
Cisco ASR1001 ISG: authorization problems

Dear Cisco folks, please help if you are willing.

When moving from a Cisco 7201 with an ancient IOS 12 to an ASR1001 with an IOS that is current as of today (the config carried over practically one-to-one), we ran into a biiig problem.

Users with a positive balance in billing get authorized only on the 2nd or 3rd attempt!!! (each following attempt comes after 3 minutes have passed, see class type control SUBSCRIBER-NETWORKS event access-reject

5 set-timer UNAUTH-TIMER 3)

BUT!!! It should not be like this!! And it was not like this on the 7201 with the old IOS (greetings to those who love upgrading): users passed authorization instantly.

Our priceless subscribers get nervous every day when they see the "no money" page via the redirect.... and our chief admin just throws up his hands.....

Please help, whoever can.

Here is the almost complete config.

ISG_ASR1#show running-config
Building configuration...

Current configuration : 18101 bytes
!
! Last configuration change at 11:11:41 MSK Thu Jul 23 2015 by
! NVRAM config last updated at 11:12:26 MSK Thu Jul 23 2015 by
!
version 15.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no platform punt-keepalive disable-kernel-core
!
hostname ISG_ASR1
!
boot-start-marker
boot system flash bootflash:asr1001-universalk9.03.13.02.S.154-3.S2-ext.bin
boot system flash bootflash:asr1001-universal.03.05.01.S.152-1.S1.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
no logging console
!
aaa new-model
!
!
aaa group server radius ISG-RADIUS
server 192.168.130.3 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login ISG-AUTH-1 group ISG-RADIUS
aaa authentication login CONS none
aaa authentication enable default none
aaa authentication ppp ISG-RADIUS group ISG-RADIUS
aaa authorization exec default local
aaa authorization network ISG-AUTH-1 group ISG-RADIUS
aaa authorization subscriber-service default local group ISG-RADIUS
aaa accounting update newinfo periodic 1
aaa accounting network ISG-AUTH-1
action-type start-stop
group ISG-RADIUS
!
aaa accounting network ISG-RADIUS
action-type start-stop
group ISG-RADIUS
!
!
!
!
!
aaa server radius dynamic-author
client 192.168.130.3 server-key 7 xxxxx234234234xxxx
auth-type any
!
aaa session-id common
clock timezone MSK 0 0
no ip source-route
ip icmp rate-limit unreachable DF 2000
!
!
!
!
!
!
!
!
!


ip domain name kit.ru
ip name-server 185.100.22.22

ip dhcp relay information option
ip dhcp relay information policy keep
no ip dhcp relay information check
ip dhcp relay information trust-all
!
!
!
!
!
!
!
!
!
!
subscriber templating
service-policy type control ISG-CUSTOMERS-POLICY
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
license udi pid ASR1001 sn JAE162101MK
license accept end user agreement
license boot level adventerprise
file prompt quiet
spanning-tree extend system-id
!
username root privilege 15
!
redundancy
mode none
redirect server-group REDIRECT_NOPAY
server ip 22.77.44.4 port 80
!
!
!
!
!
!
!
ip tftp source-interface GigabitEthernet0
no ip rcmd domain-lookup
ip rcmd rsh-enable
ip rcmd remote-host bill_adm 11 root enable
ip rcmd remote-host root 192.168.130.16 root enable
ip rcmd remote-host root 192.168.130.16 www-data enable
class-map type traffic match-any CLASS-BILLING-DOWN
match access-group input name ACL-BILLING-DOWN
match access-group output name ACL-BILLING-DOWN
!
class-map type traffic match-any CLASS-TO-REDIRECT
match access-group input 100
!
class-map type traffic match-any CLASS-TRUSTED
match access-group input 198
!
class-map type control match-any SUBSCRIBER-NETWORKS
match source-ip-address один.0 255.255.255.0
match source-ip-address два.0 255.255.252.0
match source-ip-address три.0 255.255.254.0
match source-ip-address четыре.0 255.255.252.0
!
class-map type control match-all ISG-IP-UNAUTH
match authen-status unauthenticated
match timer UNAUTH-TIMER
!
policy-map type service LOCAL_L4R
1 class type traffic CLASS-TO-REDIRECT
redirect to group REDIRECT_NOPAY
!
class type traffic default input
drop
!
!
policy-map type service SERVICE-TRUSTED
1 class type traffic CLASS-TRUSTED
police input 64000 8000 16000
police output 64000 8000 16000
!
class type traffic default input
drop
!
!
policy-map type service allow_for_unauthen
1 class type traffic CLASS-TRUSTED
police input 512000
police output 512000
!
class type traffic default input
drop
!
!
policy-map type service SERVICE-BILLING-DOWN
class type traffic CLASS-BILLING-DOWN
timeout absolute 1800
police input 10000000
police output 10000000
!
class type traffic default input
drop
!
!
policy-map type control ISG-CUSTOMERS-POLICY
class type control ISG-IP-UNAUTH event timed-policy-expiry
1 service disconnect
!
class type control SUBSCRIBER-NETWORKS event session-start
10 authorize aaa list ISG-AUTH-1 password ISG identifier source-ip-address
!
class type control SUBSCRIBER-NETWORKS event access-reject
5 set-timer UNAUTH-TIMER 3
10 service-policy type service name SERVICE-TRUSTED
20 service-policy type service name LOCAL_L4R
!
class type control SUBSCRIBER-NETWORKS event radius-timeout
5 set-timer UNAUTH-TIMER 3
10 service-policy type service name SERVICE-BILLING-DOWN
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel2
description ===SUBSCRIBERS-MAIN===
no ip address
no negotiation auto
!
interface Port-channel2.10
description OSPF
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.252
!
interface Port-channel2.130
description VLAN130
encapsulation dot1Q 130
ip address 192.168.130.1 255.255.255.0
ip nat inside
ip access-group 199 in
!
interface Port-channel2.144
description GPON_144
encapsulation dot1Q 144
ip address 185.100.144.1 255.255.255.0
ip helper-address cisco_ip
ip verify unicast source reachable-via any
ip access-group 180 out
service-policy type control ISG-CUSTOMERS-POLICY
ip subscriber routed
initiator unclassified ip-address

........
about thirty more like this
........

!
interface GigabitEthernet0/0/0
description MEGA
no ip address
negotiation auto
!
interface GigabitEthernet0/0/0.911
description MEGA_911_TRANK
encapsulation dot1Q 911
ip address 888.999.333.111 255.255.255.252
ip nat outside
!
interface GigabitEthernet0/0/1
description MEGA_Line1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/2
description MEGA_Line2
no ip address
negotiation auto
channel-group 2
!
interface GigabitEthernet0/0/3
no ip address
negotiation auto
channel-group 2
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
router bgp 77777
bgp router-id 66.77.111.1
bgp log-neighbor-changes
neighbor MEGA peer-group
neighbor MEGA remote-as #mega_AS
neighbor 88.44.44.44 peer-group MEGA
neighbor 88.44.44.44 description MegaFon
!
address-family ipv4
network один.0 mask 255.255.255.0
network два.0 mask 255.255.252.0
network три.0 mask 255.255.252.0
network четыре.0 mask 255.255.252.0
redistribute connected
neighbor MEGA send-community
neighbor MEGA prefix-list PR-TO-MEGA out
neighbor MEGA route-map MAP-FROM-MEGA in
neighbor MEGA route-map MAP-TO-MEGA out
neighbor 88.54.44.44 activate
exit-address-family
!
ip forward-protocol nd
!
ip bgp-community new-format
ip as-path access-list 8 permit 43
ip as-path access-list 8 permit ^12
ip as-path access-list 8 permit ^1
ip as-path access-list 8 permit 34
ip as-path access-list 8 permit ^1
ip as-path access-list 8 permit ^12
ip as-path access-list 8 permit ^12
ip as-path access-list 8 permit ^12
ip as-path access-list 8 permit ^12
ip as-path access-list 8 permit ^1
ip as-path access-list 8 permit ^12
ip as-path access-list 8 permit ^123
ip as-path access-list 8 permit ^123
ip as-path access-list 8 permit ^123
ip as-path access-list 8 permit ^12
ip as-path access-list 8 deny _57
ip as-path access-list 8 permit ^12
no ip http server
no ip http secure-server
ip route 66.77.140.0 255.255.255.0 Null0 254
ip route 88.44.212.0 255.255.252.0 Null0 254
ip route 88.44.212.244 255.255.255.252 81.4.212.243
ip route 88.44.214.80 255.255.255.252 81.4.214.79
ip route 88.44.214.84 255.255.255.252 81.4.214.78
ip route 88.44.222.0 255.255.254.0 Null0 254
ip route 172.16.28.0 255.255.252.0 10.10.10.2 // OSPF interface on L3
ip route 88.44.24.0 255.255.252.0 Null0 254
!
ip access-list extended ACL-BILLING-DOWN
permit ip any any
!
!
ip prefix-list PR-TO-MEGA seq 10 permit один.0/24
ip prefix-list PR-TO-MEGA seq 20 permit два.0/22
ip prefix-list PR-TO-MEGA seq 30 permit три.0/22
ip prefix-list PR-TO-MEGA seq 40 permit четыре.0/22
access-list 11 permit 192.168.130.3 // billing IP
access-list 11 deny any
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any eq www any
access-list 180 permit tcp host ип_один один 0.0.3.255 eq www
access-list 180 permit tcp host ип_два один 0.0.3.255 eq www
.....................
access-list 180 permit tcp any any
access-list 180 permit ip any any
access-list 197 permit tcp any eq www any
access-list 197 deny ip any any
access-list 198 permit udp any any eq domain
access-list 198 permit udp any eq domain any
access-list 198 permit icmp any any
access-list 198 permit tcp any host 213.180.204.10
access-list 198 permit tcp host 213.180.204.10 any
access-list 198 permit tcp any host 91.200.28.169
access-list 198 permit tcp host 91.200.28.169 any
access-list 198 permit tcp any host 91.209.85.201
access-list 198 permit tcp host 91.209.85.201 any
access-list 198 permit tcp any 194.54.14.0 0.0.0.255
access-list 198 permit tcp 194.54.14.0 0.0.0.255 any
access-list 198 permit tcp any host 195.225.39.52
access-list 198 permit tcp host 195.225.39.52 any
access-list 198 permit tcp any host 212.118.48.43
access-list 198 permit tcp host 212.118.48.43 any
access-list 198 permit tcp any host 213.180.204.32
access-list 198 permit tcp host 213.180.204.32 any
access-list 198 permit tcp any host 216.136.151.51
access-list 198 permit tcp host 216.136.151.51 any
access-list 198 permit tcp any host 93.190.87.221
access-list 198 permit tcp host 93.190.87.221 any
access-list 198 permit tcp any host 109.235.163.229
access-list 198 permit tcp host 109.235.163.229 any
access-list 198 permit tcp any host 80.93.62.195
access-list 198 permit tcp host 80.93.62.195 any
access-list 198 deny ip any any
access-list 199 permit ip 192.168.130.0 0.0.0.255 192.168.130.0 0.0.0.255
access-list 199 deny ip any any
!
route-map MAP-FROM-MEGA permit 9
set local-preference 109
!
route-map MAP-TO-MEGA permit 10
!
snmp-server community sssssssss RW
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 44 extend-with-addr
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 31 mac format unformatted
radius-server host 192.168.130.3 auth-port 1812 acct-port 1813 key 7 3333333333333333333
radius-server vsa send cisco-nas-port
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
privilege level 15
transport input telnet
!
ntp master 5
ntp server 
ntp server 
!
end

ISG_ASR1# 


Well, you need to look at the RADIUS log and see what it is answering there.


Well, you need to look at the RADIUS log and see what it is answering there.

From billing, I take it?


Set the timeout for RADIUS higher. Your RADIUS is probably choking.


Well, you need to look at the RADIUS log and see what it is answering there.

From billing, I take it?

From anywhere, really.

You can debug on the Cisco:

debug radius

You can sniff with tcpdump on the server:

tcpdump -s0 -nnvvi eth0 udp and host cisco_asr

You can look with the billing system's own tools, if it allows that.


I am only on formal terms with Cisco :)

So if you just tell me what to press, I will show the result.

Authorization is by IP.

Here is sh log (after debug radius):

ISG_ASR1#sh log

Syslog logging: enabled (0 messages dropped, 253 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

 

No Active Message Discriminator.

 

 

 

No Inactive Message Discriminator.

 

 

Console logging: disabled

Monitor logging: level debugging, 0 messages logged, xml disabled,

filtering disabled

Buffer logging: level debugging, 1113170 messages logged, xml disabled,

filtering disabled

Exception Logging: size (4096 bytes)

Count and timestamp logging messages: disabled

Persistent logging: disabled

 

No active filter modules.

 

Trap logging: level informational, 228176 message lines logged

Logging Source-Interface: VRF Name:

 

Log Buffer (4096 bytes):

DIUS: Acct-Delay-Time [41] 6 0

792871: Jul 31 06:19:30.704 MSK: RADIUS(000AC988): Sending a IPv4 Radius Packet

792872: Jul 31 06:19:30.705 MSK: RADIUS(000AC988): Started 5 sec timeout

792873: Jul 31 06:19:30.706 MSK: RADIUS: Received from id 1646/163 192.168.130.3:1813, Accounting-response, len 20

792874: Jul 31 06:19:30.706 MSK: RADIUS: authenticator AC 44 F4 C3 1D 39 7C - 37 FA A6 37 04 2B 72

792875: Jul 31 06:19:31.055 MSK: RADIUS/ENCODE(000AC844):Orig. component type = Iedge IP SIP

792876: Jul 31 06:19:31.055 MSK: RADIUS(000AC844): Config NAS IP: 0.0.0.0

792877: Jul 31 06:19:31.055 MSK: RADIUS(000AC844): Config NAS IPv6: ::

792878: Jul 31 06:19:31.055 MSK: RADIUS(000AC844): Config NAS IP: 0.0.0.0

792879: Jul 31 06:19:31.055 MSK: RADIUS(000AC844): sending

792880: Jul 31 06:19:31.055 MSK: RADIUS/ENCODE: Best Local IP-Address 192.168.130.1 for Radius-Server 192.168.130.3

792881: Jul 31 06:19:31.055 MSK: RADIUS(000AC844): Send Accounting-Request to 192.168.130.3:1813 id 1646/164, len 342

792882: Jul 31 06:19:31.055 MSK: RADIUS: authenticator A4 6B 9D 6B 13 62 - 0A 3E 42 43 10 FE

792883: Jul 31 06:19:31.055 MSK: RADIUS: Acct-Session-Id [44] 18 "C0A88201000AC83A"

792884: Jul 31 06:19:31.055 MSK: RADIUS: Framed-IP-Address [8] 6 185.100.25.3

792885: Jul 31 06:19:31.056 MSK: RADIUS: Vendor, Cisco [26] 64

792886: Jul 31 06:19:31.056 MSK: RADIUS: ssg-account-info [250] 58 "QU;51200000;1024000;51200000;D;51200000;1024000;51200000"

792887: Jul 31 06:19:31.056 MSK: RADIUS: Framed-Protocol [7] 6 PPP [1]

792888: Jul 31 06:19:31.056 MSK: RADIUS: User-Name [1] 14 "185.100.25.3"

792889: Jul 31 06:19:31.056 MSK: RADIUS: Vendor, Cisco [26] 32

792890: Jul 31 06:19:31.056 MSK: RADIUS: Cisco AVpair [1] 26 "connect-progress=Call Up"

792891: Jul 31 06:19:31.056 MSK: RADIUS: Vendor, Cisco [26] 18

792892: Jul 31 06:19:31.056 MSK: RADIUS: ssg-control-info [253] 12 "I0;4196302"

792893: Jul 31 06:19:31.056 MSK: RADIUS: Vendor, Cisco [26] 19

792894: Jul 31 06:19:31.056 MSK: RADIUS: ssg-control-info [253] 13 "O0;73691300"

792895: Jul 31 06:19:31.056 MSK: RADIUS: Acct-Session-Time [46] 6 10823

792896: Jul 31 06:19:31.056 MSK: RADIUS: Acct-Input-Octets [42] 6 4196302

792897: Jul 31 06:19:31.056 MSK: RADIUS: Acct-Output-Octets [43] 6 73691300

792898: Jul 31 06:19:31.056 MSK: RADIUS: Acct-Input-Packets [47] 6 36922

792899: Jul 31 06:19:31.056 MSK: RADIUS: Acct-Output-Packets [48] 6 56990

792900: Jul 31 06:19:31.056 MSK: RADIUS: Acct-Authentic [45] 6 Local [2]

792901: Jul 31 06:19:31.056 MSK: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]

792902: Jul 31 06:19:31.056 MSK: RADIUS: NAS-Port-Type [61] 6 Virtual [5]

792903: Jul 31 06:19:31.056 MSK: RADIUS: Vendor, Cisco [26] 18

792904: Jul 31 06:19:31.056 MSK: RADIUS: cisco-nas-port [2] 12 "15/0/2/251"

792905: Jul 31 06:19:31.056 MSK: RADIUS: NAS-Port [5] 6 0

792906: Jul 31 06:19:31.056 MSK: RADIUS: NAS-Port-Id [87] 12 "15/0/2/251"

792907: Jul 31 06:19:31.056 MSK: RADIUS: Class [25] 10

792908: Jul 31 06:19:31.056 MSK: RADIUS: 30 30 30 30 36 31 39 39 [ 00006199]

792909: Jul 31 06:19:31.056 MSK: RADIUS: Service-Type [6] 6 Framed [2]

792910: Jul 31 06:19:31.056 MSK: RADIUS: NAS-IP-Address [4] 6 192.168.130.1

792911: Jul 31 06:19:31.056 MSK: RADIUS: home-hl-prefix [151] 10 "3435C16D"

792912: Jul 31 06:19:31.056 MSK: RADIUS: Event-Timestamp [55] 6 1438323571

792913: Jul 31 06:19:31.056 MSK: RADIUS: Nas-Identifier [32] 17 "ISG_ASR1.kit.ru"

792914: Jul 31 06:19:31.056 MSK: RADIUS: Acct-Delay-Time [41] 6 0

ISG_ASR1#

 

And one more:

 

Log Buffer (4096 bytes):

Delay-Time [41] 6 0

916203: Jul 31 06:22:22.593 MSK: RADIUS(000ACA00): Sending a IPv4 Radius Packet

916204: Jul 31 06:22:22.593 MSK: RADIUS(000ACA00): Started 5 sec timeout

916205: Jul 31 06:22:22.595 MSK: RADIUS: Received from id 1646/130 192.168.130.3:1813, Accounting-response, len 20

916206: Jul 31 06:22:22.595 MSK: RADIUS: authenticator 4F 84 39 06 0B A5 C8 - 6E 2F C0 D1 EF 15 C7

916207: Jul 31 06:22:22.721 MSK: RADIUS/ENCODE(000A9586):Orig. component type = Iedge IP SIP

916208: Jul 31 06:22:22.721 MSK: RADIUS(000A9586): Config NAS IP: 0.0.0.0

916209: Jul 31 06:22:22.721 MSK: RADIUS(000A9586): Config NAS IPv6: ::

916210: Jul 31 06:22:22.721 MSK: RADIUS(000A9586): Config NAS IP: 0.0.0.0

916211: Jul 31 06:22:22.721 MSK: RADIUS(000A9586): sending

916212: Jul 31 06:22:22.721 MSK: RADIUS/ENCODE: Best Local IP-Address 192.168.130.1 for Radius-Server 192.168.130.3

916213: Jul 31 06:22:22.721 MSK: RADIUS(000A9586): Send Accounting-Request to 192.168.130.3:1813 id 1646/131, len 357

916214: Jul 31 06:22:22.721 MSK: RADIUS: authenticator 4C 9A 29 84 40 34 09 - 99 DC B5 75 7E 88 59

916215: Jul 31 06:22:22.721 MSK: RADIUS: Acct-Session-Id [44] 18 "C0A88201000A957C"

916216: Jul 31 06:22:22.721 MSK: RADIUS: Framed-IP-Address [8] 6 81.4.214.48

916217: Jul 31 06:22:22.721 MSK: RADIUS: Vendor, Cisco [26] 62

916218: Jul 31 06:22:22.721 MSK: RADIUS: ssg-account-info [250] 56 "QU;10240000;1024000;1536000;D;10240000;1024000;1536000"

916219: Jul 31 06:22:22.721 MSK: RADIUS: Framed-Protocol [7] 6 PPP [1]

916220: Jul 31 06:22:22.721 MSK: RADIUS: User-Name [1] 13 "81.4.214.48"

916221: Jul 31 06:22:22.721 MSK: RADIUS: Vendor, Cisco [26] 32

916222: Jul 31 06:22:22.721 MSK: RADIUS: Cisco AVpair [1] 26 "connect-progress=Call Up"

916223: Jul 31 06:22:22.721 MSK: RADIUS: Vendor, Cisco [26] 20

916224: Jul 31 06:22:22.721 MSK: RADIUS: ssg-control-info [253] 14 "I0;133797405"

916225: Jul 31 06:22:22.721 MSK: RADIUS: Vendor, Cisco [26] 21

916226: Jul 31 06:22:22.721 MSK: RADIUS: ssg-control-info [253] 15 "O1;1439571421"

916227: Jul 31 06:22:22.721 MSK: RADIUS: Acct-Session-Time [46] 6 76270

916228: Jul 31 06:22:22.721 MSK: RADIUS: Acct-Input-Giga-Word[52] 6 0

916229: Jul 31 06:22:22.721 MSK: RADIUS: Acct-Output-Giga-Wor[53] 6 1

916230: Jul 31 06:22:22.721 MSK: RADIUS: Acct-Input-Octets [42] 6 133797405

916231: Jul 31 06:22:22.721 MSK: RADIUS: Acct-Output-Octets [43] 6 1439571421

916232: Jul 31 06:22:22.721 MSK: RADIUS: Acct-Input-Packets [47] 6 1467613

916233: Jul 31 06:22:22.721 MSK: RADIUS: Acct-Output-Packets [48] 6 4071390

916234: Jul 31 06:22:22.721 MSK: RADIUS: Acct-Authentic [45] 6 Local [2]

916235: Jul 31 06:22:22.721 MSK: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]

916236: Jul 31 06:22:22.721 MSK: RADIUS: NAS-Port-Type [61] 6 Virtual [5]

916237: Jul 31 06:22:22.721 MSK: RADIUS: Vendor, Cisco [26] 19

916238: Jul 31 06:22:22.721 MSK: RADIUS: cisco-nas-port [2] 13 "15/0/2/2141"

916239: Jul 31 06:22:22.721 MSK: RADIUS: NAS-Port [5] 6 0

916240: Jul 31 06:22:22.721 MSK: RADIUS: NAS-Port-Id [87] 13 "15/0/2/2141"

916241: Jul 31 06:22:22.721 MSK: RADIUS: Class [25] 10

916242: Jul 31 06:22:22.721 MSK: RADIUS: 30 30 30 30 35 34 33 30 [ 00005430]

916243: Jul 31 06:22:22.721 MSK: RADIUS: Service-Type [6] 6 Framed [2]

916244: Jul 31 06:22:22.721 MSK: RADIUS: NAS-IP-Address [4] 6 192.168.130.1

916245: Jul 31 06:22:22.721 MSK: RADIUS: home-hl-prefix [151] 10 "385B0EDF"

916246: Jul 31 06:22:22.721 MSK: RADIUS: Event-Timestamp [55] 6 1438323742

ISG_ASR1#

At 6:20 I was just resetting authorization for everyone so that the sessions would start while everyone is asleep.

As for billing: right now there is a log of one and a half gigabytes. Which lines should I search for / what should I look at?


Set the timeout for RADIUS higher. Your RADIUS is probably choking.

Thanks, and how do I do that?


radius-server transaction max-tries 5

radius-server timeout 30

 

It complained about the first line:

ISG_ASR1(config)#radius-server transaction max-tries 5
% Radius retry method reorder not configured
ISG_ASR1(config)#radius-server timeout 30
ISG_ASR1(config)#

 

Maybe I should try?

Is this what it wants?:

radius-server retry method reorder


By the way!!!

On the 7201 it was:

 

!

radius-server attribute 44 include-in-access-req

radius-server attribute 44 extend-with-addr

radius-server attribute 8 include-in-access-req

radius-server attribute 32 include-in-accounting-req

radius-server attribute 55 include-in-acct-req

radius-server attribute 31 mac format unformatted

radius-server host 192.168.130.3 auth-port 1812 acct-port 1813 key 7 3333333333333333333

radius-server vsa send cisco-nas-port

radius-server vsa send accounting

radius-server vsa send authentication

!

and on the ASR1001 it became:

 

!

radius-server attribute 44 include-in-access-req default-vrf

radius-server attribute 44 extend-with-addr

radius-server attribute 8 include-in-access-req

radius-server attribute 32 include-in-accounting-req

radius-server attribute 55 include-in-acct-req

radius-server attribute 31 mac format unformatted

radius-server host 192.168.130.3 auth-port 1812 acct-port 1813 key 7 3333333333333333333

radius-server vsa send cisco-nas-port

!

!

That is, these lines are missing:

radius-server vsa send accounting

radius-server vsa send authentication

 

because for some reason it does not want them (although it does not complain when they are entered).

Could this be it?


792873: Jul 31 06:19:30.706 MSK: RADIUS: Received from id 1646/163 192.168.130.3:1813, Accounting-response, len 20

 

And where are the authorization requests and the responses to them?

 

radius-server attribute 44 include-in-access-req default-vrf

radius-server attribute 44 extend-with-addr

radius-server attribute 8 include-in-access-req

radius-server attribute 32 include-in-accounting-req

radius-server attribute 55 include-in-acct-req

radius-server attribute 31 mac format unformatted

radius-server host 192.168.130.3 auth-port 1812 acct-port 1813 key 7 3333333333333333333

radius-server vsa send cisco-nas-port

!

!

That is, these lines are missing:

radius-server vsa send accounting

radius-server vsa send authentication

 

 

This is normal; the configuration method simply changed because the IOS is different. The old commands are just translated into the new ones for compatibility.

I am only on formal terms with Cisco :)

So if you just tell me what to press, I will show the result.

With that level of knowledge it is better not to approach something like this right away. You need to practice on something simpler.


 

This is normal; the configuration method simply changed because the IOS is different. The old commands are just translated into the new ones for compatibility.

I am only on formal terms with Cisco :)

So if you just tell me what to press, I will show the result.

With that level of knowledge it is better not to approach something like this right away. You need to practice on something simpler.

Thanks, those who are on familiar terms have not been able to do anything so far either.


radius-server transaction max-tries 5

radius-server timeout 30

 

It complained about the first line:

ISG_ASR1(config)#radius-server transaction max-tries 5
% Radius retry method reorder not configured
ISG_ASR1(config)#radius-server timeout 30
ISG_ASR1(config)#

 

 

Is it OK to add the following without doing harm

radius-server retry method reorder
radius-server retransmit 0
radius-server transaction max-tries 5 
radius-server timeout 30

?


Set radius-server retransmit to 2.

P.S. logging buffered 80960

Are there no messages in the log about RADIUS dead? :)

Edited by zhenya`


Set radius-server retransmit to 2.

P.S. logging buffered 80960

Are there no messages in the log about RADIUS dead? :)

Thanks!

I have not seen any messages about RADIUS dead.

I have set:

radius-server retransmit 2

logging buffered 80960

We are observing.

A piece of the log is in the attachment.

And where do I look for the rejects here?

sh log.txt


debug radius authentication: turn on this debug.

I turned it on, and here is what it printed:

ISG_ASR1#debug radius authentication
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is off
Radius packet hex dump debugging is off
Radius packet protocol debugging is on
Radius elog debugging debugging is on
Radius packet retransmission debugging is off
Radius server fail-over debugging is off

log.txt


The log still contains only accounting.

Did the authorization simply not make it into the log, or is it not included in the log?


Let's see show radius statistics.

Here:

ISG_ASR1#show radius statistics
                                 Auth.      Acct.       Both
        Maximum inQ length:         NA         NA       1989
      Maximum waitQ length:         NA         NA       2443
      Maximum doneQ length:         NA         NA        655
      Total responses seen:     521612   33341118   33862730
    Packets with responses:     520406   33340807   33861213
 Packets without responses:      41112    2724377    2765489
 Access Rejects           :     491847
Average response delay(ms):         61          4          5
Maximum response delay(ms):      90160      30068      90160
 Number of Radius timeouts:     166172   10906743   11072915
      Duplicate ID detects:          0          0          0
Buffer Allocation Failures:          0          0          0
Maximum Buffer Size (bytes):        177        429        429
Malformed Responses        :          0          0          0
Bad Authenticators         :          0       2618       2618
Unknown Responses          :          0          0          0
Source Port Range: (2 ports only)
1645 - 1646
Last used Source Port/Identifier:
1645/110
1646/25

 Elapsed time since counters last cleared: 14w1d7h47m
Radius Latency Distribution:
<= 2ms :          0   16661063
3-5ms  :        317   16365771
5-10ms :         18     238226
10-20ms:       1372      55005
20-50ms:     488560       7844
50-100m:      22684       2083
>100ms :       7455      10815

Current inQ length  : 0
Current doneQ length: 0

ISG_ASR1#

 

OMG, the Rejects have turned up and there are a lot of them. Is this normal?

Edited by Diman_xxxx


Both the timeouts and the empty packets are not normal. Reset the stats and observe.


Both the timeouts and the empty packets are not normal. Reset the stats and observe.

Thanks,

Stats as of now:

ISG_ASR1#show radius statistics
                                 Auth.      Acct.       Both
        Maximum inQ length:         NA         NA       1989
      Maximum waitQ length:         NA         NA       2443
      Maximum doneQ length:         NA         NA        655
      Total responses seen:     533825   34352900   34886725
    Packets with responses:     532619   34352589   34885208
 Packets without responses:      41112    2724786    2765898
 Access Rejects           :     503176
Average response delay(ms):         61          4          5
Maximum response delay(ms):      90160      30068      90160
 Number of Radius timeouts:     166172   10908057   11074229
      Duplicate ID detects:          0          0          0
Buffer Allocation Failures:          0          0          0
Maximum Buffer Size (bytes):        177        429        429
Malformed Responses        :          0          0          0
Bad Authenticators         :          0       4020       4020
Unknown Responses          :          0          0          0
Source Port Range: (2 ports only)
1645 - 1646
Last used Source Port/Identifier:
1645/35
1646/24

 Elapsed time since counters last cleared: 14w2d1h29m
Radius Latency Distribution:
<= 2ms :          0   17273413
3-5ms  :        317   16760527
5-10ms :         18     240653
10-20ms:       1433      56524
20-50ms:     499939       8139
50-100m:      23307       2161
>100ms :       7605      11172

Current inQ length  : 0
Current doneQ length: 0

 

I'll reset them now.

Snapshot after 1.5 minutes:

ISG_ASR1#show radius statistics
                                 Auth.      Acct.       Both
        Maximum inQ length:         NA         NA          4
      Maximum waitQ length:         NA         NA          4
      Maximum doneQ length:         NA         NA          0
      Total responses seen:         20       1073       1093
    Packets with responses:         20       1073       1093
 Packets without responses:          0          0          0
 Access Rejects           :         19
Average response delay(ms):         31          2          2
Maximum response delay(ms):         90         13         90
 Number of Radius timeouts:          0          0          0
      Duplicate ID detects:          0          0          0
Buffer Allocation Failures:          0          0          0
Maximum Buffer Size (bytes):        173        407        407
Malformed Responses        :          0          0          0
Bad Authenticators         :          0          0          0
Unknown Responses          :          0          0          0
Source Port Range: (2 ports only)
1645 - 1646
Last used Source Port/Identifier:
1645/114
1646/201

 Elapsed time since counters last cleared: 1m
Radius Latency Distribution:
<= 2ms :          0        644
3-5ms  :          0        427
5-10ms :          0          0
10-20ms:          1          2
20-50ms:         17          0
50-100m:          2          0
>100ms :          0          0


      Total responses seen:         20       1073       1093
    Packets with responses:         20       1073       1093
 Access Rejects           :         19

 

20-19=1

One positive answer from billing out of 20.

Although it could be an incorrectly configured client that keeps hammering away.

In short, you need to look at the billing logs.

Edited by ShyLion
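
The reject-versus-response arithmetic from the post above can also be applied to two cumulative snapshots without clearing the counters. The following is an added example, not code from the thread: it parses the relevant rows of `show radius statistics`, using rows excerpted from the three outputs posted here as input; all function and variable names are illustrative.

```python
"""Interval analysis of `show radius statistics` snapshots (added example)."""

# Rows used below: label as printed by the router -> short key.
ROWS = {
    "Total responses seen": "responses",
    "Packets without responses": "unanswered",
    "Access Rejects": "rejects",
    "Number of Radius timeouts": "timeouts",
    "Bad Authenticators": "bad_auth",
}

# Rows excerpted from the three outputs posted in the thread.
FIRST = """
      Total responses seen:     521612   33341118   33862730
 Packets without responses:      41112    2724377    2765489
 Access Rejects           :     491847
 Number of Radius timeouts:     166172   10906743   11072915
Bad Authenticators         :          0       2618       2618
"""
SECOND = """
      Total responses seen:     533825   34352900   34886725
 Packets without responses:      41112    2724786    2765898
 Access Rejects           :     503176
 Number of Radius timeouts:     166172   10908057   11074229
Bad Authenticators         :          0       4020       4020
"""
AFTER_CLEAR = """
      Total responses seen:         20       1073       1093
 Packets without responses:          0          0          0
 Access Rejects           :         19
 Number of Radius timeouts:          0          0          0
Bad Authenticators         :          0          0          0
"""


def parse_stats(text):
    """Return {key: (auth, acct)}; acct is None for single-column rows."""
    stats = {}
    for line in text.splitlines():
        label, sep, rest = line.partition(":")
        key = ROWS.get(label.strip())
        if not sep or key is None:
            continue
        nums = [int(v) for v in rest.split() if v.isdigit()]  # skips "NA"
        if nums:
            stats[key] = (nums[0], nums[1] if len(nums) > 1 else None)
    return stats


def interval(old, new):
    """Counters accumulated between two snapshots (old taken first).

    A counter that went down means the counters were cleared in between;
    the newer snapshot then already describes the interval by itself.
    """
    diff = {}
    for key, (auth, acct) in new.items():
        old_auth, old_acct = old.get(key, (0, None))
        d_auth = auth - old_auth
        d_acct = None if acct is None else acct - (old_acct or 0)
        if d_auth < 0 or (d_acct is not None and d_acct < 0):
            return dict(new)
        diff[key] = (d_auth, d_acct)
    return diff


def summarize(stats):
    """Figures the thread reasons about, for the authentication column."""
    responses = stats["responses"][0]
    rejects = stats["rejects"][0]
    return {
        "auth_responses": responses,
        "auth_rejects": rejects,
        "auth_non_reject": responses - rejects,
        "reject_share": round(rejects / responses, 3) if responses else None,
        "auth_timeouts": stats["timeouts"][0],
        "acct_bad_authenticators": stats["bad_auth"][1],
    }


if __name__ == "__main__":
    first, second = parse_stats(FIRST), parse_stats(SECOND)
    print("between snapshots:", summarize(interval(first, second)))
    print("after clear:      ",
          summarize(interval(second, parse_stats(AFTER_CLEAR))))
```

For the first two outputs the interval shows 12213 authentication responses, 11329 of them Access-Rejects, and no new authentication timeouts, which matches the 19 rejects out of 20 responses seen after the counters were cleared.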


For comparison, my statistics:

                                 Auth.      Acct.       Both
        Maximum inQ length:         NA         NA         13
      Maximum waitQ length:         NA         NA        226
      Maximum doneQ length:         NA         NA         12
      Total responses seen:     437830   31256520   31694350
    Packets with responses:     386912   31256096   31643008
 Packets without responses:     104859      57572     162431
 Access Rejects           :     403079
Average response delay(ms):         16          1          1
Maximum response delay(ms):      20099      18507      20099
 Number of Radius timeouts:     419160     231109     650269

 

A pile of Rejects is produced by one single subscriber who has a dumb router with TWO PPPoE accounts, one of which is bogus, but the router keeps trying to bring it up at the same time as the legitimate, working one.

It clutters up the billing log.
