了解认证imsi-auth|公司L2TP APNs的msisdnauth配置

Introduction

本文描述配置公司L2TP的预期结果APNs用认证imsi-auth或认证msisdnauth。

问题：msisdnauth和imsi-auth APN配置选项有L2TP基于APNs的一个Speciffic (非明显)结果

正式文档(版本19)状态：

imsi-auth -配置APN尝试验证根据他们的国际便携用户标识(IMSI)编号的订户。

msisdnauth -配置APN尝试验证根据他们的便携位置国际综合业务数字网络(MSISDN)编号的订户正如此命令的使用方法部分所描述。

示例配置：

apn ecs-apn
 ims-auth-service IMSA
 dns primary 192.168.1.128
 dns secondary 192.168.1.129
 ip access-group CSS_ACL in
 ip access-group CSS_ACL out
 authentication imsi-auth username-strip-apn prefer-chap-pco <<<<<<<<<<<<<<<<<<<<<<<<<<<
 ip context-name Gi
 tunnel l2tp peer-address 2.2.2.2 encrypted secret +A3oxne9nnyqmuz16dddqucwcqz92p2hi4t8z21nx3hmmpcgvh4ida preference 1 <<<<<<<<<<<<<<<<<<<<<<<<<<<
 tunnel l2tp peer-address 3.3.3.3 encrypted secret +A2dbz9joxajmv80jxmr5aycl1ka2s6nzmu7s2bte3nnz4o2hgkqxn preference 2 <<<<<<<<<<<<<<<<<<<<<<<<<<<
 loadbalance-tunnel-peers prioritized <<<<<<<<<<<<<<<<<<<<<<<<<<<
 exit

lac-service LAC-SVC <<<<<<<<<<<<<<<<<<<<<<<<<<<
 max-retransmission 1
 retransmission-timeout-max 1
 load-balancing prioritized
 allow aaa-assigned-hostname
 keepalive-interval 30
 peer-lns 2.2.2.2 encrypted secret +A2q4fv7h5tum1a06vc2wblk9l7k3ma98myremkew1552c2vosy2h1
 peer-lns 3.3.3.3 encrypted secret +A16gnydsddbqqx3okh7ln6jrwxz3s3u3lzvzo5bz0ccc0ztr0cvsh
 bind address 1.1.1.1
 #exit

一个期望的工作情况是，如果其中一个上述选项为L2TP基于APN被配置，网关GPRS支持节点

选项运作得正如所料，万一没有用户设备提供的用户名(UE)。

 ii

Friday April 07 2017

INBOUND>>>>>  09:57:08:270 Eventid:141004(3)
[PGW-S5/S2a/S2b]GTPv2C Rx PDU, from 213.151.233.172:35664 to 213.151.233.230:2123 (271)
TEID: 0x00000000, Message type: EGTP_CREATE_SESSION_REQUEST (0x20)
Sequence Number: 0x317962 (3242338)

GTP HEADER
        Version number: 2
        TEID flag: Present
        Piggybacking flag: Not present
        Message Length: 0x010B (267)


INFORMATION ELEMENTS

        IMSI:
            Type: 1  Length: 8  Inst: 0
            Value: 231014450903030
            Hex: 0100 0800 3201 4154 9030 30F0 

        MSISDN:
            Type: 76  Length: 6  Inst: 0
            Value: 421917667546
        Hex: 4C00 0600 2491 7166 5764



        MOBILE EQUIPMENT IDENTITY:
            Type: 75  Length: 8  Inst: 0
            Value: 3594050557927001
            Hex: 4B00 0800 5349 5050 7529 0710



[…]

        ACCESS POINT NAME:
            Type: 71  Length: 38  Inst: 0
            Value: ltpipsec.corp.test.mnc001.mcc231.gprs
            Hex: 4700 2600 086C 7470 6970 7365 6304 636F
                 7270 0474 6573 7406 6D6E 6330 3031 066D
                 6363 3233 3104 6770 7273



        SELECTION MODE:

            Type: 128  Length: 1  Inst: 0
            Value: MS provided APN,subscr not verified (0x01)
            Hex: 8000 0100 01



        PDN TYPE:
            Type: 99  Length: 1  Inst: 0
            Value: IPV4
            Hex: 6300 0100 01 

[…]

