ya4ya Posted February 13, 2010 (edited) · Report post Кто нибудь использует для авторизации сабскрабера сам интерфейс? "ip subscriber interface" Попробовал, сервисы вешаются, трафик в сервисы попадает, но нет аккаутинга по сервисам, ни стоповых, ни стартовых пакетов вообще не приходит ни по одному сервису. Если пробовать ip subscriber routed или l2-connectde все приходит. Копал cisco, упоминание про аккаутинг при использовании "ip subscriber interface" не нашел... Вот сессия Unique Session ID: 99 Identifier: test SIP subscriber access type(s): IP-Interface Current SIP options: None Session Up-time: 00:00:09, Last Changed: 00:00:09 Interface: GigabitEthernet0/1.10 Policy information: Context 0684C37C: Handle E1000C76 AAA_id 00023BA0: Flow_handle 0 Authentication status: authen Downloaded User profile, excluding services: ssg-account-info "Aservice_unauth" idletime 300 (0x12C) timeout 21600 (0x5460) reply-message "Hello, R1:0/0/1/10" username "test" reply-message "Hello, test" ssg-account-info "Aservice_inet512" ssg-account-info "Aservice_inet2pre" ssg-account-info "Aservice_local5120" Downloaded User profile, including services: ssg-account-info "Aservice_unauth" idletime 300 (0x12C) timeout 21600 (0x5460) reply-message "Hello, R1:0/0/1/10" username "test" reply-message "Hello, test" ssg-account-info "Aservice_inet512" ssg-account-info "Aservice_inet2pre" ssg-account-info "Aservice_local5120" accounting-list “rad” ssg-service-info "QU;512000;96000;192000;D;512000;96000;192000" clid "0030.18a0.4ec6" sss-service 6 [local-termination] service-type 5 [Outbound] traffic-class "in default drop" traffic-class "out default drop" traffic-class "in access-group name service_inet2pre_in priority 400" traffic-class "out access-group name service_inet2pre_out priority 400" Config history for session (recent to oldest): Access-type: Web-service-logon Client: SM Policy event: Apply Config Success (Service) Profile name: service_inet2pre, 4 references service-type 5 [Outbound] traffic-class "in default drop" traffic-class "out default drop" traffic-class "in access-group name service_inet2pre_in priority 400" traffic-class "out access-group name service_inet2pre_out priority 400" Access-type: Web-service-logon Client: SM Policy event: Service Selection Request (Service) Profile name: service_unauth, 178 references username "service_unauth" clid "0030.18a0.4ec6" password <hidden> sss-service 6 [local-termination] traffic-class "input default drop" traffic-class "output default drop" Access-type: Web-service-logon Client: SM Policy event: Service Selection Request (Service) Profile name: service_inet512, 58 references service-type 5 [Outbound] accounting-list “rad” traffic-class "in default drop" traffic-class "out default drop" traffic-class "in access-group name service_inet_in priority 500" traffic-class "out access-group name service_inet_out priority 500" ssg-service-info "QU;512000;96000;192000;D;512000;96000;192000" Access-type: Web-service-logon Client: SM Policy event: Service Selection Request (Service) Profile name: service_local5120, 12 references service-type 5 [Outbound] accounting-list “rad” traffic-class "in default drop" traffic-class "out default drop" traffic-class "in access-group name service_local_in priority 200" traffic-class "out access-group name service_local_out priority 200" ssg-service-info "QU;5120000;960000;1920000;D;5120000;960000;1920000" Access-type: IP-Interface Client: SM Policy event: Service Selection Request Profile name: nas-port:0.0.0.0:0/0/1/10, 2 references ssg-account-info "Aservice_unauth" idletime 300 (0x12C) timeout 21600 (0x5460) reply-message "Hello, R1:0/0/1/10" username "test" reply-message "Hello, test" ssg-account-info "Aservice_inet512" ssg-account-info "Aservice_inet2pre" ssg-account-info "Aservice_local5120" Active services associated with session: name "service_inet2pre" name "service_unauth" name "service_inet512" name "service_local5120" Rules, actions and conditions executed: subscriber rule-map isg_sss_initif condition always event session-start 20 authorize aaa list pppoe identifier nas-port Session inbound features: Traffic classes: Traffic class session ID: 682 ACL Name: service_local_in, Packets = 3, Bytes = 232 Traffic class session ID: 230 ACL Name: service_inet_in, Packets = 0, Bytes = 0 Traffic class session ID: 662 ACL Name: service_inet2pre_in, Packets = 1, Bytes = 76 Default traffic is dropped Unmatched Packets = 0, Re-classified packets (redirected) = 0 Feature: IP Idle Timeout Timeout value is 300 Idle time is 00:00:31 Session outbound features: Traffic classes: Traffic class session ID: 682 ACL Name: service_local_out, Packets = 3, Bytes = 980 Traffic class session ID: 230 ACL Name: service_inet_out, Packets = 0, Bytes = 0 Traffic class session ID: 662 ACL Name: service_inet2pre_out, Packets = 0, Bytes = 0 Default traffic is dropped Unmatched Packets = 0, Re-classified packets (redirected) = 0 Non-datapath features: Feature: Session Timeout Timeout value is 21600 seconds Time remaining is 05:58:52 Configuration sources associated with this session: Service: service_inet2pre, Active Time = 00:01:07 AAA Service ID = 3724542134 Service: service_unauth, Active Time = 00:01:07 Service: service_inet512, Active Time = 00:01:07 AAA Service ID = 2634023719 Service: service_local5120, Active Time = 00:01:07 AAA Service ID = 1979711499 Interface: GigabitEthernet0/1.10, Active Time = 00:01:07 Edited February 13, 2010 by ya4ya Share this post Link to post Share on other sites
ya4ya Posted February 13, 2010 · Report post Попробовал поднять на dynamips'е на разных ios'ах тоже самое. ip subscriber routed или l2-connectde аккаутинг есть с ip subscriber interface - нету совсем. Полисинг работает... Странно блин. Может я много хочу? Приходит влан с пользователем, на которого кроме /30 зароучена сеть /26. Необходимо все это расценивать(считать/полисить) как одного пользователя. Возможно можно как нибудь по другому? Share this post Link to post Share on other sites
Cr_net Posted February 13, 2010 · Report post Попробовал поднять на dynamips'е на разных ios'ах тоже самое.ip subscriber routed или l2-connectde аккаутинг есть с ip subscriber interface - нету совсем. Полисинг работает... Странно блин. Может я много хочу? Приходит влан с пользователем, на которого кроме /30 зароучена сеть /26. Необходимо все это расценивать(считать/полисить) как одного пользователя. Возможно можно как нибудь по другому? Попробуйте в профиле сервисов атрибутами передать название радиус схемы для аккаунтинга и апдейт интервал. ещё не понятно как вы добились Unique Session ID: 99 Identifier: test при SIP subscriber access type(s): IP-Interface reply-message "Hello, R1:0/0/1/10" username "test" reply-message "Hello, test" идентификатором (юзернеймом) при ip subscriber interface является же интерфейс, то есть R1:0/0/1/10 Share this post Link to post Share on other sites
ya4ya Posted February 13, 2010 (edited) · Report post Передаю :( Вот например. service_inet512 Huntgroup-Name == "ASCONFIG" cisco-avpair = "accounting-list=rad", cisco-avpair += "ip:traffic-class=in default drop", cisco-avpair += "ip:traffic-class=out default drop", cisco-avpair += "ip:traffic-class=in access-group name service_inet_in priority 500", cisco-avpair += "ip:traffic-class=out access-group name service_inet_out priority 500", Cisco-Service-Info += "QU;512000;96000;192000;D;512000;96000;192000", Service-Type = Outbound-User А идентификатор из-за того что при авторизация радиусом выдаю User-Name := "test" - атрибут. Соответственно authed username становиться "test". На него и ведеться весь аккаутинг когда он работает :((с ip subscriber routed или l2-connectde, pppoe...) и т.д. и т.п., удобно. Edited February 13, 2010 by ya4ya Share this post Link to post Share on other sites
