Wednesday, August 8, 2012

Adventures with CISCO AS-5350 [Integration with RADIUS Server for AAA of calls]

Continuing from the last blog post on setting up a remote syslog server for CISCO devices, in this writeup I will share the configuration I used to integrate the CISCO universal gateway with my FreeRADIUS server for AAA of calls made from a specific dial-peer.


Define the RADIUS server:

!
radius-server host 192.168.137.85 auth-port 1812 acct-port 1813 key 0 radius-pa$$w0rd
radius-server vsa send accounting
radius-server vsa send authentication
!

Bind SIP services on the public interface of the CISCO AS:

!
voice service voip
 sip
  bind control source-interface FastEthernet0/0
  bind media source-interface FastEthernet0/0
  header-passing
  registrar server
!


Set AAA options:

!
aaa new-model
!aaa accounting connection voip start-stop group radius
aaa dnis map enable
!
aaa preauth
 group radius
 clid required
 dnis required
!
aaa session-id common


Create a voice class for AAA:

!
voice class aaa 2
 authentication method voip
 authorization method voip
 accounting method voip
 accounting template out-bound
!
[OPTIONAL] Create a codec class:

!
voice class codec 1
 codec preference 1 g711alaw
 codec preference 2 g711ulaw
 codec preference 3 g723ar53
 codec preference 4 g729br8
!



Creating a dial-peer:

!
dial-peer voice 10 voip
 destination-pattern [0-9].%
 voice-class aaa 2
 voice-class codec 1
 voice-class sip url sip
 session protocol sipv2
 session target ipv4:192.168.137.87
 session transport udp
!




Where 192.168.137.87 is the IP address of my Kamailio server, which will receive the calls.

"destination-pattern [0-9].%" will match dialed numbers of any length.
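To see what this pattern actually admits, here is an added Python example (not from the original post or from Cisco) that translates the subset of destination-pattern syntax used on this page into a regular expression and tests dialed strings against it. The keypad characters a single "." placeholder may stand for and the requirement that the whole dialed string matches are simplifying assumptions; it does not model how IOS chooses between several matching dial-peers or the "T" timeout.

```python
import re

# Added example, not from the original post or from Cisco: translate the subset of
# dial-peer destination-pattern syntax used on this page into a Python regex.
# Assumptions: a "." placeholder matches one of the characters in ANY_DIGIT, and a
# dialed string must match the whole pattern. Dial-peer selection among several
# matching patterns and "T" timeout behaviour are not modelled.

ANY_DIGIT = "[0-9A-D*#]"   # assumption: keypad characters a "." may stand for


def pattern_to_regex(pattern: str) -> str:
    """Translate destination-pattern syntax to a regular expression.

    .   one digit placeholder          %   zero or more of the preceding element
    +   one or more of the preceding   ?   zero or one of the preceding
    []  character range (kept)         ()  grouping (kept)
    ^ $ anchors (kept)                 T   inter-digit timeout marker (dropped)
    Any other character is taken as a literal digit.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == ".":
            out.append(ANY_DIGIT)
        elif ch == "%":
            out.append("*")
        elif ch in "+?^$()":
            out.append(ch)
        elif ch == "[":
            # copy the range through its closing bracket unchanged
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])
            i = j
        elif ch == "T":
            pass
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)


def matches(pattern: str, dialed: str) -> bool:
    """True when the whole dialed string is admitted by the pattern."""
    return re.fullmatch(pattern_to_regex(pattern), dialed) is not None


if __name__ == "__main__":
    # "[0-9].%" as used on dial-peer 10: a leading digit, then anything of any length
    for dialed in ["1", "00441234567890", "1#", "", "#123"]:
        print(f"{dialed!r:>18} -> {matches('[0-9].%', dialed)}")
```

Running it shows why such a broad pattern deserves the AAA class attached to it: any string that starts with a digit is routed to the Kamailio server, so the RADIUS preauthentication and accounting are the only per-call controls on this dial-peer.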

Send CDRs to the Accounting Server:
To enable voice accounting so that accounting packets are generated automatically, enter the gw-accounting aaa command in global configuration mode. Use the callhistory-detail accounting template to send all VSAs (default and new) to the accounting server:

!
gw-accounting aaa
 acct-template callhistory-detail
!
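The accounting records produced by these settings travel as RADIUS Accounting-Request packets whose Cisco-specific fields are carried in Vendor-Specific attributes (which is what "radius-server vsa send accounting" above turns on). The following Python code is an added example, not code from the original post, Cisco or FreeRADIUS: it builds a constructed Stop record, decodes it, and verifies the Request Authenticator that ties every record to the shared secret configured with radius-server host. The NAS address, session id and attribute contents are constructed sample values; the h323-style name=value strings are carried here inside cisco-avpair (vendor type 1) for simplicity, whereas the gateway uses dedicated Cisco vendor types for them.

```python
import hashlib
import hmac
import socket
import struct

# Added example, not code from the original post, Cisco or FreeRADIUS. Builds and
# decodes a RADIUS Accounting-Request (RFC 2866) carrying Cisco vendor-specific
# attributes, and checks its Request Authenticator. All values below are constructed
# samples; the NAS address and session id are not from the post.

ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_START, ACCT_STOP = 1, 2
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1      # Cisco vendor-type carrying "name=value" strings


def attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_vsa(vendor_type: int, text: str) -> bytes:
    """Vendor-Specific attribute: Vendor-Id(4) then Vendor-Type(1) Vendor-Length(1) String."""
    payload = text.encode()
    inner = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_acct_request(ident: int, secret: bytes, attrs: bytes) -> bytes:
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_acct_request(pkt: bytes, secret: bytes) -> bool:
    """Recompute the authenticator; a mismatch means a wrong secret or a modified packet."""
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def parse_packet(pkt: bytes) -> dict:
    """Decode header and attributes, expanding Cisco VSAs into (vendor, type, text) tuples."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("RADIUS length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = pkt[pos + 2:pos + l]
        if t == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            attrs.append(("vsa", vendor, vtype, value[6:4 + vlen].decode(errors="replace")))
        else:
            attrs.append(("attr", t, value))
        pos += l
    return {"code": code, "id": ident, "attrs": attrs}


def cisco_avpairs(parsed: dict) -> dict:
    """Collect cisco-avpair 'name=value' strings into a dict."""
    pairs = {}
    for a in parsed["attrs"]:
        if a[0] == "vsa" and a[1] == CISCO_VENDOR_ID and a[2] == CISCO_AVPAIR and "=" in a[3]:
            name, _, val = a[3].partition("=")
            pairs[name] = val
    return pairs


def sample_stop_record(secret: bytes = b"radius-pa$$w0rd") -> bytes:
    """Constructed Stop record for a call through dial-peer 10 (sample values only)."""
    attrs = b"".join([
        attr(ATTR_USER_NAME, b"1001"),
        attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton("192.168.137.1")),   # constructed gateway address
        attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP)),
        attr(ATTR_ACCT_SESSION_ID, b"0000001A"),
        cisco_vsa(CISCO_AVPAIR, "h323-call-origin=originate"),
        cisco_vsa(CISCO_AVPAIR, "h323-disconnect-cause=10"),
    ])
    return build_acct_request(0x2A, secret, attrs)


if __name__ == "__main__":
    pkt = sample_stop_record()
    print("authenticator ok:", verify_acct_request(pkt, b"radius-pa$$w0rd"))
    print(cisco_avpairs(parse_packet(pkt)))
```

The authenticator check is what lets the accounting server discard records that were not produced with the shared secret from the radius-server host line; FreeRADIUS does this itself, the code only makes the computation visible. Note that it gives integrity against a wrong or missing secret, not confidentiality: the CDR contents travel in the clear, which is one more reason to keep the RADIUS exchange on a management network.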


[OPTIONAL] Set SIP-UA parameters:

!
sip-ua
 registrar ipv4:192.168.137.87 expires 3600
 sip-server ipv4:192.168.137.87
!

I think that's pretty much it. Now calls matching dial-peer 10 will send AAA info to the RADIUS server.


Reference URLs:
[1] http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide_chapter09186a00800b5de9.html#1028579
[2] http://docwiki.cisco.com/wiki/Cisco_IOS_Voice_Troubleshooting_and_Monitoring_--_AAA_for_Voice_Troubleshooting
[3] http://www.cisco.com/en/US/docs/ios/12_2t/12_2t11/feature/guide/ft_trg.html#wp1077327
[4] http://www.cisco.com/en/US/docs/ios/12_3/security/configuration/guide/scgrdat3.html

And some 5 or 6 PDF manuals/books from CISCO, around 1200 pages!

Adventures with CISCO AS-5350 [Setting up remote Log server]

This is not really an adventure but more of a dream: to be at least as good with CISCO VoIP as I am with open-source VoIP projects. So I keep practicing CISCO stuff on GNS3, so that I am ready if someday I am given the opportunity to work full-time with these devices.

I was cleaning my drives for space and found something useful to share from my experience with the CISCO AS-5350, a universal gateway supporting T1/E1 configurations that provides universal port data, voice, and fax services on any port at any time.

So before deleting it, I wanted to share it here so it could be useful not just for me but for anyone who might be interested.

This post is about setting up a remote syslog server for our CISCO devices. In a network environment, all logs should be sent to a secure remote logging server; this is essential for analysing what happened on a particular device.

This is the version info of the CISCO device:

Cisco IOS Software, 5350 Software (C5350-JS-M), Version 12.4(18), RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 12.2(1r)1, RELEASE SOFTWARE (fc1)
BOOTLDR: 5350 Software (C5350-BOOT-M), Version 12.2(2)XB2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
System image file is "flash:c5350-js-mz.124-18.bin"


Setting up Remote Logs:

I've set the device to send everything to a remote log server and record everything that happens, from logins to commands executed.

!
service timestamps debug datetime msec
service timestamps log datetime msec
!
login on-failure log
login on-success log
!
archive
 log config
  logging enable
  notify syslog
!
logging history debugging
logging trap debugging
logging facility local6
logging 192.168.137.6
!
no logging buffered
no logging console
!

Where 192.168.137.6 is the remote syslog server. Make sure the rsyslog server is configured properly; my /etc/default/rsyslog contains this line:

RSYSLOGD_OPTIONS="-c2 -r514"

A quick look at "netstat -pln" shows rsyslogd listening on UDP 514:

root@debian:~# netstat -pln | grep 514
udp   0  0 0.0.0.0:514      0.0.0.0:*     31026/rsyslogd
root@debian:~#

and in /etc/rsyslog.conf I have this line, which writes everything from facility local6 to a dedicated file:

local6.*             -/var/log/cisco/as5350.log

### Back to CISCO ###

An excerpt from the CISCO pages on configuration change notifications and logging [1]:

Only complete commands that result in the invocation of action routines are logged. The following types of entries are not logged:

Commands that result in a syntax error message

Partial commands that invoke the router help system

For each configuration command that is executed, the following information is logged:

The command that was executed

The configuration mode in which the command was executed

The name of the user that executed the command

The time at which the command was executed

A configuration change sequence number

Parser return codes for the command
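With the above in place, /var/log/cisco/as5350.log collects login results and every executed configuration command, which is only useful if somebody reads it. The Python below is an added example (not part of the original post) that parses such lines and summarises them: failed logins per source address, sources that logged in successfully after repeated failures, the configuration commands each user executed, and any command that switches off logging on the device. The sample lines are constructed for this example; they follow the usual IOS "%FACILITY-SEVERITY-MNEMONIC: text" layout as rsyslog writes it, and the exact wording on a given IOS release should be checked against real output.

```python
import re
from collections import Counter, defaultdict

# Added example, not part of the original post. Parses CISCO syslog lines as rsyslog
# writes them to the local6 file and summarises logins and configuration changes.
# SAMPLE_LINES are constructed for this example (device address 192.168.137.1, the
# client addresses and the user names are made up); the message layout
# "%FACILITY-SEVERITY-MNEMONIC: text" is the usual IOS form, and the exact wording
# should be checked against real device output.

SAMPLE_LINES = [
    "Aug  8 10:12:32 192.168.137.1 45: *Aug  8 10:12:32.901: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.137.20] [localport: 23] [Reason: Login Authentication Failed] at 10:12:32 UTC Wed Aug 8 2012",
    "Aug  8 10:12:36 192.168.137.1 46: *Aug  8 10:12:36.114: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.137.20] [localport: 23] [Reason: Login Authentication Failed] at 10:12:36 UTC Wed Aug 8 2012",
    "Aug  8 10:12:39 192.168.137.1 47: *Aug  8 10:12:39.502: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.168.137.20] [localport: 23] [Reason: Login Authentication Failed] at 10:12:39 UTC Wed Aug 8 2012",
    "Aug  8 10:12:45 192.168.137.1 48: *Aug  8 10:12:45.003: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.137.20] [localport: 23] at 10:12:45 UTC Wed Aug 8 2012",
    "Aug  8 10:13:01 192.168.137.1 49: *Aug  8 10:13:01.220: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.137.20)",
    "Aug  8 10:13:05 192.168.137.1 50: *Aug  8 10:13:05.731: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging buffered",
    "Aug  8 10:13:09 192.168.137.1 51: *Aug  8 10:13:09.118: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging 192.168.137.6",
    "Aug  8 10:20:00 192.168.137.1 52: *Aug  8 10:20:00.009: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 192.168.137.30] [localport: 22] at 10:20:00 UTC Wed Aug 8 2012",
]

MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
FIELD_RE = re.compile(r"\[(?P<key>[A-Za-z ]+): (?P<val>[^\]]*)\]")
CFGLOG_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")


def parse_line(line: str):
    """Return facility, severity, mnemonic, text and any [key: value] fields, or None."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["severity"] = int(ev["severity"])
    ev["fields"] = {k.strip().lower(): v for k, v in FIELD_RE.findall(ev["text"])}
    c = CFGLOG_RE.search(ev["text"])
    if ev["mnemonic"] == "CFGLOG_LOGGEDCMD" and c is not None:
        ev["user"] = c.group("user")
        ev["command"] = c.group("cmd").strip()
    return ev


def summarize(lines, fail_threshold: int = 3) -> dict:
    """Aggregate login outcomes and configuration commands over a batch of log lines."""
    failures = Counter()              # failed logins per source address
    suspicious = set()                # sources that succeeded after reaching the threshold
    commands = defaultdict(list)      # executed configuration commands per user
    logging_changes = []              # commands that switch off logging on the device
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["fields"].get("source", "?")
        if ev["mnemonic"] == "LOGIN_FAILED":
            failures[src] += 1
        elif ev["mnemonic"] == "LOGIN_SUCCESS":
            if failures[src] >= fail_threshold:
                suspicious.add(src)
        elif ev["mnemonic"] == "CFGLOG_LOGGEDCMD" and "command" in ev:
            commands[ev["user"]].append(ev["command"])
            if ev["command"].startswith("no logging"):
                logging_changes.append((ev["user"], ev["command"]))
    return {
        "failures": dict(failures),
        "success_after_failures": sorted(suspicious),
        "commands": dict(commands),
        "logging_changes": logging_changes,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

The "no logging ..." check is the one worth keeping even if the rest is replaced by a proper SIEM rule: because "notify syslog" ships each command as it is executed, the line that disables remote logging is itself the last thing the collector receives from that session, and the collector is the only place where that fact survives.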

That concludes this post.

After those CLI commands, a router or other CISCO device should be able to send logs to the remote logging server. Make sure that at least the log port (UDP 514 in my case) is reachable between the CISCO device and the syslog server.

In the next post I will share the configuration for integration with a RADIUS server for AAA of calls, or even of incoming SIP registrations.

References:

Tuesday, August 7, 2012

FreeSWITCH, making calls via web-browser [using mod_rtmp]


Finally back to blogging after a long time, continuing from the FreeSWITCH stuff. I learned about the RTMP module, which lets us connect to the FreeSWITCH server from a web browser and make calls just like any other softphone.

This is wonderful: I don't need to install any softphone or anything, just open up my FS server's RTMP phone page, log in using my SIP credentials and, once authenticated, make calls. Simple!

In order to get it working I went back to the FreeSWITCH source directory and just compiled the rtmp module. Learn more about the FreeSWITCH RTMP module from this link.

root@FS_HA1#cd /usr/src/freeswitch
root@FS_HA1#make mod_rtmp && make mod_rtmp install

Once compiled and installed successfully, enable the rtmp module so that FreeSWITCH loads it automatically.

root@FS_HA1#cd /usr/local/freeswitch/conf/autoload_configs/
root@FS_HA1#vim modules.conf.xml

Uncomment the line by removing the "<!--" and "-->":

<load module="mod_rtmp"/>

Save and exit from the file after uncommenting.

Go to the FreeSWITCH console:

root@FS_HA1#fs_cli

Since my FreeSWITCH was already running, to load the RTMP module I either need to restart the FreeSWITCH server or just load the module from the console, like this:

freeswitch@internal> load mod_rtmp

It will print lots of output lines on the console. Once loaded successfully, edit the module settings to your liking:

root@FS_HA1#cd /usr/local/freeswitch/conf/autoload_configs/
root@FS_HA1#vim rtmp.conf.xml

I didn't need to change anything, so I simply reviewed the rtmp.conf.xml file and exited.

Now, time to copy the web-phone from the source directory to the web root:

root@FS_HA1#cd /usr/src/freeswitch/clients/
root@FS_HA1#cp -rf flex/ /var/www/html/

Now we need to edit the HTML file and change one small thing there:

root@FS_HA1#vim /var/www/html/flex/freeswitch.html

We need to change the rtmp url to that of our server's public IP:

var flashvars = {
      rtmp_url: 'rtmp://193.195.196.193/phone'
};


Save and exit, then open your browser and enter this URL:

http://193.195.196.193/flex/freeswitch.html

You'll see a sample dialer. Log in using your SIP credentials and, if asked to allow the browser to use your webcam/microphone/speaker, accept it.

After a successful login you should be able to make calls, provided the context your user is assigned to is configured accordingly.