        PCO:
            Type: 78  Length: 32  Inst: 0
            Container id: 0xC023 (PAP)
            Container length: 0x06 (6)
            Container content:
                 Auth-Req(0), Name=, Passwd=
            Container id: 0x8021 (IPCP)
            Container length: 0x10 (16)
            Container content:
                 Conf-Req(0), Pri-DNS=0.0.0.0, Sec-DNS=0.0.0.0
            Container id: 0x000D (IPv4-DNS-Server)
            Container length: 0x00 (0)
            Container content:
                DNS Address: Request for IPv4 DNS Address allocation
            Hex: 4E00 2000 80C0 2306 0100 0006 0000 8021
                 1001 0000 1081 0600 0000 0083 0600 0000
                 0000 0D00

[…]

Friday April 07 2017
<<<<OUTBOUND  09:57:08:295 Eventid:25001(0)
PPP Tx PDU (20)
PAP 20:          Auth-Req(1), Name=421917667546, Passwd=   <-- username is replaced with MSISDN as the APN is configured with “msisdn-auth”

如果有UE，提供的用户名选项不工作。在这种情况下， GGSN/PGW发送用户名和密码被配置在APN里面。
如果没有配置得什么都那里

Friday April 07 2017
INBOUND>>>>> 09:47:51:254 Eventid:141004(3)
[PGW-S5/S2a/S2b]GTPv2C Rx PDU, from 213.151.233.172:35824 to 213.151.233.230:2123 (279)
TEID: 0x00000000, Message type: EGTP_CREATE_SESSION_REQUEST (0x20)
Sequence Number: 0x5C4D6C (6049132)
GTP HEADER
 Version number: 2
 TEID flag: Present
 Piggybacking flag: Not present
 Message Length: 0x0113 (275)

INFORMATION ELEMENTS
 IMSI:
 Type: 1 Length: 8 Inst: 0
 Value: 231014450903030
 Hex: 0100 0800 3201 4154 9030 30F0

MSISDN:
 Type: 76 Length: 6 Inst: 0
 Value: 421917667546
 Hex: 4C00 0600 2491 7166 5764

MOBILE EQUIPMENT IDENTITY:
 Type: 75 Length: 8 Inst: 0
 Value: 3594050557927001
 Hex: 4B00 0800 5349 5050 7529 0710


[..]

PCO:
 Type: 78 Length: 40 Inst: 0
 Container id: 0xC023 (PAP)
 Container length: 0x0E (14)
 Container content:
 Auth-Req(0), Name=null, Passwd=null
 Container id: 0x8021 (IPCP)
 Container length: 0x10 (16)
 Container content:
 Conf-Req(0), Pri-DNS=0.0.0.0, Sec-DNS=0.0.0.0
 Container id: 0x000D (IPv4-DNS-Server)
 Container length: 0x00 (0)
 Container content:
 DNS Address: Request for IPv4 DNS Address allocation
 Hex: 4E00 2800 80C0 230E 0100 000E 046E 756C
 6C04 6E75 6C6C 8021 1001 0000 1081 0600
 0000 0083 0600 0000 0000 0D00

[…]

Friday April 07 2017
<<<<OUTBOUND 09:47:51:334 Eventid:25001(0)
PPP Tx PDU (16)
PAP 16: Auth-Req(1), Name=null, Passwd=null <-- username is the same as in the APN

解决方案

观察行为根据设计被期望。

使用认证imsi-auth用户名小条apn prefer CHAPpco (或认证msisdnauth用户名小条apn prefer CHAPpco)配置，当没有进来协议配置选项(PCO)时的用户名。

这是优先级顺序网络访问标识符(NAI)建筑配置的：

1. 如果outbound用户名<1-128字符string>被配置在APN里面，这在PAP/CHAP req改写其他配置/IE和被发送。
   
   
2. 如果从UE被发送的UE发送PCO用户名/密码，被发送到在密码认证协议/挑战握手验证协议(PAP/CHAP) req的LNS。
   
   
3. 如果用户名从UE没有被发送，默认情况下则msisdn/imsi@APN被发送作为在PAP/CHAP req的用户名。 
   
   
4. 进一步此CLI -认证msisdn/imsi-auth用户名小条apn可以用于剥离APN和发送仅msisdn/imsi在PAP/CHAP req。

请注意，万一认证由Radius完成(localy) IMSI (或MSISDN)在访问请求消息被发送正如所料。

在L2TP方案，如果认证由RADIUS完成(在LAC边)，期望的用户名(IMSI或MSISDN)被看到在访问请求消息，但是不在往LNS的Auth Req。