已有帐户?

  •   个性化内容
  •   您的产品和支持

需要帐户?

创建帐户

配置在CPAR 8.0的自定义脚本

下载选项

  • PDF     (244.1 KB)
    在各种设备上使用 Adobe Reader 查看
  • ePub     (80.5 KB)
    在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上使用各种应用查看
  • Mobi (Kindle)     (69.3 KB)
    在 Kindle 设备上查看或在多个设备上使用 Kindle 应用查看
已更新: 2019 年 10 月 5 日
文档 ID:214839
关于翻译

关于此翻译

思科采用人工翻译与机器翻译相结合的方式将此文档翻译成不同语言,希望全球的用户都能通过各自的语言得到支持性的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 Cisco Systems, Inc. 对于翻译的准确性不承担任何责任,并建议您总是参考英文原始文档(已提供链接)。

    简介

    本文描述如何定制与使用的Cisco头等访问登记(CPAR) 8.0行为脚本和扩展点。

    先决条件

    要求

    Cisco 建议您了解以下主题:

    • CPAR 8.0管理

    使用的组件

    本文档中的信息基于以下软件和硬件版本:

    • CPAR 8.0已安装在CentOS 6.5 64位 

    本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您的网络处于活动状态,请确保您了解所有命令的潜在影响。

    背景信息

    CPAR可以被内部和外部脚本修改。脚本在C/C++/Java/TCL可以写入。脚本可以用于修改处理RADIUS、TACACS和直径数据包。脚本可以被参考在扩展点的CPAR。扩展点是出现在某些配置元素下并且准许参考脚本的设置/属性。根据参考指南CPAR对自定义脚本造成的任何数据丢失、损伤等等不负责。 

    这是两个扩展点示例在网络设备配置下

    [ //localhost/Radius/Clients/piborowi ]
    Name = piborowi
    Description =
    Protocol = tacacs-and-radius
    IPAddress = 192.168.255.15
    SharedSecret = <encrypted>
    Type = NAS
    Vendor =
    IncomingScript~ =                          // Extension point for incomming traffic
    OutgoingScript~ =                          // Extension point for outgoing traffic
    EnableDynamicAuthorization = FALSE
    NetMask =
    EnableNotifications = FALSE
    EnforceTrafficThrottling = TRUE

    根据CPAR管理指南,有多个可用的扩展点。一份流入脚本可以被参考在这些扩展点中的每一个:

    • RADIUS 服务器
    • 供应商(立即客户端)
    • 客户端(个人NAS)
    • Nas供应商在后这代理
    • 客户端在后这代理
    • 远程服务器(类型RADIUS)
    • 服务

    验证或授权脚本可以被参考在这些扩展点中的每一个:

    • 组验证
    • 用户身份验证
    • 组授权
    • 用户授权

    流出的脚本可以被参考在这些扩展点中的每一个:

    • 服务
    • 客户端在后这代理
    • Nas供应商在后这代理
    • 客户端(个人NAS)
    • NAS供应商
    • RADIUS 服务器

    了解脚本由CPAR执行的命令是关键的,因为有多个分机点。参考的表看到29个可用的写脚本/扩展点定货的管理员指南7-1。

    一份内部脚本是直接地在CPAR CLI的那个(aregcmd)配置。它不要求任何外部文件和编程的知识。一份外部脚本是在操作系统的一个文件存储的那个(CENTOS或RHEL)和被参考CPAR CLI。 

    配置

    流出流量的内部脚本

    在内部写脚本您能使用这些修正值:

    1. +rsp :-添加和属性到答复

    2. - rsp :-从答复去除属性

    3. #rsp :-用新的值替换属性

    4. 在能用于上req (请求/incomming的数据包和env,是环境字典)。示例+req :或者- env :

    添加一份内部脚本在/Radius/Scripts下。配置用访问接受信息包将返回的两个其他AVP :过滤器ID和根据厂商的一个(加入语音域)。 

    --> ls -R

[ //localhost/Radius/Scripts/addattr ]
    Name = addattr
    Description =
    Language = internal
    Statements/
        1. +rsp:Filter-Id=PhoneACL
        2. +rsp:Cisco-AVPair=device-traffic-class=voice

