Radius based DNIS -> TCP forwarding » History » Version 1
laforge, 05/01/2022 08:45 AM
| 1 | 1 | laforge | h1. Radius based DNIS -> TCP forwarding |
|---|---|---|---|
| 2 | |||
| 3 | With the [[Livingston_Portmaster_3]], it is relatively easy to configure a setup where the _Called Party Number_ (the destination number dialled by the caller, in the US called DNIS) is used to determine a remote host/IP and port number to which to forward the asynchronous stream of bytes leaving a modem, a [[V.120]], [[X.75]] or [[V.110]] async ISDN data call. |
||
| 4 | |||
| 5 | This setup is surprisingly difficult (so far impossible for @laforge) to replicate on Cisco AS5400 systems. |
||
| 6 | |||
| 7 | In theory, this should all work, as Cisco offers the following functionality: |
||
| 8 | * AAA Pre-authorization based on DNIS |
||
| 9 | ** this means that a Radius qery is made based on the called party number, before a call is accepted and before any user prompt - just like the _Call-Check_ feature of the Portmaster |
||
| 10 | * Radius-based specification of a remote IP/Port to forward to, by means of |
||
| 11 | <pre> |
||
| 12 | Service-Type = Login-User, |
||
| 13 | Login-Service = Telnet, |
||
| 14 | Login-IP-Host = 192.168.7.2, |
||
| 15 | Login-TCP-Port = 23 |
||
| 16 | </pre> |
||
| 17 | |||
| 18 | Unfortunately, after way too many hours wasted, it still doesn't work. |
||
| 19 | |||
| 20 | h2. Some observations |
||
| 21 | |||
| 22 | h3. Radius client correctly understands Login-* |
||
| 23 | |||
| 24 | As we can see in the debug log below, the pre-auth for the DNIS works correctly, the cisco radius client receives the telnet IP/Port and appears to internally construct an _autocommand_ from it (@telnet192.168.7.2 9000@). For _Login-Service=TCP-Clear_, it appends a @/stream@ to that command. |
||
| 25 | |||
| 26 | <pre> |
||
| 27 | *Aug 19 00:16:30.675: RADIUS(0000005A): Send Access-Request to 192.168.7.2:1645 id 1645/91, len 159 |
||
| 28 | *Aug 19 00:16:30.675: RADIUS: authenticator 1F FE AD FC 80 28 17 B3 - 22 3D 30 A0 0A 1B 9E 60 |
||
| 29 | *Aug 19 00:16:30.675: RADIUS: User-Name [1] 13 "03012344001" |
||
| 30 | *Aug 19 00:16:30.675: RADIUS: User-Password [2] 18 * |
||
| 31 | *Aug 19 00:16:30.675: RADIUS: Vendor, Cisco [26] 32 |
||
| 32 | *Aug 19 00:16:30.675: RADIUS: Cisco AVpair [1] 26 "resource-service=reserve" |
||
| 33 | *Aug 19 00:16:30.675: RADIUS: Service-Type [6] 6 Call Check [10] |
||
| 34 | *Aug 19 00:16:30.675: RADIUS: Calling-Station-Id [31] 13 "03012342151" |
||
| 35 | *Aug 19 00:16:30.675: RADIUS: Called-Station-Id [30] 13 "03012344001" |
||
| 36 | *Aug 19 00:16:30.675: RADIUS: Connect-Info [77] 12 "64000 HDLC" |
||
| 37 | *Aug 19 00:16:30.675: RADIUS: NAS-Port-Type [61] 6 ISDN [2] |
||
| 38 | *Aug 19 00:16:30.675: RADIUS: NAS-Port [5] 6 20028 |
||
| 39 | *Aug 19 00:16:30.675: RADIUS: NAS-Port-Id [87] 14 "Serial6/0:28" |
||
| 40 | *Aug 19 00:16:30.675: RADIUS: NAS-IP-Address [4] 6 192.168.7.6 |
