Radius based DNIS -> TCP forwarding » History » Version 3
laforge, 05/01/2022 08:45 AM
{{>toc}}

h1. Radius based DNIS -> TCP forwarding

With the [[Livingston_Portmaster_3]], it is relatively easy to configure a setup where the _Called Party Number_ (the destination number dialled by the caller, in the US called DNIS) is used to determine a remote host/IP and port number to which to forward the asynchronous stream of bytes leaving a modem, a [[V.120]], [[X.75]] or [[V.110]] async ISDN data call.

This setup is surprisingly difficult (so far impossible for @laforge) to replicate on Cisco AS5400 systems.

In theory, this should all work, as Cisco offers the following functionality:
* AAA Pre-authorization based on DNIS
** this means that a Radius query is made based on the called party number, before a call is accepted and before any user prompt - just like the _Call-Check_ feature of the Portmaster
* Radius-based specification of a remote IP/Port to forward to, by means of
<pre>
Service-Type = Login-User,
Login-Service = Telnet,
Login-IP-Host = 192.168.7.2,
Login-TCP-Port = 23
</pre>

Unfortunately, after way too many hours wasted, it still doesn't work.
h2. Some observations

h3. Radius client correctly understands Login-*

As we can see in the debug log below, the pre-auth for the DNIS works correctly: the Cisco radius client receives the telnet IP/Port and appears to internally construct an _autocommand_ from it (@telnet 192.168.7.2 9000@). For _Login-Service=TCP-Clear_, it appends a @/stream@ to that command.

<pre>
*Aug 19 00:16:30.675: RADIUS(0000005A): Send Access-Request to 192.168.7.2:1645 id 1645/91, len 159
*Aug 19 00:16:30.675: RADIUS: authenticator 1F FE AD FC 80 28 17 B3 - 22 3D 30 A0 0A 1B 9E 60
*Aug 19 00:16:30.675: RADIUS: User-Name [1] 13 "03012344001"
*Aug 19 00:16:30.675: RADIUS: User-Password [2] 18 *
*Aug 19 00:16:30.675: RADIUS: Vendor, Cisco [26] 32
*Aug 19 00:16:30.675: RADIUS: Cisco AVpair [1] 26 "resource-service=reserve"
*Aug 19 00:16:30.675: RADIUS: Service-Type [6] 6 Call Check [10]
*Aug 19 00:16:30.675: RADIUS: Calling-Station-Id [31] 13 "03012342151"
*Aug 19 00:16:30.675: RADIUS: Called-Station-Id [30] 13 "03012344001"
*Aug 19 00:16:30.675: RADIUS: Connect-Info [77] 12 "64000 HDLC"
*Aug 19 00:16:30.675: RADIUS: NAS-Port-Type [61] 6 ISDN [2]
*Aug 19 00:16:30.675: RADIUS: NAS-Port [5] 6 20028
*Aug 19 00:16:30.675: RADIUS: NAS-Port-Id [87] 14 "Serial6/0:28"
*Aug 19 00:16:30.675: RADIUS: NAS-IP-Address [4] 6 192.168.7.6
*Aug 19 00:16:30.675: RADIUS: Received from id 1645/91 192.168.7.2:1645, Access-Accept, len 105
*Aug 19 00:16:30.675: RADIUS: authenticator 2D 8D D1 52 5D 6C A3 84 - B6 71 98 21 5A 8B 78 40
*Aug 19 00:16:30.675: RADIUS: Vendor, Cisco [26] 31
*Aug 19 00:16:30.679: RADIUS: Cisco AVpair [1] 25 "preauth:auth-required=0"
*Aug 19 00:16:30.679: RADIUS: Vendor, Cisco [26] 30
*Aug 19 00:16:30.679: RADIUS: Cisco AVpair [1] 24 "preauth:service-type=1"
*Aug 19 00:16:30.679: RADIUS: Service-Type [6] 6 Login [1]
*Aug 19 00:16:30.679: RADIUS: Login-Service [15] 6 Telnet [0]
*Aug 19 00:16:30.679: RADIUS: login-ip-addr-host [14] 6 192.168.7.2
*Aug 19 00:16:30.679: RADIUS: login-tcp-port [16] 6 9000
*Aug 19 00:16:30.679: RADIUS(0000005A): Received from id 1645/91
*Aug 19 00:16:30.679: RADIUS/DECODE: VSA service-type=1 maps to Login
*Aug 19 00:16:30.679: RADIUS: Constructed " telnet 192.168.7.2 9000 "
*Aug 19 00:16:30.679: AAA SRV(0000005A): protocol reply PASS for Authorization
*Aug 19 00:16:30.679: AAA SRV(0000005A): Return Authorization status=PASS
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): Preauth:
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): auth-required
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): service-type
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): service-type
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): login-service
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): default username 03012344001
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): Done - PASSED
</pre>

