Minotaur Posted February 3, 2012

Greetings! Colleagues, has anyone managed to get local authorization of services working on ISG?

I have these AAA settings:

aaa authentication login DHCP-BRAS group ISG-RADIUS
aaa authorization network DHCP-BRAS group ISG-RADIUS
aaa authorization subscriber-service default local

There is a service:

policy-map type service pms-1M
 class type traffic cmt-Any-Traffic
  police input 1000000 187500 375000
  police output 1000000 187500 375000

There is a policy for the users:

policy-map type control DHCP-Subscriber
 class type control always event session-start
  10 authorize aaa list DHCP-BRAS identifier remote-id plus circuit-id plus mac-address separator #
 !
 class type control always event session-restart
  10 authorize aaa list DHCP-BRAS identifier remote-id plus circuit-id plus mac-address separator #

The user is authorized via RADIUS, and the reply carries Cisco-Account-Info with the service name:

*Feb 3 20:22:59.221: RADIUS(00000851): sending
*Feb 3 20:22:59.221: RADIUS(00000851): Send Access-Request to 178.214.192.2:1812 id 1645/169, len 128
*Feb 3 20:22:59.221: RADIUS: authenticator 39 0D 3D 5A 15 2A 91 6A - 14 EB 63 D3 DF D5 AC 2F
*Feb 3 20:22:59.221: RADIUS: User-Name [1] 46 "000600226b2a8d52#000400210117#0007.e90a.75b2"
*Feb 3 20:22:59.221: RADIUS: User-Password [2] 18 *
*Feb 3 20:22:59.221: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Feb 3 20:22:59.221: RADIUS: NAS-Port [5] 6 0
*Feb 3 20:22:59.221: RADIUS: NAS-Port-Id [87] 10 "0/0/2/33"
*Feb 3 20:22:59.221: RADIUS: Service-Type [6] 6 Outbound [5]
*Feb 3 20:22:59.221: RADIUS: NAS-IP-Address [4] 6 178.214.192.68
*Feb 3 20:22:59.221: RADIUS: Acct-Session-Id [44] 10 "00000847"
*Feb 3 20:22:59.225: RADIUS: Received from id 1645/169 178.214.192.2:1812, Access-Accept, len 76
*Feb 3 20:22:59.225: RADIUS: authenticator 03 D7 FC 8B 0E 1C D9 64 - 9D 9B C5 88 5F 2D A0 92
*Feb 3 20:22:59.225: RADIUS: Vendor, Cisco [26] 41
*Feb 3 20:22:59.225: RADIUS: Cisco AVpair [1] 35 "subscriber:keepalive=protocol ARP"
*Feb 3 20:22:59.225: RADIUS: Vendor, Cisco [26] 15
*Feb 3 20:22:59.225: RADIUS: ssg-account-info [250] 9 "Apms-1M"
*Feb 3 20:22:59.229: RADIUS(00000851): Received from id 1645/169

And then the Cisco claims that it cannot find service authorization info:

*Feb 3 20:25:01.750: SSS AAA AUTHOR [uid:414]: Received an AAA pass
*Feb 3 20:25:01.750: SSS AAA AUTHOR [uid:414]: Parsed AAA interim interval = 0
*Feb 3 20:25:01.750: SSS AAA AUTHOR [uid:414]: SIP Root parser not installed
*Feb 3 20:25:01.750: SSS AAA AUTHOR [uid:414]: SIP IP[25F6E90] parsed as Ignore
*Feb 3 20:25:01.750: SSS AAA AUTHOR [uid:414]: Event <service not found>, state changed from authorizing to complete
*Feb 3 20:25:01.750: SSS AAA AUTHOR [uid:414]: No service authorization info found
*Feb 3 20:25:01.750: SSS AAA AUTHOR [uid:414]: Active Handle present
*Feb 3 20:25:01.750: SSS AAA AUTHOR [uid:414]: Freeing Active Handle; SSS Policy Context Handle = 12BB3658
*Feb 3 20:25:01.750: SSS PM [uid:414][12BB34B8]: AAA author needed for downloading service
*Feb 3 20:25:01.750: SSS PM [uid:414][12BB34B8]: AAA author needed for downloading service

Question: what needs to be added to the config to make local authorization of the service work? Thanks.
C@T Posted February 4, 2012

Is there a line like this in the config?

aaa authorization subscriber-service default local group ISG-RADIUS
Minotaur Posted February 5, 2012

> Is there a line like this in the config?
> aaa authorization subscriber-service default local group ISG-RADIUS

The config has

aaa authorization subscriber-service default local

because RADIUS is not planned to be used for service authorization.
C@T Posted February 5, 2012

Sorry, I didn't notice it in the config. It's just that the cause usually lies in exactly this line...
Minotaur Posted February 6, 2012

Found the problem. In the ISG session-restart event the remote-id and circuit-id identifiers are not available. If you remove them and leave, e.g., only the MAC address, everything works. By preliminary diagnosis, this event occurs right after session-start because Windows has too short an interval between DHCP Discovers, and the first Discover does not get processed in the session-start rule on the ISG in time; the second Discover arrives when the session is already in the authen state and triggers session-restart... Why this is so, I haven't fully figured out yet.
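Added example, not part of any post in this thread and not the posters' code: a Python triage pass over debug lines copied from the two captures quoted here. It extracts which service name the Access-Accept carried in ssg-account-info, which keys were sent for authorization, which method lists were picked, and which sessions hit <service not found>. Reading the first letter of ssg-account-info as A = auto-logon service and S = subscriber IP is this example's interpretation, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Debug lines copied from the two captures quoted in this thread.
SAMPLE = """\
*Feb 3 20:22:59.221: RADIUS(00000851): Send Access-Request to 178.214.192.2:1812 id 1645/169, len 128
*Feb 3 20:22:59.225: RADIUS: Received from id 1645/169 178.214.192.2:1812, Access-Accept, len 76
*Feb 3 20:22:59.225: RADIUS: ssg-account-info [250] 9 "Apms-1M"
*Feb 3 20:25:01.750: SSS AAA AUTHOR [uid:414]: Received an AAA pass
*Feb 3 20:25:01.750: SSS AAA AUTHOR [uid:414]: Event <service not found>, state changed from authorizing to complete
*Feb 3 20:25:01.750: SSS AAA AUTHOR [uid:414]: No service authorization info found
May 3 15:01:08 172.31.2.3 129039: May 3 04:01:08.428: SSS AAA AUTHOR [uid:960]: Authorizing key 172.21.2.5
May 3 15:01:08 172.31.2.3 129040: May 3 04:01:08.428: AAA/AUTHOR (0x1F53): Pick method list 'ISG-AUTH-1'
May 3 15:01:08 172.31.2.3 129048: May 3 04:01:08.428: RADIUS(00001F53): Send Access-Request to 172.16.1.5:34009 id 1645/62, len 177
May 3 15:01:08 172.31.2.3 129054: May 3 04:01:08.428: RADIUS: ssg-account-info [250] 13 "S172.21.2.5"
May 3 15:01:08 172.31.2.3 129066: May 3 04:01:08.440: RADIUS: Received from id 1645/62 172.16.1.5:34009, Access-Accept, len 77
May 3 15:01:08 172.31.2.3 129077: May 3 04:01:08.440: RADIUS: ssg-account-info [250] 9 "AISG-1M"
May 3 15:01:08 172.31.2.3 129092: May 3 04:01:08.440: SSS AAA AUTHOR [uid:960]: Event <service not found>, state changed from authorizing to complete
May 3 15:01:08 172.31.2.3 129188: May 3 04:01:08.444: SSS AAA AUTHOR [uid:960]: Event <make request>, state changed from idle to authorizing
May 3 15:01:08 172.31.2.3 129190: May 3 04:01:08.444: SSS AAA AUTHOR [uid:960]: Authorizing key ISG-1M
May 3 15:01:08 172.31.2.3 129191: May 3 04:01:08.444: AAA/AUTHOR (0x1F53): Pick method list 'default'
"""

# Meaning of the first character of ssg-account-info (assumption of this
# example, limited to the two codes that occur in the thread).
ACCOUNT_INFO_CODES = {"A": "auto-logon service", "S": "subscriber IP"}

RE_SEND = re.compile(r"RADIUS\([0-9A-F]+\): Send (Access-Request) ")
RE_RECV = re.compile(r"RADIUS: Received from id \S+ \S+, (Access-\w+),")
RE_ACCT = re.compile(r'RADIUS: ssg-account-info \[250\] \d+ "([A-Z])([^"]*)"')
RE_EVENT = re.compile(r"SSS AAA AUTHOR \[uid:(\d+)\]: Event <([^>]+)>, "
                      r"state changed from (\S+) to (\S+)")
RE_KEY = re.compile(r"SSS AAA AUTHOR \[uid:(\d+)\]: Authorizing key (\S+)")
RE_LIST = re.compile(r"AAA/AUTHOR \((0x[0-9A-F]+)\): Pick method list '([^']+)'")


def triage(text):
    """Condense an ISG debug capture into the AAA facts needed for diagnosis."""
    packet = None  # RADIUS packet type the following attribute lines belong to
    report = {"account_info": [], "events": defaultdict(list),
              "keys": defaultdict(list), "method_lists": []}
    for line in text.splitlines():
        m = RE_SEND.search(line) or RE_RECV.search(line)
        if m:
            packet = m.group(1)
            continue
        m = RE_ACCT.search(line)
        if m:
            report["account_info"].append((packet, m.group(1), m.group(2)))
            continue
        m = RE_EVENT.search(line)
        if m:
            uid, event, old, new = m.groups()
            report["events"][uid].append((event, old, new))
            continue
        m = RE_KEY.search(line)
        if m:
            report["keys"][m.group(1)].append(m.group(2))
            continue
        m = RE_LIST.search(line)
        if m:
            report["method_lists"].append(m.groups())
    return report


def pushed_services(report):
    """Service names carried with code A in a RADIUS Access-Accept."""
    return [value for packet, code, value in report["account_info"]
            if packet == "Access-Accept" and code == "A"]


def service_not_found(report):
    """Session uids whose AAA author state machine reported <service not found>."""
    return sorted(uid for uid, events in report["events"].items()
                  if any(name == "service not found" for name, _, _ in events))


def summarize(report):
    """One line per extracted fact, in a fixed order."""
    lines = []
    for packet, code, value in report["account_info"]:
        meaning = ACCOUNT_INFO_CODES.get(code, "unrecognised code")
        lines.append(f"{packet}: ssg-account-info {code} ({meaning}) = {value}")
    for uid in service_not_found(report):
        keys = ", ".join(report["keys"].get(uid, [])) or "not shown in capture"
        lines.append(f"uid {uid}: <service not found>; keys sent for authorization: {keys}")
    for aaa_id, name in report["method_lists"]:
        lines.append(f"AAA id {aaa_id}: method list '{name}'")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE))))
```

In the second capture this shows the subscriber lookup going through method list 'ISG-AUTH-1' and the later lookup of the service name going through 'default', which is the list set by `aaa authorization subscriber-service default ...`.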
grfmaniak Posted May 3, 2012

I'm trying to attach local services for ip subscriber routed. RADIUS returns only the service name ISG-1M; the service itself is defined locally.

Config:

aaa new-model
aaa session-mib disconnect
!
!
aaa group server radius billing
 server-private 172.16.1.5 auth-port 34009 acct-port 34008 key 7 blabla
!
aaa authentication login default local
aaa authentication login ISG-AUTH-1 group billing
aaa authentication ppp default group billing
aaa authorization exec default local if-authenticated
aaa authorization network default group billing
aaa authorization network ISG-AUTH-1 group billing
aaa authorization subscriber-service default local group billing
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network default action-type start-stop group billing2
!
aaa accounting network ISG-AUTH-1 action-type start-stop group billing
!
!
aaa nas port extended
!
!
!
!
aaa session-id common
subscriber authorization enable
class-map type traffic match-any ALLTRAFF
 match access-group input 110
 match access-group output 111
!
class-map type control match-all ISG-IP-UNAUTH
 match timer UNAUTH-TIMER
 match authen-status unauthenticated
!
policy-map type service SERVICE_L4R
 class type traffic CLASS-TO-REDIRECT
  redirect to ip 44.44.44.44 port 80
 !
!
policy-map type service ISG-1M
 class type traffic ALLTRAFF
  police input 1000000 187500 375000
  police output 1000000 187500 375000
 !
!
policy-map type control ISG-CUSTOMERS-POLICY
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event quota-depleted
  1 set-param drop-traffic FALSE
 !
 class type control always event credit-exhausted
  1 service-policy type service name SERVICE_L4R
 !
 class type control always event session-start
  10 authorize aaa list ISG-AUTH-1 password zzz identifier source-ip-address
  30 set-timer UNAUTH-TIMER 1
  40 service-policy type service name SERVICE_L4R
 !
Дебаг: May 3 15:01:08 172.31.2.3 128952: May 3 04:01:08.424: SG-DPM: Request to DPM for session restart May 3 15:01:08 172.31.2.3 128953: May 3 04:01:08.424: SG-DPM: sg_dpm_session_query: ip subscriber routed May 3 15:01:08 172.31.2.3 128954: May 3 04:01:08.424: SG-DPM: DHCP Binding does not exist to restart session for ip 172.21.2.5 May 3 15:01:08 172.31.2.3 128955: May 3 04:01:08.424: AAA/BIND(00001F53): Bind i/f May 3 15:01:08 172.31.2.3 128956: May 3 04:01:08.424: AAA/BIND(00001F53): Bind i/f GigabitEthernet0/1.232 May 3 15:01:08 172.31.2.3 128957: May 3 04:01:08.424: SSS INFO: Element type is AccIe-Hdl = 1509953241 (5A000ED9) May 3 15:01:08 172.31.2.3 128958: May 3 04:01:08.424: SSS INFO: Element type is AAA-Id = 8019 (00001F53) May 3 15:01:08 172.31.2.3 128959: May 3 04:01:08.424: SSS INFO: Element type is SHDB-Handle = 0 (00000000) May 3 15:01:08 172.31.2.3 128960: May 3 04:01:08.424: SSS INFO: Element type is IP-Address = 172.21.2.5 (AC150205) May 3 15:01:08 172.31.2.3 128961: May 3 04:01:08.424: SSS INFO: Element type is IP-Address-VRF = IP 172.21.2.5:0 May 3 15:01:08 172.31.2.3 128962: May 3 04:01:08.424: SSS INFO: Element type is source-ip-address = 209EF5C8 May 3 15:01:08 172.31.2.3 128963: May 3 04:01:08.424: SSS INFO: Element type is Final = 1 (YES) May 3 15:01:08 172.31.2.3 128964: May 3 04:01:08.424: SSS INFO: Element type is Access-Type = 15 (IP) May 3 15:01:08 172.31.2.3 128965: May 3 04:01:08.424: SSS INFO: Element type is Protocol-Type = 4 (IP Access Protocol) May 3 15:01:08 172.31.2.3 128966: May 3 04:01:08.424: SSS INFO: Element type is Media-Type = 2 (IP) May 3 15:01:08 172.31.2.3 128967: May 3 04:01:08.424: SSS INFO: Element type is Switch-Id = 7898 (00001EDA) May 3 15:01:08 172.31.2.3 128968: May 3 04:01:08.424: SSS INFO: Element type is Segment-Hdl = 7604 (00001DB4) May 3 15:01:08 172.31.2.3 128969: May 3 04:01:08.424: SSS MGR [uid:960]: Sending a Session Assert ID Mgr request May 3 15:01:08 172.31.2.3 128970: May 3 04:01:08.424: SSS MGR 
[uid:960]: Updating ID Mgr with the following keys: May 3 15:01:08 172.31.2.3 128971: aaa-unique-id 8019 (0x1F53) May 3 15:01:08 172.31.2.3 128972: domainip-vrf AC 15 02 05 00 00 May 3 15:01:08 172.31.2.3 128973: May 3 04:01:08.424: SSS MGR [uid:960]: Updating ID Mgr with the following data: May 3 15:01:08 172.31.2.3 128974: addr 172.21.2.5 May 3 15:01:08 172.31.2.3 128975: May 3 04:01:08.424: SSS MGR [uid:960]: ID Mgr returned status: 'success' for Session Assert May 3 15:01:08 172.31.2.3 128976: May 3 04:01:08.424: SSS MGR [uid:960]: Handling Policy Service Authorize action (1 pending sessions) May 3 15:01:08 172.31.2.3 128977: May 3 04:01:08.424: SSS PM [20C1C2D0]: Create context 20C1C2D0 May 3 15:01:08 172.31.2.3 128978: May 3 04:01:08.424: SSS PM [uid:960][20C1C2D0]: Authen status update; is now "unauthen" May 3 15:01:08 172.31.2.3 128979: May 3 04:01:08.424: SSS PM [uid:960][20C1C2D0]: IDMGR: assert authen status "unauthen" May 3 15:01:08 172.31.2.3 128980: May 3 04:01:08.424: SSS PM [uid:960][20C1C2D0]: IDMGR: send event Session Update May 3 15:01:08 172.31.2.3 128981: May 3 04:01:08.424: SSS PM [uid:960][20C1C2D0]: Updated NAS port for AAA ID 8019 May 3 15:01:08 172.31.2.3 128982: May 3 04:01:08.424: SSS PM [uid:960][20C1C2D0]: IDMGR: send event Session Update May 3 15:01:08 172.31.2.3 128983: May 3 04:01:08.424: SSS PM [uid:960][20C1C2D0]: Updated key list: May 3 15:01:08 172.31.2.3 128984: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: SHDB-Handle = 0 (00000000) May 3 15:01:08 172.31.2.3 128985: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: IP-Address = 172.21.2.5 (AC150205) May 3 15:01:08 172.31.2.3 128986: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: IP-Address-VRF = IP 172.21.2.5:0 May 3 15:01:08 172.31.2.3 128987: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: source-ip-address = 209EF5C8 May 3 15:01:08 172.31.2.3 128988: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Final = 1 (YES) May 3 15:01:08 172.31.2.3 128989: May 3 04:01:08.428: SSS PM 
[uid:960][20C1C2D0]: Access-Type = 15 (IP) May 3 15:01:08 172.31.2.3 128990: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Protocol-Type = 4 (IP Access Protocol) May 3 15:01:08 172.31.2.3 128991: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Media-Type = 2 (IP) May 3 15:01:08 172.31.2.3 128992: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Authen-Status = 1 (Unauthenticated) May 3 15:01:08 172.31.2.3 128993: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Nasport = PPPoEoVLAN: slot 0 adapter 0 port 1 sub-interface 232 IP 172.31.2.3 VPI 0 VCI 0 VLAN 232 May 3 15:01:08 172.31.2.3 128994: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Updated key list: May 3 15:01:08 172.31.2.3 128995: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: SHDB-Handle = 0 (00000000) May 3 15:01:08 172.31.2.3 128996: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: IP-Address = 172.21.2.5 (AC150205) May 3 15:01:08 172.31.2.3 128997: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: IP-Address-VRF = IP 172.21.2.5:0 May 3 15:01:08 172.31.2.3 128998: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: source-ip-address = 209EF5C8 May 3 15:01:08 172.31.2.3 128999: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Final = 1 (YES) May 3 15:01:08 172.31.2.3 129000: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Access-Type = 15 (IP) May 3 15:01:08 172.31.2.3 129001: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Protocol-Type = 4 (IP Access Protocol) May 3 15:01:08 172.31.2.3 129002: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Media-Type = 2 (IP) May 3 15:01:08 172.31.2.3 129003: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Authen-Status = 1 (Unauthenticated) May 3 15:01:08 172.31.2.3 129004: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Nasport = PPPoEoVLAN: slot 0 adapter 0 port 1 sub-interface 232 IP 172.31.2.3 VPI 0 VCI 0 VLAN 232 May 3 15:01:08 172.31.2.3 129005: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Session-Handle = 1442844386 (56000EE2) May 3 15:01:08 172.31.2.3 129006: May 
3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: SM Policy invoke - Service Selection Request May 3 15:01:08 172.31.2.3 129007: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Access type IP May 3 15:01:08 172.31.2.3 129008: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Access type IP: final key May 3 15:01:08 172.31.2.3 129009: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE: Looking for a rule for event session-start May 3 15:01:08 172.31.2.3 129010: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE: Intf CloneSrc Gi0/1.232: service-rule any: ISG-CUSTOMERS-POLICY May 3 15:01:08 172.31.2.3 129011: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE: Evaluate "ISG-CUSTOMERS-POLICY" for session-start May 3 15:01:08 172.31.2.3 129012: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/ISG-IP-UNAUTH event timed-policy-expiry" May 3 15:01:08 172.31.2.3 129013: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event quota-depleted" May 3 15:01:08 172.31.2.3 129014: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event credit-exhausted" May 3 15:01:08 172.31.2.3 129015: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event internal-event-cre-t-exp" May 3 15:01:08 172.31.2.3 129016: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE: Matched "ISG-CUSTOMERS-POLICY/always event session-start" May 3 15:01:08 172.31.2.3 129017: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE: Matched "ISG-CUSTOMERS-POLICY/always event session-start/10 authorize aaa list ISG-AUTH-1 identifier source-ip-address" May 3 15:01:08 172.31.2.3 129018: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE[0]: Start May 3 15:01:08 172.31.2.3 129019: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE[0]: ISG-CUSTOMERS-POLICY/always event session-start/10 authorize aaa list ISG-AUTH-1 identifier source-ip-address May 3 
15:01:08 172.31.2.3 129020: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE[0]: Using author method AAA service May 3 15:01:08 172.31.2.3 129021: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE[0]: Have key source-ip-address May 3 15:01:08 172.31.2.3 129022: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: State: initial-req to check-auth-needed May 3 15:01:08 172.31.2.3 129023: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE[0]: Using key source-ip-address May 3 15:01:08 172.31.2.3 129024: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE[1]: Start May 3 15:01:08 172.31.2.3 129025: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: RULE[1]: ISG-CUSTOMERS-POLICY/always event session-start/10 authorize aaa list ISG-AUTH-1 identifier source-ip-address May 3 15:01:08 172.31.2.3 129026: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Event <send auth>, State: check-auth-needed to authorizing May 3 15:01:08 172.31.2.3 129027: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Handling AAA service Authorization May 3 15:01:08 172.31.2.3 129028: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: Sending AAA request for '172.21.2.5' May 3 15:01:08 172.31.2.3 129029: May 3 04:01:08.428: SSS PM: Allocating per-user profile info May 3 15:01:08 172.31.2.3 129030: May 3 04:01:08.428: SSS PM: Add per-user profile info to policy context May 3 15:01:08 172.31.2.3 129031: May 3 04:01:08.428: SSS AAA AUTHOR [uid:960]: using named author method list "ISG-AUTH-1" May 3 15:01:08 172.31.2.3 129032: May 3 04:01:08.428: SSS AAA AUTHOR [uid:960]: using set aaa password "zzz" May 3 15:01:08 172.31.2.3 129033: May 3 04:01:08.428: SSS AAA AUTHOR [uid:960]: Root SIP IP May 3 15:01:08 172.31.2.3 129034: May 3 04:01:08.428: SSS AAA AUTHOR [uid:960]: Enable IP parsing May 3 15:01:08 172.31.2.3 129035: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: ACTIVE HANDLE[0]: Active context created May 3 15:01:08 172.31.2.3 129036: May 3 04:01:08.428: SSS PM [uid:960][20C1C2D0]: ACTIVE HANDLE[0]: 
Snapshot captured in Active context May 3 15:01:08 172.31.2.3 129037: May 3 04:01:08.428: SSS AAA AUTHOR [uid:960]: Event <make request>, state changed from idle to authorizing May 3 15:01:08 172.31.2.3 129038: May 3 04:01:08.428: SSS AAA AUTHOR [uid:960]: Active key set to source-ip-address May 3 15:01:08 172.31.2.3 129039: May 3 04:01:08.428: SSS AAA AUTHOR [uid:960]: Authorizing key 172.21.2.5 May 3 15:01:08 172.31.2.3 129040: May 3 04:01:08.428: AAA/AUTHOR (0x1F53): Pick method list 'ISG-AUTH-1' May 3 15:01:08 172.31.2.3 129041: May 3 04:01:08.428: SSS AAA AUTHOR [uid:960]: AAA request sent for key 172.21.2.5 May 3 15:01:08 172.31.2.3 129042: May 3 04:01:08.428: RADIUS/ENCODE(00001F53):Orig. component type = Iedge IP SIP May 3 15:01:08 172.31.2.3 129043: May 3 04:01:08.428: RADIUS/ENCODE(00001F53): Unsupported AAA attribute clid-mac-addr May 3 15:01:08 172.31.2.3 129044: May 3 04:01:08.428: RADIUS(00001F53): Config NAS IP: 172.31.2.3 May 3 15:01:08 172.31.2.3 129045: May 3 04:01:08.428: RADIUS/ENCODE(00001F53): acct_session_id: 8013 May 3 15:01:08 172.31.2.3 129046: May 3 04:01:08.428: RADIUS(00001F53): Config NAS IP: 172.31.2.3 May 3 15:01:08 172.31.2.3 129047: May 3 04:01:08.428: RADIUS(00001F53): sending May 3 15:01:08 172.31.2.3 129048: May 3 04:01:08.428: RADIUS(00001F53): Send Access-Request to 172.16.1.5:34009 id 1645/62, len 177 May 3 15:01:08 172.31.2.3 129049: May 3 04:01:08.428: RADIUS: authenticator 27 AE A5 1B BE 46 9A 5A - F5 48 72 DD 3B BB 0D 95 May 3 15:01:08 172.31.2.3 129050: May 3 04:01:08.428: RADIUS: User-Name [1] 12 "172.21.2.5" May 3 15:01:08 172.31.2.3 129051: May 3 04:01:08.428: RADIUS: User-Password [2] 18 * May 3 15:01:08 172.31.2.3 129052: May 3 04:01:08.428: RADIUS: Framed-IP-Address [8] 6 172.21.2.5 May 3 15:01:08 172.31.2.3 129053: May 3 04:01:08.428: RADIUS: Vendor, Cisco [26] 19 May 3 15:01:08 172.31.2.3 129054: May 3 04:01:08.428: RADIUS: ssg-account-info [250] 13 "S172.21.2.5" May 3 15:01:08 172.31.2.3 129055: May 3 
04:01:08.428: RADIUS: NAS-Port-Type [61] 6 Virtual [5] May 3 15:01:08 172.31.2.3 129056: May 3 04:01:08.428: RADIUS: Vendor, Cisco [26] 17 May 3 15:01:08 172.31.2.3 129057: May 3 04:01:08.428: RADIUS: cisco-nas-port [2] 11 "0/0/1/232" May 3 15:01:08 172.31.2.3 129058: May 3 04:01:08.428: RADIUS: NAS-Port [5] 6 0 May 3 15:01:08 172.31.2.3 129059: May 3 04:01:08.428: RADIUS: NAS-Port-Id [87] 11 "0/0/1/232" May 3 15:01:08 172.31.2.3 129060: May 3 04:01:08.428: RADIUS: Service-Type [6] 6 Outbound [5] May 3 15:01:08 172.31.2.3 129061: May 3 04:01:08.428: RADIUS: NAS-IP-Address [4] 6 172.31.2.3 May 3 15:01:08 172.31.2.3 129062: May 3 04:01:08.428: RADIUS: Acct-Session-Id [44] 18 "B066A00A00001F4D" May 3 15:01:08 172.31.2.3 129063: May 3 04:01:08.428: RADIUS: Nas-Identifier [32] 26 "c7301.test.ru" May 3 15:01:08 172.31.2.3 129064: May 3 04:01:08.428: RADIUS: Event-Timestamp [55] 6 1336017668 May 3 15:01:08 172.31.2.3 129065: May 3 04:01:08.432: RADIUS(00001F53): Started 5 sec timeout May 3 15:01:08 172.31.2.3 129066: May 3 04:01:08.440: RADIUS: Received from id 1645/62 172.16.1.5:34009, Access-Accept, len 77 May 3 15:01:08 172.31.2.3 129067: May 3 04:01:08.440: RADIUS: authenticator 38 F1 2B F7 97 91 0D AB - BD A2 07 98 F3 17 AF 87 May 3 15:01:08 172.31.2.3 129068: May 3 04:01:08.440: RADIUS: Session-Timeout [27] 6 0 May 3 15:01:08 172.31.2.3 129069: May 3 04:01:08.440: RADIUS: Service-Type [6] 6 Framed [2] May 3 15:01:08 172.31.2.3 129070: May 3 04:01:08.440: RADIUS: Framed-Protocol [7] 6 PPP [1] May 3 15:01:08 172.31.2.3 129071: May 3 04:01:08.440: RADIUS: Framed-IP-Address [8] 6 88.88.88.2 May 3 15:01:08 172.31.2.3 129072: May 3 04:01:08.440: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.255 May 3 15:01:08 172.31.2.3 129073: May 3 04:01:08.440: RADIUS: Class [25] 6 May 3 15:01:08 172.31.2.3 129074: May 3 04:01:08.440: RADIUS: 33 39 39 32 [ 3992] May 3 15:01:08 172.31.2.3 129075: May 3 04:01:08.440: RADIUS: Acct-Interim-Interva[85] 6 60 May 3 15:01:08 172.31.2.3 129076: 
May 3 04:01:08.440: RADIUS: Vendor, Cisco [26] 15 May 3 15:01:08 172.31.2.3 129077: May 3 04:01:08.440: RADIUS: ssg-account-info [250] 9 "AISG-1M" May 3 15:01:08 172.31.2.3 129078: May 3 04:01:08.440: RADIUS(00001F53): Received from id 1645/62 May 3 15:01:08 172.31.2.3 129079: May 3 04:01:08.440: SSS AAA AUTHOR [uid:960]: Received an AAA pass May 3 15:01:08 172.31.2.3 129080: May 3 04:01:08.440: SSS AAA AUTHOR [uid:960]: Parsed AAA interim interval = 60 May 3 15:01:08 172.31.2.3 129081: May 3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: Service Name = ISG-1M Ok May 3 15:01:08 172.31.2.3 129082: May 3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: RULE: VRF Parsing routine: May 3 15:01:08 172.31.2.3 129083: timeout 0 (0x0) May 3 15:01:08 172.31.2.3 129084: service-type 2 [Framed] May 3 15:01:08 172.31.2.3 129085: Framed-Protocol 1 [PPP] May 3 15:01:08 172.31.2.3 129086: addr 88.88.88.2 May 3 15:01:08 172.31.2.3 129087: netmask 255.255.255.255 May 3 15:01:08 172.31.2.3 129088: ssg-account-info "AISG-1M" Вроде бы все прошло успешно, сервис передался, циска его опознала, радиус отдал еще и адрес реальный, но пока это не нужно. 
Что видим дальше: May 3 15:01:08 172.31.2.3 129089: May 3 04:01:08.440: SSS PM: VPDN is not enabled May 3 15:01:08 172.31.2.3 129090: May 3 04:01:08.440: SSS AAA AUTHOR [uid:960]: SIP Root parser not installed May 3 15:01:08 172.31.2.3 129091: May 3 04:01:08.440: SSS AAA AUTHOR [uid:960]: SIP IP[6291D32C] parsed as Success May 3 15:01:08 172.31.2.3 129092: May 3 04:01:08.440: SSS AAA AUTHOR [uid:960]: Event <service not found>, state changed from authorizing to complete May 3 15:01:08 172.31.2.3 129093: May 3 04:01:08.440: SSS AAA AUTHOR [uid:960]: No service authorization info found May 3 15:01:08 172.31.2.3 129094: May 3 04:01:08.440: SSS AAA AUTHOR [uid:960]: Active Handle present May 3 15:01:08 172.31.2.3 129095: May 3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: ACTIVE HANDLE[0]: Snapshot reverted from Active context to policy context May 3 15:01:08 172.31.2.3 129096: May 3 04:01:08.440: SSS AAA AUTHOR [uid:960]: Freeing Active Handle; SSS Policy Context Handle = 20C1C2D0 May 3 15:01:08 172.31.2.3 129097: May 3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: ACTIVE HANDLE[]: Released active handle May 3 15:01:08 172.31.2.3 129098: May 3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: PROFILE: store profile "172.21.2.5" May 3 15:01:08 172.31.2.3 129099: May 3 04:01:08.440: SSS PM: PROFILE-DB: is profile "172.21.2.5" in DB May 3 15:01:08 172.31.2.3 129100: May 3 04:01:08.440: SSS PM: PROFILE-DB: Computed hash value = 2201335683 May 3 15:01:08 172.31.2.3 129101: May 3 04:01:08.440: SSS PM: PROFILE-DB: No, add new list May 3 15:01:08 172.31.2.3 129102: May 3 04:01:08.440: SSS PM: PROFILE-DB: create "172.21.2.5" May 3 15:01:08 172.31.2.3 129103: May 3 04:01:08.440: SSS PM: PROFILE-DB: create "172.21.2.5"/20C5FF20 hdl A20006B6 ref 1 May 3 15:01:08 172.31.2.3 129104: May 3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: PROFILE: create 20C62660, ref 1 May 3 15:01:08 172.31.2.3 129105: May 3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: Handling Author Not Found Event May 3 15:01:08 
172.31.2.3 129106: May 3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: SIP info: 50B5C4BC access: IP info: IP apply May 3 15:01:08 172.31.2.3 129107: May 3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: Feature info: 641F0064 Type: IP Config May 3 15:01:08 172.31.2.3 129108: May 3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: : Config level: Per-user May 3 15:01:08 172.31.2.3 129109: May 3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: : IDB type: Sub-if or not required May 3 15:01:08 172.31.2.3 129110: May 3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: Feature info: 650E7880 Type: Abs Timeout : May 3 15:01:08 172.31.2.3 129111: May 3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: : Config level: Per-user May 3 15:01:08 172.31.2.3 129112: May 3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: : IDB type: Sub-if or not required May 3 15:01:08 172.31.2.3 129113: May 3 04:01:08.440: SSS PM [uid:960][20C1C2D0]: : 8 bytes: May 3 15:01:08 172.31.2.3 129114: SSS PM [uid:960][20C1C2D0]: : Data: 000000 00 00 00 00 00 00 00 00 ........ May 3 15:01:08 172.31.2.3 129115: May 3 04:01:08.440: SSS PM [20C1C620]: Create context 20C1C620 May 3 15:01:08 172.31.2.3 129116: May 3 04:01:08.440: SSS PM [20C1C620]: key lists to append are empty May 3 15:01:08 172.31.2.3 129117: May 3 04:01:08.440: SSS PM [20C1C620]: Authen status update; is now "unauthen" May 3 15:01:08 172.31.2.3 129118: May 3 04:01:08.440: SSS PM [20C1C620]: IDMGR: assert authen status "unauthen" May 3 15:01:08 172.31.2.3 129119: May 3 04:01:08.440: SSS PM [20C1C620]: SERVICE [iSG-1M]: Parent 20C1C2D0 May 3 15:01:08 172.31.2.3 129120: May 3 04:01:08.440: SSS PM [20C1C620]: SERVICE [iSG-1M]: Started yet? 
No May 3 15:01:08 172.31.2.3 129121: May 3 04:01:08.440: SSS PM [20C1C620]: IDMGR: service not started yet; can't update May 3 15:01:08 172.31.2.3 129122: May 3 04:01:08.440: SSS PM [20C1C620]: Did not update authen status May 3 15:01:08 172.31.2.3 129123: May 3 04:01:08.440: SSS PM [20C1C620]: Updated NAS port for AAA ID 8019 May 3 15:01:08 172.31.2.3 129124: May 3 04:01:08.440: SSS PM [20C1C620]: IDMGR: send event Session Update May 3 15:01:08 172.31.2.3 129125: May 3 04:01:08.440: SSS PM [20C1C620]: Updated key list: May 3 15:01:08 172.31.2.3 129126: May 3 04:01:08.444: SSS PM [20C1C620]: Logon-Service = "ISG-1M" May 3 15:01:08 172.31.2.3 129127: May 3 04:01:08.444: SSS PM [20C1C620]: Nasport = PPPoEoVLAN: slot 0 adapter 0 port 1 sub-interface 232 IP 172.31.2.3 VPI 0 VCI 0 VLAN 232 May 3 15:01:08 172.31.2.3 129128: May 3 04:01:08.444: SSS PM [20C1C620]: Access-Type = 11 (Web-service-logon) May 3 15:01:08 172.31.2.3 129129: May 3 04:01:08.444: SSS PM [20C1C620]: Authen-Status = 1 (Unauthenticated) May 3 15:01:08 172.31.2.3 129130: May 3 04:01:08.444: SSS PM [20C1C620]: Session-Handle = 1442844386 (56000EE2) May 3 15:01:08 172.31.2.3 129131: May 3 04:01:08.444: SSS PM [20C1C620]: Service Command-Handler Policy invoke - Service-Start May 3 15:01:08 172.31.2.3 129132: May 3 04:01:08.444: SSS PM [20C1C620]: Access type Web-service-logon May 3 15:01:08 172.31.2.3 129133: May 3 04:01:08.444: SSS PM [20C1C620]: RULE: Looking for a rule for event service-start May 3 15:01:08 172.31.2.3 129134: May 3 04:01:08.444: SSS PM [20C1C620]: RULE: Intf CloneSrc Gi0/1.232: service-rule any: ISG-CUSTOMERS-POLICY May 3 15:01:08 172.31.2.3 129135: May 3 04:01:08.444: SSS PM [20C1C620]: RULE: Evaluate "ISG-CUSTOMERS-POLICY" for service-start May 3 15:01:08 172.31.2.3 129136: May 3 04:01:08.444: SSS PM [20C1C620]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/ISG-IP-UNAUTH event timed-policy-expiry" May 3 15:01:08 172.31.2.3 129137: May 3 04:01:08.444: SSS PM [20C1C620]: RULE: Wrong type 
"ISG-CUSTOMERS-POLICY/always event quota-depleted" May 3 15:01:08 172.31.2.3 129138: May 3 04:01:08.444: SSS PM [20C1C620]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event credit-exhausted" May 3 15:01:08 172.31.2.3 129139: May 3 04:01:08.444: SSS PM [20C1C620]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event internal-event-cre-t-exp" May 3 15:01:08 172.31.2.3 129140: May 3 04:01:08.444: SSS PM [20C1C620]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event session-start" May 3 15:01:08 172.31.2.3 129141: May 3 04:01:08.444: SSS PM [20C1C620]: RULE: No match for "ISG-CUSTOMERS-POLICY" May 3 15:01:08 172.31.2.3 129142: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/ISG-IP-UNAUTH event timed-policy-expiry" May 3 15:01:08 172.31.2.3 129143: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event quota-depleted" May 3 15:01:08 172.31.2.3 129144: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event credit-exhausted" May 3 15:01:08 172.31.2.3 129145: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event internal-event-cre-t-exp" May 3 15:01:08 172.31.2.3 129146: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event session-start" May 3 15:01:08 172.31.2.3 129147: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: No match for "ISG-CUSTOMERS-POLICY" May 3 15:01:08 172.31.2.3 129148: May 3 04:01:08.444: SSS PM [20C1C620]: RULE: Intf AccessIE Gi0/1.232: service-rule any: ISG-CUSTOMERS-POLICY May 3 15:01:08 172.31.2.3 129149: May 3 04:01:08.444: SSS PM [20C1C620]: RULE: Evaluate "ISG-CUSTOMERS-POLICY" for service-start May 3 15:01:08 172.31.2.3 129150: May 3 04:01:08.444: SSS PM [20C1C620]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/ISG-IP-UNAUTH event timed-policy-expiry" May 3 15:01:08 172.31.2.3 129151: May 3 04:01:08.444: SSS PM [20C1C620]: 
RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event quota-depleted"
May 3 15:01:08 172.31.2.3 129152: May 3 04:01:08.444: SSS PM [20C1C620]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event credit-exhausted"
May 3 15:01:08 172.31.2.3 129153: May 3 04:01:08.444: SSS PM [20C1C620]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event internal-event-cre-t-exp"
May 3 15:01:08 172.31.2.3 129154: May 3 04:01:08.444: SSS PM [20C1C620]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event session-start"
May 3 15:01:08 172.31.2.3 129155: May 3 04:01:08.444: SSS PM [20C1C620]: RULE: No match for "ISG-CUSTOMERS-POLICY"
May 3 15:01:08 172.31.2.3 129156: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/ISG-IP-UNAUTH event timed-policy-expiry"
May 3 15:01:08 172.31.2.3 129157: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event quota-depleted"
May 3 15:01:08 172.31.2.3 129158: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event credit-exhausted"
May 3 15:01:08 172.31.2.3 129159: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event internal-event-cre-t-exp"
May 3 15:01:08 172.31.2.3 129160: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event session-start"
May 3 15:01:08 172.31.2.3 129161: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: No match for "ISG-CUSTOMERS-POLICY"
May 3 15:01:08 172.31.2.3 129162: May 3 04:01:08.444: SSS PM [20C1C620]: RULE: Glob: service-rule any: None
May 3 15:01:08 172.31.2.3 129163: May 3 04:01:08.444: SSS PM [uid:960][20C1C620]: RM/VPDN disabled: RM/VPDN author not needed
May 3 15:01:08 172.31.2.3 129164: May 3 04:01:08.444: SSS PM [uid:960][20C1C620]: AAA author needed for downloading service
May 3 15:01:08 172.31.2.3 129165: May 3 04:01:08.444: SSS PM [uid:960][20C1C620]: Received Service Request
May 3 15:01:08 172.31.2.3 129166: May 3 04:01:08.444: SSS PM [uid:960][20C1C620]: Event <init request>, State: initial-req to check-auth-needed
May 3 15:01:08 172.31.2.3 129167: May 3 04:01:08.444: SSS PM [uid:960][20C1C620]: Handling Authorization Check
May 3 15:01:08 172.31.2.3 129168: May 3 04:01:08.444: SSS PM [uid:960][20C1C620]: Check author needed
May 3 15:01:08 172.31.2.3 129169: May 3 04:01:08.444: SSS PM [uid:960][20C1C620]: Have keyset: Nasport, Session-Handle, Logon-Service, FM-Apply-Config, Authen-Status
May 3 15:01:08 172.31.2.3 129170: May 3 04:01:08.444: SSS PM [uid:960][20C1C620]: Want keyset: Logon-Service
May 3 15:01:08 172.31.2.3 129171: May 3 04:01:08.444: SSS PM [uid:960][20C1C620]: Do we have key: 'Logon-Service'?
May 3 15:01:08 172.31.2.3 129172: May 3 04:01:08.444: SSS PM [uid:960][20C1C620]: AAA author needed for downloading service
May 3 15:01:08 172.31.2.3 129173: May 3 04:01:08.444: SSS PM [uid:960][20C1C620]: Event <send auth>, State: check-auth-needed to authorizing
May 3 15:01:08 172.31.2.3 129174: May 3 04:01:08.444: SSS PM [uid:960][20C1C620]: Handling AAA service Authorization
May 3 15:01:08 172.31.2.3 129175: May 3 04:01:08.444: SSS PM [uid:960][20C1C620]: Sending AAA request for 'ISG-1M'
May 3 15:01:08 172.31.2.3 129176: May 3 04:01:08.444: SVM [iSG-1M]: needs downloading
May 3 15:01:08 172.31.2.3 129177: May 3 04:01:08.444: SSS PM [uid:960][20C1C620]: service "ISG-1M" not in cache; needs download
May 3 15:01:08 172.31.2.3 129178: May 3 04:01:08.444: SVM [89000ED7/ISG-1M]: allocated version 1
May 3 15:01:08 172.31.2.3 129179: May 3 04:01:08.444: SVM [89000ED7/ISG-1M]: [4B000E16]: client queued
May 3 15:01:08 172.31.2.3 129180: May 3 04:01:08.444: SVM [89000ED7/ISG-1M]: [PM-Download:4B000E16] locked 0->1
May 3 15:01:08 172.31.2.3 129181: May 3 04:01:08.444: SSS PM [uid:960][20C1C620]: download required
May 3 15:01:08 172.31.2.3 129182: May 3 04:01:08.444: SVM [89000ED7/ISG-1M]: [AAA-Download:64382368] locked 0->1
May 3 15:01:08 172.31.2.3 129183: May 3 04:01:08.444: SSS AAA AUTHOR [uid:960]: Root SIP IP
May 3 15:01:08 172.31.2.3 129184: May 3 04:01:08.444: SSS AAA AUTHOR [uid:960]: Enable IP parsing
May 3 15:01:08 172.31.2.3 129185: May 3 04:01:08.444: SSS AAA AUTHOR [uid:960]: Enable Web-service-logon parsing
May 3 15:01:08 172.31.2.3 129186: May 3 04:01:08.444: SSS PM [uid:960][20C1C620]: ACTIVE HANDLE[0]: Active context created
May 3 15:01:08 172.31.2.3 129187: May 3 04:01:08.444: SSS PM [uid:960][20C1C620]: ACTIVE HANDLE[0]: Snapshot captured in Active context
May 3 15:01:08 172.31.2.3 129188: May 3 04:01:08.444: SSS AAA AUTHOR [uid:960]: Event <make request>, state changed from idle to authorizing
May 3 15:01:08 172.31.2.3 129189: May 3 04:01:08.444: SSS AAA AUTHOR [uid:960]: Active key set to Apply-Service
May 3 15:01:08 172.31.2.3 129190: May 3 04:01:08.444: SSS AAA AUTHOR [uid:960]: Authorizing key ISG-1M
May 3 15:01:08 172.31.2.3 129191: May 3 04:01:08.444: AAA/AUTHOR (0x1F53): Pick method list 'default'
May 3 15:01:08 172.31.2.3 129192: May 3 04:01:08.444: SSS AAA AUTHOR [uid:960]: AAA request sent for key ISG-1M
May 3 15:01:08 172.31.2.3 129193: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Event <srvf not found>, State: authorizing to check-auth-needed
May 3 15:01:08 172.31.2.3 129194: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Handling Next Authorization Check
May 3 15:01:08 172.31.2.3 129195: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE[0]: Continue
May 3 15:01:08 172.31.2.3 129196: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE[0]: ISG-CUSTOMERS-POLICY/always event session-start/10 authorize aaa list ISG-AUTH-1 identifier source-ip-address
May 3 15:01:08 172.31.2.3 129197: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE[0]: Author finished
May 3 15:01:08 172.31.2.3 129198: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: State: check-auth-needed to initial-req
May 3 15:01:08 172.31.2.3 129199: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE[1]: Continue
May 3 15:01:08 172.31.2.3 129200: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE[1]: ISG-CUSTOMERS-POLICY/always event session-start/10 authorize aaa list ISG-AUTH-1 identifier source-ip-address
May 3 15:01:08 172.31.2.3 129201: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Authen status update; is now "authen"
May 3 15:01:08 172.31.2.3 129202: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: IDMGR: assert authen status "authen"
May 3 15:01:08 172.31.2.3 129203: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: IDMGR: send event Session Update
May 3 15:01:08 172.31.2.3 129204: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: IDMGR: with username "172.21.2.5"
May 3 15:01:08 172.31.2.3 129205: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Session activation: ok
May 3 15:01:08 172.31.2.3 129206: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE[1]: TAL authorization succesful, stop

The service was accepted successfully, and the session appears to have been activated.

May 3 15:01:08 172.31.2.3 129207: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE[2]: Continue
May 3 15:01:08 172.31.2.3 129208: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE[2]: ISG-CUSTOMERS-POLICY/always event session-start/10 authorize aaa list ISG-AUTH-1 identifier source-ip-address
May 3 15:01:08 172.31.2.3 129209: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: State: initial-req to check-auth-needed
May 3 15:01:08 172.31.2.3 129210: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE[2]: Give default directive
May 3 15:01:08 172.31.2.3 129211: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE[3]: Continue
May 3 15:01:08 172.31.2.3 129212: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE[3]: ISG-CUSTOMERS-POLICY/always event session-start/10 authorize aaa list ISG-AUTH-1 identifier source-ip-address
May 3 15:01:08 172.31.2.3 129213: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Event <srvf found>, State: check-auth-needed to wait-for-events
May 3 15:01:08 172.31.2.3 129214: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Handling Default Service
May 3 15:01:08 172.31.2.3 129215: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Looking for a rule for event session-default-service
May 3 15:01:08 172.31.2.3 129216: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Intf CloneSrc Gi0/1.232: service-rule any: ISG-CUSTOMERS-POLICY
May 3 15:01:08 172.31.2.3 129217: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Evaluate "ISG-CUSTOMERS-POLICY" for session-default-service
May 3 15:01:08 172.31.2.3 129218: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/ISG-IP-UNAUTH event timed-policy-expiry"
May 3 15:01:08 172.31.2.3 129219: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event quota-depleted"
May 3 15:01:08 172.31.2.3 129220: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event credit-exhausted"
May 3 15:01:08 172.31.2.3 129221: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event internal-event-cre-t-exp"
May 3 15:01:08 172.31.2.3 129222: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event session-start"
May 3 15:01:08 172.31.2.3 129223: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: No match for "ISG-CUSTOMERS-POLICY"
May 3 15:01:08 172.31.2.3 129224: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Intf AccessIE Gi0/1.232: service-rule any: ISG-CUSTOMERS-POLICY
May 3 15:01:08 172.31.2.3 129225: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Evaluate "ISG-CUSTOMERS-POLICY" for session-default-service
May 3 15:01:08 172.31.2.3 129226: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/ISG-IP-UNAUTH event timed-policy-expiry"
May 3 15:01:08 172.31.2.3 129227: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event quota-depleted"
May 3 15:01:08 172.31.2.3 129228: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event credit-exhausted"
May 3 15:01:08 172.31.2.3 129229: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event internal-event-cre-t-exp"
May 3 15:01:08 172.31.2.3 129230: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event session-start"
May 3 15:01:08 172.31.2.3 129231: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: No match for "ISG-CUSTOMERS-POLICY"
May 3 15:01:08 172.31.2.3 129232: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Glob: service-rule any: None
May 3 15:01:08 172.31.2.3 129233: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Providing Service
May 3 15:01:08 172.31.2.3 129234: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Policy reply - Local Terminate
May 3 15:01:08 172.31.2.3 129235: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Plumbing proposed by default, not FSP
May 3 15:01:08 172.31.2.3 129236: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Policy reply - Local Terminate
May 3 15:01:08 172.31.2.3 129237: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Plumbing proposed by default, not FSP
May 3 15:01:08 172.31.2.3 129238: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: Policy reply - Local Terminate
May 3 15:01:08 172.31.2.3 129239: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Looking for a rule for event session-service-found
May 3 15:01:08 172.31.2.3 129240: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Intf CloneSrc Gi0/1.232: service-rule any : ISG-CUSTOMERS-POLICY
May 3 15:01:08 172.31.2.3 129241: May 3 04:01:08.444: SSS PM [uid:960][20C1C2D0]: RULE: Evaluate "ISG-CUSTOMERS-POLICY" for session-service-found
May 3 15:01:08 172.31.2.3 129242: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/ISG-IP-UNAUTH event timed-policy-expiry"
May 3 15:01:08 172.31.2.3 129243: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event quota-depleted"
May 3 15:01:08 172.31.2.3 129244: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event credit-exhausted"
May 3 15:01:08 172.31.2.3 129245: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event internal-event-cre-t-exp"
May 3 15:01:08 172.31.2.3 129246: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event session-start"
May 3 15:01:08 172.31.2.3 129247: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE: No match for "ISG-CUSTOMERS-POLICY"
May 3 15:01:08 172.31.2.3 129248: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE: Intf AccessIE Gi0/1.232: service-rule any: ISG-CUSTOMERS-POLICY
May 3 15:01:08 172.31.2.3 129249: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE: Evaluate "ISG-CUSTOMERS-POLICY" for session-service-found
May 3 15:01:08 172.31.2.3 129250: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/ISG-IP-UNAUTH event timed-policy-expiry"
May 3 15:01:08 172.31.2.3 129251: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event quota-depleted"
May 3 15:01:08 172.31.2.3 129252: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event credit-exhausted"
May 3 15:01:08 172.31.2.3 129253: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event internal-event-cre-t-exp"
May 3 15:01:08 172.31.2.3 129254: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/always event session-start"
May 3 15:01:08 172.31.2.3 129255: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE: No match for "ISG-CUSTOMERS-POLICY"
May 3 15:01:08 172.31.2.3 129256: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: RULE: Glob: service-rule any: None
May 3 15:01:08 172.31.2.3 129257: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: Plumbing proposed by default, not FSP
May 3 15:01:08 172.31.2.3 129258: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: Policy reply - Local Terminate
May 3 15:01:08 172.31.2.3 129259: May 3 04:01:08.448: SSS MGR [uid:960]: Got reply Local Terminate from PM
May 3 15:01:08 172.31.2.3 129260: May 3 04:01:08.448: SSS MGR [uid:960]: Handling Connect Local Service action
May 3 15:01:08 172.31.2.3 129261: May 3 04:01:08.448: SSS LTERM [uid:960]: Processing Local termination request
May 3 15:01:08 172.31.2.3 129262: May 3 04:01:08.448: SSS LTERM [uid:960]: L3 session - IDB not required for service
May 3 15:01:08 172.31.2.3 129263: May 3 04:01:08.448: SSS LTERM [uid:960]: Segment provision successful
[b]May 3 15:01:08 172.31.2.3 129264: May 3 04:01:08.448: SSS AAA AUTHOR [uid:960]: Event <free request>, state changed from complete to terminal
May 3 15:01:08 172.31.2.3 129265: May 3 04:01:08.448: SSS AAA AUTHOR [uid:960]: Cancel request
May 3 15:01:08 172.31.2.3 129266: May 3 04:01:08.448: SSS LTERM [uid:960]: Switching session provisioned
May 3 15:01:08 172.31.2.3 129267: May 3 04:01:08.448: SSS MGR [uid:960]: Processing a client disconnect [/b]

Why the hell was the decision made to disconnect the client?
After that, naturally, the services get torn down and the redirect is applied:

May 3 15:01:08 172.31.2.3 129268: May 3 04:01:08.448: SSS MGR [uid:960]: Handling Send Service Disconnect action
May 3 15:01:08 172.31.2.3 129269: May 3 04:01:08.448: SSS MGR [uid:960]: Handling Disconnecting, Network Service Feature Clean action
May 3 15:01:08 172.31.2.3 129270: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: Received policy cancel
May 3 15:01:08 172.31.2.3 129271: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: Event <policy cancel>, State: wait-for-events to end
May 3 15:01:08 172.31.2.3 129272: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: Handling Action Ignore for <policy cancel>
May 3 15:01:08 172.31.2.3 129273: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: Destroy context 20C1C2D0
May 3 15:01:08 172.31.2.3 129274: May 3 04:01:08.448: SSS PM [uid:960][20C1C620]: Destroy context 20C1C620
May 3 15:01:08 172.31.2.3 129275: May 3 04:01:08.448: SVM [89000ED7/ISG-1M] ERROR: [4B000E16]: client bad remove
May 3 15:01:08 172.31.2.3 129276: May 3 04:01:08.448: SVM [89000ED7/ISG-1M]: [4B000E16]: client removed
May 3 15:01:08 172.31.2.3 129277: May 3 04:01:08.448: SVM [89000ED7/ISG-1M]: [PM-Download:4B000E16] unlocked 1->0
May 3 15:01:08 172.31.2.3 129278: May 3 04:01:08.448: SSS PM [uid:960][20C1C620]: PROFILE: destroy all config
May 3 15:01:08 172.31.2.3 129279: May 3 04:01:08.448: SSS PM: destroy all user profile info from policy context
May 3 15:01:08 172.31.2.3 129280: May 3 04:01:08.448: SSS PM [uid:960][20C1C620]: ACTIVE HANDLE[]: Released active handle
May 3 15:01:08 172.31.2.3 129281: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: PROFILE: destroy all config
May 3 15:01:08 172.31.2.3 129282: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: PROFILE: destroy 20C62660, ref 1
May 3 15:01:08 172.31.2.3 129283: May 3 04:01:08.448: SSS PM: PROFILE: decremented ref 20C62660, ref 0
May 3 15:01:08 172.31.2.3 129284: May 3 04:01:08.448: SSS PM: PROFILE-DB: destroy "172.21.2.5"/20C5FF20 hdl A20006B6 ref 1
May 3 15:01:08 172.31.2.3 129285: May 3 04:01:08.448: SSS PM: PROFILE-DB: destroy "172.21.2.5"
May 3 15:01:08 172.31.2.3 129286: May 3 04:01:08.448: SSS PM [uid:960][20C1C2D0]: Auto services not NULL - Freeing
May 3 15:01:08 172.31.2.3 129287: May 3 04:01:08.448: SSS PM: Policy Mgr handle [4B000E16] destroyed already
May 3 15:01:08 172.31.2.3 129288: May 3 04:01:08.448: SSS PM: Policy Mgr context is NULL
May 3 15:01:08 172.31.2.3 129289: May 3 04:01:08.448: SSS PM: AUTOSERVICE [iSG-1M]: Removing auto service entry from the parent policy context list
May 3 15:01:08 172.31.2.3 129290: May 3 04:01:08.448: SSS PM: destroy all user profile info from policy context
May 3 15:01:08 172.31.2.3 129291: May 3 04:01:08.448: SSS PM: destroy per-user info from policy context
May 3 15:01:08 172.31.2.3 129292: May 3 04:01:08.448: SSS MGR [uid:960]: Sending a Session End ID Mgr request
May 3 15:01:08 172.31.2.3 129293: May 3 04:01:08.448: SSS MGR [uid:960]: ID Mgr returned status: 'deleted' for Session End
May 3 15:01:08 172.31.2.3 129294: May 3 04:01:08.448: SSS PM: destroy per-user info from policy context

Please tell me where the mistake is; I've been racking my brain over this for a week.
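An added example, not part of the post above and not Cisco tooling: a trace this long is easier to read once the relayed debug lines are split apart and reduced to the state-machine steps of one session plus the few lines that report a failure. The function names and the marker phrases are assumptions of this example; the eight sample entries are copied from the trace above.

```python
import re

# Relay prefix in the paste: receive time, relaying host, IOS sequence
# number, then the router's own timestamp.
PREFIX = re.compile(r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ (?P<seq>\d+): "
                    r"[A-Z][a-z]{2} +\d{1,2} [\d:.]+: ")
# Debug body: component, optional [tag] groups, optional ERROR marker, message.
BODY = re.compile(r"(?P<comp>[A-Z][A-Za-z ]*?) ?(?P<tags>(?:\[[^\]]*\])*)"
                  r"(?P<err> ERROR)?: (?P<msg>.*)", re.S)
# Both spellings occur: "State: A to B" and "state changed from A to B".
TRANS = re.compile(r"Event <(?P<event>[^>]+)>, [Ss]tate(?: changed from|:) "
                   r"(?P<src>[\w-]+) to (?P<dst>[\w-]+)")
# Assumption: phrases picked for this example, not a Cisco-defined list.
MARKERS = re.compile(r"not found|disconnect|bad remove", re.I)

def parse(blob):
    """Split a run-together paste into entries; text before the first prefix is dropped."""
    hits = list(PREFIX.finditer(blob))
    entries = []
    for m, nxt in zip(hits, hits[1:] + [None]):
        body = blob[m.end():(nxt.start() if nxt else len(blob))].strip()
        b = BODY.match(body)
        if not b:  # e.g. "AAA/AUTHOR (0x1F53): ..." has a different layout
            continue
        tags = re.findall(r"\[([^\]]*)\]", b["tags"])
        entries.append({
            "seq": int(m["seq"]), "comp": b["comp"], "msg": b["msg"],
            "error": bool(b["err"]),
            "uid": next((t[4:] for t in tags if t.startswith("uid:")), None),
            # second tag on SSS PM lines: the policy context handle
            "ctx": next((t for t in tags if re.fullmatch(r"[0-9A-F]{8}", t)), None),
        })
    return entries

def transitions(entries, uid):
    """State-machine steps for one subscriber session, in sequence order."""
    rows = []
    for e in sorted(entries, key=lambda e: e["seq"]):
        t = TRANS.search(e["msg"])
        if t and e["uid"] == uid:
            rows.append((e["seq"], e["comp"], e["ctx"], t["event"], t["src"], t["dst"]))
    return rows

def flagged(entries):
    """Entries carrying ERROR or one of the marker phrases, for any session."""
    return [(e["seq"], e["comp"], e["msg"]) for e in entries
            if e["error"] or MARKERS.search(e["msg"])]

# Eight entries copied from the trace above, re-joined into one run as pasted.
ROWS = [
    (129166, 444, "SSS PM [uid:960][20C1C620]: Event <init request>, State: initial-req to check-auth-needed"),
    (129173, 444, "SSS PM [uid:960][20C1C620]: Event <send auth>, State: check-auth-needed to authorizing"),
    (129193, 444, "SSS PM [uid:960][20C1C2D0]: Event <srvf not found>, State: authorizing to check-auth-needed"),
    (129213, 444, "SSS PM [uid:960][20C1C2D0]: Event <srvf found>, State: check-auth-needed to wait-for-events"),
    (129264, 448, "SSS AAA AUTHOR [uid:960]: Event <free request>, state changed from complete to terminal"),
    (129267, 448, "SSS MGR [uid:960]: Processing a client disconnect"),
    (129271, 448, "SSS PM [uid:960][20C1C2D0]: Event <policy cancel>, State: wait-for-events to end"),
    (129275, 448, "SVM [89000ED7/ISG-1M] ERROR: [4B000E16]: client bad remove"),
]
SAMPLE = " ".join(f"May 3 15:01:08 172.31.2.3 {s}: May 3 04:01:08.{ms}: {b}"
                  for s, ms, b in ROWS)

if __name__ == "__main__":
    log = parse(SAMPLE)
    for row in transitions(log, "960") + flagged(log):
        print(row)
```

Grouping the transitions by the context handle in the third column separates the steps of the service-download context from those of the session context, which the raw trace interleaves.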
wonder Posted January 29, 2015

Sorry for reviving an old thread, but I have a similar problem. I pull the services from RADIUS. Here is a downloaded service with a rate limit on the 7206 (the rate is limited, everything works):

Service "INET100":
  Version 1:
    SVM ID : 72000005
    Child ID : A0000006
    Locked by : SVM-Printer [1]
    Locked by : PM-Service [1]
    Locked by : PM-Info [1]
    Locked by : FM-Bind [1]
    Locked by : TC-Child [1]
    Locked by : Accounting-Feature [1]
    Profile : 50DA05C4
    Profile name: INET100, 4 references
      username "INET100"
      service-type 5 [Outbound]
      timeout 86400 (0x15180)
      traffic-class "in access-group 196 priority 200"
      traffic-class "out access-group 196 priority 200"
      traffic-class "in default drop"
      traffic-class "out default drop"
      accounting-list "PPPOE"
      ssg-service-info "IINET100"
      ssg-service-info "QD;2000000"
      ssg-service-info "QU;2000000"
    Feature : TC
    Feature IDB type : Sub-if or not required
    Feature Data : 28 bytes:
    : 000000 00 00 A0 00 00 06 00 00 ........
    : 000008 00 C8 01 00 00 00 64 95 ......d.
    : 000010 47 64 00 00 00 C8 01 00 gd......
    : 000018 00 00 21 83 ..!.
  Version 1:
    SVM ID : A0000006
    Parent ID : 72000005
    Locked by : SVM-Printer [1]
    Locked by : FM-Bind [1]
    Locked by : SM-SIP-Apply [1]
    Locked by : TC-Parent [1]
    Feature : Abs Timeout
    Feature IDB type : Sub-if or not required
    Feature Data : 8 bytes:
    : 000000 00 00 05 26 5C 00 00 00 ...&\...
    Feature : Accounting
    Feature IDB type : Sub-if or not required
    Feature Data : 24 bytes:
    : 000000 00 00 72 00 00 05 51 60 ..r...q`
    : 000008 48 54 00 00 04 0F 00 00 ht......
    : 000010 00 01 00 00 00 00 00 00 ........

The same service on the 7606 looks like this:

Service "INET100":
  Version 1:
    SVM ID : 5700001D
    Locked by : SVM-Printer [1]
    Locked by : PM-Service [1]
    Locked by : PM-Info [1]
    Locked by : FM-Bind [1]
    Feature : Abs Timeout
    Feature IDB type : Sub-if or not required
    Feature Data : 8 bytes:
    : 000000 00 00 05 26 5C 00 00 00 ...&\...
    Feature : Accounting
    Feature IDB type : Sub-if or not required
    Feature Data : 24 bytes:
    : 000000 00 00 57 00 00 1D 22 6C ..w..."l
    : 000008 2F 04 00 00 00 00 00 00 /.......
    : 000010 00 00 00 00 00 00 00 00 ........

Naturally, the rate is not limited, and accounting for the service does not start either. Yet the service is authorized on the BRAS. Where should I dig?
furai Posted January 30, 2015

AFAIR the 7600 can't do PPPoE, let alone ISG, without SIP/ES service cards. Do you have them?
wonder Posted February 3, 2015

Yes, I forgot to mention. ES20-D3C and SIP-400 are installed. PPPoE currently works; RADIUS sends down the names of the local policies applied for rate limiting. I would like to move to a scheme with ISG services. I did not see any particular restrictions for my configuration here: http://www.cisco.com/c/en/us/td/docs/ios/isg/configuration/guide/15_0s/isg_15_0s_book/isg_sub_aware_enet.html#wp1074579

Maybe someone has a working installation?
g3fox Posted February 3, 2015

A colleague here has a BRAS on a 7604. Try writing to him.
furai Posted February 4, 2015

OK, and what do debug subscriber error and debug radius say?