
Cisco ISG and aaa authorization subscriber-service: Authorizing locally defined services

Greetings!

 

Colleagues, has anyone managed to get local authorization of services working on ISG?

 

These are the AAA settings:

aaa authentication login DHCP-BRAS group ISG-RADIUS
aaa authorization network DHCP-BRAS group ISG-RADIUS 
aaa authorization subscriber-service default local 

 

There is a service:

policy-map type service pms-1M
class type traffic cmt-Any-Traffic
 police input 1000000 187500 375000
 police output 1000000 187500 375000

 

There is a policy for users:

policy-map type control DHCP-Subscriber
class type control always event session-start
 10 authorize aaa list DHCP-BRAS identifier remote-id plus circuit-id plus mac-address separator #
!
class type control always event session-restart
 10 authorize aaa list DHCP-BRAS identifier remote-id plus circuit-id plus mac-address separator #

 

The user is authorized via RADIUS, and the reply carries Cisco-Account-Info with the service name:

*Feb  3 20:22:59.221: RADIUS(00000851): sending
*Feb  3 20:22:59.221: RADIUS(00000851): Send Access-Request to 178.214.192.2:1812 id 1645/169, len 128
*Feb  3 20:22:59.221: RADIUS:  authenticator 39 0D 3D 5A 15 2A 91 6A - 14 EB 63 D3 DF D5 AC 2F
*Feb  3 20:22:59.221: RADIUS:  User-Name           [1]   46  "000600226b2a8d52#000400210117#0007.e90a.75b2"
*Feb  3 20:22:59.221: RADIUS:  User-Password       [2]   18  *
*Feb  3 20:22:59.221: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Feb  3 20:22:59.221: RADIUS:  NAS-Port            [5]   6   0                         
*Feb  3 20:22:59.221: RADIUS:  NAS-Port-Id         [87]  10  "0/0/2/33"
*Feb  3 20:22:59.221: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*Feb  3 20:22:59.221: RADIUS:  NAS-IP-Address      [4]   6   178.214.192.68            
*Feb  3 20:22:59.221: RADIUS:  Acct-Session-Id     [44]  10  "00000847"
*Feb  3 20:22:59.225: RADIUS: Received from id 1645/169 178.214.192.2:1812, Access-Accept, len 76
*Feb  3 20:22:59.225: RADIUS:  authenticator 03 D7 FC 8B 0E 1C D9 64 - 9D 9B C5 88 5F 2D A0 92
*Feb  3 20:22:59.225: RADIUS:  Vendor, Cisco       [26]  41  
*Feb  3 20:22:59.225: RADIUS:   Cisco AVpair       [1]   35  "subscriber:keepalive=protocol ARP"
*Feb  3 20:22:59.225: RADIUS:  Vendor, Cisco       [26]  15  
*Feb  3 20:22:59.225: RADIUS:   ssg-account-info   [250] 9   "Apms-1M"
*Feb  3 20:22:59.229: RADIUS(00000851): Received from id 1645/169

 

And then the Cisco claims that it cannot find the service authorization info:

*Feb  3 20:25:01.750: SSS AAA AUTHOR [uid:414]: Received an AAA pass
*Feb  3 20:25:01.750: SSS AAA AUTHOR [uid:414]: Parsed AAA interim interval = 0
*Feb  3 20:25:01.750: SSS AAA AUTHOR [uid:414]: SIP Root parser not installed
*Feb  3 20:25:01.750: SSS AAA AUTHOR [uid:414]: SIP IP[25F6E90] parsed as Ignore
*Feb  3 20:25:01.750: SSS AAA AUTHOR [uid:414]: Event <service not found>, state changed from authorizing to complete
*Feb  3 20:25:01.750: SSS AAA AUTHOR [uid:414]: No service authorization info found
*Feb  3 20:25:01.750: SSS AAA AUTHOR [uid:414]: Active Handle present
*Feb  3 20:25:01.750: SSS AAA AUTHOR [uid:414]: Freeing Active Handle; SSS Policy Context Handle = 12BB3658
*Feb  3 20:25:01.750: SSS PM [uid:414][12BB34B8]: AAA author needed for downloading service
*Feb  3 20:25:01.750: SSS PM [uid:414][12BB34B8]: AAA author needed for downloading service

 

Question: what needs to be added to the config so that local service authorization works?

Thanks.


Is there a line like this in the config?

aaa authorization subscriber-service default local group ISG-RADIUS


Is there a line like this in the config?

aaa authorization subscriber-service default local group ISG-RADIUS

The config has

aaa authorization subscriber-service default local

because RADIUS is not planned to be used for service authorization.


Sorry, I didn't notice it in the config.

It's just that the cause usually lies in exactly this line...


Found the problem.

In the ISG session-restart event, the remote-id and circuit-id identifiers are not available. If you remove them and leave, e.g., only the MAC address, everything works.

By preliminary diagnosis, this event occurs right after session-start because Windows uses too short an interval between DHCP Discovers, and the first Discover does not get processed in the session-start rule on the ISG in time; the second Discover then arrives when the session is already in the authen state and triggers session-restart... Why that is, I haven't fully figured out yet.

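A triage sketch for the failure discussed in the posts above, added here as an example and not taken from any poster's tooling. It cross-checks an IOS config against debug output: whether the subscriber-service method list includes `local`, whether the service name RADIUS returned exists as a local `policy-map type service`, and whether a session-restart rule authorizes on identifiers the thread found unavailable in that event. The sample config and debug lines are constructed from the excerpts in the thread; the function names, the exact-match name comparison and the `RESTART_UNAVAILABLE` set are assumptions of this example.

```python
import re

# Identifiers the thread reports as unavailable during session-restart.
# This encodes the poster's finding; it is not a documented IOS rule.
RESTART_UNAVAILABLE = {"remote-id", "circuit-id"}

# Constructed sample, modelled on the configuration quoted in the thread.
SAMPLE_CONFIG = """\
aaa authorization subscriber-service default local
policy-map type service pms-1M
 class type traffic cmt-Any-Traffic
  police input 1000000 187500 375000
policy-map type control DHCP-Subscriber
 class type control always event session-start
  10 authorize aaa list DHCP-BRAS identifier remote-id plus circuit-id plus mac-address separator #
 !
 class type control always event session-restart
  10 authorize aaa list DHCP-BRAS identifier remote-id plus circuit-id plus mac-address separator #
"""

# Constructed sample, modelled on the debug output quoted in the thread.
SAMPLE_DEBUG = """\
*Feb  3 20:22:59.225: RADIUS:   ssg-account-info   [250] 9   "Apms-1M"
*Feb  3 20:25:01.750: SSS AAA AUTHOR [uid:414]: Event <service not found>, state changed from authorizing to complete
*Feb  3 20:25:01.750: SSS AAA AUTHOR [uid:414]: No service authorization info found
"""

# Account-Info values starting with "A" name a service to activate automatically.
ACCOUNT_INFO = re.compile(r'ssg-account-info\s+\[250\]\s+\d+\s+"A([^"]+)"')
NOT_FOUND = re.compile(
    r"SSS AAA AUTHOR \[uid:(\d+)\]: No service authorization info found")


def parse_config(text):
    """Extract method lists, local service names and authorize actions.

    Keys off keywords rather than indentation, because pasted configs
    often lose their leading spaces.
    """
    cfg = {"methods": {}, "services": set(), "authorize": []}
    policy = event = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa authorization subscriber-service (\S+) (.+)", line):
            cfg["methods"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"policy-map type service (\S+)", line):
            cfg["services"].add(m.group(1))
            policy = event = None
        elif m := re.match(r"policy-map type control (\S+)", line):
            policy, event = m.group(1), None
        elif m := re.match(r"class type control \S+ event (\S+)", line):
            event = m.group(1)
        elif policy and event and (
                m := re.match(r"\d+ authorize .*\bidentifier (.+)", line)):
            ids = []
            for tok in m.group(1).split():
                if tok == "separator":
                    break
                if tok != "plus":
                    ids.append(tok)
            cfg["authorize"].append((policy, event, ids))
    return cfg


def auto_services(debug_text):
    """Service names carried in ssg-account-info "A<name>" attributes."""
    return set(ACCOUNT_INFO.findall(debug_text))


def failed_uids(debug_text):
    """Session uids for which service authorization info was not found."""
    return set(NOT_FOUND.findall(debug_text))


def audit(config_text, debug_text):
    """Return a list of human-readable findings, empty if nothing is flagged."""
    cfg = parse_config(config_text)
    findings = []
    if "local" not in cfg["methods"].get("default", []):
        findings.append(
            "subscriber-service default method list does not include 'local'")
    # Exact, case-sensitive name comparison (an assumption of this example).
    for name in sorted(auto_services(debug_text)):
        if name not in cfg["services"]:
            findings.append(
                f"service '{name}' from RADIUS has no local policy-map type service")
    for policy, event, ids in cfg["authorize"]:
        missing = RESTART_UNAVAILABLE & set(ids)
        if event == "session-restart" and missing:
            findings.append(
                f"{policy}: session-restart authorizes on "
                f"{', '.join(sorted(missing))}, reported unavailable in that event")
    for uid in sorted(failed_uids(debug_text)):
        findings.append(f"uid {uid}: no service authorization info found")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_DEBUG):
        print(finding)
```
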

I'm trying to attach local services for ip subscriber routed. RADIUS returns only the service name ISG-1M; the service itself is defined locally.

 

Config:

 

aaa new-model
aaa session-mib disconnect
!
!
aaa group server radius billing
server-private 172.16.1.5 auth-port 34009 acct-port 34008 key 7 blabla
!
aaa authentication login default local
aaa authentication login ISG-AUTH-1 group billing
aaa authentication ppp default group billing
aaa authorization exec default local if-authenticated 
aaa authorization network default group billing 
aaa authorization network ISG-AUTH-1 group billing 
aaa authorization subscriber-service default local group billing 
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network default
action-type start-stop
group billing2
!         
aaa accounting network ISG-AUTH-1
action-type start-stop
group billing
!         
!         
aaa nas port extended
!         
!         
!         
!         
aaa session-id common

subscriber authorization enable

class-map type traffic match-any ALLTRAFF
match access-group input 110
match access-group output 111
!
class-map type control match-all ISG-IP-UNAUTH
match timer UNAUTH-TIMER 
match authen-status unauthenticated 
!
policy-map type service SERVICE_L4R
class type traffic CLASS-TO-REDIRECT
 redirect to ip 44.44.44.44 port 80
!
!
policy-map type service ISG-1M
class type traffic ALLTRAFF
 police input 1000000 187500 375000
 police output 1000000 187500 375000
!        
!    
policy-map type control ISG-CUSTOMERS-POLICY
class type control ISG-IP-UNAUTH event timed-policy-expiry
 1 service disconnect
!        
class type control always event quota-depleted
 1 set-param drop-traffic FALSE
!        
class type control always event credit-exhausted
 1 service-policy type service name SERVICE_L4R
!        
class type control always event session-start
 10 authorize aaa list ISG-AUTH-1 password zzz identifier source-ip-address
 30 set-timer UNAUTH-TIMER 1
 40 service-policy type service name SERVICE_L4R
!        

 

Debug:

 

May  3 15:01:08 172.31.2.3 128952: May  3 04:01:08.424: SG-DPM: Request to DPM for session restart
May  3 15:01:08 172.31.2.3 128953: May  3 04:01:08.424: SG-DPM: sg_dpm_session_query: ip subscriber routed
May  3 15:01:08 172.31.2.3 128954: May  3 04:01:08.424: SG-DPM: DHCP Binding does not exist to restart session for ip 172.21.2.5
May  3 15:01:08 172.31.2.3 128955: May  3 04:01:08.424: AAA/BIND(00001F53): Bind i/f  
May  3 15:01:08 172.31.2.3 128956: May  3 04:01:08.424: AAA/BIND(00001F53): Bind i/f GigabitEthernet0/1.232 
May  3 15:01:08 172.31.2.3 128957: May  3 04:01:08.424: SSS INFO: Element type is AccIe-Hdl = 1509953241 (5A000ED9)
May  3 15:01:08 172.31.2.3 128958: May  3 04:01:08.424: SSS INFO: Element type is AAA-Id = 8019 (00001F53)
May  3 15:01:08 172.31.2.3 128959: May  3 04:01:08.424: SSS INFO: Element type is SHDB-Handle = 0 (00000000)
May  3 15:01:08 172.31.2.3 128960: May  3 04:01:08.424: SSS INFO: Element type is IP-Address = 172.21.2.5 (AC150205)
May  3 15:01:08 172.31.2.3 128961: May  3 04:01:08.424: SSS INFO: Element type is IP-Address-VRF = IP 172.21.2.5:0
May  3 15:01:08 172.31.2.3 128962: May  3 04:01:08.424: SSS INFO: Element type is source-ip-address = 209EF5C8 
May  3 15:01:08 172.31.2.3 128963: May  3 04:01:08.424: SSS INFO: Element type is Final = 1 (YES)
May  3 15:01:08 172.31.2.3 128964: May  3 04:01:08.424: SSS INFO: Element type is Access-Type = 15 (IP)
May  3 15:01:08 172.31.2.3 128965: May  3 04:01:08.424: SSS INFO: Element type is Protocol-Type = 4 (IP Access Protocol)
May  3 15:01:08 172.31.2.3 128966: May  3 04:01:08.424: SSS INFO: Element type is Media-Type = 2 (IP)
May  3 15:01:08 172.31.2.3 128967: May  3 04:01:08.424: SSS INFO: Element type is Switch-Id = 7898 (00001EDA)
May  3 15:01:08 172.31.2.3 128968: May  3 04:01:08.424: SSS INFO: Element type is Segment-Hdl = 7604 (00001DB4)
May  3 15:01:08 172.31.2.3 128969: May  3 04:01:08.424: SSS MGR [uid:960]: Sending a Session Assert ID Mgr request
May  3 15:01:08 172.31.2.3 128970: May  3 04:01:08.424: SSS MGR [uid:960]: Updating ID Mgr with the following keys:
May  3 15:01:08 172.31.2.3 128971:   aaa-unique-id        8019 (0x1F53)
May  3 15:01:08 172.31.2.3 128972:   domainip-vrf         AC 15 02 05 00 00 
May  3 15:01:08 172.31.2.3 128973: May  3 04:01:08.424: SSS MGR [uid:960]: Updating ID Mgr with the following data:
May  3 15:01:08 172.31.2.3 128974:   addr                 172.21.2.5
May  3 15:01:08 172.31.2.3 128975: May  3 04:01:08.424: SSS MGR [uid:960]: ID Mgr returned status: 'success' for Session Assert
May  3 15:01:08 172.31.2.3 128976: May  3 04:01:08.424: SSS MGR [uid:960]: Handling Policy Service Authorize action (1 pending sessions)
May  3 15:01:08 172.31.2.3 128977: May  3 04:01:08.424: SSS PM [20C1C2D0]: Create context 20C1C2D0
May  3 15:01:08 172.31.2.3 128978: May  3 04:01:08.424: SSS PM [uid:960][20C1C2D0]: Authen status update; is now "unauthen"
May  3 15:01:08 172.31.2.3 128979: May  3 04:01:08.424: SSS PM [uid:960][20C1C2D0]: IDMGR: assert authen status "unauthen"
May  3 15:01:08 172.31.2.3 128980: May  3 04:01:08.424: SSS PM [uid:960][20C1C2D0]: IDMGR:  send event Session Update
May  3 15:01:08 172.31.2.3 128981: May  3 04:01:08.424: SSS PM [uid:960][20C1C2D0]: Updated NAS port for AAA ID 8019
May  3 15:01:08 172.31.2.3 128982: May  3 04:01:08.424: SSS PM [uid:960][20C1C2D0]: IDMGR:  send event Session Update
May  3 15:01:08 172.31.2.3 128983: May  3 04:01:08.424: SSS PM [uid:960][20C1C2D0]: Updated key list:
May  3 15:01:08 172.31.2.3 128984: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]:   SHDB-Handle = 0 (00000000)
May  3 15:01:08 172.31.2.3 128985: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]:   IP-Address = 172.21.2.5 (AC150205)
May  3 15:01:08 172.31.2.3 128986: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]:   IP-Address-VRF = IP 172.21.2.5:0
May  3 15:01:08 172.31.2.3 128987: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]:   source-ip-address = 209EF5C8 
May  3 15:01:08 172.31.2.3 128988: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]:   Final = 1 (YES)
May  3 15:01:08 172.31.2.3 128989: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]:   Access-Type = 15 (IP)
May  3 15:01:08 172.31.2.3 128990: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]:   Protocol-Type = 4 (IP Access Protocol)
May  3 15:01:08 172.31.2.3 128991: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]:   Media-Type = 2 (IP)
May  3 15:01:08 172.31.2.3 128992: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]:   Authen-Status = 1 (Unauthenticated)
May  3 15:01:08 172.31.2.3 128993: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]:   Nasport = PPPoEoVLAN: slot 0 adapter 0 port 1 sub-interface 232 IP 172.31.2.3 VPI 0 VCI 0 VLAN 232 
May  3 15:01:08 172.31.2.3 128994: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Updated key list:
May  3 15:01:08 172.31.2.3 128995: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]:   SHDB-Handle = 0 (00000000)
May  3 15:01:08 172.31.2.3 128996: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]:   IP-Address = 172.21.2.5 (AC150205)
May  3 15:01:08 172.31.2.3 128997: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]:   IP-Address-VRF = IP 172.21.2.5:0
May  3 15:01:08 172.31.2.3 128998: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]:   source-ip-address = 209EF5C8 
May  3 15:01:08 172.31.2.3 128999: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]:   Final = 1 (YES)
May  3 15:01:08 172.31.2.3 129000: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]:   Access-Type = 15 (IP)
May  3 15:01:08 172.31.2.3 129001: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]:   Protocol-Type = 4 (IP Access Protocol)
May  3 15:01:08 172.31.2.3 129002: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]:   Media-Type = 2 (IP)
May  3 15:01:08 172.31.2.3 129003: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]:   Authen-Status = 1 (Unauthenticated)
May  3 15:01:08 172.31.2.3 129004: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]:   Nasport = PPPoEoVLAN: slot 0 adapter 0 port 1 sub-interface 232 IP 172.31.2.3 VPI 0 VCI 0 VLAN 232 
May  3 15:01:08 172.31.2.3 129005: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]:   Session-Handle = 1442844386 (56000EE2)
May  3 15:01:08 172.31.2.3 129006: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: SM Policy invoke - Service Selection Request
May  3 15:01:08 172.31.2.3 129007: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Access type IP
May  3 15:01:08 172.31.2.3 129008: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Access type IP: final key
May  3 15:01:08 172.31.2.3 129009: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE: Looking for a rule for event session-start
May  3 15:01:08 172.31.2.3 129010: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE:  Intf CloneSrc Gi0/1.232: service-rule any: ISG-CUSTOMERS-POLICY
May  3 15:01:08 172.31.2.3 129011: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE:   Evaluate "ISG-CUSTOMERS-POLICY" for session-start
May  3 15:01:08 172.31.2.3 129012: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/ISG-IP-UNAUTH event timed-policy-expiry"
May  3 15:01:08 172.31.2.3 129013: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event quota-depleted"
May  3 15:01:08 172.31.2.3 129014: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event credit-exhausted"
May  3 15:01:08 172.31.2.3 129015: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event internal-event-cre-t-exp"
May  3 15:01:08 172.31.2.3 129016: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE:    Matched "ISG-CUSTOMERS-POLICY/always event session-start"
May  3 15:01:08 172.31.2.3 129017: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE:    Matched "ISG-CUSTOMERS-POLICY/always event session-start/10 authorize aaa list ISG-AUTH-1 identifier source-ip-address"
May  3 15:01:08 172.31.2.3 129018: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE[0]: Start
May  3 15:01:08 172.31.2.3 129019: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE[0]: ISG-CUSTOMERS-POLICY/always event session-start/10 authorize aaa list ISG-AUTH-1 identifier source-ip-address
May  3 15:01:08 172.31.2.3 129020: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE[0]: Using author method AAA service
May  3 15:01:08 172.31.2.3 129021: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE[0]: Have key source-ip-address
May  3 15:01:08 172.31.2.3 129022: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: State: initial-req to check-auth-needed
May  3 15:01:08 172.31.2.3 129023: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE[0]: Using key source-ip-address
May  3 15:01:08 172.31.2.3 129024: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE[1]: Start
May  3 15:01:08 172.31.2.3 129025: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE[1]: ISG-CUSTOMERS-POLICY/always event session-start/10 authorize aaa list ISG-AUTH-1 identifier source-ip-address
May  3 15:01:08 172.31.2.3 129026: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Event <send auth>, State: check-auth-needed to authorizing
May  3 15:01:08 172.31.2.3 129027: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Handling AAA service Authorization
May  3 15:01:08 172.31.2.3 129028: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Sending AAA request for '172.21.2.5'
May  3 15:01:08 172.31.2.3 129029: May  3 04:01:08.428: SSS PM: Allocating per-user profile info
May  3 15:01:08 172.31.2.3 129030: May  3 04:01:08.428: SSS PM: Add per-user profile info to policy context
May  3 15:01:08 172.31.2.3 129031: May  3 04:01:08.428: SSS AAA AUTHOR [uid:960]: using named author method list "ISG-AUTH-1"
May  3 15:01:08 172.31.2.3 129032: May  3 04:01:08.428: SSS AAA AUTHOR [uid:960]: using set aaa password "zzz"
May  3 15:01:08 172.31.2.3 129033: May  3 04:01:08.428: SSS AAA AUTHOR [uid:960]: Root SIP IP
May  3 15:01:08 172.31.2.3 129034: May  3 04:01:08.428: SSS AAA AUTHOR [uid:960]:  Enable IP parsing
May  3 15:01:08 172.31.2.3 129035: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: ACTIVE HANDLE[0]: Active context created
May  3 15:01:08 172.31.2.3 129036: May  3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: ACTIVE HANDLE[0]: Snapshot captured in Active context
May  3 15:01:08 172.31.2.3 129037: May  3 04:01:08.428: SSS AAA AUTHOR [uid:960]: Event <make request>, state changed from idle to authorizing
May  3 15:01:08 172.31.2.3 129038: May  3 04:01:08.428: SSS AAA AUTHOR [uid:960]: Active key set to source-ip-address
May  3 15:01:08 172.31.2.3 129039: May  3 04:01:08.428: SSS AAA AUTHOR [uid:960]: Authorizing key 172.21.2.5
May  3 15:01:08 172.31.2.3 129040: May  3 04:01:08.428: AAA/AUTHOR (0x1F53): Pick method list 'ISG-AUTH-1'
May  3 15:01:08 172.31.2.3 129041: May  3 04:01:08.428: SSS AAA AUTHOR [uid:960]: AAA request sent for key 172.21.2.5
May  3 15:01:08 172.31.2.3 129042: May  3 04:01:08.428: RADIUS/ENCODE(00001F53):Orig. component type = Iedge IP SIP
May  3 15:01:08 172.31.2.3 129043: May  3 04:01:08.428: RADIUS/ENCODE(00001F53): Unsupported AAA attribute clid-mac-addr
May  3 15:01:08 172.31.2.3 129044: May  3 04:01:08.428: RADIUS(00001F53): Config NAS IP: 172.31.2.3
May  3 15:01:08 172.31.2.3 129045: May  3 04:01:08.428: RADIUS/ENCODE(00001F53): acct_session_id: 8013
May  3 15:01:08 172.31.2.3 129046: May  3 04:01:08.428: RADIUS(00001F53): Config NAS IP: 172.31.2.3
May  3 15:01:08 172.31.2.3 129047: May  3 04:01:08.428: RADIUS(00001F53): sending
May  3 15:01:08 172.31.2.3 129048: May  3 04:01:08.428: RADIUS(00001F53): Send Access-Request to 172.16.1.5:34009 id 1645/62, len 177
May  3 15:01:08 172.31.2.3 129049: May  3 04:01:08.428: RADIUS:  authenticator 27 AE A5 1B BE 46 9A 5A - F5 48 72 DD 3B BB 0D 95
May  3 15:01:08 172.31.2.3 129050: May  3 04:01:08.428: RADIUS:  User-Name           [1]   12  "172.21.2.5"
May  3 15:01:08 172.31.2.3 129051: May  3 04:01:08.428: RADIUS:  User-Password       [2]   18  *
May  3 15:01:08 172.31.2.3 129052: May  3 04:01:08.428: RADIUS:  Framed-IP-Address   [8]   6   172.21.2.5                
May  3 15:01:08 172.31.2.3 129053: May  3 04:01:08.428: RADIUS:  Vendor, Cisco       [26]  19  
May  3 15:01:08 172.31.2.3 129054: May  3 04:01:08.428: RADIUS:   ssg-account-info   [250] 13  "S172.21.2.5"
May  3 15:01:08 172.31.2.3 129055: May  3 04:01:08.428: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
May  3 15:01:08 172.31.2.3 129056: May  3 04:01:08.428: RADIUS:  Vendor, Cisco       [26]  17  
May  3 15:01:08 172.31.2.3 129057: May  3 04:01:08.428: RADIUS:   cisco-nas-port     [2]   11  "0/0/1/232"
May  3 15:01:08 172.31.2.3 129058: May  3 04:01:08.428: RADIUS:  NAS-Port            [5]   6   0                         
May  3 15:01:08 172.31.2.3 129059: May  3 04:01:08.428: RADIUS:  NAS-Port-Id         [87]  11  "0/0/1/232"
May  3 15:01:08 172.31.2.3 129060: May  3 04:01:08.428: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
May  3 15:01:08 172.31.2.3 129061: May  3 04:01:08.428: RADIUS:  NAS-IP-Address      [4]   6   172.31.2.3                
May  3 15:01:08 172.31.2.3 129062: May  3 04:01:08.428: RADIUS:  Acct-Session-Id     [44]  18  "B066A00A00001F4D"
May  3 15:01:08 172.31.2.3 129063: May  3 04:01:08.428: RADIUS:  Nas-Identifier      [32]  26  "c7301.test.ru"
May  3 15:01:08 172.31.2.3 129064: May  3 04:01:08.428: RADIUS:  Event-Timestamp     [55]  6   1336017668                
May  3 15:01:08 172.31.2.3 129065: May  3 04:01:08.432: RADIUS(00001F53): Started 5 sec timeout
May  3 15:01:08 172.31.2.3 129066: May  3 04:01:08.440: RADIUS: Received from id 1645/62 172.16.1.5:34009, Access-Accept, len 77
May  3 15:01:08 172.31.2.3 129067: May  3 04:01:08.440: RADIUS:  authenticator 38 F1 2B F7 97 91 0D AB - BD A2 07 98 F3 17 AF 87
May  3 15:01:08 172.31.2.3 129068: May  3 04:01:08.440: RADIUS:  Session-Timeout     [27]  6   0                         
May  3 15:01:08 172.31.2.3 129069: May  3 04:01:08.440: RADIUS:  Service-Type        [6]   6   Framed                    [2]
May  3 15:01:08 172.31.2.3 129070: May  3 04:01:08.440: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
May  3 15:01:08 172.31.2.3 129071: May  3 04:01:08.440: RADIUS:  Framed-IP-Address   [8]   6   88.88.88.2             
May  3 15:01:08 172.31.2.3 129072: May  3 04:01:08.440: RADIUS:  Framed-IP-Netmask   [9]   6   255.255.255.255           
May  3 15:01:08 172.31.2.3 129073: May  3 04:01:08.440: RADIUS:  Class               [25]  6   
May  3 15:01:08 172.31.2.3 129074: May  3 04:01:08.440: RADIUS:   33 39 39 32              [ 3992]
May  3 15:01:08 172.31.2.3 129075: May  3 04:01:08.440: RADIUS:  Acct-Interim-Interva[85]  6   60                        
May  3 15:01:08 172.31.2.3 129076: May  3 04:01:08.440: RADIUS:  Vendor, Cisco       [26]  15  
May  3 15:01:08 172.31.2.3 129077: May  3 04:01:08.440: RADIUS:   ssg-account-info   [250] 9   "AISG-1M"
May  3 15:01:08 172.31.2.3 129078: May  3 04:01:08.440: RADIUS(00001F53): Received from id 1645/62
May  3 15:01:08 172.31.2.3 129079: May  3 04:01:08.440: SSS AAA AUTHOR [uid:960]: Received an AAA pass
May  3 15:01:08 172.31.2.3 129080: May  3 04:01:08.440: SSS AAA AUTHOR [uid:960]: Parsed AAA interim interval = 60
May  3 15:01:08 172.31.2.3 129081: May  3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: Service Name = ISG-1M Ok
May  3 15:01:08 172.31.2.3 129082: May  3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: RULE: VRF Parsing routine:
May  3 15:01:08 172.31.2.3 129083:   timeout              0 (0x0)
May  3 15:01:08 172.31.2.3 129084:   service-type         2 [Framed]
May  3 15:01:08 172.31.2.3 129085:   Framed-Protocol      1 [PPP]
May  3 15:01:08 172.31.2.3 129086:   addr                 88.88.88.2
May  3 15:01:08 172.31.2.3 129087:   netmask              255.255.255.255
May  3 15:01:08 172.31.2.3 129088:   ssg-account-info     "AISG-1M"

 

It looks like everything went through successfully: the service was passed, the Cisco recognized it, and RADIUS also returned a real address, but that is not needed yet. Here is what we see next:

 

May  3 15:01:08 172.31.2.3 129089: May  3 04:01:08.440: SSS PM: VPDN is not enabled
May  3 15:01:08 172.31.2.3 129090: May  3 04:01:08.440: SSS AAA AUTHOR [uid:960]: SIP Root parser not installed
May  3 15:01:08 172.31.2.3 129091: May  3 04:01:08.440: SSS AAA AUTHOR [uid:960]: SIP IP[6291D32C] parsed as Success
May  3 15:01:08 172.31.2.3 129092: May  3 04:01:08.440: SSS AAA AUTHOR [uid:960]: Event <service not found>, state changed from authorizing to complete
May  3 15:01:08 172.31.2.3 129093: May  3 04:01:08.440: SSS AAA AUTHOR [uid:960]: No service authorization info found
May  3 15:01:08 172.31.2.3 129094: May  3 04:01:08.440: SSS AAA AUTHOR [uid:960]: Active Handle present
May  3 15:01:08 172.31.2.3 129095: May  3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: ACTIVE HANDLE[0]: Snapshot reverted from Active context to policy context
May  3 15:01:08 172.31.2.3 129096: May  3 04:01:08.440: SSS AAA AUTHOR [uid:960]: Freeing Active Handle; SSS Policy Context Handle = 20C1C2D0
May  3 15:01:08 172.31.2.3 129097: May  3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: ACTIVE HANDLE[]: Released active handle
May  3 15:01:08 172.31.2.3 129098: May  3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: PROFILE: store profile "172.21.2.5"
May  3 15:01:08 172.31.2.3 129099: May  3 04:01:08.440: SSS PM: PROFILE-DB: is profile "172.21.2.5" in DB
May  3 15:01:08 172.31.2.3 129100: May  3 04:01:08.440: SSS PM: PROFILE-DB:  Computed hash value = 2201335683
May  3 15:01:08 172.31.2.3 129101: May  3 04:01:08.440: SSS PM: PROFILE-DB:  No, add new list
May  3 15:01:08 172.31.2.3 129102: May  3 04:01:08.440: SSS PM: PROFILE-DB:   create "172.21.2.5"
May  3 15:01:08 172.31.2.3 129103: May  3 04:01:08.440: SSS PM: PROFILE-DB:    create "172.21.2.5"/20C5FF20 hdl A20006B6 ref 1
May  3 15:01:08 172.31.2.3 129104: May  3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: PROFILE:  create 20C62660, ref 1
May  3 15:01:08 172.31.2.3 129105: May  3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: Handling Author Not Found Event
May  3 15:01:08 172.31.2.3 129106: May  3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: SIP info: 50B5C4BC access: IP info: IP apply
May  3 15:01:08 172.31.2.3 129107: May  3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: Feature info: 641F0064 Type: IP Config
May  3 15:01:08 172.31.2.3 129108: May  3 04:01:08.440: SSS PM [uid:960][20C1C2D0]:             : Config level: Per-user
May  3 15:01:08 172.31.2.3 129109: May  3 04:01:08.440: SSS PM [uid:960][20C1C2D0]:             : IDB type: Sub-if or not required
May  3 15:01:08 172.31.2.3 129110: May  3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: Feature info: 650E7880 Type: Abs Timeout
:
May  3 15:01:08 172.31.2.3 129111: May  3 04:01:08.440: SSS PM [uid:960][20C1C2D0]:             : Config level: Per-user
May  3 15:01:08 172.31.2.3 129112: May  3 04:01:08.440: SSS PM [uid:960][20C1C2D0]:             : IDB type: Sub-if or not required
May  3 15:01:08 172.31.2.3 129113: May  3 04:01:08.440: SSS PM [uid:960][20C1C2D0]:             : 8 bytes:
May  3 15:01:08 172.31.2.3 129114: SSS PM [uid:960][20C1C2D0]:             : Data: 000000 00 00 00 00 00 00 00 00  ........
May  3 15:01:08 172.31.2.3 129115: May  3 04:01:08.440: SSS PM [20C1C620]: Create context 20C1C620
May  3 15:01:08 172.31.2.3 129116: May  3 04:01:08.440: SSS PM [20C1C620]: key lists to append are empty
May  3 15:01:08 172.31.2.3 129117: May  3 04:01:08.440: SSS PM [20C1C620]: Authen status update; is now "unauthen"
May  3 15:01:08 172.31.2.3 129118: May  3 04:01:08.440: SSS PM [20C1C620]: IDMGR: assert authen status "unauthen"
May  3 15:01:08 172.31.2.3 129119: May  3 04:01:08.440: SSS PM [20C1C620]: SERVICE [iSG-1M]: Parent 20C1C2D0
May  3 15:01:08 172.31.2.3 129120: May  3 04:01:08.440: SSS PM [20C1C620]: SERVICE [iSG-1M]: Started yet? No
May  3 15:01:08 172.31.2.3 129121: May  3 04:01:08.440: SSS PM [20C1C620]: IDMGR: service not started yet; can't update
May  3 15:01:08 172.31.2.3 129122: May  3 04:01:08.440: SSS PM [20C1C620]: Did not update authen status
May  3 15:01:08 172.31.2.3 129123: May  3 04:01:08.440: SSS PM [20C1C620]: Updated NAS port for AAA ID 8019
May  3 15:01:08 172.31.2.3 129124: May  3 04:01:08.440: SSS PM [20C1C620]: IDMGR:  send event Session Update
May  3 15:01:08 172.31.2.3 129125: May  3 04:01:08.440: SSS PM [20C1C620]: Updated key list:
May  3 15:01:08 172.31.2.3 129126: May  3 04:01:08.444: SSS PM [20C1C620]:   Logon-Service = "ISG-1M"
May  3 15:01:08 172.31.2.3 129127: May  3 04:01:08.444: SSS PM [20C1C620]:   Nasport = PPPoEoVLAN: slot 0 adapter 0 port 1 sub-interface 232 IP 172.31.2.3 VPI 0 VCI 0 VLAN 232 
May  3 15:01:08 172.31.2.3 129128: May  3 04:01:08.444: SSS PM [20C1C620]:   Access-Type = 11 (Web-service-logon)
May  3 15:01:08 172.31.2.3 129129: May  3 04:01:08.444: SSS PM [20C1C620]:   Authen-Status = 1 (Unauthenticated)
May  3 15:01:08 172.31.2.3 129130: May  3 04:01:08.444: SSS PM [20C1C620]:   Session-Handle = 1442844386 (56000EE2)
May  3 15:01:08 172.31.2.3 129131: May  3 04:01:08.444: SSS PM [20C1C620]: Service Command-Handler Policy invoke - Service-Start
May  3 15:01:08 172.31.2.3 129132: May  3 04:01:08.444: SSS PM [20C1C620]: Access type Web-service-logon
May  3 15:01:08 172.31.2.3 129133: May  3 04:01:08.444: SSS PM [20C1C620]: RULE: Looking for a rule for event service-start
May  3 15:01:08 172.31.2.3 129134: May  3 04:01:08.444: SSS PM [20C1C620]: RULE:  Intf CloneSrc Gi0/1.232: service-rule any: ISG-CUSTOMERS-POLICY
May  3 15:01:08 172.31.2.3 129135: May  3 04:01:08.444: SSS PM [20C1C620]: RULE:   Evaluate "ISG-CUSTOMERS-POLICY" for service-start
May  3 15:01:08 172.31.2.3 129136: May  3 04:01:08.444: SSS PM [20C1C620]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/ISG-IP-UNAUTH event timed-policy-expiry"
May  3 15:01:08 172.31.2.3 129137: May  3 04:01:08.444: SSS PM [20C1C620]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event quota-depleted"
May  3 15:01:08 172.31.2.3 129138: May  3 04:01:08.444: SSS PM [20C1C620]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event credit-exhausted"
May  3 15:01:08 172.31.2.3 129139: May  3 04:01:08.444: SSS PM [20C1C620]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event internal-event-cre-t-exp"
May  3 15:01:08 172.31.2.3 129140: May  3 04:01:08.444: SSS PM [20C1C620]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event session-start"
May  3 15:01:08 172.31.2.3 129141: May  3 04:01:08.444: SSS PM [20C1C620]: RULE:   No match for "ISG-CUSTOMERS-POLICY"
May  3 15:01:08 172.31.2.3 129142: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/ISG-IP-UNAUTH event timed-policy-expiry"
May  3 15:01:08 172.31.2.3 129143: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event quota-depleted"
May  3 15:01:08 172.31.2.3 129144: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event credit-exhausted"
May  3 15:01:08 172.31.2.3 129145: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event internal-event-cre-t-exp"
May  3 15:01:08 172.31.2.3 129146: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event session-start"
May  3 15:01:08 172.31.2.3 129147: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:   No match for "ISG-CUSTOMERS-POLICY"
May  3 15:01:08 172.31.2.3 129148: May  3 04:01:08.444: SSS PM [20C1C620]: RULE:  Intf AccessIE Gi0/1.232: service-rule any: ISG-CUSTOMERS-POLICY
May  3 15:01:08 172.31.2.3 129149: May  3 04:01:08.444: SSS PM [20C1C620]: RULE:   Evaluate "ISG-CUSTOMERS-POLICY" for service-start
May  3 15:01:08 172.31.2.3 129150: May  3 04:01:08.444: SSS PM [20C1C620]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/ISG-IP-UNAUTH event timed-policy-expiry"
May  3 15:01:08 172.31.2.3 129151: May  3 04:01:08.444: SSS PM [20C1C620]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event quota-depleted"
May  3 15:01:08 172.31.2.3 129152: May  3 04:01:08.444: SSS PM [20C1C620]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event credit-exhausted"
May  3 15:01:08 172.31.2.3 129153: May  3 04:01:08.444: SSS PM [20C1C620]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event internal-event-cre-t-exp"
May  3 15:01:08 172.31.2.3 129154: May  3 04:01:08.444: SSS PM [20C1C620]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event session-start"
May  3 15:01:08 172.31.2.3 129155: May  3 04:01:08.444: SSS PM [20C1C620]: RULE:   No match for "ISG-CUSTOMERS-POLICY"
May  3 15:01:08 172.31.2.3 129156: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/ISG-IP-UNAUTH event timed-policy-expiry"
May  3 15:01:08 172.31.2.3 129157: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event quota-depleted"
May  3 15:01:08 172.31.2.3 129158: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event credit-exhausted"
May  3 15:01:08 172.31.2.3 129159: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event internal-event-cre-t-exp"
May  3 15:01:08 172.31.2.3 129160: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event session-start"
May  3 15:01:08 172.31.2.3 129161: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:   No match for "ISG-CUSTOMERS-POLICY"
May  3 15:01:08 172.31.2.3 129162: May  3 04:01:08.444: SSS PM [20C1C620]: RULE:  Glob: service-rule any: None
May  3 15:01:08 172.31.2.3 129163: May  3 04:01:08.444: SSS PM [uid:960][20C1C620]: RM/VPDN disabled: RM/VPDN author not needed
May  3 15:01:08 172.31.2.3 129164: May  3 04:01:08.444: SSS PM [uid:960][20C1C620]: AAA author needed for downloading service
May  3 15:01:08 172.31.2.3 129165: May  3 04:01:08.444: SSS PM [uid:960][20C1C620]: Received Service Request
May  3 15:01:08 172.31.2.3 129166: May  3 04:01:08.444: SSS PM [uid:960][20C1C620]: Event <init request>, State: initial-req to check-auth-needed
May  3 15:01:08 172.31.2.3 129167: May  3 04:01:08.444: SSS PM [uid:960][20C1C620]: Handling Authorization Check
May  3 15:01:08 172.31.2.3 129168: May  3 04:01:08.444: SSS PM [uid:960][20C1C620]: Check author needed
May  3 15:01:08 172.31.2.3 129169: May  3 04:01:08.444: SSS PM [uid:960][20C1C620]:  Have keyset: Nasport, Session-Handle, Logon-Service, FM-Apply-Config, Authen-Status
May  3 15:01:08 172.31.2.3 129170: May  3 04:01:08.444: SSS PM [uid:960][20C1C620]:  Want keyset: Logon-Service
May  3 15:01:08 172.31.2.3 129171: May  3 04:01:08.444: SSS PM [uid:960][20C1C620]:  Do we have key: 'Logon-Service'?
May  3 15:01:08 172.31.2.3 129172: May  3 04:01:08.444: SSS PM [uid:960][20C1C620]: AAA author needed for downloading service
May  3 15:01:08 172.31.2.3 129173: May  3 04:01:08.444: SSS PM [uid:960][20C1C620]: Event <send auth>, State: check-auth-needed to authorizing
May  3 15:01:08 172.31.2.3 129174: May  3 04:01:08.444: SSS PM [uid:960][20C1C620]: Handling AAA service Authorization
May  3 15:01:08 172.31.2.3 129175: May  3 04:01:08.444: SSS PM [uid:960][20C1C620]: Sending AAA request for 'ISG-1M'
May  3 15:01:08 172.31.2.3 129176: May  3 04:01:08.444: SVM [iSG-1M]: needs downloading
May  3 15:01:08 172.31.2.3 129177: May  3 04:01:08.444: SSS PM [uid:960][20C1C620]: service "ISG-1M" not in cache; needs download
May  3 15:01:08 172.31.2.3 129178: May  3 04:01:08.444: SVM [89000ED7/ISG-1M]: allocated version 1
May  3 15:01:08 172.31.2.3 129179: May  3 04:01:08.444: SVM [89000ED7/ISG-1M]: [4B000E16]: client queued
May  3 15:01:08 172.31.2.3 129180: May  3 04:01:08.444: SVM [89000ED7/ISG-1M]: [PM-Download:4B000E16] locked 0->1
May  3 15:01:08 172.31.2.3 129181: May  3 04:01:08.444: SSS PM [uid:960][20C1C620]: download required
May  3 15:01:08 172.31.2.3 129182: May  3 04:01:08.444: SVM [89000ED7/ISG-1M]: [AAA-Download:64382368] locked 0->1
May  3 15:01:08 172.31.2.3 129183: May  3 04:01:08.444: SSS AAA AUTHOR [uid:960]: Root SIP IP
May  3 15:01:08 172.31.2.3 129184: May  3 04:01:08.444: SSS AAA AUTHOR [uid:960]:  Enable IP parsing
May  3 15:01:08 172.31.2.3 129185: May  3 04:01:08.444: SSS AAA AUTHOR [uid:960]:  Enable Web-service-logon parsing
May  3 15:01:08 172.31.2.3 129186: May  3 04:01:08.444: SSS PM [uid:960][20C1C620]: ACTIVE HANDLE[0]: Active context created
May  3 15:01:08 172.31.2.3 129187: May  3 04:01:08.444: SSS PM [uid:960][20C1C620]: ACTIVE HANDLE[0]: Snapshot captured in Active context
May  3 15:01:08 172.31.2.3 129188: May  3 04:01:08.444: SSS AAA AUTHOR [uid:960]: Event <make request>, state changed from idle to authorizing
May  3 15:01:08 172.31.2.3 129189: May  3 04:01:08.444: SSS AAA AUTHOR [uid:960]: Active key set to Apply-Service
May  3 15:01:08 172.31.2.3 129190: May  3 04:01:08.444: SSS AAA AUTHOR [uid:960]: Authorizing key ISG-1M
May  3 15:01:08 172.31.2.3 129191: May  3 04:01:08.444: AAA/AUTHOR (0x1F53): Pick method list 'default'
May  3 15:01:08 172.31.2.3 129192: May  3 04:01:08.444: SSS AAA AUTHOR [uid:960]: AAA request sent for key ISG-1M
May  3 15:01:08 172.31.2.3 129193: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Event <srvf not found>, State: authorizing to check-auth-needed
May  3 15:01:08 172.31.2.3 129194: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Handling Next Authorization Check
May  3 15:01:08 172.31.2.3 129195: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE[0]: Continue
May  3 15:01:08 172.31.2.3 129196: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE[0]: ISG-CUSTOMERS-POLICY/always event session-start/10 authorize aaa list ISG-AUTH-1 identifier source-ip-address
May  3 15:01:08 172.31.2.3 129197: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE[0]: Author finished
May  3 15:01:08 172.31.2.3 129198: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: State: check-auth-needed to initial-req
May  3 15:01:08 172.31.2.3 129199: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE[1]: Continue
May  3 15:01:08 172.31.2.3 129200: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE[1]: ISG-CUSTOMERS-POLICY/always event session-start/10 authorize aaa list ISG-AUTH-1 identifier source-ip-address
May  3 15:01:08 172.31.2.3 129201: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Authen status update; is now "authen"
May  3 15:01:08 172.31.2.3 129202: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: IDMGR: assert authen status "authen"
May  3 15:01:08 172.31.2.3 129203: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: IDMGR:  send event Session Update
May  3 15:01:08 172.31.2.3 129204: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: IDMGR:  with username "172.21.2.5"
May  3 15:01:08 172.31.2.3 129205: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Session activation: ok
May  3 15:01:08 172.31.2.3 129206: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE[1]: TAL authorization succesful, stop

 

The service was accepted successfully, and the session appears to have been activated.

 

May  3 15:01:08 172.31.2.3 129207: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE[2]: Continue
May  3 15:01:08 172.31.2.3 129208: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE[2]: ISG-CUSTOMERS-POLICY/always event session-start/10 authorize aaa list ISG-AUTH-1 identifier source-ip-address
May  3 15:01:08 172.31.2.3 129209: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: State: initial-req to check-auth-needed
May  3 15:01:08 172.31.2.3 129210: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE[2]: Give default directive
May  3 15:01:08 172.31.2.3 129211: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE[3]: Continue
May  3 15:01:08 172.31.2.3 129212: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE[3]: ISG-CUSTOMERS-POLICY/always event session-start/10 authorize aaa list ISG-AUTH-1 identifier source-ip-address
May  3 15:01:08 172.31.2.3 129213: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Event <srvf found>, State: check-auth-needed to wait-for-events
May  3 15:01:08 172.31.2.3 129214: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Handling Default Service
May  3 15:01:08 172.31.2.3 129215: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Looking for a rule for event session-default-service
May  3 15:01:08 172.31.2.3 129216: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:  Intf CloneSrc Gi0/1.232: service-rule any: ISG-CUSTOMERS-POLICY
May  3 15:01:08 172.31.2.3 129217: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:   Evaluate "ISG-CUSTOMERS-POLICY" for session-default-service
May  3 15:01:08 172.31.2.3 129218: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/ISG-IP-UNAUTH event timed-policy-expiry"
May  3 15:01:08 172.31.2.3 129219: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event quota-depleted"
May  3 15:01:08 172.31.2.3 129220: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event credit-exhausted"
May  3 15:01:08 172.31.2.3 129221: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event internal-event-cre-t-exp"
May  3 15:01:08 172.31.2.3 129222: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event session-start"
May  3 15:01:08 172.31.2.3 129223: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:   No match for "ISG-CUSTOMERS-POLICY"
May  3 15:01:08 172.31.2.3 129224: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:  Intf AccessIE Gi0/1.232: service-rule any: ISG-CUSTOMERS-POLICY
May  3 15:01:08 172.31.2.3 129225: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:   Evaluate "ISG-CUSTOMERS-POLICY" for session-default-service
May  3 15:01:08 172.31.2.3 129226: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/ISG-IP-UNAUTH event timed-policy-expiry"
May  3 15:01:08 172.31.2.3 129227: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event quota-depleted"
May  3 15:01:08 172.31.2.3 129228: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event credit-exhausted"
May  3 15:01:08 172.31.2.3 129229: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event internal-event-cre-t-exp"
May  3 15:01:08 172.31.2.3 129230: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event session-start"
May  3 15:01:08 172.31.2.3 129231: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:   No match for "ISG-CUSTOMERS-POLICY"
May  3 15:01:08 172.31.2.3 129232: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:  Glob: service-rule any: None
May  3 15:01:08 172.31.2.3 129233: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Providing Service
May  3 15:01:08 172.31.2.3 129234: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Policy reply - Local Terminate
May  3 15:01:08 172.31.2.3 129235: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Plumbing proposed by default, not FSP
May  3 15:01:08 172.31.2.3 129236: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Policy reply - Local Terminate
May  3 15:01:08 172.31.2.3 129237: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Plumbing proposed by default, not FSP
May  3 15:01:08 172.31.2.3 129238: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Policy reply - Local Terminate
May  3 15:01:08 172.31.2.3 129239: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Looking for a rule for event session-service-found
May  3 15:01:08 172.31.2.3 129240: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:  Intf CloneSrc Gi0/1.232: service-rule any: ISG-CUSTOMERS-POLICY
May  3 15:01:08 172.31.2.3 129241: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:   Evaluate "ISG-CUSTOMERS-POLICY" for session-service-found
May  3 15:01:08 172.31.2.3 129242: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/ISG-IP-UNAUTH event timed-policy-expiry"
May  3 15:01:08 172.31.2.3 129243: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event quota-depleted"
May  3 15:01:08 172.31.2.3 129244: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event credit-exhausted"
May  3 15:01:08 172.31.2.3 129245: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event internal-event-cre-t-exp"
May  3 15:01:08 172.31.2.3 129246: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event session-start"
May  3 15:01:08 172.31.2.3 129247: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE:   No match for "ISG-CUSTOMERS-POLICY"
May  3 15:01:08 172.31.2.3 129248: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE:  Intf AccessIE Gi0/1.232: service-rule any: ISG-CUSTOMERS-POLICY
May  3 15:01:08 172.31.2.3 129249: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE:   Evaluate "ISG-CUSTOMERS-POLICY" for session-service-found
May  3 15:01:08 172.31.2.3 129250: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/ISG-IP-UNAUTH event timed-policy-expiry"
May  3 15:01:08 172.31.2.3 129251: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event quota-depleted"
May  3 15:01:08 172.31.2.3 129252: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event credit-exhausted"
May  3 15:01:08 172.31.2.3 129253: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event internal-event-cre-t-exp"
May  3 15:01:08 172.31.2.3 129254: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always event session-start"
May  3 15:01:08 172.31.2.3 129255: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE:   No match for "ISG-CUSTOMERS-POLICY"
May  3 15:01:08 172.31.2.3 129256: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE:  Glob: service-rule any: None
May  3 15:01:08 172.31.2.3 129257: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: Plumbing proposed by default, not FSP
May  3 15:01:08 172.31.2.3 129258: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: Policy reply - Local Terminate
May  3 15:01:08 172.31.2.3 129259: May  3 04:01:08.448: SSS MGR [uid:960]: Got reply Local Terminate from PM
May  3 15:01:08 172.31.2.3 129260: May  3 04:01:08.448: SSS MGR [uid:960]: Handling Connect Local Service action
May  3 15:01:08 172.31.2.3 129261: May  3 04:01:08.448: SSS LTERM [uid:960]: Processing Local termination request
May  3 15:01:08 172.31.2.3 129262: May  3 04:01:08.448: SSS LTERM [uid:960]: L3 session - IDB not required for service
May  3 15:01:08 172.31.2.3 129263: May  3 04:01:08.448: SSS LTERM [uid:960]: Segment provision successful
May  3 15:01:08 172.31.2.3 129264: May  3 04:01:08.448: SSS AAA AUTHOR [uid:960]: Event <free request>, state changed from complete to terminal
May  3 15:01:08 172.31.2.3 129265: May  3 04:01:08.448: SSS AAA AUTHOR [uid:960]: Cancel request
May  3 15:01:08 172.31.2.3 129266: May  3 04:01:08.448: SSS LTERM [uid:960]:  Switching session provisioned
May  3 15:01:08 172.31.2.3 129267: May  3 04:01:08.448: SSS MGR [uid:960]: Processing a client disconnect

 

Why on earth was the decision made to disconnect the client? After that, naturally, the services get torn down and the redirect is applied:

 

May  3 15:01:08 172.31.2.3 129268: May  3 04:01:08.448: SSS MGR [uid:960]: Handling Send Service Disconnect action
May  3 15:01:08 172.31.2.3 129269: May  3 04:01:08.448: SSS MGR [uid:960]: Handling Disconnecting, Network Service Feature Clean action
May  3 15:01:08 172.31.2.3 129270: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: Received policy cancel
May  3 15:01:08 172.31.2.3 129271: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: Event <policy cancel>, State: wait-for-events to end
May  3 15:01:08 172.31.2.3 129272: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: Handling Action Ignore for <policy cancel>
May  3 15:01:08 172.31.2.3 129273: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: Destroy context 20C1C2D0
May  3 15:01:08 172.31.2.3 129274: May  3 04:01:08.448: SSS PM [uid:960][20C1C620]: Destroy context 20C1C620
May  3 15:01:08 172.31.2.3 129275: May  3 04:01:08.448: SVM [89000ED7/ISG-1M] ERROR: [4B000E16]: client bad remove
May  3 15:01:08 172.31.2.3 129276: May  3 04:01:08.448: SVM [89000ED7/ISG-1M]: [4B000E16]: client removed
May  3 15:01:08 172.31.2.3 129277: May  3 04:01:08.448: SVM [89000ED7/ISG-1M]: [PM-Download:4B000E16] unlocked 1->0
May  3 15:01:08 172.31.2.3 129278: May  3 04:01:08.448: SSS PM [uid:960][20C1C620]: PROFILE: destroy all config
May  3 15:01:08 172.31.2.3 129279: May  3 04:01:08.448: SSS PM: destroy all user profile info from policy context
May  3 15:01:08 172.31.2.3 129280: May  3 04:01:08.448: SSS PM [uid:960][20C1C620]: ACTIVE HANDLE[]: Released active handle
May  3 15:01:08 172.31.2.3 129281: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: PROFILE: destroy all config
May  3 15:01:08 172.31.2.3 129282: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: PROFILE:  destroy 20C62660, ref 1
May  3 15:01:08 172.31.2.3 129283: May  3 04:01:08.448: SSS PM: PROFILE:  decremented ref 20C62660, ref 0
May  3 15:01:08 172.31.2.3 129284: May  3 04:01:08.448: SSS PM: PROFILE-DB:    destroy "172.21.2.5"/20C5FF20 hdl A20006B6 ref 1
May  3 15:01:08 172.31.2.3 129285: May  3 04:01:08.448: SSS PM: PROFILE-DB:   destroy "172.21.2.5"
May  3 15:01:08 172.31.2.3 129286: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: Auto services not NULL - Freeing
May  3 15:01:08 172.31.2.3 129287: May  3 04:01:08.448: SSS PM: Policy Mgr handle [4B000E16] destroyed already
May  3 15:01:08 172.31.2.3 129288: May  3 04:01:08.448: SSS PM: Policy Mgr context is NULL
May  3 15:01:08 172.31.2.3 129289: May  3 04:01:08.448: SSS PM: AUTOSERVICE [iSG-1M]: Removing auto service entry from the parent policy context list
May  3 15:01:08 172.31.2.3 129290: May  3 04:01:08.448: SSS PM: destroy all user profile info from policy context
May  3 15:01:08 172.31.2.3 129291: May  3 04:01:08.448: SSS PM: destroy per-user info from policy context
May  3 15:01:08 172.31.2.3 129292: May  3 04:01:08.448: SSS MGR [uid:960]: Sending a Session End ID Mgr request
May  3 15:01:08 172.31.2.3 129293: May  3 04:01:08.448: SSS MGR [uid:960]: ID Mgr returned status: 'deleted' for Session End
May  3 15:01:08 172.31.2.3 129294: May  3 04:01:08.448: SSS PM: destroy per-user info from policy context

 

Please tell me where the mistake is; I have been racking my brain over this for a week.

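As an added illustration (not part of the original post and not Cisco tooling), the Python sketch below parses an excerpt of the debug output posted above, re-joins a record that was wrapped across two lines, and reports which state each SSS context had reached when `Processing a client disconnect` was logged. The function names and the choice of excerpt are assumptions of this example; it only reports what the log lines say.

```python
import re
from collections import defaultdict

# Syslog prefix, sequence number, IOS debug timestamp, then the message body.
LINE = re.compile(r'^\w{3}\s+\d+ [\d:]+ \S+ (?P<seq>\d+): \w{3}\s+\d+ [\d:.]+: (?P<body>.*)$')
# "<subsystem> [tag][tag] ERROR: message"; tags and ERROR are optional.
BODY = re.compile(r'^(?P<sub>[A-Za-z/ ]+?)\s*(?P<tags>(?:\[[^\]]*\])*)(?P<err> ERROR)?: (?P<msg>.*)$')
# SSS PM prints "State: a to b"; SSS AAA AUTHOR prints "state changed from a to b".
TRANS = re.compile(r'(?:Event <(?P<event>[^>]+)>, )?[Ss]tate(?: changed from|:) '
                   r'(?P<src>[\w-]+) to (?P<dst>[\w-]+)')

# Excerpt of the debug output in the post above; the first record is wrapped.
SAMPLE = """\
May  3 15:01:08 172.31.2.3 129160: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE:    Wrong type "ISG-CUSTOMERS-POLICY/always
event session-start"
May  3 15:01:08 172.31.2.3 129173: May  3 04:01:08.444: SSS PM [uid:960][20C1C620]: Event <send auth>, State: check-auth-needed to authorizing
May  3 15:01:08 172.31.2.3 129188: May  3 04:01:08.444: SSS AAA AUTHOR [uid:960]: Event <make request>, state changed from idle to authorizing
May  3 15:01:08 172.31.2.3 129193: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Event <srvf not found>, State: authorizing to check-auth-needed
May  3 15:01:08 172.31.2.3 129199: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: State: check-auth-needed to initial-req
May  3 15:01:08 172.31.2.3 129213: May  3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Event <srvf found>, State: check-auth-needed to wait-for-events
May  3 15:01:08 172.31.2.3 129264: May  3 04:01:08.448: SSS AAA AUTHOR [uid:960]: Event <free request>, state changed from complete to terminal
May  3 15:01:08 172.31.2.3 129267: May  3 04:01:08.448: SSS MGR [uid:960]: Processing a client disconnect
May  3 15:01:08 172.31.2.3 129271: May  3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: Event <policy cancel>, State: wait-for-events to end
May  3 15:01:08 172.31.2.3 129275: May  3 04:01:08.448: SVM [89000ED7/ISG-1M] ERROR: [4B000E16]: client bad remove
"""

def unwrap(text):
    """Re-join records that a forum or mail wrap split across lines."""
    records = []
    for raw in text.splitlines():
        if LINE.match(raw) or not records:
            records.append(raw)
        elif raw.strip():
            records[-1] += " " + raw.strip()
    return records

def analyze(text):
    """Return (transitions per context, ERROR records, seq of first disconnect)."""
    transitions = defaultdict(list)   # context -> [(seq, event, src, dst)]
    errors, disconnect_seq = [], None
    for rec in unwrap(text):
        m = LINE.match(rec)
        b = BODY.match(m.group("body")) if m else None
        if not b:
            continue
        seq = int(m.group("seq"))
        ctx = (b.group("sub") + " " + b.group("tags")).strip()
        msg = b.group("msg")
        t = TRANS.search(msg)
        if t:
            transitions[ctx].append((seq, t.group("event"), t.group("src"), t.group("dst")))
        if b.group("err"):
            errors.append((seq, ctx, msg))
        if disconnect_seq is None and "client disconnect" in msg:
            disconnect_seq = seq
    return dict(transitions), errors, disconnect_seq

def state_at(transitions, seq):
    """Last state each context had reached before record number seq."""
    out = {}
    for ctx, steps in transitions.items():
        earlier = [dst for s, _, _, dst in steps if s < seq]
        if earlier:
            out[ctx] = earlier[-1]
    return out

if __name__ == "__main__":
    transitions, errors, disc = analyze(SAMPLE)
    print("client disconnect logged at record", disc)
    for ctx, state in state_at(transitions, disc).items():
        print(f"  {ctx}: {state}")
    for seq, ctx, msg in errors:
        print(f"error {seq} {ctx}: {msg}")
```

On this excerpt the service-download context 20C1C620 is still in `authorizing`, the AAA AUTHOR request is already `terminal`, and the session context 20C1C2D0 is in `wait-for-events` at the moment the disconnect is logged.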

Sorry for bumping an old thread, but I have a similar problem.

I pull the services from RADIUS.

Here is the downloaded service with a rate limit on the 7206 (the rate is limited, everything works):

 


Service "INET100":
   Version 1:
     SVM ID                : 72000005
     Child ID              : A0000006
     Locked by             : SVM-Printer            [1]
     Locked by             : PM-Service             [1]
     Locked by             : PM-Info                [1]
     Locked by             : FM-Bind                [1]
     Locked by             : TC-Child               [1]
     Locked by             : Accounting-Feature     [1]
     Profile               : 50DA05C4
       Profile name: INET100, 4 references 
         username             "INET100"
         service-type         5 [Outbound]
         timeout              86400 (0x15180)
         traffic-class        "in access-group 196 priority 200"
         traffic-class        "out access-group 196 priority 200"
         traffic-class        "in default drop"
         traffic-class        "out default drop"
         accounting-list      "PPPOE"
         ssg-service-info     "IINET100"
         ssg-service-info     "QD;2000000"
         ssg-service-info     "QU;2000000"
     Feature               : TC
         Feature IDB type      : Sub-if or not required
         Feature Data          : 28 bytes:
                               : 000000 00 00 A0 00 00 06 00 00  ........
                               : 000008 00 C8 01 00 00 00 64 95  ......d.
                               : 000010 47 64 00 00 00 C8 01 00  gd......
                               : 000018 00 00 21 83              ..!.
     Version 1:
       SVM ID                : A0000006
       Parent ID             : 72000005
       Locked by             : SVM-Printer            [1]
       Locked by             : FM-Bind                [1]
       Locked by             : SM-SIP-Apply           [1]
       Locked by             : TC-Parent              [1]
       Feature               : Abs Timeout
         Feature IDB type      : Sub-if or not required
         Feature Data          : 8 bytes:
                               : 000000 00 00 05 26 5C 00 00 00  ...&\...
       Feature               : Accounting
         Feature IDB type      : Sub-if or not required
         Feature Data          : 24 bytes:
                               : 000000 00 00 72 00 00 05 51 60  ..r...q`
                               : 000008 48 54 00 00 04 0F 00 00  ht......
                               : 000010 00 01 00 00 00 00 00 00  ........


 

The very same service on the 7606 looks like this:

 


 Service "INET100":
   Version 1:
     SVM ID                : 5700001D
     Locked by             : SVM-Printer            [1]
     Locked by             : PM-Service             [1]
     Locked by             : PM-Info                [1]
     Locked by             : FM-Bind                [1]
     Feature               : Abs Timeout
         Feature IDB type      : Sub-if or not required
         Feature Data          : 8 bytes:
                               : 000000 00 00 05 26 5C 00 00 00  ...&\...
     Feature               : Accounting
         Feature IDB type      : Sub-if or not required
         Feature Data          : 24 bytes:
                               : 000000 00 00 57 00 00 1D 22 6C  ..w..."l
                               : 000008 2F 04 00 00 00 00 00 00  /.......
                               : 000010 00 00 00 00 00 00 00 00  ........



Naturally, the rate is not limited, and accounting for the service does not start either.

At the same time, the service does get authorized on the BRAS.

Where should I dig?


AFAIR the 7600 cannot do PPPoE, let alone ISG, without SIP/ES service cards. Do you have them?


Yes, I forgot to mention.

ES20-D3C and SIP-400 are installed.

PPPoE works right now; RADIUS pushes down the names of local policies that are applied for the rate.

I would like to move to a scheme with ISG services.

I did not see any particular restrictions for my configuration here.

http://www.cisco.com/c/en/us/td/docs/ios/isg/configuration/guide/15_0s/isg_15_0s_book/isg_sub_aware_enet.html#wp1074579

Perhaps someone has a working installation?

A colleague here has a BRAS on a 7604. Try writing to him.


OK, and what do debug subscriber error and debug radius say?