--> ls -R

[ Services/local-users ]
    Name = local-users
    Description =
    Type = local
    IncomingScript~ =
    OutgoingScript~ = addattr
    OutagePolicy~ = RejectAll
    OutageScript~ =
    UserList = Default
    EnableDeviceAccess = True
    DefaultDeviceAccessAction~ = DenyAll
    DeviceAccessRules/
        1. switches

    与使用的测验本地radclient :

    --> simple <username> <password>
p011
--> p011 send
p014
--> p014
Packet: code = Access-Accept, id = 18, length = 64, attributes =
        Filter-Id = PhoneACL
        Cisco-AVPair = device-traffic-class=voice

    跟踪:

    07/31/2019 10:31:26.254: P2363: Running Service local-users's OutgoingScript: addattr
07/31/2019 10:31:26.254: P2363: Internal Script for 1   +rsp:Filter-Id=PhoneACL : Filter-Id = PhoneACL
07/31/2019 10:31:26.254: P2363: Setting value PhoneACL for attribute Filter-Id
07/31/2019 10:31:26.254: P2363: Trace of Response Dictionary
07/31/2019 10:31:26.254: P2363: Trace of Access-Request packet
07/31/2019 10:31:26.254: P2363:    identifier = 18
07/31/2019 10:31:26.254: P2363:    length = 30
07/31/2019 10:31:26.254: P2363:    respauth = fb:63:14:3f:c1:fb:ac:03:7d:16:29:61:ba:ef:13:4f
07/31/2019 10:31:26.254: P2363:    Filter-Id = PhoneACL
07/31/2019 10:31:26.254: P2363: Internal Script for 2   +rsp:Cisco-AVPair=device-traffic-class=voice : Cisco-AVPair = device-traffic-class=voice
07/31/2019 10:31:26.254: P2363: Setting value device-traffic-class=voice for attribute Cisco-AVPair
07/31/2019 10:31:26.254: P2363: Trace of Response Dictionary
07/31/2019 10:31:26.254: P2363: Trace of Access-Request packet
07/31/2019 10:31:26.254: P2363:    identifier = 18
07/31/2019 10:31:26.254: P2363:    length = 64
07/31/2019 10:31:26.254: P2363:    respauth = fb:63:14:3f:c1:fb:ac:03:7d:16:29:61:ba:ef:13:4f
07/31/2019 10:31:26.254: P2363:    Filter-Id = PhoneACL
07/31/2019 10:31:26.254: P2363:    Cisco-AVPair = device-traffic-class=voice

    流入的数据流的内部脚本

    创建新脚本替换在格式user@domain的所有用户名对的匿名并且应用它,服务的incomming的脚本您使用。

    配置:

    --> cd /Radius/Scripts

    --> add test

    --> set language internal

    --> cd Statements

    --> add 1

    --> cd 1 

    --> set statements "#req:User-Name=~(.*)(@[a-z]+.[a-z]+)~\anonymous"

    --> ls -R

[ //localhost/Radius/Scripts/test ]
    Name = test
    Description =
    Language = internal
    Statements/
        1. #env:User-Name=~(.*)~anonymous

--> ls -R /Radius/Services/employee-service/

[ /Radius/Services/employee-service ]
    Name = employee-service
    Description =
    Type = local
    IncomingScript~ = test
    OutgoingScript~ =
    OutagePolicy~ = RejectAll
    OutageScript~ =
    UserList = default
    EnableDeviceAccess = FALSE
    DefaultDeviceAccessAction~ = DenyAll

    测试与radclient (请求很可能已拒绝,因为用户名更改对匿名) :

    --> simple <username>@cisco.com <password>
p01e

    --> p01e
    Packet: code = Access-Request, id = 27, length = 72, attributes =
    User-Name = <username>@cisco.com
    User-Password = <password>
    NAS-Identifier = localhost
    NAS-Port = 7
    
--> p01e send
p020
--> p020
Packet: code = Access-Reject, id = 27, length = 35, attributes =
        Reply-Message = Access Denied

    Trace :