However, whatever code in the Cisco calls that radius client library is not using this information from the pre-authorization phase.
68 | |||
69 | h3. Cisco respects @preauth:auth-required=0@ |
||
70 | |||
71 | When passing that vendor-specific Radius attribute in our response, the Cisco skips the _authentication_ step that would normally follow the _pre-authorization_. However, it just simply drops the caller to a vty (cisco prompt). One can then manually enter the telnet command just fine, so it is not a matter of missing privileges. |
||
72 | |||
73 | If the radius response in pre-auth contains @preauth:auth-required=1@ (or skips that attribute completely), then the Cisco proceeds with normal authentication by displaying a login/password prompt. But that's not what we want. |
||
74 | |||
75 | |||
76 | h3. Cisco requires @aaa authorization exec@ for TCP/Telnet fowarding |
||
77 | |||
78 | Even if we keep the normal authentication (@preauth:auth-required=1@), and log in using a radius user that has a configuration for TCP/Telnet forwarding, we still get dropped to a normal vty command prompt. |
||
79 | |||
80 | The automatic execution of the command only works if the @aaa authorization exec@ is defined, for example @aaa authorization exec default group radius@. In this case, there is an additional AAA step (after pre-authorization + authentication), which then respects the radius attributes for login-service/login-host/... |
||
81 | |||
82 | So it looks like this: |
||
83 | |||
h4. pre-authorization

<pre>
*Aug 19 00:17:01.675: AAA/BIND(0000005B): Bind i/f Serial6/0:29
*Aug 19 00:17:01.675: AAA/ACCT/DS0: channel=29, ds1=0, t3=0, slot=6, ds0=100663325
*Aug 19 00:17:01.675: AAA/ACCT/DS0: channel=29, ds1=0, t3=0, slot=6, ds0=100663325
*Aug 19 00:17:01.675: AAA/AUTHOR/PREAUTH/(0000005B): DNIS-based preauthentication
*Aug 19 00:17:01.675: AAA/AUTHOR/PREAUTH(0000005B): overriding port-type to PRI
*Aug 19 00:17:01.675: AAA/AUTHOR/PREAUTH(0000005B): overriding interface to Serial6/0:29
*Aug 19 00:17:01.675: AAA/AUTHOR (0x5B): Pick method list 'default'
*Aug 19 00:17:01.675: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74
*Aug 19 00:17:01.675: AAA SRV(0000005B): process author req
*Aug 19 00:17:01.675: AAA SRV(0000005B): Author method=SERVER_GROUP radius
*Aug 19 00:17:01.675: RADIUS/ENCODE(0000005B):Orig. component type = ISDN
*Aug 19 00:17:01.675: RADIUS(0000005B): Config NAS IP: 0.0.0.0
*Aug 19 00:17:01.675: RADIUS/ENCODE(0000005B): acct_session_id: 91
*Aug 19 00:17:01.675: RADIUS(0000005B): sending
*Aug 19 00:17:01.675: RADIUS/ENCODE: Best Local IP-Address 192.168.7.6 for Radius-Server 192.168.7.2
*Aug 19 00:17:01.675: RADIUS(0000005B): Send Access-Request to 192.168.7.2:1645 id 1645/92, len 159
*Aug 19 00:17:01.675: RADIUS: authenticator F1 4A 9E B5 81 29 22 DB - F8 C4 22 E2 73 A2 37 68
*Aug 19 00:17:01.675: RADIUS: User-Name [1] 13 "03012344002"
*Aug 19 00:17:01.675: RADIUS: User-Password [2] 18 *
*Aug 19 00:17:01.675: RADIUS: Vendor, Cisco [26] 32
*Aug 19 00:17:01.675: RADIUS: Cisco AVpair [1] 26 "resource-service=reserve"
*Aug 19 00:17:01.675: RADIUS: Service-Type [6] 6 Call Check [10]
*Aug 19 00:17:01.675: RADIUS: Calling-Station-Id [31] 13 "03012342151"
*Aug 19 00:17:01.675: RADIUS: Called-Station-Id [30] 13 "03012344002"
*Aug 19 00:17:01.675: RADIUS: Connect-Info [77] 12 "64000 HDLC"
*Aug 19 00:17:01.675: RADIUS: NAS-Port-Type [61] 6 ISDN [2]
*Aug 19 00:17:01.675: RADIUS: NAS-Port [5] 6 20029
*Aug 19 00:17:01.675: RADIUS: NAS-Port-Id [87] 14 "Serial6/0:29"
*Aug 19 00:17:01.675: RADIUS: NAS-IP-Address [4] 6 192.168.7.6
*Aug 19 00:17:01.679: RADIUS: Received from id 1645/92 192.168.7.2:1645, Access-Accept, len 153
*Aug 19 00:17:01.679: RADIUS: authenticator 4E 3F 3F 31 3E 0E 89 C3 - 68 51 DB 9A BF 2D D6 58
*Aug 19 00:17:01.679: RADIUS: Vendor, Cisco [26] 31
*Aug 19 00:17:01.679: RADIUS: Cisco AVpair [1] 25 "preauth:auth-required=1"
*Aug 19 00:17:01.679: RADIUS: Vendor, Cisco [26] 30
*Aug 19 00:17:01.679: RADIUS: Cisco AVpair [1] 24 "preauth:service-type=1"
*Aug 19 00:17:01.679: RADIUS: Vendor, Cisco [26] 33
*Aug 19 00:17:01.679: RADIUS: Cisco AVpair [1] 27 "preauth:username=mahlzeit"
*Aug 19 00:17:01.679: RADIUS: Vendor, Cisco [26] 39
*Aug 19 00:17:01.679: RADIUS: Cisco AVpair [1] 33 "autocmd=telnet 192.168.7.2 9000"
*Aug 19 00:17:01.679: RADIUS(0000005B): Received from id 1645/92
*Aug 19 00:17:01.679: RADIUS/DECODE: VSA service-type=1 maps to Login
*Aug 19 00:17:01.679: AAA SRV(0000005B): protocol reply PASS for Authorization
*Aug 19 00:17:01.679: AAA SRV(0000005B): Return Authorization status=PASS
*Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B): Preauth:
*Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B): auth-required
*Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B): service-type
*Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B): add username mahlzeit
*Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B): Done - PASSED
</pre>

