Mailing List Archive

Autocommand PAD over ISDN
Hello,

I have a problem with the migration of an "old" Point of Sales application.
Before, the async terminal with the Zmodem application was connected to a USR
Robotics chassis in analogue (V32bis) and ISDN (the application terminal
is the same: depending on the client we fit an analogue modem or an ISDN
modem) and the USR modems were connected to a Telematics PAD. Then the call
is made in X.25 to the application server.

I have an AS5400HPX, configured with "resource-pool".
I have succeeded in configuring it for the analog modem (spe modem + autocommand
pad) but not for the ISDN modem.
I have tried with vty-async (LAPB-TA) and a resource-pool group but it
doesn't work.
Does someone have an idea?

Thanks a lot.

Best Regards...

Bordin Patrick
Cetrel S.A.
www.cetrel.lu

The config :


resource-pool enable
!
resource-pool group resource Krone
range port 1/44
!
resource-pool group resource Krone-isdn
range port 1/58
!
resource-pool profile customer Krone
limit base-size all
limit overflow-size 0
resource Krone speech
dnis group Krone
!
resource-pool profile customer Krone-isdn
limit base-size all
limit overflow-size 0
resource Krone-isdn digital
dnis group Krone-isdn
!
aaa new-model
!
!
aaa group server tacacs+ XXXXXXXX
aaa


calltracker enable
calltracker history max-size 360
calltracker call-record terse quiet
spe country germany
!
spe call-record modem
!
spe default-firmware spe-firmware-1
no ip source-route
!
!
x29 profile krone 1:0 2:0 3:2 4:6 5:0 6:0 7:0 8:0 9:0 12:0 13:0 14:0 15:0 16:0 17:0 18:0

vty-async
vty-async virtual-template 1

isdn switch-type primary-net5
!
x25 routing acknowledge local

modemcap entry krone:MSC=&F&D2E0s0=0s2=43s3=13s4=10s5=8s15=1s21=0s22=0s23=1s24=1s53=0s29=1s64=0

controller E1 7/3
pri-group timeslots 1-31
description ISDN PRI
!
ip tcp synwait-time 5
ip telnet source-interface Loopback0
ip tftp source-interface Loopback0
ip ssh version 2
ip scp server enable
!
!
!
!
interface Loopback0
description Loopback Interface for management
ip address xxxxxxxxxxxxx 255.255.255.255
!
interface FastEthernet0/0
description DMZ
ip address ccccccccccccccc 255.255.255.0
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface Serial7/3:15
description ISDN PRI
no ip address
encapsulation ppp
dialer rotary-group 1
dialer-group 1
autodetect encapsulation v120 lapb-ta
no snmp trap link-status
isdn switch-type primary-net5
isdn overlap-receiving T302 1500
isdn incoming-voice modem
no cdp enable
!
interface Virtual-Template1
ip unnumbered Loopback0
no peer default ip address
ppp authentication chap
!
interface Group-Async0
no ip address
encapsulation slip
async mode interactive
group-range 1/00 1/70

dialer dnis group Krone
number yyyyyyyy
call-type cas speech
!
dialer dnis group Krone-isdn
number zzzzzzzz
call-type cas digital
!
dialer-list 1 protocol ip permit

x25 route ^990101803.* hunt-group FEP xot-keepalive-period 5 xot-keepalive-tries 3
!
privilege exec level 0 pad
privilege exec level 0 telnet
privilege exec level 1 enable

line vty 0 4
access-class 1 in
logging synchronous level all
login authentication TAC-CET
transport preferred none
transport input ssh
transport output pad telnet
escape-character 3
line vty 5 7
autocommand pad 990101803 /cud ABRK /profile krone /quiet
transport input v120 lapb-ta
transport output pad

line 1/44
session-timeout 1
no flush-at-activation
authorization exec EMPTY
login authentication EMPTY
no modem callout
modem Dialin
modem autoconfigure type krone
autocommand pad 990101803 /cud ABRK /profile krone /quiet
transport preferred pad
transport input all
transport output pad
escape-character NONE

line 1/58
session-timeout 1
location libre
no flush-at-activation
authorization exec EMPTY
login authentication EMPTY
no modem callout
modem Dialin
modem autoconfigure type V120
autocommand pad 990101803 /cud ABRK /profile krone /quiet
transport preferred none
transport input v120 lapb-ta
transport output all
escape-character NONE
end

=======================================================================
This electronic message is not binding on its sender nor on Cetrel S.A.
Any use of information of this mail except the use by the addressee
within his or her business relation with Cetrel is strictly forbidden
CETREL S.A. L-2956 Luxembourg; Tel: 00352 35566-1; http://www.cetrel.lu
=======================================================================
Re: Autocommand PAD over ISDN [ In reply to ]
Bordin,

Here's a way that I like to do this sort of thing ... i.e. the case
where you have incoming modem calls, and based upon the called number,
you want to invoke different applications. Assuming that those
applications can be invoked via an exec command, then there is no need
for RPM - just do this:


aaa new-model
aaa authentication login default local radius
aaa authentication ppp default radius local
aaa authorization exec default local radius
username 5554446164 nopassword dnis
username 5554446164 autocommand pad 990101803 /cud ABRK /profile krone /quiet
username 5554446163 nopassword dnis
username 5554446163 autocommand telnet 10.1.2.3

etc.

Now, while troubleshooting this, don't use autocommand. Instead, from
the exec prompt, manually enter the "pad" (or whatever) command.
Meanwhile, from another exec prompt, have some debugs running, so you
can see what's going on. Once you have the pad (or whatever) command
working as desired, *then* you can put it into an autocommand.

Hth,

Aaron

P.S. Don't use "no flush-at-activation" on modem lines intended for
character mode - this will tend to deliver garbage to the exec parser or
to your server application.

Re: Autocommand PAD over ISDN [ In reply to ]
Hi,

On Tue, May 12, 2009 at 09:24:41AM -0700, Aaron Leonard wrote:
> username 5554446164 nopassword dnis

What exactly does this do? "use the called-number as user name"?

How does this play together with the "aaa authentication login ... radius",
that is "which username and password will radius see"?

amazed and curious,

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert@greenie.muc.de
fax: +49-89-35655025 gert@net.informatik.tu-muenchen.de
Re: Autocommand PAD over ISDN [ In reply to ]
Hi Gert,

>> username 5554446164 nopassword dnis
>>
>
> What exactly does this do? "use the called-number as user name"?
>

Yes.

> How does this play together with the "aaa authentication login ... radius",
> that is "which username and password will radius see"?
>

Well, this is a local username. I.e. the idea is that with:

aaa authentication login ... local
aaa authorization exec ... local
username 5554446164 nopassword dnis
username 5554446164 autocommand telnet 1.2.3.4

Then: when a client dials into 5554446164, the session will
automatically login as user "5554446164", then automatically execute the
command "telnet 1.2.3.4".

If someone dials into a number that does *not* have a "username <number>
dnis" entry, then that session will be presented with the regular
Username: prompt.

Now, if you want to mix in RADIUS ... there are a couple of approaches.
With something like:

aaa authentication login ... local radius

then matching local users (including DNIS users) will go thru local
authentication / authorization. Non-matching users will go thru RADIUS.

If you want to control everything from RADIUS ... you could do something
similar, with RADIUS preauthentication and cisco-avpair =
"shell:autocmd=telnet 1.2.3.4"

> amazed and curious,
>
> gert
>

Cheers,

Aaron
_______________________________________________
cisco-nas mailing list
cisco-nas@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nas
Re: Autocommand PAD over ISDN [ In reply to ]
Hello Aaron,

OK for not using the resource-pool manager.
But I have already configured AAA authentication and authorization:


aaa new-model
!
!
aaa group server tacacs+ TACACS-CETREL
server xxxxxxxxxxxx
server xxxxxxxxxxxx
!
aaa authentication login TAC-CET group TACACS-CETREL enable
aaa authentication login EMPTY none
aaa authentication enable default group TACACS-CETREL enable
aaa authorization exec default group TACACS-CETREL none
aaa authorization exec EMPTY none
aaa authorization exec TAC-CET group TACACS-CETREL local
!


And when I configured

username 11111111 nopassword dnis
username 11111111 autocommand pad 990101803 /cud ABRK /profile krone /quiet


I have this debug :


May 13 17:05:17.135: ISDN Se7/3:15 Q931: RX <- SETUP pd = 8 callref = 0x6A9A
    Bearer Capability i = 0x8890
        Standard = CCITT
        Transfer Capability = Unrestricted Digital
        Transfer Mode = Circuit
        Transfer Rate = 64 kbit/s
    Channel ID i = 0xA9839D
        Exclusive, Channel 29
    Calling Party Number i = 0x0081, '999999999'
        Plan:Unknown, Type:Unknown
    Called Party Number i = 0xC1, '11111111'
        Plan:ISDN, Type:Subscriber(local)
May 13 17:05:17.135: ISDN Se7/3:15 EVENT: process_rxstate: ces/callid 1/0x124 calltype 1 CALL_INCOMING
May 13 17:05:17.135: ISDN Se7/3:15 EVENT: call_incoming: call_id 0x0124, Guid = 4D904F3D8124
May 13 17:05:17.135: AAA/BIND(0000015D): Bind i/f Serial7/3:28
May 13 17:05:17.135: AAA/ACCT/DS0: channel=28, ds1=3, t3=0, slot=7, ds0=117452828
May 13 17:05:17.135: AAA/ACCT/DS0: channel=28, ds1=3, t3=0, slot=7, ds0=117452828
May 13 17:05:17.135: ISDN Se7/3:15 Q931: TX -> CALL_PROC pd = 8 callref = 0xEA9A
    Channel ID i = 0xA9839D
        Exclusive, Channel 29
May 13 17:05:17.139: AAA: parse name=DS0:0:7:3:28 idb type=-1 tty=-1
May 13 17:05:17.139: AAA/MEMORY: create_user (0x6606ED54) user='11111111' ruser='NULL' ds0=0 port='DS0:0:7:3:28' rem_addr='999999999' authen_type=NONE service=NONE priv=0 initial_task_id='0', vrf= (id=0)
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM call-accept(3726381892): Port='DS0:0:7:3:28' list='default' service=RM
May 13 17:05:17.139: AAA/AUTHOR/RM call-accept: DS0:0:7:3:28(3726381892) user='11111111'
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM call-accept(3726381892): send AV service=resource-management
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM call-accept(3726381892): send AV protocol=call-accept
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM call-accept(3726381892): send AV rm-protocol-version=1.0
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM call-accept(3726381892): send AV rm-nas-state=1661397100
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM call-accept(3726381892): send AV rm-call-type=digital
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM call-accept(3726381892): send AV rm-request-type=dial-in
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM call-accept(3726381892): send AV rm-link-type=isdn
May 13 17:05:17.139: AAA/AUTHOR/RM call-accept(3726381892) no method list defined
    Type "resource-manager" list "default". Using method "local"
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM call-accept(3726381892): Method=LOCAL
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM/local (3726381892): Received DNIS=11111111
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM/local (3726381892): Received CLID=999999999
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM/local (3726381892): Received Port=DS0:0:7:3:28
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM/local (3726381892): Received AV service=resource-management
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM/local (3726381892): Received AV protocol=call-accept
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM/local (3726381892): Received AV rm-protocol-version=1.0
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM/local (3726381892): Received AV rm-nas-state=1661397100
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM/local (3726381892): Received AV rm-call-type=digital
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM/local (3726381892): Received AV rm-request-type=dial-in
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM/local (3726381892): Received AV rm-link-type=isdn
May 13 17:05:17.139: AAA/AUTHOR (3726381892): Post authorization status = FAIL
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM/call-accept (3726381892): Processing AV service=resource-management
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM/call-accept (3726381892): Processing AV protocol=call-accept
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM/call-accept (3726381892): Processing AV rm-protocol-version=1.0
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM/call-accept (3726381892): Processing AV server-name*local
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM/call-accept (3726381892): Processing AV rm-response-code=no-customer-profile
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM/call-accept (3726381892): Processing AV rm-call-handle=290
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM/call-accept (3726381892): Processing AV rm-call-treatment=cna
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM/call-accept (3726381892): Processing AV rm-call-type=digital
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM/call-accept (3726381892): Processing AV rm-nas-state=1661397100
May 13 17:05:17.139: DS0:0:7:3:28 AAA/AUTHOR/RM (3726381892): authorization failed. Disallow call.
May 13 17:05:17.139: AAA/SERVERMSG: DS0:0:7:3:28 AAA/AUTHOR/RM: ERROR in local-rm-authorization
May 13 17:05:17.139: AAA/MEMORY: free_user (0x6606ED54) user='11111111' ruser='NULL' port='DS0:0:7:3:28' rem_addr='999999999' authen_type=NONE service=NONE priv=0 vrf= (id=0)
May 13 17:05:17.143: ISDN Se7/3:15 EVENT: UserIdle: callid 0x124 received REJECT_CALL (0x14)
sigma#
May 13 17:05:17.143: ISDN Se7/3:15 **ERROR**: process_dialer_command: Resource Manager/Caller ID screening failed, rejecting call
May 13 17:05:17.143: ISDN Se7/3:15 Q931: TX -> DISCONNECT pd = 8 callref = 0xEA9A
    Cause i = 0x80AC - Requested circuit/channel not available
May 13 17:05:17.207: ISDN Se7/3:15 Q931: RX <- RELEASE pd = 8 callref = 0x6A9A
May 13 17:05:17.211: ISDN Se7/3:15 EVENT: process_rxstate: ces/callid 1/0x124 calltype 1 CALL_CLEARED
May 13 17:05:17.211: AAA/ACCT/DS0: channel=28, ds1=3, t3=0, slot=7, ds0=117452828
May 13 17:05:17.211: ISDN Se7/3:15 Q931: TX -> RELEASE_COMP pd = 8 callref = 0xEA9A
sigma#


We can see that the user is sent to the service "resource-manager".

Question: is "resource-management" the same as "resource-pool management"?

Why does it not work?

Thanks a lot.

Patrick.






Re: Autocommand PAD over ISDN [ In reply to ]
For this scheme to work, the session needs to go through local exec
authorization (aaa authorization exec ... local).

Cheers,

Aaron

------------------------------------------------------------------------

bordin@cetrel.lu wrote:
>
> Hello Aaron,
>
> OK for not using the resource-pool manager.
> But I have already configured AAA authentication and authorization:
>
>
> aaa new-model
> !
> !
> aaa group server tacacs+ TACACS-CETREL
> server xxxxxxxxxxxx
> server xxxxxxxxxxxx
> !
> aaa authentication login TAC-CET group TACACS-CETREL enable
> aaa authentication login EMPTY none
> aaa authentication enable default group TACACS-CETREL enable
> aaa authorization exec default group TACACS-CETREL none
> aaa authorization exec EMPTY none
> aaa authorization exec TAC-CET group TACACS-CETREL local
> !
>
>
> And when I configured
>
> username 11111111 nopassword dnis
> username 11111111 autocommand pad 990101803 /cud ABRK /profile krone /quiet
>
>
> I have this debug :
>
> [ ... ]
> May 13 17:05:17.139: AAA/AUTHOR/RM call-accept(3726381892) no method list defined
>     Type "resource-manager" list "default". Using method "local"
> [ ... ]
> May 13 17:05:17.139: AAA/AUTHOR (3726381892): Post authorization status = FAIL
Re: Autocommand PAD over ISDN [ In reply to ]
Hi,

On Wed, May 13, 2009 at 08:30:53AM -0700, Aaron Leonard wrote:
> >> username 5554446164 nopassword dnis
> > What exactly does this do? "use the called-number as user name"?
> Yes.

Fascinating.

> > How does this play together with the "aaa authentication login ... radius",
> > that is "which username and password will radius see"?
>
> Well, this is a local username. I.e. the idea is that with:
>
> aaa authentication login ... local
> aaa authorization exec ... local
> username 5554446164 nopassword dnis
> username 5554446164 autocommand telnet 1.2.3.4
>
> Then: when a client dials into 5554446164, the session will
> automatically login as user "5554446164", then automatically execute the
> command "telnet 1.2.3.4".

Even more fascinating :-)

I have been a bit out of touch with "dial technologies on routers" for
the last few years, and the amount of singing and dancing you can do
with Cisco dial-in boxes keeps amazing me.

(Is there a "book of magic" somewhere? Of course there's reference
documentation for all these commands - but that won't tell you what
magic tricks you can do with the right combination of stuff...)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert@greenie.muc.de
fax: +49-89-35655025 gert@net.informatik.tu-muenchen.de
Re: Autocommand PAD over ISDN [ In reply to ]
>>> How does this play together with the "aaa authentication login ... radius",
>>> that is "which username and password will radius see"?
>>>
>> Well, this is a local username. I.e. the idea is that with:
>>
>> aaa authentication login ... local
>> aaa authorization exec ... local
>> username 5554446164 nopassword dnis
>> username 5554446164 autocommand telnet 1.2.3.4
>>
>> Then: when a client dials into 5554446164, the session will
>> automatically login as user "5554446164", then automatically execute the
>> command "telnet 1.2.3.4".
>>
>
> Even more fascinating :-)
>
> I have been a bit out of touch with "dial technologies on routers" for
> the last few years, and the amount of singing and dancing you can do
> with Cisco dial-in boxes keeps amazing me.
>
> (Is there a "book of magic" somewhere? Of course there's reference
> documentation for all these commands - but that won't tell you what
> magic tricks you can do with the right combination of stuff...)
>
> gert
>

Well ... I've been pretty much out of the "dial technologies on routers"
business myself, since '03 or so (I now focus on 802.11.) But generally
speaking, it hasn't changed any since then.

The best general overview of setting up modem services on AS5000 routers
is given in the "Cisco AS5x00 Case Study for Basic IP Modem Services".
This document has alas gone missing from cisco.com, but it can still be
found for the nonce here, thanks to hsdn.org, whoever they are:
http://noc.hsdn.org/files/univercd/cc/td/doc/product/access/acs_serv/as5800/sw_conf/ax5xip/index.htm
.

That said ... for obscure stuff such as character mode operation (rather
than PPP) ... the best tips are the ones that reside in my private
folder internal to Cisco :-(

Aaron
Re: Autocommand PAD over ISDN [ In reply to ]
Hello,

Finally, I used a different solution from aaa+username,
because with my configuration (resource-pool enable) AAA
authorization always sends the call to the service "resource-management",
so a profile is needed.
When I disable resource-pool, your method works well, but I need
resource-pool.

So I used a resource-pool profile + vty-async virtual-template, and I
added:



aaa authentication login EMPTY none
aaa authorization exec EMPTY none

line vty 5 7
authorization exec EMPTY
login authentication EMPTY

And it works.
It's not logical because a modem is used and a vty is used, but it works.
I installed the setup in production.

Thank you very much for your information.


Patrick
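
An added example, not code from the thread: a Python audit of the two patterns discussed above, Aaron's `username <number> nopassword dnis` entries and the `EMPTY none` method list Patrick bound to `line vty 5 7`. It reports any line that skips login yet accepts an inbound transport other than `v120`/`lapb-ta`, or that has no autocommand to confine the caller; that policy, the finding labels and the user `22222222` are assumptions of this example.

```python
"""Audit an IOS config for lines and users that log in without a password."""

# Policy assumed by this example: a line with no login may only be reached
# over the ISDN B-channel transports, never over an IP-facing one.
DIAL_ONLY = {"v120", "lapb-ta", "none"}

# Constructed sample built from statements quoted in this thread. The user
# 22222222 is invented here to show a finding.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login TAC-CET group TACACS-CETREL enable
aaa authentication login EMPTY none
aaa authorization exec EMPTY none
username 11111111 nopassword dnis
username 11111111 autocommand pad 990101803 /cud ABRK /profile krone /quiet
username 22222222 nopassword dnis
line vty 0 4
 login authentication TAC-CET
 transport input ssh
line vty 5 7
 authorization exec EMPTY
 login authentication EMPTY
 autocommand pad 990101803 /cud ABRK /profile krone /quiet
 transport input v120 lapb-ta
 transport output pad
line 1/44
 login authentication EMPTY
 autocommand pad 990101803 /cud ABRK /profile krone /quiet
 transport input all
 transport output pad
"""


def parse(config):
    """Return (login method lists, local users, line blocks)."""
    login_lists, users, lines = {}, {}, []
    current = None
    for raw in config.splitlines():
        words = raw.split()
        # The archive stripped indentation, so a line block is delimited by
        # the next "line" statement, "!", "end" or a blank line instead.
        if not words or words[0] in ("!", "end"):
            current = None
        elif words[0] == "line" and len(words) > 1:
            current = {"name": " ".join(words), "login": None,
                       "input": None, "autocommand": None}
            lines.append(current)
        elif current is not None:
            if words[:2] == ["login", "authentication"] and len(words) == 3:
                current["login"] = words[2]
            elif words[:2] == ["transport", "input"]:
                current["input"] = words[2:]
            elif words[0] == "autocommand":
                current["autocommand"] = " ".join(words[1:])
        elif words[:3] == ["aaa", "authentication", "login"] and len(words) > 4:
            login_lists[words[3]] = words[4:]
        elif words[0] == "username" and len(words) > 2:
            user = users.setdefault(
                words[1], {"nopassword": False, "autocommand": None})
            if words[2] == "autocommand":
                user["autocommand"] = " ".join(words[3:])
            elif "nopassword" in words[2:]:
                user["nopassword"] = True
    return login_lists, users, lines


def audit(config):
    """Return (subject, finding) pairs for passwordless lines and users."""
    login_lists, users, lines = parse(config)
    findings = []
    for line in lines:
        methods = login_lists.get(line["login"], [])
        if methods[:1] != ["none"]:
            continue  # another login method runs first on this line
        if line["input"] is None:
            # No explicit statement: the release default decides.
            findings.append((line["name"], "inbound-transport:unset"))
        else:
            for proto in line["input"]:
                if proto not in DIAL_ONLY:
                    findings.append((line["name"], "inbound-transport:" + proto))
        if line["autocommand"] is None:
            findings.append((line["name"], "no-autocommand"))
    for name, user in users.items():
        if user["nopassword"] and user["autocommand"] is None:
            findings.append(("username " + name, "no-autocommand"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_CONFIG):
        print(f"{subject}: {finding}")
```
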





