Cisco ISG-CoA

Good afternoon, colleagues!

I'm struggling with a CoA and ISG problem. I can't get services to activate/deactivate.

version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname Cisco_Test
!
boot-start-marker
boot-end-marker
!
!
enable password jdi-l.n
!
aaa new-model
!
!
aaa group server radius PPPoE_RADIUS
 server name radius
 ip radius source-interface GigabitEthernet3.100
!
aaa authentication login default local enable none
aaa authentication ppp PPPoE group PPPoE_RADIUS
aaa authorization network PPPoE group PPPoE_RADIUS
aaa authorization subscriber-service default local group PPPoE_RADIUS
aaa accounting update newinfo periodic 5
aaa accounting network PPPoE start-stop group PPPoE_RADIUS
!
!
!
!
aaa server radius dynamic-author
 client 10.5.5.2 server-key <password>
 domain stripping right-to-left
 port 3799
 auth-type any
!
aaa session-id common
clock timezone MSK 3 0
!
!
!         
!
!
!
!
!
!


ip domain name ugtelecom.info

!
!
!
!
!
!
!
!
!
!
subscriber templating
service-policy type control ISG-CONTROL
!         
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
license udi pid CSR1000V sn 9HHYWD2KHJD
archive
 path flash:
 maximum 5
 write-memory
spanning-tree extend system-id
!
username dkostiuk password 0 blablabla
!         
redundancy
!
!
!
!
!
!
class-map type traffic match-any CLASS-TO-REDIRECT
 match access-group input 103
 match access-group output 103
!
class-map type traffic match-any PERMIT_RESOURCES_BLOCK
 match access-group input 101
 match access-group output 101
!
class-map type traffic match-any DNS4REDIRECT
 match access-group input 100
 match access-group output 100
!
class-map type control match-all ISG-IP-UNAUTH
 match authen-status unauthenticated
 match timer UNAUTH-TIMER
!         
policy-map type service FREE-INTERNET
 service local
 ip access-group 102 in
 ip access-group 102 out
 1 class type traffic PERMIT_RESOURCES_BLOCK
  police input 65000 1000 1000
  police output 65000 1000 1000
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service REDIRECT-POLICY-BLOCK
 ip access-group 104 in
 ip access-group 104 out
 1 class type traffic CLASS-TO-REDIRECT
  redirect to ip 100.63.0.3 port 80
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service DNS-REDIRECT
 ip access-group 105 in
 ip access-group 105 out
 1 class type traffic DNS4REDIRECT
  redirect to ip 8.8.8.8
 !
 class type traffic default in-out
  drop
 !
!
policy-map type control ISG-CONTROL
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event account-logoff
  1 service disconnect
 !
 class type control always event credit-exhausted
  1 service-policy type service name FREE-INTERNET
 !
 class type control always event session-start
  1 authenticate aaa list PPPoE
  2 authorize aaa list PPPoE password cisco identifier authenticated-username
 !        
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
bba-group pppoe BRAS-PPPOE
 virtual-template 1
 sessions per-vlan limit 2000
 sessions auto cleanup
!
!
!         
interface Loopback1
 ip address 100.63.1.1 255.255.255.255
!
interface GigabitEthernet1
 no ip address
 negotiation auto
 pppoe enable group BRAS-PPPOE
 service-policy type control ISG-CONTROL
 ip subscriber routed
  initiator unclassified ip-address
!
interface GigabitEthernet2
 ip address 192.168.5.15 255.255.255.0
 negotiation auto
!
interface GigabitEthernet3
 no ip address
 negotiation auto
 pppoe enable group BRAS-PPPOE
!
interface GigabitEthernet3.50
 encapsulation dot1Q 50
 ip address 10.2.2.3 255.255.255.0
 ip ospf 1 area 10.2.2.0
!
interface GigabitEthernet3.100
 encapsulation dot1Q 100
 ip address 10.5.5.3 255.255.255.0
!
interface Virtual-Template1
 mtu 1492
 ip unnumbered Loopback1
 no logging event link-status
 no peer default ip address
 ppp authentication chap ms-chap ms-chap-v2 pap PPPoE
 ppp authorization PPPoE
 ppp accounting PPPoE
 ppp ipcp dns 8.8.8.8
 ppp ipcp address unique
 service-policy type control ISG-CONTROL
!
router ospf 1
 router-id 10.1.1.3
 redistribute connected subnets
 passive-interface GigabitEthernet1
!         
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 100.63.0.3 255.255.255.255 10.2.2.1
!
access-list 100 permit udp any any eq domain
access-list 100 permit udp any eq domain any
access-list 100 deny   udp any any
access-list 101 permit ip any 87.240.128.0 0.0.63.255
access-list 101 permit ip 87.240.128.0 0.0.63.255 any
access-list 101 deny   ip any any
access-list 102 remark --permit any any--
access-list 102 permit ip any any
access-list 103 remark -sniff all packets to web-
access-list 103 permit tcp any eq www any
access-list 103 permit tcp any any eq www
access-list 103 deny   tcp any any
access-list 104 permit tcp any eq www any
access-list 104 permit tcp any any eq www
access-list 104 deny   tcp any any
access-list 105 remark --sniff only dns packets for redirect--
access-list 105 permit udp any eq domain any
access-list 105 permit udp any any eq domain
access-list 105 deny   udp any any
!
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 25 access-request include
radius-server attribute 30 original-called-number
radius-server attribute nas-port format e UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
radius-server attribute 61 extended
radius-server attribute 31 mac format unformatted
radius-server configure-nas
!
radius server radius
 address ipv4 10.5.5.2 auth-port 1812 acct-port 1813
 key superpassword
!
!
control-plane
!
 !
 !
 !
 !
!
!
!
!
!
line con 0
line vty 0 5
 transport input telnet
!
ntp server 192.168.3.69
!
end

Request-Response:


echo "User-Name=\"02-00001\",Cisco-Account-Info=\"S100.63.1.234\",Cisco-Account-Info=\"N;1;AFREE-INTERNET;86400;65000;65000;200;200;0\"" | radclient -r1 -t1 -x 10.5.5.3:3799 coa <password>

Sent CoA-Request Id 90 from 0.0.0.0:39795 to 10.5.5.3:3799 length 105
    User-Name = "02-00001"
    Cisco-Account-Info = "S100.63.1.234"
    Cisco-Account-Info = "N;1;AFREE-INTERNET;86400;65000;65000;200;200;0"
Received CoA-ACK Id 90 from 10.5.5.3:3799 to 10.5.5.2:39795 length 68
    Cisco-Account-Info = "S100.63.1.234"
    Cisco-Account-Info = "$IVirtual-Access2.1"

But the service on the Cisco was not activated:

Cisco_Test#show subscriber session detailed
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: PPPoE, UID: 22, State: authen, Identity: 02-00001
IPv4 Address: 100.63.1.234
Session Up-time: 00:06:04, Last Changed: 00:05:15
Interface: Virtual-Access2.1
Switch-ID: 4175

Policy information:
  Context 7F401B41CE20: Handle B3000034
  AAA_id 00000027: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    timeout              0   86400 (0x15180)
    service-type         0   2 [Framed]
    addr                 0   100.63.1.234
    netmask              0   255.255.255.255
    username             0   "02-00001"
    ssg-account-info     0   "N;1;AFREE-INTERNET;86400;65000;65000;200;200;0"
  Downloaded User profile, including services:
    timeout              0   86400 (0x15180)
    service-type         0   2 [Framed]
    addr                 0   100.63.1.234
    netmask              0   255.255.255.255
    username             0   "02-00001"
    ssg-account-info     0   "N;1;AFREE-INTERNET;86400;65000;65000;200;200;0"
  Config history for session (recent to oldest):
    Access-type: PPP Client: Push Command-Handler
     Policy event: Process Config
      Profile name: 02-00001, 2 references
        username             0   "02-00001"
        ssg-account-info     0   "N;1;AFREE-INTERNET;86400;65000;65000;200;200;0"
    Access-type: PPP Client: SM
     Policy event: Got More Keys
      Profile name: 02-00001, 2 references
        timeout              0   86400 (0x15180)
        service-type         0   2 [Framed]
        addr                 0   100.63.1.234
        netmask              0   255.255.255.255
        Message-Authenticato 0   <hidden>
  Rules, actions and conditions executed:
    subscriber rule-map ISG-CONTROL
      condition always event session-start
        1 authenticate aaa list PPPoE
        2 authorize aaa list PPPoE identifier authenticated-username

Classifiers:
Class-id    Dir   Packets    Bytes                  Pri.  Definition
0           In    326        40104                  0    Match Any
1           Out   219        41002                  0    Match Any

Features:

IP Config:
M=Mandatory, T=Tag, Mp=Mandatory pool
Flags  Peer IP Address                  Pool Name             Interface      
       100.63.1.234                     [None]                [None]         
       ::                               [None]                [None]         

Absolute Timeout:
Class-id   Timeout Value    Time Remaining       Source
0          86400            23:53:55             Peruser

Configuration Sources:
Type  Active Time  AAA Service ID  Name
USR   00:06:04     -               Peruser
INT   00:06:04     -               Virtual-Template1

Cisco_Test#show subscriber service detailed
%No active services

Can you tell me what I'm missing?

Edited by Den4ikArgv


I'll answer my own question; maybe it'll be useful to someone.


-aaa authorization subscriber-service default local group PPPoE_RADIUS

+aaa authorization subscriber-service PPPoE local group PPPoE_RADIUS

The problem is as plain as day, but it tormented me for a long time.

The CoA then looks like this:


echo "User-Name=\"02-00001\",Cisco-Account-Info=\"S100.63.1.232\",Cisco-Avpair=\"subscriber:service-name=REDIRECT-POLICY-BLOCK\",Cisco-Avpair=\"subscriber:command=deactivate-service\"" | radclient -r1 -t1 -x 10.5.5.3:3799 coa <password>

 

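Added example (not from the thread and not Cisco's or FreeRADIUS's code): a Python script that builds the same RADIUS CoA-Request packets the radclient commands in this thread send, with the Cisco-Account-Info ("S<ip>" session key) and Cisco-AVPair ("subscriber:command=...") vendor attributes, and verifies a CoA-ACK's Response Authenticator against the shared secret as RFC 5176 specifies. The secret, the packet identifier and the simulated ACK are constructed; the attribute encoding reproduces the byte lengths visible in the trace above (105-byte request, 68-byte ACK). The `server-key` under `aaa server radius dynamic-author` is the only thing that lets the BRAS reject CoA requests not coming from the RADIUS server, and the Response Authenticator check in `verify_response` is the client-side counterpart of that.

```python
"""RADIUS Dynamic Authorization (RFC 5176) CoA-Request/CoA-ACK builder and
verifier with Cisco VSAs. Constructed example for this thread; not the poster's
or Cisco's code. It reproduces the packets radclient puts on the wire."""
import hashlib
import hmac
import struct

# Packet codes used by Dynamic Authorization (RFC 5176)
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1          # Cisco-AVPair, e.g. "subscriber:command=deactivate-service"
CISCO_ACCOUNT_INFO = 250  # Cisco-Account-Info, e.g. "S100.63.1.234" (ISG session key)
VSA_NAMES = {CISCO_AVPAIR: "Cisco-AVPair", CISCO_ACCOUNT_INFO: "Cisco-Account-Info"}


def attr(atype: int, value: bytes) -> bytes:
    """Plain RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_vsa(sub_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26) attribute wrapping one Cisco (vendor 9) sub-attribute."""
    sub = struct.pack("!BB", sub_type, 2 + len(value)) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def coa_request(ident: int, user: str, session_ip: str, vsas, secret: bytes) -> bytes:
    """CoA-Request keyed on User-Name plus the ISG session key "S<ip>", followed
    by further Cisco sub-attributes given as (sub_type, text) pairs. RFC 5176:
    Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    attrs = attr(ATTR_USER_NAME, user.encode())
    attrs += cisco_vsa(CISCO_ACCOUNT_INFO, f"S{session_ip}".encode())
    for sub_type, text in vsas:
        attrs += cisco_vsa(sub_type, text.encode())
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def coa_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """What the NAS sends back (used here to simulate the ACK). RFC 5176:
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Accept a reply only if it matches our request's Identifier, declares a
    consistent Length and carries a Response Authenticator computed with the
    shared secret; that authenticator is the sole proof the ACK came from the NAS."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attrs(attrs: bytes) -> list:
    """Decode the attribute section into (name, text) pairs, unwrapping Cisco VSAs
    so the output reads like radclient's -x trace."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6 \
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            sub_type, sub_len = value[4], value[5]
            out.append((VSA_NAMES.get(sub_type, f"Cisco-{sub_type}"),
                        value[6:4 + sub_len].decode()))
        elif atype == ATTR_USER_NAME:
            out.append(("User-Name", value.decode()))
        else:
            out.append((f"Attr-{atype}", value.hex()))
        i += alen
    return out


if __name__ == "__main__":
    SECRET = b"example-shared-secret"  # constructed stand-in for the thread's <password>
    # The deactivate-service CoA from the thread's final radclient command
    req = coa_request(90, "02-00001", "100.63.1.232",
                      [(CISCO_AVPAIR, "subscriber:service-name=REDIRECT-POLICY-BLOCK"),
                       (CISCO_AVPAIR, "subscriber:command=deactivate-service")], SECRET)
    for name, text in parse_attrs(req[20:]):
        print(f"    {name} = {text!r}")
    # Simulated CoA-ACK echoing the session key and interface, as in the thread's capture
    ack = coa_response(COA_ACK, req, cisco_vsa(CISCO_ACCOUNT_INFO, b"S100.63.1.232")
                       + cisco_vsa(CISCO_ACCOUNT_INFO, b"$IVirtual-Access2.1"), SECRET)
    print("CoA-ACK verified:", verify_response(req, ack, SECRET))
```

To send the packet for real you would hand `req` to a UDP socket aimed at the BRAS on port 3799 and pass the datagram that comes back to `verify_response` before trusting it; the `$I<interface>` echoed in the ACK is the same session identifier the BRAS returned in the trace above.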