h4. authentication

This is the step that we would want to skip, but which we have enabled here to illustrate one (other) working configuration.

It looks as expected. First the user is prompted for username and password (ignoring the @preauth:username@ which is sent in the above radius response, contrary to Cisco documentation). Then a radius query is sent using those credentials, to which the radius server responds with the telnet login ip/port attributes.

<pre>
*Aug 19 00:17:01.679: as_alloc_hdlc: Allocated slot 6, port 0, map 0x00000002 to hdlc chip 0 link 0, map 0x20000000
*Aug 19 00:17:01.679: pm7366_down:slot=6 channel=29 freedm_chan=56 freedm_no=0 link_no=0 prov=0
*Aug 19 00:17:01.679: pm7366_up:slot=6 channel=29 freedm_chan=56 freedm_no=0 link_no=0 prov=0
*Aug 19 00:17:01.679: serial_autodetect_needed: TRUE
*Aug 19 00:17:01.679: Ser-Autodetect Se6/0:29: starting
*Aug 19 00:17:01.995: V120: Autodetect trying to detect V120 mode on Se6/0:29
*Aug 19 00:17:01.995: V120 sampled pkt: 3 bytes: 8 1 7F
*Aug 19 00:17:01.995: Ser-Autodetect Se6/0:29: Autodetected v120 encaps
*Aug 19 00:17:01.995: Serial6/0:29: copy pkt, tmp->flags 0x200, idb->encsize 4
*Aug 19 00:17:01.995: size 3
0x8 0x1 0x7F
*Aug 19 00:17:01.995: AAA/AUTHEN/LOGIN (0000005B): Pick method list 'default'
*Aug 19 00:17:01.995: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74
*Aug 19 00:17:01.995: AAA SRV(0000005B): process authen req
*Aug 19 00:17:01.995: AAA SRV(0000005B): Authen method=SERVER_GROUP radius
*Aug 19 00:17:01.995: RADIUS/ENCODE(0000005B): ask "Username: "
*Aug 19 00:17:01.995: RADIUS/ENCODE(0000005B): send packet; GET_USER
*Aug 19 00:17:01.995: AAA SRV(0000005B): protocol reply GET_USER for Authentication
*Aug 19 00:17:01.995: AAA SRV(0000005B): Return Authentication status=GET_USER
*Aug 19 00:17:08.651: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74
*Aug 19 00:17:08.655: AAA SRV(0000005B): process authen req
*Aug 19 00:17:08.655: AAA SRV(0000005B): Authen method=SERVER_GROUP radius
*Aug 19 00:17:08.655: RADIUS/ENCODE(0000005B): ask "Username: "
*Aug 19 00:17:08.655: RADIUS/ENCODE(0000005B): send packet; GET_USER
*Aug 19 00:17:08.655: AAA SRV(0000005B): protocol reply GET_USER for Authentication
*Aug 19 00:17:08.655: AAA SRV(0000005B): Return Authentication status=GET_USER
*Aug 19 00:17:09.623: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74
*Aug 19 00:17:09.623: AAA SRV(0000005B): process authen req
*Aug 19 00:17:09.623: AAA SRV(0000005B): Authen method=SERVER_GROUP radius
*Aug 19 00:17:09.623: RADIUS/ENCODE(0000005B): ask "Password: "
*Aug 19 00:17:09.623: RADIUS/ENCODE(0000005B): send packet; GET_PASSWORD
*Aug 19 00:17:09.623: AAA SRV(0000005B): protocol reply GET_PASSWORD for Authentication
*Aug 19 00:17:09.623: AAA SRV(0000005B): Return Authentication status=GET_PASSWORD
*Aug 19 00:17:09.931: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74
*Aug 19 00:17:09.931: AAA SRV(0000005B): process authen req
*Aug 19 00:17:09.931: AAA SRV(0000005B): Authen method=SERVER_GROUP radius
