AV noescape=1
*Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): processing AV autocmd= telnet 192.168.7.2 23  
*Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): processing AV service-type=1
*Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): Authorization successful
*Aug 19 00:18:09.967: AAA/ACCT/DS0: channel=29, ds1=0, t3=0, slot=6, ds0=100663325
*Aug 19 00:18:09.967: pm7366_up:slot=6 channel=29 freedm_chan=56 freedm_no=0 link_no=0 prov=1
*Aug 19 00:18:09.967: pm7366_down:slot=6 channel=29 freedm_chan=56 freedm_no=0 link_no=0 prov=1
*Aug 19 00:18:09.971: as_free_hdlc: Free slot 6, port 0, map 0x00000002 to hdlc chip 0 link 0, map 0x20000000

After this point, the telnet connection is established, and the dialled-in user is getting whatever telnet based service.

Trying with pre-auth + exec-auth but no authentication

This would be the logical step, given that
  • we want pre-auth to return the radius attributes
  • we don't want a login/password prompt (authentication stage)
  • we need exec-auth to actually perform the automatic telnet command

Unfortunately, this fails:

pre-auth with auth-required=0

*Aug 19 00:18:34.675: AAA/BIND(0000005C): Bind i/f Serial6/0:30 
*Aug 19 00:18:34.675: AAA/ACCT/DS0: channel=30, ds1=0, t3=0, slot=6, ds0=100663326
*Aug 19 00:18:34.675: AAA/ACCT/DS0: channel=30, ds1=0, t3=0, slot=6, ds0=100663326
*Aug 19 00:18:34.675: AAA/AUTHOR/PREAUTH/(0000005C): DNIS-based preauthentication
*Aug 19 00:18:34.675: AAA/AUTHOR/PREAUTH(0000005C): overriding port-type to PRI
*Aug 19 00:18:34.675: AAA/AUTHOR/PREAUTH(0000005C): overriding interface to Serial6/0:30
*Aug 19 00:18:34.675: AAA/AUTHOR (0x5C): Pick method list 'default'
*Aug 19 00:18:34.675: AAA/IPC(0000005C): Sending authen/author message to AAA server pid 74
*Aug 19 00:18:34.675: AAA SRV(0000005C): process author req
*Aug 19 00:18:34.675: AAA SRV(0000005C): Author method=SERVER_GROUP radius
*Aug 19 00:18:34.675: RADIUS/ENCODE(0000005C):Orig. component type = ISDN
*Aug 19 00:18:34.675: RADIUS(0000005C): Config NAS IP: 0.0.0.0
*Aug 19 00:18:34.675: RADIUS/ENCODE(0000005C): acct_session_id: 92
*Aug 19 00:18:34.675: RADIUS(0000005C): sending
*Aug 19 00:18:34.675: RADIUS/ENCODE: Best Local IP-Address 192.168.7.6 for Radius-Server 192.168.7.2
*Aug 19 00:18:34.675: RADIUS(0000005C): Send Access-Request to 192.168.7.2:1645 id 1645/94, len 159
*Aug 19 00:18:34.675: RADIUS:  authenticator FA 27 9D B4 07 93 D4 71 - C9 B2 61 08 8B C2 BB D7
*Aug 19 00:18:34.675: RADIUS:  User-Name           [1]   13  "03012344001" 
*Aug 19 00:18:34.675: RADIUS:  User-Password       [2]   18  *
*Aug 19 00:18:34.675: RADIUS:  Vendor, Cisco       [26]  32  
*Aug 19 00:18:34.675: RADIUS:   Cisco AVpair       [1]   26  "resource-service=reserve" 
*Aug 19 00:18:34.675: RADIUS:  Service-Type        [6]   6   Call Check                [10]
*Aug 19 00:18:34.675: RADIUS:  Calling-Station-Id  [31]  13  "03012342151" 
*Aug 19 00:18:34.675: RADIUS:  Called-Station-Id   [30]  13  "03012344001" 
*Aug 19 00:18:34.675: RADIUS:  Connect-Info        [77]  12  "64000 HDLC" 
*Aug 19 00:18:34.675: RADIUS:  NAS-Port-Type       [61]  6   ISDN                      [2]
*Aug 19 00:18:34.675: RADIUS:  NAS-Port            [5]   6   20030                     
*Aug 19 00:18:34.675: RADIUS:  NAS-Port-Id         [87]  14  "Serial6/0:30" 
*Aug 19 00:18:34.675: RADIUS:  NAS-IP-Address      [4]   6   192.168.7.6               
*Aug 19 00:18:34.679: RADIUS: Received from id 1645/94 192.168.7.2:1645, Access-Accept, len 105
*Aug 19 00:18:34.679: RADIUS:  authenticator D3 2B 65 EF EB 8A B0 FC - 9F 00 62 58 90 55 87 D5
*Aug 19 00:18:34.679: RADIUS:  Vendor, Cisco       [26]  31  
*Aug 19 00:18:34.679: RADIUS:   Cisco AVpair       [1]   25  "preauth:auth-required=0" 
*Aug 19 00:18:34.679: RADIUS:  Vendor, Cisco       [26]  30  
*Aug 19 00:18:34.679: RADIUS:   Cisco AVpair       [1]   24  "preauth:service-type=1" 
*Aug 19 00:18:34.679: RADIUS:  Service-Type        [6]   6   Login                     [1]
*Aug 19 00:18:34.679: RADIUS:  Login-Service       [15]  6   Telnet                    [0]
*Aug 19 00:18:34.679: RADIUS:  login-ip-addr-host  [14]  6   192.168.7.2               
*Aug 19 00:18:34.679: RADIUS:  login-tcp-port      [16]  6   9000                      
*Aug 19 00:18:34.679: RADIUS(0000005C): Received from id 1645/94
*Aug 19 00:18:34.679: RADIUS/DECODE: VSA service-type=1 maps to Login
*Aug 19 00:18:34.679: RADIUS: Constructed " telnet 192.168.7.2 9000  " 
*Aug 19 00:18:34.679: AAA SRV(0000005C): protocol reply PASS for Authorization
*Aug 19 00:18:34.679: AAA SRV(0000005C): Return Authorization status=PASS
*Aug 19 00:18:34.679: AAA/AUTHOR/PREAUTH/(0000005C): Preauth:
*Aug 19 00:18:34.679: AAA/AUTHOR/PREAUTH/(0000005C):  auth-required 
*Aug 19 00:18:34.679: AAA/AUTHOR/PREAUTH/(0000005C):  service-type 
*Aug 19 00:18:34.679: AAA/AUTHOR/PREAUTH/(0000005C):  service-type 
*Aug 19 00:18:34.679: AAA/AUTHOR/PREAUTH/(0000005C):  login-service 
*Aug 19 00:18:34.679: AAA/AUTHOR/PREAUTH/(0000005C): default username 03012344001
*Aug 19 00:18:34.679: AAA/AUTHOR/PREAUTH/(0000005C): Done - PASSED 
This
  • works as expected
  • cisco confirms it has received telnet IP/port and consturcted an autocmd from it
  • no login prompt appears

