Posted (edited)

Good afternoon, colleagues!

I'm struggling with a CoA and ISG problem. I can't get services to activate or deactivate.


version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname Cisco_Test
!
boot-start-marker
boot-end-marker
!
enable password jdi-l.n
!
aaa new-model
!
aaa group server radius PPPoE_RADIUS
 server name radius
 ip radius source-interface GigabitEthernet3.100
!
aaa authentication login default local enable none
aaa authentication ppp PPPoE group PPPoE_RADIUS
aaa authorization network PPPoE group PPPoE_RADIUS
aaa authorization subscriber-service default local group PPPoE_RADIUS
aaa accounting update newinfo periodic 5
aaa accounting network PPPoE start-stop group PPPoE_RADIUS
!
aaa server radius dynamic-author
 client 10.5.5.2 server-key <password>
 domain stripping right-to-left
 port 3799
 auth-type any
!
aaa session-id common
clock timezone MSK 3 0
!
ip domain name ugtelecom.info
!
subscriber templating
service-policy type control ISG-CONTROL
!
multilink bundle-name authenticated
!
license udi pid CSR1000V sn 9HHYWD2KHJD
archive
 path flash:
 maximum 5
 write-memory
spanning-tree extend system-id
!
username dkostiuk password 0 blablabla
!
redundancy
!
class-map type traffic match-any CLASS-TO-REDIRECT
 match access-group input 103
 match access-group output 103
!
class-map type traffic match-any PERMIT_RESOURCES_BLOCK
 match access-group input 101
 match access-group output 101
!
class-map type traffic match-any DNS4REDIRECT
 match access-group input 100
 match access-group output 100
!
class-map type control match-all ISG-IP-UNAUTH
 match authen-status unauthenticated
 match timer UNAUTH-TIMER
!
policy-map type service FREE-INTERNET
 service local
 ip access-group 102 in
 ip access-group 102 out
 1 class type traffic PERMIT_RESOURCES_BLOCK
  police input 65000 1000 1000
  police output 65000 1000 1000
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service REDIRECT-POLICY-BLOCK
 ip access-group 104 in
 ip access-group 104 out
 1 class type traffic CLASS-TO-REDIRECT
  redirect to ip 100.63.0.3 port 80
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service DNS-REDIRECT
 ip access-group 105 in
 ip access-group 105 out
 1 class type traffic DNS4REDIRECT
  redirect to ip 8.8.8.8
 !
 class type traffic default in-out
  drop
 !
!
policy-map type control ISG-CONTROL
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event account-logoff
  1 service disconnect
 !
 class type control always event credit-exhausted
  1 service-policy type service name FREE-INTERNET
 !
 class type control always event session-start
  1 authenticate aaa list PPPoE
  2 authorize aaa list PPPoE password cisco identifier authenticated-username
 !
!
bba-group pppoe BRAS-PPPOE
 virtual-template 1
 sessions per-vlan limit 2000
 sessions auto cleanup
!
!
interface Loopback1
 ip address 100.63.1.1 255.255.255.255
!
interface GigabitEthernet1
 no ip address
 negotiation auto
 pppoe enable group BRAS-PPPOE
 service-policy type control ISG-CONTROL
 ip subscriber routed
  initiator unclassified ip-address
!
interface GigabitEthernet2
 ip address 192.168.5.15 255.255.255.0
 negotiation auto
!
interface GigabitEthernet3
 no ip address
 negotiation auto
 pppoe enable group BRAS-PPPOE
!
interface GigabitEthernet3.50
 encapsulation dot1Q 50
 ip address 10.2.2.3 255.255.255.0
 ip ospf 1 area 10.2.2.0
!
interface GigabitEthernet3.100
 encapsulation dot1Q 100
 ip address 10.5.5.3 255.255.255.0
!
interface Virtual-Template1
 mtu 1492
 ip unnumbered Loopback1
 no logging event link-status
 no peer default ip address
 ppp authentication chap ms-chap ms-chap-v2 pap PPPoE
 ppp authorization PPPoE
 ppp accounting PPPoE
 ppp ipcp dns 8.8.8.8
 ppp ipcp address unique
 service-policy type control ISG-CONTROL
!
router ospf 1
 router-id 10.1.1.3
 redistribute connected subnets
 passive-interface GigabitEthernet1
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 100.63.0.3 255.255.255.255 10.2.2.1
!
access-list 100 permit udp any any eq domain
access-list 100 permit udp any eq domain any
access-list 100 deny   udp any any
access-list 101 permit ip any 87.240.128.0 0.0.63.255
access-list 101 permit ip 87.240.128.0 0.0.63.255 any
access-list 101 deny   ip any any
access-list 102 remark --permit any any--
access-list 102 permit ip any any
access-list 103 remark -sniff all packets to web-
access-list 103 permit tcp any eq www any
access-list 103 permit tcp any any eq www
access-list 103 deny   tcp any any
access-list 104 permit tcp any eq www any
access-list 104 permit tcp any any eq www
access-list 104 deny   tcp any any
access-list 105 remark --sniff only dns packets for redirect--
access-list 105 permit udp any eq domain any
access-list 105 permit udp any any eq domain
access-list 105 deny   udp any any
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 25 access-request include
radius-server attribute 30 original-called-number
radius-server attribute nas-port format e UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
radius-server attribute 61 extended
radius-server attribute 31 mac format unformatted
radius-server configure-nas
!
radius server radius
 address ipv4 10.5.5.2 auth-port 1812 acct-port 1813
 key superpassword
!
control-plane
!
line con 0
line vty 0 5
 transport input telnet
!
ntp server 192.168.3.69
!
end

Request and response:

echo "User-Name=\"02-00001\",Cisco-Account-Info=\"S100.63.1.234\",Cisco-Account-Info=\"N;1;AFREE-INTERNET;86400;65000;65000;200;200;0\"" | radclient -r1 -t1 -x 10.5.5.3:3799 coa <password>

Sent CoA-Request Id 90 from 0.0.0.0:39795 to 10.5.5.3:3799 length 105
    User-Name = "02-00001"
    Cisco-Account-Info = "S100.63.1.234"
    Cisco-Account-Info = "N;1;AFREE-INTERNET;86400;65000;65000;200;200;0"
Received CoA-ACK Id 90 from 10.5.5.3:3799 to 10.5.5.2:39795 length 68
    Cisco-Account-Info = "S100.63.1.234"
    Cisco-Account-Info = "$IVirtual-Access2.1"

But the service on the Cisco did not get activated:

Cisco_Test#show subscriber session detailed
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: PPPoE, UID: 22, State: authen, Identity: 02-00001
IPv4 Address: 100.63.1.234
Session Up-time: 00:06:04, Last Changed: 00:05:15
Interface: Virtual-Access2.1
Switch-ID: 4175

Policy information:
  Context 7F401B41CE20: Handle B3000034
  AAA_id 00000027: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    timeout              0   86400 (0x15180)
    service-type         0   2 [Framed]
    addr                 0   100.63.1.234
    netmask              0   255.255.255.255
    username             0   "02-00001"
    ssg-account-info     0   "N;1;AFREE-INTERNET;86400;65000;65000;200;200;0"
  Downloaded User profile, including services:
    timeout              0   86400 (0x15180)
    service-type         0   2 [Framed]
    addr                 0   100.63.1.234
    netmask              0   255.255.255.255
    username             0   "02-00001"
    ssg-account-info     0   "N;1;AFREE-INTERNET;86400;65000;65000;200;200;0"
  Config history for session (recent to oldest):
    Access-type: PPP Client: Push Command-Handler
     Policy event: Process Config
      Profile name: 02-00001, 2 references
        username             0   "02-00001"
        ssg-account-info     0   "N;1;AFREE-INTERNET;86400;65000;65000;200;200;0"
    Access-type: PPP Client: SM
     Policy event: Got More Keys
      Profile name: 02-00001, 2 references
        timeout              0   86400 (0x15180)
        service-type         0   2 [Framed]
        addr                 0   100.63.1.234
        netmask              0   255.255.255.255
        Message-Authenticato 0   <hidden>
  Rules, actions and conditions executed:
    subscriber rule-map ISG-CONTROL
      condition always event session-start
        1 authenticate aaa list PPPoE
        2 authorize aaa list PPPoE identifier authenticated-username

Classifiers:
Class-id    Dir   Packets    Bytes                  Pri.  Definition
0           In    326        40104                  0    Match Any
1           Out   219        41002                  0    Match Any

Features:

IP Config:
M=Mandatory, T=Tag, Mp=Mandatory pool
Flags  Peer IP Address                  Pool Name             Interface      
       100.63.1.234                     [None]                [None]         
       ::                               [None]                [None]         

Absolute Timeout:
Class-id   Timeout Value    Time Remaining       Source
0          86400            23:53:55             Peruser

Configuration Sources:
Type  Active Time  AAA Service ID  Name
USR   00:06:04     -               Peruser
INT   00:06:04     -               Virtual-Template1

Cisco_Test#show subscriber service detailed
%No active services

Can you tell me what I'm missing?

Edited by Den4ikArgv
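The CoA exchange shown in the post, reconstructed as an added example (Python; not part of the original post and not radclient's code): it encodes the same CoA-Request per RFC 5176 with the Cisco vendor-specific attributes (vendor ID 9, Cisco-Account-Info vendor type 250 and Cisco-AVPair vendor type 1, as in the FreeRADIUS Cisco dictionary), reproduces the 105-byte length radclient reported, and verifies the Response Authenticator of a CoA-ACK the way a client should before trusting the reply. The shared secret is a constructed placeholder (the thread's key is redacted), and the CoA-ACK is constructed to carry the attributes the post shows rather than captured from the router.

```python
"""RFC 5176 CoA-Request encoder and CoA-ACK verifier (added example, not from the post)."""
import hashlib
import hmac
import struct

CODE_COA_REQUEST = 43
CODE_COA_ACK = 44
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9            # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # Cisco-AVPair vendor type
CISCO_ACCOUNT_INFO = 250    # Cisco-Account-Info vendor type

SECRET = b"example-shared-key"   # constructed placeholder; the real key is redacted in the post


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_vsa(vendor_type: int, value: bytes) -> bytes:
    """Wrap a Cisco sub-attribute in a Vendor-Specific (26) attribute."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + inner)


def build_coa_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """CoA-Request; Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    header = struct.pack("!BBH", CODE_COA_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def build_coa_ack(request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Constructed stand-in for the BRAS's CoA-ACK so the verifier can run offline.
    Response Authenticator = MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)."""
    header = struct.pack("!BBH", CODE_COA_ACK, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """True only if the reply matches the request ID and its Response Authenticator is valid."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(payload: bytes) -> list:
    """Decode attributes; Cisco VSAs come back as ("VSA", vendor, vendor_type, value)."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute length")
        value = payload[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            out.append(("VSA", vendor, vtype, value[6:4 + vlen]))
        else:
            out.append(("ATTR", atype, value))
        i += alen
    return out


# The attributes radclient sent in the post (service activation via Cisco-Account-Info).
REQUEST_ATTRS = (
    attr(ATTR_USER_NAME, b"02-00001")
    + cisco_vsa(CISCO_ACCOUNT_INFO, b"S100.63.1.234")
    + cisco_vsa(CISCO_ACCOUNT_INFO, b"N;1;AFREE-INTERNET;86400;65000;65000;200;200;0")
)
# The attributes in the CoA-ACK the post shows (constructed reply with the same content).
ACK_ATTRS = (
    cisco_vsa(CISCO_ACCOUNT_INFO, b"S100.63.1.234")
    + cisco_vsa(CISCO_ACCOUNT_INFO, b"$IVirtual-Access2.1")
)


def demo() -> dict:
    request = build_coa_request(90, REQUEST_ATTRS, SECRET)
    ack = build_coa_ack(request, ACK_ATTRS, SECRET)
    return {
        "request_len": len(request),          # 105, the length radclient reported
        "ack_len": len(ack),                  # 68, the length radclient reported
        "ack_valid": verify_response(ack, request, SECRET),
        "ack_wrong_key": verify_response(ack, request, b"wrong-key"),
        "ack_attrs": parse_attributes(ack[20:]),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

The lengths coming out at exactly 105 and 68 confirm the encoding matches what radclient put on the wire; the authenticator check is what stops a spoofed or replayed ACK from being taken as confirmation that the BRAS applied the change.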
Posted

I'll answer my own question; maybe it will be useful to someone.

-aaa authorization subscriber-service default local group PPPoE_RADIUS

+aaa authorization subscriber-service PPPoE local group PPPoE_RADIUS

The problem is as plain as day, but it tormented me for a long time.

The CoA request then looks like this:

echo "User-Name=\"02-00001\",Cisco-Account-Info=\"S100.63.1.232\",Cisco-Avpair=\"subscriber:service-name=REDIRECT-POLICY-BLOCK\",Cisco-Avpair=\"subscriber:command=deactivate-service\"" | radclient -r1 -t1 -x 10.5.5.3:3799 coa <password>
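The fix in this post comes down to a naming rule: the list name in `authorize aaa list X` inside the control policy has to exist as `aaa authorization subscriber-service X`, which is why `default` versus `PPPoE` left the session with no services. The following is an added example (Python, written for this thread, not the poster's own tooling): a small check that parses an IOS running-config and reports every control-policy `authenticate`/`authorize` action whose list name has no matching global method list. Run against a cut-down copy of the thread's config it flags the mismatch, and passes once the line is renamed. The config snippets are constructed from the thread; the `authenticate aaa list` to `aaa authentication ppp` pairing is an assumption made for PPP(oE) sessions and is marked as such in the code.

```python
"""Check ISG control-policy AAA list names against global AAA method lists (added example)."""
import re
from typing import Dict, List, Set, Tuple

# Global command each control-policy action resolves its list name against.
# authorize -> subscriber-service is what the thread's fix demonstrates;
# authenticate -> ppp is the pairing ASSUMED here for PPP(oE) sessions.
LIST_SOURCES = {
    "authorize": "aaa authorization subscriber-service",
    "authenticate": "aaa authentication ppp",
}
ACTION_RE = re.compile(r"^\s*\d+\s+(authenticate|authorize)\s+aaa\s+list\s+(\S+)")
POLICY_RE = re.compile(r"^policy-map type control (\S+)")


def collect_global_lists(config: str) -> Dict[str, Set[str]]:
    """Map each action to the set of list names defined globally for it."""
    found: Dict[str, Set[str]] = {action: set() for action in LIST_SOURCES}
    for line in config.splitlines():
        for action, prefix in LIST_SOURCES.items():
            m = re.match(re.escape(prefix) + r"\s+(\S+)", line.strip())
            if m:
                found[action].add(m.group(1))
    return found


def collect_policy_actions(config: str) -> List[Tuple[str, str, str]]:
    """Return (policy_map, action, list_name) for every aaa-list action inside a
    'policy-map type control' block. A top-level block ends at the next
    non-indented command line; bare '!' separators do not end it."""
    actions: List[Tuple[str, str, str]] = []
    current = None
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        if line and not line[0].isspace() and not line.startswith("!"):
            current = None
            continue
        m = ACTION_RE.match(line)
        if m:
            actions.append((current, m.group(1), m.group(2)))
    return actions


def find_mismatches(config: str) -> List[str]:
    """One finding per control-policy action whose list has no global definition."""
    defined = collect_global_lists(config)
    findings = []
    for policy, action, name in collect_policy_actions(config):
        if name not in defined[action]:
            findings.append(
                f"{policy}: '{action} aaa list {name}' has no matching "
                f"'{LIST_SOURCES[action]} {name}'"
            )
    return findings


# Constructed cut-down copy of the thread's config, before the fix.
BROKEN_CONFIG = """\
aaa new-model
aaa authentication ppp PPPoE group PPPoE_RADIUS
aaa authorization network PPPoE group PPPoE_RADIUS
aaa authorization subscriber-service default local group PPPoE_RADIUS
!
policy-map type control ISG-CONTROL
 class type control always event session-start
  1 authenticate aaa list PPPoE
  2 authorize aaa list PPPoE password cisco identifier authenticated-username
 !
!
interface Virtual-Template1
 service-policy type control ISG-CONTROL
!
"""
# The same config with the one line the thread changed.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "aaa authorization subscriber-service default",
    "aaa authorization subscriber-service PPPoE",
)

if __name__ == "__main__":
    for label, cfg in (("before", BROKEN_CONFIG), ("after", FIXED_CONFIG)):
        print(label, find_mismatches(cfg) or ["OK"])
```

Feed it the output of `show running-config` (saved to a file) instead of the embedded snippet to check a live BRAS; a non-empty result is a session that will authenticate but never get its services, exactly the `%No active services` symptom in the first post.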

 
