
AAA-H.323 cannot handle reverse authentication

I am writing a TCL IVR authentication script which should allow access to anybody _except_ for ANIs in a "black list".

I have set up the list of undesirable numbers in a FreeRADIUS server. It seems that there is a bug (feature?) in AAA for H.323: as soon as the AAA authentication fails, calls are not allowed to proceed.

This behavior should be under the control of MY script and not under the assumptions of Cisco engineers.

This code makes the problem evident (see full script in my other posting):

-------------------------------------------------
# Incoming call: look up the caller's ANI in RADIUS with an empty password.
proc act_Setup { } {
    set ani [infotag get leg_ani]
    puts "\ngoing to aaa authenticate $ani <no password>\n"
    aaa authenticate $ani ""
}

# Runs on ev_authenticate_done. The result is only logged;
# the call is placed in both branches.
proc act_Authorized { } {
    set ani [infotag get leg_ani]
    set status [infotag get evt_status]

    # au_000: authentication succeeded, i.e. the ANI is in the list
    if { $status == "au_000" } {
        puts "\n\nwe have a hit: $ani\n"
    } else {
        puts "\n\n unknown ANI ($ani), proceed\n"
    }

    leg setupack leg_incoming
    set dnis [infotag get leg_dnis]
    puts "\n\nconnecting call to # $dnis\n"
    leg proceeding leg_incoming
    leg setup $dnis callInfo leg_incoming
}
-------------------------------------------------

As you can see above, the call should proceed unimpeded, regardless of the authentication's result, which is used only for debugging.

When I see the message "we have a hit", the call goes through, but when the message says "unknown ANI, proceed", the call gets aborted with an ls_003 event ("The call setup failed because of a lack of resources in the network").

Thanks for any tips or comments,

-Ramon F Herrera

AS-5300

c5300-is-mz.123-3.bin

2 REPLIES

Re: AAA-H.323 cannot handle reverse authentication

This is the full script:

#
# A very simple call app
#

proc init { } {
    global param
}

# Incoming call: look up the caller's ANI in RADIUS with an empty password.
proc act_Setup { } {
    set ani [infotag get leg_ani]
    puts "\ngoing to aaa authenticate $ani \n"
    aaa authenticate $ani ""
}

# Runs on ev_authenticate_done. The result is only logged;
# the call is placed in both branches.
proc act_Authorized { } {
    set ani [infotag get leg_ani]
    set status [infotag get evt_status]

    # au_000: authentication succeeded, i.e. the ANI is in the list
    if { $status == "au_000" } {
        puts "\n\nwe have a hit: $ani\n"
    } else {
        puts "\n\n unknown ANI ($ani), proceed\n"
    }

    leg setupack leg_incoming
    set dnis [infotag get leg_dnis]
    puts "\n\nconnecting call to # $dnis\n"
    leg proceeding leg_incoming
    leg setup $dnis callInfo leg_incoming
}

# Runs on ev_setup_done. Anything other than ls_000 (success) ends the call.
proc act_CallSetupDone { } {
    set status [infotag get evt_status]
    puts "\n\nEntering act_CallSetupDone\n"

    if { $status != "ls_000" } {
        puts "\n\nCall [infotag get con_all] got event $status\n"
        puts "\n\nwhile placing an outgoing call\n"
        call close
    }
}

proc act_Cleanup { } {
    puts "\n\nEntering act_Cleanup\n"
    call close
}

proc act_Abort { } {
    puts "\n\nUnexpected event - entering act_Abort\n"
    call close
}

init

#----------------------------------
# State Machine
#----------------------------------
set TopFSM(any_state,ev_disconnected)           "act_Abort,same_state"
set TopFSM(CALL_INIT,ev_setup_indication)       "act_Setup,AUTHORIZE"
set TopFSM(AUTHORIZE,ev_authenticate_done)      "act_Authorized,PLACECALL"
set TopFSM(PLACECALL,ev_setup_done)             "act_CallSetupDone,CALLACTIVE"
set TopFSM(CALLACTIVE,ev_disconnected)          "act_Cleanup,CALLDISCONNECTED"
set TopFSM(CALLDISCONNECTED,ev_disconnect_done) "act_Cleanup,same_state"

fsm define TopFSM CALL_INIT


Re: AAA-H.323 cannot handle reverse authentication

One possible workaround comes to mind: should I modify and recompile radiusd to return the boolean complement of the authentication?

-Ramon
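
Relating to the workaround question in the last reply, an added example that is not part of the original thread: the sense of the lookup can be inverted in the FreeRADIUS `users` file instead of in the radiusd source, so that blacklisted ANIs are rejected and every other caller is accepted. The ANIs and reply text are constructed sample values, and the layout assumes the script is changed to read au_000 as "caller allowed" rather than "we have a hit".

```conf
# FreeRADIUS "users" file (files module) -- added example, constructed ANIs.
# Entries are matched top to bottom and the first match wins, so the
# blacklist entries must come before DEFAULT.

# Blacklisted ANIs: always answer Access-Reject.
2125550100  Auth-Type := Reject
            Reply-Message = "ANI blocked"

2125550101  Auth-Type := Reject
            Reply-Message = "ANI blocked"

# Any other ANI: answer Access-Accept without checking the empty
# password that the script's `aaa authenticate $ani ""` call sends.
DEFAULT     Auth-Type := Accept
```

With this layout an Access-Reject, which the post reports stops the call, is returned only for the listed numbers.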