Cr_net Posted February 14, 2010 · Report post Передаю :(Вот например. service_inet512 Huntgroup-Name == "ASCONFIG" cisco-avpair = "accounting-list=rad", cisco-avpair += "ip:traffic-class=in default drop", cisco-avpair += "ip:traffic-class=out default drop", cisco-avpair += "ip:traffic-class=in access-group name service_inet_in priority 500", cisco-avpair += "ip:traffic-class=out access-group name service_inet_out priority 500", Cisco-Service-Info += "QU;512000;96000;192000;D;512000;96000;192000", Service-Type = Outbound-User А идентификатор из-за того что при авторизация радиусом выдаю User-Name := "test" - атрибут. Соответственно authed username становиться "test". На него и ведеться весь аккаутинг когда он работает :((с ip subscriber routed или l2-connectde, pppoe...) и т.д. и т.п., удобно. Да сорь, не заметил accounting-list “rad”, действительно странно. Попробуйте два атрибута отдавать, второй хоть и опциональный но может багофича. 1. Cisco-Avpair="accounting-list=accounting-mlist-name" 2. IETF RADIUS attribute Acct-Interim-Interval (attribute 85) Share this post Link to post Share on other sites
ya4ya Posted February 14, 2010 · Report post Попробовал, не помогло :( Share this post Link to post Share on other sites
Cr_net Posted February 15, 2010 · Report post Попробовал, не помогло :(А можно тогдаshow run | inc aaa show run | inc radius show version | inc image и атрибуты радиуса которые отдаются по основной сессии Share this post Link to post Share on other sites
ya4ya Posted February 15, 2010 (edited) · Report post конечно. aaa new-model aaa group server radius radius-def aaa authentication login default local group radius-def enable aaa authentication ppp rad group radius-def aaa authorization exec default local group radius-def aaa authorization network rad group radius-def aaa authorization subscriber-service default local group radius-def aaa accounting delay-start all aaa accounting suppress null-username aaa accounting update periodic 10 aaa accounting exec rad start-stop group radius-def aaa accounting network default start-stop group radius-def aaa accounting network rad start-stop group radius-def aaa server radius dynamic-author aaa session-id unique 20 authorize aaa list rad password ISG identifier nas-port 20 authorize aaa list rad password ISG identifier nas-port aaa group server radius radius-def aaa authentication login default local group radius-def enable aaa authentication ppp rad group radius-def aaa authorization exec default local group radius-def aaa authorization network rad group radius-def aaa authorization subscriber-service default local group radius-def aaa accounting exec rad start-stop group radius-def aaa accounting network default start-stop group radius-def aaa accounting network rad start-stop group radius-def aaa server radius dynamic-author radius-server attribute 44 include-in-access-req radius-server attribute 8 include-in-access-req radius-server attribute 32 include-in-access-req radius-server attribute 32 include-in-accounting-req radius-server attribute 55 include-in-acct-req radius-server attribute 55 access-request include radius-server attribute nas-port format e UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU radius-server attribute 31 mac format unformatted radius-server attribute 31 send nas-port-detail mac-only radius-server host xxxxxxx auth-port 1645 acct-port 1646 radius-server