||
| 41 | *Aug 19 00:16:30.675: RADIUS: Received from id 1645/91 192.168.7.2:1645, Access-Accept, len 105 |
||
| 42 | *Aug 19 00:16:30.675: RADIUS: authenticator 2D 8D D1 52 5D 6C A3 84 - B6 71 98 21 5A 8B 78 40 |
||
| 43 | *Aug 19 00:16:30.675: RADIUS: Vendor, Cisco [26] 31 |
||
| 44 | *Aug 19 00:16:30.679: RADIUS: Cisco AVpair [1] 25 "preauth:auth-required=0" |
||
| 45 | *Aug 19 00:16:30.679: RADIUS: Vendor, Cisco [26] 30 |
||
| 46 | *Aug 19 00:16:30.679: RADIUS: Cisco AVpair [1] 24 "preauth:service-type=1" |
||
| 47 | *Aug 19 00:16:30.679: RADIUS: Service-Type [6] 6 Login [1] |
||
| 48 | *Aug 19 00:16:30.679: RADIUS: Login-Service [15] 6 Telnet [0] |
||
| 49 | *Aug 19 00:16:30.679: RADIUS: login-ip-addr-host [14] 6 192.168.7.2 |
||
| 50 | *Aug 19 00:16:30.679: RADIUS: login-tcp-port [16] 6 9000 |
||
| 51 | *Aug 19 00:16:30.679: RADIUS(0000005A): Received from id 1645/91 |
||
| 52 | *Aug 19 00:16:30.679: RADIUS/DECODE: VSA service-type=1 maps to Login |
||
| 53 | *Aug 19 00:16:30.679: RADIUS: Constructed " telnet 192.168.7.2 9000 " |
||
| 54 | *Aug 19 00:16:30.679: AAA SRV(0000005A): protocol reply PASS for Authorization |
||
| 55 | *Aug 19 00:16:30.679: AAA SRV(0000005A): Return Authorization status=PASS |
||
| 56 | *Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): Preauth: |
||
| 57 | *Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): auth-required |
||
| 58 | *Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): service-type |
||
| 59 | *Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): service-type |
||
| 60 | *Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): login-service |
||
| 61 | *Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): default username 03012344001 |
||
| 62 | *Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): Done - PASSED |
||
| 63 | </pre> |
||
| 64 | |||
| 65 | However, whatever code in the cisco calling that raidus client library is not using this information from the pre-authorization phase. |
||
| 66 | |||
| 67 | h3. Cisco respects @preauth:auth-required=0@ |
||
| 68 | |||
| 69 | When passing that vendor-specific Radius attribute in our response, the Cisco skips the _authentication_ step that would normally follow the _pre-authorization_. However, it just simply drops the caller to a vty (cisco prompt). One can then manually enter the telnet command just fine, so it is not a matter of missing privileges. |
||
| 70 | |||
| 71 | If the radius response in pre-auth contains @preauth:auth-required=1@ (or skips that attribute completely), then the Cisco proceeds with normal authentication by displaying a login/password prompt. But that's not what we want. |
||
| 72 | |||
| 73 | |||
| 74 | h3. Cisco requires @aaa authorization exec@ for TCP/Telnet fowarding |
||
| 75 | |||
| 76 | Even if we keep the normal authentication (@preauth:auth-required=1@), and log in using a radius user that has a configuration for TCP/Telnet forwarding, we still get dropped to a normal vty command prompt. |
