Re: (PM) Call-Check

Thomas C. Kinnen (tkinnen@livingston.com)
Fri, 12 Mar 1999 20:47:12 -0800

[Moving over to the RADIUS lists]

alex@nac.net wrote:

> Does anyone have some examples of this?

Too Many (I'm seeing L2TP tunnels in my sleep) <G>

> As an aside, but related, is a link:
>
> http://www.livingston.com/tech/docs/release/rabm110.html#how
>
> which says, "For the method based on Called-Station-Id, see the technote
> "pattern.matching.for.callcheck.txt" in the http/docs directory."
> I can't seem to find this document anywhere; pointers?

That's part of the RADIUS ABM install. It's an application note on the
various ways to use call check with RADIUS ABM.

A few things to keep in mind about call-check. The most important is what to
send back to the server on an access-request:

http://www.livingston.com/tech/docs/release/release38.html#how

1) a RADIUS access-accept with attributes, to accept the call and provide
the indicated service (such as connecting the user via a netdata connection
to a given host and TCP port)

2) a RADIUS access-accept with no attributes to accept the call and perform
the usual RADIUS authentication

3) a RADIUS access-reject to reject the call.

The most common mistake I've seen is to return something in the
access-accept, and the user gets on without authentication (Case #1).

Next is that the order of the entries is very important.

For example, if the number they are calling is 123-555-1111 for the telnet
service and 123-555-1112 for the normal users that require additional
authentication, and the login host is 192.168.1.1, you would want something
like this:

DEFAULT1 Service-Type = Call-Check, Called-Station-Id = "1235551111"
        Service-Type = Login-User,
        Login-Service = Telnet,
        Login-IP-Host = 192.168.1.1

DEFAULT2 Service-Type = Call-Check, Called-Station-Id = "5551111"
        Service-Type = Login-User,
        Login-Service = Telnet,
        Login-IP-Host = 192.168.1.1

DEFAULT3 Service-Type = Call-Check, Called-Station-Id = "1235551112"

DEFAULT4 Service-Type = Call-Check, Called-Station-Id = "5551112"

DEFAULT5 Service-Type = Call-Check, Auth-Type = Reject

And then the rest of your entries. What this does is as follows:

DEFAULT1 matches any call-check request (Service-Type=Call-Check) that was
dialed to the full 10 digit phone number for the automatic telnet
sessions. The Access-Accept will contain session configuration information
so that session will be set up automatically (See rule #1).

DEFAULT2 is the same as DEFAULT1 with the exception that it matches the 7
digit phone number. You also may need to add additional entries if the PRI
is part of a Centrex group that allows 3 or 4 digit dial.

DEFAULT3 will match any call-check requests that were dialed to your standard
access number. In this case no attributes are returned, so the user is
authenticated normally after the call is answered (See rule #2).

DEFAULT4 is the same as DEFAULT3 with the exception that it matches the 7
digit phone number. You also may need to add additional entries if the PRI
is part of a Centrex group that allows 3 or 4 digit dial.

DEFAULT5 catches any call-check requests that miss the others and sends an
access-reject, as we do not know what number they called, so we do not answer
it (See rule #3).

You may want to make DEFAULT5 just return an access accept and try to auth
normally depending on your setup. I would place these at the top of your
user file for speed as every call to the PM will use them. They will not
interfere with normal RADIUS authentication as only call-check requests will
match the check item of Service-Type=Call-Check. Any other requests will
fall through to the rest of your users file.

Hope this helps.

-- 
Thomas C Kinnen - <tkinnen@ra.lucent.com> <tkinnen@sobhrach.com>
[RADIUS Test Engineer] - LUCENT Technologies RABU
"All of the opinions stated above are my own and not my employer's,
unless they were given to me by my employer"
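
The following is an added example, not part of the original message and not Livingston's code: a simplified Python model of the first-match lookup over the five entries above, with an audit that lists the call-check entries that grant service without authentication. The entry layout, function names and outcome labels are assumptions made for illustration.

```python
# Simplified model of first-match users-file lookup for Call-Check requests.
# Entry layout and matching rules are assumptions for illustration only.

TELNET = {"Service-Type": "Login-User", "Login-Service": "Telnet",
          "Login-IP-Host": "192.168.1.1"}

def entry(name, called=None, reply=None, reject=False):
    """Build one entry: check items, reply items, and the Auth-Type=Reject flag."""
    check = {"Service-Type": "Call-Check"}
    if called:
        check["Called-Station-Id"] = called
    return {"name": name, "check": check, "reply": reply or {}, "reject": reject}

# Constructed from the entries in the message, in the same order.
ENTRIES = [
    entry("DEFAULT1", "1235551111", TELNET),
    entry("DEFAULT2", "5551111", TELNET),
    entry("DEFAULT3", "1235551112"),
    entry("DEFAULT4", "5551112"),
    entry("DEFAULT5", reject=True),
]

def decide(request, entries=ENTRIES):
    """Return (entry name, outcome) for the first entry whose check items all match."""
    for e in entries:
        if all(request.get(k) == v for k, v in e["check"].items()):
            if e["reject"]:
                return e["name"], "reject"                    # case 3
            if e["reply"]:
                return e["name"], "accept-no-authentication"  # case 1
            return e["name"], "accept-then-authenticate"      # case 2
    return None, "fall-through"  # not call-check: rest of the users file applies

def audit(entries=ENTRIES):
    """Names of call-check entries whose accept carries reply attributes."""
    return [e["name"] for e in entries if e["reply"] and not e["reject"]]

def call(number):
    """Constructed call-check request for a dialed number."""
    return {"Service-Type": "Call-Check", "Called-Station-Id": number}

if __name__ == "__main__":
    for n in ("1235551111", "5551112", "1235559999"):
        print(n, decide(call(n)))
    print("entries that skip authentication:", audit())
```

Every name returned by `audit()` should be an intentional unauthenticated service; anything else on that list is the Case #1 mistake described above.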