ya4ya Posted August 3, 2010 (edited)

Hello. I'm being really dense here. I can't get ISG to work in ip subscriber route / l2-connected.... I've even tried simply copying examples (for instance from here: http://wiki.sirmax.noname.com.ua/index.php/ISG), and it still won't come together.

There are two boxes on the test bench.

The first:

!
version 12.2
service tcp-keepalives-in
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname TEST
!
aaa new-model
!
!
aaa group server radius def
 server .........
!
aaa authorization exec default group def
aaa authorization network default group def
aaa authorization subscriber-service default local group def
aaa accounting delay-start all
aaa accounting suppress null-username
aaa accounting update periodic 10
aaa accounting network default
 action-type start-stop
 group def
!
!
!
!
aaa server radius dynamic-author
 client ...........
!
aaa session-id unique
clock timezone MSK 3
clock summer-time MSK recurring last Sun Mar 3:00 last Sun Oct 2:00
no ip source-route
!
!
!
!
ip name-server .......
ip cef
no ipv6 cef
!
!
!
!
!
class-map type control match-all UNAUTH-COND
 match timer UNAUTH-TIMER
 match authen-status unauthenticated
!
policy-map type service unauth
 service local
 class type traffic default in-out
  drop
 !
!
policy-map type control isg_sss_initif
 class type control UNAUTH-COND event timed-policy-expiry
  10 service disconnect
 !
 class type control always event session-start
  20 authorize aaa list default password ISG identifier source-ip-address
  30 service-policy type service name unauth
  40 set-timer UNAUTH-TIMER 5
 !
 class type control always event session-restart
  20 authorize aaa list default password ISG identifier source-ip-address
  30 service-policy type service name unauth
  40 set-timer UNAUTH-TIMER 5
 !
!
!
!
!
!
!
interface Ethernet0/0
 no ip address
 shutdown
 duplex auto
!
interface GigabitEthernet0/0
 ip address ..........
 no ip redirects
 no ip proxy-arp
 media-type gbic
 speed 1000
 duplex full
 negotiation auto
!
interface GigabitEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 negotiation auto
 service-policy type control isg_sss_initif
 ip subscriber routed
  initiator unclassified ip-address
!
interface GigabitEthernet2/0
 no ip address
 shutdown
 negotiation auto
!
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 ........
!
no cdp run
!
snmp-server community stone RO 3
!
radius-server attribute 44 include-in-access-req
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute nas-port format e UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
radius-server attribute 31 mac format unformatted
radius-server attribute 31 send nas-port-detail mac-only
radius-server host .........
radius-server retransmit 5
radius-server key 7 ............
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 transport preferred none
 transport output none
 stopbits 1
line aux 0
 access-class 2 in
 exec-timeout 0 0
 transport preferred none
 transport output none
 escape-character BREAK
 autohangup
 stopbits 1
line vty 0 4
 access-class 2 in
 exec-timeout 0 0
 transport preferred none
 transport input telnet
!
ntp access-group peer 4
ntp access-group serve 5
ntp access-group serve-only 6
ntp server ...........
!
end

The second, acting as the client:

!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
!

I ping the first box from the second... On the ISG box the client is not in show sss session, and not in show ip subscriber either.
However:

debug ip subscriber all

Aug 3 11:56:11: IPSUB_DP: [Gi1/0:I:CEF:DFL:192.168.1.2] Packet classified, results = 0x40
Aug 3 11:56:11: IPSUB_DP: [Gi1/0:I:CEF:DFL:192.168.1.2] Rx driver allowing IP routing
Aug 3 11:56:11: IPSUB_DP: [Gi1/0:I:CEF:DFL:192.168.1.2] Packet classified, results = 0x40
Aug 3 11:56:11: IPSUB_DP: [Gi1/0:I:CEF:DFL:192.168.1.2] Rx driver allowing IP routing
Aug 3 11:56:11: IPSUB_DP: [Gi1/0:I:PROC:DFL:192.168.1.2] Packet classified, results = 0x40
Aug 3 11:56:11: IPSUB_DP: [Gi1/0:I:PROC:DFL:192.168.1.2] Rx driver allowing IP routing
Aug 3 11:56:11: IPSUB_DP: [Gi1/0:O:PROC:DFL:192.168.1.2] Packet classified, results = 0x0
Aug 3 11:56:11: IPSUB_DP: [Gi1/0:I:CEF:DFL:192.168.1.2] Packet classified, results = 0x40
Aug 3 11:56:11: IPSUB_DP: [Gi1/0:I:CEF:DFL:192.168.1.2] Rx driver allowing IP routing
Aug 3 11:56:11: IPSUB_DP: [Gi1/0:I:CEF:DFL:192.168.1.2] Packet classified, results = 0x40
Aug 3 11:56:11: IPSUB_DP: [Gi1/0:I:CEF:DFL:192.168.1.2] Rx driver allowing IP routing
Aug 3 11:56:11: IPSUB_DP: [Gi1/0:I:PROC:DFL:192.168.1.2] Packet classified, results = 0x40
Aug 3 11:56:11: IPSUB_DP: [Gi1/0:I:PROC:DFL:192.168.1.2] Rx driver allowing IP routing
Aug 3 11:56:11: IPSUB_DP: [Gi1/0:O:PROC:DFL:192.168.1.2] Packet classified, results = 0x0
Aug 3 11:56:11: IPSUB_DP: [Gi1/0:I:CEF:DFL:192.168.1.2] Packet classified, results = 0x40
Aug 3 11:56:11: IPSUB_DP: [Gi1/0:I:CEF:DFL:192.168.1.2] Rx driver allowing IP routing
Aug 3 11:56:11: IPSUB_DP: [Gi1/0:I:CEF:DFL:192.168.1.2] Packet classified, results = 0x40
Aug 3 11:56:11: IPSUB_DP: [Gi1/0:I:CEF:DFL:192.168.1.2] Rx driver allowing IP routing
Aug 3 11:56:11: IPSUB_DP: [Gi1/0:I:PROC:DFL:192.168.1.2] Packet classified, results = 0x40
Aug 3 11:56:11: IPSUB_DP: [Gi1/0:I:PROC:DFL:192.168.1.2] Rx driver allowing IP routing
Aug 3 11:56:11: IPSUB_DP: [Gi1/0:O:PROC:DFL:192.168.1.2] Packet classified, results = 0x0

Accordingly, there is no sign of authorization in RADIUS or anywhere else, yet everything pings :(....
For the sake of a test I change it to authorize aaa list default password ISG identifier nas-port and ip subscriber interface, and it blocks; authorization goes to RADIUS...

Help me get ip subscriber route working... :(

Edited August 3, 2010 by ya4ya

triam Posted August 3, 2010

What does the RADIUS debug say? And ping something like 8.8.8.8, so that the traffic passes through the interface.

ya4ya (Author) Posted August 4, 2010

Damn, like a fool I was pinging the BRAS interface address, while the session only comes up when traffic passes through... The heat must be getting to me. Question closed. Everything works.
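
An added example, not part of the thread and not Cisco tooling: a small Python check over a saved running config that lists each interface with ip subscriber configured, the control policy attached to it, and the identifier its session-start event passes to authorize (the value the first post switches between source-ip-address and nas-port). The names audit_isg and SAMPLE are hypothetical, and the sample is constructed from lines of the first post's config.

```python
import re

# Constructed sample: ISG-related lines of the first post's config, indented as in a running config.
SAMPLE = """\
policy-map type control isg_sss_initif
 class type control always event session-start
  20 authorize aaa list default password ISG identifier source-ip-address
!
interface GigabitEthernet0/0
 no ip redirects
!
interface GigabitEthernet1/0
 service-policy type control isg_sss_initif
 ip subscriber routed
  initiator unclassified ip-address
!
"""

def audit_isg(config):
    """One report per interface that has 'ip subscriber' configured."""
    policies, reports = {}, []
    policy = event = iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # top-level command resets context
            policy = event = iface = None
            if m := re.match(r"policy-map type control (\S+)", line):
                policy = m.group(1)
                policies[policy] = {}
            elif m := re.match(r"interface (\S+)", line):
                iface = {"interface": m.group(1), "policy": None, "initiator": None}
        elif policy and (m := re.match(r"class type control \S+ event (\S+)", line)):
            event = m.group(1)
        elif policy and event and (m := re.match(r"\d+ authorize .*\bidentifier (\S+)", line)):
            policies[policy][event] = m.group(1)   # what the AAA request is keyed on
        elif iface is not None:
            if m := re.match(r"service-policy type control (\S+)", line):
                iface["policy"] = m.group(1)
            elif m := re.match(r"ip subscriber (\S+)", line):
                iface["mode"] = m.group(1)
                reports.append(iface)
            elif m := re.match(r"initiator (.+)", line):
                iface["initiator"] = m.group(1)
    for r in reports:
        r["identifier"] = policies.get(r["policy"], {}).get("session-start")
        r["findings"] = []
        if r["policy"] is None:
            r["findings"].append("no control policy attached")
        elif r["identifier"] is None:
            r["findings"].append("session-start has no authorize action")
    return reports
```
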