TCL IVR AAA

Version 1
    This document was generated from CDN thread

    Created by: vinh nguyen on 27-05-2010 04:57:55 AM
    Hi all,
     
    I'm trying to set up authentication by RADIUS server using a Tcl script. Here's the flow of the setup:
     
    caller calls DID -> gateway receives -> call handled by Tcl script -> Tcl script authenticates call by AAA (RADIUS)
     
    I got everything up to the part where Tcl is authenticating using RADIUS (AAA). I'm just at a loss as to how I should set up my AAA on my gateway. Any help would be greatly appreciated.
     
    I read multiple documents on AAA from Cisco, but most of them are not very helpful. As soon as I used "aaa new-model", every time I log in via telnet, it prompts me for username and password.

    Subject: RE: TCL IVR AAA
    Replied by: Yawming Chen on 27-05-2010 02:42:10 PM
    Please check out this link
     
    http://www.cisco.com/en/US/docs/ios/voice/aaa/configuration/guide/va_aaa_config_ps10592_TSD_Products_Configuration_Guide_Chapter.html
     
    Thanks !
     

    Subject: RE: TCL IVR AAA
    Replied by: Yawming Chen on 28-05-2010 03:50:10 AM
    Here is an example:
     
    aaa new-model --> Enables AAA in GW globally
    !
    aaa authentication login h323 group radius --> Enables AAA authentication for Voice call using H323 group
    aaa authorization exec h323 group radius
    aaa accounting connection h323 start-stop group radius --> Enables accounting for Voice call using H323 group
    !
    radius-server host 172.1.1.2 auth-port 6680 acct-port 6681 non-standard key 7 060506324F41 --> Specifies the IP address and port for AAA server authentication and accounting port. In the example 172.19.1.2 is the AAA IP address, 6680 is the authentication port, 6681 is the accounting port.
    radius-server vsa send accounting --> Enables sending of CDR to AAA server.
    !
    call accounting-template voice my_cdr tftp://tftp/mil.cdr --> Specifies what information is collected in CDR.
    !
    gw-accounting aaa --> Enables accounting in the GW
    acct-template my_cdr --> Configures the voice template name configured using the "call accounting-template voice" CLI.

    Subject: RE: TCL IVR AAA
    Replied by: vinh nguyen on 28-05-2010 02:24:19 AM
    I tried some of the example. It was not able to connect to the FreeRadius.
     
    Here's the output I get:
     
    *Jun 25 13:51:36.268: AAA/BIND(000000B0): Bind i/f
    *Jun 25 13:51:36.268: AAA/AUTHEN/LOGIN (000000B0): Pick method list 'test'
    *Jun 25 13:51:36.268: RADIUS/ENCODE(000000B0):Orig. component type = VOICE
    *Jun 25 13:51:36.268: RADIUS/ENCODE(000000B0): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
    *Jun 25 13:51:36.268: RADIUS(000000B0): Config NAS IP: 0.0.0.0
    *Jun 25 13:51:36.268: RADIUS/ENCODE(000000B0): acct_session_id: 19
    *Jun 25 13:51:36.272: RADIUS(000000B0): sending
    *Jun 25 13:51:36.272: RADIUS/ENCODE: Best Local IP-Address 66.234.136.54 for Radius-Server 66.234.136.53
    *Jun 25 13:51:36.272: ISDN Se7/0:1:23 Q931: TX -> CALL_PROC pd = 8  callref = 0x808B
            Channel ID i = 0xA98381
                    Exclusive, Channel 1
    *Jun 25 13:51:36.272: ISDN Se7/0:1:23 Q931: TX -> CONNECT pd = 8  callref = 0x808B
    *Jun 25 13:51:36.272: RADIUS(000000B0): Send Access-Request to 66.234.136.53:1812 id 1645/6, len 92
    *Jun 25 13:51:36.272: RADIUS:  authenticator 08 8D 68 49 56 95 FA D3 - 18 7A EF AE 71 25 59 58
    *Jun 25 13:51:36.272: RADIUS:  User-Name           [1]   12  "7133910467"
    *Jun 25 13:51:36.272: RADIUS:  User-Password       [2]   18  *
    *Jun 25 13:51:36.272: RADIUS:  Vendor, Cisco       [26]  36
    *Jun 25 13:51:36.272: RADIUS:   Cisco AVpair       [1]   30  "h323-ivr-out=transactionID:5"
    *Jun 25 13:51:36.272: RADIUS:  NAS-IP-Address      [4]   6   66.234.136.54
    *Jun 25 13:51:36.320: ISDN Se7/0:1:23 Q931: RX <- CONNECT_ACK pd = 8  callref = 0x008B
    *Jun 25 13:51:40.600: RADIUS: Retransmit to (66.234.136.53:1812,1813) for id 1645/6
    *Jun 25 13:51:45.400: RADIUS: Retransmit to (66.234.136.53:1812,1813) for id 1645/6
    *Jun 25 13:51:50.288: RADIUS: Retransmit to (66.234.136.53:1812,1813) for id 1645/6
    *Jun 25 13:51:54.816: RADIUS: No response from (66.234.136.53:1812,1813) for id 1645/6
    *Jun 25 13:51:54.816: RADIUS/DECODE: No response from radius-server; parse response; FAIL
    *Jun 25 13:51:54.816: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

    Subject: RE: TCL IVR AAA
    Replied by: vinh nguyen on 28-05-2010 03:57:50 PM
    I think I nailed it down somewhat and got it working. I have 2 questions:
     
    1 - I want to send an AV pair to the AAA server. For example I want to use h323-credit-amount. Do I have to set it in the Tcl script?
     
    2 - After I set the aaa new-model with the right information, my Tcl script can authenticate to AAA. But every time I telnet into my gateway, it asks for Username and Password. Before, it was asking for Password only; it was authenticating using the password I set up when I set up my gateway. How can I fix that?

    Subject: RE: TCL IVR AAA
    Replied by: vinh nguyen on 28-05-2010 11:19:36 PM
    I got the following errors - do you know what that means?
     
    RADIUS/DECODE: parse VSA parts error
    *Jun 26 10:49:23.075: RADIUS/DECODE: convert VSA string; FAIL
    *Jun 26 10:49:23.075: RADIUS/DECODE: decoder; FAIL
    *Jun 26 10:49:23.075: RADIUS/DECODE: attribute h323-credit-amount; FAIL
    *Jun 26 10:49:23.075: RADIUS/DECODE: cisco VSA type 101; FAIL
    *Jun 26 10:49:23.075: RADIUS/DECODE: VSA; FAIL
    *Jun 26 10:49:23.075: RADIUS/DECODE: decoder; FAIL
    *Jun 26 10:49:23.075: RADIUS/DECODE: attribute Vendor-Specific; FAIL
    *Jun 26 10:49:23.075: RADIUS/DECODE: parse response op decode; FAIL
    *Jun 26 10:49:23.075: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
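
The attribute layout shown in the Access-Request debug output earlier in the thread (len 92, with the Cisco AVpair nested inside attribute 26) and the kind of length check a VSA decoder applies can be reproduced as follows. This is an added example, not code from the thread or from Cisco: it follows RFC 2865 attribute encoding, assumes one sub-attribute per Cisco VSA, and uses constructed zero bytes in place of the hidden User-Password.

```python
import struct

CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type

def encode_attr(attr_type, value):
    """RFC 2865 TLV: type (1 byte), length (1 byte, header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def encode_cisco_vsa(vendor_type, text):
    """Attribute 26 carrying vendor id 9 and a single vendor sub-attribute."""
    sub = encode_attr(vendor_type, text.encode("ascii"))
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def decode_attrs(data):
    """Walk an attribute list; raise ValueError on a length that does not fit."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"attribute {attr_type}: bad length {length}")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out

def decode_cisco_vsa(value):
    """Return (vendor_type, text); assumes one sub-attribute per VSA."""
    if len(value) < 6:
        raise ValueError("VSA too short")
    vendor = struct.unpack("!I", value[:4])[0]
    vendor_type, vendor_len = value[4], value[5]
    if vendor != CISCO_VENDOR_ID:
        raise ValueError(f"unexpected vendor id {vendor}")
    if vendor_len != len(value) - 4:
        raise ValueError(f"cisco VSA type {vendor_type}: bad length {vendor_len}")
    return vendor_type, value[6:].decode("ascii")

def logged_request_attrs():
    """Attributes of the Access-Request in the debug output, in logged order."""
    return (encode_attr(1, b"7133910467")              # User-Name [1] 12
            + encode_attr(2, bytes(16))                # User-Password [2] 18 (constructed zeros)
            + encode_cisco_vsa(1, "h323-ivr-out=transactionID:5")  # [26] 36, AVpair [1] 30
            + encode_attr(4, bytes([66, 234, 136, 54])))  # NAS-IP-Address [4] 6

if __name__ == "__main__":
    attrs = logged_request_attrs()
    print("packet length:", 20 + len(attrs), decode_attrs(attrs))
```

The per-attribute lengths and the 92-byte total (20-byte RADIUS header plus attributes) match the figures in the gateway's debug lines, which makes the same code usable for checking what a RADIUS server puts on the wire in a reply.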

    Subject: RE: TCL IVR AAA
    Replied by: Yawming Chen on 29-05-2010 12:23:16 AM
    call accounting-template voice my_cdr tftp://tftp/SRT-milliken/mil.cdr --> Specifies what information is collected in CDR.
     
    Sample entry in mil.cdr file in TFTP server:
     
    h323-setup-time
    gw-rxd-cdn
    gw-rxd-cgn
    h323-ivr-out
    voice-tx-duration
    feature-vsa
     
    If the CDR template configuration is not provided, a full detail of records are created.

    Subject: RE: TCL IVR AAA
    Replied by: vinh nguyen on 31-05-2010 09:04:30 PM
    What I don't understand is which VSAs are needed and which are not. I know what I want, but what the gateway and RADIUS (FreeRADIUS) need in order to communicate is not clear.

    Subject: RE: TCL IVR AAA
    Replied by: Yawming Chen on 01-06-2010 02:33:17 AM
    I don't quite get your latest issue. I am not a RADIUS expert; if you can give more detail on your issue I can try to find the answer for you.
     
    Thanks !

    Subject: RE: TCL IVR AAA
    Replied by: vinh nguyen on 02-06-2010 02:21:16 AM
    OK, how about a simple task. If I want to send an attribute (VSA) to the RADIUS server, what do I need to do from the Tcl script?
     
    For instance, if I want to send "opcode:3" to the RADIUS server, what must be done from the Tcl script side?

    Subject: RE: TCL IVR AAA
    Replied by: Yawming Chen on 02-06-2010 02:52:10 AM
    If you want to use Tcl to send, use the "aaa accounting" command.
     
    The aaa accounting command sends start or update accounting records.
     
    Otherwise use the method I described earlier.
     
    Thanks !