||
| 77 | |||
| 78 | The automatic execution of the command only works if the @aaa authorization exec@ is defined, for example @aaa authorization exec default group radius@. In this case, there is an additional AAA step (after pre-authorization + authentication), which then respects the radius attributes for login-service/login-host/... |
||
| 79 | |||
| 80 | So it looks like this: |
||
| 81 | |||
| 82 | h4. pre-authorization |
||
| 83 | |||
| 84 | <pre> |
||
| 85 | *Aug 19 00:17:01.675: AAA/BIND(0000005B): Bind i/f Serial6/0:29 |
||
| 86 | *Aug 19 00:17:01.675: AAA/ACCT/DS0: channel=29, ds1=0, t3=0, slot=6, ds0=100663325 |
||
| 87 | *Aug 19 00:17:01.675: AAA/ACCT/DS0: channel=29, ds1=0, t3=0, slot=6, ds0=100663325 |
||
| 88 | *Aug 19 00:17:01.675: AAA/AUTHOR/PREAUTH/(0000005B): DNIS-based preauthentication |
||
| 89 | *Aug 19 00:17:01.675: AAA/AUTHOR/PREAUTH(0000005B): overriding port-type to PRI |
||
| 90 | *Aug 19 00:17:01.675: AAA/AUTHOR/PREAUTH(0000005B): overriding interface to Serial6/0:29 |
||
| 91 | *Aug 19 00:17:01.675: AAA/AUTHOR (0x5B): Pick method list 'default' |
||
| 92 | *Aug 19 00:17:01.675: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74 |
||
| 93 | *Aug 19 00:17:01.675: AAA SRV(0000005B): process author req |
||
| 94 | *Aug 19 00:17:01.675: AAA SRV(0000005B): Author method=SERVER_GROUP radius |
||
| 95 | *Aug 19 00:17:01.675: RADIUS/ENCODE(0000005B):Orig. component type = ISDN |
||
| 96 | *Aug 19 00:17:01.675: RADIUS(0000005B): Config NAS IP: 0.0.0.0 |
||
| 97 | *Aug 19 00:17:01.675: RADIUS/ENCODE(0000005B): acct_session_id: 91 |
||
| 98 | *Aug 19 00:17:01.675: RADIUS(0000005B): sending |
||
| 99 | *Aug 19 00:17:01.675: RADIUS/ENCODE: Best Local IP-Address 192.168.7.6 for Radius-Server 192.168.7.2 |
||
| 100 | *Aug 19 00:17:01.675: RADIUS(0000005B): Send Access-Request to 192.168.7.2:1645 id 1645/92, len 159 |
||
| 101 | *Aug 19 00:17:01.675: RADIUS: authenticator F1 4A 9E B5 81 29 22 DB - F8 C4 22 E2 73 A2 37 68 |
||
| 102 | *Aug 19 00:17:01.675: RADIUS: User-Name [1] 13 "03012344002" |
||
| 103 | *Aug 19 00:17:01.675: RADIUS: User-Password [2] 18 * |
||
| 104 | *Aug 19 00:17:01.675: RADIUS: Vendor, Cisco [26] 32 |
||
| 105 | *Aug 19 00:17:01.675: RADIUS: Cisco AVpair [1] 26 "resource-service=reserve" |
||
| 106 | *Aug 19 00:17:01.675: RADIUS: Service-Type [6] 6 Call Check [10] |
||
| 107 | *Aug 19 00:17:01.675: RADIUS: Calling-Station-Id [31] 13 "03012342151" |
||
| 108 | *Aug 19 00:17:01.675: RADIUS: Called-Station-Id [30] 13 "03012344002" |
||
| 109 | *Aug 19 00:17:01.675: RADIUS: Connect-Info [77] 12 "64000 HDLC" |
||
| 110 | *Aug 19 00:17:01.675: RADIUS: NAS-Port-Type [61] 6 ISDN [2] |
||
| 111 | *Aug 19 00:17:01.675: RADIUS: NAS-Port [5] 6 20029 |
||
| 112 | *Aug 19 00:17:01.675: RADIUS: NAS-Port-Id [87] 14 "Serial6/0:29" |
||
| 113 | *Aug 19 00:17:01.675: RADIUS: NAS-IP-Address [4] 6 192.168.7.6 |
||