    在员工服务被执行前,三份脚本被调用。第一CPAR调用CiscoIncomingScript,然后调用附加对localhost客户端/network设备配置的ParseServiceHints。它在环境字典解压缩从数据包的用户名并且放置它。第二份脚本,测验被调用,并且在环境字典的用户名从<username>更改到匿名

    localhost客户端:

    [ //localhost/Radius/Clients/localhost ]
    Name = localhost
    Description =
    Protocol = radius
    IPAddress = 127.0.0.1
    SharedSecret = <encrypted>
    Type = NAS+Proxy
    Vendor = Cisco
    IncomingScript~ = ParseServiceHints
    OutgoingScript~ =
    EnableDynamicAuthorization = FALSE
    NetMask =
    EnableNotifications = FALSE
    EnforceTrafficThrottling = TRUE

    Trace输出:

    07/31/2019 11:38:53.522: P2855: PolicyEngine: [SelectPolicy] Successful
07/31/2019 11:38:53.522: P2855: Using Client: localhost
07/31/2019 11:38:53.522: P2855: Using Vendor: Cisco
07/31/2019 11:38:53.522: P2855: Running Vendor Cisco's IncomingScript: CiscoIncomingScript
07/31/2019 11:38:53.522: P2855: Running Client localhost IncomingScript: ParseServiceHints
07/31/2019 11:38:53.522: P2855: Rex: environ->get( "Request-Type" ) -> "Access-Request"
07/31/2019 11:38:53.522: P2855: Rex: environ->get( "Request-Type" ) -> "Access-Request"
07/31/2019 11:38:53.522: P2855: Rex: environ->get( "User-Name" ) -> "<username>"


07/31/2019 11:38:53.522: P2855: Authenticating and Authorizing with Service employee-service
07/31/2019 11:38:53.522: P2855: Running Service employee-service's IncomingScript: test
07/31/2019 11:38:53.522: P2855: Numbered attribute got for the radius / tacacs packet. ignoring # User-Name
07/31/2019 11:38:53.523: P2855: Numbered attribute got for the radius / tacacs packet. ignoring # User-Name
07/31/2019 11:38:53.523: P2855: Numbered attribute got for the radius / tacacs packet. ignoring # User-Name
07/31/2019 11:38:53.523: P2855: Internal Script for 1   #env:User-Name=~(.*)~anonymous : User-Name = anonymous
07/31/2019 11:38:53.523: P2855: Setting value anonymous for attribute User-Name
07/31/2019 11:38:53.523: P2855: Trace of Environment Dictionary
07/31/2019 11:38:53.523: P2855:            User-Name = anonymous
07/31/2019 11:38:53.523: P2855:            NAS-Name-And-IPAddress = localhost (127.0.0.1)
07/31/2019 11:38:53.523: P2855:            Authorization-Service = employee-service
07/31/2019 11:38:53.523: P2855:            Source-Port = 51169
07/31/2019 11:38:53.523: P2855:            Authentication-Service = employee-service
07/31/2019 11:38:53.523: P2855:            Trace-Level = 1000
07/31/2019 11:38:53.523: P2855:            Destination-Port = 1812
07/31/2019 11:38:53.523: P2855:            Destination-IP-Address = 127.0.0.1
07/31/2019 11:38:53.523: P2855:            Source-IP-Address = 127.0.0.1
07/31/2019 11:38:53.523: P2855:            Enforce-Traffic-Throttling = TRUE
07/31/2019 11:38:53.523: P2855:            Request-Type = Access-Request
07/31/2019 11:38:53.523: P2855:            Script-Level = 6
07/31/2019 11:38:53.523: P2855:            Provider-Identifier = Default
07/31/2019 11:38:53.523: P2855:            Request-Authenticator = 5f:62:5a:72:0f:7b:a2:2a:9c:06:ba:2e:bd:f4:e4:4b
07/31/2019 11:38:53.523: P2855:            Realm = cisco.com
07/31/2019 11:38:53.523: P2855: Getting User anonymous's UserRecord from UserList Default
07/31/2019 11:38:53.523: P2855: Failed to get User anonymous's UserRecord from UserList Default
07/31/2019 11:38:53.523: P2855: Running Vendor Cisco's OutgoingScript: CiscoOutgoingScript
07/31/2019 11:38:53.523: P2855: Trace of Access-Reject packet
07/31/2019 11:38:53.523: P2855:    identifier = 27
07/31/2019 11:38:53.523: P2855:    length = 35
07/31/2019 11:38:53.523: P2855:    respauth = d3:7d:b3:f6:05:47:2c:66:d9:c0:01:7d:67:d7:93:99
07/31/2019 11:38:53.523: P2855:    Reply-Message = Access Denied
07/31/2019 11:38:53.523: P2855: Sending response to 127.0.0.1

