Introduction
本文描述配置公司L2TP的预期结果APNs用认证imsi-auth或认证msisdnauth。
问题:msisdnauth和imsi-auth APN配置选项有L2TP基于APNs的一个Speciffic (非明显)结果
正式文档(版本19)状态:
imsi-auth -配置APN尝试验证根据他们的国际便携用户标识(IMSI)编号的订户。
msisdnauth -配置APN尝试验证根据他们的便携位置国际综合业务数字网络(MSISDN)编号的订户正如此命令的使用方法部分所描述。
示例配置:
apn ecs-apn
ims-auth-service IMSA
dns primary 192.168.1.128
dns secondary 192.168.1.129
ip access-group CSS_ACL in
ip access-group CSS_ACL out
authentication imsi-auth username-strip-apn prefer-chap-pco <<<<<<<<<<<<<<<<<<<<<<<<<<<
ip context-name Gi
tunnel l2tp peer-address 2.2.2.2 encrypted secret +A3oxne9nnyqmuz16dddqucwcqz92p2hi4t8z21nx3hmmpcgvh4ida preference 1 <<<<<<<<<<<<<<<<<<<<<<<<<<<
tunnel l2tp peer-address 3.3.3.3 encrypted secret +A2dbz9joxajmv80jxmr5aycl1ka2s6nzmu7s2bte3nnz4o2hgkqxn preference 2 <<<<<<<<<<<<<<<<<<<<<<<<<<<
loadbalance-tunnel-peers prioritized <<<<<<<<<<<<<<<<<<<<<<<<<<<
exit
lac-service LAC-SVC <<<<<<<<<<<<<<<<<<<<<<<<<<<
max-retransmission 1
retransmission-timeout-max 1
load-balancing prioritized
allow aaa-assigned-hostname
keepalive-interval 30
peer-lns 2.2.2.2 encrypted secret +A2q4fv7h5tum1a06vc2wblk9l7k3ma98myremkew1552c2vosy2h1
peer-lns 3.3.3.3 encrypted secret +A16gnydsddbqqx3okh7ln6jrwxz3s3u3lzvzo5bz0ccc0ztr0cvsh
bind address 1.1.1.1
#exit
一个期望的工作情况是,如果其中一个上述选项为L2TP基于APN被配置,网关GPRS支持节点
信息包数据网络(PDN)网关(GGSN/PGW)使用IMSI或MSISDN PPP认证用L2TP网络服务器(LNS)。
选项运作得正如所料,万一没有用户设备提供的用户名(UE)。
ii
Friday April 07 2017
INBOUND>>>>> 09:57:08:270 Eventid:141004(3)
[PGW-S5/S2a/S2b]GTPv2C Rx PDU, from 213.151.233.172:35664 to 213.151.233.230:2123 (271)
TEID: 0x00000000, Message type: EGTP_CREATE_SESSION_REQUEST (0x20)
Sequence Number: 0x317962 (3242338)
GTP HEADER
Version number: 2
TEID flag: Present
Piggybacking flag: Not present
Message Length: 0x010B (267)
INFORMATION ELEMENTS
IMSI:
Type: 1 Length: 8 Inst: 0
Value: 231014450903030
Hex: 0100 0800 3201 4154 9030 30F0
MSISDN:
Type: 76 Length: 6 Inst: 0
Value: 421917667546
Hex: 4C00 0600 2491 7166 5764
MOBILE EQUIPMENT IDENTITY:
Type: 75 Length: 8 Inst: 0
Value: 3594050557927001
Hex: 4B00 0800 5349 5050 7529 0710
[…]
ACCESS POINT NAME:
Type: 71 Length: 38 Inst: 0
Value: ltpipsec.corp.test.mnc001.mcc231.gprs
Hex: 4700 2600 086C 7470 6970 7365 6304 636F
7270 0474 6573 7406 6D6E 6330 3031 066D
6363 3233 3104 6770 7273
SELECTION MODE:
Type: 128 Length: 1 Inst: 0
Value: MS provided APN,subscr not verified (0x01)
Hex: 8000 0100 01
PDN TYPE:
Type: 99 Length: 1 Inst: 0
Value: IPV4
Hex: 6300 0100 01
[…]
PCO:
Type: 78 Length: 32 Inst: 0
Container id: 0xC023 (PAP)
Container length: 0x06 (6)
Container content:
