Radius based DNIS -> TCP forwarding » History » Version 6
laforge, 05/01/2022 09:00 AM
{{>toc}}

h1. Radius based DNIS -> TCP forwarding

With the [[Livingston_Portmaster_3]], it is relatively easy to configure a setup where the _Called Party Number_ (the destination number dialled by the caller, called DNIS in the US) is used to determine the remote host/IP and port number to which the asynchronous byte stream leaving a modem, [[V.120]], [[X.75]] or [[V.110]] async ISDN data call is forwarded.

This setup is surprisingly difficult (so far impossible for @laforge) to replicate on Cisco AS5400 systems.

In theory, this should all work, as Cisco offers the following functionality:
* AAA pre-authorization based on DNIS
** this means that a RADIUS query is made based on the called party number, before the call is accepted and before any user prompt, just like the _Call-Check_ feature of the Portmaster
* RADIUS-based specification of a remote IP/port to forward to, by means of
<pre>
Service-Type = Login-User,
Login-Service = Telnet,
Login-IP-Host = 192.168.7.2,
Login-TCP-Port = 23
</pre>

Unfortunately, after way too many hours wasted, it still doesn't work.

21 | |||
h2. Some observations

h3. Radius client correctly understands Login-*

As we can see in the debug log below, the pre-auth for the DNIS works correctly: the Cisco RADIUS client receives the Telnet IP/port and appears to internally construct an _autocommand_ from it (@telnet 192.168.7.2 9000@). For _Login-Service=TCP-Clear_, it appends a @/stream@ to that command.

<pre>
*Aug 19 00:16:30.675: RADIUS(0000005A): Send Access-Request to 192.168.7.2:1645 id 1645/91, len 159
*Aug 19 00:16:30.675: RADIUS: authenticator 1F FE AD FC 80 28 17 B3 - 22 3D 30 A0 0A 1B 9E 60
*Aug 19 00:16:30.675: RADIUS: User-Name [1] 13 "03012344001"
*Aug 19 00:16:30.675: RADIUS: User-Password [2] 18 *
*Aug 19 00:16:30.675: RADIUS: Vendor, Cisco [26] 32
*Aug 19 00:16:30.675: RADIUS: Cisco AVpair [1] 26 "resource-service=reserve"
*Aug 19 00:16:30.675: RADIUS: Service-Type [6] 6 Call Check [10]
*Aug 19 00:16:30.675: RADIUS: Calling-Station-Id [31] 13 "03012342151"
*Aug 19 00:16:30.675: RADIUS: Called-Station-Id [30] 13 "03012344001"
*Aug 19 00:16:30.675: RADIUS: Connect-Info [77] 12 "64000 HDLC"
*Aug 19 00:16:30.675: RADIUS: NAS-Port-Type [61] 6 ISDN [2]
*Aug 19 00:16:30.675: RADIUS: NAS-Port [5] 6 20028
*Aug 19 00:16:30.675: RADIUS: NAS-Port-Id [87] 14 "Serial6/0:28"
*Aug 19 00:16:30.675: RADIUS: NAS-IP-Address [4] 6 192.168.7.6
*Aug 19 00:16:30.675: RADIUS: Received from id 1645/91 192.168.7.2:1645, Access-Accept, len 105
*Aug 19 00:16:30.675: RADIUS: authenticator 2D 8D D1 52 5D 6C A3 84 - B6 71 98 21 5A 8B 78 40
*Aug 19 00:16:30.675: RADIUS: Vendor, Cisco [26] 31
*Aug 19 00:16:30.679: RADIUS: Cisco AVpair [1] 25 "preauth:auth-required=0"
*Aug 19 00:16:30.679: RADIUS: Vendor, Cisco [26] 30
*Aug 19 00:16:30.679: RADIUS: Cisco AVpair [1] 24 "preauth:service-type=1"
*Aug 19 00:16:30.679: RADIUS: Service-Type [6] 6 Login [1]
*Aug 19 00:16:30.679: RADIUS: Login-Service [15] 6 Telnet [0]
*Aug 19 00:16:30.679: RADIUS: login-ip-addr-host [14] 6 192.168.7.2
*Aug 19 00:16:30.679: RADIUS: login-tcp-port [16] 6 9000
*Aug 19 00:16:30.679: RADIUS(0000005A): Received from id 1645/91
*Aug 19 00:16:30.679: RADIUS/DECODE: VSA service-type=1 maps to Login
*Aug 19 00:16:30.679: RADIUS: Constructed " telnet 192.168.7.2 9000 "
*Aug 19 00:16:30.679: AAA SRV(0000005A): protocol reply PASS for Authorization
*Aug 19 00:16:30.679: AAA SRV(0000005A): Return Authorization status=PASS
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): Preauth:
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): auth-required
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): service-type
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): service-type
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): login-service
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): default username 03012344001
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): Done - PASSED
</pre>

However, whatever code in Cisco IOS calls that RADIUS client library does not use this information from the pre-authorization phase.
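To make the attribute encoding in the log above concrete, here is an added example (not code from the original page, and not Cisco's) that builds the DNIS Call-Check Access-Request and the pre-auth Access-Accept as RFC 2865 packets with Cisco vendor-specific attributes, and decodes them again. The attribute values are the ones visible in the debug output; the shared secret, the Request Authenticator and the masked Call-Check password are assumptions, as the log does not reveal them. Encoded this way, the packets come out at exactly the byte lengths the Cisco reports (159 for the request, 105 for the Accept with Login-* attributes, 153 for the Accept variant with @preauth:username@ and an explicit @autocmd@ used further down this page), which is a useful cross-check when writing RADIUS server policy against a NAS debug log.

```python
import hashlib
import struct

# RFC 2865 attribute types and enumerated values that appear on this page
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
LOGIN_IP_HOST, LOGIN_SERVICE, LOGIN_TCP_PORT, VENDOR_SPECIFIC = 14, 15, 16, 26
CALLED_STATION_ID, CALLING_STATION_ID, NAS_PORT_TYPE, CONNECT_INFO, NAS_PORT_ID = 30, 31, 61, 77, 87
ACCESS_REQUEST, ACCESS_ACCEPT, SVC_LOGIN, SVC_CALL_CHECK, LOGIN_SVC_TELNET, PORT_TYPE_ISDN = 1, 2, 1, 10, 0, 2
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1  # Vendor-Specific(26) -> vendor 9 -> sub-attribute 1 "cisco-avpair"

def u32(n): return struct.pack("!I", n)
def ipv4(dotted): return bytes(int(o) for o in dotted.split("."))

def attr(kind, value):
    # Type(1) Length(1) Value; Length counts the header, so a value is at most 253 bytes
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", kind, len(value) + 2) + value

def cisco_avpair(text):
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, u32(CISCO_VENDOR_ID) + sub)

def hide_password(password, secret, request_auth):
    # RFC 2865 5.2: zero-pad to 16n bytes, XOR each block with MD5(secret + previous block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def access_request(ident, secret, request_auth, user, password, more_attrs):
    body = attr(USER_NAME, user.encode())
    body += attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    body += b"".join(more_attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def access_accept(ident, secret, request_auth, attrs):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response(pkt, request_auth, secret):
    # What the NAS must check before acting on Login-*/autocmd from an Access-Accept
    return hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest() == pkt[4:20]

def decode(pkt):
    # -> (code, ident, [(type, value)]); Cisco VSAs come back as ("cisco-avpair", text)
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        kind, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        val = pkt[pos + 2:pos + alen]
        if kind == VENDOR_SPECIFIC and len(val) >= 6 and val[:4] == u32(CISCO_VENDOR_ID) and val[4] == CISCO_AVPAIR:
            attrs.append(("cisco-avpair", val[6:4 + val[5]].decode()))
        else:
            attrs.append((kind, val))
        pos += alen
    return code, ident, attrs

# The packets from the log, rebuilt from the attributes it shows. The shared secret, the Request
# Authenticator and the masked Call-Check password are assumptions; the log does not reveal them.
def dnis_call_check_request(ident, secret, request_auth, dnis="03012344001",
                            cli="03012342151", channel=28, password="cisco"):
    return access_request(ident, secret, request_auth, dnis, password, [
        cisco_avpair("resource-service=reserve"),
        attr(SERVICE_TYPE, u32(SVC_CALL_CHECK)),
        attr(CALLING_STATION_ID, cli.encode()),
        attr(CALLED_STATION_ID, dnis.encode()),
        attr(CONNECT_INFO, b"64000 HDLC"),
        attr(NAS_PORT_TYPE, u32(PORT_TYPE_ISDN)),
        attr(NAS_PORT, u32(20000 + channel)),
        attr(NAS_PORT_ID, f"Serial6/0:{channel}".encode()),
        attr(NAS_IP_ADDRESS, ipv4("192.168.7.6")),
    ])

def preauth_accept_login(ident, secret, request_auth, auth_required, host, port):
    # Access-Accept with Login-Service/Login-IP-Host/Login-TCP-Port, as in the log above
    return access_accept(ident, secret, request_auth, [
        cisco_avpair(f"preauth:auth-required={auth_required}"),
        cisco_avpair("preauth:service-type=1"),
        attr(SERVICE_TYPE, u32(SVC_LOGIN)),
        attr(LOGIN_SERVICE, u32(LOGIN_SVC_TELNET)),
        attr(LOGIN_IP_HOST, ipv4(host)),
        attr(LOGIN_TCP_PORT, u32(port)),
    ])

def preauth_accept_autocmd(ident, secret, request_auth, username, host, port):
    # Access-Accept variant with preauth:username and an explicit autocmd (used later on this page)
    return access_accept(ident, secret, request_auth, [
        cisco_avpair("preauth:auth-required=1"),
        cisco_avpair("preauth:service-type=1"),
        cisco_avpair(f"preauth:username={username}"),
        cisco_avpair(f"autocmd=telnet {host} {port}"),
    ])
```

@verify_response@ is the part to keep in mind when this is deployed: the Access-Accept decides where a caller's byte stream is forwarded (and, via @autocmd@, what gets executed on the NAS), so whoever can inject a reply on the path between NAS and RADIUS server decides that too. The only thing standing in the way is the Response Authenticator over the shared secret, which is why the NAS must check it before acting on any of these attributes and why that secret needs to be a strong one.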

h3. Cisco respects @preauth:auth-required=0@

When passing that vendor-specific RADIUS attribute in our response, the Cisco skips the _authentication_ step that would normally follow the _pre-authorization_. However, it then simply drops the caller to a vty (Cisco exec prompt). One can manually enter the telnet command there just fine, so it is not a matter of missing privileges. In other words, anyone dialling that DNIS gets an interactive exec prompt on the access server without ever having been asked for credentials, which is a problem in its own right, quite apart from not being the behaviour we want.

If the RADIUS response in pre-auth contains @preauth:auth-required=1@ (or omits that attribute completely), then the Cisco proceeds with normal authentication by displaying a login/password prompt. But that's not what we want.


h3. Cisco requires @aaa authorization exec@ for TCP/Telnet forwarding

Even if we keep the normal authentication (@preauth:auth-required=1@) and log in using a RADIUS user that has a configuration for TCP/Telnet forwarding, we still get dropped to a normal vty command prompt.

The automatic execution of the command only works if @aaa authorization exec@ is configured, for example @aaa authorization exec default group radius@. In this case there is an additional AAA step (after pre-authorization + authentication), which does respect the RADIUS attributes for login-service/login-host/...

So it looks like this:


h4. pre-authorization

<pre>
*Aug 19 00:17:01.675: AAA/BIND(0000005B): Bind i/f Serial6/0:29
*Aug 19 00:17:01.675: AAA/ACCT/DS0: channel=29, ds1=0, t3=0, slot=6, ds0=100663325
*Aug 19 00:17:01.675: AAA/ACCT/DS0: channel=29, ds1=0, t3=0, slot=6, ds0=100663325
*Aug 19 00:17:01.675: AAA/AUTHOR/PREAUTH/(0000005B): DNIS-based preauthentication
*Aug 19 00:17:01.675: AAA/AUTHOR/PREAUTH(0000005B): overriding port-type to PRI
*Aug 19 00:17:01.675: AAA/AUTHOR/PREAUTH(0000005B): overriding interface to Serial6/0:29
*Aug 19 00:17:01.675: AAA/AUTHOR (0x5B): Pick method list 'default'
*Aug 19 00:17:01.675: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74
*Aug 19 00:17:01.675: AAA SRV(0000005B): process author req
*Aug 19 00:17:01.675: AAA SRV(0000005B): Author method=SERVER_GROUP radius
*Aug 19 00:17:01.675: RADIUS/ENCODE(0000005B):Orig. component type = ISDN
*Aug 19 00:17:01.675: RADIUS(0000005B): Config NAS IP: 0.0.0.0
*Aug 19 00:17:01.675: RADIUS/ENCODE(0000005B): acct_session_id: 91
*Aug 19 00:17:01.675: RADIUS(0000005B): sending
*Aug 19 00:17:01.675: RADIUS/ENCODE: Best Local IP-Address 192.168.7.6 for Radius-Server 192.168.7.2
*Aug 19 00:17:01.675: RADIUS(0000005B): Send Access-Request to 192.168.7.2:1645 id 1645/92, len 159
*Aug 19 00:17:01.675: RADIUS: authenticator F1 4A 9E B5 81 29 22 DB - F8 C4 22 E2 73 A2 37 68
*Aug 19 00:17:01.675: RADIUS: User-Name [1] 13 "03012344002"
*Aug 19 00:17:01.675: RADIUS: User-Password [2] 18 *
*Aug 19 00:17:01.675: RADIUS: Vendor, Cisco [26] 32
*Aug 19 00:17:01.675: RADIUS: Cisco AVpair [1] 26 "resource-service=reserve"
*Aug 19 00:17:01.675: RADIUS: Service-Type [6] 6 Call Check [10]
*Aug 19 00:17:01.675: RADIUS: Calling-Station-Id [31] 13 "03012342151"
*Aug 19 00:17:01.675: RADIUS: Called-Station-Id [30] 13 "03012344002"
*Aug 19 00:17:01.675: RADIUS: Connect-Info [77] 12 "64000 HDLC"
*Aug 19 00:17:01.675: RADIUS: NAS-Port-Type [61] 6 ISDN [2]
*Aug 19 00:17:01.675: RADIUS: NAS-Port [5] 6 20029
*Aug 19 00:17:01.675: RADIUS: NAS-Port-Id [87] 14 "Serial6/0:29"
*Aug 19 00:17:01.675: RADIUS: NAS-IP-Address [4] 6 192.168.7.6
*Aug 19 00:17:01.679: RADIUS: Received from id 1645/92 192.168.7.2:1645, Access-Accept, len 153
*Aug 19 00:17:01.679: RADIUS: authenticator 4E 3F 3F 31 3E 0E 89 C3 - 68 51 DB 9A BF 2D D6 58
*Aug 19 00:17:01.679: RADIUS: Vendor, Cisco [26] 31
*Aug 19 00:17:01.679: RADIUS: Cisco AVpair [1] 25 "preauth:auth-required=1"
*Aug 19 00:17:01.679: RADIUS: Vendor, Cisco [26] 30
*Aug 19 00:17:01.679: RADIUS: Cisco AVpair [1] 24 "preauth:service-type=1"
*Aug 19 00:17:01.679: RADIUS: Vendor, Cisco [26] 33
*Aug 19 00:17:01.679: RADIUS: Cisco AVpair [1] 27 "preauth:username=mahlzeit"
*Aug 19 00:17:01.679: RADIUS: Vendor, Cisco [26] 39
*Aug 19 00:17:01.679: RADIUS: Cisco AVpair [1] 33 "autocmd=telnet 192.168.7.2 9000"
*Aug 19 00:17:01.679: RADIUS(0000005B): Received from id 1645/92
*Aug 19 00:17:01.679: RADIUS/DECODE: VSA service-type=1 maps to Login
*Aug 19 00:17:01.679: AAA SRV(0000005B): protocol reply PASS for Authorization
*Aug 19 00:17:01.679: AAA SRV(0000005B): Return Authorization status=PASS
*Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B): Preauth:
*Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B): auth-required
*Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B): service-type
*Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B): add username mahlzeit
*Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B): Done - PASSED
</pre>

h4. authentication

This is the step that we would want to skip, but which we enabled here to illustrate one (other) working configuration.

It looks as expected. First the user is prompted for username and password (ignoring the @preauth:username@ which is sent in the above RADIUS response, contrary to Cisco documentation). Then a RADIUS query is sent using those credentials, to which the RADIUS server responds with the Telnet login IP/port attributes.

<pre>
*Aug 19 00:17:01.679: as_alloc_hdlc: Allocated slot 6, port 0, map 0x00000002 to hdlc chip 0 link 0, map 0x20000000
*Aug 19 00:17:01.679: pm7366_down:slot=6 channel=29 freedm_chan=56 freedm_no=0 link_no=0 prov=0
*Aug 19 00:17:01.679: pm7366_up:slot=6 channel=29 freedm_chan=56 freedm_no=0 link_no=0 prov=0
*A ug 19 00:17:01.679: serial_autodetect_needed: TRUE
*Aug 19 00:17:01.679: Ser-Autodetect Se6/0:29: starting
*Aug 19 00:17:01.995: V120: Autodetect trying to detect V120 mode on Se6/0:29
*Aug 19 00:17:01.995: V120 sampled pkt: 3 bytes: 8 1 7F
*Aug 19 00:17:01.995: Ser-Autodetect Se6/0:29: Autodetected v120 encaps
*Aug 19 00:17:01.995: Serial6/0:29: copy pkt, tmp->flags 0x200, idb->encsize 4
*Aug 19 00:17:01.995: size 3
0x8 0x1 0x7F
*Aug 19 00:17:01.995: AAA/AUTHEN/LOGIN (0000005B): Pick method list 'default'
*Aug 19 00:17:01.995: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74
*Aug 19 00:17:01.995: AAA SRV(0000005B): process authen req
*Aug 19 00:17:01.995: AAA SRV(0000005B): Authen method=SERVER_GROUP radius
*Aug 19 00:17:01.995: RADIUS/ENCODE(0000005B): ask "Username: "
*Aug 19 00:17:01.995: RADIUS/ENCODE(0000005B): send packet; GET_USER
*Aug 19 00:17:01.995: AAA SRV(0000005B): protocol reply GET_USER for Authentication
*Aug 19 00:17:01.995: AAA SRV(0000005B): Return Authentication status=GET_USER
*Aug 19 00:17:08.651: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74
*Aug 19 00:17:08.655: AAA SRV(0000005B): process authen req
*Aug 19 00:17:08.655: AAA SRV(0000005B): Authen method=SERVER_GROUP radius
*Aug 19 00:17:08.655: RADIUS/ENCODE(0000005B): ask "Username: "
*Aug 19 00:17:08.655: RADIUS/ENCODE(0000005B): send packet; GET_USER
*Aug 19 00:17:08.655: AAA SRV(0000005B): protocol reply GET_USER for Authentication
*Aug 19 00:17:08.655: AAA SRV(0000005B): Return Authentication status=GET_USER
*Aug 19 00:17:09.623: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74
*Aug 19 00:17:09.623: AAA SRV(0000005B): process authen req
*Aug 19 00:17:09.623: AAA SRV(0000005B): Authen method=SERVER_GROUP radius
*Aug 19 00:17:09.623: RADIUS/ENCODE(0000005B): ask "Password: "
*Aug 19 00:17:09.623: RADIUS/ENCODE(0000005B): send packet; GET_PASSWORD
*Aug 19 00:17:09.623: AAA SRV(0000005B): protocol reply GET_PASSWORD for Authentication
*Aug 19 00:17:09.623: AAA SRV(0000005B): Return Authentication status=GET_PASSWORD
*Aug 19 00:17:09.931: AAA/IPC(0000005B): Sending authen/author message to AAA server pid 74
*Aug 19 00:17:09.931: AAA SRV(0000005B): process authen req
*Aug 19 00:17:09.931: AAA SRV(0000005B): Authen method=SERVER_GROUP radius
*Aug 19 00:17:09.931: RADIUS/ENCODE(0000005B):Orig. component type = ISDN
*Aug 19 00:17:09.931: RADIUS/ENCODE(0000005B): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Aug 19 00:17:09.931: RADIUS(0000005B): Config NAS IP: 0.0.0.0
*Aug 19 00:17:09.931: RADIUS/ENCODE(0000005B): acct_session_id: 91
*Aug 19 00:17:09.931: RADIUS(0000005B): sending
*Aug 19 00:17:09.931: RADIUS/ENCODE: Best Local IP-Address 192.168.7.6 for Radius-Server 192.168.7.2
*Aug 19 00:17:09.931: RADIUS(0000005B): Send Access-Request to 192.168.7.2:1645 id 1645/93, len 104
*Aug 19 00:17:09.931: RADIUS: authenticator 64 FD 26 15 C1 2A A2 C2 - B1 82 4A C1 2B BE 02 99
*Aug 19 00:17:09.931: RADIUS: User-Name [1] 4 "as"
*Aug 19 00:17:09.931: RADIUS: User-Password [2] 18 *
*Aug 19 00:17:09.931: RADIUS: Calling-Station-Id [31] 13 "03012342151"
*Aug 19 00:17:09.931: RADIUS: Called-Station-Id [30] 13 "03012344002"
*Aug 19 00:17:09.931: RADIUS: Connect-Info [77] 12 "64000 HDLC"
*Aug 19 00:17:09.931: RADIUS: NAS-Port-Type [61] 6 ISDN [2]
*Aug 19 00:17:09.931: RADIUS: NAS-Port [5] 6 20029
*Aug 19 00:17:09.931: RADIUS: NAS-Port-Id [87] 6 "tty3"
*Aug 19 00:17:09.931: RADIUS: NAS-IP-Address [4] 6 192.168.7.6
*Aug 19 00:17:09.935: RADIUS: Received from id 1645/93 192.168.7.2:1645, Access-Accept, len 44
*Aug 19 00:17:09.935: RADIUS: authenticator 50 04 BF 13 D3 DE 32 39 - 55 1A ED 3F 5D C3 5C E0
*Aug 19 00:17:09.935: RADIUS: Service-Type [6] 6 Login [1]
*Aug 19 00:17:09.935: RADIUS: Login-Service [15] 6 Telnet [0]
*Aug 19 00:17:09.935: RADIUS: login-ip-addr-host [14] 6 192.168.7.2
*Aug 19 00:17:09.935: RADIUS: login-tcp-port [16] 6 23
*Aug 19 00:17:09.935: RADIUS(0000005B): Received from id 1645/93
*Aug 19 00:17:09.935: RADIUS: Constructed " telnet 192.168.7.2 23 "
*Aug 19 00:17:09.935: AAA SRV(0000005B): protocol reply PASS for Authentication
*Aug 19 00:17:09.935: AAA SRV(0000005B): Return Authentication status=PASS
</pre>

h4. exec-authorization

Last, but not least, now that @aaa authorization exec@ is enabled, we get the following debug output. Note that there is *no additional RADIUS query* at this point (not in the Cisco log, and not on the wire / tcpdump). It seems to just use the existing RADIUS attributes obtained during the previous authentication step.

<pre>
*Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): processing AV noescape=1
*Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): processing AV autocmd= telnet 192.168.7.2 23
*Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): processing AV service-type=1
*Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): Authorization successful
*Aug 19 00:18:09.967: AAA/ACCT/DS0: channel=29, ds1=0, t3=0, slot=6, ds0=100663325
*Aug 19 00:18:09.967: pm7366_up:slot=6 channel=29 freedm_chan=56 freedm_no=0 link_no=0 prov=1
*Aug 19 00:18:09.967: pm7366_down:slot=6 channel=29 freedm_chan=56 freedm_no=0 link_no=0 prov=1
*Aug 19 00:18:09.971: as_free_hdlc: Free slot 6, port 0, map 0x00000002 to hdlc chip 0 link 0, map 0x20000000
</pre>

After this point, the telnet connection is established, and the dialled-in user gets whatever Telnet-based service is listening on that host/port.

h3. Trying with pre-auth + exec-auth but no authentication

This would be the logical step, given that
* we want pre-auth to return the RADIUS attributes
* we don't want a login/password prompt (authentication stage)
* we need exec-auth to actually perform the automatic telnet command

Unfortunately, this fails:

h4. pre-auth with auth-required=0

<pre>
*Aug 19 00:18:34.675: AAA/BIND(0000005C): Bind i/f Serial6/0:30
*Aug 19 00:18:34.675: AAA/ACCT/DS0: channel=30, ds1=0, t3=0, slot=6, ds0=100663326
*Aug 19 00:18:34.675: AAA/ACCT/DS0: channel=30, ds1=0, t3=0, slot=6, ds0=100663326
*Aug 19 00:18:34.675: AAA/AUTHOR/PREAUTH/(0000005C): DNIS-based preauthentication
*Aug 19 00:18:34.675: AAA/AUTHOR/PREAUTH(0000005C): overriding port-type to PRI
*Aug 19 00:18:34.675: AAA/AUTHOR/PREAUTH(0000005C): overriding interface to Serial6/0:30
*Aug 19 00:18:34.675: AAA/AUTHOR (0x5C): Pick method list 'default'
*Aug 19 00:18:34.675: AAA/IPC(0000005C): Sending authen/author message to AAA server pid 74
*Aug 19 00:18:34.675: AAA SRV(0000005C): process author req
*Aug 19 00:18:34.675: AAA SRV(0000005C): Author method=SERVER_GROUP radius
*Aug 19 00:18:34.675: RADIUS/ENCODE(0000005C):Orig. component type = ISDN
*Aug 19 00:18:34.675: RADIUS(0000005C): Config NAS IP: 0.0.0.0
*Aug 19 00:18:34.675: RADIUS/ENCODE(0000005C): acct_session_id: 92
*Aug 19 00:18:34.675: RADIUS(0000005C): sending
*Aug 19 00:18:34.675: RADIUS/ENCODE: Best Local IP-Address 192.168.7.6 for Radius-Server 192.168.7.2
*Aug 19 00:18:34.675: RADIUS(0000005C): Send Access-Request to 192.168.7.2:1645 id 1645/94, len 159
*Aug 19 00:18:34.675: RADIUS: authenticator FA 27 9D B4 07 93 D4 71 - C9 B2 61 08 8B C2 BB D7
*Aug 19 00:18:34.675: RADIUS: User-Name [1] 13 "03012344001"
*Aug 19 00:18:34.675: RADIUS: User-Password [2] 18 *
*Aug 19 00:18:34.675: RADIUS: Vendor, Cisco [26] 32
*Aug 19 00:18:34.675: RADIUS: Cisco AVpair [1] 26 "resource-service=reserve"
*Aug 19 00:18:34.675: RADIUS: Service-Type [6] 6 Call Check [10]
*Aug 19 00:18:34.675: RADIUS: Calling-Station-Id [31] 13 "03012342151"
*Aug 19 00:18:34.675: RADIUS: Called-Station-Id [30] 13 "03012344001"
*Aug 19 00:18:34.675: RADIUS: Connect-Info [77] 12 "64000 HDLC"
*Aug 19 00:18:34.675: RADIUS: NAS-Port-Type [61] 6 ISDN [2]
*Aug 19 00:18:34.675: RADIUS: NAS-Port [5] 6 20030
*Aug 19 00:18:34.675: RADIUS: NAS-Port-Id [87] 14 "Serial6/0:30"
*Aug 19 00:18:34.675: RADIUS: NAS-IP-Address [4] 6 192.168.7.6
*Aug 19 00:18:34.679: RADIUS: Received from id 1645/94 192.168.7.2:1645, Access-Accept, len 105
*Aug 19 00:18:34.679: RADIUS: authenticator D3 2B 65 EF EB 8A B0 FC - 9F 00 62 58 90 55 87 D5
*Aug 19 00:18:34.679: RADIUS: Vendor, Cisco [26] 31
*Aug 19 00:18:34.679: RADIUS: Cisco AVpair [1] 25 "preauth:auth-required=0"
*Aug 19 00:18:34.679: RADIUS: Vendor, Cisco [26] 30
*Aug 19 00:18:34.679: RADIUS: Cisco AVpair [1] 24 "preauth:service-type=1"
*Aug 19 00:18:34.679: RADIUS: Service-Type [6] 6 Login [1]
*Aug 19 00:18:34.679: RADIUS: Login-Service [15] 6 Telnet [0]
*Aug 19 00:18:34.679: RADIUS: login-ip-addr-host [14] 6 192.168.7.2
*Aug 19 00:18:34.679: RADIUS: login-tcp-port [16] 6 9000
*Aug 19 00:18:34.679: RADIUS(0000005C): Received from id 1645/94
*Aug 19 00:18:34.679: RADIUS/DECODE: VSA service-type=1 maps to Login
*Aug 19 00:18:34.679: RADIUS: Constructed " telnet 192.168.7.2 9000 "
*Aug 19 00:18:34.679: AAA SRV(0000005C): protocol reply PASS for Authorization
*Aug 19 00:18:34.679: AAA SRV(0000005C): Return Authorization status=PASS
*Aug 19 00:18:34.679: AAA/AUTHOR/PREAUTH/(0000005C): Preauth:
*Aug 19 00:18:34.679: AAA/AUTHOR/PREAUTH/(0000005C): auth-required
*Aug 19 00:18:34.679: AAA/AUTHOR/PREAUTH/(0000005C): service-type
*Aug 19 00:18:34.679: AAA/AUTHOR/PREAUTH/(0000005C): service-type
*Aug 19 00:18:34.679: AAA/AUTHOR/PREAUTH/(0000005C): login-service
*Aug 19 00:18:34.679: AAA/AUTHOR/PREAUTH/(0000005C): default username 03012344001
*Aug 19 00:18:34.679: AAA/AUTHOR/PREAUTH/(0000005C): Done - PASSED
</pre>

This
* works as expected
* the Cisco confirms it has received the Telnet IP/port and constructed an autocmd from it
* no login prompt appears

However....

h4. exec-auth fails :(

<pre>
*Aug 19 00:18:34.679: as_alloc_hdlc: Allocated slot 6, port 0, map 0x00000001 to hdlc chip 0 link 0, map 0x20000000
*Aug 19 00:18:34.679: pm7366_down:slot=6 channel=30 freedm_chan=57 freedm_no=0 link_no=0 prov=0
*Aug 19 00:18:34.679: pm7366_up:slot=6 channel=30 freedm_chan=57 freedm_no=0 link_no=0 prov=0
*Aug 19 00:18:34.679: serial_autodetect_needed: TRUE
*Aug 19 00:18:34.679: Ser-Autodetect Se6/0:30: starting
*Aug 19 00:18:34.935: V120: Autodetect trying to detect V120 mode on Se6/0:30
*Aug 19 00:18:34.935: V120 sampled pkt: 3 bytes: 8 1 7F
*Aug 19 00:18:34.935: Ser-Autodetect Se6/0:30: Autodetected v120 encaps
*Aug 19 00:18:34.935: Serial6/0:30: copy pkt, tmp->flags 0x200, idb->encsize 4
*Aug 19 00:18:34.935: size 3
0x8 0x1 0x7F
*Aug 19 00:18:34.935: AAA/AUTHOR (0x5C): Pick method list 'default'
*Aug 19 00:18:34.935: AAA/AUTHOR/EXEC(0000005C): Authorization FAILED
*Aug 19 00:18:36.959: AAA/ACCT/DS0: channel=30, ds1=0, t3=0, slot=6, ds0=100663326
*Aug 19 00:18:36.959: pm7366_up:slot=6 channel=30 freedm_chan=57 freedm_no=0 link_no=0 prov=1
*Aug 19 00:18:36.959: pm7366_down:slot=6 channel=30 freedm_chan=57 freedm_no=0 link_no=0 prov=1
*Aug 19 00:18:36.959: as_free_hdlc: Free slot 6, port 0, map 0x00000001 to hdlc chip 0 link 0, map 0x20000000
*Aug 19 00:18:41.455: %CALLTRKR-6-CALL_RECORD: ct_hndl=68, service=Exec, origin=Answer, category=SyncData, DS0 slot/port/ds1/chan=6/0/0/30, called=03012344001, calling=03012342151, resource slot/port=(n/a)/(n/a), userid=(n/a), ip=0.0.0.0, account id=92, setup=08/19/2013 00:18:34, conn=0.03, phys=2.25, service=0.26, authen=0.00, init-rx/tx b-rate=64000/64000, rx/tx chars=12/39, charged units=0, time=2.26, disc subsys=Exec, disc code=0x19, disc text=Login failed, sig type=Auto
</pre>

So for some strange reason, exec-auth fails if there was no previous authentication. It doesn't use any of the RADIUS attributes or the autocmd that were signalled previously during pre-auth. The call record is consistent with that: @userid=(n/a)@ and @disc text=Login failed@, i.e. exec authorization runs for a session that has no authenticated user to authorize.

I would have hoped that it at least sends a RADIUS query at this point, but it doesn't, so we cannot hand it the RADIUS attributes for the Telnet IP/port there either.

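Working out which of the three outcomes a given call hit by reading raw @debug aaa@ / @debug radius@ output gets tedious quickly. The following added example (not part of the original page) groups the debug lines by AAA session id and reports, per session, which phases ran, what the pre-auth Accept carried, and whether exec authorization passed. @SAMPLE@ is a constructed excerpt condensed from the three sessions on this page (0000005A, 0000005B, 0000005C). Two correlation rules are assumptions that hold for these one-call-at-a-time captures but not for a busy access server: attribute lines (which carry no session id) are attached to the session that owns the RADIUS packet id last seen, and the @%CALLTRKR@ record is tied to its session via @acct_session_id@. A pre-auth Accept with @preauth:auth-required=0@ that is followed by neither an authentication nor an exec-authorization phase is reported as the vty-drop case described under "Cisco respects preauth:auth-required=0" above.

```python
import re
from collections import defaultdict

SESSION = re.compile(r"\((?P<sid>[0-9A-F]{8})\)")        # AAA unique id, e.g. (0000005B)
RADIUS_ID = re.compile(r"\bid (?P<rid>\d+/\d+)")         # RADIUS packet id, e.g. "id 1645/92"
ACCT_ID = re.compile(r"acct_session_id: (?P<acct>\d+)")   # ties the CALLTRKR record to a session
AVPAIR = re.compile(r'Cisco AVpair \[1\] \d+ "(?P<av>[^"]+)"')
LOGIN_ATTR = re.compile(r"RADIUS: (?P<name>login-ip-addr-host|login-tcp-port|Login-Service) \[\d+\] \d+ (?P<val>\S+)")
CONSTRUCTED = re.compile(r'RADIUS: Constructed " (?P<cmd>.*?) "')
CALL_RECORD = re.compile(r"CALL_RECORD: .*account id=(?P<acct>\d+).*disc text=(?P<disc>[^,]+)")
PHASES = (("AAA/AUTHOR/PREAUTH", "preauth"), ("AAA/AUTHEN/LOGIN", "authen"), ("AAA/AUTHOR/EXEC", "exec"))

def new_session():
    return {"phases": [], "avpairs": [], "login": {}, "autocmd": None, "exec": None, "disc": None}

def parse(lines):
    # Group debug lines by AAA session id. Attribute lines carry no id, so they go to the session
    # owning the packet id ("id 1645/NN") seen last. Assumption: calls do not interleave (true for
    # the captures on this page, not for a busy box).
    sessions, by_rid, by_acct, cur = defaultdict(new_session), {}, {}, None
    for line in lines:
        if m := SESSION.search(line):
            cur = m.group("sid")
            if r := RADIUS_ID.search(line):
                by_rid[r.group("rid")] = cur
            if a := ACCT_ID.search(line):
                by_acct[a.group("acct")] = cur
        elif "Received from id" in line and (r := RADIUS_ID.search(line)):
            cur = by_rid.get(r.group("rid"), cur)
        elif c := CALL_RECORD.search(line):
            if c.group("acct") in by_acct:
                sessions[by_acct[c.group("acct")]]["disc"] = c.group("disc").strip()
            continue
        if cur is None:
            continue
        s = sessions[cur]
        for tag, phase in PHASES:
            if tag in line and phase not in s["phases"]:
                s["phases"].append(phase)
        if "AUTHOR/EXEC" in line and "Authorization" in line:
            s["exec"] = "PASSED" if "successful" in line else "FAILED"
        if m := AVPAIR.search(line):
            s["avpairs"].append(m.group("av"))
        if m := LOGIN_ATTR.search(line):
            s["login"][m.group("name")] = m.group("val")
        if m := CONSTRUCTED.search(line):
            s["autocmd"] = m.group("cmd")
    return dict(sessions)

def triage(sessions):
    # One (verdict, detail) per session, named after the three outcomes observed on this page
    out = {}
    for sid, s in sessions.items():
        auth_req = next((a.split("=", 1)[1] for a in s["avpairs"] if a.startswith("preauth:auth-required=")), None)
        if s["exec"] == "PASSED" and s["autocmd"]:
            out[sid] = ("forwarded", f"exec-auth ran autocmd '{s['autocmd']}' after {' + '.join(s['phases'])}")
        elif s["exec"] == "FAILED":
            out[sid] = ("exec-auth-failed", f"exec-auth without prior authentication, disc text: {s['disc']}")
        elif auth_req == "0" and "authen" not in s["phases"]:
            out[sid] = ("unauthenticated-exec-prompt", "auth-required=0 and no exec-auth: caller lands on a vty without credentials")
        else:
            out[sid] = ("unknown", "")
    return out

# Constructed sample: the three sessions from this page, condensed to the lines that matter
SAMPLE = """\
*Aug 19 00:16:30.675: RADIUS(0000005A): Send Access-Request to 192.168.7.2:1645 id 1645/91, len 159
*Aug 19 00:16:30.675: RADIUS: Received from id 1645/91 192.168.7.2:1645, Access-Accept, len 105
*Aug 19 00:16:30.679: RADIUS: Cisco AVpair [1] 25 "preauth:auth-required=0"
*Aug 19 00:16:30.679: RADIUS: login-ip-addr-host [14] 6 192.168.7.2
*Aug 19 00:16:30.679: RADIUS: login-tcp-port [16] 6 9000
*Aug 19 00:16:30.679: RADIUS: Constructed " telnet 192.168.7.2 9000 "
*Aug 19 00:16:30.679: AAA/AUTHOR/PREAUTH/(0000005A): Done - PASSED
*Aug 19 00:17:01.675: RADIUS/ENCODE(0000005B): acct_session_id: 91
*Aug 19 00:17:01.675: RADIUS(0000005B): Send Access-Request to 192.168.7.2:1645 id 1645/92, len 159
*Aug 19 00:17:01.679: RADIUS: Received from id 1645/92 192.168.7.2:1645, Access-Accept, len 153
*Aug 19 00:17:01.679: RADIUS: Cisco AVpair [1] 25 "preauth:auth-required=1"
*Aug 19 00:17:01.679: RADIUS: Cisco AVpair [1] 33 "autocmd=telnet 192.168.7.2 9000"
*Aug 19 00:17:01.679: AAA/AUTHOR/PREAUTH/(0000005B): Done - PASSED
*Aug 19 00:17:01.995: AAA/AUTHEN/LOGIN (0000005B): Pick method list 'default'
*Aug 19 00:17:09.931: RADIUS(0000005B): Send Access-Request to 192.168.7.2:1645 id 1645/93, len 104
*Aug 19 00:17:09.935: RADIUS: Received from id 1645/93 192.168.7.2:1645, Access-Accept, len 44
*Aug 19 00:17:09.935: RADIUS: login-tcp-port [16] 6 23
*Aug 19 00:17:09.935: RADIUS: Constructed " telnet 192.168.7.2 23 "
*Aug 19 00:17:09.935: AAA/AUTHOR/EXEC(0000005B): Authorization successful
*Aug 19 00:18:34.675: RADIUS/ENCODE(0000005C): acct_session_id: 92
*Aug 19 00:18:34.675: RADIUS(0000005C): Send Access-Request to 192.168.7.2:1645 id 1645/94, len 159
*Aug 19 00:18:34.679: RADIUS: Received from id 1645/94 192.168.7.2:1645, Access-Accept, len 105
*Aug 19 00:18:34.679: RADIUS: Cisco AVpair [1] 25 "preauth:auth-required=0"
*Aug 19 00:18:34.679: RADIUS: login-ip-addr-host [14] 6 192.168.7.2
*Aug 19 00:18:34.679: AAA/AUTHOR/PREAUTH/(0000005C): Done - PASSED
*Aug 19 00:18:34.935: AAA/AUTHOR/EXEC(0000005C): Authorization FAILED
*Aug 19 00:18:41.455: %CALLTRKR-6-CALL_RECORD: ct_hndl=68, service=Exec, called=03012344001, calling=03012342151, userid=(n/a), account id=92, disc code=0x19, disc text=Login failed, sig type=Auto
"""

def report(text=SAMPLE):
    return triage(parse(text.splitlines()))
```

Run against a full capture (@report(open("debug.log").read())@) this gives one line per call instead of several hundred lines of debug, and the "unauthenticated-exec-prompt" verdict is the one worth alerting on if a box ever ends up in the @auth-required=0@ configuration without exec authorization.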
h3. Further attempts

I tried, among others, the following approaches:
* do it without RADIUS, i.e. fully locally as described in "this mailing list post":https://www.opennet.ru/base/cisco/digitip.txt.html
** works, but defeats the purpose of describing the DNIS -> telnet mappings in RADIUS
** the key aspect seems to be the ability to specify users with the @nopassword@ attribute. That feature doesn't seem to exist in the context of RADIUS?
* pre-auth + exec-auth via RADIUS, but local authentication
** then the RADIUS attributes for host/port are not present, unless the local user has an @autocommand@ configured :(