
asr 1002 isg: accounting is not being sent

Hello.

I have a Cisco ASR 1002 and am trying to set up ISG. Authorization works fine, but there is a problem with accounting (tcpdump on port 1813 on the RADIUS server does not catch a single packet). If anyone has run into this, please help.

 

Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISE-M), Version 15.0(1)S, RELEASE SOFTWARE (fc1)
ROM: IOS-XE ROMMON
cisco ASR1002 (2RU) processor with 1724178K/6147K bytes of memory.

 

Cisco config

Current configuration : 4423 bytes
!
! Last configuration change at 11:02:57 UTC Thu May 12 2011 by root
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service unsupported-transceiver
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
vrf definition default
!
enable password 7 
!
aaa new-model
aaa session-mib disconnect
!
!
aaa group server radius SERVER_GROUP1
server 10.11.0.2 auth-port 1812 acct-port 1813
!
aaa authentication login AUTHEN_LIST1 group SERVER_GROUP1
aaa authorization network default group SERVER_GROUP1
aaa authorization subscriber-service AUTHOR_LIST1 group SERVER_GROUP1
aaa authorization subscriber-service AUTHEN_LIST1 group SERVER_GROUP1
aaa authorization subscriber-service ACCNT_LIST1 group SERVER_GROUP1
aaa accounting delay-start all
aaa accounting update periodic 5
aaa accounting network ACCNT_LIST1 start-stop group SERVER_GROUP1
!
aaa nas port extended
!
!
!
!
aaa session-id unique
ip source-route
!
!
!
no ip domain lookup
ip dhcp relay information policy keep
ip dhcp relay information trust-all
!
subscriber service session-accounting
subscriber service accounting interim-interval 1
subscriber authorization enable
!
redirect server-group REDIRECT_SERVER_GROUP1
server ip 10.11.0.2 port 80
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
username root secret 4 8JejqDMXnmP5UU1C8NQ8zGNuw6r7tBqA46betnB4ghE
!
redundancy
mode none
!
!
!
class-map type traffic match-any account
!
policy-map type service ACC
class type traffic account
 accounting aaa list AUTHOR_LIST1
!
!
policy-map type control RULE_IP_SESSION2a
class type control always event session-start
 5 collect identifier nas-port
 10 service-policy type service aaa list AUTHOR_LIST1 identifier nas-port
!
class type control always event account-logon
 10 service-policy type service aaa list ACCNT_LIST1 identifier nas-port
!
class type control always event service-stop
 1 service-policy type service unapply identifier service-name
 10 log-session-state
!
class type control always event session-restart
 30 service-policy type service aaa list AUTHOR_LIST1 identifier nas-port
 40 service-policy type service name SERVICE_406_L4R
!
!
gw-accounting aaa
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address X.X.X.X 255.255.255.252
ip nat outside
ip flow ingress
ip virtual-reassembly
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.1000
encapsulation dot1Q 1000
ip address 10.11.0.3 255.255.255.0
ip nat inside
no ip virtual-reassembly
!
interface GigabitEthernet0/0/1.1011
encapsulation dot1Q 1011
ip address 192.168.0.1 255.255.255.0
ip helper-address 10.11.0.2
ip nat inside
ip virtual-reassembly
service-policy type control RULE_IP_SESSION2a
ip subscriber routed
 initiator dhcp class-aware
!
interface GigabitEthernet0/0/2
no ip address
speed 100
no negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
ip nat inside source list 2 interface GigabitEthernet0/0/0 overload
!
no ip http server
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip route 10.0.0.0 255.0.0.0 10.11.0.1
!
ip radius source-interface GigabitEthernet0/0/1.1000
logging esm config
access-list 1 permit 10.11.0.2
access-list 2 permit 192.0.0.0 0.255.255.255
!
!
radius-server attribute 44 include-in-access-req
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 25 access-request include
radius-server attribute nas-port format e UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
radius-server host 10.11.0.2 auth-port 1812 acct-port 1813 key 7 12485744
radius-server retransmit 5
radius-server timeout 30
radius-server directed-request
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
!
!
!
gateway
timer receive-rtp 1200
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 
!
end

 

AAA Accounting debugging

*May 12 11:19:55.870: AAA/ACCT/HC(00000033): Register Iedge IP SIP/570000C1 64 bit counter support not configured
*May 12 11:19:55.870: AAA/ACCT/HC(00000033): Update Iedge IP SIP/570000C1
*May 12 11:19:55.870: AAA/ACCT/HC(00000033): no HC Iedge IP SIP/570000C1
*May 12 11:19:55.870: AAA/ACCT/EVENT/(00000033): CALL START
*May 12 11:19:55.870: Getting session id for NET(00000033) : db=42204CE4
*May 12 11:19:55.870: AAA/ACCT(00000000): add node, session 724
*May 12 11:19:55.870: AAA/ACCT/NET(00000033): add, count 1
*May 12 11:19:55.871: Getting session id for NONE(00000033) : db=42204CE4
*May 12 11:20:01.928: AAA/ACCT/EVENT/(00000033): IPCP_PASS
*May 12 11:20:01.928: AAA/ACCT/NET(00000033): Method list not found

 

RADIUS server log

05-12/11:27:01  INFO [pool-1-thread-37] radius -  AUTH:.
Type=AUTHENTICATION_REQUEST
Attributes:.
<------>User-Name=nas-port:10.11.0.3:0/0/1/1011
<------>NAS-Identifier=router
<------>NAS-Port-Id=0/0/1/1011
<------>User-Password=cisco
<------>NAS-IP-Address=10.11.0.3
<------>NAS-Port=721
<------>Service-Type=5
<------>Acct-Session-Id=0/0/1/1011_000002D1
<------>NAS-Port-Type=15
<------>cisco-avpair=vendor-class-id-tag=MSFT 5.0

05-12/11:27:01  INFO [pool-1-thread-37] radius -  RESPONSE:
Type=AUTHENTICATION_ACCEPT
Process time auth: 122 init_tariff: 0; set_ip: 0; common_auth: 12
Attributes:.
<------>Acct-Interim-Interval=60
<------>Service-Type=2
<------>Framed-Protocol=1

Trace:
Login found.

Edited by CheBuRashka


Why are you exposing your enable passwords? Remove them. Weren't you taught to use enable secret?


sh radius server-group all

и

sh radius statistics

м?

 

sh radius server-group all

Server group radius
   Sharecount = 1  sg_unconfigured = FALSE
   Type = standard  Memlocks = 1
   Server(10.11.0.2:1812,1813) Transactions:
   Authen: 0   Author: 0       Acct: 0
   Server_auto_test_enabled: FALSE
Server group SERVER_GROUP1
   Sharecount = 1  sg_unconfigured = FALSE
   Type = standard  Memlocks = 1
   Server(10.11.0.2:1812,1813) Transactions:
   Authen: 0   Author: 2       Acct: 0
   Server_auto_test_enabled: FALSE

 

sh radius statistics

                                  Auth.      Acct.       Both
        Maximum inQ length:         NA         NA          1
      Maximum waitQ length:         NA         NA          1
      Maximum doneQ length:         NA         NA          1
      Total responses seen:         37          0         37
    Packets with responses:         37          0         37
 Packets without responses:          0          0          0
 Access Rejects           :         16
Average response delay(ms):        195          0        195
Maximum response delay(ms):        325          0        325
 Number of Radius timeouts:          0          0          0
      Duplicate ID detects:          0          0          0
Buffer Allocation Failures:          0          0          0
Maximum Buffer Size (bytes):        233          0        233
Malformed Responses        :          0          0          0
Bad Authenticators         :          0          0          0
Unknown Responses          :          0          0          0
Source Port Range: (2 ports only)
1645 - 1646
Last used Source Port/Identifier:
1645/47
1646/0

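The two show commands asked for in the previous reply are the right place to start when "accounting does not go": the per-server transaction counters tell you whether the NAS ever built an Accounting-Request at all, and the statistics tell you what the server answered. The script below is an added triage helper written for this thread (it is not code from the posters, from Cisco or from BGBilling). It parses both outputs in the form pasted above and turns the counters into plain findings; the sample text is copied from this post, and the heuristics are the editor's. On this data it reports that SERVER_GROUP1 has authorization transactions but zero accounting ones, so the fault is on the NAS side (no accounting method list bound to the session), and that 16 of 37 authentication responses were rejects.

```python
"""Triage of `show radius server-group all` and `show radius statistics`.

Added example for this thread; not code from the posters or from Cisco.
The sample texts are copied from the output posted above; the heuristics are
the editor's and target the "accounting does not go" failure mode.
"""
import re

SAMPLE_SERVER_GROUP = """\
Server group radius
   Sharecount = 1  sg_unconfigured = FALSE
   Type = standard  Memlocks = 1
   Server(10.11.0.2:1812,1813) Transactions:
   Authen: 0   Author: 0       Acct: 0
   Server_auto_test_enabled: FALSE
Server group SERVER_GROUP1
   Sharecount = 1  sg_unconfigured = FALSE
   Type = standard  Memlocks = 1
   Server(10.11.0.2:1812,1813) Transactions:
   Authen: 0   Author: 2       Acct: 0
   Server_auto_test_enabled: FALSE
"""

SAMPLE_STATISTICS = """\
                                  Auth.      Acct.       Both
        Maximum inQ length:         NA         NA          1
      Total responses seen:         37          0         37
 Packets without responses:          0          0          0
 Access Rejects           :         16
 Number of Radius timeouts:          0          0          0
Bad Authenticators         :          0          0          0
Source Port Range: (2 ports only)
1645 - 1646
"""


def parse_server_groups(text):
    """{group: [{"server": "ip:auth,acct", "authen": n, "author": n, "acct": n}]}"""
    groups, servers, current = {}, None, None
    for line in text.splitlines():
        m = re.match(r"Server group (\S+)", line)
        if m:
            servers = groups.setdefault(m.group(1), [])
            continue
        m = re.search(r"Server\(([^)]*)\) Transactions", line)
        if m and servers is not None:
            current = {"server": m.group(1)}
            servers.append(current)
            continue
        m = re.search(r"Authen:\s*(\d+)\s+Author:\s*(\d+)\s+Acct:\s*(\d+)", line)
        if m and current is not None:
            current.update(authen=int(m[1]), author=int(m[2]), acct=int(m[3]))
    return groups


def parse_statistics(text):
    """{row label: {"auth": n, "acct": n, "both": n}}; NA becomes None and
    one-column rows such as Access Rejects only fill "auth"."""
    stats = {}
    for line in text.splitlines():
        label, sep, rest = line.partition(":")
        fields = rest.split()
        if not sep or not fields or not all(re.fullmatch(r"\d+|NA", f) for f in fields):
            continue  # header, port range, identifiers: not a counter row
        values = [None if f == "NA" else int(f) for f in fields]
        stats[" ".join(label.split())] = dict(zip(("auth", "acct", "both"), values))
    return stats


def diagnose(groups, stats):
    """Turn the counters into statements about where the fault is."""
    findings = []
    for name, servers in groups.items():
        for s in servers:
            if s.get("acct") == 0 and s.get("authen", 0) + s.get("author", 0) > 0:
                findings.append(
                    f"{name} {s['server']}: authentication/authorization transactions but "
                    "zero Accounting-Requests; the NAS never bound an accounting method "
                    "list to the session, so look at the control/service policy, not at "
                    "the server or the network")
    timeouts = stats.get("Number of Radius timeouts", {}).get("acct")
    if timeouts:
        findings.append(f"{timeouts} accounting timeouts: requests leave the NAS but get no reply")
    seen = stats.get("Total responses seen", {}).get("auth") or 0
    rejects = stats.get("Access Rejects", {}).get("auth") or 0
    if seen and rejects == seen:
        findings.append(f"all {seen} authentication responses were Access-Reject")
    elif rejects:
        findings.append(f"{rejects}/{seen} authentication responses were Access-Reject")
    if any(stats.get("Bad Authenticators", {}).values()):
        findings.append("Bad Authenticators > 0: shared-secret mismatch or replies not from the real server")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_server_groups(SAMPLE_SERVER_GROUP),
                            parse_statistics(SAMPLE_STATISTICS)):
        print("-", finding)
```

Paste the two command outputs into the two constants (or read them from files) and run the script; a nonzero Acct column with nonzero Acct timeouts points at the server or the path, an Acct column that stays at zero points at the ISG policy on the router.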

05-12/11:27:01 INFO [pool-1-thread-37] radius - RESPONSE:
Type=AUTHENTICATION_ACCEPT
Process time auth: 122 init_tariff: 0; set_ip: 0; common_auth: 12
Attributes:.
<------>Acct-Interim-Interval=60
<------>Service-Type=2
<------>Framed-Protocol=1

I may be wrong, but it looks like accounting is not being sent because the ACC service (policy-map type service ACC), which your accounting is supposed to go through, was not attached to the user in the Auth_accept packet.


I may be wrong, but it looks like accounting is not being sent because the ACC service (policy-map type service ACC), which your accounting is supposed to go through, was not attached to the user in the Auth_accept packet.

if I add

20 service-policy type service name ACC

then for some reason ACC starts being sent as the user name

RADIUS log

05-12/16:04:42  INFO [pool-1-thread-7] radius -  AUTH:.
Type=AUTHENTICATION_REQUEST
Attributes:.
<------>User-Name=ACC
<------>NAS-Identifier=router
<------>NAS-Port-Id=0/0/1/1011
<------>User-Password=cisco
<------>NAS-IP-Address=10.11.0.3
<------>NAS-Port=217
<------>Service-Type=5
<------>Acct-Session-Id=0/0/1/1011_000000DC:000403f30001
<------>NAS-Port-Type=15
<------>cisco-avpair=circuit-id-tag=000403f30001
<------>cisco-avpair=remote-id-tag=010131
<------>cisco-avpair=vendor-class-id-tag=MSFT 5.0

05-12/16:04:42  INFO [pool-1-thread-7] radius -  RESPONSE:
Type=AUTHENTICATION_REJECT
Process time auth: 239 common_auth: 82
Attributes:.
<------>Reply-Message=14


then for some reason ACC starts being sent as the user name

For some reason the Cisco does not find this ACC service as a locally defined service and tries to request it from the RADIUS, and on the RADIUS server it apparently isn't defined.

I don't know the ASR1002 specifics, but try adding this to the config so that the Cisco looks for services locally first and only then requests them from the RADIUS:

aaa authorization subscriber-service default local group SERVER_GROUP1


 

For some reason the Cisco does not find this ACC service as a locally defined service and tries to request it from the RADIUS, and on the RADIUS server it apparently isn't defined.

I don't know the ASR1002 specifics, but try adding this to the config so that the Cisco looks for services locally first and only then requests them from the RADIUS:

aaa authorization subscriber-service default local group SERVER_GROUP1

Did that. The Cisco no longer sends ACC as the user name, but it stopped authorizing by nas-port.

Changed policy-map type control RULE_IP_SESSION2a to:

policy-map type control RULE_IP_SESSION2a
class type control always event session-start
 5 collect identifier nas-port
 10 authorize aaa list AUTHOR_LIST1 password cisco identifier nas-port
 20 service-policy type service name ACC

Authorization started working, but accounting still is not being sent. The debug shows the same thing.

Edited by CheBuRashka


And does the user actually get connected through this service?

Can you show the AUTHENTICATION_ACCEPT packet from the RADIUS again?

And put something like this in the user profile:

Cisco-Account-Info += AACT

Edited by C@T


And does the user actually get connected through this service?

Can you show the AUTHENTICATION_ACCEPT packet from the RADIUS again?

And put something like this in the user profile:

Cisco-Account-Info += AACT

The user does get connected

router#sh subscriber session detailed
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Unique Session ID: 90
Identifier: nas-port:10.11.0.3:0/0/1/1011
SIP subscriber access type(s): IP
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 00:01:12, Last Changed: 00:01:12

Policy information:
 Context 300B02C4: Handle 5A0001A0
 AAA_id 00000068: Flow_handle 0
 Authentication status: authen
 Downloaded User profile, excluding services:
   service-type         2 [Framed]
   Framed-Protocol      1 [PPP]
   clid-mac-addr        00 15 E9 F1 C7 B3
   addr                 192.168.0.15
   netmask              255.255.255.255
   config-source-dpm    True
   vendor-class-id-tag  "MSFT 5.0"
 Downloaded User profile, including services:
   service-type         2 [Framed]
   Framed-Protocol      1 [PPP]
   clid-mac-addr        00 15 E9 F1 C7 B3
   addr                 192.168.0.15
   netmask              255.255.255.255
   config-source-dpm    True
   vendor-class-id-tag  "MSFT 5.0"
 Config history for session (recent to oldest):
   Access-type: IP Client: DHCP
    Policy event: Session-Update
     Profile name: apply-config-only, 2 references
       clid-mac-addr        00 15 E9 F1 C7 B3
       addr                 192.168.0.15
       netmask              255.255.255.255
       config-source-dpm    True
       vendor-class-id-tag  "MSFT 5.0"
   Access-type: IP Client: SM
    Policy event: Service Selection Request
     Profile name: nas-port:10.11.0.3:0/0/1/1011, 2 references
       service-type         2 [Framed]
       Framed-Protocol      1 [PPP]
 Rules, actions and conditions executed:
   subscriber rule-map RULE_IP_SESSION2a
     condition always event session-start
       5 collect identifier nas-port
       10 authorize aaa list AUTHOR_LIST1 identifier nas-port

Configuration sources associated with this session:
Interface: GigabitEthernet0/0/1.1011, Active Time = 00:01:12

 

 

05-12/16:45:29  INFO [pool-1-thread-3] radius -  AUTH:.
Type=AUTHENTICATION_REQUEST
Attributes:.
<------>User-Name=nas-port:10.11.0.3:0/0/1/1011
<------>NAS-Identifier=router
<------>NAS-Port-Id=0/0/1/1011
<------>User-Password=cisco
<------>NAS-IP-Address=10.11.0.3
<------>NAS-Port=1679
<------>Service-Type=5
<------>Acct-Session-Id=0/0/1/1011_0000068F
<------>NAS-Port-Type=15
<------>cisco-avpair=vendor-class-id-tag=MSFT 5.0

05-12/16:45:29  INFO [pool-1-thread-3] radius -  RESPONSE:
Type=AUTHENTICATION_ACCEPT
Process time auth: 121 init_tariff: 0; set_ip: 0; common_auth: 14
Attributes:.
<------>Acct-Interim-Interval=60
<------>Service-Type=2
<------>Framed-Protocol=1

Trace:
Login found.

 

There is no user profile as such.

I'm configuring the Cisco together with bgbilling.

Edited by CheBuRashka


In bgbilling, are you using bitel.billing.server.processor.PoDNASConnectionInspector or the new bitel.billing.server.processor.ISGNasConnectionInspector? Version 5.1, 5.0 or 4.6?

Through the IPN module or BGRadiusDialup?

In any case, try passing the attribute Cisco-Account-Info = AACT via bgbilling's radius; if you don't know how, write back. I don't know IPN, but if it's BGRadiusDialup I can help.

Edited by C@T


In bgbilling, are you using bitel.billing.server.processor.PoDNASConnectionInspector or the new bitel.billing.server.processor.ISGNasConnectionInspector? Version 5.1, 5.0 or 4.6?

In any case, try passing the attribute Cisco-Account-Info = AACT via bgbilling's radius; if you don't know how, write back

bgbilling 5.0

I'll try to figure it out; if it doesn't work out I'll report back.

Many thanks for the help.


There is another way to tell the Cisco to send accounting after all: pass the following attributes in the AUTHENTICATION_ACCEPT packet from the RADIUS server:

1. Cisco-Avpair="accounting-list=accounting-mlist-name" (presumably ACCNT_LIST1)

2. Acct-Interim-Interval (attribute 85)

but I never got around to trying this, so I don't know whether it will work


There is another way to tell the Cisco to send accounting after all: pass the following attributes in the AUTHENTICATION_ACCEPT packet from the RADIUS server:

1. Cisco-Avpair="accounting-list=accounting-mlist-name" (presumably ACCNT_LIST1)

2. Acct-Interim-Interval (attribute 85)

but I never got around to trying this, so I don't know whether it will work

Thank you very much, it all works now.

Edited by CheBuRashka

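The fix that closed the thread is a pair of RADIUS attributes in the Access-Accept, so it is worth seeing exactly what goes on the wire and how the NAS decides to trust it. The script below is an added example written for this thread (it is not code from the posters, from Cisco or from BGBilling). It encodes an Access-Accept carrying Service-Type=Framed, Acct-Interim-Interval=60 and the Cisco-AVPair `accounting-list=ACCNT_LIST1` (the `aaa accounting network` list from the first config), computes the RFC 2865 Response Authenticator over the Request Authenticator and the shared secret, and then checks it the way the NAS does, so a reply forged by a host that does not hold the secret, or one altered in transit, is refused. The shared secret, packet identifier and Request Authenticator are made-up values standing in for what the router sent in its Access-Request.

```python
"""RADIUS Access-Accept that turns on ISG accounting, encoded and verified.

Added example for this thread; not code from the posters, Cisco or BGBilling.
SECRET, IDENTIFIER and REQUEST_AUTHENTICATOR are made-up stand-ins for what the
NAS put in its Access-Request; the encoding follows RFC 2865 and RFC 2869.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_INTERIM_INTERVAL = 85
CISCO_VENDOR_ID = 9   # IANA enterprise number carried in the VSA
CISCO_AVPAIR = 1      # vendor type of Cisco-AVPair

# Constructed values; the real ones come from the NAS's Access-Request.
SECRET = b"example-shared-secret"
IDENTIFIER = 47
REQUEST_AUTHENTICATOR = bytes(range(16))


def attribute(atype, value):
    """RFC 2865 attribute: Type(1) Length(1, header included) Value(<=253)."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def integer_attribute(atype, number):
    return attribute(atype, struct.pack("!I", number))


def cisco_avpair(text):
    """Vendor-Specific(26) = Vendor-Id 9 + one Cisco-AVPair(1) string."""
    value = text.encode("ascii")
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(value) + 2) + value
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_auth + body


def verify_response(packet, request_authenticator, secret):
    """The NAS-side check: recompute the Response Authenticator with the local
    secret and the Request Authenticator it sent. A reply from a host that does
    not hold the secret, or one altered in transit, fails here and is dropped."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Return [(type, value)], unwrapping Cisco VSAs to ('Cisco-AVPair', text)."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        pos += alen
        if (atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID
                and value[4] == CISCO_AVPAIR and value[5] == len(value) - 4):
            out.append(("Cisco-AVPair", value[6:].decode("ascii")))
        else:
            out.append((atype, value))
    return out


def isg_accounting_accept():
    """The reply that fixed the thread: Framed service, 60 s interim updates,
    and the `aaa accounting network` list the NAS must bind to the session."""
    return build_access_accept(IDENTIFIER, REQUEST_AUTHENTICATOR, SECRET, [
        integer_attribute(ATTR_SERVICE_TYPE, 2),            # 2 = Framed
        integer_attribute(ATTR_ACCT_INTERIM_INTERVAL, 60),
        cisco_avpair("accounting-list=ACCNT_LIST1"),
    ])


if __name__ == "__main__":
    reply = isg_accounting_accept()
    print(len(reply), "bytes; authenticator valid:",
          verify_response(reply, REQUEST_AUTHENTICATOR, SECRET))
    for item in parse_attributes(reply):
        print(item)
```

The same verification is what IOS counts under "Bad Authenticators" in show radius statistics: a nonzero value there means the router is receiving replies it cannot authenticate (a shared-secret mismatch, or traffic not coming from the configured server), which is a different problem from the method-list one discussed in this thread.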

Good day to all!

Please help!

config

 

Building configuration...

Current configuration : 10870 bytes
!
! Last configuration change at 14:36:05 UTC Mon Jun 26 2017 by admin
! NVRAM config last updated at 07:40:55 UTC Mon Jun 26 2017 by admin
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname KharinoIPoE
!
boot-start-marker
boot system disk2:c7200-advipservicesk9-mz.152-4.S7.bin
boot-end-marker
!
!
no logging console
enable secret 5 $1$G4sK$Q616cITrTmXUIz0iS0.Sz1
!
aaa new-model
!
!
aaa group server radius RADIUS_IPOE
 server-private 10.1.0.2 auth-port 1812 acct-port 1813 timeout 3 retransmit 2 key 7 035C025C54597848180F48014F
 ip radius source-interface GigabitEthernet0/3.10
 deadtime 1
!
aaa authentication login ISG_IPOE group RADIUS_IPOE
aaa authentication ppp ISG_IPOE group RADIUS_IPOE
aaa authorization network ISG_IPOE group RADIUS_IPOE
aaa authorization subscriber-service default local group RADIUS_IPOE
aaa authorization subscriber-service ISG_IPOE local group RADIUS_IPOE
aaa accounting delay-start all
aaa accounting jitter maximum 10
aaa accounting update periodic 20
aaa accounting network ISG_IPOE
 action-type start-stop
 group RADIUS_IPOE
!
!
!
!
!
aaa server radius dynamic-author
 client 10.1.0.2 server-key 7 897269d6f1d8
 auth-type any
!
aaa session-id common
aaa policy interface-config allow-subinterface
ip cef
!
!
!
ip flow-cache timeout inactive 30
ip flow-cache timeout active 20
ip domain name Kharino
no ipv6 cef
!
!
subscriber service multiple-accept
subscriber authorization enable
service-policy type control CTRL_IPOE
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
!
!
!
!
!
username admin privilege 15 secret 5 $1$J9.1$Hy5OeGNL40k..5Bam.EsU/
redirect server-group REDIRECT_NOPAY
 server ip 10.1.0.2 port 80
!
redirect server-group OFF-LINE-REDIRECT
 server ip 10.1.0.2 port 80
!
redirect server-group DOWN-REDIRECT
 server ip 10.1.0.2 port 80
!
redirect server-group PASSIVE-REDIRECT
 server ip 10.1.0.2 port 80
!
redirect session-limit 256
!
!
ip ssh version 1
class-map type traffic match-any RADUIS_DEFAULT
 match access-group input 103
 match access-group output 104
!
class-map type traffic match-any REDIRECT-PASSIVE
 match access-group input name PASSIVE
!
class-map type traffic match-any REDIRECT-DOWN
 match access-group input name DOWN
!
class-map type traffic match-any REDIRECT-OFF-LINE
 match access-group input name OFF-LINE
!
class-map type traffic match-any ACL-PASSIVE
 match access-group input name PASSIVE
 match access-group output name PASSIVE
!
class-map type traffic match-any ACL-DOWN
 match access-group input name DOWN
 match access-group output name DOWN
!
class-map type traffic match-any ACL-OFF-LINE
 match access-group input name OFF-LINE
 match access-group output name OFF-LINE
!
class-map type traffic match-any ACL-ON-LINE
 match access-group output name ON-LINE
 match access-group input name ON-LINE
!
class-map type traffic match-any avaria
 match access-group input 102
 match access-group output 101
!
class-map type control match-all ACC-ON-LINE
 match authen-status authenticated
 match timer TIMER_AUTH
!
class-map type control match-all ACC-UNAUTH
 match authen-status unauthenticated
 match timer UNAUTH-TIMER
!
!
policy-map type service ON-LINE-SERVICE
 service local
 class type traffic ACL-ON-LINE
 !
 class type traffic default in-out
 !
!
policy-map type service OFF-LINE-SERVICE
 service local
 class type traffic ACL-OFF-LINE
 !
!
policy-map type service SRV-OFF-LINE-REDIRECT
 service local
 class type traffic REDIRECT-OFF-LINE
  redirect to group OFF-LINE-REDIRECT
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service DOWN-SERVICE
 service local
 class type traffic ACL-DOWN
 !
!
policy-map type service SRV-DOWN-REDIRECT
 service local
 class type traffic REDIRECT-DOWN
  redirect to group DOWN-REDIRECT
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service PASSIVE-SERVICE
 service local
 class type traffic ACL-PASSIVE
 !
!
policy-map type service SRV-PASSIVE-REDIRECT
 service local
 class type traffic REDIRECT-PASSIVE
  redirect to group PASSIVE-REDIRECT
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service RADIUS-DEFAULT
 service local
 class type traffic RADUIS_DEFAULT
  police input 2048000
  police output 2048000
 !
!
!
policy-map type control CTRL_IPOE
 class type control always event radius-timeout
  10 set-timer TIMER_UNAUTH 10
  20 service-policy type service name RADIUS-DEFAULT
 !
 class type control always event session-start
  10 authorize aaa list ISG_IPOE password ISG identifier source-ip-address
  20 set-timer TIMER_UNAUTH 10
  30 service-policy type service name PASSIVE-SERVICE
  40 service-policy type service name SRV-PASSIVE-REDIRECT
  50 service-policy type service name DOWN-SERVICE
  60 service-policy type service name SRV-DOWN-REDIRECT
 !
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 media-type rj45
 speed auto
 duplex auto
 no negotiation auto
!
interface GigabitEthernet0/3
 no ip address
 media-type rj45
 speed auto
 duplex auto
 no negotiation auto
!
interface GigabitEthernet0/3.10
 encapsulation dot1Q 10
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
!
!
interface GigabitEthernet0/3.250
 encapsulation dot1Q 250
 ip address 172.1.0.1 255.255.248.0
 ip nat inside
 ip flow ingress
 ip flow egress
 service-policy type control CTRL_IPOE
 ip subscriber routed
  initiator unclassified ip-address
!
!
ip access-list extended DOWN
 permit ip host 10.1.0.2 any
 permit ip any host 10.1.0.2
 permit tcp any any eq www
 deny ip any any
ip access-list extended OFF-LINE
 permit ip any host 10.1.0.2
 permit ip host 10.1.0.2 any
 permit tcp any any eq www
 deny ip any any
ip access-list extended ON-LINE
 permit ip any any
ip access-list extended PASSIVE
 permit ip host 10.1.0.2 any
 permit ip any host 10.1.0.2
 permit tcp any any eq www
 deny ip any any
!
logging host 10.1.0.2
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 44 extend-with-addr
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 31 mac format unformatted lower-case
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
!
!
end

 

sh radius server-group all

Server group radius
   Sharecount = 1  sg_unconfigured = FALSE
   Type = standard  Memlocks = 1
Server group RADIUS_IPOE
   Sharecount = 1  sg_unconfigured = FALSE
   Type = standard  Memlocks = 1
   Server(10.1.0.2:1812,1813) Transactions:
   Authen: 0   Author: 896     Acct: 0
   Server_auto_test_enabled: FALSE
   Keywrap enabled: FALSE

sh radius st

                                  Auth.      Acct.       Both
        Maximum inQ length:         NA         NA          1
      Maximum waitQ length:         NA         NA          1
      Maximum doneQ length:         NA         NA          0
      Total responses seen:       1978          0       1978
    Packets with responses:       1978          0       1978
 Packets without responses:          0          0          0
 Access Rejects           :       1978
Average response delay(ms):       1010          0       1010
Maximum response delay(ms):       1804          0       1804
 Number of Radius timeouts:          0          0          0
      Duplicate ID detects:          0          0          0
Buffer Allocation Failures:          0          0          0
Maximum Buffer Size (bytes):        165          0        165
Malformed Responses        :          0          0          0
Bad Authenticators         :          0          0          0
Unknown Responses          :          0          0          0
Source Port Range: (2 ports only)
1645 - 1646
Last used Source Port/Identifier:
1645/16
1646/0

Elapsed time since counters last cleared: 1h8m
Radius Latency Distribution:
<= 2ms : 0 0
3-5ms  : 0 0
5-10ms : 0 0
10-20ms: 0 0
20-50ms: 0 0
50-100m: 0 0
>100ms : 1978 0

Current inQ length  : 0
Current doneQ length: 0

 

 

the subscriber does not get authorized

sh subsc ses

Codes: Lterm - Local Term, Fwd - forwarded, unauth - unathenticated, authen - authenticated, TC Ct. - Number of Traffic Classes on the main session

Current Subscriber Information: Total sessions 31
Uniq ID  Interface  State     Service     Up-time   TC Ct.  Identifier
1572     IP         unauthen  Attempting  00:00:00  0       172.1.0.102

 

 

on the FreeRADIUS side nothing happens during authorization

radiusd -X

 

# radiusd -X
radiusd: FreeRADIUS Version 2.2.9, for host amd64-portbld-freebsd10.3, built on Apr 24 2017 at 17:47:58
Copyright © 1999-2015 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/cache
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/dhcp_sqlippool
including configuration file /usr/local/etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/radrelay
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
main {
    user = "freeradius"
    group = "freeradius"
    allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
    name = "radiusd"
    prefix = "/usr/local"
    localstatedir = "/var"
    sbindir = "/usr/local/sbin"
    logdir = "/var/log"
    run_dir = "/var/run/radiusd"
    libdir = "/usr/local/lib/freeradius-2.2.0"
    radacctdir = "/var/log/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = "/var/run/radiusd/radiusd.pid"
    checkrad = "/usr/local/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
    log {
        stripped_names = yes
        auth = yes
        auth_badpass = yes
        auth_goodpass = no
    }
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
        allow_vulnerable_openssl = no
    }
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec
  exec {
    wait = no
    input_pairs = "request"
    shell_escape = yes
    timeout = 10
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
 modules {
 Module: Creating Auth-Type = digest
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap
  pap {
    encryption_scheme = "auto"
    auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap
  mschap {
    use_mppe = yes
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = no
    allow_retry = yes
  }
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix
  unix {
    radwtmp = "/var/log/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
  eap {
    default_eap_type = "md5"
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 1024
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
  gtc {
    challenge = "Password: "
    auth_type = "PAP"
  }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
  tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    CA_path = "/usr/local/etc/raddb/certs"
    pem_file_type = yes
    private_key_file = "/usr/local/etc/raddb/certs/server.pem"
    certificate_file = "/usr/local/etc/raddb/certs/server.pem"
    CA_file = "/usr/local/etc/raddb/certs/ca.pem"
    private_key_password = "whatever"
    dh_file = "/usr/local/etc/raddb/certs/dh"
    fragment_size = 1024
    include_length = yes
    check_crl = no
    check_all_crl = no
    cipher_list = "DEFAULT"
    make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
    ecdh_curve = "prime256v1"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
    verify {
    }
    ocsp {
        enable = no
        override_cert_url = yes
        url = "http://127.0.0.1/ocsp/"
        use_nonce = yes
        timeout = 0
        softfail = no
    }
  }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
  ttls {
    default_eap_type = "md5"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = "inner-tunnel"
    include_length = yes
  }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
  peap {
    default_eap_type = "mschapv2"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    proxy_tunneled_request_as_eap = yes
    virtual_server = "inner-tunnel"
    soh = no
  }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
  mschapv2 {
    with_ntdomain_hack = no
    send_error = no
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess

Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess

preprocess {

huntgroups = "/usr/local/etc/raddb/huntgroups"

hints = "/usr/local/etc/raddb/hints"

with_ascend_hack = no

ascend_channels_per_line = 23

with_ntdomain_hack = no

with_specialix_jetstream_hack = no

with_cisco_vsa_hack = no

with_alvarion_vsa_hack = no

}

reading pairlist file /usr/local/etc/raddb/huntgroups

reading pairlist file /usr/local/etc/raddb/hints

Module: Linked to module rlm_sql

Module: Instantiating module "sql" from file /usr/local/etc/raddb/sql.conf

sql {

driver = "rlm_sql_mysql"

server = "localhost"

port = "3306"

login = "root"

password = "mysd2b9e237"

radius_db = "stg"

read_groups = yes

sqltrace = no

sqltracefile = "/var/log/sqltrace.sql"

readclients = yes

deletestalesessions = yes

num_sql_socks = 5

lifetime = 0

max_queries = 0

sql_user_name = "%{User-Name}"

default_user_profile = ""

nas_query = "SELECT (@cnt := @cnt + 1) AS `id`, `nasname`, `shortname`, `type`, `secret`, `server` FROM `radius_clients` CROSS JOIN (SELECT @cnt := 0) AS `dummy` ORDER BY `id`"

authorize_check_query = "SELECT (@cnt := @cnt + 1) AS `id`, `UserName`, `Attribute`, `Value`, `op` FROM `radius_check` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `UserName` = '%{SQL-User-Name}' ORDER BY `id`"

authorize_reply_query = "SELECT (@cnt := @cnt + 1) AS `id`, `UserName`, `Attribute`, `Value`, `op` FROM `radius_reply` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `UserName` = '%{SQL-User-Name}' ORDER BY `id`"

authorize_group_check_query = "SELECT (@cnt := @cnt + 1) AS `id`, `GroupName`, `Attribute`, `Value`, `op` FROM `radius_groupcheck` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `GroupName` = '%{Sql-Group}' ORDER BY `id`"

authorize_group_reply_query = "SELECT (@cnt := @cnt + 1) AS `id`, `GroupName`, `Attribute`, `Value`, `op` FROM `radius_groupreply` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `GroupName` = '%{Sql-Group}' ORDER BY `id`"

accounting_onoff_query = " UPDATE radius_acct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'"

accounting_update_query = " UPDATE radius_acct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"

accounting_update_query_alt = " INSERT INTO radius_acct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')"

accounting_start_query = " INSERT INTO radius_acct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"

accounting_start_query_alt = " UPDATE radius_acct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"

accounting_stop_query = " UPDATE radius_acct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"

accounting_stop_query_alt = " INSERT INTO radius_acct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')"

group_membership_query = "SELECT `GroupName` FROM `radius_usergroup` WHERE `UserName` = '%{SQL-User-Name}' ORDER BY `priority`"

connect_failure_retry_delay = 60

simul_count_query = ""

simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radius_acct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"

postauth_query = "INSERT INTO radius_postauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"

safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"

}

rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked

rlm_sql (sql): Attempting to connect to root@localhost:3306/stg

rlm_sql (sql): starting 0

rlm_sql (sql): Attempting to connect rlm_sql_mysql #0

rlm_sql_mysql: Starting connect to MySQL server for #0

rlm_sql (sql): Connected new DB handle, #0

rlm_sql (sql): starting 1

rlm_sql (sql): Attempting to connect rlm_sql_mysql #1

rlm_sql_mysql: Starting connect to MySQL server for #1

rlm_sql (sql): Connected new DB handle, #1

rlm_sql (sql): starting 2

rlm_sql (sql): Attempting to connect rlm_sql_mysql #2

rlm_sql_mysql: Starting connect to MySQL server for #2

rlm_sql (sql): Connected new DB handle, #2

rlm_sql (sql): starting 3

rlm_sql (sql): Attempting to connect rlm_sql_mysql #3

rlm_sql_mysql: Starting connect to MySQL server for #3

rlm_sql (sql): Connected new DB handle, #3

rlm_sql (sql): starting 4

rlm_sql (sql): Attempting to connect rlm_sql_mysql #4

rlm_sql_mysql: Starting connect to MySQL server for #4

rlm_sql (sql): Connected new DB handle, #4

rlm_sql (sql): Processing generate_sql_clients

rlm_sql (sql) in generate_sql_clients: query is SELECT (@cnt := @cnt + 1) AS `id`, `nasname`, `shortname`, `type`, `secret`, `server` FROM `radius_clients` CROSS JOIN (SELECT @cnt := 0) AS `dummy` ORDER BY `id`

rlm_sql (sql): Reserving sql socket id: 4

rlm_sql (sql): Read entry nasname=127.0.0.1,shortname=Local,secret=dec0071981b1

rlm_sql (sql): Adding client 127.0.0.1 (Local, server=<none>) to clients list

rlm_sql (sql): Read entry nasname=10.1.0.1,shortname=Cisco 7201 Kharino,secret=897269d6f1d8

rlm_sql (sql): Adding client 10.1.0.1 (Cisco 7201 Kharino, server=<none>) to clients list

rlm_sql (sql): Read entry nasname=172.1.0.1,shortname=Cisco 7201,secret=c1394e9f030e

rlm_sql (sql): Adding client 172.1.0.1 (Cisco 7201, server=<none>) to clients list

rlm_sql (sql): Released sql socket id: 4

Module: Linked to module rlm_expiration

Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration

expiration {

reply-message = "Password Has Expired "

}

Module: Linked to module rlm_logintime

Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime

logintime {

reply-message = "You are calling outside your allowed timespan "

minimum-timeout = 60

}

Module: Checking preacct {...} for more modules to load

Module: Linked to module rlm_acct_unique

Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/modules/acct_unique

acct_unique {

key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"

}

Module: Checking accounting {...} for more modules to load

Module: Linked to module rlm_attr_filter

Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter

attr_filter attr_filter.accounting_response {

attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"

key = "%{User-Name}"

relaxed = no

}

reading pairlist file /usr/local/etc/raddb/attrs.accounting_response

Module: Checking session {...} for more modules to load

Module: Linked to module rlm_radutmp

Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/modules/radutmp

radutmp {

filename = "/var/log/radutmp"

username = "%{User-Name}"

case_sensitive = yes

check_with_nas = yes

perm = 384

callerid = yes

}

Module: Checking post-proxy {...} for more modules to load

Module: Checking post-auth {...} for more modules to load

Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter

attr_filter attr_filter.access_reject {

attrsfile = "/usr/local/etc/raddb/attrs.access_reject"

key = "%{User-Name}"

relaxed = no

}

reading pairlist file /usr/local/etc/raddb/attrs.access_reject

} # modules

} # server

server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel

modules {

Module: Checking authenticate {...} for more modules to load

Module: Checking authorize {...} for more modules to load

Module: Linked to module rlm_realm

Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm

realm suffix {

format = "suffix"

delimiter = "@"

ignore_default = no

ignore_null = no

}

Module: Linked to module rlm_files

Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files

files {

usersfile = "/usr/local/etc/raddb/users"

acctusersfile = "/usr/local/etc/raddb/acct_users"

preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"

compat = "no"

}

reading pairlist file /usr/local/etc/raddb/users

reading pairlist file /usr/local/etc/raddb/acct_users

reading pairlist file /usr/local/etc/raddb/preproxy_users

Module: Checking session {...} for more modules to load

Module: Checking post-proxy {...} for more modules to load

Module: Checking post-auth {...} for more modules to load

} # modules

} # server

radiusd: #### Opening IP addresses and Ports ####

listen {

type = "auth"

ipaddr = *

port = 0

}

listen {

type = "acct"

ipaddr = *

port = 0

}

listen {

type = "control"

listen {

socket = "/var/run/radiusd/radiusd.sock"

}

}

listen {

type = "auth"

ipaddr = 127.0.0.1

port = 18120

}

Listening on authentication address * port 1812

Listening on accounting address * port 1813

Listening on command file /var/run/radiusd/radiusd.sock

Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel

Listening on proxy address * port 1814

Ready to process requests.

 

Now, after restarting FreeRADIUS, the subscriber got authorized, but RADIUS doesn't see it?????

 

sh subsc ses ui 1781

 

 

Type: IP, UID: 1781, State: unauthen, Identity: 172.1.0.102

IPv4 Address: 172.1.0.102

Session Up-time: 00:01:02, Last Changed: 00:01:02

Switch-ID: 127920

 

Policy information:

Authentication status: unauthen

Active services associated with session:

name "RADIUS-DEFAULT", applied before account logon

Rules, actions and conditions executed:

subscriber rule-map CTRL_IPOE

condition always event session-start

10 authorize aaa list ISG_IPOE identifier source-ip-address

subscriber rule-map CTRL_IPOE

condition always event radius-timeout

10 set-timer TIMER_UNAUTH 10

20 service-policy type service name RADIUS-DEFAULT

 

Classifiers:

Class-id Dir Packets Bytes Pri. Definition

0 In 192 14249 0 Match Any

1 Out 165 24045 0 Match Any

81574 In 192 14249 0 Match ACL 103

81575 Out 165 24045 0 Match ACL 104

 

Features:

 

Policing:

Class-id Dir Avg. Rate Normal Burst Excess Burst Source

81574 In 2048000 384000 768000 RADIUS-DEFAULT

81575 Out 2048000 384000 768000 RADIUS-DEFAULT

 

Configuration Sources:

Type Active Time AAA Service ID Name

SVC 00:01:03 - RADIUS-DEFAULT

USR 00:01:03 - Peruser

INT 00:01:03 - GigabitEthernet0/3.250

 

sh subscriber session detailed

Current Subscriber Information: Total sessions 31

--------------------------------------------------

Type: IP, UID: 1781, State: unauthen, Identity: 172.1.0.102

IPv4 Address: 172.1.0.102

Session Up-time: 00:05:35, Last Changed: 00:05:35

Switch-ID: 127920

 

Policy information:

Context 6843CF4C: Handle 3D00054E

AAA_id 000455F6: Flow_handle 0

Authentication status: unauthen

Downloaded User profile, including services:

username 0 "RADIUS-DEFAULT"

sss-service 0 6 [local-termination]

traffic-class 0 "input access-group 103"

traffic-class 0 "output access-group 104"

ssg-service-info 0 "QU;2048000;D;2048000"

Config history for session (recent to oldest):

Access-type: IP Client: Invalid

Policy event: Service Selection Request (Service)

Profile name: RADIUS-DEFAULT, 3 references

password 0 <hidden>

username 0 "RADIUS-DEFAULT"

sss-service 0 6 [local-termination]

traffic-class 0 "input access-group 103"

traffic-class 0 "output access-group 104"

ssg-service-info 0 "QU;2048000;D;2048000"

Active services associated with session:

name "RADIUS-DEFAULT", applied before account logon

Rules, actions and conditions executed:

subscriber rule-map CTRL_IPOE

condition always event session-start

10 authorize aaa list ISG_IPOE identifier source-ip-address

subscriber rule-map CTRL_IPOE

condition always event radius-timeout

10 set-timer TIMER_UNAUTH 10

20 service-policy type service name RADIUS-DEFAULT

 

Classifiers:

Class-id Dir Packets Bytes Pri. Definition

0 In 998 84616 0 Match Any

1 Out 825 114047 0 Match Any

81574 In 998 84616 0 Match ACL 103

81575 Out 825 114047 0 Match ACL 104

 

Features:

 

Policing:

Class-id Dir Avg. Rate Normal Burst Excess Burst Source

81574 In 2048000 384000 768000 RADIUS-DEFAULT

81575 Out 2048000 384000 768000 RADIUS-DEFAULT

 

Configuration Sources:

Type Active Time AAA Service ID Name

SVC 00:05:38 - RADIUS-DEFAULT

USR 00:05:38 - Peruser

INT 00:05:38 - GigabitEthernet0/3.250

 

 

On repeated authorization, the same thing.

Of the attributes, only the password and the IP.

 

And still, as before:

sh radius server-group all

 

 

Server group radius

Sharecount = 1 sg_unconfigured = FALSE

Type = standard Memlocks = 1

Server group RADIUS_IPOE

Sharecount = 1 sg_unconfigured = FALSE

Type = standard Memlocks = 1

Server(10.1.0.2:1812,1813) Transactions:

Authen: 0 Author: 1244 Acct: 0

Server_auto_test_enabled: FALSE

Keywrap enabled: FALSE

 

sh radius st

 

Auth. Acct. Both

Maximum inQ length: NA NA 1

Maximum waitQ length: NA NA 1

Maximum doneQ length: NA NA 1

Total responses seen: 2297 0 2297

Packets with responses: 2297 0 2297

Packets without responses: 1 0 1

Access Rejects : 2297

Average response delay(ms): 1010 0 1010

Maximum response delay(ms): 1804 0 1804

Number of Radius timeouts: 3 0 3

Duplicate ID detects: 0 0 0

Buffer Allocation Failures: 0 0 0

Maximum Buffer Size (bytes): 165 0 165

Malformed Responses : 0 0 0

Bad Authenticators : 0 0 0

Unknown Responses : 0 0 0

Source Port Range: (2 ports only)

1645 - 1646

Last used Source Port/Identifier:

1645/80

1646/0

 

Elapsed time since counters last cleared: 1h31m

Radius Latency Distribution:

<= 2ms : 0 0

3-5ms : 0 0

5-10ms : 0 0

10-20ms: 0 0

20-50ms: 0 0

50-100m: 0 0

>100ms : 2297 0

 

Current inQ length : 0

Current doneQ length: 0


Watching the interface on the FreeRADIUS box during authorization:

 

# tcpdump -n -i bce0 port 1812 or udp port 1813

 

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on bce0, link-type EN10MB (Ethernet), capture size 65535 bytes

 

 

Silence.

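The thread's open question is whether any Accounting-Request reaches udp/1813 at all (the tcpdump above is empty while `sh radius server-group all` shows Acct: 0). As an added example, not the poster's configuration or FreeRADIUS/Cisco code, the block below builds, verifies and decodes an RFC 2866 Accounting-Request: it checks the Request Authenticator against the shared secret the way a RADIUS server does before accepting the packet, and combines the Gigawords/Octets counters exactly as the `accounting_*_query` statements in the debug dump do (`Gigawords << 32 | Octets`). The NAS address 192.0.2.1, user `demo`, session id and the shared secret are all constructed for the demo.

```python
# Build, verify and decode RADIUS Accounting-Request packets (RFC 2866).
# Added example for this thread; packet contents and the secret are constructed.
import hashlib
import hmac
import struct

ACCT_REQUEST = 4  # RADIUS Code for Accounting-Request
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 40: "Acct-Status-Type",
              42: "Acct-Input-Octets", 43: "Acct-Output-Octets",
              44: "Acct-Session-Id", 52: "Acct-Input-Gigawords",
              53: "Acct-Output-Gigawords"}
INTEGER_ATTRS = {40, 42, 43, 52, 53}
STATUS_TYPES = {1: "Start", 2: "Stop", 3: "Interim-Update",
                7: "Accounting-On", 8: "Accounting-Off"}
SECRET = b"constructed-demo-secret"  # constructed, not the thread's secret

def build_acct_request(ident, secret, attrs):
    """attrs: list of (type, value bytes). Request Authenticator is
    MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def verify_request_authenticator(packet, secret):
    """True only if the sender used this shared secret (constant-time compare)."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(expected, auth)

def parse_attributes(body):
    """Walk the TLV list; reject zero-length or truncated attributes."""
    attrs, pos = [], 0
    while pos < len(body):
        alen = body[pos + 1] if pos + 1 < len(body) else 0
        if alen < 2 or pos + alen > len(body):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((body[pos], body[pos + 2:pos + alen]))
        pos += alen
    return attrs

def decode_acct_request(packet, secret):
    """Return decoded fields as a dict, or raise ValueError on a bad packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST:
        raise ValueError("not an Accounting-Request (code %d)" % code)
    if length != len(packet):
        raise ValueError("Length %d != %d bytes received" % (length, len(packet)))
    if not verify_request_authenticator(packet, secret):
        raise ValueError("Request Authenticator mismatch: wrong shared secret?")
    out = {"Identifier": ident}
    for atype, value in parse_attributes(packet[20:]):
        name = ATTR_NAMES.get(atype, "Attr-%d" % atype)
        if atype == 4 and len(value) == 4:
            out[name] = ".".join(str(b) for b in value)
        elif atype in INTEGER_ATTRS and len(value) == 4:
            out[name] = struct.unpack("!I", value)[0]
        else:
            out[name] = value.decode("utf-8", "replace")
    if "Acct-Status-Type" in out:
        out["Acct-Status-Type"] = STATUS_TYPES.get(out["Acct-Status-Type"], out["Acct-Status-Type"])
    # 64-bit counters: Gigawords << 32 | Octets, as the SQL queries in the dump do
    out["input_bytes"] = (out.get("Acct-Input-Gigawords", 0) << 32) | out.get("Acct-Input-Octets", 0)
    out["output_bytes"] = (out.get("Acct-Output-Gigawords", 0) << 32) | out.get("Acct-Output-Octets", 0)
    return out

def sample_interim_update():
    """Constructed Interim-Update from hypothetical NAS 192.0.2.1 for user 'demo'."""
    return build_acct_request(7, SECRET, [
        (1, b"demo"), (4, bytes([192, 0, 2, 1])), (40, struct.pack("!I", 3)),
        (44, b"0000002A"), (42, struct.pack("!I", 1)), (52, struct.pack("!I", 2)),
        (43, struct.pack("!I", 114047))])  # input = 2 gigawords + 1 octet
```

Calling `decode_acct_request(sample_interim_update(), SECRET)` returns the decoded fields; decoding the same bytes with any other secret raises the authenticator error, which is the check a RADIUS server applies before it will account the packet, so a NAS with a mismatched secret produces nothing in the accounting tables even when packets do arrive on the wire.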

ping 10.1.0.2

 

#ping 10.1.0.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.0.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

 

show arp 10.1.0.2

 

#show arp 10.1.0.2

Protocol Address Age (min) Hardware Addr Type Interface

Internet 10.1.0.2 7 001f.29e0.56fa ARPA GigabitEthernet0/3.10

 

 

debug radius authen

 

#debug radius authen

Radius protocol debugging is on

Radius protocol brief debugging is off

Radius protocol verbose debugging is off

Radius packet hex dump debugging is off

Radius packet protocol (authentication) debugging is on

Radius packet protocol (accounting) debugging is off

Radius elog debugging debugging is off

Radius packet retransmission debugging is off

Radius server fail-over debugging is off

Radius elog debugging debugging is off


Well, collect a log) a debug) why show the output.. you've turned it on, now write it down


Clearly missing: term mon

 

And at the end: term no mon


Well, collect a log) a debug) why show the output.. you've turned it on, now write it down

Could you elaborate or give an example?


Banned from Google?

 

"cisco debug"


I'm looking, of course!

Debug mode

 

But it hasn't sunk in yet

 

If you mean logs, they go to 10.1.0.2

 

I need to start the debugging

and I don't have it

show debug condition

 

 

% No conditions found

Edited by Andrey75


So debugging is enabled

 

#show debug

General OS:

AAA Authentication debugging is on

Radius protocol debugging is on

Radius protocol brief debugging is on

Radius protocol verbose debugging is on

Radius packet protocol (accounting) debugging is on

Radius elog debugging debugging is on

Radius packet retransmission debugging is on

Radius server fail-over debugging is on

Radius elog debugging debugging is on

 

I don't understand how to see what's happening?
