瞭解身份驗證imsi-auth |用於企業L2TP APN的msisdn-auth配置

簡介

本檔案介紹使用authentication imsi-auth或authentication msisdn-auth設定企業L2TP APN的預期結果。

問題：msisdn-auth和imsi-auth APN組態選項對基於L2TP的APN有特定（非明顯）結果

正式檔案（第19版）指出：

imsi-auth — 將APN配置為嘗試根據使用者的國際移動使用者識別(IMSI)號碼對使用者進行身份驗證。

msisdn-auth - 按照本命令的「使用」部分所述，將APN配置為嘗試根據使用者的Mobile Station International Integrated Services Digital Network(MSISDN)號碼對使用者進行身份驗證。

配置示例：

apn ecs-apn
 ims-auth-service IMSA
 dns primary 192.168.1.128
 dns secondary 192.168.1.129
 ip access-group CSS_ACL in
 ip access-group CSS_ACL out
 authentication imsi-auth username-strip-apn prefer-chap-pco <<<<<<<<<<<<<<<<<<<<<<<<<<<
 ip context-name Gi
 tunnel l2tp peer-address 2.2.2.2 encrypted secret +A3oxne9nnyqmuz16dddqucwcqz92p2hi4t8z21nx3hmmpcgvh4ida preference 1 <<<<<<<<<<<<<<<<<<<<<<<<<<<
 tunnel l2tp peer-address 3.3.3.3 encrypted secret +A2dbz9joxajmv80jxmr5aycl1ka2s6nzmu7s2bte3nnz4o2hgkqxn preference 2 <<<<<<<<<<<<<<<<<<<<<<<<<<<
 loadbalance-tunnel-peers prioritized <<<<<<<<<<<<<<<<<<<<<<<<<<<
 exit

lac-service LAC-SVC <<<<<<<<<<<<<<<<<<<<<<<<<<<
 max-retransmission 1
 retransmission-timeout-max 1
 load-balancing prioritized
 allow aaa-assigned-hostname
 keepalive-interval 30
 peer-lns 2.2.2.2 encrypted secret +A2q4fv7h5tum1a06vc2wblk9l7k3ma98myremkew1552c2vosy2h1
 peer-lns 3.3.3.3 encrypted secret +A16gnydsddbqqx3okh7ln6jrwxz3s3u3lzvzo5bz0ccc0ztr0cvsh
 bind address 1.1.1.1
 #exit

預期行為是，如果為基於L2TP的APN配置了上述選項之一，則網關GPRS支援節點/

如果使用者裝置(UE)未提供使用者名稱，則此選項按預期方式工作。

 二

Friday April 07 2017

INBOUND>>>>>  09:57:08:270 Eventid:141004(3)
[PGW-S5/S2a/S2b]GTPv2C Rx PDU, from 213.151.233.172:35664 to 213.151.233.230:2123 (271)
TEID: 0x00000000, Message type: EGTP_CREATE_SESSION_REQUEST (0x20)
Sequence Number: 0x317962 (3242338)

GTP HEADER
        Version number: 2
        TEID flag: Present
        Piggybacking flag: Not present
        Message Length: 0x010B (267)


INFORMATION ELEMENTS

        IMSI:
            Type: 1  Length: 8  Inst: 0
            Value: 231014450903030
            Hex: 0100 0800 3201 4154 9030 30F0 

        MSISDN:
            Type: 76  Length: 6  Inst: 0
            Value: 421917667546
        Hex: 4C00 0600 2491 7166 5764



        MOBILE EQUIPMENT IDENTITY:
            Type: 75  Length: 8  Inst: 0
            Value: 3594050557927001
            Hex: 4B00 0800 5349 5050 7529 0710



[…]

        ACCESS POINT NAME:
            Type: 71  Length: 38  Inst: 0
            Value: ltpipsec.corp.test.mnc001.mcc231.gprs
            Hex: 4700 2600 086C 7470 6970 7365 6304 636F
                 7270 0474 6573 7406 6D6E 6330 3031 066D
                 6363 3233 3104 6770 7273



        SELECTION MODE:

            Type: 128  Length: 1  Inst: 0
            Value: MS provided APN,subscr not verified (0x01)
            Hex: 8000 0100 01



        PDN TYPE:
            Type: 99  Length: 1  Inst: 0
            Value: IPV4
            Hex: 6300 0100 01 

[…]

