CheBuRashka Posted May 12, 2011 (edited)

Hello. I have a Cisco ASR 1002 and am trying to set up ISG. Authorization works fine, but there is a problem with accounting (tcpdump on port 1813 on the RADIUS server does not catch a single packet). If anyone has run into this, please help.

Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISE-M), Version 15.0(1)S, RELEASE SOFTWARE (fc1)
ROM: IOS-XE ROMMON
cisco ASR1002 (2RU) processor with 1724178K/6147K bytes of memory.

Cisco config:

Current configuration : 4423 bytes
!
! Last configuration change at 11:02:57 UTC Thu May 12 2011 by root
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service unsupported-transceiver
!
hostname router
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
vrf definition default
!
enable password 7
!
aaa new-model
aaa session-mib disconnect
!
aaa group server radius SERVER_GROUP1
 server 10.11.0.2 auth-port 1812 acct-port 1813
!
aaa authentication login AUTHEN_LIST1 group SERVER_GROUP1
aaa authorization network default group SERVER_GROUP1
aaa authorization subscriber-service AUTHOR_LIST1 group SERVER_GROUP1
aaa authorization subscriber-service AUTHEN_LIST1 group SERVER_GROUP1
aaa authorization subscriber-service ACCNT_LIST1 group SERVER_GROUP1
aaa accounting delay-start all
aaa accounting update periodic 5
aaa accounting network ACCNT_LIST1 start-stop group SERVER_GROUP1
!
aaa nas port extended
!
aaa session-id unique
ip source-route
!
no ip domain lookup
ip dhcp relay information policy keep
ip dhcp relay information trust-all
!
subscriber service session-accounting
subscriber service accounting interim-interval 1
subscriber authorization enable
!
redirect server-group REDIRECT_SERVER_GROUP1
 server ip 10.11.0.2 port 80
!
multilink bundle-name authenticated
!
username root secret 4 8JejqDMXnmP5UU1C8NQ8zGNuw6r7tBqA46betnB4ghE
!
redundancy
 mode none
!
class-map type traffic match-any account
!
policy-map type service ACC
 class type traffic account
  accounting aaa list AUTHOR_LIST1
!
policy-map type control RULE_IP_SESSION2a
 class type control always event session-start
  5 collect identifier nas-port
  10 service-policy type service aaa list AUTHOR_LIST1 identifier nas-port
 !
 class type control always event account-logon
  10 service-policy type service aaa list ACCNT_LIST1 identifier nas-port
 !
 class type control always event service-stop
  1 service-policy type service unapply identifier service-name
  10 log-session-state
 !
 class type control always event session-restart
  30 service-policy type service aaa list AUTHOR_LIST1 identifier nas-port
  40 service-policy type service name SERVICE_406_L4R
!
gw-accounting aaa
!
interface GigabitEthernet0/0/0
 ip address X.X.X.X 255.255.255.252
 ip nat outside
 ip flow ingress
 ip virtual-reassembly
 negotiation auto
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/1.1000
 encapsulation dot1Q 1000
 ip address 10.11.0.3 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
!
interface GigabitEthernet0/0/1.1011
 encapsulation dot1Q 1011
 ip address 192.168.0.1 255.255.255.0
 ip helper-address 10.11.0.2
 ip nat inside
 ip virtual-reassembly
 service-policy type control RULE_IP_SESSION2a
 ip subscriber routed
  initiator dhcp class-aware
!
interface GigabitEthernet0/0/2
 no ip address
 speed 100
 no negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
ip nat inside source list 2 interface GigabitEthernet0/0/0 overload
!
no ip http server
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip route 10.0.0.0 255.0.0.0 10.11.0.1
!
ip radius source-interface GigabitEthernet0/0/1.1000
logging esm config
access-list 1 permit 10.11.0.2
access-list 2 permit 192.0.0.0 0.255.255.255
!
radius-server attribute 44 include-in-access-req
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 25 access-request include
radius-server attribute nas-port format e UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
radius-server host 10.11.0.2 auth-port 1812 acct-port 1813 key 7 12485744
radius-server retransmit 5
radius-server timeout 30
radius-server directed-request
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
gateway
 timer receive-rtp 1200
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password 7
!
end

AAA Accounting debugging:

*May 12 11:19:55.870: AAA/ACCT/HC(00000033): Register Iedge IP SIP/570000C1 64 bit counter support not configured
*May 12 11:19:55.870: AAA/ACCT/HC(00000033): Update Iedge IP SIP/570000C1
*May 12 11:19:55.870: AAA/ACCT/HC(00000033): no HC Iedge IP SIP/570000C1
*May 12 11:19:55.870: AAA/ACCT/EVENT/(00000033): CALL START
*May 12 11:19:55.870: Getting session id for NET(00000033) : db=42204CE4
*May 12 11:19:55.870: AAA/ACCT(00000000): add node, session 724
*May 12 11:19:55.870: AAA/ACCT/NET(00000033): add, count 1
*May 12 11:19:55.871: Getting session id for NONE(00000033) : db=42204CE4
*May 12 11:20:01.928: AAA/ACCT/EVENT/(00000033): IPCP_PASS
*May 12 11:20:01.928: AAA/ACCT/NET(00000033): Method list not found

RADIUS server log:

05-12/11:27:01 INFO [pool-1-thread-37] radius - AUTH:.
Type=AUTHENTICATION_REQUEST
Attributes:.
  User-Name=nas-port:10.11.0.3:0/0/1/1011
  NAS-Identifier=router
  NAS-Port-Id=0/0/1/1011
  User-Password=cisco
  NAS-IP-Address=10.11.0.3
  NAS-Port=721
  Service-Type=5
  Acct-Session-Id=0/0/1/1011_000002D1
  NAS-Port-Type=15
  cisco-avpair=vendor-class-id-tag=MSFT 5.0
05-12/11:27:01 INFO [pool-1-thread-37] radius - RESPONSE:
Type=AUTHENTICATION_ACCEPT
Process time auth: 122 init_tariff: 0; set_ip: 0; common_auth: 12
Attributes:.
  Acct-Interim-Interval=60
  Service-Type=2
  Framed-Protocol=1
Trace: Login found.

Edited May 12, 2011 by CheBuRashka
SLon26 Posted May 12, 2011

Why are you exposing the enable passwords? Remove them. Weren't you taught to use enable secret?
darkagent Posted May 12, 2011

sh radius server-group all and sh radius statistics?
CheBuRashka Posted May 12, 2011

> sh radius server-group all and sh radius statistics?

sh radius server-group all
Server group radius
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1
    Server(10.11.0.2:1812,1813) Transactions:
    Authen: 0  Author: 0  Acct: 0
    Server_auto_test_enabled: FALSE
Server group SERVER_GROUP1
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1
    Server(10.11.0.2:1812,1813) Transactions:
    Authen: 0  Author: 2  Acct: 0
    Server_auto_test_enabled: FALSE

sh radius statistics
                                   Auth.   Acct.   Both
Maximum inQ length:                  NA      NA      1
Maximum waitQ length:                NA      NA      1
Maximum doneQ length:                NA      NA      1
Total responses seen:                37       0     37
Packets with responses:              37       0     37
Packets without responses:            0       0      0
Access Rejects :                     16
Average response delay(ms):         195       0    195
Maximum response delay(ms):         325       0    325
Number of Radius timeouts:            0       0      0
Duplicate ID detects:                 0       0      0
Buffer Allocation Failures:           0       0      0
Maximum Buffer Size (bytes):        233       0    233
Malformed Responses :                 0       0      0
Bad Authenticators :                  0       0      0
Unknown Responses :                   0       0      0
Source Port Range: (2 ports only)
                                   1645 - 1646
Last used Source Port/Identifier:
                                   1645/47
                                   1646/0
C@T Posted May 12, 2011

> 05-12/11:27:01 INFO [pool-1-thread-37] radius - RESPONSE:
> Type=AUTHENTICATION_ACCEPT
> Process time auth: 122 init_tariff: 0; set_ip: 0; common_auth: 12
> Attributes:.
>   Acct-Interim-Interval=60
>   Service-Type=2
>   Framed-Protocol=1

I may be wrong, but it looks like accounting isn't running because the ACC service (policy-map type service ACC), through which your accounting should run, was not attached to the user in the Auth_accept packet.
CheBuRashka Posted May 12, 2011

> I may be wrong, but it looks like accounting isn't running because the ACC service (policy-map type service ACC), through which your accounting should run, was not attached to the user in the Auth_accept packet.

If I add `20 service-policy type service name ACC`, then for some reason ACC starts being sent as the user name. RADIUS log:

05-12/16:04:42 INFO [pool-1-thread-7] radius - AUTH:.
Type=AUTHENTICATION_REQUEST
Attributes:.
  User-Name=ACC
  NAS-Identifier=router
  NAS-Port-Id=0/0/1/1011
  User-Password=cisco
  NAS-IP-Address=10.11.0.3
  NAS-Port=217
  Service-Type=5
  Acct-Session-Id=0/0/1/1011_000000DC:000403f30001
  NAS-Port-Type=15
  cisco-avpair=circuit-id-tag=000403f30001
  cisco-avpair=remote-id-tag=010131
  cisco-avpair=vendor-class-id-tag=MSFT 5.0
05-12/16:04:42 INFO [pool-1-thread-7] radius - RESPONSE:
Type=AUTHENTICATION_REJECT
Process time auth: 239 common_auth: 82
Attributes:.
  Reply-Message=14
C@T Posted May 12, 2011

> then for some reason ACC starts being sent as the user name

For some reason the Cisco does not find this ACC service as a locally defined service and tries to request it from RADIUS, and on the RADIUS server it apparently is not defined. I don't know the finer points of the ASR1002, but try adding this to the config so that the Cisco looks for services locally first and only then requests them from RADIUS:

aaa authorization subscriber-service default local group SERVER_GROUP1
CheBuRashka Posted May 12, 2011 (edited)

> For some reason the Cisco does not find this ACC service as a locally defined service and tries to request it from RADIUS, and on the RADIUS server it apparently is not defined. I don't know the finer points of the ASR1002, but try adding this to the config so that the Cisco looks for services locally first and only then requests them from RADIUS:
>
> aaa authorization subscriber-service default local group SERVER_GROUP1

Did that. The Cisco no longer sends ACC as the user name, but it stopped authorizing by nas-port. I changed policy-map type control RULE_IP_SESSION2a:

policy-map type control RULE_IP_SESSION2a
 class type control always event session-start
  5 collect identifier nas-port
  10 authorize aaa list AUTHOR_LIST1 password cisco identifier nas-port
  20 service-policy type service name ACC

Authorization now goes through, but accounting still isn't running. The debug shows the same thing.

Edited May 12, 2011 by CheBuRashka
C@T Posted May 12, 2011 (edited)

And is this service actually attached to the user? Can you show the AUTHENTICATION_ACCEPT packet from RADIUS again? And in the user profile, set something like Cisco-Account-Info += AACT

Edited May 12, 2011 by C@T
CheBuRashka Posted May 12, 2011 (edited)

> And is this service actually attached to the user? Can you show the AUTHENTICATION_ACCEPT packet from RADIUS again? And in the user profile, set something like Cisco-Account-Info += AACT

The user connects:

router#sh subscriber session detailed
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Unique Session ID: 90
Identifier: nas-port:10.11.0.3:0/0/1/1011
SIP subscriber access type(s): IP
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 00:01:12, Last Changed: 00:01:12
Policy information:
  Context 300B02C4: Handle 5A0001A0
  AAA_id 00000068: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    service-type 2 [Framed]
    Framed-Protocol 1 [PPP]
    clid-mac-addr 00 15 E9 F1 C7 B3
    addr 192.168.0.15
    netmask 255.255.255.255
    config-source-dpm True
    vendor-class-id-tag "MSFT 5.0"
  Downloaded User profile, including services:
    service-type 2 [Framed]
    Framed-Protocol 1 [PPP]
    clid-mac-addr 00 15 E9 F1 C7 B3
    addr 192.168.0.15
    netmask 255.255.255.255
    config-source-dpm True
    vendor-class-id-tag "MSFT 5.0"
  Config history for session (recent to oldest):
    Access-type: IP Client: DHCP
    Policy event: Session-Update
      Profile name: apply-config-only, 2 references
        clid-mac-addr 00 15 E9 F1 C7 B3
        addr 192.168.0.15
        netmask 255.255.255.255
        config-source-dpm True
        vendor-class-id-tag "MSFT 5.0"
    Access-type: IP Client: SM
    Policy event: Service Selection Request
      Profile name: nas-port:10.11.0.3:0/0/1/1011, 2 references
        service-type 2 [Framed]
        Framed-Protocol 1 [PPP]
  Rules, actions and conditions executed:
    subscriber rule-map RULE_IP_SESSION2a
      condition always event session-start
        5 collect identifier nas-port
        10 authorize aaa list AUTHOR_LIST1 identifier nas-port
Configuration sources associated with this session:
Interface: GigabitEthernet0/0/1.1011, Active Time = 00:01:12

05-12/16:45:29 INFO [pool-1-thread-3] radius - AUTH:.
Type=AUTHENTICATION_REQUEST
Attributes:.
  User-Name=nas-port:10.11.0.3:0/0/1/1011
  NAS-Identifier=router
  NAS-Port-Id=0/0/1/1011
  User-Password=cisco
  NAS-IP-Address=10.11.0.3
  NAS-Port=1679
  Service-Type=5
  Acct-Session-Id=0/0/1/1011_0000068F
  NAS-Port-Type=15
  cisco-avpair=vendor-class-id-tag=MSFT 5.0
05-12/16:45:29 INFO [pool-1-thread-3] radius - RESPONSE:
Type=AUTHENTICATION_ACCEPT
Process time auth: 121 init_tariff: 0; set_ip: 0; common_auth: 14
Attributes:.
  Acct-Interim-Interval=60
  Service-Type=2
  Framed-Protocol=1
Trace: Login found.

There is no user profile as such. I'm setting up the Cisco together with bgbilling.

Edited May 12, 2011 by CheBuRashka
C@T Posted May 12, 2011 (edited)

In bgbilling, are you using bitel.billing.server.processor.PoDNASConnectionInspector or the new bitel.billing.server.processor.ISGNasConnectionInspector? Version 5.1, 5.0 or 4.6? Via the IPN module or BGRadiusDialup? In any case, try passing the attribute Cisco-Account-Info = AACT through bgbilling's RADIUS; if you don't know how, write back. I don't know IPN, but if it's BGRadiusDialup, I can help.

Edited May 12, 2011 by C@T
CheBuRashka Posted May 12, 2011

> In bgbilling, are you using bitel.billing.server.processor.PoDNASConnectionInspector or the new bitel.billing.server.processor.ISGNasConnectionInspector? Version 5.1, 5.0 or 4.6? In any case, try passing the attribute Cisco-Account-Info = AACT through bgbilling's RADIUS; if you don't know how, write back.

bgbilling 5.0. I'll try to figure it out; if it doesn't work, I'll report back. Many thanks for the help.
C@T Posted May 12, 2011

There is another way to tell the Cisco to send accounting after all: pass the following attributes in the AUTHENTICATION_ACCEPT packet from the RADIUS server:

1. Cisco-Avpair="accounting-list=accounting-mlist-name" (presumably ACCNT_LIST1)
2. Acct-Interim-Interval (attribute 85)

But I never got a chance to try it, so I don't know whether it will work.
CheBuRashka Posted May 12, 2011 (edited)

> There is another way to tell the Cisco to send accounting after all: pass the following attributes in the AUTHENTICATION_ACCEPT packet from the RADIUS server:
>
> 1. Cisco-Avpair="accounting-list=accounting-mlist-name" (presumably ACCNT_LIST1)
> 2. Acct-Interim-Interval (attribute 85)
>
> But I never got a chance to try it, so I don't know whether it will work.

Thank you very much, everything works now.

Edited May 12, 2011 by CheBuRashka
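The fix that closed the thread is a pair of attributes returned in the Access-Accept: Acct-Interim-Interval (attribute 85) and the Cisco VSA `accounting-list=ACCNT_LIST1`. The following is an added example, not code from the thread or from bgbilling, showing how those attributes are laid out on the wire (RFC 2865 attribute and Vendor-Specific encoding, Cisco vendor ID 9, Cisco-AVPair vendor type 1) and how the receiving NAS validates the Response Authenticator before trusting them. The shared secret, the Request Authenticator and the packet identifier are constructed sample values; the attribute values mirror what the thread's RADIUS log shows plus the two suggested by C@T.

```python
import hashlib
import hmac
import struct

# RFC 2865 / RFC 2869 code and attribute numbers; Cisco's IANA vendor ID is 9.
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_FRAMED_PROTOCOL = 7
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_INTERIM_INTERVAL = 85
VENDOR_CISCO = 9
CISCO_AVPAIR = 1  # vendor type of Cisco-AVPair inside the VSA
NAMES = {ATTR_SERVICE_TYPE: "Service-Type",
         ATTR_FRAMED_PROTOCOL: "Framed-Protocol",
         ATTR_ACCT_INTERIM_INTERVAL: "Acct-Interim-Interval"}

# Constructed sample values (not from the thread): the NAS shared secret and the
# 16-byte Request Authenticator the NAS put in its Access-Request.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_REQUEST_AUTH = bytes(range(16))


def attr(attr_type, value):
    """Encode one attribute: Type(1) Length(1, header included) Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def int_attr(attr_type, number):
    """Integer attributes are 4-byte big-endian values."""
    return attr(attr_type, struct.pack("!I", number))


def cisco_avpair(text):
    """Cisco-AVPair as Vendor-Specific(26): Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) String."""
    payload = text.encode("ascii")
    inner = struct.pack("!BB", CISCO_AVPAIR, len(payload) + 2) + payload
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + inner)


def build_access_accept(identifier, request_auth, secret, attributes):
    """Assemble the packet; Response Authenticator per RFC 2865 section 3 is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def decode_access_accept(packet, request_auth, secret):
    """Validate length and Response Authenticator the way a NAS does, then decode
    attributes into a dict (integers decoded, Cisco-AVPair strings collected)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch (wrong shared secret or altered packet)")
    info = {"code": code, "identifier": identifier, "cisco-avpair": []}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute length")
        value = body[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("malformed VSA length")
            if vendor == VENDOR_CISCO and vtype == CISCO_AVPAIR:
                info["cisco-avpair"].append(value[6:4 + vlen].decode("ascii"))
        elif len(value) == 4:
            info[NAMES.get(atype, "Attr-%d" % atype)] = struct.unpack("!I", value)[0]
        else:
            info[NAMES.get(atype, "Attr-%d" % atype)] = value
        pos += alen
    return info


def sample_accept(identifier=0x2F):
    """The Access-Accept the thread ends up needing: what the billing server
    already returned plus the two attributes suggested by C@T."""
    return build_access_accept(identifier, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, [
        int_attr(ATTR_SERVICE_TYPE, 2),            # Framed
        int_attr(ATTR_FRAMED_PROTOCOL, 1),         # PPP
        int_attr(ATTR_ACCT_INTERIM_INTERVAL, 60),  # interim updates every 60 s
        cisco_avpair("accounting-list=ACCNT_LIST1"),
    ])


if __name__ == "__main__":
    pkt = sample_accept()
    print(len(pkt), "bytes:", pkt.hex())
    print(decode_access_accept(pkt, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
```

The authenticator check is the reason a wrong `radius-server key` shows up as silently dropped replies rather than an error in the reply itself: the NAS discards any Access-Accept whose MD5 over the request authenticator and shared secret does not match, so the `Bad Authenticators` counter in `sh radius statistics` is the first thing to look at when accepts are sent but never acted on.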
Andrey75 Posted June 26, 2017

Good day, everyone! Please help! Config:

Building configuration...

Current configuration : 10870 bytes
!
! Last configuration change at 14:36:05 UTC Mon Jun 26 2017 by admin
! NVRAM config last updated at 07:40:55 UTC Mon Jun 26 2017 by admin
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname KharinoIPoE
!
boot-start-marker
boot system disk2:c7200-advipservicesk9-mz.152-4.S7.bin
boot-end-marker
!
no logging console
enable secret 5 $1$G4sK$Q616cITrTmXUIz0iS0.Sz1
!
aaa new-model
!
aaa group server radius RADIUS_IPOE
 server-private 10.1.0.2 auth-port 1812 acct-port 1813 timeout 3 retransmit 2 key 7 035C025C54597848180F48014F
 ip radius source-interface GigabitEthernet0/3.10
 deadtime 1
!
aaa authentication login ISG_IPOE group RADIUS_IPOE
aaa authentication ppp ISG_IPOE group RADIUS_IPOE
aaa authorization network ISG_IPOE group RADIUS_IPOE
aaa authorization subscriber-service default local group RADIUS_IPOE
aaa authorization subscriber-service ISG_IPOE local group RADIUS_IPOE
aaa accounting delay-start all
aaa accounting jitter maximum 10
aaa accounting update periodic 20
aaa accounting network ISG_IPOE
 action-type start-stop
 group RADIUS_IPOE
!
aaa server radius dynamic-author
 client 10.1.0.2 server-key 7 897269d6f1d8
 auth-type any
!
aaa session-id common
aaa policy interface-config allow-subinterface
ip cef
!
ip flow-cache timeout inactive 30
ip flow-cache timeout active 20
ip domain name Kharino
no ipv6 cef
!
subscriber service multiple-accept
subscriber authorization enable
service-policy type control CTRL_IPOE
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
username admin privilege 15 secret 5 $1$J9.1$Hy5OeGNL40k..5Bam.EsU/
redirect server-group REDIRECT_NOPAY
 server ip 10.1.0.2 port 80
!
redirect server-group OFF-LINE-REDIRECT
 server ip 10.1.0.2 port 80
!
redirect server-group DOWN-REDIRECT
 server ip 10.1.0.2 port 80
!
redirect server-group PASSIVE-REDIRECT
 server ip 10.1.0.2 port 80
!
redirect session-limit 256
!
ip ssh version 1
class-map type traffic match-any RADUIS_DEFAULT
 match access-group input 103
 match access-group output 104
!
class-map type traffic match-any REDIRECT-PASSIVE
 match access-group input name PASSIVE
!
class-map type traffic match-any REDIRECT-DOWN
 match access-group input name DOWN
!
class-map type traffic match-any REDIRECT-OFF-LINE
 match access-group input name OFF-LINE
!
class-map type traffic match-any ACL-PASSIVE
 match access-group input name PASSIVE
 match access-group output name PASSIVE
!
class-map type traffic match-any ACL-DOWN
 match access-group input name DOWN
 match access-group output name DOWN
!
class-map type traffic match-any ACL-OFF-LINE
 match access-group input name OFF-LINE
 match access-group output name OFF-LINE
!
class-map type traffic match-any ACL-ON-LINE
 match access-group output name ON-LINE
 match access-group input name ON-LINE
!
class-map type traffic match-any avaria
 match access-group input 102
 match access-group output 101
!
class-map type control match-all ACC-ON-LINE
 match authen-status authenticated
 match timer TIMER_AUTH
!
class-map type control match-all ACC-UNAUTH
 match authen-status unauthenticated
 match timer UNAUTH-TIMER
!
policy-map type service ON-LINE-SERVICE
 service local
 class type traffic ACL-ON-LINE
 !
 class type traffic default in-out
!
policy-map type service OFF-LINE-SERVICE
 service local
 class type traffic ACL-OFF-LINE
!
policy-map type service SRV-OFF-LINE-REDIRECT
 service local
 class type traffic REDIRECT-OFF-LINE
  redirect to group OFF-LINE-REDIRECT
 !
 class type traffic default in-out
  drop
!
policy-map type service DOWN-SERVICE
 service local
 class type traffic ACL-DOWN
!
policy-map type service SRV-DOWN-REDIRECT
 service local
 class type traffic REDIRECT-DOWN
  redirect to group DOWN-REDIRECT
 !
 class type traffic default in-out
  drop
!
policy-map type service PASSIVE-SERVICE
 service local
 class type traffic ACL-PASSIVE
!
policy-map type service SRV-PASSIVE-REDIRECT
 service local
 class type traffic REDIRECT-PASSIVE
  redirect to group PASSIVE-REDIRECT
 !
 class type traffic default in-out
  drop
!
policy-map type service RADIUS-DEFAULT
 service local
 class type traffic RADUIS_DEFAULT
  police input 2048000
  police output 2048000
!
policy-map type control CTRL_IPOE
 class type control always event radius-timeout
  10 set-timer TIMER_UNAUTH 10
  20 service-policy type service name RADIUS-DEFAULT
 !
 class type control always event session-start
  10 authorize aaa list ISG_IPOE password ISG identifier source-ip-address
  20 set-timer TIMER_UNAUTH 10
  30 service-policy type service name PASSIVE-SERVICE
  40 service-policy type service name SRV-PASSIVE-REDIRECT
  50 service-policy type service name DOWN-SERVICE
  60 service-policy type service name SRV-DOWN-REDIRECT
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 media-type rj45
 speed auto
 duplex auto
 no negotiation auto
!
interface GigabitEthernet0/3
 no ip address
 media-type rj45
 speed auto
 duplex auto
 no negotiation auto
!
interface GigabitEthernet0/3.10
 encapsulation dot1Q 10
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/3.250
 encapsulation dot1Q 250
 ip address 172.1.0.1 255.255.248.0
 ip nat inside
 ip flow ingress
 ip flow egress
 service-policy type control CTRL_IPOE
 ip subscriber routed
  initiator unclassified ip-address
!
ip access-list extended DOWN
 permit ip host 10.1.0.2 any
 permit ip any host 10.1.0.2
 permit tcp any any eq www
 deny ip any any
ip access-list extended OFF-LINE
 permit ip any host 10.1.0.2
 permit ip host 10.1.0.2 any
 permit tcp any any eq www
 deny ip any any
ip access-list extended ON-LINE
 permit ip any any
ip access-list extended PASSIVE
 permit ip host 10.1.0.2 any
 permit ip any host 10.1.0.2
 permit tcp any any eq www
 deny ip any any
!
logging host 10.1.0.2
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 44 extend-with-addr
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 31 mac format unformatted lower-case
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
!
end

sh radius server-group all
Server group radius
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1
Server group RADIUS_IPOE
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1
    Server(10.1.0.2:1812,1813) Transactions:
    Authen: 0  Author: 896  Acct: 0
    Server_auto_test_enabled: FALSE
    Keywrap enabled: FALSE

sh radius st
                                   Auth.   Acct.   Both
Maximum inQ length:                  NA      NA      1
Maximum waitQ length:                NA      NA      1
Maximum doneQ length:                NA      NA      0
Total responses seen:              1978       0   1978
Packets with responses:            1978       0   1978
Packets without responses:            0       0      0
Access Rejects :                   1978
Average response delay(ms):        1010       0   1010
Maximum response delay(ms):        1804       0   1804
Number of Radius timeouts:            0       0      0
Duplicate ID detects:                 0       0      0
Buffer Allocation Failures:           0       0      0
Maximum Buffer Size (bytes):        165       0    165
Malformed Responses :                 0       0      0
Bad Authenticators :                  0       0      0
Unknown Responses :                   0       0      0
Source Port Range: (2 ports only)
                                   1645 - 1646
Last used Source Port/Identifier:
                                   1645/16
                                   1646/0
Elapsed time since counters last cleared: 1h8m
Radius Latency Distribution:
  <= 2ms : 0     0
  3-5ms  : 0     0
  5-10ms : 0     0
  10-20ms: 0     0
  20-50ms: 0     0
  50-100m: 0     0
  >100ms : 1978  0
Current inQ length : 0
Current doneQ length: 0

The subscriber is not getting authorized:

sh subsc ses
Codes: Lterm - Local Term, Fwd - forwarded, unauth - unathenticated, authen - authenticated,
       TC Ct. - Number of Traffic Classes on the main session
Current Subscriber Information: Total sessions 31

Uniq ID  Interface  State     Service     Up-time   TC Ct.  Identifier
1572     IP         unauthen  Attempting  00:00:00  0       172.1.0.102

On the FreeRADIUS side nothing happens during authorization. radiusd -X:

# radiusd -X
radiusd: FreeRADIUS Version 2.2.9, for host amd64-portbld-freebsd10.3, built on Apr 24 2017 at 17:47:58
Copyright © 1999-2015 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf including files in directory /usr/local/etc/raddb/modules/ including configuration file /usr/local/etc/raddb/modules/always including configuration file /usr/local/etc/raddb/modules/attr_filter including configuration file /usr/local/etc/raddb/modules/attr_rewrite including configuration file /usr/local/etc/raddb/modules/cache including configuration file /usr/local/etc/raddb/modules/chap including configuration file /usr/local/etc/raddb/modules/checkval including configuration file /usr/local/etc/raddb/modules/counter including configuration file /usr/local/etc/raddb/modules/cui including configuration file /usr/local/etc/raddb/modules/detail including configuration file /usr/local/etc/raddb/modules/detail.example.com including configuration file /usr/local/etc/raddb/modules/detail.log including configuration file /usr/local/etc/raddb/modules/dhcp_sqlippool including configuration file /usr/local/etc/raddb/sql/mysql/ippool-dhcp.conf including configuration file /usr/local/etc/raddb/modules/digest including configuration file /usr/local/etc/raddb/modules/dynamic_clients including configuration file /usr/local/etc/raddb/modules/echo including configuration file /usr/local/etc/raddb/modules/etc_group including configuration file /usr/local/etc/raddb/modules/exec including configuration file
/usr/local/etc/raddb/modules/expiration including configuration file /usr/local/etc/raddb/modules/expr including configuration file /usr/local/etc/raddb/modules/files including configuration file /usr/local/etc/raddb/modules/inner-eap including configuration file /usr/local/etc/raddb/modules/ippool including configuration file /usr/local/etc/raddb/modules/krb5 including configuration file /usr/local/etc/raddb/modules/ldap including configuration file /usr/local/etc/raddb/modules/linelog including configuration file /usr/local/etc/raddb/modules/logintime including configuration file /usr/local/etc/raddb/modules/otp including configuration file /usr/local/etc/raddb/modules/mac2ip including configuration file /usr/local/etc/raddb/modules/mac2vlan including configuration file /usr/local/etc/raddb/modules/mschap including configuration file /usr/local/etc/raddb/modules/ntlm_auth including configuration file /usr/local/etc/raddb/modules/opendirectory including configuration file /usr/local/etc/raddb/modules/pam including configuration file /usr/local/etc/raddb/modules/pap including configuration file /usr/local/etc/raddb/modules/passwd including configuration file /usr/local/etc/raddb/modules/perl including configuration file /usr/local/etc/raddb/modules/policy including configuration file /usr/local/etc/raddb/modules/preprocess including configuration file /usr/local/etc/raddb/modules/radrelay including configuration file /usr/local/etc/raddb/modules/radutmp including configuration file /usr/local/etc/raddb/modules/realm including configuration file /usr/local/etc/raddb/modules/redis including configuration file /usr/local/etc/raddb/modules/rediswho including configuration file /usr/local/etc/raddb/modules/replicate including configuration file /usr/local/etc/raddb/modules/smbpasswd including configuration file /usr/local/etc/raddb/modules/smsotp including configuration file /usr/local/etc/raddb/modules/soh including configuration file 
/usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
main {
  user = "freeradius"
  group = "freeradius"
  allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
  name = "radiusd"
  prefix = "/usr/local"
  localstatedir = "/var"
  sbindir = "/usr/local/sbin"
  logdir = "/var/log"
  run_dir = "/var/run/radiusd"
  libdir = "/usr/local/lib/freeradius-2.2.0"
  radacctdir = "/var/log/radacct"
  hostname_lookups = no
  max_request_time = 30
  cleanup_delay = 5
  max_requests = 1024
  pidfile = "/var/run/radiusd/radiusd.pid"
  checkrad = "/usr/local/sbin/checkrad"
  debug_level = 0
  proxy_requests = yes
  log {
    stripped_names = yes
    auth = yes
    auth_badpass = yes
    auth_goodpass = no
  }
  security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
    allow_vulnerable_openssl = no
  }
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
radiusd: #### Instantiating modules ####
instantiate {
  Module: Linked to module rlm_exec
  Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec
  exec {
    wait = no
    input_pairs = "request"
    shell_escape = yes
    timeout = 10
  }
  Module: Linked to module rlm_expr
  Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr
}
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
  modules {
    Module: Creating Auth-Type = digest
    Module: Checking authenticate {...} for more modules to load
    Module: Linked to module rlm_pap
    Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap
    pap {
      encryption_scheme = "auto"
      auto_header = no
    }
    Module: Linked to module rlm_chap
    Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap
    Module: Linked to module rlm_mschap
    Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap
    mschap {
      use_mppe = yes
      require_encryption = no
      require_strong = no
      with_ntdomain_hack = no
      allow_retry = yes
    }
    Module: Linked to module rlm_digest
    Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest
    Module: Linked to module rlm_unix
    Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix
    unix {
      radwtmp = "/var/log/radwtmp"
    }
    Module: Linked to module rlm_eap
    Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
    eap {
      default_eap_type = "md5"
      timer_expire = 60
      ignore_unknown_eap_types = no
      cisco_accounting_username_bug = no
      max_sessions = 1024
    }
    Module: Linked to sub-module rlm_eap_md5
    Module: Instantiating eap-md5
    Module: Linked to sub-module rlm_eap_leap
    Module: Instantiating eap-leap
    Module: Linked to sub-module rlm_eap_gtc
    Module: Instantiating eap-gtc
    gtc {
      challenge = "Password: "
      auth_type = "PAP"
    }
    Module: Linked to sub-module rlm_eap_tls
    Module: Instantiating eap-tls
    tls {
      rsa_key_exchange = no
      dh_key_exchange = yes
      rsa_key_length = 512
      dh_key_length = 512
      verify_depth = 0
      CA_path = "/usr/local/etc/raddb/certs"
      pem_file_type = yes
      private_key_file = "/usr/local/etc/raddb/certs/server.pem"
      certificate_file = "/usr/local/etc/raddb/certs/server.pem"
      CA_file = "/usr/local/etc/raddb/certs/ca.pem"
      private_key_password = "whatever"
      dh_file = "/usr/local/etc/raddb/certs/dh"
      fragment_size = 1024
      include_length = yes
      check_crl = no
      check_all_crl = no
      cipher_list = "DEFAULT"
      make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
      ecdh_curve = "prime256v1"
      cache {
        enable = no
        lifetime = 24
        max_entries = 255
      }
      verify {
      }
      ocsp {
        enable = no
        override_cert_url = yes
        url = "http://127.0.0.1/ocsp/"
        use_nonce = yes
        timeout = 0
        softfail = no
      }
    }
    Module: Linked to sub-module rlm_eap_ttls
    Module: Instantiating eap-ttls
    ttls {
      default_eap_type = "md5"
      copy_request_to_tunnel = no
      use_tunneled_reply = no
      virtual_server = "inner-tunnel"
      include_length = yes
    }
    Module: Linked to sub-module rlm_eap_peap
    Module: Instantiating eap-peap
    peap {
      default_eap_type = "mschapv2"
      copy_request_to_tunnel = no
      use_tunneled_reply = no
      proxy_tunneled_request_as_eap = yes
      virtual_server = "inner-tunnel"
      soh = no
    }
    Module: Linked to sub-module rlm_eap_mschapv2
    Module: Instantiating eap-mschapv2
    mschapv2 {
      with_ntdomain_hack = no
      send_error = no
    }
    Module: Checking authorize {...} for more modules to load
    Module: Linked to module rlm_preprocess
    Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess
    preprocess {
      huntgroups = "/usr/local/etc/raddb/huntgroups"
      hints = "/usr/local/etc/raddb/hints"
      with_ascend_hack = no
      ascend_channels_per_line = 23
      with_ntdomain_hack = no
      with_specialix_jetstream_hack = no
      with_cisco_vsa_hack = no
      with_alvarion_vsa_hack = no
    }
    reading pairlist file /usr/local/etc/raddb/huntgroups
    reading pairlist file /usr/local/etc/raddb/hints
    Module: Linked to module rlm_sql
    Module: Instantiating module "sql" from file /usr/local/etc/raddb/sql.conf
    sql {
      driver = "rlm_sql_mysql"
      server = "localhost"
      port = "3306"
      login = "root"
      password = "mysd2b9e237"
      radius_db = "stg"
      read_groups = yes
      sqltrace = no
      sqltracefile = "/var/log/sqltrace.sql"
      readclients = yes
      deletestalesessions = yes
      num_sql_socks = 5
      lifetime = 0
      max_queries = 0
      sql_user_name = "%{User-Name}"
      default_user_profile = ""
      nas_query = "SELECT (@cnt := @cnt + 1) AS `id`, `nasname`, `shortname`, `type`, `secret`, `server` FROM `radius_clients` CROSS JOIN (SELECT @cnt := 0) AS `dummy` ORDER BY `id`"
      authorize_check_query = "SELECT (@cnt := @cnt + 1) AS `id`, `UserName`, `Attribute`, `Value`, `op` FROM `radius_check` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `UserName` = '%{SQL-User-Name}' ORDER BY `id`"
      authorize_reply_query = "SELECT (@cnt := @cnt + 1) AS `id`, `UserName`, `Attribute`, `Value`, `op` FROM `radius_reply` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `UserName` = '%{SQL-User-Name}' ORDER BY `id`"
      authorize_group_check_query = "SELECT (@cnt := @cnt + 1) AS `id`, `GroupName`, `Attribute`, `Value`, `op` FROM `radius_groupcheck` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `GroupName` = '%{Sql-Group}' ORDER BY `id`"
      authorize_group_reply_query = "SELECT (@cnt := @cnt + 1) AS `id`, `GroupName`, `Attribute`, `Value`, `op` FROM `radius_groupreply` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `GroupName` = '%{Sql-Group}' ORDER BY `id`"
      accounting_onoff_query = " UPDATE radius_acct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'"
      accounting_update_query = " UPDATE radius_acct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
      accounting_update_query_alt = " INSERT INTO radius_acct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')"
      accounting_start_query = " INSERT INTO radius_acct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
      accounting_start_query_alt = " UPDATE radius_acct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
      accounting_stop_query = " UPDATE radius_acct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
      accounting_stop_query_alt = " INSERT INTO radius_acct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')"
      group_membership_query = "SELECT `GroupName` FROM `radius_usergroup` WHERE `UserName` = '%{SQL-User-Name}' ORDER BY `priority`"
      connect_failure_retry_delay = 60
      simul_count_query = ""
      simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radius_acct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
      postauth_query = "INSERT INTO radius_postauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
      safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
    }
    rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
    rlm_sql (sql): Attempting to connect to root@localhost:3306/stg
    rlm_sql (sql): starting 0
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
    rlm_sql_mysql: Starting connect to MySQL server for #0
    rlm_sql (sql): Connected new DB handle, #0
    rlm_sql (sql): starting 1
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
    rlm_sql_mysql: Starting connect to MySQL server for #1
    rlm_sql (sql): Connected new DB handle, #1
    rlm_sql (sql): starting 2
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
    rlm_sql_mysql: Starting connect to MySQL server for #2
    rlm_sql (sql): Connected new DB handle, #2
    rlm_sql (sql): starting 3
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
    rlm_sql_mysql: Starting connect to MySQL server for #3
    rlm_sql (sql): Connected new DB handle, #3
    rlm_sql (sql): starting 4
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
    rlm_sql_mysql: Starting connect to MySQL server for #4
    rlm_sql (sql): Connected new DB handle, #4
    rlm_sql (sql): Processing generate_sql_clients
    rlm_sql (sql) in generate_sql_clients: query is SELECT (@cnt := @cnt + 1) AS `id`, `nasname`, `shortname`, `type`, `secret`, `server` FROM `radius_clients` CROSS JOIN (SELECT @cnt := 0) AS `dummy` ORDER BY `id`
    rlm_sql (sql): Reserving sql socket id: 4
    rlm_sql (sql): Read entry nasname=127.0.0.1,shortname=Local,secret=dec0071981b1
    rlm_sql (sql): Adding client 127.0.0.1 (Local, server=<none>) to clients list
    rlm_sql (sql): Read entry nasname=10.1.0.1,shortname=Cisco 7201 Kharino,secret=897269d6f1d8
    rlm_sql (sql): Adding client 10.1.0.1 (Cisco 7201 Kharino, server=<none>) to clients list
    rlm_sql (sql): Read entry nasname=172.1.0.1,shortname=Cisco 7201,secret=c1394e9f030e
    rlm_sql (sql): Adding client 172.1.0.1 (Cisco 7201, server=<none>) to clients list
    rlm_sql (sql): Released sql socket id: 4
    Module: Linked to module rlm_expiration
    Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration
    expiration {
      reply-message = "Password Has Expired "
    }
    Module: Linked to module rlm_logintime
    Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime
    logintime {
      reply-message = "You are calling outside your allowed timespan "
      minimum-timeout = 60
    }
    Module: Checking preacct {...} for more modules to load
    Module: Linked to module rlm_acct_unique
    Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/modules/acct_unique
    acct_unique {
      key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
    }
    Module: Checking accounting {...} for more modules to load
    Module: Linked to module rlm_attr_filter
    Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter
    attr_filter attr_filter.accounting_response {
      attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
      key = "%{User-Name}"
      relaxed = no
    }
    reading pairlist file /usr/local/etc/raddb/attrs.accounting_response
    Module: Checking session {...} for more modules to load
    Module: Linked to module rlm_radutmp
    Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/modules/radutmp
    radutmp {
      filename = "/var/log/radutmp"
      username = "%{User-Name}"
      case_sensitive = yes
      check_with_nas = yes
      perm = 384
      callerid = yes
    }
    Module: Checking post-proxy {...} for more modules to load
    Module: Checking post-auth {...} for more modules to load
    Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter
    attr_filter attr_filter.access_reject {
      attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
      key = "%{User-Name}"
      relaxed = no
    }
    reading pairlist file /usr/local/etc/raddb/attrs.access_reject
  } # modules
} # server
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
  modules {
    Module: Checking authenticate {...} for more modules to load
    Module: Checking authorize {...} for more modules to load
    Module: Linked to module rlm_realm
    Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm
    realm suffix {
      format = "suffix"
      delimiter = "@"
      ignore_default = no
      ignore_null = no
    }
    Module: Linked to module rlm_files
    Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files
    files {
      usersfile = "/usr/local/etc/raddb/users"
      acctusersfile = "/usr/local/etc/raddb/acct_users"
      preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
      compat = "no"
    }
    reading pairlist file /usr/local/etc/raddb/users
    reading pairlist file /usr/local/etc/raddb/acct_users
    reading pairlist file /usr/local/etc/raddb/preproxy_users
    Module: Checking session {...} for more modules to load
    Module: Checking post-proxy {...} for more modules to load
    Module: Checking post-auth {...} for more modules to load
  } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
  type = "auth"
  ipaddr = *
  port = 0
}
listen {
  type = "acct"
  ipaddr = *
  port = 0
}
listen {
  type = "control"
  listen {
    socket = "/var/run/radiusd/radiusd.sock"
  }
}
listen {
  type = "auth"
  ipaddr = 127.0.0.1
  port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.

Now, after restarting FreeRADIUS, the subscriber got authorized, but RADIUS doesn't see it?????
sh subsc ses ui 1781
Type: IP, UID: 1781, State: unauthen, Identity: 172.1.0.102
IPv4 Address: 172.1.0.102
Session Up-time: 00:01:02, Last Changed: 00:01:02
Switch-ID: 127920
Policy information:
  Authentication status: unauthen
  Active services associated with session:
    name "RADIUS-DEFAULT", applied before account logon
  Rules, actions and conditions executed:
    subscriber rule-map CTRL_IPOE
      condition always event session-start
        10 authorize aaa list ISG_IPOE identifier source-ip-address
    subscriber rule-map CTRL_IPOE
      condition always event radius-timeout
        10 set-timer TIMER_UNAUTH 10
        20 service-policy type service name RADIUS-DEFAULT
Classifiers:
  Class-id  Dir  Packets  Bytes   Pri.  Definition
  0         In   192      14249   0     Match Any
  1         Out  165      24045   0     Match Any
  81574     In   192      14249   0     Match ACL 103
  81575     Out  165      24045   0     Match ACL 104
Features:
  Policing:
    Class-id  Dir  Avg. Rate  Normal Burst  Excess Burst  Source
    81574     In   2048000    384000        768000        RADIUS-DEFAULT
    81575     Out  2048000    384000        768000        RADIUS-DEFAULT
Configuration Sources:
  Type  Active Time  AAA Service ID  Name
  SVC   00:01:03     -               RADIUS-DEFAULT
  USR   00:01:03     -               Peruser
  INT   00:01:03     -               GigabitEthernet0/3.250

sh subscriber session detailed
Current Subscriber Information: Total sessions 31
--------------------------------------------------
Type: IP, UID: 1781, State: unauthen, Identity: 172.1.0.102
IPv4 Address: 172.1.0.102
Session Up-time: 00:05:35, Last Changed: 00:05:35
Switch-ID: 127920
Policy information:
  Context 6843CF4C: Handle 3D00054E
  AAA_id 000455F6: Flow_handle 0
  Authentication status: unauthen
  Downloaded User profile, including services:
    username 0 "RADIUS-DEFAULT"
    sss-service 0 6 [local-termination]
    traffic-class 0 "input access-group 103"
    traffic-class 0 "output access-group 104"
    ssg-service-info 0 "QU;2048000;D;2048000"
  Config history for session (recent to oldest):
    Access-type: IP Client: Invalid
    Policy event: Service Selection Request (Service)
      Profile name: RADIUS-DEFAULT, 3 references
        password 0 <hidden>
        username 0 "RADIUS-DEFAULT"
        sss-service 0 6 [local-termination]
        traffic-class 0 "input access-group 103"
        traffic-class 0 "output access-group 104"
        ssg-service-info 0 "QU;2048000;D;2048000"
  Active services associated with session:
    name "RADIUS-DEFAULT", applied before account logon
  Rules, actions and conditions executed:
    subscriber rule-map CTRL_IPOE
      condition always event session-start
        10 authorize aaa list ISG_IPOE identifier source-ip-address
    subscriber rule-map CTRL_IPOE
      condition always event radius-timeout
        10 set-timer TIMER_UNAUTH 10
        20 service-policy type service name RADIUS-DEFAULT
Classifiers:
  Class-id  Dir  Packets  Bytes    Pri.  Definition
  0         In   998      84616    0     Match Any
  1         Out  825      114047   0     Match Any
  81574     In   998      84616    0     Match ACL 103
  81575     Out  825      114047   0     Match ACL 104
Features:
  Policing:
    Class-id  Dir  Avg. Rate  Normal Burst  Excess Burst  Source
    81574     In   2048000    384000        768000        RADIUS-DEFAULT
    81575     Out  2048000    384000        768000        RADIUS-DEFAULT
Configuration Sources:
  Type  Active Time  AAA Service ID  Name
  SVC   00:05:38     -               RADIUS-DEFAULT
  USR   00:05:38     -               Peruser
  INT   00:05:38     -               GigabitEthernet0/3.250

On repeated authorization it is the same: of the attributes only the password and the IP, and meanwhile still:

sh radius server-group all
Server group radius
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1
Server group RADIUS_IPOE
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1
    Server(10.1.0.2:1812,1813) Transactions:
    Authen: 0        Author: 1244     Acct: 0
    Server_auto_test_enabled: FALSE
    Keywrap enabled: FALSE

sh radius st
                                   Auth.     Acct.     Both
  Maximum inQ length:              NA        NA        1
  Maximum waitQ length:            NA        NA        1
  Maximum doneQ length:            NA        NA        1
  Total responses seen:            2297      0         2297
  Packets with responses:          2297      0         2297
  Packets without responses:       1         0         1
  Access Rejects                 : 2297
  Average response delay(ms):      1010      0         1010
  Maximum response delay(ms):      1804      0         1804
  Number of Radius timeouts:       3         0         3
  Duplicate ID detects:            0         0         0
  Buffer Allocation Failures:      0         0         0
  Maximum Buffer Size (bytes):     165       0         165
  Malformed Responses            : 0         0         0
  Bad Authenticators             : 0         0         0
  Unknown Responses              : 0         0         0
  Source Port Range: (2 ports only)
                                   1645 - 1646
  Last used Source Port/Identifier:
                                   1645/80
                                   1646/0
  Elapsed time since counters last cleared: 1h31m
  Radius Latency Distribution:
    <= 2ms : 0         0
    3-5ms  : 0         0
    5-10ms : 0         0
    10-20ms: 0         0
    20-50ms: 0         0
    50-100m: 0         0
    >100ms : 2297      0
  Current inQ length : 0
  Current doneQ length: 0
Andrey75 Posted 27 June 2017

Watching the interface on the FreeRADIUS host during authorization:

# tcpdump -n -i bce0 port 1812 or udp port 1813
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bce0, link-type EN10MB (Ethernet), capture size 65535 bytes

Silence.
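When tcpdump on the RADIUS host shows nothing on 1812/1813 it helps to separate "the NAS never sends" from "the server never answers". The script below, an added example and not code from this thread, builds an RFC 2866 Accounting-Request Start with a correct Request Authenticator and verifies the Accounting-Response, so the FreeRADIUS accounting listener on UDP/1813 can be exercised from any host independently of the ISG box. The shared secret, session id, NAS port and addresses are constructed placeholders.

```python
"""Build and check RADIUS accounting packets (RFC 2866) to test an accounting listener.

Added example, not from the thread. Secret, session id, NAS port and addresses
below are constructed placeholders.
"""
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
# Attribute types from RFC 2865 / RFC 2866
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, FRAMED_IP_ADDRESS = 1, 4, 5, 8
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_START = 1


def attr(atype, value):
    """One Type-Length-Value attribute; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def isg_start_attrs(username, nas_ip, nas_port, framed_ip, session_id):
    """Attributes an IPoE Accounting-Request Start carries (constructed values)."""
    return b"".join([
        attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
        attr(USER_NAME, username.encode()),
        attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        attr(NAS_PORT, struct.pack("!I", nas_port)),
        attr(FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip)),
        attr(ACCT_SESSION_ID, session_id.encode()),
    ])


def build_accounting_request(secret, ident, attrs):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    A request built with the wrong shared secret is dropped by the server without
    any Accounting-Response, which from the NAS side looks like a timeout."""
    length = 20 + len(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, length)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def build_accounting_response(secret, request, attrs=b""):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_accounting_response(secret, request, response):
    """Client side: check code, identifier, declared length and the Response Authenticator."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def probe_accounting(server, secret, request, timeout=3.0):
    """Send one request to UDP/1813; True = valid response, False = bad response,
    None = no answer within the timeout. Needs network access; not run by the test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, 1813))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return verify_accounting_response(secret, request, data)


if __name__ == "__main__":
    SECRET = b"constructed-secret"  # placeholder, replace with the client's real secret
    attrs = isg_start_attrs("172.1.0.102", "10.1.0.1", 1781, "172.1.0.102", "00000ABC")
    req = build_accounting_request(SECRET, ident=7, attrs=attrs)
    print(probe_accounting("10.1.0.2", SECRET, req))
```

Run it from the NAS subnet and from the FreeRADIUS host itself: a None from the NAS side but True locally points at the path between them (client list, firewall, routing) rather than at radiusd.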
zhenya` Posted 27 June 2017

ping 10.1.0.2
show arp 10.1.0.2
debug radius authen
Andrey75 Posted 27 June 2017

ping 10.1.0.2

#ping 10.1.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

show arp 10.1.0.2

#show arp 10.1.0.2
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  10.1.0.2                 7  001f.29e0.56fa  ARPA  GigabitEthernet0/3.10

debug radius authen

#debug radius authen
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is off
Radius packet hex dump debugging is off
Radius packet protocol (authentication) debugging is on
Radius packet protocol (accounting) debugging is off
Radius elog debugging debugging is off
Radius packet retransmission debugging is off
Radius server fail-over debugging is off
Radius elog debugging debugging is off
zhenya` Posted 27 June 2017

Well, collect the log) the debug) What is the point of showing the output.. you turned it on, now post what it prints.
snvoronkov Posted 27 June 2017

Clearly missing: term mon
And at the end: term no mon
Andrey75 Posted 27 June 2017

> Well, collect the log) the debug) What is the point of showing the output.. you turned it on, now post what it prints.

Could you be more specific, or give an example?
Andrey75 Posted 27 June 2017

As I understand it, we work through the logs?
snvoronkov Posted 27 June 2017

Banned from Google? "cisco debug"
Andrey75 Posted 27 June 2017 (edited)

I am looking, of course! Debug mode, but it hasn't clicked yet. If we are talking about logs, they go to 10.1.0.2. I need to start the debugging and I don't have them.

show debug condition
% No conditions found

Edited 27 June 2017 by Andrey75
Andrey75 Posted 27 June 2017

So debugging is enabled:

#show debug
General OS:
  AAA Authentication debugging is on
Radius protocol debugging is on
Radius protocol brief debugging is on
Radius protocol verbose debugging is on
Radius packet protocol (accounting) debugging is on
Radius elog debugging debugging is on
Radius packet retransmission debugging is on
Radius server fail-over debugging is on
Radius elog debugging debugging is on

I don't understand how to see what is happening?