retransmit 5 radius-server key xxxxxxx radius-server vsa send cisco-nas-port radius-server vsa send accounting radius-server vsa send authentication System image file is "disk0:c7200p-advipservicesk9_li-mz.122-33.SRD3.bin" Попробовал уже на трех железках, на двух из них на разных иосах. Может я просто не умею его готовить конечно. Но уже в который раз перечитываю cisco.com по этому поводу... в aaa group server radius radius-def только адрес сервера. Например вот, пробовал добавить Session-Timeout и к основной сессии и к сервису. К сервсису тотже реплай к примеру на service_inet512. Sun Feb 14 04:45:18 2010 Packet-Type = Access-Accept Cisco-Account-Info += "Aservice_unauth" Idle-Timeout := 300 Session-Timeout := 21600 Reply-Message = "Hello, AS1:0/0/1/10" User-Name := "test" Reply-Message += "Hello, test" Cisco-Account-Info += "Aservice_inet512" Cisco-Account-Info += "Aservice_inet2pre" Cisco-Account-Info += "Aservice_local5120" service_inet512 Huntgroup-Name == "ASCONFIG" cisco-avpair = "accounting-list=rad", cisco-avpair += "ip:traffic-class=in default drop", cisco-avpair += "ip:traffic-class=out default drop", cisco-avpair += "ip:traffic-class=in access-group name service_inet_in priority 500", cisco-avpair += "ip:traffic-class=out access-group name service_inet_out priority 500", Cisco-Service-Info += "QU;512000;96000;192000;D;512000;96000;192000", Service-Type = Outbound-User Если есть возможность попробуйте сами у себя. И скажите результат. Если будет хотябы стартовый acct пакет этого будет достаточно. Edited February 15, 2010 by ya4ya Share this post Link to post Share on other sites
stason Posted December 21, 2010 · Report post Та же самая фигня... не нашли как побороть? :( Share this post Link to post Share on other sites
stason Posted December 21, 2010 (edited) · Report post И ещё вопрос... кто-нибудь может подсказать как при авторизации ip subscriber interface деактивировать сервис или наоборот активировать ? Сейчас картина такая: cs-pe1.yar#sh sss session Current Subscriber Information: Total sessions 3 Uniq ID Interface State Service Identifier Up-time 1799 Se1/0:0 unauthen Ltm MLP Lnk nas-port:0/1/0/0/0 02:45:55 3090 Se1/1:0 unauthen Ltm MLP Lnk nas-port:0/1/0/1/0 02:45:55 1675 Gi0/1.973 authen Local Term 123 00:07:00 140 Traffic-Clas unauthen Ltm Internal 00:07:00 n/a Mu1 connected Ltm Internal nas-port:0/1/0/0/0 02:45:55 cs-pe1.yar#sh sss session uid 1675 detailed Unique Session ID: 1675 Identifier: 123 SIP subscriber access type(s): IP-Interface Current SIP options: None Session Up-time: 00:00:21, Last Changed: 00:00:21 Interface: GigabitEthernet0/1.973 Policy information: Context 6675E59C: Handle 85000A01 AAA_id 000BB002: Flow_handle 0 Authentication status: authen Downloaded User profile, excluding services: ssg-account-info "AINTERNET" ssg-service-info "NINTERNET" username "123" Downloaded User profile, including services: ssg-account-info "AINTERNET" ssg-service-info "NINTERNET" username "123" traffic-class "in access-group 111 priority 10" traffic-class "out access-group 111 priority 10" traffic-class "out default drop" traffic-class "in default drop" accounting-list "ISG-AUTH-YAR" ssg-service-info "IINTERNET" Config history for session (recent to oldest): Access-type: Web-service-logon Client: SM Policy event: Apply Config Success (Service) Profile name: INTERNET, 4 references traffic-class "in access-group 111 priority 10" traffic-class "out access-group 111 priority 10" traffic-class "out default drop" traffic-class "in default drop" accounting-list "ISG-AUTH-YAR" ssg-service-info "IINTERNET" Access-type: IP-Interface Client: SM Policy event: Service Selection Request Profile name: nas-port:x.x.x.x:0/0/1/973, 2 references ssg-account-info "AINTERNET" ssg-service-info "NINTERNET" username "123" Active services associated with session: name "INTERNET" Rules, actions and conditions executed: subscriber rule-map ISG-CUSTOMERS-POLICY condition always event session-start 10 authorize aaa list ISG-AUTH-YAR identifier nas-port Session inbound features: Traffic classes: Traffic class session ID: 2739 ACL Name: 111, Packets = 6281, Bytes = 471592 Default traffic is dropped Unmatched Packets = 0, Re-classified packets (redirected) = 0 Session outbound features: Traffic classes: Traffic class session ID: 2739 ACL Name: 111, Packets = 8306, Bytes = 10248704 Default traffic is dropped Unmatched Packets = 0, Re-classified packets (redirected) = 0 Configuration sources associated with this session: Service: INTERNET, Active Time = 00:00:35 AAA Service ID = 3623945013 Interface: GigabitEthernet0/1.973, Active Time = 00:00:35 хочется через CoA вырубить допустим сервис INTERNET абоненту и включить L4R. пытаюсь элементарно получить статус текущей сессии equity cisco # /bin/echo "User-Name=\"123\",cisco-avpair=\"subscriber:command=account-status-query\"" | /usr/bin/radclient -x х.х.х.х:1700 coa yarisg Sending CoA-Request of id 193 to х.х.х.х port 1700 User-Name = "123" Cisco-AVPair = "subscriber:command=account-status-query" rad_recv: CoA-NAK packet from host х.х.х.х port 1700, id=193, length=76 Cisco-Command-Code = "\0040" Cisco-AVPair = "sg-version=1.0" Reply-Message = "No valid Session" Error-Cause = Session-Context-Not-Found во всех примерах, которые встречал - везде фигурирует аттрибут account-info со значением Sy.y.y.y, где y.y.y.y - IP абонента. И совсем неясно, что туда подставить, если у абонента несколько IP, а авторизация в моем случае идет по интерфейсу. Edited December 21, 2010 by stason Share this post Link to post Share on other sites
stason Posted December 21, 2010 · Report post удалось добиться ответов только включив PBHK, чтобы можно было найти сессию по IP:<PBHK KEY> equity cisco # /bin/echo "User-name=\"*\",Cisco-Account-Info=\"Sx.x.x.x:85\",cisco-avpair=\"subscriber:command=account-status-query\"" | /usr/bin/radclient -x x.x.x.x:1700 coa yarisg Sending CoA-Request of id 213 to x.x.x.x port 1700 User-Name = "*" Cisco-Account-Info = "Sx.x.x.x:85" Cisco-AVPair = "subscriber:command=account-status-query" rad_recv: CoA-ACK packet from host x.x.x.x port 1700, id=213, length=233 Cisco-Account-Info = "N1PBHK;194;123;0;0;0;0" Cisco-Account-Info = "N1INTERNET;194;123;10346;11577;1748367;12087110" User-Name = "123" Cisco-Account-Info = "$IGigabitEthernet0/1.973" Cisco-Command-Code = "\0041" Cisco-Account-Info = "Sx.x.x.x:85" Cisco-AVPair = "sg-version=1.0" Cisco-NAS-Port = "0/0/1/973" NAS-Port = 16778189 NAS-Port-Id = "0/0/1/973" искать по одному user-name или допустим Cisco-Account-Info = "$IGigabitEthernet0/1.973" ни в какую не хочет. только с указанием Cisco-Account-Info = "Sx.x.x.x:85" и никак иначе =\ есть у кого-нибудь опыт по применению этих фич ? должно ли оно себя так вести ? можно ли обойтись без применения portbundle ? Share this post Link to post Share on other sites
stason Posted December 22, 2010 · Report post С утра пришло озарение ))) оказалось оно ищет по ip адресу, с которого заходишь на веб-портал )) Share this post Link to post Share on other sites
zzeka Posted January 21, 2011 · Report post 12.2(33)SRE2 C7200 аккаунтинг для ip interface session не работает тоже. Проблема актуальна! Share this post Link to post Share on other sites
zzeka Posted January 27, 2011 · Report post Аккаунтинг для interface сессий заработал после выключения "'aaa accounting delay-start all". Тут собственно ответили: https://supportforums.cisco.com/message/3275194#3275194 Share this post Link to post Share on other sites