| 114 | *Aug 19 00:17:01.679: RADIUS: Received from id 1645/92 192.168.7.2:1645, Access-Accept, len 153 |
||
| 115 | *Aug 19 00:17:01.679: RADIUS: authenticator 4E 3F 3F 31 3E 0E 89 C3 - 68 51 DB 9A BF 2D D6 58 |
||
| 116 | *Aug 19 00:17:01.679: RADIUS: Vendor, Cisco [26] 31 |
||
| 117 | *Aug 19 00:17:01.679: RADIUS: Cisco AVpair [1] 25 "preauth:auth-required=1" |
||
| 118 | *Aug 19 00:17:01.679: RADIUS: Vendor, Cisco [26] 30 |
||
| 119 | *Aug 19 00:17:01.679: RADIUS: Cisco AVpair [1] 24 "preauth:service-type=1" |
||
| 120 | *Aug 19 00:17:01.679: RADIUS: Vendor, Cisco [26] 33 |
||
| 121 | *Aug 19 00:17:01.679: RADIUS: Cisco AVpair [1] 27 "preauth:username=mahlzeit" |
||
| 122 | *Aug 19 00:17:01.679: RADIUS: Vendor, Cisco [26] 39 |
||
| 123 | *Aug 19 00:17:01.679: RADIUS: Cisco AVpair [1] 33 "autocmd=telnet 192.168.7.2 9000" |
||
| 124 | *Aug 19 00:17:01.679: RADIUS(0000005B): Received from id 1645/92 |
||
| 125 | *Aug 19 00:17:01.679: RADIUS/DECODE: VSA service-type=1 maps to Login |
||
| 126 | *Aug 19 00:17:01.679: AAA SRV(0000005B): protocol reply PASS for Authorization |
||
| 127 | *Aug 19 00:17:01.679: AAA SRV(0000005B): Return Authorization status=PASS |
||
| 128 | *Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B): Preauth: |
||
| 129 | *Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B): auth-required |
||
| 130 | *Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B): service-type |
||
| 131 | *Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B): add username mahlzeit |
||
| 132 | *Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B): Done - PASSED |
||
| 133 | </pre> |
||
| 134 | |||
| 135 | h4. authentication |
||
| 136 | |||
| 137 | This is the step that we would want to skip, but which we have enabled for the point of illustrating one (other) working configuration. |
||
| 138 | |||
| 139 | It looks as expected. First the user is prompted for username and password (ignoring the @preauth:username@ which is sent in the above radius response, contrary to cisco documentation). Then a radius query is sent using those credentials, to which the radius responds with the telnet login ip/port attributes. |
||
| 140 | |||
| 141 | <pre> |
||
| 142 | *Aug 19 00:17:01.679: as_alloc_hdlc: Allocated slot 6, port 0, map 0x00000002 to hdlc chip 0 link 0, map 0x20000000 |
||
| 143 | *Aug 19 00:17:01.679: pm7366_down:slot=6 channel=29 freedm_chan=56 freedm_no=0 link_no=0 prov=0 |
||
| 144 | *Aug 19 00:17:01.679: pm7366_up:slot=6 channel=29 freedm_chan=56 freedm_no=0 link_no=0 prov=0 |
||
| 145 | *Aug 19 00:17:01.679: serial_autodetect_needed: TRUE |
||
| 146 | *Aug 19 00:17:01.679: Ser-Autodetect Se6/0:29: starting |
||
| 147 | *Aug 19 00:17:01.995: V120: Autodetect trying to detect V120 mode on Se6/0:29 |
||
| 148 | *Aug 19 00:17:01.995: V120 sampled pkt: 3 bytes: 8 1 7F |
||
| 149 | *Aug 19 00:17:01.995: Ser-Autodetect Se6/0:29: Autodetected v120 encaps |
||
| 150 | *Aug 19 00:17:01.995: Serial6/0:29: copy pkt, tmp->flags 0x200, idb->encsize 4 |
