UTM5 Radius + Cisco ISG: incomprehensible troubles

Hi all!

I can't beat this problem. Everything seems to be set up as it should be (https://drive.google.com/file/d/0B4dvafHHhRrWS1BFUDZVdnBGdFU/view), but the logs keep showing the same thing: unauthen.

 

Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S1, RELEASE SOFTWARE (fc1) 

 

 

I tried versions s6 and s7 too. In s1 there is an identifier, but in s6 and s7 there isn't :\

 

Oct  2 19:41:48 10.10.7.1 474: Oct  2 19:41:48.735: SSS INFO: Element type is Protocol-Type = 4 (IP Access Protocol) 
Oct  2 19:41:48 10.10.7.1 475: Oct  2 19:41:48.735: SSS INFO: Element type is Media-Type = 2 (IP) 
Oct  2 19:41:48 10.10.7.1 476: Oct  2 19:41:48.735: SSS INFO: Element type is AccIe-Hdl = 3288334347 (C400000B) 
Oct  2 19:41:48 10.10.7.1 477: Oct  2 19:41:48.735: SSS INFO: Element type is AAA-Id = 84 (00000054) 
Oct  2 19:41:48 10.10.7.1 478: Oct  2 19:41:48.735: SSS INFO: Element type is SHDB-Handle = 0 (00000000) 
Oct  2 19:41:48 10.10.7.1 479: Oct  2 19:41:48.735: SSS INFO: Element type is Input Interface = "GigabitEthernet0/3.30" 
Oct  2 19:41:48 10.10.7.1 480: Oct  2 19:41:48.735: SSS INFO: Element type is Mac-Address = 84c9.b20a.3f37 
Oct  2 19:41:48 10.10.7.1 481: Oct  2 19:41:48.735: SSS INFO: Element type is Unauth-User = "84c9.b20a.3f37" 
Oct  2 19:41:48 10.10.7.1 482: Oct  2 19:41:48.735: SSS INFO: Element type is Circuit-id = "0004001e0013" 
Oct  2 19:41:48 10.10.7.1 483: Oct  2 19:41:48.735: SSS INFO: Element type is Remote-id = "0006340804c565e5" 
Oct  2 19:41:48 10.10.7.1 484: Oct  2 19:41:48.735: SSS INFO: Element type is Vendor-Class-id = "udhcp 0.9.8" 
Oct  2 19:41:48 10.10.7.1 485: Oct  2 19:41:48.735: SSS INFO: Element type is Restart = 1 (YES) 
Oct  2 19:41:48 10.10.7.1 486: Oct  2 19:41:48.735: SSS INFO: Element type is Access-Type = 18 (DHCP) 
Oct  2 19:41:48 10.10.7.1 487: Oct  2 19:41:48.735: SSS MGR [uid:11]: Sending a Session Assert ID Mgr request 
Oct  2 19:41:48 10.10.7.1 488: Oct  2 19:41:48.735: SSS MGR [uid:11]: Updating ID Mgr with the following keys: 
Oct  2 19:41:48 10.10.7.1 489:   aaa-unique-id        0   84 (0x54) 
Oct  2 19:41:48 10.10.7.1 490:   clid-mac-addr        0   84 C9 B2 0A 3F 37 
Oct  2 19:41:48 10.10.7.1 491:   username             0   "84c9.b20a.3f37" 
Oct  2 19:41:48 10.10.7.1 492: Oct  2 19:41:48.735: SSS MGR [uid:11]: Updating ID Mgr with the following data- smgr hdl0x3700000B : 
Oct  2 19:41:48 10.10.7.1 493:   circuit-id-tag       0   "0004001e0013" 
Oct  2 19:41:48 10.10.7.1 494:   remote-id-tag        0   "0006340804c565e5" 
Oct  2 19:41:48 10.10.7.1 495:   vendor-class-id-tag  0   "udhcp 0.9.8" 
Oct  2 19:41:48 10.10.7.1 496: Oct  2 19:41:48.735: SSS MGR [uid:11]: ID Mgr returned status: 'success' for Session Assert 
Oct  2 19:41:48 10.10.7.1 497: Oct  2 19:41:48.735: SSS MGR [uid:11]: Event client-service-request, state changed from wait-for-req to authorizing
Oct  2 19:41:48 10.10.7.1 498: Oct  2 19:41:48.735: SSS MGR [uid:11]: Handling Policy Service Authorize action (1 pending sessions) 
Oct  2 19:41:48 10.10.7.1 499: Oct  2 19:41:48.735: SSS MGR [uid:11]: Got reply Need More Keys from PM 
Oct  2 19:41:49 10.10.7.1 500: Oct  2 19:41:48.735: SSS MGR [uid:11]: Event policy-or-mgr-need-more-keys, state changed from authorizing to pm-needs-more-keys 
Oct  2 19:41:49 10.10.7.1 501: Oct  2 19:41:48.735: SSS MGR [uid:11]: Handling Need More Keys action 
Oct  2 19:41:49 10.10.7.1 502: Oct  2 19:41:48.735: SSS MGR [uid:11]: Use authen list "IPoE" 

 

C7206-BRAS#sh sss ses 
Codes: Lterm - Local Term, Fwd - forwarded, unauth - unathenticated, authen - 
authenticated, TC Ct. - Number of Traffic Classes on the main session 

 

Current Subscriber Information: Total sessions 1 
Uniq ID Interface    State    Service     Up-time  TC Ct. Identifier 
11      DHCP         unauthen Attempting  00:03:07 0      84c9.b20a.3f37 

 

C7206-BRAS#sh sss ses det 
Current Subscriber Information: Total sessions 1 
-------------------------------------------------- 
Type: DHCP, UID: 11, State: unauthen, Identity: 84c9.b20a.3f37 
Session Up-time: 00:03:34, Last Changed: 00:03:34 
Switch-ID: 0 

Policy information: 
 Context 51639648: Handle 1B000017 
 AAA_id 00000054: Flow_handle 0 
 Authentication status: unauthen 
 Rules, actions and conditions executed: 
   subscriber rule-map ISG-RADIUS-PROFILES 
     condition always event session-restart 
       10 authorize aaa list IPoE identifier source-ip-address 

 

7206 config

 

aaa group server radius ISG-RADIUS-PROFILES 
server name UTM5-RADIUS 
ip radius source-interface Loopback1 
! 
aaa group server radius ISG-IPoE 
server name UTM5-RADIUS 
ip radius source-interface Loopback2 
! 
aaa group server radius ACC-IPoE 
server name UTM5-RADIUS 
ip radius source-interface Loopback2 
! 
aaa authentication login IPoE group ISG-IPoE 
aaa authorization network IPoE group ISG-IPoE 
aaa authorization subscriber-service default group ISG-RADIUS-PROFILES 
aaa accounting update periodic 5 
aaa accounting network IPoE start-stop group ACC-IPoE 

aaa server radius dynamic-author 
client 10.10.4.2 server-key 7 secret 
auth-type all 
ignore session-key 
ignore server-key 

ip dhcp relay information option 
ip dhcp relay information policy keep 
no ip dhcp relay information check 
ip dhcp relay information trust-all 
no ip dhcp use vrf connected 

ip dhcp pool UTM5 
relay source 172.22.22.0 255.255.255.0 
relay destination 10.10.5.2 

subscriber authorization enable 

redirect server-group L4R 
server ip 10.10.10.1 port 80 
! 
! 
! 
! 
! 
! 
class-map type control match-all ISG-IP-UNAUTH 
match timer UNAUTH-TIMER 
match authen-status unauthenticated 

policy-map type control ISG-RADIUS-PROFILES 
class type control ISG-IP-UNAUTH event timed-policy-expiry 
 1 service disconnect 
! 
class type control always event session-start 
 10 authorize aaa list IPoE identifier source-ip-address 
 20 service-policy type service name OG_SRV 
 30 service-policy type service name L4R_SRV 
 40 set-timer UNAUTH-TIMER 1 
! 
class type control always event session-restart 
 10 authorize aaa list IPoE identifier source-ip-address 
 20 service-policy type service name OG_SRV 
 30 service-policy type service name L4R_SRV 
 40 set-timer UNAUTH-TIMER 1 

interface Loopback1 
description AAA_Profile 
ip address 10.10.1.1 255.255.255.255 
no ip redirects 
no ip unreachables 
no ip proxy-arp 
ntp disable 
! 
interface Loopback2 
description AAA_IPoE 
ip address 10.10.2.1 255.255.255.255 
no ip redirects 
no ip unreachables 
no ip proxy-arp 
ntp disable 

interface Loopback11 
ip address 172.22.22.254 255.255.255.0 
no ip redirects 
no ip unreachables 
ntp disable 

interface GigabitEthernet0/3.30 
description -=IPoE_Clients=- 
encapsulation dot1Q 30 
ip unnumbered Loopback11 
no ip redirects 
no ip unreachables 
no ip proxy-arp 
ip flow monitor ISG-BRAS sampler ISG-BRAS input 
ip flow monitor ISG-BRAS sampler ISG-BRAS output 
service-policy type control ISG-RADIUS-PROFILES 
ip subscriber l2-connected 
 initiator dhcp 

radius-server attribute 44 include-in-access-req all 
radius-server attribute 6 on-for-login-auth 
radius-server attribute 8 include-in-access-req 
radius-server attribute 32 include-in-access-req 
radius-server attribute 32 include-in-accounting-req 
radius-server attribute 55 include-in-acct-req 
radius-server attribute 55 access-request include 
radius-server attribute nas-port format d 
radius-server attribute 61 extended 
radius-server attribute 31 send nas-port-detail mac-only 
radius-server attribute 31 remote-id 
radius-server attribute nas-port-id include circuit-id plus remote-id plus vendor-class-id 
radius-server vsa send cisco-nas-port 
radius-server vsa send accounting 
radius-server vsa send authentication 
! 
radius server UTM5-RADIUS 
address ipv4 10.10.4.2 auth-port 1812 acct-port 1813 
key 7 secret

 

It just flatly refuses to authorize. Tell me where to dig and I'll dig.

Show the RADIUS debug.

Do I understand correctly that not a single subscriber can authorize, or is this a one-off?

On the RADIUS side, do the bare minimum: just a plain Accept, without any services and the like.

Show the RADIUS debug.

Do I understand correctly that not a single subscriber can authorize, or is this a one-off?

On the RADIUS side, do the bare minimum: just a plain Accept, without any services and the like.

Not a single one, that's right. Right now there's one test session running; we also tried hooking up a couple of subscriber CPE boxes, same result.

 

Some junk after a reboot, which sometimes clears up and sometimes doesn't:

*Feb 17 19:27:00.007: %AAAA-4-SERVUNDEF: The server-group "ISG-IPoE" is not defined. Please define it.
*Feb 17 19:27:00.011: %AAAA-4-SERVUNDEF: The server-group "ISG-IPoE" is not defined. Please define it.

 

There's simply no connectivity to the RADIUS at all. But for what reason...

 

Router#sh sss ses
Current Subscriber Information: Total sessions 1

Uniq ID Interface    State         Service      Identifier           Up-time
1       IP           unauthen      Local Term   84c9.b20a.3f37       00:04:02

Router#sh sss ses uid 1
Unique Session ID: 1
Identifier: 84c9.b20a.3f37
SIP subscriber access type(s): IP
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 00:04:06, Last Changed: 00:04:06

Policy information:
 Authentication status: unauthen
 Rules, actions and conditions executed:
   subscriber rule-map ISG-RADIUS-PROFILES
     condition always event session-start
       10 authorize aaa list IPoE identifier source-ip-address

Configuration sources associated with this session:
Interface: GigabitEthernet0/3.30, Active Time = 00:04:06

 

On the production box everything ran fine. Now it had to be rebuilt, and I've been f...ing around with it for several days now.

Oct 05 22:20:28 ?Debug : d1fa9700 AuthQueue: New request from 10.10.1.1:1645
--- RADIUS Pkt ---
 Code: [1]  ID:   [99]
 Auth: Size 16; Data [0x0bdbc11617a222c70280225f02cdea01]
   Attr: [2] Vendor: [0] Size 16; Data [0xfd3aac192589e6ca6669d3a876f39c63]
       (User-Password=HEX:...)
   Attr: [31] Vendor: [0] Size 16; Data [0x30303036333430383034633536356535]
       (Calling-Station-Id=STRING:0006340804c565e5)
   Attr: [1] Vendor: [0] Size 6; Data [0x4f475f535256]
       (User-Name=STRING:OG_SRV)
   Attr: [61] Vendor: [0] Size 4; Data [0x00000021]
       (NAS-Port-Type=INT:33)
   Attr: [2] Vendor: [9] Size 41; Data [0x3030303430303165303031343a303030363334303830346335363565353a756468637020302e392e38]
       (Cisco:Cisco-NAS-Port=STRING:0004001e0014:0006340804c565e5:udhcp 0.9.8)
   Attr: [5] Vendor: [0] Size 4; Data [0x0300001e]
       (NAS-Port=INT:50331678)
   Attr: [87] Vendor: [0] Size 41; Data [0x3030303430303165303031343a303030363334303830346335363565353a756468637020302e392e38]
       (NAS-Port-Id=STRING:0004001e0014:0006340804c565e5:udhcp 0.9.8)
   Attr: [1] Vendor: [9] Size 27; Data [0x636972637569742d69642d7461673d303030343030316530303134]
       (Cisco:Cisco-AVPair=STRING:circuit-id-tag=0004001e0014)
   Attr: [1] Vendor: [9] Size 30; Data [0x72656d6f74652d69642d7461673d30303036333430383034633536356535]
       (Cisco:Cisco-AVPair=STRING:remote-id-tag=0006340804c565e5)
   Attr: [1] Vendor: [9] Size 31; Data [0x76656e646f722d636c6173732d69642d7461673d756468637020302e392e38]
       (Cisco:Cisco-AVPair=STRING:vendor-class-id-tag=udhcp 0.9.8)
   Attr: [6] Vendor: [0] Size 4; Data [0x00000005]
       (Service-Type=INT:5)
   Attr: [4] Vendor: [0] Size 4; Data [0x0a0a0101]
       (NAS-IP-Address=IP:10.10.1.1)
   Attr: [32] Vendor: [0] Size 10; Data [0x43373230362d42524153]
       (NAS-Identifier=STRING:C7206-BRAS)
   Attr: [55] Vendor: [0] Size 4; Data [0x57f51a2e]
       (Event-Timestamp=DATE:1475680814)

Oct 05 22:20:28 ?Debug : d1fa9700 AuthQueue: Login 'OG_SRV'
Oct 05 22:20:28 ?Debug : d1fa9700 AuthQueue: Login info found, radius account og_srv
Oct 05 22:20:28 ?Debug : d1fa9700 AuthQueue: Processing radius account og_srv
Oct 05 22:20:28 ?Debug : d1fa9700 AuthQueue: Using PAP authentication method
Oct 05 22:20:28 ?Debug : d1fa9700 CustomAttrs: custom attributes for RADIUS_ACCOUNT ID 2 have been added to the reply
Oct 05 22:20:28 ?Debug : d1fa9700 AcctQueue: lookup: session ID 876 closed
Oct 05 22:20:28 ?Debug : d1fa9700 SessionManager: put: sessiond ID 876 from NAS 2 is closed
Oct 05 22:20:28 ?Debug : d1fa9700 AuthQueue: Reply
--- RADIUS Pkt ---
 Code: [2]  ID:   [99]
 Auth: Size 16; Data [0x0bdbc11617a222c70280225f02cdea01]
   Attr: [1] Vendor: [9] Size 63; Data [0x69703a747261666669632d636c6173733d696e707574206163636573732d67726f7570206e616d652041434c5f5a30305f494e207072696f72697479203130]
       (Cisco:Cisco-AVPair=STRING:ip:traffic-class=input access-group name ACL_Z00_IN priority 10)
   Attr: [1] Vendor: [9] Size 33; Data [0x69703a747261666669632d636c6173733d6f75742064656661756c742064726f70]
       (Cisco:Cisco-AVPair=STRING:ip:traffic-class=out default drop)
   Attr: [1] Vendor: [9] Size 32; Data [0x69703a747261666669632d636c6173733d696e2064656661756c742064726f70]
       (Cisco:Cisco-AVPair=STRING:ip:traffic-class=in default drop)
   Attr: [1] Vendor: [9] Size 65; Data [0x69703a747261666669632d636c6173733d6f7574707574206163636573732d67726f7570206e616d652041434c5f5a30305f4f5554207072696f72697479203130]
       (Cisco:Cisco-AVPair=STRING:ip:traffic-class=output access-group name ACL_Z00_OUT priority 10)

Oct 05 22:20:43 ?Debug : d18a2700 StreamConnection: Got message ID 0x2129
Oct 05 22:20:43 ?Debug : d18a2700 Transport: got PING event

 

And so on, in a loop.

Edited by TiRider
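To make sense of what the UTM5 debug above is printing (the Code/ID/Auth header, the plain attributes, the Cisco Vendor-Specific ones), here is an added example of my own, not UTM5's or Cisco's code, that builds the same kind of Access-Request, parses it back with strict length checks, and signs and verifies the Access-Accept's Response Authenticator the way a NAS must before trusting a reply. The attribute values and the request authenticator are copied from the debug above; the shared secret and the password are constructed placeholders, and the VSA decoder only names Cisco (vendor 9) sub-attributes.

```python
"""Added example (not UTM5 or Cisco code): build, parse and verify RFC 2865 RADIUS packets
like those in the UTM5 debug; values come from that debug, secret and password are placeholders."""
import hashlib
import hmac
import socket
import struct

VENDOR_CISCO = 9
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
              6: "Service-Type", 32: "NAS-Identifier", 61: "NAS-Port-Type"}
CISCO_VSA_NAMES = {1: "Cisco-AVPair", 2: "Cisco-NAS-Port"}
SECRET = b"constructed-shared-secret"         # placeholder, not a real key
REQ_AUTH = bytes.fromhex("0bdbc11617a222c70280225f02cdea01")  # Auth from the debug above

def attr(atype, value):
    """Plain attribute: Type, Length (value + 2 header bytes), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, 2 + len(value)]) + value

def cisco_vsa(vtype, text):
    """Vendor-Specific (26) wrapping one Cisco (vendor 9) sub-attribute."""
    sub = bytes([vtype, 2 + len(text)]) + text.encode()
    return attr(26, struct.pack("!I", VENDOR_CISCO) + sub)

def build(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def sign_reply(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_reply(reply, request_auth, secret):
    """True only if the reply parses cleanly and its authenticator matches."""
    try:
        parse(reply)
    except ValueError:
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def pap_xor(data, secret, request_auth, reveal=False):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block); reveal=True undoes it."""
    if not reveal:                                # NAS side: NUL-pad the password first
        data += b"\x00" * ((-len(data)) % 16 if data else 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev, out = (data[i:i + 16] if reveal else block), out + block
    return out.rstrip(b"\x00") if reveal else out

def _decode(atype, raw):
    if atype in (4, 5, 6, 61):                    # IPv4 address or 32-bit integer
        if len(raw) != 4:
            raise ValueError("attribute %d must be 4 bytes" % atype)
        return socket.inet_ntoa(raw) if atype == 4 else struct.unpack("!I", raw)[0]
    return raw.hex() if atype == 2 else raw.decode("utf-8", "replace")  # password stays hidden

def parse(data):
    """Return (code, ident, authenticator, [(name, value), ...]); strict on lengths."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field %d does not match %d bytes" % (length, len(data)))
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        raw = data[pos + 2:pos + alen]
        if atype == 26:                           # Vendor-Specific
            if len(raw) < 6 or raw[5] != len(raw) - 4:
                raise ValueError("malformed Vendor-Specific at offset %d" % pos)
            vendor, vtype = struct.unpack("!I", raw[:4])[0], raw[4]
            name = (CISCO_VSA_NAMES.get(vtype, "Cisco-%d" % vtype) if vendor == VENDOR_CISCO
                    else "Vendor%d-%d" % (vendor, vtype))
            attrs.append((name, raw[6:].decode("utf-8", "replace")))
        else:
            attrs.append((ATTR_NAMES.get(atype, "Attr-%d" % atype), _decode(atype, raw)))
        pos += alen
    return code, ident, data[4:20], attrs

def demo():
    """Access-Request as the BRAS sent it, and an Accept signed as UTM5 must sign it."""
    request = build(1, 99, REQ_AUTH, [
        attr(2, pap_xor(b"placeholder", SECRET, REQ_AUTH)),       # constructed password
        attr(1, b"OG_SRV"),
        attr(61, struct.pack("!I", 33)),
        cisco_vsa(1, "circuit-id-tag=0004001e0014"),
        attr(4, socket.inet_aton("10.10.1.1")),
    ])
    reply = sign_reply(2, 99, REQ_AUTH, [cisco_vsa(1,
        "ip:traffic-class=input access-group name ACL_Z00_IN priority 10")], SECRET)
    return request, reply
```

`verify_reply` is the check the NAS runs on every Accept: a reply signed with a different secret, or one byte of the attributes changed in transit, fails the comparison and is silently discarded, which is one of the ways a session can sit in unauthen without any Reject ever appearing in the session manager's log.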

No authorization from UTM5 RADIUS with the Cisco when Request-Start is sent.

 

I checked it by testing: test aaa group radius server name UTM5-RADIUS user password port 1812 new-code count 1

 

Oct  8 23:30:02 10.10.7.1 3821: .Oct  8 23:30:02.251: RADIUS/ENCODE(00000000):Orig. component type = Invalid 
Oct  8 23:30:02 10.10.7.1 3822: .Oct  8 23:30:02.251: RADIUS/ENCODE: Skip encoding 0 length AAA attribute formatted-clid 
Oct  8 23:30:02 10.10.7.1 3823: .Oct  8 23:30:02.251: RADIUS(00000000): Config NAS IP: 0.0.0.0 
Oct  8 23:30:02 10.10.7.1 3824: .Oct  8 23:30:02.251: RADIUS(00000000): Config NAS IPv6: :: 
Oct  8 23:30:02 10.10.7.1 3825: .Oct  8 23:30:02.251: RADIUS(00000000): Config NAS IP: 0.0.0.0 
Oct  8 23:30:02 10.10.7.1 3826: .Oct  8 23:30:02.251: RADIUS(00000000): sending 
Oct  8 23:30:02 10.10.7.1 3827: .Oct  8 23:30:02.251: RADIUS/DECODE(00000000): There is no General DB. Want server details may not be specified 
Oct  8 23:30:02 10.10.7.1 3828: .Oct  8 23:30:02.251: RADIUS/ENCODE: Best Local IP-Address 10.10.4.1 for Radius-Server 10.10.4.2 
Oct  8 23:30:02 10.10.7.1 3829: RADIUS/ENCODE: Nas-Identifier "C7206-BRAS" 
Oct  8 23:30:02 10.10.7.1 3830: .Oct  8 23:30:02.251: RADIUS(00000000): Sending a IPv4 Radius Packet 
Oct  8 23:30:02 10.10.7.1 3831: .Oct  8 23:30:02.251: RADIUS(00000000): Send Access-Request to 10.10.4.2:1812 id 1645/1,len 88 
Oct  8 23:30:02 10.10.7.1 3832: .Oct  8 23:30:02.251: RADIUS:  authenticator 93 ED C5 D4 C4 6F 0C ED - 62 DB 7C 2A 3C 41 33 8F 
Oct  8 23:30:02 10.10.7.1 3833: .Oct  8 23:30:02.251: RADIUS:  User-Password       [2]   18  * 
Oct  8 23:30:02 10.10.7.1 3834: .Oct  8 23:30:02.251: RADIUS:  User-Name           [1]   9   "testmax" 
Oct  8 23:30:02 10.10.7.1 3835: .Oct  8 23:30:02.251: RADIUS:  Service-Type        [6]   6   Login                     [1] 
Oct  8 23:30:02 10.10.7.1 3836: .Oct  8 23:30:02.251: RADIUS:  NAS-IP-Address      [4]   6   10.10.4.1 
Oct  8 23:30:02 10.10.7.1 3837: .Oct  8 23:30:02.251: RADIUS:  Nas-Identifier      [32]  23  "C7206-BRAS" 
Oct  8 23:30:03 10.10.7.1 3838: .Oct  8 23:30:02.251: RADIUS:  Event-Timestamp     [55]  6   1475944202 
Oct  8 23:30:03 10.10.7.1 3839: .Oct  8 23:30:02.251: RADIUS(00000000): Started 5 sec timeout 
Oct  8 23:30:07 10.10.7.1 3840: .Oct  8 23:30:07.275: RADIUS(00000000): Request timed out! 
Oct  8 23:30:07 10.10.7.1 3841: .Oct  8 23:30:07.275: RADIUS: Retransmit to (10.10.4.2:1812,1813) for id 1645/1 
Oct  8 23:30:07 10.10.7.1 3842: .Oct  8 23:30:07.275: RADIUS:  authenticator 93 ED C5 D4 C4 6F 0C ED - 62 DB 7C 2A 3C 41 33 8F 
Oct  8 23:30:07 10.10.7.1 3843: .Oct  8 23:30:07.275: RADIUS:  User-Password       [2]   18  * 
Oct  8 23:30:07 10.10.7.1 3844: .Oct  8 23:30:07.275: RADIUS:  User-Name           [1]   9   "testmax" 
Oct  8 23:30:07 10.10.7.1 3845: .Oct  8 23:30:07.275: RADIUS:  Service-Type        [6]   6   Login                     [1] 
Oct  8 23:30:07 10.10.7.1 3846: .Oct  8 23:30:07.275: RADIUS:  NAS-IP-Address      [4]   6   10.10.4.1 
Oct  8 23:30:07 10.10.7.1 3847: .Oct  8 23:30:07.275: RADIUS:  Nas-Identifier      [32]  23  "C7206-BRAS" 
Oct  8 23:30:08 10.10.7.1 3848: .Oct  8 23:30:07.275: RADIUS:  Event-Timestamp     [55]  6   1475944202 
Oct  8 23:30:08 10.10.7.1 3849: .Oct  8 23:30:07.275: RADIUS(00000000): Started 5 sec timeout 
Oct  8 23:30:12 10.10.7.1 3850: .Oct  8 23:30:12.299: RADIUS(00000000): Request timed out! 

 

dump

root@billing:~# tcpdump -i eth1.14 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 
listening on eth1.14, link-type EN10MB (Ethernet), capture size 262144 bytes 
23:51:03.330179 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x02 length: 85 
23:51:08.353560 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x02 length: 85 
23:51:13.377885 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x02 length: 85 
23:51:18.401808 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x02 length: 85 
23:51:23.442722 IP 10.10.4.1.sa-msg-port > 10.10.4.2.radius-acct: RADIUS, Accounting Request (4), id: 0x06 length: 103 
23:51:28.466111 IP 10.10.4.1.sa-msg-port > 10.10.4.2.radius-acct: RADIUS, Accounting Request (4), id: 0x07 length: 103 
23:51:33.490294 IP 10.10.4.1.sa-msg-port > 10.10.4.2.radius-acct: RADIUS, Accounting Request (4), id: 0x08 length: 103 
23:51:38.514390 IP 10.10.4.1.sa-msg-port > 10.10.4.2.radius-acct: RADIUS, Accounting Request (4), id: 0x09 length: 103

 

But when you do clear sss ses all and the client re-authorizes, the dump shows nothing at all.

 

People, I need help!
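The `debug radius` output and the tcpdump in this post tell the same story once you count them: requests go out, they are retransmitted, they time out, and nothing ever comes back. Here is an added check of my own (not from the thread, UTM5 or any Cisco tool) that summarises a `debug radius` session per server and a tcpdump capture per client/server/service pair, and reports the NAS-IP-Address the box actually advertised. The sample lines are copied from this post, except the "healthy" pair, which is constructed for contrast; the pattern for a received reply (`RADIUS: Received from id ...`) is the standard IOS format and is assumed here because the page has no reply to show.

```python
"""Added example (not from the thread, UTM5 or Cisco): summarise a Cisco `debug radius`
session and a tcpdump capture to spot a RADIUS server that never answers."""
import re
from collections import defaultdict

SEND_RE = re.compile(r"RADIUS\(\w+\): Send ([\w-]+) to ([\d.]+:\d+) id (\d+/\d+)")
RETRANS_RE = re.compile(r"RADIUS: Retransmit to \(([\d.]+:\d+),\d+\) for id (\d+/\d+)")
TIMEOUT_RE = re.compile(r"RADIUS\(\w+\): Request timed out!")
RECV_RE = re.compile(r"RADIUS: Received from id (\d+/\d+) ([\d.]+:\d+), ([\w-]+)")  # assumed IOS format
NASIP_RE = re.compile(r"RADIUS:\s+NAS-IP-Address\s+\[4\]\s+\d+\s+([\d.]+)")
PKT_RE = re.compile(r"IP ([\d.]+)\.([\w-]+) > ([\d.]+)\.([\w-]+): RADIUS, "
                    r"([\w -]+?) \((\d)\), id: 0x([0-9a-f]+)")

DEBUG_LINES = [  # copied from the debug in this post (syslog prefix included)
    "Oct  8 23:30:02 10.10.7.1 3831: .Oct  8 23:30:02.251: RADIUS(00000000): Send Access-Request to 10.10.4.2:1812 id 1645/1,len 88",
    "Oct  8 23:30:02 10.10.7.1 3836: .Oct  8 23:30:02.251: RADIUS:  NAS-IP-Address      [4]   6   10.10.4.1",
    "Oct  8 23:30:07 10.10.7.1 3840: .Oct  8 23:30:07.275: RADIUS(00000000): Request timed out!",
    "Oct  8 23:30:07 10.10.7.1 3841: .Oct  8 23:30:07.275: RADIUS: Retransmit to (10.10.4.2:1812,1813) for id 1645/1",
    "Oct  8 23:30:12 10.10.7.1 3850: .Oct  8 23:30:12.299: RADIUS(00000000): Request timed out!",
]
CAPTURE_LINES = [  # copied from the tcpdump in this post
    "23:51:03.330179 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x02 length: 85",
    "23:51:08.353560 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x02 length: 85",
    "23:51:23.442722 IP 10.10.4.1.sa-msg-port > 10.10.4.2.radius-acct: RADIUS, Accounting Request (4), id: 0x06 length: 103",
    "23:51:28.466111 IP 10.10.4.1.sa-msg-port > 10.10.4.2.radius-acct: RADIUS, Accounting Request (4), id: 0x07 length: 103",
]
HEALTHY_LINES = [  # constructed: what a working exchange looks like on the wire
    "23:55:00.000100 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x03 length: 85",
    "23:55:00.000900 IP 10.10.4.2.radius > 10.10.4.1.datametrics: RADIUS, Access Accept (2), id: 0x03 length: 20",
]

def analyze_debug(lines):
    """Per server: requests sent, retransmits, timeouts, replies, and the NAS-IP-Address advertised."""
    stats = defaultdict(lambda: {"sent": 0, "retransmits": 0, "timeouts": 0,
                                 "received": 0, "nas_ips": set()})
    current = None                                 # server the latest request went to
    for line in lines:
        if m := SEND_RE.search(line):
            current = m.group(2)
            stats[current]["sent"] += 1
        elif m := RETRANS_RE.search(line):
            current = m.group(1)
            stats[current]["retransmits"] += 1
        elif m := RECV_RE.search(line):
            stats[m.group(2)]["received"] += 1
        elif TIMEOUT_RE.search(line) and current:
            stats[current]["timeouts"] += 1
        elif (m := NASIP_RE.search(line)) and current:
            stats[current]["nas_ips"].add(m.group(1))
    return dict(stats)

def verdict(server, s):
    """One-line health call for one server's stats from analyze_debug()."""
    nas = ", ".join(sorted(s["nas_ips"])) or "unknown"
    if s["received"] == 0 and s["timeouts"]:
        return ("no reply from %s: server down, filtered on the path, or not configured to "
                "accept client %s (check which address the NAS really sources from)" % (server, nas))
    if s["timeouts"]:
        return "intermittent replies from %s (%d timeouts)" % (server, s["timeouts"])
    return "ok: %s answered every request" % server

def analyze_capture(lines):
    """Requests vs responses per (client, server, service) as tcpdump saw them."""
    flows = defaultdict(lambda: {"requests": 0, "responses": 0})
    for line in lines:
        m = PKT_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, _kind, code, _ident = m.groups()
        if code in ("1", "4"):                     # Access-Request / Accounting-Request
            flows[(src, dst, dport)]["requests"] += 1
        elif code in ("2", "3", "5"):              # Accept / Reject / Accounting-Response
            flows[(dst, src, sport)]["responses"] += 1
    return dict(flows)

if __name__ == "__main__":
    for server, s in analyze_debug(DEBUG_LINES).items():
        print(verdict(server, s))
    for flow, counts in analyze_capture(CAPTURE_LINES + HEALTHY_LINES).items():
        print(flow, counts)
```

Run over the lines in this post it reports one Access-Request to 10.10.4.2:1812, one retransmit, two timeouts and no reply, with the NAS advertising 10.10.4.1; the capture side shows four requests and zero responses for both the auth and the accounting flow. Comparing the advertised NAS-IP-Address with the client addresses the RADIUS server is configured to accept is the first thing to do when a server goes completely silent like this.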