        PCO:
            Type: 78  Length: 32  Inst: 0
            Container id: 0xC023 (PAP)
            Container length: 0x06 (6)
            Container content:
                 Auth-Req(0), Name=, Passwd=
            Container id: 0x8021 (IPCP)
            Container length: 0x10 (16)
            Container content:
                 Conf-Req(0), Pri-DNS=0.0.0.0, Sec-DNS=0.0.0.0
            Container id: 0x000D (IPv4-DNS-Server)
            Container length: 0x00 (0)
            Container content:
                DNS Address: Request for IPv4 DNS Address allocation
            Hex: 4E00 2000 80C0 2306 0100 0006 0000 8021
                 1001 0000 1081 0600 0000 0083 0600 0000
                 0000 0D00

[…]

Friday April 07 2017
<<<<OUTBOUND  09:57:08:295 Eventid:25001(0)
PPP Tx PDU (20)
PAP 20:          Auth-Req(1), Name=421917667546, Passwd=   <-- username is replaced with MSISDN as the APN is configured with “msisdn-auth”

如果UE提供了使用者名稱，則此選項不起作用。在這種情況下，GGSN/PGW會傳送在APN中配置的使用者名稱和密碼。
如果沒有配置任何內容

Friday April 07 2017
INBOUND>>>>> 09:47:51:254 Eventid:141004(3)
[PGW-S5/S2a/S2b]GTPv2C Rx PDU, from 213.151.233.172:35824 to 213.151.233.230:2123 (279)
TEID: 0x00000000, Message type: EGTP_CREATE_SESSION_REQUEST (0x20)
Sequence Number: 0x5C4D6C (6049132)
GTP HEADER
 Version number: 2
 TEID flag: Present
 Piggybacking flag: Not present
 Message Length: 0x0113 (275)

INFORMATION ELEMENTS
 IMSI:
 Type: 1 Length: 8 Inst: 0
 Value: 231014450903030
 Hex: 0100 0800 3201 4154 9030 30F0

MSISDN:
 Type: 76 Length: 6 Inst: 0
 Value: 421917667546
 Hex: 4C00 0600 2491 7166 5764

MOBILE EQUIPMENT IDENTITY:
 Type: 75 Length: 8 Inst: 0
 Value: 3594050557927001
 Hex: 4B00 0800 5349 5050 7529 0710


[..]

PCO:
 Type: 78 Length: 40 Inst: 0
 Container id: 0xC023 (PAP)
 Container length: 0x0E (14)
 Container content:
 Auth-Req(0), Name=null, Passwd=null
 Container id: 0x8021 (IPCP)
 Container length: 0x10 (16)
 Container content:
 Conf-Req(0), Pri-DNS=0.0.0.0, Sec-DNS=0.0.0.0
 Container id: 0x000D (IPv4-DNS-Server)
 Container length: 0x00 (0)
 Container content:
 DNS Address: Request for IPv4 DNS Address allocation
 Hex: 4E00 2800 80C0 230E 0100 000E 046E 756C
 6C04 6E75 6C6C 8021 1001 0000 1081 0600
 0000 0083 0600 0000 0000 0D00

[…]

Friday April 07 2017
<<<<OUTBOUND 09:47:51:334 Eventid:25001(0)
PPP Tx PDU (16)
PAP 16: Auth-Req(1), Name=null, Passwd=null <-- username is the same as in the APN

解決方案

根據設計需要觀察行為。

如果沒有傳入協定配置選項(PCO)使用者名稱，則會使用authentication imsi-auth username-strip-apn prefer-chap-pco(或authentication msisdn-auth username-strip-apn prefer-chap-pco)配置。

這是網路存取識別碼(NAI)建構組態的優先順序：

1. 如果在APN中配置了出站使用者名稱<1-128 char string>，這將覆蓋所有其他配置/IE，並在PAP/CHAP請求中傳送。
   
   
2. 如果UE傳送它從UE傳送的PCO使用者名稱/密碼，則在密碼身份驗證協定/質詢握手身份驗證協定(PAP/CHAP)請求中將其傳送到LNS。
   
   
3. 如果沒有從UE傳送使用者名稱，則預設情況下在PAP/CHAP請求中將msisdn/imsi@APN作為使用者名稱傳送。 
   
   
4. 此外，此CLI - authentication msisdn/imsi-auth username-strip-apn可用於剝離APN並僅傳送PAP/CHAP請求中的msisdn/imsi。

請注意，如果驗證是由Radius（本地）完成，則會按預期在Access-Request訊息中傳送IMSI（或MSISDN）。

在L2TP的案例中，如果驗證是由RADIUS完成（在LAC端），則預期使用者名稱（IMSI或MSISDN）會在存取要求訊息中看到，但不會在針對LNS的授權要求中看到。