

Revision 2 (laforge, 05/01/2022 08:45 AM) → Revision 3/7 (laforge, 05/01/2022 08:45 AM)

{{>toc}}

 h1. Radius based DNIS -> TCP forwarding 

 With the [[Livingston_Portmaster_3]], it is relatively easy to configure a setup where the _Called Party Number_ (the destination number dialled by the caller, in the US called DNIS) is used to determine the remote host/IP and port number to which the asynchronous stream of bytes leaving a modem call or a [[V.120]], [[X.75]] or [[V.110]] async ISDN data call is forwarded. 

 This setup is surprisingly difficult (so far impossible for @laforge) to replicate on Cisco AS5400 systems. 

 In theory, this should all work, as Cisco offers the following functionality: 
 * AAA Pre-authorization based on DNIS 
 ** this means that a Radius query is made based on the called party number, before a call is accepted and before any user prompt - just like the _Call-Check_ feature of the Portmaster 
 * Radius-based specification of a remote IP/Port to forward to, by means of 
 <pre> 
                 Service-Type = Login-User, 
                 Login-Service = Telnet, 
                 Login-IP-Host = 192.168.7.2, 
                 Login-TCP-Port = 23 
 </pre> 

 Unfortunately, after way too many hours wasted, it still doesn't work. 
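To make the attribute set listed above concrete, here is an added example (not code from this page, from Cisco IOS or from any RADIUS server) of the exchange in Python: the Call-Check _Access-Request_ the NAS sends for a DNIS, a server side that maps the DNIS to a forwarding target and signs the _Access-Accept_ with the RFC 2865 Response Authenticator, and the check the NAS has to make before it trusts the Login-* attributes. The DNIS table, the shared secret and all function names are assumptions made for illustration; only the standard library is used.

```python
# Added example: RADIUS exchange behind DNIS-based pre-authorization, NAS and
# server side. Not code from the wiki page, Cisco IOS or any RADIUS server; the
# DNIS table, secret and helper names are assumptions made for illustration.
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, SERVICE_TYPE, LOGIN_IP_HOST, LOGIN_SERVICE = 1, 6, 14, 15
LOGIN_TCP_PORT, VSA, CALLED_STATION_ID = 16, 26, 30
SERVICE_LOGIN, SERVICE_CALL_CHECK = 1, 10      # Service-Type values
LOGIN_TELNET, LOGIN_TCP_CLEAR = 0, 2           # Login-Service values
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1           # Cisco-AVPair is VSA 26, vendor 9, type 1
INT_ATTRS = {SERVICE_TYPE: "Service-Type", LOGIN_SERVICE: "Login-Service",
             LOGIN_TCP_PORT: "Login-TCP-Port"}
STR_ATTRS = {USER_NAME: "User-Name", CALLED_STATION_ID: "Called-Station-Id"}

# Constructed DNIS -> (host, port, tcp_clear) table; an assumption, not from the page.
DNIS_TABLE = {"03012344001": ("192.168.7.2", 9000, False)}


def _attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value

def _int_attr(atype, number):
    return _attr(atype, struct.pack("!I", number))

def cisco_avpair(text):
    """Vendor-Specific (26) attribute carrying one Cisco-AVPair string."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return _attr(VSA, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def parse_attributes(packet):
    """Decode the attributes after the 20-byte header; strict about lengths."""
    out, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        val = packet[pos + 2:pos + alen]
        if atype == VSA:
            vendor, vtype, vlen = struct.unpack("!IBB", val[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                out.setdefault("Cisco-AVPair", []).append(val[6:4 + vlen].decode())
        elif atype == LOGIN_IP_HOST:
            out["Login-IP-Host"] = str(ipaddress.IPv4Address(val))
        elif atype in INT_ATTRS:
            out[INT_ATTRS[atype]] = struct.unpack("!I", val)[0]
        elif atype in STR_ATTRS:
            out[STR_ATTRS[atype]] = val.decode()
        pos += alen
    return out

def build_call_check(ident, dnis):
    """NAS side: the Access-Request sent before the call is accepted.
    User-Password, Calling-Station-Id and the NAS-* attributes are left out."""
    attrs = (_attr(USER_NAME, dnis.encode()) + _int_attr(SERVICE_TYPE, SERVICE_CALL_CHECK)
             + _attr(CALLED_STATION_ID, dnis.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + os.urandom(16) + attrs            # 16 random bytes = Request Authenticator

def answer_call_check(request, secret, auth_required=0):
    """Server side: map the DNIS to a forwarding target and sign the reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    attrs = parse_attributes(request)
    target = DNIS_TABLE.get(attrs.get("Called-Station-Id"))
    if attrs.get("Service-Type") != SERVICE_CALL_CHECK or target is None:
        code, reply_attrs = ACCESS_REJECT, b""
    else:
        host, port, tcp_clear = target
        code = ACCESS_ACCEPT
        reply_attrs = (cisco_avpair("preauth:auth-required=%d" % auth_required)
                       + cisco_avpair("preauth:service-type=%d" % SERVICE_LOGIN)
                       + _int_attr(SERVICE_TYPE, SERVICE_LOGIN)
                       + _int_attr(LOGIN_SERVICE, LOGIN_TCP_CLEAR if tcp_clear else LOGIN_TELNET)
                       + _attr(LOGIN_IP_HOST, ipaddress.IPv4Address(host).packed)
                       + _int_attr(LOGIN_TCP_PORT, port))
    header = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    # RFC 2865 Response Authenticator: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request[4:20] + reply_attrs + secret).digest()
    return header + resp_auth + reply_attrs

def verify_response(reply, request, secret):
    """NAS side: drop any reply whose Response Authenticator does not verify."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

if __name__ == "__main__":
    secret = b"assumed-shared-secret"
    req = build_call_check(91, "03012344001")
    rep = answer_call_check(req, secret)
    print(verify_response(rep, req, secret), parse_attributes(rep))
```

The Login-IP-Host/Login-TCP-Port pair decides where an incoming caller's byte stream ends up, so the Response Authenticator check is the only thing standing between a spoofed UDP reply and a redirected session; RADIUS itself gives no confidentiality, which is why the shared secret and the server address should stay on a management network.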

 h2. Some observations 

 h3. Radius client correctly understands Login-* 

 As we can see in the debug log below, the pre-auth for the DNIS works correctly: the Cisco Radius client receives the telnet IP/port and appears to internally construct an _autocommand_ from it (@telnet 192.168.7.2 9000@).    For _Login-Service=TCP-Clear_, it appends a @/stream@ to that command. 

 <pre> 
 *Aug 19 00:16:30.675: RADIUS(0000005A): Send Access-Request to 192.168.7.2:1645 id 1645/91, len 159 
 *Aug 19 00:16:30.675: RADIUS:    authenticator 1F FE AD FC 80 28 17 B3 - 22 3D 30 A0 0A 1B 9E 60 
 *Aug 19 00:16:30.675: RADIUS:    User-Name             [1]     13    "03012344001" 
 *Aug 19 00:16:30.675: RADIUS:    User-Password         [2]     18    * 
 *Aug 19 00:16:30.675: RADIUS:    Vendor, Cisco         [26]    32   
 *Aug 19 00:16:30.675: RADIUS:     Cisco AVpair         [1]     26    "resource-service=reserve" 
 *Aug 19 00:16:30.675: RADIUS:    Service-Type          [6]     6     Call Check                  [10] 
 *Aug 19 00:16:30.675: RADIUS:    Calling-Station-Id    [31]    13    "03012342151" 
 *Aug 19 00:16:30.675: RADIUS:    Called-Station-Id     [30]    13    "03012344001" 
 *Aug 19 00:16:30.675: RADIUS:    Connect-Info          [77]    12    "64000 HDLC" 
 *Aug 19 00:16:30.675: RADIUS:    NAS-Port-Type         [61]    6     ISDN                        [2] 
 *Aug 19 00:16:30.675: RADIUS:    NAS-Port              [5]     6     20028                      
 *Aug 19 00:16:30.675: RADIUS:    NAS-Port-Id           [87]    14    "Serial6/0:28" 
 *Aug 19 00:16:30.675: RADIUS:    NAS-IP-Address        [4]     6     192.168.7.6                
 *Aug 19 00:16:30.675: RADIUS: Received from id 1645/91 192.168.7.2:1645, Access-Accept, len 105 
 *Aug 19 00:16:30.675: RADIUS:    authenticator 2D 8D D1 52 5D 6C A3 84 - B6 71 98 21 5A 8B 78 40 
 *Aug 19 00:16:30.675: RADIUS:    Vendor, Cisco         [26]    31   
 *Aug 19 00:16:30.679: RADIUS:     Cisco AVpair         [1]     25    "preauth:auth-required=0" 
 *Aug 19 00:16:30.679: RADIUS:    Vendor, Cisco         [26]    30   
 *Aug 19 00:16:30.679: RADIUS:     Cisco AVpair         [1]     24    "preauth:service-type=1" 
 *Aug 19 00:16:30.679: RADIUS:    Service-Type          [6]     6     Login                       [1] 
 *Aug 19 00:16:30.679: RADIUS:    Login-Service         [15]    6     Telnet                      [0] 
 *Aug 19 00:16:30.679: RADIUS:    login-ip-addr-host    [14]    6     192.168.7.2                
 *Aug 19 00:16:30.679: RADIUS:    login-tcp-port        [16]    6     9000                       
 *Aug 19 00:16:30.679: RADIUS(0000005A): Received from id 1645/91 
 *Aug 19 00:16:30.679: RADIUS/DECODE: VSA service-type=1 maps to Login 
 *Aug 19 00:16:30.679: RADIUS: Constructed " telnet 192.168.7.2 9000    " 
 *Aug 19 00:16:30.679: AAA SRV(0000005A): protocol reply PASS for Authorization 
 *Aug 19 00:16:30.679: AAA SRV(0000005A): Return Authorization status=PASS 
 *Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): Preauth: 
 *Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A):    auth-required  
 *Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A):    service-type  
 *Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A):    service-type  
 *Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A):    login-service  
 *Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): default username 03012344001 
 *Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): Done - PASSED  
 </pre> 

 However, whatever code in Cisco IOS calls that Radius client library does not use this information from the pre-authorization phase. 

 h3. Cisco respects @preauth:auth-required=0@ 

 When passing that vendor-specific Radius attribute in our response, the Cisco skips the _authentication_ step that would normally follow the _pre-authorization_.    However, it then simply drops the caller to a vty (Cisco exec prompt), i.e. an unauthenticated caller gets an interactive shell on the access server instead of the forwarded TCP session.    One can then manually enter the telnet command just fine, so it is not a matter of missing privileges. 

 If the radius response in pre-auth contains @preauth:auth-required=1@ (or skips that attribute completely), then the Cisco proceeds with normal authentication by displaying a login/password prompt.    But that's not what we want. 


 h3. Cisco requires @aaa authorization exec@ for TCP/Telnet forwarding 

 Even if we keep the normal authentication (@preauth:auth-required=1@), and log in using a radius user that has a configuration for TCP/Telnet forwarding, we still get dropped to a normal vty command prompt. 

 The automatic execution of the command only works if @aaa authorization exec@ is configured, for example @aaa authorization exec default group radius@.    In this case, there is an additional AAA step (after pre-authorization + authentication), which then respects the radius attributes for login-service/login-host/... 

 So it looks like this: 

 h4. pre-authorization 

 <pre> 
 *Aug 19 00:17:01.675: AAA/BIND(0000005B): Bind i/f Serial6/0:29  
 *Aug 19 00:17:01.675: AAA/ACCT/DS0: channel=29, ds1=0, t3=0, slot=6, ds0=100663325 
 *Aug 19 00:17:01.675: AAA/ACCT/DS0: channel=29, ds1=0, t3=0, slot=6, ds0=100663325 
 *Aug 19 00:17:01.675: AAA/AUTHOR/PREAUTH/(0000005B): DNIS-based preauthentication 
 *Aug 19 00:17:01.675: AAA/AUTHOR/PREAUTH(0000005B): overriding port-type to PRI 
 *Aug 19 00:17:01.675: AAA/AUTHOR/PREAUTH(0000005B): overriding interface to Serial6/0:29 
 *Aug 19 00:17:01.675: AAA/AUTHOR (0x5B): Pick method list 'default' 
 *Aug 19 00:17:01.675: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74 
 *Aug 19 00:17:01.675: AAA SRV(0000005B): process author req 
 *Aug 19 00:17:01.675: AAA SRV(0000005B): Author method=SERVER_GROUP radius 
 *Aug 19 00:17:01.675: RADIUS/ENCODE(0000005B):Orig. component type = ISDN 
 *Aug 19 00:17:01.675: RADIUS(0000005B): Config NAS IP: 0.0.0.0 
 *Aug 19 00:17:01.675: RADIUS/ENCODE(0000005B): acct_session_id: 91 
 *Aug 19 00:17:01.675: RADIUS(0000005B): sending 
 *Aug 19 00:17:01.675: RADIUS/ENCODE: Best Local IP-Address 192.168.7.6 for Radius-Server 192.168.7.2 
 *Aug 19 00:17:01.675: RADIUS(0000005B): Send Access-Request to 192.168.7.2:1645 id 1645/92, len 159 
 *Aug 19 00:17:01.675: RADIUS:    authenticator F1 4A 9E B5 81 29 22 DB - F8 C4 22 E2 73 A2 37 68 
 *Aug 19 00:17:01.675: RADIUS:    User-Name             [1]     13    "03012344002" 
 *Aug 19 00:17:01.675: RADIUS:    User-Password         [2]     18    * 
 *Aug 19 00:17:01.675: RADIUS:    Vendor, Cisco         [26]    32   
 *Aug 19 00:17:01.675: RADIUS:     Cisco AVpair         [1]     26    "resource-service=reserve" 
 *Aug 19 00:17:01.675: RADIUS:    Service-Type          [6]     6     Call Check                  [10] 
 *Aug 19 00:17:01.675: RADIUS:    Calling-Station-Id    [31]    13    "03012342151" 
 *Aug 19 00:17:01.675: RADIUS:    Called-Station-Id     [30]    13    "03012344002" 
 *Aug 19 00:17:01.675: RADIUS:    Connect-Info          [77]    12    "64000 HDLC" 
 *Aug 19 00:17:01.675: RADIUS:    NAS-Port-Type         [61]    6     ISDN                        [2] 
 *Aug 19 00:17:01.675: RADIUS:    NAS-Port              [5]     6     20029                      
 *Aug 19 00:17:01.675: RADIUS:    NAS-Port-Id           [87]    14    "Serial6/0:29" 
 *Aug 19 00:17:01.675: RADIUS:    NAS-IP-Address        [4]     6     192.168.7.6                
 *Aug 19 00:17:01.679: RADIUS: Received from id 1645/92 192.168.7.2:1645, Access-Accept, len 153 
 *Aug 19 00:17:01.679: RADIUS:    authenticator 4E 3F 3F 31 3E 0E 89 C3 - 68 51 DB 9A BF 2D D6 58 
 *Aug 19 00:17:01.679: RADIUS:    Vendor, Cisco         [26]    31   
 *Aug 19 00:17:01.679: RADIUS:     Cisco AVpair         [1]     25    "preauth:auth-required=1" 
 *Aug 19 00:17:01.679: RADIUS:    Vendor, Cisco         [26]    30   
 *Aug 19 00:17:01.679: RADIUS:     Cisco AVpair         [1]     24    "preauth:service-type=1" 
 *Aug 19 00:17:01.679: RADIUS:    Vendor, Cisco         [26]    33   
 *Aug 19 00:17:01.679: RADIUS:     Cisco AVpair         [1]     27    "preauth:username=mahlzeit" 
 *Aug 19 00:17:01.679: RADIUS:    Vendor, Cisco         [26]    39   
 *Aug 19 00:17:01.679: RADIUS:     Cisco AVpair         [1]     33    "autocmd=telnet 192.168.7.2 9000" 
 *Aug 19 00:17:01.679: RADIUS(0000005B): Received from id 1645/92 
 *Aug 19 00:17:01.679: RADIUS/DECODE: VSA service-type=1 maps to Login 
 *Aug 19 00:17:01.679: AAA SRV(0000005B): protocol reply PASS for Authorization 
 *Aug 19 00:17:01.679: AAA SRV(0000005B): Return Authorization status=PASS 
 *Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B): Preauth: 
 *Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B):    auth-required  
 *Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B):    service-type  
 *Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B):    add username mahlzeit 
 *Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B): Done - PASSED  
 </pre> 

 h4. authentication 

 This is the step that we would want to skip, but which we have enabled here for the purpose of illustrating one (other) working configuration. 

 It looks as expected.    First the user is prompted for username and password (ignoring the @preauth:username@ which is sent in the above radius response, contrary to Cisco documentation).    Then a radius query is sent using those credentials, to which the radius server responds with the telnet login IP/port attributes. 

 <pre> 
 *Aug 19 00:17:01.679: as_alloc_hdlc: Allocated slot 6, port 0, map 0x00000002 to hdlc chip 0 link 0, map 0x20000000 
 *Aug 19 00:17:01.679: pm7366_down:slot=6 channel=29 freedm_chan=56 freedm_no=0 link_no=0 prov=0 
 *Aug 19 00:17:01.679: pm7366_up:slot=6 channel=29 freedm_chan=56 freedm_no=0 link_no=0 prov=0 
 *Aug 19 00:17:01.679: serial_autodetect_needed: TRUE 
 *Aug 19 00:17:01.679: Ser-Autodetect Se6/0:29: starting 
 *Aug 19 00:17:01.995: V120: Autodetect trying to detect V120 mode on Se6/0:29 
 *Aug 19 00:17:01.995: V120 sampled pkt:    3 bytes:    8 1 7F 
 *Aug 19 00:17:01.995: Ser-Autodetect Se6/0:29: Autodetected v120 encaps 
 *Aug 19 00:17:01.995: Serial6/0:29: copy pkt, tmp->flags 0x200, idb->encsize 4 
 *Aug 19 00:17:01.995: size 3 
 0x8 0x1 0x7F  
 *Aug 19 00:17:01.995: AAA/AUTHEN/LOGIN (0000005B): Pick method list 'default'  
 *Aug 19 00:17:01.995: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74 
 *Aug 19 00:17:01.995: AAA SRV(0000005B): process authen req 
 *Aug 19 00:17:01.995: AAA SRV(0000005B): Authen method=SERVER_GROUP radius 
 *Aug 19 00:17:01.995: RADIUS/ENCODE(0000005B): ask "Username: " 
 *Aug 19 00:17:01.995: RADIUS/ENCODE(0000005B): send packet; GET_USER 
 *Aug 19 00:17:01.995: AAA SRV(0000005B): protocol reply GET_USER for Authentication 
 *Aug 19 00:17:01.995: AAA SRV(0000005B): Return Authentication status=GET_USER 
 *Aug 19 00:17:08.651: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74 
 *Aug 19 00:17:08.655: AAA SRV(0000005B): process authen req 
 *Aug 19 00:17:08.655: AAA SRV(0000005B): Authen method=SERVER_GROUP radius 
 *Aug 19 00:17:08.655: RADIUS/ENCODE(0000005B): ask "Username: " 
 *Aug 19 00:17:08.655: RADIUS/ENCODE(0000005B): send packet; GET_USER 
 *Aug 19 00:17:08.655: AAA SRV(0000005B): protocol reply GET_USER for Authentication 
 *Aug 19 00:17:08.655: AAA SRV(0000005B): Return Authentication status=GET_USER 
 *Aug 19 00:17:09.623: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74 
 *Aug 19 00:17:09.623: AAA SRV(0000005B): process authen req 
 *Aug 19 00:17:09.623: AAA SRV(0000005B): Authen method=SERVER_GROUP radius 
 *Aug 19 00:17:09.623: RADIUS/ENCODE(0000005B): ask "Password: " 
 *Aug 19 00:17:09.623: RADIUS/ENCODE(0000005B): send packet; GET_PASSWORD 
 *Aug 19 00:17:09.623: AAA SRV(0000005B): protocol reply GET_PASSWORD for Authentication 
 *Aug 19 00:17:09.623: AAA SRV(0000005B): Return Authentication status=GET_PASSWORD 
 *Aug 19 00:17:09.931: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74 
 *Aug 19 00:17:09.931: AAA SRV(0000005B): process authen req 
 *Aug 19 00:17:09.931: AAA SRV(0000005B): Authen method=SERVER_GROUP radius 
 *Aug 19 00:17:09.931: RADIUS/ENCODE(0000005B):Orig. component type = ISDN 
 *Aug 19 00:17:09.931: RADIUS/ENCODE(0000005B): dropping service type, "radius-server attribute 6 on-for-login-auth" is off 
 *Aug 19 00:17:09.931: RADIUS(0000005B): Config NAS IP: 0.0.0.0 
 *Aug 19 00:17:09.931: RADIUS/ENCODE(0000005B): acct_session_id: 91 
 *Aug 19 00:17:09.931: RADIUS(0000005B): sending 
 *Aug 19 00:17:09.931: RADIUS/ENCODE: Best Local IP-Address 192.168.7.6 for Radius-Server 192.168.7.2 
 *Aug 19 00:17:09.931: RADIUS(0000005B): Send Access-Request to 192.168.7.2:1645 id 1645/93, len 104 
 *Aug 19 00:17:09.931: RADIUS:    authenticator 64 FD 26 15 C1 2A A2 C2 - B1 82 4A C1 2B BE 02 99 
 *Aug 19 00:17:09.931: RADIUS:    User-Name             [1]     4     "as" 
 *Aug 19 00:17:09.931: RADIUS:    User-Password         [2]     18    * 
 *Aug 19 00:17:09.931: RADIUS:    Calling-Station-Id    [31]    13    "03012342151" 
 *Aug 19 00:17:09.931: RADIUS:    Called-Station-Id     [30]    13    "03012344002" 
 *Aug 19 00:17:09.931: RADIUS:    Connect-Info          [77]    12    "64000 HDLC" 
 *Aug 19 00:17:09.931: RADIUS:    NAS-Port-Type         [61]    6     ISDN                        [2] 
 *Aug 19 00:17:09.931: RADIUS:    NAS-Port              [5]     6     20029                      
 *Aug 19 00:17:09.931: RADIUS:    NAS-Port-Id           [87]    6     "tty3" 
 *Aug 19 00:17:09.931: RADIUS:    NAS-IP-Address        [4]     6     192.168.7.6                
 *Aug 19 00:17:09.935: RADIUS: Received from id 1645/93 192.168.7.2:1645, Access-Accept, len 44 
 *Aug 19 00:17:09.935: RADIUS:    authenticator 50 04 BF 13 D3 DE 32 39 - 55 1A ED 3F 5D C3 5C E0 
 *Aug 19 00:17:09.935: RADIUS:    Service-Type          [6]     6     Login                       [1] 
 *Aug 19 00:17:09.935: RADIUS:    Login-Service         [15]    6     Telnet                      [0] 
 *Aug 19 00:17:09.935: RADIUS:    login-ip-addr-host    [14]    6     192.168.7.2                
 *Aug 19 00:17:09.935: RADIUS:    login-tcp-port        [16]    6     23                         
 *Aug 19 00:17:09.935: RADIUS(0000005B): Received from id 1645/93 
 *Aug 19 00:17:09.935: RADIUS: Constructed " telnet 192.168.7.2 23    " 
 *Aug 19 00:17:09.935: AAA SRV(0000005B): protocol reply PASS for Authentication 
 *Aug 19 00:17:09.935: AAA SRV(0000005B): Return Authentication status=PASS 
 </pre> 

 h4. exec-authorization 

 Last, but not least, now that @aaa authorization exec@ is enabled, we get the following debug output.    Note that there is *no additional radius query* at this point. It seems to just use the existing radius attributes obtained during the previous authentication step.    Also note the @noescape=1@ AV pair, which prevents the dialled-in user from escaping out of the autocommand back to the exec prompt. 

 <pre> 
 *Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): processing AV noescape=1 
 *Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): processing AV autocmd= telnet 192.168.7.2 23   
 *Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): processing AV service-type=1 
 *Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): Authorization successful 
 *Aug 19 00:18:09.967: AAA/ACCT/DS0: channel=29, ds1=0, t3=0, slot=6, ds0=100663325 
 *Aug 19 00:18:09.967: pm7366_up:slot=6 channel=29 freedm_chan=56 freedm_no=0 link_no=0 prov=1 
 *Aug 19 00:18:09.967: pm7366_down:slot=6 channel=29 freedm_chan=56 freedm_no=0 link_no=0 prov=1 
 *Aug 19 00:18:09.971: as_free_hdlc: Free slot 6, port 0, map 0x00000002 to hdlc chip 0 link 0, map 0x20000000 
 </pre> 

 After this point, the telnet connection is established, and the dialled-in user gets whatever telnet-based service is listening on that host and port. 
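The three stages walked through above (pre-authorization, authentication, exec-authorization) can be recovered mechanically from the @debug radius@ / @debug aaa authorization@ output, which is handy when comparing many test calls. The following is an added example, not code from this page or from Cisco, that groups the debug lines by AAA session id and reports whether the forwarding target was actually applied or whether the caller ended up on a vty prompt; the regexes, state names and verdict wording are my own, and the sample lines are constructed, abbreviated copies modelled on the debug output shown on this page.

```python
"""Recover the AAA stages of a dial-in call from 'debug radius' / 'debug aaa' output."""
# Added example, not from this wiki page or from Cisco. The regexes, state names
# and verdict wording are assumptions; SAMPLE_LOG is a constructed, abbreviated
# copy modelled on the debug output shown on the page.
import re

SESSION_RE = re.compile(r"\((?P<sid>[0-9A-F]{8})\)")
DNIS_RE = re.compile(r'Called-Station-Id\s+\[30\]\s+\d+\s+"(?P<dnis>[^"]+)"')
AUTH_REQ_RE = re.compile(r"preauth:auth-required=(?P<v>[01])")
CONSTRUCTED_RE = re.compile(r'RADIUS: Constructed "\s*(?P<cmd>.*?)\s*"')
EXEC_AUTOCMD_RE = re.compile(r"AAA/AUTHOR/EXEC\([0-9A-F]{8}\): processing AV autocmd=\s*(?P<cmd>.*?)\s*$")
EXEC_OK_RE = re.compile(r"AAA/AUTHOR/EXEC\([0-9A-F]{8}\): Authorization successful")

SAMPLE_LOG = """\
*Aug 19 00:16:30.675: RADIUS(0000005A): Send Access-Request to 192.168.7.2:1645 id 1645/91, len 159
*Aug 19 00:16:30.675: RADIUS:    Service-Type          [6]     6     Call Check                  [10]
*Aug 19 00:16:30.675: RADIUS:    Called-Station-Id     [30]    13    "03012344001"
*Aug 19 00:16:30.675: RADIUS: Received from id 1645/91 192.168.7.2:1645, Access-Accept, len 105
*Aug 19 00:16:30.679: RADIUS:     Cisco AVpair         [1]     25    "preauth:auth-required=0"
*Aug 19 00:16:30.679: RADIUS:    login-tcp-port        [16]    6     9000
*Aug 19 00:16:30.679: RADIUS: Constructed " telnet 192.168.7.2 9000    "
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): Done - PASSED
*Aug 19 00:17:01.675: RADIUS(0000005B): Send Access-Request to 192.168.7.2:1645 id 1645/92, len 159
*Aug 19 00:17:01.675: RADIUS:    Called-Station-Id     [30]    13    "03012344002"
*Aug 19 00:17:01.679: RADIUS:     Cisco AVpair         [1]     25    "preauth:auth-required=1"
*Aug 19 00:17:09.935: RADIUS: Constructed " telnet 192.168.7.2 23    "
*Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): processing AV autocmd= telnet 192.168.7.2 23
*Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): Authorization successful
"""


def new_state():
    return {"dnis": None, "forward_target": None, "auth_skipped": False,
            "exec_autocmd": None, "exec_ok": False}


def analyse(lines):
    """Return {session_id: state}. Attribute dump lines carry no session id,
    so they are charged to the id of the last RADIUS(...)/AAA(...) line."""
    sessions, current = {}, None
    for line in lines:
        sid = SESSION_RE.search(line)
        if sid:
            current = sid.group("sid")
            sessions.setdefault(current, new_state())
        if current is None:
            continue
        s = sessions[current]
        d = DNIS_RE.search(line)
        if d and s["dnis"] is None:
            s["dnis"] = d.group("dnis")
        a = AUTH_REQ_RE.search(line)
        if a and a.group("v") == "0":
            s["auth_skipped"] = True
        c = CONSTRUCTED_RE.search(line)
        if c:
            s["forward_target"] = c.group("cmd")
        e = EXEC_AUTOCMD_RE.search(line)
        if e:
            s["exec_autocmd"] = e.group("cmd")
        if EXEC_OK_RE.search(line):
            s["exec_ok"] = True
    return sessions


def verdict(state):
    """(severity, explanation) of what the dialled-in caller ends up with."""
    if state["exec_autocmd"]:
        if state["exec_ok"]:
            return "ok", "exec authorization runs autocommand: " + state["exec_autocmd"]
        return "medium", "autocmd seen but exec authorization did not succeed"
    if state["forward_target"]:
        if state["auth_skipped"]:
            return "high", ("target '%s' received at pre-auth but never applied; "
                            "unauthenticated caller lands on a vty prompt" % state["forward_target"])
        return "medium", ("target '%s' received but never applied; "
                          "caller lands on a vty prompt after login" % state["forward_target"])
    if state["auth_skipped"]:
        return "high", "authentication skipped and no forwarding target: unauthenticated vty prompt"
    return "info", "no forwarding target seen"


def report(text):
    """One line per session, ready to print or grep."""
    return ["%s dnis=%s %s: %s" % (sid, s["dnis"], *verdict(s))
            for sid, s in analyse(text.splitlines()).items()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against a capture of a whole test session, the "high" verdicts are the ones to look for before leaving such a configuration reachable from the PSTN: a DNIS answered with @preauth:auth-required=0@ but without an exec-authorization step hands every caller an unauthenticated exec prompt.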
