Den4ikArgv Posted August 15 (edited)

Good day, colleagues! I'm fighting a problem with CoA and ISG. I can't get services to activate/deactivate.

Config:

version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname Cisco_Test
!
boot-start-marker
boot-end-marker
!
enable password jdi-l.n
!
aaa new-model
!
aaa group server radius PPPoE_RADIUS
 server name radius
 ip radius source-interface GigabitEthernet3.100
!
aaa authentication login default local enable none
aaa authentication ppp PPPoE group PPPoE_RADIUS
aaa authorization network PPPoE group PPPoE_RADIUS
aaa authorization subscriber-service default local group PPPoE_RADIUS
aaa accounting update newinfo periodic 5
aaa accounting network PPPoE start-stop group PPPoE_RADIUS
!
aaa server radius dynamic-author
 client 10.5.5.2 server-key <password>
 domain stripping right-to-left
 port 3799
 auth-type any
!
aaa session-id common
clock timezone MSK 3 0
!
ip domain name ugtelecom.info
!
subscriber templating
service-policy type control ISG-CONTROL
!
multilink bundle-name authenticated
!
license udi pid CSR1000V sn 9HHYWD2KHJD
archive
 path flash:
 maximum 5
 write-memory
spanning-tree extend system-id
!
username dkostiuk password 0 blablabla
!
redundancy
!
class-map type traffic match-any CLASS-TO-REDIRECT
 match access-group input 103
 match access-group output 103
!
class-map type traffic match-any PERMIT_RESOURCES_BLOCK
 match access-group input 101
 match access-group output 101
!
class-map type traffic match-any DNS4REDIRECT
 match access-group input 100
 match access-group output 100
!
class-map type control match-all ISG-IP-UNAUTH
 match authen-status unauthenticated
 match timer UNAUTH-TIMER
!
policy-map type service FREE-INTERNET
 service local
 ip access-group 102 in
 ip access-group 102 out
 1 class type traffic PERMIT_RESOURCES_BLOCK
  police input 65000 1000 1000
  police output 65000 1000 1000
 !
 class type traffic default in-out
  drop
!
policy-map type service REDIRECT-POLICY-BLOCK
 ip access-group 104 in
 ip access-group 104 out
 1 class type traffic CLASS-TO-REDIRECT
  redirect to ip 100.63.0.3 port 80
 !
 class type traffic default in-out
  drop
!
policy-map type service DNS-REDIRECT
 ip access-group 105 in
 ip access-group 105 out
 1 class type traffic DNS4REDIRECT
  redirect to ip 8.8.8.8
 !
 class type traffic default in-out
  drop
!
policy-map type control ISG-CONTROL
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event account-logoff
  1 service disconnect
 !
 class type control always event credit-exhausted
  1 service-policy type service name FREE-INTERNET
 !
 class type control always event session-start
  1 authenticate aaa list PPPoE
  2 authorize aaa list PPPoE password cisco identifier authenticated-username
!
bba-group pppoe BRAS-PPPOE
 virtual-template 1
 sessions per-vlan limit 2000
 sessions auto cleanup
!
interface Loopback1
 ip address 100.63.1.1 255.255.255.255
!
interface GigabitEthernet1
 no ip address
 negotiation auto
 pppoe enable group BRAS-PPPOE
 service-policy type control ISG-CONTROL
 ip subscriber routed
  initiator unclassified ip-address
!
interface GigabitEthernet2
 ip address 192.168.5.15 255.255.255.0
 negotiation auto
!
interface GigabitEthernet3
 no ip address
 negotiation auto
 pppoe enable group BRAS-PPPOE
!
interface GigabitEthernet3.50
 encapsulation dot1Q 50
 ip address 10.2.2.3 255.255.255.0
 ip ospf 1 area 10.2.2.0
!
interface GigabitEthernet3.100
 encapsulation dot1Q 100
 ip address 10.5.5.3 255.255.255.0
!
interface Virtual-Template1
 mtu 1492
 ip unnumbered Loopback1
 no logging event link-status
 no peer default ip address
 ppp authentication chap ms-chap ms-chap-v2 pap PPPoE
 ppp authorization PPPoE
 ppp accounting PPPoE
 ppp ipcp dns 8.8.8.8
 ppp ipcp address unique
 service-policy type control ISG-CONTROL
!
router ospf 1
 router-id 10.1.1.3
 redistribute connected subnets
 passive-interface GigabitEthernet1
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 100.63.0.3 255.255.255.255 10.2.2.1
!
access-list 100 permit udp any any eq domain
access-list 100 permit udp any eq domain any
access-list 100 deny udp any any
access-list 101 permit ip any 87.240.128.0 0.0.63.255
access-list 101 permit ip 87.240.128.0 0.0.63.255 any
access-list 101 deny ip any any
access-list 102 remark --permit any any--
access-list 102 permit ip any any
access-list 103 remark -sniff all packets to web-
access-list 103 permit tcp any eq www any
access-list 103 permit tcp any any eq www
access-list 103 deny tcp any any
access-list 104 permit tcp any eq www any
access-list 104 permit tcp any any eq www
access-list 104 deny tcp any any
access-list 105 remark --sniff only dns packets for redirect--
access-list 105 permit udp any eq domain any
access-list 105 permit udp any any eq domain
access-list 105 deny udp any any
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 25 access-request include
radius-server attribute 30 original-called-number
radius-server attribute nas-port format e UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
radius-server attribute 61 extended
radius-server attribute 31 mac format unformatted
radius-server configure-nas
!
radius server radius
 address ipv4 10.5.5.2 auth-port 1812 acct-port 1813
 key superpassword
!
control-plane
!
line con 0
line vty 0 5
 transport input telnet
!
ntp server 192.168.3.69
!
end

Request/response:

echo "User-Name=\"02-00001\",Cisco-Account-Info=\"S100.63.1.234\",Cisco-Account-Info=\"N;1;AFREE-INTERNET;86400;65000;65000;200;200;0\"" | radclient -r1 -t1 -x 10.5.5.3:3799 coa <password>
Sent CoA-Request Id 90 from 0.0.0.0:39795 to 10.5.5.3:3799 length 105
        User-Name = "02-00001"
        Cisco-Account-Info = "S100.63.1.234"
        Cisco-Account-Info = "N;1;AFREE-INTERNET;86400;65000;65000;200;200;0"
Received CoA-ACK Id 90 from 10.5.5.3:3799 to 10.5.5.2:39795 length 68
        Cisco-Account-Info = "S100.63.1.234"
        Cisco-Account-Info = "$IVirtual-Access2.1"

But the service did not get activated on the Cisco:

Cisco_Test#show subscriber session detailed
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: PPPoE, UID: 22, State: authen, Identity: 02-00001
IPv4 Address: 100.63.1.234
Session Up-time: 00:06:04, Last Changed: 00:05:15
Interface: Virtual-Access2.1
Switch-ID: 4175
Policy information:
  Context 7F401B41CE20: Handle B3000034
  AAA_id 00000027: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    timeout             0   86400 (0x15180)
    service-type        0   2 [Framed]
    addr                0   100.63.1.234
    netmask             0   255.255.255.255
    username            0   "02-00001"
    ssg-account-info    0   "N;1;AFREE-INTERNET;86400;65000;65000;200;200;0"
  Downloaded User profile, including services:
    timeout             0   86400 (0x15180)
    service-type        0   2 [Framed]
    addr                0   100.63.1.234
    netmask             0   255.255.255.255
    username            0   "02-00001"
    ssg-account-info    0   "N;1;AFREE-INTERNET;86400;65000;65000;200;200;0"
  Config history for session (recent to oldest):
    Access-type: PPP Client: Push Command-Handler
    Policy event: Process Config
      Profile name: 02-00001, 2 references
        username            0   "02-00001"
        ssg-account-info    0   "N;1;AFREE-INTERNET;86400;65000;65000;200;200;0"
    Access-type: PPP Client: SM
    Policy event: Got More Keys
      Profile name: 02-00001, 2 references
        timeout             0   86400 (0x15180)
        service-type        0   2 [Framed]
        addr                0   100.63.1.234
        netmask             0   255.255.255.255
        Message-Authenticato 0  <hidden>
  Rules, actions and conditions executed:
    subscriber rule-map ISG-CONTROL
      condition always event session-start
        1 authenticate aaa list PPPoE
        2 authorize aaa list PPPoE identifier authenticated-username
Classifiers:
Class-id  Dir  Packets  Bytes  Pri.  Definition
0         In   326      40104  0     Match Any
1         Out  219      41002  0     Match Any
Features:
IP Config:
  M=Mandatory, T=Tag, Mp=Mandatory pool
  Flags  Peer IP Address  Pool Name  Interface
         100.63.1.234     [None]     [None]
         ::               [None]     [None]
Absolute Timeout:
  Class-id  Timeout Value  Time Remaining  Source
  0         86400          23:53:55        Peruser
Configuration Sources:
Type  Active Time  AAA Service ID  Name
USR   00:06:04     -               Peruser
INT   00:06:04     -               Virtual-Template1

Cisco_Test#show subscriber service detailed
%No active services

Can someone tell me what I'm missing?

Edited August 15 by Den4ikArgv
Den4ikArgv Posted August 15

I'll answer my own question; maybe it will be useful to someone.

-aaa authorization subscriber-service default local group PPPoE_RADIUS
+aaa authorization subscriber-service PPPoE local group PPPoE_RADIUS

The problem is as plain as day, but it tormented me for a long time. The CoA then looks like this:

echo "User-Name=\"02-00001\",Cisco-Account-Info=\"S100.63.1.232\",Cisco-Avpair=\"subscriber:service-name=REDIRECT-POLICY-BLOCK\",Cisco-Avpair=\"subscriber:command=deactivate-service\"" | radclient -r1 -t1 -x 10.5.5.3:3799 coa <password>
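Added example (editor's code, not from the posts above and not Cisco or FreeRADIUS code): what the two radclient one-liners in this thread put on the wire, and the checks each side runs on it. It builds an RFC 5176 CoA-Request carrying the Cisco-Account-Info (vendor 9, sub-type 250) and Cisco-AVPair (sub-type 1) VSAs, verifies the Request Authenticator the way the NAS does before acting on a request, and verifies the Response Authenticator of a CoA-ACK the way a client should before trusting a reply. The shared secret, Identifier and addresses are constructed; `subscriber:command=activate-service` is assumed here as the Cisco counterpart of the deactivate-service command the post shows. Note that the fix in this post only makes the subscriber-service authorization list name match the `authorize aaa list PPPoE` action in ISG-CONTROL; the CoA encoding itself was already accepted by the router (the first post got a CoA-ACK back).

```python
"""RADIUS CoA (RFC 5176) request/response builder and verifier using the Cisco ISG VSAs.

Added example for this thread; not code from the original posts, Cisco or FreeRADIUS.
The shared secret, packet Identifier and attribute values are constructed for
illustration. 'activate-service' is assumed as the counterpart of the
'deactivate-service' command shown in the post.
"""
import hashlib
import hmac
import struct

CODE_COA_REQUEST, CODE_COA_ACK, CODE_COA_NAK = 43, 44, 45
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC = 1, 26
VENDOR_CISCO = 9
CISCO_AVPAIR, CISCO_ACCOUNT_INFO = 1, 250   # Cisco vendor sub-attribute types


def attribute(attr_type, value):
    """Standard RADIUS TLV: Type(1) Length(1) Value(<=253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_vsa(sub_type, text):
    """Vendor-Specific (26) wrapping one Cisco (vendor 9) sub-attribute."""
    data = text.encode()
    sub = struct.pack("!BB", sub_type, 2 + len(data)) + data
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def build_coa_request(secret, identifier, attrs):
    """Client side. Request Authenticator = MD5(Code|ID|Length|16 zero bytes|Attributes|Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", CODE_COA_REQUEST, identifier, 20 + len(body))
    req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + req_auth + body


def verify_coa_request(secret, packet):
    """NAS side. Recompute the Request Authenticator; a wrong secret or any altered byte fails."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_coa_response(secret, request, code, attrs=()):
    """NAS side. Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_coa_response(secret, request, response):
    """Client side. Accept only a reply whose Identifier matches our request and whose
    Response Authenticator was computed over our Request Authenticator and the secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet):
    """Return [(type, value)], decoding Cisco VSAs as ('Cisco', sub_type, text)."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + length]
        if (attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO):
            sub_len = value[5]
            out.append(("Cisco", value[4], value[6:4 + sub_len].decode()))
        else:
            out.append((attr_type, value))
        pos += length
    return out


def isg_service_request(secret, identifier, username, session_ip, service, activate):
    """The radclient one-liner from the post as bytes: Account-Info 'S<ip>' selects the
    session; two Cisco-AVPairs name the service and the command to apply to it."""
    command = "activate-service" if activate else "deactivate-service"
    attrs = [
        attribute(ATTR_USER_NAME, username.encode()),
        cisco_vsa(CISCO_ACCOUNT_INFO, "S" + session_ip),
        cisco_vsa(CISCO_AVPAIR, "subscriber:service-name=" + service),
        cisco_vsa(CISCO_AVPAIR, "subscriber:command=" + command),
    ]
    return build_coa_request(secret, identifier, attrs)


if __name__ == "__main__":
    secret = b"coa-secret"   # constructed; stands in for the dynamic-author server-key
    req = isg_service_request(secret, 90, "02-00001", "100.63.1.232",
                              "REDIRECT-POLICY-BLOCK", activate=False)
    ack = build_coa_response(secret, req, CODE_COA_ACK,
                             [cisco_vsa(CISCO_ACCOUNT_INFO, "S100.63.1.232")])
    print(verify_coa_request(secret, req), verify_coa_response(secret, req, ack))
    print(parse_attributes(req))
```

Rebuilding the first post's request with the `N;1;AFREE-INTERNET;...` Account-Info string through the same functions gives a 105-byte request and, with the two Account-Info values the router returned, a 68-byte ACK, the same lengths radclient printed; that is a cheap way to check a VSA encoder against a real exchange before pointing it at a BRAS.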