However....

exec-auth fails :(

*Aug 19 00:18:34.679: as_alloc_hdlc: Allocated slot 6, port 0, map 0x00000001 to hdlc chip 0 link 0, map 0x20000000
*Aug 19 00:18:34.679: pm7366_down:slot=6 channel=30 freedm_chan=57 freedm_no=0 link_no=0 prov=0
*Aug 19 00:18:34.679: pm7366_up:slot=6 channel=30 freedm_chan=57 freedm_no=0 link_no=0 prov=0
*Aug 19 00:18:34.679: serial_autodetect_needed: TRUE
*Aug 19 00:18:34.679: Ser-Autodetect Se6/0:30: starting
*Aug 19 00:18:34.935: V120: Autodetect trying to detect V120 mode on Se6/0:30
*Aug 19 00:18:34.935: V120 sampled pkt:  3 bytes:  8 1 7F
*Aug 19 00:18:34.935: Ser-Autodetect Se6/0:30: Autodetected v120 encaps
*Aug 19 00:18:34.935: Serial6/0:30: copy pkt, tmp->flags 0x200, idb->encsize 4
*Aug 19 00:18:34.935: size 3
0x8 0x1 0x7F 
*Aug 19 00:18:34.935: AAA/AUTHOR (0x5C): Pick method list 'default'
*Aug 19 00:18:34.935: AAA/AUTHOR/EXEC(0000005C): Authorization FAILED
*Aug 19 00:18:36.959: AAA/ACCT/DS0: channel=30, ds1=0, t3=0, slot=6, ds0=100663326
*Aug 19 00:18:36.959: pm7366_up:slot=6 channel=30 freedm_chan=57 freedm_no=0 link_no=0 prov=1
*Aug 19 00:18:36.959: pm7366_down:slot=6 channel=30 freedm_chan=57 freedm_no=0 link_no=0 prov=1
*Aug 19 00:18:36.959: as_free_hdlc: Free slot 6, port 0, map 0x00000001 to hdlc chip 0 link 0, map 0x20000000
*Aug 19 00:18:41.455: %CALLTRKR-6-CALL_RECORD: ct_hndl=68, service=Exec, origin=Answer, category=SyncData, DS0 slot/port/ds1/chan=6/0/0/30, called=03012344001, calling=03012342151, resource slot/port=(n/a)/(n/a), userid=(n/a), ip=0.0.0.0, account id=92, setup=08/19/2013 00:18:34, conn=0.03, phys=2.25, service=0.26, authen=0.00, init-rx/tx b-rate=64000/64000, rx/tx chars=12/39, charged units=0, time=2.26, disc subsys=Exec, disc code=0x19, disc text=Login failed, sig type=Auto

So for some strange reason, exec-auth fails if there was no previous authentication. It doesn't use any of the radius attributes or the autocmd that was signaled previously during pre-auth.

I would have hoped it at least then sends a radius query now, but it doesn't, so we cannot send it the radius attributes for telnet ip/port.

Further attempts

It tried, among other, the following approaches:
  • do it without radius (fully local as described in this mailinglist post
    • works, but defeats the purpose of describing the DNIS -> telnet mappings in radius
    • key aspect seems to be the ability to specify users with nopassword attribute. That feature doesn't seem to exist in the context of radius?
  • pre-auth + exec-auth radius but authentication local
    • then the radius attributes for host/port are not present, unless the local user has an 'autocommand' configured :(

Updated by laforge 4 months ago · 7 revisions

Add picture from clipboard (Maximum size: 48.8 MB)