Re: RAS Server allowing multiple clients in and telnet redirecti

Cisco_Kid-jesgenes · ‎01-24-2010

Product being used:

IOS (tm) 3700 Software (C3725-ADVIPSERVICESK9-M), Version 12.3(26), RELEASE SOFTWARE (fc2)

cisco 3725 (R7000) processor (revision 0.1) with 118784K/12288K bytes of memory.

R7000 CPU at 240MHz, Implementation 39, Rev 3.3, 256KB L2 Cache

MICA-6DM Firmware: CP ver 2940 - 7/24/2002, SP ver 2940 - 7/24/2002.

Bridging software.

X.25 software, Version 3.0.0.

Primary Rate ISDN software, Version 1.1.

2 FastEthernet/IEEE 802.3 interface(s)

24 Serial network interface(s)

24 terminal line(s)

1 Channelized T1/PRI port(s)

In combination with a server running:

tac_plus version F4.0.3.alpha.v9 (Extended Tac_plus)

• The goal is create a RAS Server to allow multiple clients to call in and separate them via DNIS.

Then specify an auto-command to send the traffic to the correct receiver of that call.

We are not stuck on doing this with tacacs if there is a more efficient way of doing this.

The thought was to only send the authorization to tacacs to allow for the dnis map to point the traffic to the correct receiver.

aaa authentication login DIALIN none

aaa authorization exec DIALIN none

• If we set aaa authentication login DIALIN none it works without any issues but does not go to the tacacs server and therefore does not allow us to use the dnis map commands.

aaa authentication login DIALIN group AAA-mydial

aaa authorization exec DIALIN none

• If we set aaa authentication login DIALIN group AAA-mydial using the aaa group server tacacs+ AAA-mydial it goes out to the tacacs server as expected but then it requires a login ID at least in order to get into a session.

aaa authentication login DIALIN none

aaa authorization exec DIALIN group AAA-mydial

• When we change the aaa authorization exec DIALIN group AAA-mydial it fails and does not even send the information out to the tacacs server.

aaa authentication login DIALIN “see above for options “

aaa authorization exec DIALIN “see above for options”

!

aaa new-model

!

aaa group server tacacs+ AAA-2035554677

server 172.16.0.109

!

aaa group server tacacs+ AAA-2035554570

server 172.16.0.109

!

aaa group server tacacs+ AAA-2035554571

server 172.16.0.109

!

aaa group server tacacs+ AAA-mydial

server 172.16.0.109

!

aaa authentication login DIALIN none

aaa accounting exec default start-stop group AAA-2035554570

aaa dnis map enable

aaa dnis map 2035554677 authorization network group AAA-2035554677

aaa dnis map 2035554677 accounting network start-stop group AAA-2035554677

aaa dnis map 2035554570 authentication login group AAA-2035554570

aaa dnis map 2035554570 authorization network group AAA-2035554570

aaa dnis map 2035554570 accounting network start-stop group AAA-203554570

aaa dnis map 2035554571 authorization network group AAA-2035554571

aaa dnis map 2035554571 accounting network start-stop group AAA-2035554571

aaa session-id common

ip subnet-zero

ip cef

!

line con 0

line 65 88

no motd-banner

no exec-banner

privilege level 15

no vacant-message

login authentication DIALIN

modem Dialin

transport preferred none

transport output telnet

escape-character NONE

telnet transparent

line aux 0

line vty 0

exec-timeout 0 0

password cisco

line vty 1

exec-timeout 0 0

transport preferred telnet

transport input all

Cisco_Kid-jesgenes · ‎02-12-2010

NOTHING LIKE ANSWERING YOUR OWN POST:::

--Well after looking around I found the following on a forum which seems to have gotten us to our destination but uses local authentication to direct the DNIS numbers to the correct receiving system. Just need to give things a final polishing to make the configuration as clean as possible.

!

hostname Router

!

boot-start-marker

boot-end-marker

!

logging buffered 65536 debugging

enable password cisco

!

clock timezone EDT -5

clock summer-time EDT recurring

aaa new-model

!

aaa user profile TEST

!

aaa group server tacacs+ AAA-mydial

server 172.16.0.109

!