Auth-Req(0), Name=, Passwd=
Container id: 0x8021 (IPCP)
Container length: 0x10 (16)
Container content:
Conf-Req(0), Pri-DNS=0.0.0.0, Sec-DNS=0.0.0.0
Container id: 0x000D (IPv4-DNS-Server)
Container length: 0x00 (0)
Container content:
DNS Address: Request for IPv4 DNS Address allocation
Hex: 4E00 2000 80C0 2306 0100 0006 0000 8021
1001 0000 1081 0600 0000 0083 0600 0000
0000 0D00
[…]
Friday April 07 2017
<<<<OUTBOUND 09:57:08:295 Eventid:25001(0)
PPP Tx PDU (20)
PAP 20: Auth-Req(1), Name=421917667546, Passwd= <-- username is replaced with MSISDN as the APN is configured with “msisdn-auth”
如果有UE,提供的用户名选项不工作。在这种情况下, GGSN/PGW发送用户名和密码被配置在APN里面。
如果没有配置得什么都那里
Friday April 07 2017
INBOUND>>>>> 09:47:51:254 Eventid:141004(3)
[PGW-S5/S2a/S2b]GTPv2C Rx PDU, from 213.151.233.172:35824 to 213.151.233.230:2123 (279)
TEID: 0x00000000, Message type: EGTP_CREATE_SESSION_REQUEST (0x20)
Sequence Number: 0x5C4D6C (6049132)
GTP HEADER
Version number: 2
TEID flag: Present
Piggybacking flag: Not present
Message Length: 0x0113 (275)
INFORMATION ELEMENTS
IMSI:
Type: 1 Length: 8 Inst: 0
Value: 231014450903030
Hex: 0100 0800 3201 4154 9030 30F0
MSISDN:
Type: 76 Length: 6 Inst: 0
Value: 421917667546
Hex: 4C00 0600 2491 7166 5764
MOBILE EQUIPMENT IDENTITY:
Type: 75 Length: 8 Inst: 0
Value: 3594050557927001
Hex: 4B00 0800 5349 5050 7529 0710
[..]
PCO:
Type: 78 Length: 40 Inst: 0
Container id: 0xC023 (PAP)
Container length: 0x0E (14)
Container content:
Auth-Req(0), Name=null, Passwd=null
Container id: 0x8021 (IPCP)
Container length: 0x10 (16)
Container content:
Conf-Req(0), Pri-DNS=0.0.0.0, Sec-DNS=0.0.0.0
Container id: 0x000D (IPv4-DNS-Server)
Container length: 0x00 (0)
Container content:
DNS Address: Request for IPv4 DNS Address allocation
Hex: 4E00 2800 80C0 230E 0100 000E 046E 756C
6C04 6E75 6C6C 8021 1001 0000 1081 0600
0000 0083 0600 0000 0000 0D00
[…]
Friday April 07 2017
<<<<OUTBOUND 09:47:51:334 Eventid:25001(0)
PPP Tx PDU (16)
PAP 16: Auth-Req(1), Name=null, Passwd=null <-- username is the same as in the APN
观察行为根据设计被期望。
使用认证imsi-auth用户名小条apn prefer CHAPpco (或认证msisdnauth用户名小条apn prefer CHAPpco)配置,当没有进来协议配置选项(PCO)时的用户名。
这是优先级顺序网络访问标识符(NAI)建筑配置的:
- 如果outbound用户名<1-128字符string>被配置在APN里面,这在PAP/CHAP req改写其他配置/IE和被发送。
- 如果从UE被发送的UE发送PCO用户名/密码,被发送到在密码认证协议/挑战握手验证协议(PAP/CHAP) req的LNS。
- 如果用户名从UE没有被发送,默认情况下则msisdn/imsi@APN被发送作为在PAP/CHAP req的用户名。
- 进一步此CLI -认证msisdn/imsi-auth用户名小条apn可以用于剥离APN和发送仅msisdn/imsi在PAP/CHAP req。
请注意,万一认证由Radius完成(localy) IMSI (或MSISDN)在访问请求消息被发送正如所料。
在L2TP方案,如果认证由RADIUS完成(在LAC边),期望的用户名(IMSI或MSISDN)被看到在访问请求消息,但是不在往LNS的Auth Req。