
asr1001x - No service authorization info found

Good afternoon!

A session won't come up on the ASR. Could you tell me what the problem might be? It complains about the service.

Here is the config:

 

 

Current configuration : 14179 bytes
!
! Last configuration change at 06:45:36 UTC Wed Nov 11 2015 by root
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 20000000
!
hostname Router
!
boot-start-marker
boot system flash asr1001x-universalk9.03.13.03.S.154-3.S3-ext.SPA.bin
boot system flash bootflash:/asr1001x-universalk9.03.13.03.S.154-3.S3-ext.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
vrf list Mgmt-intf
!
enable password 7 *****
!
aaa new-model
!
!
aaa group server radius billing-radius
server-private 10.96.0.100 auth-port 1812 acct-port 1813 timeout 3 key 7 **********
ip vrf forwarding Mgmt-intf
ip radius source-interface GigabitEthernet0
deadtime 1
!
aaa authentication login default local
aaa authentication login billing-auth group billing-radius
aaa authorization network billing-auth group billing-radius 
aaa authorization subscriber-service default local 
aaa authorization subscriber-service billing-auth local group billing-radius 
aaa accounting update newinfo periodic 10
aaa accounting network billing-auth
action-type start-stop
group billing-radius
!         
aaa accounting network billing-radius
action-type start-stop
group billing-radius
!         
!         
!         
!         
!         
aaa server radius dynamic-author
client 10.96.0.100 server-key 7 ***********
auth-type any
!         
aaa session-id common
!         
!         
!         
!         
!         
!         
!         
!         
!         


no ip domain lookup

!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
subscriber templating
subscriber authorization enable
service-policy type control test
!         
multilink bundle-name authenticated
!         
password encryption aes
!         
!         
!         
!         
!         
!         
!         
!         
!         

license accept end user agreement
license boot level adventerprise
archive
path flash:
maximum 14
write-memory
spanning-tree extend system-id
!
username root privilege 15 password 7 *********
!
redundancy
mode sso
redirect server-group RSG-BLOCK-REDIRECT
server ip 10.0.143.1 port 8001
!
redirect server-group RSG-NEGBAL-REDIRECT
server ip 10.0.143.1 port 8002
!
redirect session-limit 100
!
!
!
!
!
!
ip tftp source-interface GigabitEthernet0
class-map type traffic match-any CLS-BLOCK-REDIRECT
match access-group input name ACL-BLOCK-REDIRECT
!
class-map type traffic match-any CLS-BLOCK-TRUST
match access-group output name ACL-BLOCK-TRUST
match access-group input name ACL-BLOCK-TRUST
!
class-map type traffic match-any CLS-NEGBAL-REDIRECT
match access-group input name ACL-NEGBAL-REDIRECT
!
class-map type traffic match-any CLS-NEGBAL-TRUST
match access-group output name ACL-NEGBAL-TRUST
match access-group input name ACL-NEGBAL-TRUST
!
class-map type traffic match-any CLS-LOCAL-NET
match access-group output name ACL-LOCAL-NET
match access-group input name ACL-LOCAL-NET
!
class-map type traffic match-any CLS-ACCEPT
match access-group input name ACL-ACCEPT
match access-group output name ACL-ACCEPT
!
class-map type traffic match-any CLS-NOSHAPE
match access-group input name ACL-NOSHAPE
match access-group output name ACL-NOSHAPE
!
class-map type control match-all CTRL-TIMER-AUTH
match authen-status authenticated 
match timer TIMER-AUTH 
!
class-map type control match-all CTRL-TIMER-UNAUTH
match authen-status unauthenticated 
match timer TIMER-UNAUTH 
!
policy-map type service FWPOL-LOCAL-NET
class type traffic CLS-LOCAL-NET
 police input 100000000
 police output 100000000
!
!
policy-map type service FWPOL-ACCEPT
service local
class type traffic CLS-ACCEPT
!
class type traffic default in-out
!
!
policy-map type service FWPOL-NEGBAL-TRUST
service local
class type traffic CLS-NEGBAL-TRUST
!
!
policy-map type service FWPOL-NEGBAL-REDIRECT
service local
class type traffic CLS-NEGBAL-REDIRECT
 redirect to group RSG-NEGBAL-REDIRECT
!
class type traffic default in-out
 drop
!
!
policy-map type service FWPOL-BLOCK-TRUST
class type traffic CLS-BLOCK-TRUST
!
!         
policy-map type service FWPOL-BLOCK-REDIRECT
service local
class type traffic CLS-BLOCK-REDIRECT
 redirect to group RSG-BLOCK-REDIRECT
!
class type traffic default in-out
 drop
!
!
policy-map type service FWPOL-DEFAULT
service local
class type traffic CLS-ACCEPT
 police input 512000
 police output 512000
!
!
policy-map type control CTRL-IPOE
class type control always event timed-policy-expiry
 1 service disconnect
!
class type control always event account-logoff
 1 service disconnect
!
class type control always event radius-timeout
 10 set-timer TIMER-UNAUTH 10
 20 service-policy type service name FWPOL-DEFAULT
!
class type control always event session-start
 10 set-timer TIMER-AUTH 7200
 20 authorize aaa list billing-auth password mypass identifier source-ip-address 
 30 set-timer TIMER-UNAUTH 5
 40 service-policy type service name FWPOL-BLOCK-TRUST
 50 service-policy type service name FWPOL-BLOCK-REDIRECT
!
!
!
! 
!
!
!
!
!
!
!
!
!         
!
!
!
! 
! 
!
interface Loopback0
ip address 172.31.31.31 255.255.255.255
!
interface Loopback1
ip address 172.1.1.14 255.255.255.255
!
interface TenGigabitEthernet0/0/0
description Downlink-to-X670
ip address 10.254.253.18 255.255.255.252
no ip redirects
no ip unreachables
service-policy type control CTRL-IPOE
ip subscriber routed
 initiator unclassified ip-address
!
interface TenGigabitEthernet0/0/1
description Uplink-to-JunMX80
ip address 188.190.159.221 255.255.255.252
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/4
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/5
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
description Managment
vrf forwarding Mgmt-intf
ip address 10.96.0.96 255.255.0.0
negotiation auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 188.x.y.222
ip route 10.0.0.0 255.128.0.0 10.254.253.17
ip route 172.1.1.1 255.255.255.255 10.254.254.17
ip route 172.1.1.2 255.255.255.255 172.1.1.1
ip route 188.x.y.248 255.255.255.252 10.254.253.17
ip route vrf Mgmt-intf 10.0.0.0 255.0.0.0 10.96.0.1
!
ip access-list extended ACL-ACCEPT
permit ip any any
ip access-list extended ACL-BLOCK-REDIRECT
permit tcp any any eq www
deny   ip any any
ip access-list extended ACL-BLOCK-TRUST
permit ip any 194.54.14.0 0.0.0.255
permit ip any 194.186.207.0 0.0.0.255
ip access-list extended ACL-LOCAL-NET
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
ip access-list extended ACL-NAT-GRAY-NET
permit ip 10.0.0.0 0.255.255.255 any
ip access-list extended ACL-NEGBAL-REDIRECT
permit tcp any any eq www
deny   ip any any
ip access-list extended ACL-NEGBAL-TRUST
permit ip any 194.54.14.0 0.0.0.255
permit ip any 194.186.207.0 0.0.0.255
ip access-list extended ACL-NOSHAPE
permit ip 188.190.128.0 0.0.31.255 188.190.128.0 0.0.31.255
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
permit ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.15.255.255
permit ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255
permit ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255
ip access-list extended ACL-REDIRECT
permit tcp any any eq www
deny   ip any any
!
access-list 1 permit 10.80.0.0 0.0.255.255
access-list 1 permit 10.95.0.0 0.0.255.255
access-list 1 deny   any
access-list 100 permit ip 10.80.0.0 0.0.255.255 any
access-list 100 permit ip 10.95.0.0 0.0.255.255 any
access-list 100 deny   ip any any
!

!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
ntp source GigabitEthernet0
ntp server 10.80.0.225
!
end

 

 

 

During authorization it says the following:

 

 

Nov 11 06:30:36.271: AAA/BIND(000006B9): Bind i/f  
*Nov 11 06:30:36.271: AAA/BIND(000006B9): Bind i/f TenGigabitEthernet0/0/0 
*Nov 11 06:30:36.271: SSS INFO: Element type is AccIe-Hdl = 570426807 (220005B7)
*Nov 11 06:30:36.271: SSS INFO: Element type is AAA-Id = 1721 (000006B9)
*Nov 11 06:30:36.271: SSS INFO: Element type is SHDB-Handle = 2348810679 (8C0001B7)
*Nov 11 06:30:36.271: SSS INFO: Element type is Input Interface = "TenGigabitEthernet0/0/0"
*Nov 11 06:30:36.271: SSS INFO: Element type is IP-Address = 10.90.0.33 (0A5A0021)
*Nov 11 06:30:36.271: SSS INFO: Element type is IP-Address-VRF = IP 10.90.0.33:0
*Nov 11 06:30:36.271: SSS INFO: Element type is source-ip-address = 7F123A643768 
*Nov 11 06:30:36.271: SSS INFO: Element type is Sign-Of-Life = 1 (00000001)
*Nov 11 06:30:36.271: SSS INFO: Element type is IP-Session-Handle = 922748343 (370005B7)
*Nov 11 06:30:36.271: SSS INFO: Element type is Access-Type = 15 (IP)
*Nov 11 06:30:36.271: SSS INFO: Element type is Subscriber-Session-Type = 1 (00000001)
*Nov 11 06:30:36.271: SSS INFO: Element type is Protocol-Type = 4 (IP Access Protocol)
*Nov 11 06:30:36.271: SSS INFO: Element type is Media-Type = 2 (IP)
*Nov 11 06:30:36.271: SSS INFO: Element type is Switch-Id = 7021 (00001B6D)
*Nov 11 06:30:36.271: SSS INFO: Element type is Segment-Hdl = 7022 (00001B6E)
*Nov 11 06:30:36.271: SSS MGR [uid:462]: Sending a Session Assert ID Mgr request
*Nov 11 06:30:36.271: SSS MGR [uid:462]: Updating ID Mgr with the following keys:
 aaa-unique-id        0   1721 (0x6B9)
 domainip-vrf         0   0A 5A 00 21 00 00 
*Nov 11 06:30:36.271: SSS MGR [uid:462]: Updating ID Mgr with the following data- smgr hdl0xF30005B7 : 
 addr                 0   10.90.0.33
*Nov 11 06:30:36.271: SSS MGR [uid:462]: ID Mgr returned status: 'success' for Session Assert
*Nov 11 06:30:36.271: SSS MGR [uid:462]: Handling Policy Service Authorize action (1 pending sessions)
*Nov 11 06:30:36.271: SSS AAA AUTHOR [uid:462][AAA ID:1721]: using named author method list "billing-auth"
*Nov 11 06:30:36.271: SSS AAA AUTHOR [uid:462][AAA ID:1721]: using set aaa password "mypass"
*Nov 11 06:30:36.271: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Root SIP IP
*Nov 11 06:30:36.271: SSS AAA AUTHOR [uid:462][AAA ID:1721]:  Enable IP parsing
*Nov 11 06:30:36.271: SSS AAA AUTHOR [uid:462][AAA ID:1721]:  Enable DHCP parsing
*Nov 11 06:30:36.271: SSS AAA AUTHOR [uid:462][AAA ID:1721]:  Enable IP-Interface parsing
*Nov 11 06:30:36.271: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Event <make request>, state changed from idle to authorizing
*Nov 11 06:30:36.271: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Active key set to source-ip-address
*Nov 11 06:30:36.271: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Authorizing key 10.90.0.33
*Nov 11 06:30:36.271: AAA/AUTHOR (0x6B9): Pick method list 'billing-auth'
*Nov 11 06:30:36.271: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Set authorization profile type default -  user
*Nov 11 06:30:36.271: SSS AAA AUTHOR [uid:462][AAA ID:1721]: AAA request sent for key 10.90.0.33
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: TAL authorisation keys added
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Received an AAA pass
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: [7F1245016E50]:Reply message not exist
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Parsed AAA interim interval = 300
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: SIP IP[7F12C1F35BB0] parsed as Success
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: SIP IP[7F12C1F90790] parsed as Ignore
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: SIP DHCP[7F12C1F90790] parsed as Ignore
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Event <service not found>, state changed from authorizing to complete
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: No service authorization info found
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Active Handle present - 11000981
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Freeing Active Handle; SSS Policy Context Handle = 17000D99
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Event <free request>, state changed from complete to terminal
*Nov 11 06:30:36.347: SSS AAA AUTHOR [uid:462][AAA ID:1721]: Cancel request
*Nov 11 06:30:36.347: SSS MGR [uid:462]: Got reply Disconnect from PM
*Nov 11 06:30:36.347: SSS MGR [uid:462]: Handling Session Disconnect action
*Nov 11 06:30:36.347: SSS MGR [uid:462]: No accounting feature installed skipping attribute gathering
*Nov 11 06:30:36.347: SSS MGR [uid:462]: Handling Disconnecting, All Clean action
*Nov 11 06:30:36.347: SSS MGR [uid:462]: Sending a Session End ID Mgr request
*Nov 11 06:30:36.347: SSS MGR [uid:462]: ID Mgr returned status: 'deleted' for Session End
*Nov 11 06:30:36.347: SSS MGR [uid:462]: Publish session done aaa 1721, uid 462

 

 

From RADIUS I return the following:

Framed-Ip-Address=10.90.0.33, Cisco-AVpair=accouting-list=billing-auth, Cisco-Account-Info=AFWPOL-ACCEPT, Cisco-Account-Info=AFWPOL-NOSHAPE, Acct-Interim-Interval=300
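
A cross-reference check for the config and RADIUS reply posted above, as an added example that is not part of the original post: it lists service and control policy names that are referenced but never declared with `policy-map` in the config. It assumes a leading `A` in `Cisco-Account-Info` marks a service to activate at logon; the function names and the trimmed excerpts are constructed for illustration.

```python
import re

# Trimmed excerpts of the running-config and RADIUS reply quoted in the post.
CONFIG = """\
subscriber authorization enable
service-policy type control test
policy-map type service FWPOL-LOCAL-NET
policy-map type service FWPOL-ACCEPT
policy-map type service FWPOL-NEGBAL-TRUST
policy-map type service FWPOL-NEGBAL-REDIRECT
policy-map type service FWPOL-BLOCK-TRUST
policy-map type service FWPOL-BLOCK-REDIRECT
policy-map type service FWPOL-DEFAULT
policy-map type control CTRL-IPOE
 20 service-policy type service name FWPOL-DEFAULT
 40 service-policy type service name FWPOL-BLOCK-TRUST
 50 service-policy type service name FWPOL-BLOCK-REDIRECT
interface TenGigabitEthernet0/0/0
service-policy type control CTRL-IPOE
"""
RADIUS_REPLY = (
    "Framed-Ip-Address=10.90.0.33, Cisco-AVpair=accouting-list=billing-auth, "
    "Cisco-Account-Info=AFWPOL-ACCEPT, Cisco-Account-Info=AFWPOL-NOSHAPE, "
    "Acct-Interim-Interval=300"
)

def defined(config, kind):
    """Names declared with 'policy-map type <kind> NAME'."""
    return set(re.findall(rf"^\s*policy-map type {kind} (\S+)", config, re.M))

def radius_services(reply):
    """Service names carried in Cisco-Account-Info values.
    Assumption: a leading 'A' marks a service to activate at logon."""
    pairs = (item.strip().partition("=") for item in reply.split(","))
    return [v[1:] for k, _, v in pairs
            if k == "Cisco-Account-Info" and v.startswith("A")]

def dangling(config, reply):
    """Service/control policy names that are referenced but never defined."""
    services = radius_services(reply) + re.findall(
        r"service-policy type service name (\S+)", config)
    controls = re.findall(r"^\s*service-policy type control (\S+)", config, re.M)
    return {
        "service": sorted(set(services) - defined(config, "service")),
        "control": sorted(set(controls) - defined(config, "control")),
    }

if __name__ == "__main__":
    print(dangling(CONFIG, RADIUS_REPLY))
```
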
