Friday, 6 August 2010

Cisco ISG with comments

All actions are performed on

gw-regit#sh ver
Cisco IOS Software, 7200 Software (C7200P-ADVENTERPRISEK9-M), Version 12.2(33)SRE1, RELEASE SOFTWARE (fc2)

Configuring the L4 redirect.

Allow only port 80; this rule is needed for the L4 redirect to the billing system to work.

Extended IP access list 197 (Compiled)
10 permit tcp any any eq www
20 permit tcp any eq www any
30 deny ip any any

Create a classifier that defines which traffic should be redirected

class-map type traffic match-any CLASS-TO-REDIRECT
match access-group output 197
match access-group input 197

Create the server group for the redirect

redirect server-group REDIRECT_NOPAY
server ip [ip] port 80

RADIUS configuration

Define the RADIUS server we will work with

aaa group server radius ISG-RADIUS
server-private 10.255.15.6 auth-port 1812 acct-port 1813 key 7 бла-бла-бла
ip vrf forwarding v0:MANAG
ip radius source-interface Loopback0

In our case the server sits in VRF v0:MANAG. To avoid discrepancies when the NAS is specified in the
RADIUS server settings, we explicitly set the interface that packets are sent from. In our case it is

interface Loopback0
description description ---GRT:MAIN:MGMT---
ip vrf forwarding v0:MANAG
ip address 10.255.0.1 255.255.255.255

RADIUS server configuration is not covered here; in our case it is the Lanbilling agent lbarcd.

Next, configure AAA

aaa authorization subscriber-service default local group ISG-RADIUS
aaa authentication login ISG-AUTH-1 group ISG-RADIUS
aaa authorization network ISG-AUTH-1 group ISG-RADIUS
aaa accounting network ISG-AUTH-1 start-stop group ISG-RADIUS

For the ISG-AUTH-1 method lists we use the RADIUS server group ISG-RADIUS.
Don't forget to add

aaa accounting update periodic 1 jitter maximum 0
aaa accounting delay-start

so that interim update packets are sent.

The sending interval is defined on the RADIUS server in the service settings, but it cannot be less than 60 seconds.
For a 60-second interval add

Acct-Interim-Interval = 60

The line

aaa authorization subscriber-service default local group ISG-RADIUS

defines where services are looked up. In our case services can be defined both locally
and on the RADIUS server.

Creating services and policies

Create the definitions for the services LOCAL and INET500.
In LOCAL, the rate for acl 196 is limited to 10000000 bytes/s.
In INET500, the rate for acl 195 is limited to 500000 bytes/s.

Create access-lists 196 and 195

Extended IP access list 196 (Compiled)
50 permit ip any any

Extended IP access list 195 (Compiled)
5 permit ip [ip] 0.0.3.255 [ip] 0.0.3.255
10 permit ip [ip] 0.0.3.255 [ip] 0.0.3.255
15 permit ip [ip] 0.0.3.255 [ip] 0.0.3.255
20 permit ip [ip] 0.0.3.255 [ip] 0.0.3.255
50 deny ip any any

In them we define which networks fall under each service.

Next we begin creating the control policies.

This redirect policy is applied when the subscriber has problems :)
It is stored locally.

policy-map type service LOCAL_L4R
ip access-group 197 in
ip access-group 197 out
1 class type traffic CLASS-TO-REDIRECT
redirect to group REDIRECT_NOPAY
!
class type traffic default in-out
drop


For the next policy, create the required class-maps.

Unauthenticated clients will fall into this one.

class-map type control match-all ISG-IP-UNAUTH
match timer UNAUTH-TIMER
match authen-status unauthenticated

Create two control policies.
The first authorizes clients by IP address.

policy-map type control ISG-IP-POLICY
class type control ISG-IP-UNAUTH event timed-policy-expiry
1 service disconnect
!
class type control always event quota-depleted
1 set-param drop-traffic FALSE
!
class type control always event credit-exhausted
1 service-policy type service name LOCAL_L4R
!
class type control always event session-start
10 authorize aaa list ISG-AUTH-1 password cisco identifier source-ip-address
20 set-timer UNAUTH-TIMER 1
30 service-policy type service name LOCAL_L4R

The second authorizes them based on the interface.

policy-map type control ISG-INTERFACE-POLICY
class type control ISG-IP-UNAUTH event timed-policy-expiry
1 service disconnect
!
class type control always event session-start
10 authorize aaa list ISG-AUTH-1 password cisco identifier nas-port
20 set-timer UNAUTH-TIMER 1
30 service-policy type service name LOCAL_L4R
!
class type control always event session-restart
10 authorize aaa list ISG-AUTH-1 password cisco identifier nas-port
20 set-timer UNAUTH-TIMER 1
30 service-policy type service name LOCAL_L4R


Let's look at this in more detail.

1. class type control ISG-IP-UNAUTH event timed-policy-expiry
1 service disconnect
All IP sessions (flows) that fall into class ISG-IP-UNAUTH (that is, unauthorized ones) are torn down.

2. class type control always event quota-depleted
1 set-param drop-traffic FALSE
This rule defines the behaviour after the quota-depleted event (traffic limit exhausted): traffic is not dropped but continues to be routed. After credit-exhausted, however,

3. class type control always event credit-exhausted
1 service-policy type service name LOCAL_L4R
the redirect is performed.

4. class type control always event session-start
10 authorize aaa list ISG-AUTH-1 password cisco identifier source-ip-address
20 set-timer UNAUTH-TIMER 1
30 service-policy type service name LOCAL_L4R
Here we define the session initialization parameters:
1. authorization is performed using aaa list ISG-AUTH-1 by source-ip-address;
2. in case of failure, the UNAUTH-TIMER timer is set to one minute;
3. the LOCAL_L4R service is applied.

Example of creating services in RADIUS

Create a service for Internet traffic. Traffic is accounted by acl.
Send an accounting update every 180 seconds and disconnect after 600 seconds
of idle time. For accounting we use ISG-AUTH-1.

PREPAID_INTERNET Cleartext-Password := "cisco"
Cisco-AVPair += "ip:traffic-class=in access-group 196 priority 200",
Cisco-AVPair += "ip:traffic-class=out access-group 196 priority 200",
Cisco-AVPair += "ip:traffic-class=out default drop",
Cisco-AVPair += "ip:traffic-class=in default drop",
Acct-Interim-Interval = 180,
Idle-Timeout = "600",
Cisco-AVPair += "subscriber:accounting-list=ISG-AUTH-1"

Example service for local traffic: the traffic is not accounted, only rate-limited by acl.

LOCAL Cleartext-Password := "cisco"
Cisco-AVPair += "ip:traffic-class=in access-group 195",
Cisco-AVPair += "ip:traffic-class=in default drop",
Cisco-AVPair += "ip:traffic-class=out access-group 195",
Cisco-AVPair += "ip:traffic-class=out default drop",
Cisco-Service-Info += "QU;50000000;75000000;D;50000000;75000000"

Example of an unlimited Internet tariff with a 500000 bit/s policer. Traffic by acl. Traffic is counted every 30 minutes.

INET500 Cleartext-Password := "cisco"
Cisco-AVPair += "ip:traffic-class=in access-group 196",
Cisco-AVPair += "ip:traffic-class=in default drop",
Cisco-AVPair += "ip:traffic-class=out access-group 196",
Cisco-AVPair += "ip:traffic-class=out default drop",
Cisco-AVPair += "subscriber:accounting-list=ISG-AUTH-1",
Acct-Interim-Interval = 1800,
Cisco-Service-Info += "QU;500000;750000;D;500000;750000"


In ip:traffic-class settings, priority goes from higher to lower. For overlapping ACLs assign different priorities.
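The attributes above are plain strings that the ISG parses, so a typo is silently a different service. As an added example (not code from the post or from Cisco), the following Python parses the ip:traffic-class AVPair and the Cisco-Service-Info policer string, and lints a service for the priority rule just stated: two ACL classes in one direction that share a priority are reported, as are traffic-class attributes that are not in the form ISG expects (for instance written without the ip: prefix or with in/out spelled out). The LOCAL entry is copied from the users file on this page; the BROKEN entry and the checks themselves are constructed for the demonstration.

```python
"""Parse the ISG service attributes used above (ip:traffic-class AVPairs and the
Cisco-Service-Info policer string) and lint a service definition for the
mistakes the post warns about.  Added example, not code from the post."""
import re
from collections import defaultdict

TRAFFIC_CLASS = re.compile(
    r"^ip:traffic-class=(in|out) "
    r"(?:access-group (\S+)(?: priority (\d+))?|default (drop))$"
)


def parse_traffic_class(avpair):
    """Return {'dir', 'acl', 'priority'} or {'dir', 'default'}; None when the
    string is not a well-formed ISG traffic-class attribute."""
    m = TRAFFIC_CLASS.match(avpair)
    if not m:
        return None
    direction, acl, prio, default = m.groups()
    if default:
        return {"dir": direction, "default": default}
    return {"dir": direction, "acl": acl, "priority": int(prio) if prio else None}


def parse_service_info(value):
    """Cisco-Service-Info "QU;<rate>;<burst>;D;<rate>;<burst>": upstream (QU) and
    downstream (D) policer; the post gives the rates in bit/s."""
    f = value.split(";")
    if len(f) != 6 or f[0] != "QU" or f[3] != "D":
        raise ValueError(f"unexpected Cisco-Service-Info: {value!r}")
    return {"up": {"rate": int(f[1]), "burst": int(f[2])},
            "down": {"rate": int(f[4]), "burst": int(f[5])}}


def lint_service(avpairs, service_info=None):
    """Report malformed traffic-class attributes, two ACL classes in one direction
    that share a priority (the overlapping-ACL rule above), and a policer string
    the parser cannot read."""
    issues, classes = [], defaultdict(list)
    for av in avpairs:
        if "traffic-class=" not in av:
            continue          # other AVPairs (accounting-list, l4redirect) are not checked
        tc = parse_traffic_class(av)
        if tc is None:
            issues.append(f"malformed traffic-class attribute: {av!r}")
        elif "acl" in tc:
            classes[tc["dir"]].append(tc)
    for direction, entries in sorted(classes.items()):
        by_prio = defaultdict(set)
        for e in entries:
            by_prio[e["priority"]].add(e["acl"])
        for prio, acls in by_prio.items():
            if len(acls) > 1:
                issues.append(f"{direction}: ACLs {sorted(acls)} share priority {prio}")
    if service_info is not None:
        try:
            parse_service_info(service_info)
        except ValueError as exc:
            issues.append(str(exc))
    return issues


# Constructed inputs: LOCAL is copied from the users file above; BROKEN is made up
# to show two overlapping ACLs at one priority, an attribute written without the
# "ip:" prefix and with the direction spelled out, and a truncated policer string.
SERVICES = {
    "LOCAL": ([
        "ip:traffic-class=in access-group 195 priority 5",
        "ip:traffic-class=in default drop",
        "ip:traffic-class=out access-group 195 priority 5",
        "ip:traffic-class=out default drop",
    ], "QU;50000000;75000000;D;50000000;75000000"),
    "BROKEN": ([
        "ip:traffic-class=in access-group 195 priority 200",
        "ip:traffic-class=in access-group 196 priority 200",
        "traffic-class=output access-group 197",
    ], "QU;500000;750000"),
}

if __name__ == "__main__":
    for name, (avpairs, info) in SERVICES.items():
        print(name, lint_service(avpairs, info) or "ok")
```

Running it prints an empty issue list for LOCAL and three findings for BROKEN. Two ACL classes without any priority at all are reported as sharing priority None, which is the same situation the rule above describes.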


Configuring services locally on the ISG

Define the traffic classes

! Both class-maps were named LOCAL in the original listing; policy-map INET500
! below references a class INET500, and the ACL mapping (LOCAL = 195,
! INET500 = 196) follows the RADIUS service definitions on this page.
class-map type traffic match-any LOCAL
match access-group output 195
match access-group input 195

class-map type traffic match-any INET500
match access-group output 196
match access-group input 196

Create the services themselves

policy-map type service LOCAL
5 class type traffic LOCAL
!
class type traffic default in-out
drop
!
!
policy-map type service INET500
200 class type traffic INET500
accounting aaa list ISG-AUTH-1
!
class type traffic default in-out
drop


Configuring freeradius to work with ISG (strictly for testing only)

In /etc/raddb/radiusd.conf set the accounting port and the authentication port.
In /etc/raddb/clients.conf enter the NAS address and the shared secret.
In /etc/raddb/users create a test user and the services.


[ip] Cleartext-Password := "cisco"
Framed-IP-Address = [ip],
Framed-IP-Netmask = 255.255.255.255,
Cisco-Account-Info += "ALOCAL",
Cisco-Account-Info += "NLOCAL",
Cisco-Account-Info += "APREPAID_INTERNET"



INET500 Cleartext-Password := "cisco"
Cisco-AVPair += "ip:traffic-class=in access-group 196 priority 200",
Cisco-AVPair += "ip:traffic-class=in default drop",
Cisco-AVPair += "ip:traffic-class=out access-group 196 priority 200",
Cisco-AVPair += "ip:traffic-class=out default drop",
Cisco-AVPair += "subscriber:accounting-list=ISG-AUTH-1",
Acct-Interim-Interval = 1800,
Idle-Timeout = "600",
Cisco-Service-Info += "QU;500000;750000;D;500000;750000"

LOCAL Cleartext-Password := "cisco"
Cisco-AVPair += "ip:traffic-class=in access-group 195 priority 5",
Cisco-AVPair += "ip:traffic-class=in default drop",
Cisco-AVPair += "ip:traffic-class=out access-group 195 priority 5",
Cisco-AVPair += "ip:traffic-class=out default drop",
Cisco-Service-Info += "QU;50000000;75000000;D;50000000;75000000"

PREPAID_INTERNET Cleartext-Password := "cisco"
Cisco-AVPair += "ip:traffic-class=in access-group 196 priority 200",
Cisco-AVPair += "ip:traffic-class=out access-group 196 priority 200",
Cisco-AVPair += "ip:traffic-class=out default drop",
Cisco-AVPair += "ip:traffic-class=in default drop",
Acct-Interim-Interval = 180,
Idle-Timeout = "600",
Cisco-AVPair += "subscriber:accounting-list=ISG-AUTH-1"


Example of creating the redirect service on the RADIUS server.

SERVICE_L4R Cleartext-Password := "cisco"
Cisco-AVPair += "ip:l4redirect=redirect list 197 to group REDIRECT_NOPAY",
Cisco-AVPair += "ip:traffic-class=in access-group 197",
Cisco-AVPair += "ip:traffic-class=out access-group 197",
Cisco-AVPair += "ip:traffic-class=out default drop",
Cisco-AVPair += "ip:traffic-class=in default drop",
Idle-Timeout = "600"

Start it with sudo /usr/sbin/radiusd -X

Look at the logs

Ready to process requests.
rad_recv: Access-Request packet from host 10.255.0.1 port 1645, id=14, length=155
User-Name = "[ip]"
User-Password = "cisco"
Framed-IP-Address = [ip]
Cisco-Account-Info = "S[ip]"
NAS-Port-Type = Virtual
Cisco-NAS-Port = "0/0/3/1499"
NAS-Port = 0
NAS-Port-Id = "0/0/3/1499"
Service-Type = Dialout-Framed-User
NAS-IP-Address = 10.255.0.1
Acct-Session-Id = "0000000000002015"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "[ip]", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry [ip] at line 87
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "cisco"
[pap] Using clear text password "cisco"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 14 to 10.255.0.1 port 1645
Framed-IP-Address = [ip]
Framed-IP-Netmask = 255.255.255.255
Cisco-Account-Info += "ALOCAL"
Cisco-Account-Info += "NLOCAL"
Cisco-Account-Info += "APREPAID_INTERNET"
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.255.0.1 port 1645, id=15, length=128
User-Password = "cisco"
User-Name = "PREPAID_INTERNET"
NAS-Port-Type = Virtual
Cisco-NAS-Port = "0/0/3/1499"
NAS-Port = 0
NAS-Port-Id = "0/0/3/1499"
Service-Type = Dialout-Framed-User
NAS-IP-Address = 10.255.0.1
Acct-Session-Id = "0000000000002015"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "PREPAID_INTERNET", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry PREPAID_INTERNET at line 217
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "cisco"
[pap] Using clear text password "cisco"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 15 to 10.255.0.1 port 1645
Cisco-AVPair += "ip:traffic-class=in access-group 196 priority 200"
Cisco-AVPair += "ip:traffic-class=out access-group 196 priority 200"
Cisco-AVPair += "ip:traffic-class=out default drop"
Cisco-AVPair += "ip:traffic-class=in default drop"
Acct-Interim-Interval = 180
Idle-Timeout = 600
Cisco-AVPair += "subscriber:accounting-list=ISG-AUTH-1"
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.255.0.1 port 1645, id=16, length=117
User-Password = "cisco"
User-Name = "LOCAL"
NAS-Port-Type = Virtual
Cisco-NAS-Port = "0/0/3/1499"
NAS-Port = 0
NAS-Port-Id = "0/0/3/1499"
Service-Type = Dialout-Framed-User
NAS-IP-Address = 10.255.0.1
Acct-Session-Id = "0000000000002015"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "LOCAL", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry LOCAL at line 237
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "cisco"
[pap] Using clear text password "cisco"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 16 to 10.255.0.1 port 1645
Cisco-AVPair += "ip:traffic-class=in access-group 195 priority 5"
Cisco-AVPair += "ip:traffic-class=in default drop"
Cisco-AVPair += "ip:traffic-class=out access-group 195 priority 5"
Cisco-AVPair += "ip:traffic-class=out default drop"
Cisco-Service-Info += "QU;50000000;75000000;D;50000000;75000000"
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.255.0.1 port 1646, id=46, length=224
Acct-Session-Id = "0000000000002016"
Framed-Protocol = PPP
Cisco-Service-Info = "NPREPAID_INTERNET"
Cisco-AVPair = "parent-session-id=0000000000002015"
User-Name = "[ip]"
Acct-Status-Type = Start
Framed-IP-Address = [ip]
NAS-Port-Type = Virtual
Cisco-NAS-Port = "0/0/3/1499"
NAS-Port = 0
NAS-Port-Id = "0/0/3/1499"
Service-Type = Framed-User
NAS-IP-Address = 10.255.0.1
Event-Timestamp = "Jul 22 2010 15:07:10 NOVST"
NAS-Identifier = "bla-bla"
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 10.255.0.1,NAS-IP-Address = 10.255.0.1,Acct-Session-Id = "0000000000002016",User-Name = "[ip]"'
[acct_unique] Acct-Unique-Session-ID = "e14be63c61da7b4a".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "[ip]", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/10.255.0.1/detail-20100722
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/10.255.0.1/detail-20100722
[detail] expand: %t -> Thu Jul 22 15:07:10 2010
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> [ip]
++[radutmp] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> [ip]
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 46 to 10.255.0.1 port 1646
Finished request 12.
Cleaning up request 12 ID 46 with timestamp +908
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 9 ID 14 with timestamp +908
Cleaning up request 10 ID 15 with timestamp +908
Cleaning up request 11 ID 16 with timestamp +908
Ready to process requests.
rad_recv: Accounting-Request packet from host 10.255.0.1 port 1646, id=47, length=289
Acct-Session-Id = "0000000000002016"
Framed-Protocol = PPP
Cisco-Service-Info = "NPREPAID_INTERNET"
Cisco-AVPair = "parent-session-id=0000000000002015"
User-Name = "[ip]"
Cisco-Control-Info = "I0;361188"
Cisco-Control-Info = "O0;5173501"
Acct-Input-Packets = 9015
Acct-Output-Packets = 9037
Acct-Input-Octets = 361188
Acct-Output-Octets = 5173501
Acct-Session-Time = 197
Acct-Status-Type = Interim-Update
Framed-IP-Address = [ip]
NAS-Port-Type = Virtual
Cisco-NAS-Port = "0/0/3/1499"
NAS-Port = 0
NAS-Port-Id = "0/0/3/1499"
Service-Type = Framed-User
NAS-IP-Address = 10.255.0.1
Event-Timestamp = "Jul 22 2010 15:10:27 NOVST"
NAS-Identifier = "bla-bla"
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 10.255.0.1,NAS-IP-Address = 10.255.0.1,Acct-Session-Id = "0000000000002016",User-Name = "[ip]"'
[acct_unique] Acct-Unique-Session-ID = "e14be63c61da7b4a".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "[ip]", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/10.255.0.1/detail-20100722
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/10.255.0.1/detail-20100722
[detail] expand: %t -> Thu Jul 22 15:10:27 2010
++[detail] returns ok
++[unix] returns noop
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> [ip]
++[radutmp] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> [ip]
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 47 to 10.255.0.1 port 1646
Finished request 13.
Cleaning up request 13 ID 47 with timestamp +1105
Going to the next request
Ready to process requests.
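The transcript shows the pattern to check in every ISG test run: one Access-Request for the subscriber (answered with the Cisco-Account-Info list), one Access-Request per service named there, and then accounting records for child sessions whose parent-session-id points back at the subscriber's Acct-Session-Id. As an added example (not code from the post or from FreeRADIUS), the following Python turns a radiusd -X transcript into packets and reduces an accounting record to the fields a billing check needs, including whether the Cisco-Control-Info byte counters agree with the standard Acct-Input-Octets/Acct-Output-Octets. It applies equally to the interface-authorization transcript further down the page. The embedded transcript is a constructed sample in the same shape as the output above, with 192.0.2.10 standing in for the masked [ip]; reading the two Cisco-Control-Info fields as the upper and lower 32 bits of a byte count is an assumption, since the post only ever shows the first field as 0.

```python
"""Parse a FreeRADIUS `radiusd -X` transcript into packets and cross-check the
ISG accounting fields.  Added example, not code from the post; the transcript
below is a constructed sample in the same shape as the output above."""
import re
from dataclasses import dataclass, field

# Constructed sample; 192.0.2.10 stands in for the address the post masks as [ip].
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.255.0.1 port 1645, id=15, length=128
    User-Name = "PREPAID_INTERNET"
    Acct-Session-Id = "0000000000002015"
+- entering group authorize {...}
Found Auth-Type = PAP
Sending Access-Accept of id 15 to 10.255.0.1 port 1645
    Cisco-AVPair += "ip:traffic-class=in access-group 196 priority 200"
    Idle-Timeout = 600
Finished request 10.
rad_recv: Accounting-Request packet from host 10.255.0.1 port 1646, id=47, length=289
    Acct-Session-Id = "0000000000002016"
    Cisco-Service-Info = "NPREPAID_INTERNET"
    Cisco-AVPair = "parent-session-id=0000000000002015"
    User-Name = "192.0.2.10"
    Cisco-Control-Info = "I0;361188"
    Cisco-Control-Info = "O0;5173501"
    Acct-Input-Octets = 361188
    Acct-Output-Octets = 5173501
    Acct-Status-Type = Interim-Update
Sending Accounting-Response of id 47 to 10.255.0.1 port 1646
Finished request 13.
"""

HEADER = re.compile(r"^rad_recv: (\S+) packet from host \S+ port \d+, id=(\d+)")
REPLY = re.compile(r"^Sending (\S+) of id (\d+) to \S+ port \d+")
# Attribute lines are "Name op value"; module chatter such as
# "++[files] returns ok" or "Found Auth-Type = PAP" does not fit and is skipped.
ATTR = re.compile(r"^\s*([A-Za-z][\w-]*)\s*(\+=|:=|=)\s*(\S.*?)\s*$")


@dataclass
class Packet:
    kind: str                                    # Access-Request, Access-Accept, ...
    pkt_id: int
    attrs: list = field(default_factory=list)    # (name, op, value) in wire order

    def first(self, name):
        return next((v for n, _, v in self.attrs if n == name), None)

    def values(self, name):
        return [v for n, _, v in self.attrs if n == name]


def _coerce(raw):
    # Quoted text stays a string (keeps the leading zeros of session ids);
    # bare integers become ints.
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return int(raw) if raw.isdigit() else raw


def parse_transcript(text):
    packets, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line) or REPLY.match(line)
        if m:
            current = Packet(m.group(1), int(m.group(2)))
            packets.append(current)
        elif line.startswith("Finished request"):
            current = None
        elif current is not None and (m := ATTR.match(line)):
            current.attrs.append((m.group(1), m.group(2), _coerce(m.group(3))))
    return packets


def _control_octets(ctrl_values, direction):
    """Cisco-Control-Info "<I|O><hi>;<lo>", read here as a 64-bit byte count split
    into upper and lower 32 bits (an assumption; the post only shows hi == 0)."""
    for v in ctrl_values:
        if v.startswith(direction):
            hi, lo = v[1:].split(";")
            return (int(hi) << 32) + int(lo)
    return None


def summarize_accounting(pkt):
    """Reduce one Accounting-Request to what a billing check needs and flag any
    disagreement between the Cisco-Control-Info and Acct-*-Octets counters."""
    parent = next((a.split("=", 1)[1] for a in pkt.values("Cisco-AVPair")
                   if a.startswith("parent-session-id=")), None)
    svc = pkt.first("Cisco-Service-Info")
    ctrl = pkt.values("Cisco-Control-Info")
    in_octets, out_octets = pkt.first("Acct-Input-Octets"), pkt.first("Acct-Output-Octets")
    return {
        "session": pkt.first("Acct-Session-Id"),
        "parent": parent,                        # subscriber session this service belongs to
        "service": svc[1:] if svc else None,     # "N<name>": drop the ISG prefix letter
        "status": pkt.first("Acct-Status-Type"),
        "in_octets": in_octets,
        "out_octets": out_octets,
        "counters_agree": (_control_octets(ctrl, "I") == in_octets
                           and _control_octets(ctrl, "O") == out_octets),
    }
```

Feed it the full text of a radiusd -X session (for example `parse_transcript(open("radiusd.log").read())`), filter for `kind == "Accounting-Request"`, and group the summaries by `parent` to see every service session hanging off one subscriber session together with its byte counts.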


Look at the ISG

gw-regit#sh subscriber session detailed
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Unique Session ID: 19
Identifier:
SIP subscriber access type(s): Traffic-Class
Current SIP options: None
Session Up-time: 00:06:11, Last Changed: 00:06:11

Policy information:
Context 0E3F2C34: Handle 7B0009E1
AAA_id 000008FB: Flow_handle 1
Authentication status: unauthen
Downloaded User profile, including services:
traffic-class "in access-group 196 priority 200"
traffic-class "out access-group 196 priority 200"
traffic-class "out default drop"
traffic-class "in default drop"
idletime 600 (0x258)
accounting-list "ISG-AUTH-1"
Config history for session (recent to oldest):
Access-type: Web-service-logon Client: Service Command-Handler
Policy event: Service-Start (Service)
Profile name: PREPAID_INTERNET, 4 references
traffic-class "in access-group 196 priority 200"
traffic-class "out access-group 196 priority 200"
traffic-class "out default drop"
traffic-class "in default drop"
idletime 600 (0x258)
accounting-list "ISG-AUTH-1"

Session inbound features:
Feature: Service accounting
Service: PREPAID_INTERNET
Method List: ISG-AUTH-1
Packets = 9015, Bytes = 361188

Session outbound features:
Feature: IP Idle Timeout
Timeout value is 600
Idle time is 00:03:26
Feature: Service accounting
Service: PREPAID_INTERNET
Method List: ISG-AUTH-1
Packets = 9037, Bytes = 5173501

Configuration sources associated with this session:
Service: PREPAID_INTERNET, Active Time = 00:06:11

--------------------------------------------------
Unique Session ID: 21
Identifier:
SIP subscriber access type(s): Traffic-Class
Current SIP options: None
Session Up-time: 00:06:11, Last Changed: 00:06:11

Policy information:
Context 0E3F209C: Handle 990009E2
AAA_id 000008FB: Flow_handle 0
Authentication status: unauthen
Downloaded User profile, including services:
traffic-class "in access-group 195 priority 5"
traffic-class "in default drop"
traffic-class "out access-group 195 priority 5"
traffic-class "out default drop"
ssg-service-info "QU;50000000;75000000;D;50000000;75000000"
Config history for session (recent to oldest):
Access-type: Web-service-logon Client: Service Command-Handler
Policy event: Service-Start (Service)
Profile name: LOCAL, 4 references
traffic-class "in access-group 195 priority 5"
traffic-class "in default drop"
traffic-class "out access-group 195 priority 5"
traffic-class "out default drop"
ssg-service-info "QU;50000000;75000000;D;50000000;75000000"

Session inbound features:
Feature: Policing
Upstream Params:
Average rate = 50000000, Normal burst = 75000000, Excess burst = 0
Config level = Service Profile

Session outbound features:
Feature: Policing
Dnstream Params:
Average rate = 50000000, Normal burst = 75000000, Excess burst = 0
Config level = Service Profile

Configuration sources associated with this session:
Service: LOCAL, Active Time = 00:06:11

--------------------------------------------------
Unique Session ID: 18
Identifier: [ip]
SIP subscriber access type(s): IP
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 00:06:11, Last Changed: 00:06:11

Policy information:
Context 0E3F32D4: Handle FF0009E0
AAA_id 000008FB: Flow_handle 0
Authentication status: authen
Downloaded User profile, excluding services:
addr [ip]
route "[ip] 255.255.255.255"
netmask 255.255.255.255
ssg-account-info "ALOCAL"
ssg-account-info "NLOCAL"
ssg-account-info "APREPAID_INTERNET"
Downloaded User profile, including services:
addr [ip]
route "[ip] 255.255.255.255"
netmask 255.255.255.255
ssg-account-info "ALOCAL"
ssg-account-info "NLOCAL"
ssg-account-info "APREPAID_INTERNET"
idletime 600 (0x258)
accounting-list "ISG-AUTH-1"
traffic-class "in access-group 195 priority 5"
traffic-class "in default drop"
traffic-class "out access-group 195 priority 5"
traffic-class "out default drop"
ssg-service-info "QU;50000000;75000000;D;50000000;75000000"
Config history for session (recent to oldest):
Access-type: Web-service-logon Client: SM
Policy event: Apply Config Success (Service)
Profile name: LOCAL, 4 references
traffic-class "in access-group 195 priority 5"
traffic-class "in default drop"
traffic-class "out access-group 195 priority 5"
traffic-class "out default drop"
ssg-service-info "QU;50000000;75000000;D;50000000;75000000"
Access-type: Web-service-logon Client: SM
Policy event: Apply Config Success (Service)
Profile name: PREPAID_INTERNET, 4 references
traffic-class "in access-group 196 priority 200"
traffic-class "out access-group 196 priority 200"
traffic-class "out default drop"
traffic-class "in default drop"
idletime 600 (0x258)
accounting-list "ISG-AUTH-1"
Access-type: IP Client: SM
Policy event: Service Selection Request
Profile name: [ip], 2 references
addr [ip]
route "[ip] 255.255.255.255"
netmask 255.255.255.255
ssg-account-info "ALOCAL"
ssg-account-info "NLOCAL"
ssg-account-info "APREPAID_INTERNET"
Active services associated with session:
name "LOCAL"
name "PREPAID_INTERNET"
Rules, actions and conditions executed:
subscriber rule-map ISG-CUSTOMERS-POLICY
condition always event session-start
10 authorize aaa list ISG-AUTH-1 identifier source-ip-address

Session inbound features:
Traffic classes:
Traffic class session ID: 19
ACL Name: 196, Packets = 9015, Bytes = 361188
Traffic class session ID: 21
ACL Name: 195, Packets = 0, Bytes = 0
Default traffic is dropped
Unmatched Packets = 0, Re-classified packets (redirected) = 0

Session outbound features:
Traffic classes:
Traffic class session ID: 19
ACL Name: 196, Packets = 9037, Bytes = 5173501
Traffic class session ID: 21
ACL Name: 195, Packets = 0, Bytes = 0
Default traffic is dropped
Unmatched Packets = 0, Re-classified packets (redirected) = 0

Configuration sources associated with this session:
Service: LOCAL, Active Time = 00:06:11
Service: PREPAID_INTERNET, Active Time = 00:06:11
AAA Service ID = 2701131798
Interface: GigabitEthernet0/3.1499, Active Time = 00:06:11


Unfortunately, after the timer expires the session does not come back up.

Active services associated with session:
name "LOCAL"
Rules, actions and conditions executed:
subscriber rule-map ISG-IP-POLICY
condition always event session-start
10 authorize aaa list ISG-AUTH-1 identifier source-ip-address
subscriber rule-map default-internal-rule
condition always event idle-timeout
1 disconnect

Possibly an IOS bug, possibly not everything is configured.

Example of configuring session authorization by interface

policy-map type control ISG-INTERFACE-POLICY
class type control always event session-start
10 authorize aaa list ISG-AUTH-1 password cisco identifier nas-port
20 set-timer UNAUTH-TIMER 1
30 service-policy type service name LOCAL_L4R

interface GigabitEthernet0/3.1499
description --- ISG_TEST_Subscriber ---
encapsulation dot1Q 1499
ip address [ip] 255.255.255.248
service-policy type control ISG-INTERFACE-POLICY
ip subscriber interface

In RADIUS

rad_recv: Accounting-Request packet from host 10.255.0.1 port 1646, id=79, length=333
Acct-Session-Id = "0000000000002842"
Framed-Protocol = PPP
Cisco-Service-Info = "NPREPAID_INTERNET"
Cisco-AVPair = "parent-session-id=0000000000002841"
User-Name = "nas-port:10.255.0.1:0/0/3/1499"
Cisco-Control-Info = "I0;0"
Cisco-Control-Info = "O0;0"
Acct-Input-Packets = 0
Acct-Output-Packets = 0
Acct-Input-Octets = 0
Acct-Output-Octets = 0
Acct-Session-Time = 247
Acct-Terminate-Cause = Admin-Reset
Cisco-AVPair = "disc-cause-ext=Local Admin Disc"
Acct-Status-Type = Stop
NAS-Port-Type = Ethernet
Cisco-NAS-Port = "0/0/3/1499"
NAS-Port = 10305
NAS-Port-Id = "0/0/3/1499"
Service-Type = Framed-User
NAS-IP-Address = 10.255.0.1
Event-Timestamp = "Jul 29 2010 11:34:05 NOVST"
NAS-Identifier = "bla-bla"
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 10305,Client-IP-Address = 10.255.0.1,NAS-IP-Address = 10.255.0.1,Acct-Session-Id = "0000000000002842",User-Name = "nas-port:10.255.0.1:0/0/3/1499"'
[acct_unique] Acct-Unique-Session-ID = "b7405bd7c4f5ffca".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "nas-port:10.255.0.1:0/0/3/1499", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/10.255.0.1/detail-20100729
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/10.255.0.1/detail-20100729
[detail] expand: %t -> Thu Jul 29 11:34:05 2010
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> nas-port:10.255.0.1:0/0/3/1499
++[radutmp] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> nas-port:10.255.0.1:0/0/3/1499
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 79 to 10.255.0.1 port 1646
Finished request 0.
Cleaning up request 0 ID 79 with timestamp +3
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 10.255.0.1 port 1645, id=177, length=148
User-Name = "nas-port:10.255.0.1:0/0/3/1499"
User-Password = "cisco"
NAS-Port-Type = Ethernet
Cisco-NAS-Port = "0/0/3/1499"
NAS-Port = 10310
NAS-Port-Id = "0/0/3/1499"
Service-Type = Dialout-Framed-User
NAS-IP-Address = 10.255.0.1
Acct-Session-Id = "0000000000002846"
Event-Timestamp = "Jul 29 2010 11:34:05 NOVST"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "nas-port:10.255.0.1:0/0/3/1499", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry nas-port:10.255.0.1:0/0/3/1499 at line 95
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "cisco"
[pap] Using clear text password "cisco"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 177 to 10.255.0.1 port 1645
Framed-IP-Address = [ip]
Framed-IP-Netmask = 255.255.255.255
Cisco-Account-Info += "ALOCAL"
Cisco-Account-Info += "APREPAID_INTERNET"
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.255.0.1 port 1645, id=178, length=134
User-Password = "cisco"
User-Name = "PREPAID_INTERNET"
NAS-Port-Type = Ethernet
Cisco-NAS-Port = "0/0/3/1499"
NAS-Port = 10310
NAS-Port-Id = "0/0/3/1499"
Service-Type = Dialout-Framed-User
NAS-IP-Address = 10.255.0.1
Acct-Session-Id = "0000000000002846"
Event-Timestamp = "Jul 29 2010 11:34:05 NOVST"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "PREPAID_INTERNET", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry PREPAID_INTERNET at line 222
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "cisco"
[pap] Using clear text password "cisco"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 178 to 10.255.0.1 port 1645
Cisco-AVPair += "ip:traffic-class=in access-group 196 priority 200"
Cisco-AVPair += "ip:traffic-class=out access-group 196 priority 200"
Cisco-AVPair += "ip:traffic-class=out default drop"
Cisco-AVPair += "ip:traffic-class=in default drop"
Acct-Interim-Interval = 180
Idle-Timeout = 600
Cisco-AVPair += "subscriber:accounting-list=ISG-AUTH-1"
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.255.0.1 port 1645, id=179, length=123
User-Password = "cisco"
User-Name = "LOCAL"
NAS-Port-Type = Ethernet
Cisco-NAS-Port = "0/0/3/1499"
NAS-Port = 10310
NAS-Port-Id = "0/0/3/1499"
Service-Type = Dialout-Framed-User
NAS-IP-Address = 10.255.0.1
Acct-Session-Id = "0000000000002846"
Event-Timestamp = "Jul 29 2010 11:34:05 NOVST"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "LOCAL", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry LOCAL at line 242
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "cisco"
[pap] Using clear text password "cisco"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 179 to 10.255.0.1 port 1645
Cisco-AVPair += "ip:traffic-class=in access-group 195 priority 5"
Cisco-AVPair += "ip:traffic-class=in default drop"
Cisco-AVPair += "ip:traffic-class=out access-group 195 priority 5"
Cisco-AVPair += "ip:traffic-class=out default drop"
Cisco-Service-Info += "QU;50000000;75000000;D;50000000;75000000"
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.255.0.1 port 1646, id=80, length=234
Acct-Session-Id = "0000000000002847"
Framed-Protocol = PPP
Cisco-Service-Info = "NPREPAID_INTERNET"
Cisco-AVPair = "parent-session-id=0000000000002846"
User-Name = "nas-port:10.255.0.1:0/0/3/1499"
Acct-Status-Type = Start
NAS-Port-Type = Ethernet
Cisco-NAS-Port = "0/0/3/1499"
NAS-Port = 10310
NAS-Port-Id = "0/0/3/1499"
Service-Type = Framed-User
NAS-IP-Address = 10.255.0.1
Event-Timestamp = "Jul 29 2010 11:34:05 NOVST"
NAS-Identifier = "bla-bla"
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 10310,Client-IP-Address = 10.255.0.1,NAS-IP-Address = 10.255.0.1,Acct-Session-Id = "0000000000002847",User-Name = "nas-port:10.255.0.1:0/0/3/1499"'
[acct_unique] Acct-Unique-Session-ID = "6b97f5bd043f032f".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "nas-port:10.255.0.1:0/0/3/1499", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/10.255.0.1/detail-20100729
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/10.255.0.1/detail-20100729
[detail] expand: %t -> Thu Jul 29 11:34:05 2010
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> nas-port:10.255.0.1:0/0/3/1499
++[radutmp] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> nas-port:10.255.0.1:0/0/3/1499
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 80 to 10.255.0.1 port 1646
Finished request 4.
Cleaning up request 4 ID 80 with timestamp +3
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 177 with timestamp +3
Cleaning up request 2 ID 178 with timestamp +3
Cleaning up request 3 ID 179 with timestamp +3
Ready to process requests.


Subscriber profile

nas-port:10.255.0.1:0/0/3/1499 Cleartext-Password := "cisco"
Cisco-Account-Info += ALOCAL,
Cisco-Account-Info += APREPAID_INTERNET

On the ISG

gw-regit#sh subscriber session detailed
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Unique Session ID: 509
Identifier:
SIP subscriber access type(s): Traffic-Class
Current SIP options: None
Session Up-time: 00:01:09, Last Changed: 00:01:10

Policy information:
Context 0E3F2C34: Handle CA000F5A
AAA_id 00000C01: Flow_handle 1
Authentication status: unauthen
Downloaded User profile, including services:
traffic-class "in access-group 196 priority 200"
traffic-class "out access-group 196 priority 200"
traffic-class "out default drop"
traffic-class "in default drop"
idletime 600 (0x258)
accounting-list "ISG-AUTH-1"
Config history for session (recent to oldest):
Access-type: Web-service-logon Client: Service Command-Handler
Policy event: Service-Start (Service)
Profile name: PREPAID_INTERNET, 4 references
traffic-class "in access-group 196 priority 200"
traffic-class "out access-group 196 priority 200"
traffic-class "out default drop"
traffic-class "in default drop"
idletime 600 (0x258)
accounting-list "ISG-AUTH-1"

Session inbound features:
Feature: Service accounting
Service: PREPAID_INTERNET
Method List: ISG-AUTH-1
Packets = 0, Bytes = 0

Session outbound features:
Feature: IP Idle Timeout
Timeout value is 600
Idle time is 00:01:09
Feature: Service accounting
Service: PREPAID_INTERNET
Method List: ISG-AUTH-1
Packets = 0, Bytes = 0

Configuration sources associated with this session:
Service: PREPAID_INTERNET, Active Time = 00:01:09

--------------------------------------------------
Unique Session ID: 511
Identifier:
SIP subscriber access type(s): Traffic-Class
Current SIP options: None
Session Up-time: 00:01:09, Last Changed: 00:01:09

Policy information:
Context 0E3F209C: Handle 7F000F5B
AAA_id 00000C01: Flow_handle 0
Authentication status: unauthen
Downloaded User profile, including services:
traffic-class "in access-group 195 priority 5"
traffic-class "in default drop"
traffic-class "out access-group 195 priority 5"
traffic-class "out default drop"
ssg-service-info "QU;50000000;75000000;D;50000000;75000000"
Config history for session (recent to oldest):
Access-type: Web-service-logon Client: Service Command-Handler
Policy event: Service-Start (Service)
Profile name: LOCAL, 4 references
traffic-class "in access-group 195 priority 5"
traffic-class "in default drop"
traffic-class "out access-group 195 priority 5"
traffic-class "out default drop"
ssg-service-info "QU;50000000;75000000;D;50000000;75000000"

Session inbound features:
Feature: Policing
Upstream Params:
Average rate = 50000000, Normal burst = 75000000, Excess burst = 0
Config level = Service Profile

Session outbound features:
Feature: Policing
Dnstream Params:
Average rate = 50000000, Normal burst = 75000000, Excess burst = 0
Config level = Service Profile

Configuration sources associated with this session:
Service: LOCAL, Active Time = 00:01:09

--------------------------------------------------
Unique Session ID: 510
Identifier: nas-port:10.255.0.1:0/0/3/1499
SIP subscriber access type(s): IP-Interface
Current SIP options: None
Session Up-time: 00:01:10, Last Changed: 00:01:09
Interface: GigabitEthernet0/3.1499

Policy information:
Context 0E3F32D4: Handle E3000F59
AAA_id 00000C01: Flow_handle 0
Authentication status: authen
Downloaded User profile, excluding services:
addr [ip]
route "[ip] 255.255.255.255"
netmask 255.255.255.255
ssg-account-info "ALOCAL"
ssg-account-info "APREPAID_INTERNET"
Downloaded User profile, including services:
addr [ip]
route "[ip] 255.255.255.255"
netmask 255.255.255.255
ssg-account-info "ALOCAL"
ssg-account-info "APREPAID_INTERNET"
idletime 600 (0x258)
accounting-list "ISG-AUTH-1"
traffic-class "in access-group 195 priority 5"
traffic-class "in default drop"
traffic-class "out access-group 195 priority 5"
traffic-class "out default drop"
ssg-service-info "QU;50000000;75000000;D;50000000;75000000"
Config history for session (recent to oldest):
Access-type: Web-service-logon Client: SM
Policy event: Apply Config Success (Service)
Profile name: LOCAL, 4 references
traffic-class "in access-group 195 priority 5"
traffic-class "in default drop"
traffic-class "out access-group 195 priority 5"
traffic-class "out default drop"
ssg-service-info "QU;50000000;75000000;D;50000000;75000000"
Access-type: Web-service-logon Client: SM
Policy event: Apply Config Success (Service)
Profile name: PREPAID_INTERNET, 4 references
traffic-class "in access-group 196 priority 200"
traffic-class "out access-group 196 priority 200"
traffic-class "out default drop"
traffic-class "in default drop"
idletime 600 (0x258)
accounting-list "ISG-AUTH-1"
Access-type: IP-Interface Client: SM
Policy event: Service Selection Request
Profile name: nas-port:10.255.0.1:0/0/3/1499, 2 references
addr [ip]
route "[ip] 255.255.255.255"
netmask 255.255.255.255
ssg-account-info "ALOCAL"
ssg-account-info "APREPAID_INTERNET"
Active services associated with session:
name "LOCAL"
name "PREPAID_INTERNET"
Rules, actions and conditions executed:
subscriber rule-map ISG-INTERFACE-POLICY
condition always event session-start
10 authorize aaa list ISG-AUTH-1 identifier nas-port

Session inbound features:
Traffic classes:
Traffic class session ID: 509
ACL Name: 196, Packets = 0, Bytes = 0
Traffic class session ID: 511
ACL Name: 195, Packets = 0, Bytes = 0
Default traffic is dropped
Unmatched Packets = 0, Re-classified packets (redirected) = 0

Session outbound features:
Traffic classes:
Traffic class session ID: 509
ACL Name: 196, Packets = 0, Bytes = 0
Traffic class session ID: 511
ACL Name: 195, Packets = 0, Bytes = 0
Default traffic is dropped
Unmatched Packets = 0, Re-classified packets (redirected) = 0

Non-datapath features:
Feature: IP Config
Peer IP Address: [ip] (F/F)
Address Pool: [None] (F)
Unnumbered Intf: [None]
Feature: Static Routes

Configuration sources associated with this session:
Service: LOCAL, Active Time = 00:01:10
Service: PREPAID_INTERNET, Active Time = 00:01:10
AAA Service ID = 2919235614
Interface: GigabitEthernet0/3.1499, Active Time = 00:01:10
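As an added example (not code from this post or from Cisco), the Python below parses the ip:traffic-class AVPairs and the Cisco-Service-Info QoS string that the RADIUS server returned for the LOCAL service above into the per-direction traffic-class and policing view that sh subscriber session shows, so a pushed profile can be checked against what the ISG should apply. The field order rate;normal-burst[;excess-burst] and "Excess burst = 0" when the field is omitted are assumptions inferred from the output in this post.

```python
import re

# One AVPair is either "access-group <acl> priority <n>" or "default <action>" per direction.
TRAFFIC_CLASS_RE = re.compile(
    r"^ip:traffic-class=(?P<dir>in|out) "
    r"(?:access-group (?P<acl>\S+) priority (?P<prio>\d+)|default (?P<default>\w+))$"
)

def parse_traffic_class(avpair):
    """Turn one ip:traffic-class AVPair into a dict; reject anything unrecognised."""
    m = TRAFFIC_CLASS_RE.match(avpair)
    if not m:
        raise ValueError(f"not a traffic-class AVPair: {avpair!r}")
    d = m.groupdict()
    if d["default"]:
        return {"dir": d["dir"], "default": d["default"]}
    return {"dir": d["dir"], "acl": d["acl"], "priority": int(d["prio"])}

def parse_service_info_qos(info):
    """Parse 'QU;rate;normal-burst[;excess];D;rate;normal-burst[;excess]' per direction."""
    # Assumption: QU/U introduce upstream fields, D/QD downstream; a missing excess burst is 0.
    result, current = {}, None
    for tok in info.split(";"):
        if tok in ("QU", "U", "QD", "D"):
            current = "upstream" if tok.endswith("U") else "downstream"
            result[current] = []
        elif current is None or not tok.isdigit():
            raise ValueError(f"unexpected token {tok!r} in {info!r}")
        else:
            result[current].append(int(tok))
    if not result:
        raise ValueError(f"not a QoS service-info string: {info!r}")
    out = {}
    for direction, nums in result.items():
        if len(nums) not in (2, 3):
            raise ValueError(f"{direction}: expected rate;normal-burst[;excess-burst], got {nums}")
        rate, normal, excess = (nums + [0])[:3]
        out[direction] = {"average_rate": rate, "normal_burst": normal, "excess_burst": excess}
    return out

def session_features(avpairs, service_info):
    """Group traffic classes per direction and attach policing, as the session display does."""
    view = {d: {"classes": [], "default": None} for d in ("in", "out")}
    for tc in map(parse_traffic_class, avpairs):
        if "default" in tc:
            view[tc["dir"]]["default"] = tc["default"]
        else:
            view[tc["dir"]]["classes"].append((tc["acl"], tc["priority"]))
    qos = parse_service_info_qos(service_info)  # inbound = upstream, outbound = downstream
    view["in"]["policing"], view["out"]["policing"] = qos.get("upstream"), qos.get("downstream")
    return view
```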


Setting up reception of CoA packets from the RADIUS server

aaa server radius dynamic-author
client 10.255.15.6 vrf v0:MANAG server-key 7 01100F1758040F1C26

The first line specifies that RFC 3576 is to be used.
The second defines the client's details.

Joint configuration of IP Unnumbered + DHCP + ISG


Required parameters on the ISG for relaying DHCP with option 82 to the DHCP server.
enable DHCP
service dhcp
enable option 82 support
ip dhcp relay information option
keep the information that arrived
ip dhcp relay information policy keep
disable validation of the relayed information, that is beneath us
no ip dhcp relay information check
do not drop packets that already contain option 82
ip dhcp relay information trust-all
And on the interface, enable forwarding of DHCP packets to the specified DHCP server
ip helper-address vrf v0:MANAG 10.255.15.5
Optional parameters
do not use VRF information for address allocation
no ip dhcp use vrf connected
after how many seconds to kill the binding
ip dhcp binding cleanup interval 600

Naturally, the DHCP requests arriving at the ISG must carry option 82. On an Edge-Core ES3526 switch (likewise on the ES3528M) this looks as follows
enable snooping
ip dhcp snooping
specify which VLANs to work with
ip dhcp snooping vlan 1498
add option 82
ip dhcp snooping information option
specify what to use as the agent id
ip dhcp snooping information option remote-id ip-address
do not verify MAC addresses
no ip dhcp snooping verify mac-address
keep option 82 information if it is present
ip dhcp snooping information policy keep

And allow reception of DHCP packets on the interface with
ip dhcp snooping trust
on the uplink port.

After this we will see
on the Cisco 7201
gw-regit#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
[ip] 000e.08dd.b2bf Aug 03 2010 02:09 PM Relay
on the ES3526
Lenina-3-0#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
----------------- --------------- ---------- -------------------- ---- ---------
00-0e-08-dd-b2-bf [ip] 282 dhcp-snooping 1498 Eth 1/16

If a subscriber connected via ip unnumbered craves a static address without DHCP, a route will have to be configured

gw-regit(config)#ip route [ip] 255.255.255.255 gigabitEthernet 0/3.1499