!!!!! Below defines the AAA-mydial group you are sending the accounting information to.

!

aaa group server radius AAA-myradius

server 172.16.0.109 auth-port 1645 acct-port 1646

!

!!!!! Below you are using the DNISTEST local group for authentication and authorization.

!

aaa authentication banner ^C^C

aaa authentication login DNISTEST local

aaa authorization exec DNISTEST local

aaa accounting update newinfo

aaa accounting connection DNISTEST start-stop group tacacs+ group AAA-mydial

aaa session-id common

ip subnet-zero

ip cef

!

ip audit po max-events 100

!

isdn switch-type primary-ni

isdn voice-call-failure 0

isdn logging

!

!!!!! Below you are directing which DNIS number goes to which receiving host.

!

username cisco-kid password 0 cisco

username DNIS##1212 nopassword dnis

username DNIS##1212 autocommand telnet 172.16.0.5 22 /stream /quiet

username DNIS##4677 nopassword dnis

username DNIS##4677 autocommand telnet 172.16.0.6 22 /stream /quiet

username DNIS##4570 nopassword dnis

username DNIS##4570 autocommand telnet 172.16.0.7 22 /stream /quiet

!

controller T1 1/0

framing esf

linecode b8zs

pri-group timeslots 1-24

!

interface FastEthernet0/0

ip address 172.16.0.35 255.255.255.0

speed auto

full-duplex

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface Serial1/0:23

no ip address

encapsulation hdlc

isdn switch-type primary-ni

isdn incoming-voice modem

no cdp enable

!

interface Group-Async0

no ip address

encapsulation slip

dialer in-band

dialer-group 1

async mode interactive

group-range 65 88

!

interface Dialer0

no ip address

dialer in-band

dialer idle-timeout 3600

dialer-group 1

!

ip classless

ip route 0.0.0.0 0.0.0.0 172.16.0.254

!

no ip http server

no ip http secure-server

ip tacacs source-interface FastEthernet0/0

!

dialer-list 1 protocol ip permit

!

!!!!! Below you are further defining the tacacs server and the encryption key to be used.

!

tacacs-server host 172.16.0.109 key cisco

no tacacs-server directed-request

radius-server host 172.16.0.109 auth-port 1645 acct-port 1646 key ras-secret123

!

line con 0

!

!!!!! Below you are directing all calls to go to DNISTEST for authentication, authorization, & accounting.

!!!!! Then we are stripping all prompting so that the connection is completely clean.

!!!!! The only issue was that the aaa banner was still there which is why there is a

!!!!! “aaa authentication banner ^C^C” above in the aaa section.

!

line 65 88

no motd-banner

no exec-banner

privilege level 15

authorization exec DNISTEST

accounting connection DNISTEST

no vacant-message

login authentication DNISTEST

modem Dialin

transport preferred none

transport output telnet

escape-character NONE

telnet transparent

line aux 0

line vty 0 4

exec-timeout 0 0

password cisco

transport preferred telnet

transport input all

transport output all

escape-character NONE

telnet transparent

!

end

tacacs+ config just needs to have an accounting log file defined and all output will be logged there:

Here is my tac_plus.cfg file:

===========================================================

key = "cisco"

accounting file = /var/log/tac_plus-f404.log

----------------------- the info below this line is irrelevant ---------------------------

--- Just from me trying to use tacacs for the authentication & authroization----

user = default {

login = nopassword

service = exec {

autocmd = "telnet 172.16.0.5 22 /stream /quiet"

}

user = Router {

login = nopassword

member = dialup

}

group = dialup {

default service = permit

expires = "Apr 1 2010"

service = exec {

idletime = 15

autocmd = "telnet 172.16.0.5 22 /stream /quiet"

}

cmd = disconnect {

permit .*

}

user = test {

name = "Dial"

login = nopassword

member = dialup

}

RAS Server allowing multiple clients in and telnet redirection to correct reciever.