||
| 151 | *Aug 19 00:17:01.995: size 3 |
||
| 152 | 0x8 0x1 0x7F |
||
| 153 | *Aug 19 00:17:01.995: AAA/AUTHEN/LOGIN (0000005B): Pick method list 'default' |
||
| 154 | *Aug 19 00:17:01.995: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74 |
||
| 155 | *Aug 19 00:17:01.995: AAA SRV(0000005B): process authen req |
||
| 156 | *Aug 19 00:17:01.995: AAA SRV(0000005B): Authen method=SERVER_GROUP radius |
||
| 157 | *Aug 19 00:17:01.995: RADIUS/ENCODE(0000005B): ask "Username: " |
||
| 158 | *Aug 19 00:17:01.995: RADIUS/ENCODE(0000005B): send packet; GET_USER |
||
| 159 | *Aug 19 00:17:01.995: AAA SRV(0000005B): protocol reply GET_USER for Authentication |
||
| 160 | *Aug 19 00:17:01.995: AAA SRV(0000005B): Return Authentication status=GET_USER |
||
| 161 | *Aug 19 00:17:08.651: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74 |
||
| 162 | *Aug 19 00:17:08.655: AAA SRV(0000005B): process authen req |
||
| 163 | *Aug 19 00:17:08.655: AAA SRV(0000005B): Authen method=SERVER_GROUP radius |
||
| 164 | *Aug 19 00:17:08.655: RADIUS/ENCODE(0000005B): ask "Username: " |
||
| 165 | *Aug 19 00:17:08.655: RADIUS/ENCODE(0000005B): send packet; GET_USER |
||
| 166 | *Aug 19 00:17:08.655: AAA SRV(0000005B): protocol reply GET_USER for Authentication |
||
| 167 | *Aug 19 00:17:08.655: AAA SRV(0000005B): Return Authentication status=GET_USER |
||
| 168 | *Aug 19 00:17:09.623: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74 |
||
| 169 | *Aug 19 00:17:09.623: AAA SRV(0000005B): process authen req |
||
| 170 | *Aug 19 00:17:09.623: AAA SRV(0000005B): Authen method=SERVER_GROUP radius |
||
| 171 | *Aug 19 00:17:09.623: RADIUS/ENCODE(0000005B): ask "Password: " |
||
| 172 | *Aug 19 00:17:09.623: RADIUS/ENCODE(0000005B): send packet; GET_PASSWORD |
||
| 173 | *Aug 19 00:17:09.623: AAA SRV(0000005B): protocol reply GET_PASSWORD for Authentication |
||
| 174 | *Aug 19 00:17:09.623: AAA SRV(0000005B): Return Authentication status=GET_PASSWORD |
||
| 175 | *Aug 19 00:17:09.931: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74 |
||
| 176 | *Aug 19 00:17:09.931: AAA SRV(0000005B): process authen req |
||
| 177 | *Aug 19 00:17:09.931: AAA SRV(0000005B): Authen method=SERVER_GROUP radius |
||
| 178 | *Aug 19 00:17:09.931: RADIUS/ENCODE(0000005B):Orig. component type = ISDN |
||
| 179 | *Aug 19 00:17:09.931: RADIUS/ENCODE(0000005B): dropping service type, "radius-server attribute 6 on-for-login-auth" is off |
||
| 180 | *Aug 19 00:17:09.931: RADIUS(0000005B): Config NAS IP: 0.0.0.0 |
||
| 181 | *Aug 19 00:17:09.931: RADIUS/ENCODE(0000005B): acct_session_id: 91 |
||
| 182 | *Aug 19 00:17:09.931: RADIUS(0000005B): sending |
||
| 183 | *Aug 19 00:17:09.931: RADIUS/ENCODE: Best Local IP-Address 192.168.7.6 for Radius-Server 192.168.7.2 |
||
| 184 | *Aug 19 00:17:09.931: RADIUS(0000005B): Send Access-Request to 192.168.7.2:1645 id 1645/93, len 104 |
||
