
UTM5 RADIUS + Cisco ISG: unexplained problems

Hi all!

 

I can't beat this problem. Everything seems to be configured the way it should be, https://drive.google.com/file/d/0B4dvafHHhRrWS1BFUDZVdnBGdFU/view, but the logs keep showing the same thing all the time: unauthen.

 

Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S1, RELEASE SOFTWARE (fc1) 

 

 

I tried versions s6 and s7 as well. In s1 there is an identifier, but in s6 and s7 there is none :\

 

Oct  2 19:41:48 10.10.7.1 474: Oct  2 19:41:48.735: SSS INFO: Element type is Protocol-Type = 4 (IP Access Protocol) 
Oct  2 19:41:48 10.10.7.1 475: Oct  2 19:41:48.735: SSS INFO: Element type is Media-Type = 2 (IP) 
Oct  2 19:41:48 10.10.7.1 476: Oct  2 19:41:48.735: SSS INFO: Element type is AccIe-Hdl = 3288334347 (C400000B) 
Oct  2 19:41:48 10.10.7.1 477: Oct  2 19:41:48.735: SSS INFO: Element type is AAA-Id = 84 (00000054) 
Oct  2 19:41:48 10.10.7.1 478: Oct  2 19:41:48.735: SSS INFO: Element type is SHDB-Handle = 0 (00000000) 
Oct  2 19:41:48 10.10.7.1 479: Oct  2 19:41:48.735: SSS INFO: Element type is Input Interface = "GigabitEthernet0/3.30" 
Oct  2 19:41:48 10.10.7.1 480: Oct  2 19:41:48.735: SSS INFO: Element type is Mac-Address = 84c9.b20a.3f37 
Oct  2 19:41:48 10.10.7.1 481: Oct  2 19:41:48.735: SSS INFO: Element type is Unauth-User = "84c9.b20a.3f37" 
Oct  2 19:41:48 10.10.7.1 482: Oct  2 19:41:48.735: SSS INFO: Element type is Circuit-id = "0004001e0013" 
Oct  2 19:41:48 10.10.7.1 483: Oct  2 19:41:48.735: SSS INFO: Element type is Remote-id = "0006340804c565e5" 
Oct  2 19:41:48 10.10.7.1 484: Oct  2 19:41:48.735: SSS INFO: Element type is Vendor-Class-id = "udhcp 0.9.8" 
Oct  2 19:41:48 10.10.7.1 485: Oct  2 19:41:48.735: SSS INFO: Element type is Restart = 1 (YES) 
Oct  2 19:41:48 10.10.7.1 486: Oct  2 19:41:48.735: SSS INFO: Element type is Access-Type = 18 (DHCP) 
Oct  2 19:41:48 10.10.7.1 487: Oct  2 19:41:48.735: SSS MGR [uid:11]: Sending a Session Assert ID Mgr request 
Oct  2 19:41:48 10.10.7.1 488: Oct  2 19:41:48.735: SSS MGR [uid:11]: Updating ID Mgr with the following keys: 
Oct  2 19:41:48 10.10.7.1 489:   aaa-unique-id        0   84 (0x54) 
Oct  2 19:41:48 10.10.7.1 490:   clid-mac-addr        0   84 C9 B2 0A 3F 37 
Oct  2 19:41:48 10.10.7.1 491:   username             0   "84c9.b20a.3f37" 
Oct  2 19:41:48 10.10.7.1 492: Oct  2 19:41:48.735: SSS MGR [uid:11]: Updating ID Mgr with the following data- smgr hdl0x3700000B : 
Oct  2 19:41:48 10.10.7.1 493:   circuit-id-tag       0   "0004001e0013" 
Oct  2 19:41:48 10.10.7.1 494:   remote-id-tag        0   "0006340804c565e5" 
Oct  2 19:41:48 10.10.7.1 495:   vendor-class-id-tag  0   "udhcp 0.9.8" 
Oct  2 19:41:48 10.10.7.1 496: Oct  2 19:41:48.735: SSS MGR [uid:11]: ID Mgr returned status: 'success' for Session Assert 
Oct  2 19:41:48 10.10.7.1 497: Oct  2 19:41:48.735: SSS MGR [uid:11]: Event client-service-request, state changed from wait-for-req to authorizing
Oct  2 19:41:48 10.10.7.1 498: Oct  2 19:41:48.735: SSS MGR [uid:11]: Handling Policy Service Authorize action (1 pending sessions) 
Oct  2 19:41:48 10.10.7.1 499: Oct  2 19:41:48.735: SSS MGR [uid:11]: Got reply Need More Keys from PM 
Oct  2 19:41:49 10.10.7.1 500: Oct  2 19:41:48.735: SSS MGR [uid:11]: Event policy-or-mgr-need-more-keys, state changed from authorizing to pm-needs-more-keys 
Oct  2 19:41:49 10.10.7.1 501: Oct  2 19:41:48.735: SSS MGR [uid:11]: Handling Need More Keys action 
Oct  2 19:41:49 10.10.7.1 502: Oct  2 19:41:48.735: SSS MGR [uid:11]: Use authen list "IPoE" 

 

C7206-BRAS#sh sss ses 
Codes: Lterm - Local Term, Fwd - forwarded, unauth - unathenticated, authen - 
authenticated, TC Ct. - Number of Traffic Classes on the main session 

 

Current Subscriber Information: Total sessions 1 
Uniq ID Interface    State    Service     Up-time  TC Ct. Identifier 
11      DHCP         unauthen Attempting  00:03:07 0      84c9.b20a.3f37 

 

C7206-BRAS#sh sss ses det 
Current Subscriber Information: Total sessions 1 
-------------------------------------------------- 
Type: DHCP, UID: 11, State: unauthen, Identity: 84c9.b20a.3f37 
Session Up-time: 00:03:34, Last Changed: 00:03:34 
Switch-ID: 0 

Policy information: 
 Context 51639648: Handle 1B000017 
 AAA_id 00000054: Flow_handle 0 
 Authentication status: unauthen 
 Rules, actions and conditions executed: 
   subscriber rule-map ISG-RADIUS-PROFILES 
     condition always event session-restart 
       10 authorize aaa list IPoE identifier source-ip-address 

 

7206 config

 

aaa group server radius ISG-RADIUS-PROFILES 
server name UTM5-RADIUS 
ip radius source-interface Loopback1 
! 
aaa group server radius ISG-IPoE 
server name UTM5-RADIUS 
ip radius source-interface Loopback2 
! 
aaa group server radius ACC-IPoE 
server name UTM5-RADIUS 
ip radius source-interface Loopback2 
! 
aaa authentication login IPoE group ISG-IPoE 
aaa authorization network IPoE group ISG-IPoE 
aaa authorization subscriber-service default group ISG-RADIUS-PROFILES 
aaa accounting update periodic 5 
aaa accounting network IPoE start-stop group ACC-IPoE 

aaa server radius dynamic-author 
client 10.10.4.2 server-key 7 secret 
auth-type all 
ignore session-key 
ignore server-key 

ip dhcp relay information option 
ip dhcp relay information policy keep 
no ip dhcp relay information check 
ip dhcp relay information trust-all 
no ip dhcp use vrf connected 

ip dhcp pool UTM5 
relay source 172.22.22.0 255.255.255.0 
relay destination 10.10.5.2 

subscriber authorization enable 

redirect server-group L4R 
server ip 10.10.10.1 port 80 
! 
! 
! 
! 
! 
! 
class-map type control match-all ISG-IP-UNAUTH 
match timer UNAUTH-TIMER 
match authen-status unauthenticated 

policy-map type control ISG-RADIUS-PROFILES 
class type control ISG-IP-UNAUTH event timed-policy-expiry 
 1 service disconnect 
! 
class type control always event session-start 
 10 authorize aaa list IPoE identifier source-ip-address 
 20 service-policy type service name OG_SRV 
 30 service-policy type service name L4R_SRV 
 40 set-timer UNAUTH-TIMER 1 
! 
class type control always event session-restart 
 10 authorize aaa list IPoE identifier source-ip-address 
 20 service-policy type service name OG_SRV 
 30 service-policy type service name L4R_SRV 
 40 set-timer UNAUTH-TIMER 1 

interface Loopback1 
description AAA_Profile 
ip address 10.10.1.1 255.255.255.255 
no ip redirects 
no ip unreachables 
no ip proxy-arp 
ntp disable 
! 
interface Loopback2 
description AAA_IPoE 
ip address 10.10.2.1 255.255.255.255 
no ip redirects 
no ip unreachables 
no ip proxy-arp 
ntp disable 

interface Loopback11 
ip address 172.22.22.254 255.255.255.0 
no ip redirects 
no ip unreachables 
ntp disable 

interface GigabitEthernet0/3.30 
description -=IPoE_Clients=- 
encapsulation dot1Q 30 
ip unnumbered Loopback11 
no ip redirects 
no ip unreachables 
no ip proxy-arp 
ip flow monitor ISG-BRAS sampler ISG-BRAS input 
ip flow monitor ISG-BRAS sampler ISG-BRAS output 
service-policy type control ISG-RADIUS-PROFILES 
ip subscriber l2-connected 
 initiator dhcp 

radius-server attribute 44 include-in-access-req all 
radius-server attribute 6 on-for-login-auth 
radius-server attribute 8 include-in-access-req 
radius-server attribute 32 include-in-access-req 
radius-server attribute 32 include-in-accounting-req 
radius-server attribute 55 include-in-acct-req 
radius-server attribute 55 access-request include 
radius-server attribute nas-port format d 
radius-server attribute 61 extended 
radius-server attribute 31 send nas-port-detail mac-only 
radius-server attribute 31 remote-id 
radius-server attribute nas-port-id include circuit-id plus remote-id plus vendor-class-id 
radius-server vsa send cisco-nas-port 
radius-server vsa send accounting 
radius-server vsa send authentication 
! 
radius server UTM5-RADIUS 
address ipv4 10.10.4.2 auth-port 1812 acct-port 1813 
key 7 secret

 

It just flatly refuses to authorize. Tell me where to dig and I'll dig.


Bump. Has nobody ever had problems with ISG? 0_o


Show the RADIUS debug.

Do I understand correctly that not a single subscriber can authorize, or is it just one?

On the RADIUS side do the bare minimum: just a plain accept, without any services and so on.


> Show the RADIUS debug.
>
> Do I understand correctly that not a single subscriber can authorize, or is it just one?
>
> On the RADIUS side do the bare minimum: just a plain accept, without any services and so on.

Not a single one, that's right. Right now a single test subscriber is running; we also tried hooking up a couple of subscriber boxes, and it's all the same.

 

This junk after a reboot, which sometimes goes through and sometimes doesn't:

*Feb 17 19:27:00.007: %AAAA-4-SERVUNDEF: The server-group "ISG-IPoE" is not defined. Please define it.
*Feb 17 19:27:00.011: %AAAA-4-SERVUNDEF: The server-group "ISG-IPoE" is not defined. Please define it.

 

There is simply no connection to RADIUS at all. But for what reason...

 

Router#sh sss ses
Current Subscriber Information: Total sessions 1

Uniq ID Interface    State         Service      Identifier           Up-time
1       IP           unauthen      Local Term   84c9.b20a.3f37       00:04:02

Router#sh sss ses uid 1
Unique Session ID: 1
Identifier: 84c9.b20a.3f37
SIP subscriber access type(s): IP
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 00:04:06, Last Changed: 00:04:06

Policy information:
 Authentication status: unauthen
 Rules, actions and conditions executed:
   subscriber rule-map ISG-RADIUS-PROFILES
     condition always event session-start
       10 authorize aaa list IPoE identifier source-ip-address

Configuration sources associated with this session:
Interface: GigabitEthernet0/3.30, Active Time = 00:04:06

 

On the production box everything worked. Now I had to rebuild it and have basically been fighting with it for several days already.


Oct 05 22:20:28 ?Debug : d1fa9700 AuthQueue: New request from 10.10.1.1:1645
--- RADIUS Pkt ---
 Code: [1]  ID:   [99]
 Auth: Size 16; Data [0x0bdbc11617a222c70280225f02cdea01]
   Attr: [2] Vendor: [0] Size 16; Data [0xfd3aac192589e6ca6669d3a876f39c63]
       (User-Password=HEX:...)
   Attr: [31] Vendor: [0] Size 16; Data [0x30303036333430383034633536356535]
       (Calling-Station-Id=STRING:0006340804c565e5)
   Attr: [1] Vendor: [0] Size 6; Data [0x4f475f535256]
       (User-Name=STRING:OG_SRV)
   Attr: [61] Vendor: [0] Size 4; Data [0x00000021]
       (NAS-Port-Type=INT:33)
   Attr: [2] Vendor: [9] Size 41; Data [0x3030303430303165303031343a303030363334303830346335363565353a756468637020302e392e38]
       (Cisco:Cisco-NAS-Port=STRING:0004001e0014:0006340804c565e5:udhcp 0.9.8)
   Attr: [5] Vendor: [0] Size 4; Data [0x0300001e]
       (NAS-Port=INT:50331678)
   Attr: [87] Vendor: [0] Size 41; Data [0x3030303430303165303031343a303030363334303830346335363565353a756468637020302e392e38]
       (NAS-Port-Id=STRING:0004001e0014:0006340804c565e5:udhcp 0.9.8)
   Attr: [1] Vendor: [9] Size 27; Data [0x636972637569742d69642d7461673d303030343030316530303134]
       (Cisco:Cisco-AVPair=STRING:circuit-id-tag=0004001e0014)
   Attr: [1] Vendor: [9] Size 30; Data [0x72656d6f74652d69642d7461673d30303036333430383034633536356535]
       (Cisco:Cisco-AVPair=STRING:remote-id-tag=0006340804c565e5)
   Attr: [1] Vendor: [9] Size 31; Data [0x76656e646f722d636c6173732d69642d7461673d756468637020302e392e38]
       (Cisco:Cisco-AVPair=STRING:vendor-class-id-tag=udhcp 0.9.8)
   Attr: [6] Vendor: [0] Size 4; Data [0x00000005]
       (Service-Type=INT:5)
   Attr: [4] Vendor: [0] Size 4; Data [0x0a0a0101]
       (NAS-IP-Address=IP:10.10.1.1)
   Attr: [32] Vendor: [0] Size 10; Data [0x43373230362d42524153]
       (NAS-Identifier=STRING:C7206-BRAS)
   Attr: [55] Vendor: [0] Size 4; Data [0x57f51a2e]
       (Event-Timestamp=DATE:1475680814)

Oct 05 22:20:28 ?Debug : d1fa9700 AuthQueue: Login 'OG_SRV'
Oct 05 22:20:28 ?Debug : d1fa9700 AuthQueue: Login info found, radius account og_srv
Oct 05 22:20:28 ?Debug : d1fa9700 AuthQueue: Processing radius account og_srv
Oct 05 22:20:28 ?Debug : d1fa9700 AuthQueue: Using PAP authentication method
Oct 05 22:20:28 ?Debug : d1fa9700 CustomAttrs: custom attributes for RADIUS_ACCOUNT ID 2 have been added to the reply
Oct 05 22:20:28 ?Debug : d1fa9700 AcctQueue: lookup: session ID 876 closed
Oct 05 22:20:28 ?Debug : d1fa9700 SessionManager: put: sessiond ID 876 from NAS 2 is closed
Oct 05 22:20:28 ?Debug : d1fa9700 AuthQueue: Reply
--- RADIUS Pkt ---
 Code: [2]  ID:   [99]
 Auth: Size 16; Data [0x0bdbc11617a222c70280225f02cdea01]
   Attr: [1] Vendor: [9] Size 63; Data [0x69703a747261666669632d636c6173733d696e707574206163636573732d67726f7570206e616d652041434c5f5a30305f494e207072696f72697479203130]
       (Cisco:Cisco-AVPair=STRING:ip:traffic-class=input access-group name ACL_Z00_IN priority 10)
   Attr: [1] Vendor: [9] Size 33; Data [0x69703a747261666669632d636c6173733d6f75742064656661756c742064726f70]
       (Cisco:Cisco-AVPair=STRING:ip:traffic-class=out default drop)
   Attr: [1] Vendor: [9] Size 32; Data [0x69703a747261666669632d636c6173733d696e2064656661756c742064726f70]
       (Cisco:Cisco-AVPair=STRING:ip:traffic-class=in default drop)
   Attr: [1] Vendor: [9] Size 65; Data [0x69703a747261666669632d636c6173733d6f7574707574206163636573732d67726f7570206e616d652041434c5f5a30305f4f5554207072696f72697479203130]
       (Cisco:Cisco-AVPair=STRING:ip:traffic-class=output access-group name ACL_Z00_OUT priority 10)

Oct 05 22:20:43 ?Debug : d18a2700 StreamConnection: Got message ID 0x2129
Oct 05 22:20:43 ?Debug : d18a2700 Transport: got PING event

 

And so on, in a loop.

Edited by TiRider
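The UTM5 debug above prints the exchange attribute by attribute: an Access-Request (ID 99) carrying standard attributes plus Cisco vendor-specific ones, and an Access-Accept (ID 99) whose whole payload is four Cisco-AVPair `ip:traffic-class=...` lines. As an added example, not code from the thread, from UTM5 or from Cisco, the Python below encodes and decodes exactly that: standard attributes, Cisco VSAs (type 26, vendor 9), RFC 2865 User-Password hiding for PAP, and the Response Authenticator a NAS recomputes before it trusts a reply. The attribute values and the Request Authenticator are copied from the debug; the shared secret is a placeholder because the real one is not on the page, and the password in the sample request is constructed.

```python
import hashlib
import hmac
import struct

SECRET = b"placeholder-shared-secret"  # assumed: the real secret is not in the thread
REQUEST_AUTH = bytes.fromhex("0bdbc11617a222c70280225f02cdea01")  # from the UTM5 debug, ID 99
VENDOR_CISCO = 9
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
              31: "Calling-Station-Id", 32: "NAS-Identifier", 55: "Event-Timestamp", 61: "NAS-Port-Type"}
CISCO_SUBATTR_NAMES = {1: "Cisco-AVPair", 2: "Cisco-NAS-Port"}
INTEGER_ATTRS = {5, 6, 55, 61}

def avp(attr_type, value):
    if len(value) > 253:  # one-byte length field, 2 bytes of header
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def cisco_vsa(sub_type, value):
    """Vendor-Specific (26) carrying vendor-id 9 and one Cisco sub-attribute."""
    inner = struct.pack("!BB", sub_type, 2 + len(value)) + value
    return avp(26, struct.pack("!I", VENDOR_CISCO) + inner)

def pap_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def response_authenticator(code, ident, request_auth, body, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def build_response(code, ident, request_auth, attributes, secret):
    body = b"".join(attributes)
    auth = response_authenticator(code, ident, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def verify_response(packet, request_auth, secret):
    """The check a NAS makes before trusting a reply; on mismatch the reply is silently discarded."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        return False
    expected = response_authenticator(code, ident, request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

def parse_attributes(packet):
    """Return [(name, value)] for every attribute, unwrapping Cisco VSAs and masking passwords."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    out, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attr_type, attr_len = packet[pos], packet[pos + 1]
        val = packet[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type == 26:
            if len(val) < 6 or val[5] < 2 or 4 + val[5] != len(val):
                raise ValueError("malformed Vendor-Specific attribute")
            vendor, sub_type = struct.unpack("!I", val[:4])[0], val[4]
            name = (CISCO_SUBATTR_NAMES.get(sub_type, "Cisco-%d" % sub_type) if vendor == VENDOR_CISCO
                    else "VSA-%d-%d" % (vendor, sub_type))
            out.append((name, val[6:].decode("utf-8", "replace")))
        elif attr_type in INTEGER_ATTRS and len(val) == 4:
            out.append((ATTR_NAMES[attr_type], struct.unpack("!I", val)[0]))
        elif attr_type == 4 and len(val) == 4:
            out.append(("NAS-IP-Address", ".".join(str(b) for b in val)))
        elif attr_type == 2:
            out.append(("User-Password", "hidden, %d bytes" % len(val)))
        else:
            out.append((ATTR_NAMES.get(attr_type, "Attr-%d" % attr_type), val.decode("utf-8", "replace")))
    return out

def example_accept():
    """The Access-Accept (ID 99) from the debug: four Cisco-AVPair traffic-class lines."""
    attrs = [cisco_vsa(1, b"ip:traffic-class=input access-group name ACL_Z00_IN priority 10"),
             cisco_vsa(1, b"ip:traffic-class=out default drop"),
             cisco_vsa(1, b"ip:traffic-class=in default drop"),
             cisco_vsa(1, b"ip:traffic-class=output access-group name ACL_Z00_OUT priority 10")]
    return build_response(2, 99, REQUEST_AUTH, attrs, SECRET)

def example_request():
    """An Access-Request shaped like the 'test aaa' one later in the thread (user testmax)."""
    attrs = [avp(2, pap_password(b"password", SECRET, REQUEST_AUTH)),  # constructed password
             avp(1, b"testmax"), avp(6, struct.pack("!I", 1)),
             avp(4, bytes([10, 10, 4, 1])), avp(32, b"C7206-BRAS")]
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + REQUEST_AUTH + body

if __name__ == "__main__":
    print(parse_attributes(example_accept()), verify_response(example_accept(), REQUEST_AUTH, SECRET))
```

The decoded Access-Accept comes out to 245 bytes with the same four sub-attribute sizes (63, 33, 32, 65) the debug shows, and the masked User-Password of the request is the 18-byte attribute the router prints as `User-Password [2] 18 *`. The point of `verify_response` is the failure mode it exposes: a reply built with a different secret on either end fails the authenticator check and the NAS drops it without any log beyond a timeout, so the router side looks identical whether the server never answered or answered with the wrong key; the two cases can only be told apart with a capture on the wire or the server's own debug.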


No authorization from UTM5 RADIUS with the Cisco when sending Request-Start.

 

Checked by running a test: test aaa group radius server name UTM5-RADIUS user password port 1812 new-code count 1

 

Oct  8 23:30:02 10.10.7.1 3821: .Oct  8 23:30:02.251: RADIUS/ENCODE(00000000):Orig. component type = Invalid 
Oct  8 23:30:02 10.10.7.1 3822: .Oct  8 23:30:02.251: RADIUS/ENCODE: Skip encoding 0 length AAA attribute formatted-clid 
Oct  8 23:30:02 10.10.7.1 3823: .Oct  8 23:30:02.251: RADIUS(00000000): Config NAS IP: 0.0.0.0 
Oct  8 23:30:02 10.10.7.1 3824: .Oct  8 23:30:02.251: RADIUS(00000000): Config NAS IPv6: :: 
Oct  8 23:30:02 10.10.7.1 3825: .Oct  8 23:30:02.251: RADIUS(00000000): Config NAS IP: 0.0.0.0 
Oct  8 23:30:02 10.10.7.1 3826: .Oct  8 23:30:02.251: RADIUS(00000000): sending 
Oct  8 23:30:02 10.10.7.1 3827: .Oct  8 23:30:02.251: RADIUS/DECODE(00000000): There is no General DB. Want server details may not be specified 
Oct  8 23:30:02 10.10.7.1 3828: .Oct  8 23:30:02.251: RADIUS/ENCODE: Best Local IP-Address 10.10.4.1 for Radius-Server 10.10.4.2 
Oct  8 23:30:02 10.10.7.1 3829: RADIUS/ENCODE: Nas-Identifier "C7206-BRAS" 
Oct  8 23:30:02 10.10.7.1 3830: .Oct  8 23:30:02.251: RADIUS(00000000): Sending a IPv4 Radius Packet 
Oct  8 23:30:02 10.10.7.1 3831: .Oct  8 23:30:02.251: RADIUS(00000000): Send Access-Request to 10.10.4.2:1812 id 1645/1,len 88 
Oct  8 23:30:02 10.10.7.1 3832: .Oct  8 23:30:02.251: RADIUS:  authenticator 93 ED C5 D4 C4 6F 0C ED - 62 DB 7C 2A 3C 41 33 8F 
Oct  8 23:30:02 10.10.7.1 3833: .Oct  8 23:30:02.251: RADIUS:  User-Password       [2]   18  * 
Oct  8 23:30:02 10.10.7.1 3834: .Oct  8 23:30:02.251: RADIUS:  User-Name           [1]   9   "testmax" 
Oct  8 23:30:02 10.10.7.1 3835: .Oct  8 23:30:02.251: RADIUS:  Service-Type        [6]   6   Login                     [1] 
Oct  8 23:30:02 10.10.7.1 3836: .Oct  8 23:30:02.251: RADIUS:  NAS-IP-Address      [4]   6   10.10.4.1 
Oct  8 23:30:02 10.10.7.1 3837: .Oct  8 23:30:02.251: RADIUS:  Nas-Identifier      [32]  23  "C7206-BRAS" 
Oct  8 23:30:03 10.10.7.1 3838: .Oct  8 23:30:02.251: RADIUS:  Event-Timestamp     [55]  6   1475944202 
Oct  8 23:30:03 10.10.7.1 3839: .Oct  8 23:30:02.251: RADIUS(00000000): Started 5 sec timeout 
Oct  8 23:30:07 10.10.7.1 3840: .Oct  8 23:30:07.275: RADIUS(00000000): Request timed out! 
Oct  8 23:30:07 10.10.7.1 3841: .Oct  8 23:30:07.275: RADIUS: Retransmit to (10.10.4.2:1812,1813) for id 1645/1 
Oct  8 23:30:07 10.10.7.1 3842: .Oct  8 23:30:07.275: RADIUS:  authenticator 93 ED C5 D4 C4 6F 0C ED - 62 DB 7C 2A 3C 41 33 8F 
Oct  8 23:30:07 10.10.7.1 3843: .Oct  8 23:30:07.275: RADIUS:  User-Password       [2]   18  * 
Oct  8 23:30:07 10.10.7.1 3844: .Oct  8 23:30:07.275: RADIUS:  User-Name           [1]   9   "testmax" 
Oct  8 23:30:07 10.10.7.1 3845: .Oct  8 23:30:07.275: RADIUS:  Service-Type        [6]   6   Login                     [1] 
Oct  8 23:30:07 10.10.7.1 3846: .Oct  8 23:30:07.275: RADIUS:  NAS-IP-Address      [4]   6   10.10.4.1 
Oct  8 23:30:07 10.10.7.1 3847: .Oct  8 23:30:07.275: RADIUS:  Nas-Identifier      [32]  23  "C7206-BRAS" 
Oct  8 23:30:08 10.10.7.1 3848: .Oct  8 23:30:07.275: RADIUS:  Event-Timestamp     [55]  6   1475944202 
Oct  8 23:30:08 10.10.7.1 3849: .Oct  8 23:30:07.275: RADIUS(00000000): Started 5 sec timeout 
Oct  8 23:30:12 10.10.7.1 3850: .Oct  8 23:30:12.299: RADIUS(00000000): Request timed out! 

 

Dump:

root@billing:~# tcpdump -i eth1.14 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 
listening on eth1.14, link-type EN10MB (Ethernet), capture size 262144 bytes 
23:51:03.330179 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x02 length: 85 
23:51:08.353560 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x02 length: 85 
23:51:13.377885 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x02 length: 85 
23:51:18.401808 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x02 length: 85 
23:51:23.442722 IP 10.10.4.1.sa-msg-port > 10.10.4.2.radius-acct: RADIUS, Accounting Request (4), id: 0x06 length: 103 
23:51:28.466111 IP 10.10.4.1.sa-msg-port > 10.10.4.2.radius-acct: RADIUS, Accounting Request (4), id: 0x07 length: 103 
23:51:33.490294 IP 10.10.4.1.sa-msg-port > 10.10.4.2.radius-acct: RADIUS, Accounting Request (4), id: 0x08 length: 103 
23:51:38.514390 IP 10.10.4.1.sa-msg-port > 10.10.4.2.radius-acct: RADIUS, Accounting Request (4), id: 0x09 length: 103

 

But when you do clear sss ses all and the client re-authorizes, the dump shows nothing at all.

 

People, I need help!
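The capture in this post shows the whole symptom in eight lines: the same Access-Request (id 0x02) leaves 10.10.4.1 four times, five seconds apart, and four Accounting-Requests follow, and nothing ever comes back from 10.10.4.2. As an added example, not part of the thread, here is a Python correlator over tcpdump's RADIUS summary lines: it pairs requests with replies by NAS, server, id and message family, and reports every exchange that was never answered, with the attempt count and the time span. The embedded sample capture is the eight lines from the post plus one constructed exchange (id 0x03) that does receive an Access-Accept, so that the output shows both outcomes.

```python
import re
from collections import OrderedDict

# Sample capture: the eight lines from the post (NAS 10.10.4.1 -> UTM5 10.10.4.2) plus one
# constructed exchange (id 0x03) that does get an Access-Accept, for contrast.
SAMPLE_CAPTURE = """\
23:51:03.330179 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x02 length: 85
23:51:08.353560 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x02 length: 85
23:51:13.377885 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x02 length: 85
23:51:18.401808 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x02 length: 85
23:51:23.442722 IP 10.10.4.1.sa-msg-port > 10.10.4.2.radius-acct: RADIUS, Accounting Request (4), id: 0x06 length: 103
23:51:28.466111 IP 10.10.4.1.sa-msg-port > 10.10.4.2.radius-acct: RADIUS, Accounting Request (4), id: 0x07 length: 103
23:51:33.490294 IP 10.10.4.1.sa-msg-port > 10.10.4.2.radius-acct: RADIUS, Accounting Request (4), id: 0x08 length: 103
23:51:38.514390 IP 10.10.4.1.sa-msg-port > 10.10.4.2.radius-acct: RADIUS, Accounting Request (4), id: 0x09 length: 103
23:52:00.000000 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x03 length: 85
23:52:00.004000 IP 10.10.4.2.radius > 10.10.4.1.datametrics: RADIUS, Access Accept (2), id: 0x03 length: 40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"RADIUS, (?P<name>[A-Za-z ]+?) \((?P<code>\d+)\), id: 0x(?P<id>[0-9a-fA-F]+) length: (?P<len>\d+)")
REQUEST_FAMILY = {1: "Access-Request", 4: "Accounting-Request"}
RESPONSE_FAMILY = {2: "Access-Request", 3: "Access-Request", 11: "Access-Request", 5: "Accounting-Request"}
RESPONSE_NAMES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge", 5: "Accounting-Response"}


def _host(endpoint):
    """'10.10.4.1.datametrics' -> '10.10.4.1' (tcpdump appends the port or its service name)."""
    return endpoint.rsplit(".", 1)[0]


def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def analyze(capture_text):
    """Pair requests with replies by (NAS, server, id, family); one record per exchange, in capture order."""
    exchanges = OrderedDict()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a RADIUS summary line (tcpdump banner, other protocols)
        code, ident, t = int(m["code"]), int(m["id"], 16), _seconds(m["ts"])
        src, dst = _host(m["src"]), _host(m["dst"])
        if code in REQUEST_FAMILY:
            # Retransmits keep the same id, so they accumulate on one record. Ids wrap at 256;
            # a reused id after a reply is folded into the same record by this simple version.
            key = (src, dst, ident, REQUEST_FAMILY[code])
            ex = exchanges.setdefault(key, {"nas": src, "server": dst, "id": ident, "type": REQUEST_FAMILY[code],
                                            "attempts": 0, "first": t, "last": t, "answered": False, "response": None})
            ex["attempts"] += 1
            ex["last"] = t
        elif code in RESPONSE_FAMILY:
            # A reply travels server -> NAS, so the key is built with the endpoints swapped.
            ex = exchanges.get((dst, src, ident, RESPONSE_FAMILY[code]))
            if ex is not None and not ex["answered"]:
                ex["answered"] = True
                ex["response"] = RESPONSE_NAMES[code]
    return list(exchanges.values())


def unanswered(exchanges):
    return [ex for ex in exchanges if not ex["answered"]]


def describe(ex):
    if ex["answered"]:
        return "%s id %#04x -> %s" % (ex["type"], ex["id"], ex["response"])
    return ("%s id %#04x from %s to %s: %d attempt(s) over %.1f s, no reply"
            % (ex["type"], ex["id"], ex["nas"], ex["server"], ex["attempts"], ex["last"] - ex["first"]))


if __name__ == "__main__":
    for ex in analyze(SAMPLE_CAPTURE):
        print(describe(ex))
```

Run against the post's lines the script reports the Access-Request with id 0x02 as four attempts over 15 s with no reply, the four accounting requests as one unanswered attempt each, and the constructed id 0x03 as answered. A request that reaches the server's interface and still gets no reply at all is what RFC 2865 prescribes for a request from a client address the server has no shared secret for (silent discard), so the thing to verify on the server side is that each source address the router actually uses, here 10.10.4.1 for the `test aaa` command while the AAA groups in the config bind Loopback1 and Loopback2, is registered as a NAS with the right secret; a reply that does arrive but is dropped by the router would instead show up in the capture as a reply line with the router still timing out.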


> aaa group server radius ISG-IPoE
> server name UTM5-RADIUS
> ip radius source-interface Loopback2

And where are the ports and the secret for RADIUS?