*Aug 19 00:17:09.931: RADIUS/ENCODE(0000005B):Orig. component type = ISDN
*Aug 19 00:17:09.931: RADIUS/ENCODE(0000005B): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Aug 19 00:17:09.931: RADIUS(0000005B): Config NAS IP: 0.0.0.0
*Aug 19 00:17:09.931: RADIUS/ENCODE(0000005B): acct_session_id: 91
*Aug 19 00:17:09.931: RADIUS(0000005B): sending
*Aug 19 00:17:09.931: RADIUS/ENCODE: Best Local IP-Address 192.168.7.6 for Radius-Server 192.168.7.2
*Aug 19 00:17:09.931: RADIUS(0000005B): Send Access-Request to 192.168.7.2:1645 id 1645/93, len 104
*Aug 19 00:17:09.931: RADIUS: authenticator 64 FD 26 15 C1 2A A2 C2 - B1 82 4A C1 2B BE 02 99
*Aug 19 00:17:09.931: RADIUS: User-Name [1] 4 "as"
*Aug 19 00:17:09.931: RADIUS: User-Password [2] 18 *
*Aug 19 00:17:09.931: RADIUS: Calling-Station-Id [31] 13 "03012342151"
*Aug 19 00:17:09.931: RADIUS: Called-Station-Id [30] 13 "03012344002"
*Aug 19 00:17:09.931: RADIUS: Connect-Info [77] 12 "64000 HDLC"
*Aug 19 00:17:09.931: RADIUS: NAS-Port-Type [61] 6 ISDN [2]
*Aug 19 00:17:09.931: RADIUS: NAS-Port [5] 6 20029
*Aug 19 00:17:09.931: RADIUS: NAS-Port-Id [87] 6 "tty3"
*Aug 19 00:17:09.931: RADIUS: NAS-IP-Address [4] 6 192.168.7.6
*Aug 19 00:17:09.935: RADIUS: Received from id 1645/93 192.168.7.2:1645, Access-Accept, len 44
*Aug 19 00:17:09.935: RADIUS: authenticator 50 04 BF 13 D3 DE 32 39 - 55 1A ED 3F 5D C3 5C E0
*Aug 19 00:17:09.935: RADIUS: Service-Type [6] 6 Login [1]
*Aug 19 00:17:09.935: RADIUS: Login-Service [15] 6 Telnet [0]
*Aug 19 00:17:09.935: RADIUS: login-ip-addr-host [14] 6 192.168.7.2
*Aug 19 00:17:09.935: RADIUS: login-tcp-port [16] 6 23
*Aug 19 00:17:09.935: RADIUS(0000005B): Received from id 1645/93
*Aug 19 00:17:09.935: RADIUS: Constructed " telnet 192.168.7.2 23 "
*Aug 19 00:17:09.935: AAA SRV(0000005B): protocol reply PASS for Authentication
*Aug 19 00:17:09.935: AAA SRV(0000005B): Return Authentication status=PASS
</pre>

h4. exec-authorization

Last, but not least, now that @aaa authorization exec@ is enabled, we get the following debug output. Note that there is *no additional radius query* at this point. It seems to just use the existing radius attributes obtained during the previous authentication step.

<pre>
*Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): processing AV noescape=1
*Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): processing AV autocmd= telnet 192.168.7.2 23
*Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): processing AV service-type=1
*Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): Authorization successful
*Aug 19 00:18:09.967: AAA/ACCT/DS0: channel=29, ds1=0, t3=0, slot=6, ds0=100663325
*Aug 19 00:18:09.967: pm7366_up:slot=6 channel=29 freedm_chan=56 freedm_no=0 link_no=0 prov=1
*Aug 19 00:18:09.967: pm7366_down:slot=6 channel=29 freedm_chan=56 freedm_no=0 link_no=0 prov=1
*Aug 19 00:18:09.971: as_free_hdlc: Free slot 6, port 0, map 0x00000002 to hdlc chip 0 link 0, map 0x20000000
</pre>

After this point, the telnet connection is established, and the dialled-in user gets whatever telnet-based service is offered on that host/port.