Hi -
This is yet another Prepaid Calling Card setup. Briefly, h323-credit-amount
is getting to the Cisco, and the Cisco even seems to see it arrive ('debug
radius'), but the TCL IVR 1.0 script cannot fetch the creditAmount value.
Attempts to do so return "Uknown variable name" (via getVariable radius)
or 0 (via getVariable aaa).
I've already checked the list archives (grepping for 'h323-credit-amount'
and 'cisco + VSA'); maybe I missed something? At this point the only
thing I can think it could be is the Cisco config (shown below) or the
TCL script (from Cisco) but I can't see why.
IOS version 12.2(13b), C2600-JSX-M. TCL IVR version 1.0 (not that Cisco
tells you this in 'show vers', or anywhere else I've found).
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1. VSAs sent by RADIUS
cisco_vsa_hack is set to 'no'. VSAs are being returned to the Cisco in
their required format (attrib = "attrib=value"). radtest demonstrates
this as follows:
    localhost--# radtest 1234567890 1234 hostname1:1812 1234 SecreT
    Sending Access-Request of id 198 to hostname1:1812
        User-Name = "1234567890"
        User-Password = "e\361\306t(\310\367=\014\314z~UG\276\323"
        NAS-IP-Address = hostname2
        NAS-Port = 1234
    rad_recv: Access-Accept packet from host hostname1:1812, id=198, length=76
        H323-Credit-Amount = "h323-credit-amount=432"
        H323-Return-Code = "h323-return-code=0"
This comes from the 'users' entry:
    1234567890 Password == "1234"
        h323-credit-amount = "h323-credit-amount=432",
        h323-return-code = "h323-return-code=0"
(I've also tried w/o the H323-Return-Code, and with just plain 'attr=val'
instead of 'attr="attr=val"'.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2. VSAs received by Cisco
The Cisco shows the VSA arriving.
First, the script authorizes with RADIUS:
3d18h: authorization
3d18h: account=1234567890
3d18h: password=1234
3d18h: destination=
3d18h: start_authorization service: ivr tcl authentication
3d18h: AAA/AUTHEN/START (1094823784): port='ISDN 0:D:1' list='h323'
action=LOGIN service=LOGIN
3d18h: AAA/AUTHEN/START (1094823784): found list h323
3d18h: AAA/AUTHEN/START (1094823784): Method=radius (radius)
3d18h: AAA/AUTHEN (1094823784): status = GETPASS
3d18h: AAA/AUTHEN/CONT (1094823784): continue_login (user='1234567890')
3d18h: AAA/AUTHEN (1094823784): status = GETPASS
3d18h: AAA/AUTHEN (1094823784): Method=radius (radius)
3d18h: RADIUS: ustruct sharecount=3
3d18h: Radius: radius_port_info() success=0 radius_nas_port=1
3d18h: RADIUS: added cisco VSA 2 len 10 "ISDN 0:D:1"
3d18h: RADIUS: added cisco VSA 24 len 48 "h323-conf-id=B996E907 571111D7
828D812
3d18h: RADIUS: Initial Transmit ISDN 0:D:1 id 9 192.168.1.1:1812,
Access-Request, len 185
3d18h: Attribute 4 6 41DD4447
3d18h: Attribute 26 18 00000009020C4953
3d18h: Attribute 61 6 00000000
3d18h: Attribute 1 12 31323334
3d18h: Attribute 26 56 0000000918326833
3d18h: Attribute 31 12 37343037
3d18h: Attribute 2 18 3F556F0E
3d18h: Attribute 26 37 00000009011F6833
Then, it receives the response:
3d18h: RADIUS: Received from id 9 192.168.1.1:1812, Access-Accept, len 76
3d18h: Attribute 26 30 0000000965186833
3d18h: Attribute 26 26 0000000967146833
that include vendor 0x09 (Cisco) VSAs 0x65 and 0x67, i.e., h323-credit-amount
and h323-return-code, both of which start with 0x6833 ('h3'). If there's
a way to get RADIUS to send the full response, I don't know about it.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
3. TCL IVR script requesting VSAs:
The TCL IVR script (debitcard_acct_pin.1.1.3.tcl) excerpts are:
(from proc do_first_authorize):
    set ev [authorize $account $pin "" [ani] info]
    set returncode [getVariable radius returnCode]
    if { $ev == "authorized" } {
        set amt [getVariable radius creditAmount]
        set state get_dest
        return 0
    }
which returns $amt as "Uknown variable name" [sic] (and which, in the
original script, is >999999.99, giving me the IVR response "you have
more than one million dollars in your account". Whoopie.)
I've also tried the new "getVariable aaa":
set rc [getVariable aaa h323-credit-amount creditAmount]
which returns $rc == 0, i.e., it couldn't find any h323-credit-amount
VSAs in the RADIUS response. By the way, if I set $amt to, say, 123
after the [getVariable radius creditAmount] part, it acts normally,
so I know the problem is in fetching h323-credit-amount. I also know
$ev is returning "authorized" in the above.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4. Cisco config:
Excerpts from the Cisco's config (BTW, I know the uid-length specified
in the config doesn't match the username length from RADIUS. The IVR
script only seems to accept 10-digit usernames).
    aaa new-model
    aaa authentication login default line
    aaa authentication login h323 group radius
    aaa accounting connection h323 start-stop group radius
    call rsvp-sync
    call application voice debitcard tftp://192.168.1.2/tclware/debitcard_acct_pin.1.1.3.tcl
    call application voice debitcard pin-length 4
    call application voice debitcard uid-length 8
    call application voice debitcard language 1 en
    call application voice debitcard set-location en 0 tftp://192.168.1.2/tclware/prompts/en/
    gw-accounting syslog
    gw-accounting h323 vsa
    gw-accounting voip
    radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
    radius-server key 7 097F4B0A0B0023
    radius-server vsa send accounting
    radius-server vsa send authentication
    dial-peer voice 103 pots
     application debitcard
     incoming called-number 5893300
     direct-inward-dial
     port 1/0:23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Thanks for any help. I've been working on this for several days now.
-- Bill
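
Added example (not part of the original post, nor code from Cisco or FreeRADIUS): the 'debug radius' trace in section 2 prints only the first eight bytes of each Attribute 26. The Python below rebuilds both VSAs from the radtest values in section 1 and decodes them, so the lengths 30, 26 and 76 and the 0x65/0x67 sub-types can be checked against a well-formed reply. The function names and the one-sub-attribute-per-VSA check are assumptions of this example.

```python
import struct

CISCO_VENDOR_ID = 9      # 0x00000009, as shown in the debug output
VENDOR_SPECIFIC = 26     # RADIUS Vendor-Specific attribute type (RFC 2865)

def build_vsa(vendor_type: int, text: str) -> bytes:
    """Encode one Vendor-Specific attribute holding a single Cisco sub-attribute."""
    value = text.encode("ascii")
    sub = bytes([vendor_type, 2 + len(value)]) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body

def parse_vsas(payload: bytes) -> list:
    """Walk a RADIUS attribute area and decode every Vendor-Specific attribute."""
    out, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        data = payload[pos + 2 : pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC:
            continue
        if len(data) < 6:
            raise ValueError("VSA too short for vendor id and sub-attribute")
        vendor = struct.unpack("!I", data[:4])[0]
        vtype, vlen = data[4], data[5]
        if vlen != len(data) - 4:   # assumption: one sub-attribute per VSA
            raise ValueError("vendor-length disagrees with attribute length")
        name, sep, value = data[6:].decode("ascii").partition("=")
        out.append({
            "attr_len": alen,                      # second column of the debug line
            "prefix": data[:8].hex().upper(),      # third column of the debug line
            "vendor": vendor, "vendor_type": vtype,
            "name": name, "value": value if sep else None,
        })
    return out

# Constructed sample: the two reply items from the 'users' entry above.
SAMPLE = build_vsa(0x65, "h323-credit-amount=432") + build_vsa(0x67, "h323-return-code=0")

if __name__ == "__main__":
    for vsa in parse_vsas(SAMPLE):
        print(vsa)
    print("packet length:", 20 + len(SAMPLE))   # 20-byte RADIUS header + attributes
```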