lumenok Posted November 12, 2015

Good afternoon! A session won't come up on the ASR. Could you tell me what the problem might be? It complains about the service. Here is the config:

Current configuration : 14179 bytes
!
! Last configuration change at 06:45:36 UTC Wed Nov 11 2015 by root
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 20000000
!
hostname Router
!
boot-start-marker
boot system flash asr1001x-universalk9.03.13.03.S.154-3.S3-ext.SPA.bin
boot system flash bootflash:/asr1001x-universalk9.03.13.03.S.154-3.S3-ext.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
vrf list Mgmt-intf
!
enable password 7 *****
!
aaa new-model
!
!
aaa group server radius billing-radius
 server-private 10.96.0.100 auth-port 1812 acct-port 1813 timeout 3 key 7 **********
 ip vrf forwarding Mgmt-intf
 ip radius source-interface GigabitEthernet0
 deadtime 1
!
aaa authentication login default local
aaa authentication login billing-auth group billing-radius
aaa authorization network billing-auth group billing-radius
aaa authorization subscriber-service default local
aaa authorization subscriber-service billing-auth local group billing-radius
aaa accounting update newinfo periodic 10
aaa accounting network billing-auth
 action-type start-stop
 group billing-radius
!
aaa accounting network billing-radius
 action-type start-stop
 group billing-radius
!
!
!
!
!
aaa server radius dynamic-author
 client 10.96.0.100 server-key 7 ***********
 auth-type any
!
aaa session-id common
!
!
!
!
!
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
subscriber templating
subscriber authorization enable
service-policy type control test
!
multilink bundle-name authenticated
!
password encryption aes
!
!
!
!
!
!
!
!
!
license accept end user agreement
license boot level adventerprise
archive
 path flash:
 maximum 14
 write-memory
spanning-tree extend system-id
!
username root privilege 15 password 7 *********
!
redundancy
 mode sso
redirect server-group RSG-BLOCK-REDIRECT
 server ip 10.0.143.1 port 8001
!
redirect server-group RSG-NEGBAL-REDIRECT
 server ip 10.0.143.1 port 8002
!
redirect session-limit 100
!
!
!
!
!
!
ip tftp source-interface GigabitEthernet0
class-map type traffic match-any CLS-BLOCK-REDIRECT
 match access-group input name ACL-BLOCK-REDIRECT
!
class-map type traffic match-any CLS-BLOCK-TRUST
 match access-group output name ACL-BLOCK-TRUST
 match access-group input name ACL-BLOCK-TRUST
!
class-map type traffic match-any CLS-NEGBAL-REDIRECT
 match access-group input name ACL-NEGBAL-REDIRECT
!
class-map type traffic match-any CLS-NEGBAL-TRUST
 match access-group output name ACL-NEGBAL-TRUST
 match access-group input name ACL-NEGBAL-TRUST
!
class-map type traffic match-any CLS-LOCAL-NET
 match access-group output name ACL-LOCAL-NET
 match access-group input name ACL-LOCAL-NET
!
class-map type traffic match-any CLS-ACCEPT
 match access-group input name ACL-ACCEPT
 match access-group output name ACL-ACCEPT
!
class-map type traffic match-any CLS-NOSHAPE
 match access-group input name ACL-NOSHAPE
 match access-group output name ACL-NOSHAPE
!
class-map type control match-all CTRL-TIMER-AUTH
 match authen-status authenticated
 match timer TIMER-AUTH
!
class-map type control match-all CTRL-TIMER-UNAUTH
 match authen-status unauthenticated
 match timer TIMER-UNAUTH
!
policy-map type service FWPOL-LOCAL-NET
 class type traffic CLS-LOCAL-NET
  police input 100000000
  police output 100000000
 !
!
policy-map type service FWPOL-ACCEPT
 service local
 class type traffic CLS-ACCEPT
 !
 class type traffic default in-out
 !
!
policy-map type service FWPOL-NEGBAL-TRUST
 service local
 class type traffic CLS-NEGBAL-TRUST
 !
!
policy-map type service FWPOL-NEGBAL-REDIRECT
 service local
 class type traffic CLS-NEGBAL-REDIRECT
  redirect to group RSG-NEGBAL-REDIRECT
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service FWPOL-BLOCK-TRUST
 class type traffic CLS-BLOCK-TRUST
 !
!
policy-map type service FWPOL-BLOCK-REDIRECT
 service local
 class type traffic CLS-BLOCK-REDIRECT
  redirect to group RSG-BLOCK-REDIRECT
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service FWPOL-DEFAULT
 service local
 class type traffic CLS-ACCEPT
  police input 512000
  police output 512000
 !
!
policy-map type control CTRL-IPOE
 class type control always event timed-policy-expiry
  1 service disconnect
 !
 class type control always event account-logoff
  1 service disconnect
 !
 class type control always event radius-timeout
  10 set-timer TIMER-UNAUTH 10
  20 service-policy type service name FWPOL-DEFAULT
 !
 class type control always event session-start
  10 set-timer TIMER-AUTH 7200
  20 authorize aaa list billing-auth password mypass identifier source-ip-address
  30 set-timer TIMER-UNAUTH 5
  40 service-policy type service name FWPOL-BLOCK-TRUST
  50 service-policy type service name FWPOL-BLOCK-REDIRECT
 !
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 172.31.31.31 255.255.255.255
!
interface Loopback1
 ip address 172.1.1.14 255.255.255.255
!
interface TenGigabitEthernet0/0/0
 description Downlink-to-X670
 ip address 10.254.253.18 255.255.255.252
 no ip redirects
 no ip unreachables
 service-policy type control CTRL-IPOE
 ip subscriber routed
  initiator unclassified ip-address
!
interface TenGigabitEthernet0/0/1
 description Uplink-to-JunMX80
 ip address 188.190.159.221 255.255.255.252
!
interface GigabitEthernet0/0/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/1
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/4
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/5
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 description Managment
 vrf forwarding Mgmt-intf
 ip address 10.96.0.96 255.255.0.0
 negotiation auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 188.x.y.222
ip route 10.0.0.0 255.128.0.0 10.254.253.17
ip route 172.1.1.1 255.255.255.255 10.254.254.17
ip route 172.1.1.2 255.255.255.255 172.1.1.1
ip route 188.x.y.248 255.255.255.252 10.254.253.17
ip route vrf Mgmt-intf 10.0.0.0 255.0.0.0 10.96.0.1
!
ip access-list extended ACL-ACCEPT
 permit ip any any
ip access-list extended ACL-BLOCK-REDIRECT
 permit tcp any any eq www
 deny ip any any
ip access-list extended ACL-BLOCK-TRUST
 permit ip any 194.54.14.0 0.0.0.255
 permit ip any 194.186.207.0 0.0.0.255
ip access-list extended ACL-LOCAL-NET
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
ip access-list extended ACL-NAT-GRAY-NET
 permit ip 10.0.0.0 0.255.255.255 any
ip access-list extended ACL-NEGBAL-REDIRECT
 permit tcp any any eq www
 deny ip any any
ip access-list extended ACL-NEGBAL-TRUST
 permit ip any 194.54.14.0 0.0.0.255
 permit ip any 194.186.207.0 0.0.0.255
ip access-list extended ACL-NOSHAPE
 permit ip 188.190.128.0 0.0.31.255 188.190.128.0 0.0.31.255
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
 permit ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.15.255.255
 permit ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255
 permit ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255
ip access-list extended ACL-REDIRECT
 permit tcp any any eq www
 deny ip any any
!
access-list 1 permit 10.80.0.0 0.0.255.255
access-list 1 permit 10.95.0.0 0.0.255.255
access-list 1 deny any
access-list 100 permit ip 10.80.0.0 0.0.255.255 any
access-list 100 permit ip 10.95.0.0 0.0.255.255 any
access-list 100 deny ip any any
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
ntp source GigabitEthernet0
ntp server 10.80.0.225
!
end

During authorization it says the following:

Nov 11 06:30:36.271: AAA/BIND(000006B9): Bind i/f
*Nov 11 06:30:36.271: AAA/BIND(000006B9): Bind i/f TenGigabitEthernet0/0/0
*Nov 11 06:30:36.271: SSS INFO: Element type is AccIe-Hdl = 570426807 (220005B7)
*Nov 11 06:30:36.271: SSS INFO: Element type is AAA-Id = 1721 (000006B9)
*Nov 11 06:30:36.271: SSS INFO: Element type is SHDB-Handle = 2348810679 (8C0001B7)
*Nov 11 06:30:36.271: SSS INFO: Element type is Input Interface = "TenGigabitEthernet0/0/0"
*Nov 11 06:30:36.271: SSS INFO: Element type is IP-Address = 10.90.0.33 (0A5A0021)
*Nov 11 06:30:36.271: SSS INFO: Element type is IP-Address-VRF = IP 10.90.0.33:0
*Nov 11 06:30:36.271: SSS INFO: Element type is source-ip-address = 7F123A643768
*Nov 11 06:30:36.271: SSS INFO: Element type is Sign-Of-Life = 1 (00000001)
*Nov 11 06:30:36.271: SSS INFO: Element type is IP-Session-Handle = 922748343 (370005B7)
*Nov 11 06:30:36.271: SSS INFO: Element type is Access-Type = 15 (IP)
*Nov 11 06:30:36.271: SSS INFO: Element type is Subscriber-Session-Type = 1 (00000001)
*Nov 11 06:30:36.271: SSS INFO: Element type is Protocol-Type = 4 (IP Access Protocol)
*Nov 11 06:30:36.271: SSS INFO: Element type is Media-Type = 2 (IP)
*Nov 11 06:30:36.271: SSS INFO: Element type is Switch-Id = 7021 (00001B6D)
*Nov 11 06:30:36.271: SSS INFO: Element type is Segment-Hdl = 7022 (00001B6E)
*Nov 11 06:30:36.271: SSS MGR [uid:462]: Sending a Session Assert ID Mgr request
*Nov 11 06:30:36.271: SSS MGR [uid:462]: Updating ID Mgr with the following keys: aaa-unique-id 0 1721 (0x6B9) domainip-vrf 0 0A 5A 00 21 00 00
*Nov 11 06:30:36.271: SSS MGR [uid:462]: Updating ID Mgr with the following data- smgr hdl0xF30005B7 : addr 0 10.90.0.33
*Nov 11 06:30:36.271: SSS MGR [uid:462]: ID Mgr returned status: 'success' for Session Assert
*Nov 11 06:30:36.271: SSS MGR [uid:462]: Handling Policy Service Authorize action (1 pending sessions)
*Nov 11 06:30:36.271: SSS AAA AUTHOR [uid:462][AAA ID:1721]: using named author method list "billing-auth"
*Nov 11 06:30:36.271: SSS AAA AUTHOR [uid:462][AAA ID:1721]: using set aaa password "mypass"
*Nov 11 06:30:36.271: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Root SIP IP
*Nov 11 06:30:36.271: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Enable IP parsing
*Nov 11 06:30:36.271: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Enable DHCP parsing
*Nov 11 06:30:36.271: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Enable IP-Interface parsing
*Nov 11 06:30:36.271: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Event <make request>, state changed from idle to authorizing
*Nov 11 06:30:36.271: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Active key set to source-ip-address
*Nov 11 06:30:36.271: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Authorizing key 10.90.0.33
*Nov 11 06:30:36.271: AAA/AUTHOR (0x6B9): Pick method list 'billing-auth'
*Nov 11 06:30:36.271: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Set authorization profile type default - user
*Nov 11 06:30:36.271: SSS AAA AUTHOR [uid:462][AAA ID:1721]: AAA request sent for key 10.90.0.33
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: TAL authorisation keys added
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Received an AAA pass
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: [7F1245016E50]:Reply message not exist
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Parsed AAA interim interval = 300
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: SIP IP[7F12C1F35BB0] parsed as Success
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: SIP IP[7F12C1F90790] parsed as Ignore
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: SIP DHCP[7F12C1F90790] parsed as Ignore
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Event <service not found>, state changed from authorizing to complete
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: No service authorization info found
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Active Handle present - 11000981
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Freeing Active Handle; SSS Policy Context Handle = 17000D99
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Event <free request>, state changed from complete to terminal
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Cancel request
*Nov 11 06:30:36.347: SSS MGR [uid:462]: Got reply Disconnect from PM
*Nov 11 06:30:36.347: SSS MGR [uid:462]: Handling Session Disconnect action
*Nov 11 06:30:36.347: SSS MGR [uid:462]: No accounting feature installed skipping attribute gathering
*Nov 11 06:30:36.347: SSS MGR [uid:462]: Handling Disconnecting, All Clean action
*Nov 11 06:30:36.347: SSS MGR [uid:462]: Sending a Session End ID Mgr request
*Nov 11 06:30:36.347: SSS MGR [uid:462]: ID Mgr returned status: 'deleted' for Session End
*Nov 11 06:30:36.347: SSS MGR [uid:462]: Publish session done aaa 1721, uid 462

From RADIUS I send the following:

Framed-Ip-Address=10.90.0.33, Cisco-AVpair=accouting-list=billing-auth, Cisco-Account-Info=AFWPOL-ACCEPT, Cisco-Account-Info=AFWPOL-NOSHAPE, Acct-Interim-Interval=300
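
An added example, not part of the original post: a consistency check that cross-references the services named in the RADIUS reply against the `policy-map type service` definitions in the posted configuration, and picks out the session whose authorization ended in `<service not found>`. It assumes the `A` prefix in `Cisco-Account-Info` marks a service to activate at logon; the function names are hypothetical and the embedded strings are excerpts copied from the post.

```python
import re

# Service and control policy-map headers excerpted from the posted configuration.
CONFIG = """\
policy-map type service FWPOL-LOCAL-NET
policy-map type service FWPOL-ACCEPT
policy-map type service FWPOL-NEGBAL-TRUST
policy-map type service FWPOL-NEGBAL-REDIRECT
policy-map type service FWPOL-BLOCK-TRUST
policy-map type service FWPOL-BLOCK-REDIRECT
policy-map type service FWPOL-DEFAULT
policy-map type control CTRL-IPOE
"""
# RADIUS reply attributes as quoted in the post.
REPLY = ("Framed-Ip-Address=10.90.0.33, Cisco-AVpair=accouting-list=billing-auth, "
         "Cisco-Account-Info=AFWPOL-ACCEPT, Cisco-Account-Info=AFWPOL-NOSHAPE, "
         "Acct-Interim-Interval=300")
# Two lines from the posted debug output.
DEBUG = """\
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Event <service not found>, state changed from authorizing to complete
*Nov 11 06:30:36.347: SSS MGR [uid:462]: Got reply Disconnect from PM
"""

def local_services(config):
    """Names of 'policy-map type service' definitions present in the config."""
    return set(re.findall(r"^policy-map type service (\S+)", config, re.M))

def auto_services(reply):
    """Service names carried in Cisco-Account-Info values with the 'A' prefix."""
    names = []
    for attr in reply.split(","):
        name, _, value = attr.strip().partition("=")
        # Assumption: 'A<name>' means "activate service <name> at logon".
        if name == "Cisco-Account-Info" and value.startswith("A"):
            names.append(value[1:])
    return names

def sessions_without_service(debug):
    """uids of sessions whose authorization ended in <service not found>."""
    pat = r"SSS AAA AUTHOR \[uid:(\d+)\].*Event <service not found>"
    return sorted({int(uid) for uid in re.findall(pat, debug)})

def missing_services(config, reply):
    """Services named by RADIUS that have no local service policy-map."""
    known = local_services(config)
    return [s for s in auto_services(reply) if s not in known]

if __name__ == "__main__":
    print("sessions ending in <service not found>:", sessions_without_service(DEBUG))
    print("named by RADIUS, not defined locally:", missing_services(CONFIG, REPLY))
```

Run against these excerpts, the check reports `FWPOL-NOSHAPE` as named in the RADIUS reply but absent from the configuration's service policy-maps, which is the first mismatch to rule out alongside the `<service not found>` event.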