
ASR 1002 ISG: accounting is not being sent

config

policy-map type control CTRL_IPOE

class type control always event radius-timeout

10 set-timer TIMER_UNAUTH 10

20 service-policy type service name RADIUS-DEFAULT

!

class type control always event session-start

10 authorize aaa list ISG_IPOE password ISG identifier source-ip-address

20 set-timer TIMER_UNAUTH 10

30 service-policy type service name PASSIVE-SERVICE

40 service-policy type service name SRV-PASSIVE-REDIRECT

50 service-policy type service name DOWN-SERVICE

60 service-policy type service name SRV-DOWN-REDIRECT

 

By the way, you have passive in the config. In that case you can forget about ip:traffic-class altogether :)

 

Well yes, then you can do without the lists if the service is determined right away; that's even simpler


policy-map type service PASSIVE-SERVICE

service local

class type traffic ACL-PASSIVE

 

class-map type traffic match-any ACL-PASSIVE

match access-group input name PASSIVE_IN

match access-group output name PASSIVE_OUT

 

This is already a complete local service without a rate limit.

 

You just need to answer the user

 

Cisco-AVPair += "subscriber:accounting-list=ISG_IPOE"

Cisco-Service-Info += APASSIVE-SERVICE

 

and that's it!!!


policy-map type service PASSIVE-SERVICE

service local

class type traffic ACL-PASSIVE

 

class-map type traffic match-any ACL-PASSIVE

match access-group input name PASSIVE_IN

match access-group output name PASSIVE_OUT

 

This is already a complete local service without a rate limit.

 

You just need to answer the user

 

Cisco-AVPair += "subscriber:accounting-list=ISG_IPOE"

Cisco-Service-Info += APASSIVE-SERVICE

 

and that's it!!!

As I understand it, everything follows the check scenario

Auth-Type = Accept

Cleartext-Password := ISG

Cisco-AVPair += subscriber:accounting-list=ISG_IPOE

Cisco-Service-Info += APASSIVE-SERVICE

 

And are the quotes needed?

Cisco-AVPair += "subscriber:accounting-list=ISG_IPOE"

 

My billing works over ssh2, while the Cisco uses ssh1; maybe they are talking to each other in different languages?

 

 

[pap] WARNING: Auth-Type already set. Not setting to PAP
Edited by Andrey75


The service is not being assigned

rad_recv: Access-Request packet from host 10.1.0.1 port 1645, id=94, length=147

User-Name = "172.1.0.102"

User-Password = "ISG"

Framed-IP-Address = 172.1.0.102

Cisco-Account-Info = "S172.1.0.102"

NAS-Port-Type = Virtual

Cisco-NAS-Port = "0/0/3/250"

NAS-Port = 0

NAS-Port-Id = "0/0/3/250"

Service-Type = Outbound-User

NAS-IP-Address = 10.1.0.1

Acct-Session-Id = "0000000000004783"

# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default

+group authorize {

++[preprocess] = ok

++[chap] = noop

++[mschap] = noop

++[digest] = noop

[eap] No EAP-Message, not doing EAP

++[eap] = noop

   expand: %{User-Name} -> 172.1.0.102

[sql] sql_set_user escaped user --> '172.1.0.102'

rlm_sql (sql): Reserving sql socket id: 4

[sql] expand: SELECT (@cnt := @cnt + 1) AS `id`, `UserName`, `Attribute`, `Value`, `op` FROM `radius_check` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `UserName` = '%{SQL-User-Name}' ORDER BY `id` -> SELECT (@cnt := @cnt + 1) AS `id`, `UserName`, `Attribute`, `Value`, `op` FROM `radius_check` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `UserName` = '172.1.0.102' ORDER BY `id`

[sql] User found in radcheck table

[sql] expand: SELECT (@cnt := @cnt + 1) AS `id`, `UserName`, `Attribute`, `Value`, `op` FROM `radius_reply` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `UserName` = '%{SQL-User-Name}' ORDER BY `id` -> SELECT (@cnt := @cnt + 1) AS `id`, `UserName`, `Attribute`, `Value`, `op` FROM `radius_reply` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `UserName` = '172.1.0.102' ORDER BY `id`

[sql] expand: SELECT `GroupName` FROM `radius_usergroup` WHERE `UserName` = '%{SQL-User-Name}' ORDER BY `priority` -> SELECT `GroupName` FROM `radius_usergroup` WHERE `UserName` = '172.1.0.102' ORDER BY `priority`

[sql] expand: SELECT (@cnt := @cnt + 1) AS `id`, `GroupName`, `Attribute`, `Value`, `op` FROM `radius_groupcheck` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `GroupName` = '%{Sql-Group}' ORDER BY `id` -> SELECT (@cnt := @cnt + 1) AS `id`, `GroupName`, `Attribute`, `Value`, `op` FROM `radius_groupcheck` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `GroupName` = '1:167837697' ORDER BY `id`

[sql] User found in group 1:167837697

[sql] expand: SELECT (@cnt := @cnt + 1) AS `id`, `GroupName`, `Attribute`, `Value`, `op` FROM `radius_groupreply` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `GroupName` = '%{Sql-Group}' ORDER BY `id` -> SELECT (@cnt := @cnt + 1) AS `id`, `GroupName`, `Attribute`, `Value`, `op` FROM `radius_groupreply` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `GroupName` = '1:167837697' ORDER BY `id`

rlm_sql (sql): Released sql socket id: 4

++[sql] = ok

++[expiration] = noop

++[logintime] = noop

[pap] WARNING: Auth-Type already set. Not setting to PAP

++[pap] = noop

+} # group authorize = ok

Found Auth-Type = Accept

Auth-Type = Accept, accepting the user

Login OK: [172.1.0.102] (from client Cisco 7201 Kharino port 0)

# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default

+group post-auth {

++[exec] = noop

+} # group post-auth = noop

Sending Access-Accept of id 94 to 10.1.0.1 port 1645

Finished request 9.

Going to the next request

Waking up in 4.9 seconds.

Cleaning up request 9 ID 94 with timestamp +2390

Ready to process requests.

 

 

Cisco

KharinoIPoE#sh sss ses ui 108

Type: IP, UID: 108, State: authen, Identity: 172.1.0.102

IPv4 Address: 172.1.0.102

Session Up-time: 00:00:44, Last Changed: 00:00:44

Switch-ID: 14375

 

Policy information:

Authentication status: authen

Rules, actions and conditions executed:

subscriber rule-map CTRL_IPOE

condition always event session-start

10 authorize aaa list ISG_IPOE identifier source-ip-address

 

Classifiers:

Class-id Dir Packets Bytes Pri. Definition

0 In 49 2989 0 Match Any

1 Out 44 2603 0 Match Any

 

Configuration Sources:

Type Active Time AAA Service ID Name

USR 00:00:44 - Peruser

INT 00:00:44 - GigabitEthernet0/3.250

 

 

 

If I put = instead of +=

then all the services get assigned

KharinoIPoE#sh sss ses ui 134

Type: IP, UID: 134, State: unauthen, Identity: 172.1.0.102

IPv4 Address: 172.1.0.102

Session Up-time: 00:00:36, Last Changed: 00:00:36

Switch-ID: 22694

 

Policy information:

Authentication status: unauthen

Active services associated with session:

name "SRV-DOWN-REDIRECT", applied before account logon

name "DOWN-SERVICE", applied before account logon

name "SRV-PASSIVE-REDIRECT", applied before account logon

name "PASSIVE-SERVICE", applied before account logon

Rules, actions and conditions executed:

subscriber rule-map CTRL_IPOE

condition always event session-start

10 authorize aaa list ISG_IPOE identifier source-ip-address

20 set-timer TIMER_UNAUTH 10

30 service-policy type service name PASSIVE-SERVICE

40 service-policy type service name SRV-PASSIVE-REDIRECT

50 service-policy type service name DOWN-SERVICE

60 service-policy type service name SRV-DOWN-REDIRECT

 

Classifiers:

Class-id Dir Packets Bytes Pri. Definition

0 In 42 4154 0 Match Any

1 Out 40 3461 0 Match Any

121224 In 0 0 0 Match ACL PASSIVE_IN

121225 Out 0 0 0 Match ACL PASSIVE_OUT

121228 In 0 0 0 Match ACL DOWN_IN

121229 Out 0 0 0 Match ACL DOWN_OUT

 

Configuration Sources:

Type Active Time AAA Service ID Name

SVC 00:00:39 - PASSIVE-SERVICE

SVC 00:00:39 - SRV-PASSIVE-REDIRECT

SVC 00:00:39 - DOWN-SERVICE

SVC 00:00:39 - SRV-DOWN-REDIRECT

USR 00:00:39 - Peruser

INT 00:00:39 - GigabitEthernet0/3.250

Edited by Andrey75


I googled it: my request "Sending Access-Accept of id 102 to 10.1.0.1 port 1645" goes over port 1645, while the settings have 1813


In the second case the default services were taken from the policy. IMHO something is missing from your RADIUS dictionaries ;) I'm ready to solve the problem in exchange for compensation for the time spent.


In the second case the default services were taken from the policy. IMHO something is missing from your RADIUS dictionaries ;) I'm ready to solve the problem in exchange for compensation for the time spent.

By default the Cisco attributes are disabled in FreeRADIUS http://r00ssyp.blogspot.ru/2016/03/freeradius-centos7-cisco-voip.html

 

attributes:

Cisco-Service-Info += "NPASSIVE-SERVICE"

Cisco-Account-Info += "APASSIVE-SERVICE"

Cisco-Account-Info += "NPASSIVE-SERVICE"

Cisco-AVPair += "subscriber:accounting-list=ISG_IPOE"

 

result

KharinoIPoE#sh subsc session uid 316

Type: IP, UID: 316, State: authen, Identity: 172.1.0.102

IPv4 Address: 172.1.0.102

Session Up-time: 00:03:53, Last Changed: 00:03:53

Switch-ID: 8654

 

Policy information:

Authentication status: authen

Active services associated with session:

name "PASSIVE-SERVICE", applied before account logon

Rules, actions and conditions executed:

subscriber rule-map CTRL_IPOE

condition always event session-start

10 authorize aaa list ISG_IPOE identifier source-ip-address

subscriber rule-map default-internal-rule

condition always event service-start

1 service-policy type service identifier service-name

 

Classifiers:

Class-id Dir Packets Bytes Pri. Definition

0 In 462 53902 0 Match Any

1 Out 427 101980 0 Match Any

121500 In 6 407 0 Match ACL PASSIVE_IN

121501 Out 0 0 0 Match ACL PASSIVE_OUT

 

Features:

 

Accounting:

Class-id Dir Packets Bytes Source

0 In 462 53902 Peruser

1 Out 427 101980 Peruser

 

Configuration Sources:

Type Active Time AAA Service ID Name

SVC 00:03:53 - PASSIVE-SERVICE

USR 00:03:53 - Peruser

INT 00:03:53 - GigabitEthernet0/3.250

 

 

zhenya` thank you very much, sorry for the time spent

 

 

What's left is the speed and the redirect; now on to the Cisco

Edited by Andrey75

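An added example, not code from any poster in this thread: a Python check that reads FreeRADIUS debug output and reports, for each Access-Accept, whether it carries the reply attributes that activated a service and accounting in the posts above. The sample log is constructed from values quoted in the thread, and the finding codes are names chosen for this example.

```python
import re

# Constructed sample modelled on the `radiusd -X` lines quoted in the thread
# (ids, addresses and service names reuse the thread's values; the third
# reply is made up to show an A-prefixed value in Cisco-Service-Info).
SAMPLE_DEBUG = """\
Sending Access-Accept of id 94 to 10.1.0.1 port 1645
Finished request 9.
Sending Access-Accept of id 101 to 10.1.0.1 port 1645
Cisco-AVPair += "subscriber:accounting-list=ISG_IPOE"
Cisco-Account-Info += "AOFF-LINE-SERVICE"
Finished request 2.
Sending Access-Accept of id 102 to 10.1.0.1 port 1645
Cisco-Service-Info += "APASSIVE-SERVICE"
Finished request 3.
"""

ACCEPT_RE = re.compile(r"Sending Access-Accept of id (\d+) to (\S+) port (\d+)")
# Reply attributes are printed one per line as: Name op "value"
ATTR_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(\+=|:=|=)\s*"?(.*?)"?$')


def parse_accepts(text):
    """Collect every Access-Accept and the reply attributes printed under it."""
    accepts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # a forum paste puts blank lines between log lines
        hit = ACCEPT_RE.match(line)
        if hit:
            current = {"id": int(hit.group(1)), "nas": hit.group(2), "attrs": []}
            accepts.append(current)
            continue
        attr = ATTR_RE.match(line) if current is not None else None
        if attr:
            current["attrs"].append((attr.group(1), attr.group(3)))
        else:
            current = None  # first non-attribute line closes the reply block
    return accepts


def audit(accept):
    """Compare one reply with the attribute set that worked in the thread."""
    attrs = accept["attrs"]
    # Services requested via an A-prefixed Cisco-Account-Info value.
    services = [v[1:] for n, v in attrs
                if n == "Cisco-Account-Info" and v.startswith("A")]
    findings = []
    if not attrs:
        findings.append("NO_REPLY_ATTRS")       # bare Accept, as for id 94
    elif not services:
        findings.append("NO_AUTO_SERVICE")      # nothing names a service to start
    if any(n == "Cisco-Service-Info" and v.startswith("A") for n, v in attrs):
        # The replies that worked in the thread carried the A value
        # in Cisco-Account-Info instead.
        findings.append("A_PREFIX_IN_SERVICE_INFO")
    if attrs and not any(n == "Cisco-AVPair"
                         and v.startswith("subscriber:accounting-list=")
                         for n, v in attrs):
        findings.append("NO_ACCOUNTING_LIST")   # no accounting method list named
    return {"id": accept["id"], "services": services, "findings": findings}


def audit_log(text):
    """Audit every Access-Accept found in a debug transcript."""
    return [audit(a) for a in parse_accepts(text)]


if __name__ == "__main__":
    for result in audit_log(SAMPLE_DEBUG):
        print(result)
```

A bare Access-Accept corresponds to the session shown earlier that reached State: authen with no service attached.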

Your sessions there are unauth )

 

condition always event session-start

10 authorize aaa list ISG_IPOE identifier source-ip-address

20 set-timer TIMER_UNAUTH 10

30 service-policy type service name PASSIVE-SERVICE

40 service-policy type service name SRV-PASSIVE-REDIRECT

50 service-policy type service name DOWN-SERVICE

60 service-policy type service name SRV-DOWN-REDIRECT

 

It works roughly like this:

10: go to RADIUS with username source-ip. Then, if everything is OK from RADIUS, something like a return happens and nothing that follows is executed.

But when the whole bunch got attached, that was exactly the not-OK case, and items 20 and onward were applied. service-policy type service name assigns a service to the session.

 

 

 

Speed is simple..

policy-map type service PASSIVE-SERVICE

service local

class type traffic ACL-PASSIVE

police input 1000000 187500 375000

police output 1000000 187500 375000


Your sessions there are unauth )

 

condition always event session-start

10 authorize aaa list ISG_IPOE identifier source-ip-address

20 set-timer TIMER_UNAUTH 10

30 service-policy type service name PASSIVE-SERVICE

40 service-policy type service name SRV-PASSIVE-REDIRECT

50 service-policy type service name DOWN-SERVICE

60 service-policy type service name SRV-DOWN-REDIRECT

 

It works roughly like this:

10: go to RADIUS with username source-ip. Then, if everything is OK from RADIUS, something like a return happens and nothing that follows is executed.

But when the whole bunch got attached, that was exactly the not-OK case, and items 20 and onward were applied. service-policy type service name assigns a service to the session.

 

It's roughly starting to sink in, but there is still plenty to learn in this math!

 

 

Speed is simple..

policy-map type service PASSIVE-SERVICE

service local

class type traffic ACL-PASSIVE

police input 1000000 187500 375000

police output 1000000 187500 375000

And can it be done with attributes?


so as to pull the data from billing

Edited by Andrey75


I can't get redirect working

 

session

KharinoIPoE#sh sss ses ui 556

Type: IP, UID: 556, State: authen, Identity: 172.1.0.102

IPv4 Address: 172.1.0.102

Session Up-time: 00:20:20, Last Changed: 00:20:20

Switch-ID: 19633

 

Policy information:

Authentication status: authen

Active services associated with session:

name "OFF-LINE-SERVICE", applied before account logon

Rules, actions and conditions executed:

subscriber rule-map CTRL_IPOE

condition always event session-start

10 authorize aaa list ISG_IPOE identifier source-ip-address

subscriber rule-map default-internal-rule

condition always event service-start

1 service-policy type service identifier service-name

 

Classifiers:

Class-id Dir Packets Bytes Pri. Definition

0 In 2138 145886 0 Match Any

1 Out 0 0 0 Match Any

123392 In 13 584 0 Match ACL 105

123393 Out 0 0 0 Match ACL 105

4294967294 In 2125 145302 - Drop

 

Features:

 

Accounting:

Class-id Dir Packets Bytes Source

0 In 13 584 Peruser

1 Out 0 0 Peruser

 

L4 Redirect:

Class-id Rule cfg Definition Source

123392 #1 SVC to group OFF-LINE_REDIRECT OFF-LINE-SERVICE

 

Configuration Sources:

Type Active Time AAA Service ID Name

SVC 00:20:21 - OFF-LINE-SERVICE

USR 00:20:21 - Peruser

INT 00:20:21 - GigabitEthernet0/3.250

 

 

Cisco

 

redirect server-group OFF-LINE_REDIRECT

server ip 10.1.0.2 port 80

 

 

access-list 105 permit tcp any any eq www

access-list 105 deny ip any any

 

class-map type traffic match-any ACL-DOWN

match access-group input name 105

match access-group output name 105

 

 

policy-map type control CTRL_IPOE

class type control ACC-UNAUTH event timed-policy-expiry

1 service disconnect

!

class type control always event quota-depleted

1 set-param drop-traffic FALSE

!

class type control always event radius-timeout

10 set-timer TIMER_UNAUTH 10

20 service-policy type service name RADIUS-DEFAULT

!

class type control always event session-start

10 authorize aaa list ISG_IPOE password ISG identifier source-ip-address

20 service-policy type service name ON-LINE-SERVICE

30 set-timer TIMER_UNAUTH 10

40 service-policy type service name OFF-LINE-SERVICE

50 service-policy type service name PASSIVE-SERVICE

60 service-policy type service name DOWN-SERVICE

!

 

policy-map type service OFF-LINE-SERVICE

service local

class type traffic ACL-DOWN

redirect to group OFF-LINE_REDIRECT

!

class type traffic default input

drop

!

 

 

The names don't match for now, while I'm looking for the cause. I'll tidy things up afterwards.

 

The services are assigned, the restriction on sites works.

But there is no redirection; I've botched something somewhere.

Edited by Andrey75


Yes, when the name is unknown to the Cisco ) it will make a request to RADIUS with the username set to the service name without the A; that is where you need to reply with the speeds and ACL names.


Yes, when the name is unknown to the Cisco ) it will make a request to RADIUS with the username set to the service name without the A; that is where you need to reply with the speeds and ACL names.

When it makes the request NAME(ip) password ISG, it gets a reply that such a user exists, plus the service data on top.

then with A

 

Freeradius request

rad_recv: Accounting-Request packet from host 10.1.0.1 port 1646, id=71, length=334

Acct-Session-Id = "0000000000005698"

Framed-Protocol = PPP

Cisco-Service-Info = "NOFF-LINE-SERVICE"

Cisco-AVPair = "parent-session-id=0000000000005697"

Acct-Input-Packets = 0

Acct-Output-Packets = 0

Acct-Input-Octets = 0

Acct-Output-Octets = 0

Cisco-Control-Info = "I0;0"

Cisco-Control-Info = "O0;0"

Framed-IP-Address = 172.1.0.102

User-Name = "172.1.0.102"

Acct-Session-Time = 349

Acct-Terminate-Cause = Admin-Reset

Cisco-AVPair = "disc-cause-ext=Local Admin Disc"

Acct-Status-Type = Stop

NAS-Port-Type = Virtual

Cisco-NAS-Port = "0/0/3/250"

NAS-Port = 0

NAS-Port-Id = "0/0/3/250"

Service-Type = Framed-User

NAS-IP-Address = 10.1.0.1

PMIP6-Home-HN-Prefix = 3246:4638:3645::/50

Event-Timestamp = "Jul 2 2017 18:56:56 YEKT"

NAS-Identifier = "KharinoIPoE.KharinoIPoE"

Acct-Delay-Time = 0

# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default

+group preacct {

++[preprocess] = ok

[acct_unique] Hashing 'NAS-Port = 0,NAS-Identifier = "KharinoIPoE.KharinoIPoE",NAS-IP-Address = 10.1.0.1,Acct-Session-Id = "0000000000005698",User-Name = "172.1.0.102"'

[acct_unique] Acct-Unique-Session-ID = "d3ddfab9bb5f8482".

++[acct_unique] = ok

+} # group preacct = ok

# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default

+group accounting {

++[exec] = noop

[attr_filter.accounting_response] expand: %{User-Name} -> 172.1.0.102

attr_filter: Matched entry DEFAULT at line 12

++[attr_filter.accounting_response] = updated

+} # group accounting = updated

Sending Accounting-Response of id 71 to 10.1.0.1 port 1646

Finished request 0.

Cleaning up request 0 ID 71 with timestamp +9

Going to the next request

Ready to process requests.

rad_recv: Accounting-Request packet from host 10.1.0.1 port 1646, id=72, length=305

Acct-Session-Id = "0000000000005697"

Framed-IP-Address = 172.1.0.102

Framed-Protocol = PPP

Acct-Input-Packets = 0

Acct-Output-Packets = 0

Acct-Input-Octets = 0

Acct-Output-Octets = 0

Cisco-Control-Info = "I0;0"

Cisco-Control-Info = "O0;0"

User-Name = "172.1.0.102"

Acct-Authentic = RADIUS

Cisco-AVPair = "connect-progress=Call Up"

Acct-Session-Time = 349

Acct-Terminate-Cause = Admin-Reset

Cisco-AVPair = "disc-cause-ext=Local Admin Disc"

Acct-Status-Type = Stop

NAS-Port-Type = Virtual

Cisco-NAS-Port = "0/0/3/250"

NAS-Port = 0

NAS-Port-Id = "0/0/3/250"

Service-Type = Framed-User

NAS-IP-Address = 10.1.0.1

PMIP6-Home-HN-Prefix = 3246:4638:3645::/50

Event-Timestamp = "Jul 2 2017 18:56:56 YEKT"

NAS-Identifier = "KharinoIPoE.KharinoIPoE"

Acct-Delay-Time = 0

# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default

+group preacct {

++[preprocess] = ok

[acct_unique] Hashing 'NAS-Port = 0,NAS-Identifier = "KharinoIPoE.KharinoIPoE",NAS-IP-Address = 10.1.0.1,Acct-Session-Id = "0000000000005697",User-Name = "172.1.0.102"'

[acct_unique] Acct-Unique-Session-ID = "be1bf86256cd645a".

++[acct_unique] = ok

+} # group preacct = ok

# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default

+group accounting {

++[exec] = noop

[attr_filter.accounting_response] expand: %{User-Name} -> 172.1.0.102

attr_filter: Matched entry DEFAULT at line 12

++[attr_filter.accounting_response] = updated

+} # group accounting = updated

Sending Accounting-Response of id 72 to 10.1.0.1 port 1646

Finished request 1.

Cleaning up request 1 ID 72 with timestamp +9

Going to the next request

Ready to process requests.

rad_recv: Access-Request packet from host 10.1.0.1 port 1645, id=101, length=147

User-Name = "172.1.0.102"

User-Password = "ISG"

Framed-IP-Address = 172.1.0.102

Cisco-Account-Info = "S172.1.0.102"

NAS-Port-Type = Virtual

Cisco-NAS-Port = "0/0/3/250"

NAS-Port = 0

NAS-Port-Id = "0/0/3/250"

Service-Type = Outbound-User

NAS-IP-Address = 10.1.0.1

Acct-Session-Id = "00000000000056B7"

# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default

+group authorize {

++[preprocess] = ok

++[chap] = noop

++[mschap] = noop

++[digest] = noop

[eap] No EAP-Message, not doing EAP

++[eap] = noop

   expand: %{User-Name} -> 172.1.0.102

[sql] sql_set_user escaped user --> '172.1.0.102'

rlm_sql (sql): Reserving sql socket id: 3

[sql] expand: SELECT (@cnt := @cnt + 1) AS `id`, `UserName`, `Attribute`, `Value`, `op` FROM `radius_check` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `UserName` = '%{SQL-User-Name}' ORDER BY `id` -> SELECT (@cnt := @cnt + 1) AS `id`, `UserName`, `Attribute`, `Value`, `op` FROM `radius_check` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `UserName` = '172.1.0.102' ORDER BY `id`

[sql] User found in radcheck table

[sql] expand: SELECT (@cnt := @cnt + 1) AS `id`, `UserName`, `Attribute`, `Value`, `op` FROM `radius_reply` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `UserName` = '%{SQL-User-Name}' ORDER BY `id` -> SELECT (@cnt := @cnt + 1) AS `id`, `UserName`, `Attribute`, `Value`, `op` FROM `radius_reply` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `UserName` = '172.1.0.102' ORDER BY `id`

[sql] expand: SELECT `GroupName` FROM `radius_usergroup` WHERE `UserName` = '%{SQL-User-Name}' ORDER BY `priority` -> SELECT `GroupName` FROM `radius_usergroup` WHERE `UserName` = '172.1.0.102' ORDER BY `priority`

[sql] expand: SELECT (@cnt := @cnt + 1) AS `id`, `GroupName`, `Attribute`, `Value`, `op` FROM `radius_groupcheck` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `GroupName` = '%{Sql-Group}' ORDER BY `id` -> SELECT (@cnt := @cnt + 1) AS `id`, `GroupName`, `Attribute`, `Value`, `op` FROM `radius_groupcheck` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `GroupName` = '1:167837697' ORDER BY `id`

[sql] User found in group 1:167837697

[sql] expand: SELECT (@cnt := @cnt + 1) AS `id`, `GroupName`, `Attribute`, `Value`, `op` FROM `radius_groupreply` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `GroupName` = '%{Sql-Group}' ORDER BY `id` -> SELECT (@cnt := @cnt + 1) AS `id`, `GroupName`, `Attribute`, `Value`, `op` FROM `radius_groupreply` CROSS JOIN (SELECT @cnt := 0) AS `dummy` WHERE `GroupName` = '1:167837697' ORDER BY `id`

rlm_sql (sql): Released sql socket id: 3

++[sql] = ok

++[expiration] = noop

++[logintime] = noop

[pap] WARNING: Auth-Type already set. Not setting to PAP

++[pap] = noop

+} # group authorize = ok

Found Auth-Type = Accept

Auth-Type = Accept, accepting the user

Login OK: [172.1.0.102] (from client Cisco 7201 Kharino port 0)

# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default

+group post-auth {

++[exec] = noop

+} # group post-auth = noop

Sending Access-Accept of id 101 to 10.1.0.1 port 1645

Cisco-AVPair += "subscriber:accounting-list=ISG_IPOE"

Cisco-Account-Info += "AOFF-LINE-SERVICE"

Finished request 2.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Accounting-Request packet from host 10.1.0.1 port 1646, id=73, length=235

Acct-Session-Id = "00000000000056B8"

Framed-Protocol = PPP

Cisco-Service-Info = "NOFF-LINE-SERVICE"

Cisco-AVPair = "parent-session-id=00000000000056B7"

User-Name = "172.1.0.102"

Acct-Status-Type = Start

Framed-IP-Address = 172.1.0.102

NAS-Port-Type = Virtual

Cisco-NAS-Port = "0/0/3/250"

NAS-Port = 0

NAS-Port-Id = "0/0/3/250"

Service-Type = Framed-User

NAS-IP-Address = 10.1.0.1

PMIP6-Home-HN-Prefix = 4239:3137:3237::/52

Event-Timestamp = "Jul 2 2017 18:56:57 YEKT"

NAS-Identifier = "KharinoIPoE.KharinoIPoE"

Acct-Delay-Time = 0

# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default

+group preacct {

++[preprocess] = ok

[acct_unique] Hashing 'NAS-Port = 0,NAS-Identifier = "KharinoIPoE.KharinoIPoE",NAS-IP-Address = 10.1.0.1,Acct-Session-Id = "00000000000056B8",User-Name = "172.1.0.102"'

[acct_unique] Acct-Unique-Session-ID = "d11355dd82633138".

++[acct_unique] = ok

+} # group preacct = ok

# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default

+group accounting {

++[exec] = noop

[attr_filter.accounting_response] expand: %{User-Name} -> 172.1.0.102

attr_filter: Matched entry DEFAULT at line 12

++[attr_filter.accounting_response] = updated

+} # group accounting = updated

Sending Accounting-Response of id 73 to 10.1.0.1 port 1646

Finished request 3.

Cleaning up request 3 ID 73 with timestamp +10

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Accounting-Request packet from host 10.1.0.1 port 1646, id=74, length=206

Acct-Session-Id = "00000000000056B7"

Framed-IP-Address = 172.1.0.102

Framed-Protocol = PPP

User-Name = "172.1.0.102"

Cisco-AVPair = "connect-progress=Call Up"

Acct-Authentic = RADIUS

Acct-Status-Type = Start

NAS-Port-Type = Virtual

Cisco-NAS-Port = "0/0/3/250"

NAS-Port = 0

NAS-Port-Id = "0/0/3/250"

Service-Type = Framed-User

NAS-IP-Address = 10.1.0.1

PMIP6-Home-HN-Prefix = 4239:3137:3237::/52

Event-Timestamp = "Jul 2 2017 18:56:57 YEKT"

NAS-Identifier = "KharinoIPoE.KharinoIPoE"

Acct-Delay-Time = 0

# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default

+group preacct {

++[preprocess] = ok

[acct_unique] Hashing 'NAS-Port = 0,NAS-Identifier = "KharinoIPoE.KharinoIPoE",NAS-IP-Address = 10.1.0.1,Acct-Session-Id = "00000000000056B7",User-Name = "172.1.0.102"'

[acct_unique] Acct-Unique-Session-ID = "b28d788577cab5cc".

++[acct_unique] = ok

+} # group preacct = ok

# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default

+group accounting {

++[exec] = noop

[attr_filter.accounting_response] expand: %{User-Name} -> 172.1.0.102

attr_filter: Matched entry DEFAULT at line 12

++[attr_filter.accounting_response] = updated

+} # group accounting = updated

Sending Accounting-Response of id 74 to 10.1.0.1 port 1646

Finished request 4.

Cleaning up request 4 ID 74 with timestamp +10

Going to the next request

Waking up in 4.9 seconds.

Cleaning up request 2 ID 101 with timestamp +10

Ready to process requests.


The redirect is there on the Cisco, but not on the client's computer

 

KharinoIPoE# sh redir trans

Unlimited number of L4 Redirect allowed per session

 

 

Prot Destination IP/Port Server IP/Port

TCP 37.48.82.67 80 10.1.0.2 82

TCP 213.206.94.83 80 10.1.0.2 82

TCP 37.48.82.67 80 10.1.0.2 82

TCP 80.231.123.131 80 10.1.0.2 82

TCP 80.231.123.131 80 10.1.0.2 82

 

Total Number of Translations: 5

 

Highest number of L4 Redirect: 5 by session with source IP 172.1.0.102

KharinoIPoE# sh redir trans

Unlimited number of L4 Redirect allowed per session

 

No translations currently exist