    创建外部脚本

    添加一个文件nadip.tcl到/opt/CSCOar/scripts/radius/tcl/目录并且添加此内容:

    [root@piborowi-cpar80-16 tcl]# cat /opt/CSCOar/scripts/radius/tcl/nadip.tcl
    proc UpdateNASIP {request response environ} {
     $request trace 2 "TCL CUSTOM_SCRIPT Updating NAS IP ADDRESS"
     $request trace 2 "Before put: " [ $request get NAS-IP-Address ]
     $request put NAS-IP-Address 1.2.3.4
     $request trace 2 "After put: " [ $request get NAS-IP-Address ]
    }

    nadip.tcl内容解释一行行:

    线路#1程序定义和参数。请求,答复,包围和三个可用的字典您能修改会话/数据包数据的地方。

    线路#2作为跟踪级别能将打印的脚本的调试线路2。

    nas-ip-address在请求字典的属性线路#3内容,在您集此值前。

    线路#4设置nas-ip-address在请求字典的属性重视1.2.3.4。

    nas-ip-address线路#5再打印属性。

    一旦脚本在操作系统创建并且保存,请配置对脚本的CPAR参考。设置语言作为TCL,文件名必须是与分机(在这种情况下它的确切的文件名是nadip.tcl)。EntryPoint是步骤的名称在您希望执行作为脚本的文件的。参考创建CPAR脚本在与radclient的服务(incomingScript)和测验下。

    线路#2, #3, #5在trace可以被观察:

    --> ls -R /Radius/scripts/nadipaddress/

[ /Radius/Scripts/nadipaddress ]
    Name = nadipaddress
    Description =
    Language = tcl             <<<<<<<<
    Filename = nadip.tcl       <<<<<<<<
    EntryPoint = UpdateNASIP   <<<<<<<<
    InitEntryPoint =
    InitEntryPointArgs =

--> ls -R /Radius/services/employee-service/

[ /Radius/Services/employee-service ]
    Name = employee-service
    Description =
    Type = local
    IncomingScript~ = nadipaddress    <<<<<<<<
    OutgoingScript~ =
    OutagePolicy~ = RejectAll
    OutageScript~ =
    UserList = default
    EnableDeviceAccess = FALSE
    DefaultDeviceAccessAction~ = DenyAll

    Trace :

    07/31/2019 13:40:53.615: P3490: Running Service employee-service's IncomingScript: nadipaddress
07/31/2019 13:40:53.615: P3490: TCL CUSTOM_SCRIPT Updating NAS IP ADDRESS
07/31/2019 13:40:53.616: P3490:     Tcl: request trace 2 TCL CUSTOM_SCRIPT Updating NAS IP ADDRESS -> OK
07/31/2019 13:40:53.616: P3490:     Tcl: request get NAS-IP-Address -> <empty>
07/31/2019 13:40:53.616: P3490: Before put:
07/31/2019 13:40:53.616: P3490:     Tcl: request trace 2 Before put:   -> OK
07/31/2019 13:40:53.616: P3490:     Tcl: request put NAS-IP-Address 1.2.3.4 -> OK
07/31/2019 13:40:53.616: P3490:     Tcl: request get NAS-IP-Address -> 1.2.3.4
07/31/2019 13:40:53.616: P3490: After put: 1.2.3.4
07/31/2019 13:40:53.616: P3490:     Tcl: request trace 2 After put:  1.2.3.4 -> OK
    TAC Authored

    由思科工程师提供

    • Farid Yusifov
      Cisco TAC工程师
    • Piotr Borowiec
      Cisco TAC工程师

    此文档是否有帮助?

    Feedback反馈

    联系我们

    相关的思科社区讨论

    本文档适用于以下产品