| 185 | *Aug 19 00:17:09.931: RADIUS: authenticator 64 FD 26 15 C1 2A A2 C2 - B1 82 4A C1 2B BE 02 99 |
||
| 186 | *Aug 19 00:17:09.931: RADIUS: User-Name [1] 4 "as" |
||
| 187 | *Aug 19 00:17:09.931: RADIUS: User-Password [2] 18 * |
||
| 188 | *Aug 19 00:17:09.931: RADIUS: Calling-Station-Id [31] 13 "03012342151" |
||
| 189 | *Aug 19 00:17:09.931: RADIUS: Called-Station-Id [30] 13 "03012344002" |
||
| 190 | *Aug 19 00:17:09.931: RADIUS: Connect-Info [77] 12 "64000 HDLC" |
||
| 191 | *Aug 19 00:17:09.931: RADIUS: NAS-Port-Type [61] 6 ISDN [2] |
||
| 192 | *Aug 19 00:17:09.931: RADIUS: NAS-Port [5] 6 20029 |
||
| 193 | *Aug 19 00:17:09.931: RADIUS: NAS-Port-Id [87] 6 "tty3" |
||
| 194 | *Aug 19 00:17:09.931: RADIUS: NAS-IP-Address [4] 6 192.168.7.6 |
||
| 195 | *Aug 19 00:17:09.935: RADIUS: Received from id 1645/93 192.168.7.2:1645, Access-Accept, len 44 |
||
| 196 | *Aug 19 00:17:09.935: RADIUS: authenticator 50 04 BF 13 D3 DE 32 39 - 55 1A ED 3F 5D C3 5C E0 |
||
| 197 | *Aug 19 00:17:09.935: RADIUS: Service-Type [6] 6 Login [1] |
||
| 198 | *Aug 19 00:17:09.935: RADIUS: Login-Service [15] 6 Telnet [0] |
||
| 199 | *Aug 19 00:17:09.935: RADIUS: login-ip-addr-host [14] 6 192.168.7.2 |
||
| 200 | *Aug 19 00:17:09.935: RADIUS: login-tcp-port [16] 6 23 |
||
| 201 | *Aug 19 00:17:09.935: RADIUS(0000005B): Received from id 1645/93 |
||
| 202 | *Aug 19 00:17:09.935: RADIUS: Constructed " telnet 192.168.7.2 23 " |
||
| 203 | *Aug 19 00:17:09.935: AAA SRV(0000005B): protocol reply PASS for Authentication |
||
| 204 | *Aug 19 00:17:09.935: AAA SRV(0000005B): Return Authentication status=PASS |
||
| 205 | </pre> |
||
| 206 | |||
| 207 | h4. exec-authorization |
||
| 208 | |||
| 209 | last, but not least, now that @aaa authorization exec@ is enabled, we get the following debug output. Note that there is *no additional radius query* at this point. It seems to just use the existing radius attributes obtained during the previous authentication step. |
||
| 210 | |||
| 211 | <pre> |
||
| 212 | *Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): processing AV noescape=1 |
||
| 213 | *Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): processing AV autocmd= telnet 192.168.7.2 23 |
||
| 214 | *Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): processing AV service-type=1 |
||
| 215 | *Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): Authorization successful |
||
| 216 | *Aug 19 00:18:09.967: AAA/ACCT/DS0: channel=29, ds1=0, t3=0, slot=6, ds0=100663325 |
||
| 217 | *Aug 19 00:18:09.967: pm7366_up:slot=6 channel=29 freedm_chan=56 freedm_no=0 link_no=0 prov=1 |
||
| 218 | *Aug 19 00:18:09.967: pm7366_down:slot=6 channel=29 freedm_chan=56 freedm_no=0 link_no=0 prov=1 |
||
| 219 | *Aug 19 00:18:09.971: as_free_hdlc: Free slot 6, port 0, map 0x00000002 to hdlc chip 0 link 0, map 0x20000000 |
||
| 220 | </pre> |
||
| 221 | |||
| 222 | After this point, the telnet connection is established, and the dialled-in user is getting whatever telnet based service. |
