Per-user ISDN CLID screening with dialer profiles

bergonz
Level 1

I am using Dialer profiles with locally defined usernames, on a 3620 with IOS 12.1(11), fast ethernet, 2 E1, 30 MICA modems.

I want to have some users to be allowed to call only from specific ISDN numbers, and some other users to be allowed access from any number (let's disregard the complication of digital modems, I am now concentrating only on digital ISDN calls).

What seemed natural to me was to place no restrictions on the ISDN interface, and to place "dialer caller" commands on the Dialer interface corresponding to the user. This is an excerpt of what I did:

hostname as3620
username netcenter password 7 XXXXXXXXXXXXXX
username bergonz password 7 xxxxxxxxxxxxxxx
isdn switch-type primary-net5
controller E1 1/0
 pri-group timeslots 1-16
interface Serial1/0:15
 no ip address
 encapsulation ppp
 dialer pool-member 1 priority 255
 isdn switch-type primary-net5
 isdn incoming-voice modem
 no cdp enable
 ppp authentication chap
 ppp chap hostname mainsite
interface Dialer1
 ip unnumbered FastEthernet1/0
 encapsulation ppp
 dialer pool 1
 dialer remote-name bergonz
 dialer-group 1
 peer default ip address 172.23.1.151
 no cdp enable
 ppp authentication chap
interface Dialer50
 ip unnumbered FastEthernet1/0
 encapsulation ppp
 dialer pool 1
 dialer remote-name netcenter
 dialer caller 516781234
 dialer-group 1
 no cdp enable
 ppp authentication chap
 ppp chap password 7 XXXXXXXXXXXXXXXX

But it doesn't work: user netcenter can call in from any number, and the call is bound to Dialer50. I checked with "debug isdn ev" to see that the CLID is received correctly from the ISDN network, and it is.

If I put "isdn caller" in se1/0:15 calls are screened as expected, but obviously for all the users. It appears to me that using "isdn caller" in the dialer profile configuration or "dialer caller" in the se1/0:15 can be done only with legacy DDR, since when I try that I receive error messages suggesting that I remove dialer profiles.

I've read all the docs I could find, and I hope someone can suggest something about what I am missing here. If what I try to accomplish cannot be done, I hope someone can explain to me what is the meaning of the "dialer caller" command in the Dialer Interface configuration, since it appears to me to be completely ignored.

Thanks in advance,

Bergonz

3 Replies

jduffek
Level 1

Sounds like a bug. What version of IOS are you running? Can you post the debug isdn q931, and debug dialer for a call that is from a number not configured as a "dialer caller"?

Josh

It happens with different routers, but I've collected some data with a 3620 with this sh ver:

Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3620-I-M), Version 12.1(11), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Tue 02-Oct-01 21:40 by kellythw
Image text-base: 0x60008940, data-base: 0x608CE000

ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

as3620 uptime is 3 days, 16 hours, 53 minutes
System returned to ROM by reload at 20:10:17 MET Mon Jan 14 2002
System restarted at 20:10:57 MET Mon Jan 14 2002
System image file is "flash:c3620-i-mz.121-11.bin"

cisco 3620 (R4700) processor (revision 0x81) with 26624K/6144K bytes of memory.
Processor board ID 05110004
R4700 CPU at 80Mhz, Implementation 33, Rev 1.0
MICA-6DM Firmware: CP ver 2730 - 5/23/2001, SP ver 2730 - 5/23/2001.
Channelized E1, Version 1.0.
Bridging software.
X.25 software, Version 3.0.0.
Primary Rate ISDN software, Version 1.1.
1 FastEthernet/IEEE 802.3 interface(s)
16 Serial network interface(s)
30 terminal line(s)
2 Channelized E1/PRI port(s)
DRAM configuration is 32 bits wide with parity disabled.
29K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

I repost the configuration, still abridged (i.e. with password, tel numbers and many names removed):

Using 10161 out of 30712 bytes
!
! Last configuration change at 17:10:45 MET Mon Dec 17 2001
! NVRAM config last updated at 17:10:46 MET Mon Dec 17 2001
!
version 12.1
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname as3620
!
logging buffered 4096 informational
enable secret 5 XXXXXXXXXXXXXXX
enable password 7 XXXXXXXXXXXXXXXXX
!
username netcenter password 7 XXXXXXXXXXXXXXXX
username bergonz password 7 XXXXXXXXXXX
! (more username deleted)
!
!
!
!
clock timezone MET 1
clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00
modem call-record terse
modem buffer-size 500
modem country mica italy
ip subnet-zero
ip domain-name internal.XXXXXXXXXXXX.it
ip name-server 172.23.1.121
ip name-server 172.23.1.16
!
ip address-pool local
isdn switch-type primary-net5
chat-script mica ABORT ERROR ABORT BUSY "" "ATZ" OK "ATDT \T" TIMEOUT 30 CONNECT \c
!
controller E1 1/0
 pri-group timeslots 1-16
!
controller E1 1/1
!
!
!
interface FastEthernet1/0
 ip address 172.23.1.8 255.255.255.0
 ip nat outside
 no ip mroute-cache
 speed auto
 half-duplex
 no cdp enable
!
interface Serial1/0:15
 no ip address
 encapsulation ppp
 dialer pool-member 1 priority 255
 isdn switch-type primary-net5
 isdn incoming-voice modem
 no cdp enable
 ppp authentication chap
 ppp chap hostname company
!
interface Group-Async1
 ip unnumbered FastEthernet1/0
 encapsulation ppp
 dialer in-band
 dialer pool-member 1
 dialer pool-member 2
 async mode dedicated
 no cdp enable
 ppp callback accept
 ppp authentication chap
 ppp chap hostname company
 ppp ipcp accept-address
 group-range 1 30
!
interface Dialer1
 description Michele Bergonzoni, 0516781926, bergonz@labs.it
 ip unnumbered FastEthernet1/0
 encapsulation ppp
 dialer pool 2
 dialer remote-name bergonz
 dialer idle-timeout 600 either
 dialer enable-timeout 8
 dialer-group 1
 no peer default ip address
 no cdp enable
 ppp callback accept
 ppp authentication chap
 ppp ipcp dns 172.23.1.121
 ppp ipcp wins 172.23.1.121
!
interface Dialer50
 description Laboratori Fondazione G. Marconi - 0516781911 - bergonz@labs.it
 ip unnumbered FastEthernet1/0
 ip nat inside
 encapsulation ppp
 dialer pool 1
 dialer remote-name netcenter
 dialer string 051678NNNN
 dialer caller 516781234
 dialer-group 1
 no cdp enable
 ppp authentication chap
 ppp chap password 7 XXXXXXXXXXXXXXX
!
! (more dialers deleted)
!(nat, routing, acls deleted)
dialer-list 1 protocol ip permit
no cdp run
!
snmp-server engineID local XXXXXXXXXXXXXXXXXXXXXXXX
snmp-server community public RO
!
line con 0
line 1 30
 script callback mica
 login local
 modem InOut
 transport input telnet
line aux 0
line vty 0 4
 password 7 XXXXXXXXXXXXXX
 login
!
ntp clock-period 17179647
ntp server 172.23.1.16
end

The user netcenter really has number 051678NNNN, while as you can see I've inserted dialer caller 516781234, which is just a fake. I remove the zero because in the Italian telephone system the CLID has no zero, while the number you use to place the call must begin with zero.

This is the "debug isdn q931" and "debug dialer" output when doing a call as user netcenter from number 51678NNNN, which should not work but does. I've also obfuscated the called number with x's:

Jan 18 12:07:06: ISDN Se1/0:15: RX <- SETUP pd = 8 callref = 0x005B
Jan 18 12:07:06:     Sending Complete
Jan 18 12:07:06:     Bearer Capability i = 0x8890
Jan 18 12:07:06:     Channel ID i = 0xA9838D
Jan 18 12:07:06:     Calling Party Number i = 0x2183, '51678NNNN', Plan:ISDN, Type:National
Jan 18 12:07:06:     Called Party Number i = 0xA1, '51xxxxxxx', Plan:ISDN, Type:National
Jan 18 12:07:06: ISDN Se1/0:15: TX -> CALL_PROC pd = 8 callref = 0x805B
Jan 18 12:07:06:     Channel ID i = 0xA9838D
Jan 18 12:07:06: %LINK-3-UPDOWN: Interface Serial1/0:12, changed state to up
Jan 18 12:07:06: ISDN Se1/0:15: TX -> CONNECT pd = 8 callref = 0x805B
Jan 18 12:07:06:     Channel ID i = 0xA9838D
Jan 18 12:07:06: ISDN Se1/0:15: RX <- CONNECT_ACK pd = 8 callref = 0x005B
Jan 18 12:07:06: ISDN Se1/0:15: CALL_PROGRESS: CALL_CONNECTED call id 0x50, bchan 12, dsl 0
Jan 18 12:07:09: Se1/0:12: interface must be fifo queue, force fifo
Jan 18 12:07:09: %DIALER-6-BIND: Interface Se1/0:12 bound to profile Di50
Jan 18 12:07:09: Se1/0:12 DDR: dialer protocol up
Jan 18 12:07:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0:12, changed state to up
Jan 18 12:07:12: %ISDN-6-CONNECT: Interface Serial1/0:12 is now connected to 51678NNNN netcenter

Hope this helps. Please don't hesitate to ask more details and debugs if needed.

Regards,

Bergonz
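
The mismatch visible in this debug output (a call bound to Di50 from a number that is not the profile's "dialer caller") can be caught after the fact by correlating the %DIALER-6-BIND and %ISDN-6-CONNECT syslog messages with the configuration. The following Python is an added example, not code from the thread; the config excerpt and log lines are constructed (the calling numbers are made up), and exact-length matching with `x` as a one-digit wildcard is this example's assumption, not a statement of how IOS compares numbers.

```python
import re

# Constructed inputs modelled on the thread; the calling numbers are made up.
CONFIG = """\
interface Dialer1
interface Dialer50
 dialer caller 516781234
"""
LOG = """\
Jan 18 12:07:09: %DIALER-6-BIND: Interface Se1/0:12 bound to profile Di50
Jan 18 12:07:12: %ISDN-6-CONNECT: Interface Serial1/0:12 is now connected to 516785555 netcenter
Jan 18 12:09:30: %DIALER-6-BIND: Interface Se1/0:13 bound to profile Di1
Jan 18 12:09:33: %ISDN-6-CONNECT: Interface Serial1/0:13 is now connected to 516780000 bergonz
"""
BIND = re.compile(r"%DIALER-6-BIND: Interface (\S+) bound to profile (\S+)")
CONN = re.compile(r"%ISDN-6-CONNECT: Interface (\S+) is now connected to (\S+)(?: (\S+))?")

def short_if(name):
    """Normalise 'Serial1/0:12' / 'Dialer50' to the short forms 'Se1/0:12' / 'Di50'."""
    return re.sub(r"^[A-Za-z]+", lambda m: m.group(0)[:2].capitalize(), name)

def allowed_callers(config):
    """Map short profile name -> 'dialer caller' patterns; absent profile = unrestricted."""
    profiles, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = short_if(m.group(1)) if m.group(1).startswith("Dialer") else None
        elif current and (m := re.match(r"\s+dialer caller (\S+)", line)):
            profiles.setdefault(current, []).append(m.group(1).lower())
    return profiles

def matches(pattern, number):
    """Exact-length compare; 'x' is a one-digit wildcard (assumption of this example)."""
    return len(pattern) == len(number) and all(p in ("x", d) for p, d in zip(pattern, number))

def screening_violations(config, log):
    """Return (profile, user, clid) for calls bound to a profile whose caller list excludes the CLID."""
    allowed, bound, hits = allowed_callers(config), {}, []
    for line in log.splitlines():
        if m := BIND.search(line):
            bound[short_if(m.group(1))] = short_if(m.group(2))
        elif m := CONN.search(line):
            profile = bound.get(short_if(m.group(1)))
            if allowed.get(profile) and not any(matches(p, m.group(2)) for p in allowed[profile]):
                hits.append((profile, m.group(3), m.group(2)))
    return hits

if __name__ == "__main__":
    print(screening_violations(CONFIG, LOG))
```

Run against real data, a non-empty result means a caller reached a restricted profile from a number outside its list, which is the behaviour reported in this thread.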

Hello,

I have noticed the same bad behavior in a 7507 with 12.0(8), a 2500 with 12.0(9) and a 2500 with 11.3(11b)T1. It seems that the command "dialer caller" does not have any effect in the router when we are using dialer profiles joined to the BRI interfaces with pool-members. However, the command "dialer caller callback" works fine in the same scenario.

I have tested the following configuration, without pool-members commands, in a 1603 with 11.2(3):

interface BRI0
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 dialer rotary-group 1
 no fair-queue
!
interface Dialer1
 description Acceso remoto de usuarios a CEFASA
 ip unnumbered Ethernet0
 no ip directed-broadcast
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 1800
 dialer map ip 192.168.100.13 name HP 91111111
 dialer caller 91111111
 dialer-group 1
 peer default ip address pool LOCAL_POOL
 no fair-queue
 ppp authentication chap pap
 ppp chap hostname CEFASA
!
ip local pool LOCAL_POOL 192.168.100.11 192.168.100.12

and the command "dialer caller 91111111" works as we would expect. Only calls from this telephone number are accepted.

Summarizing, I think that the command "dialer caller" does not have any effect when we are using DDR with pool-members. I don't know if we don't know how to use it or if it is badly implemented. I also need to know the answer to this problem.

Best regards,

Vicente
