
Cisco ASR, ISG redirect to server group

Good day, colleagues!

After migrating from an ESR to an ASR I ran into a problem: the redirect is not removed after the subscriber's web authentication.

This is what the policies look like:

policy-map type control ISG-test
class type control UNAUTH event timed-policy-expiry
 1 service disconnect
!
class type control SESS-RESTART event timed-policy-expiry
 1 service disconnect
!
class type control always event session-start
 30 service-policy type service name L4REDIRECT
 40 set-timer UNAUTH 3
!
class type control always event account-logon
 10 authenticate aaa list ISG
 11 service-policy type service unapply name L4REDIRECT
 30 set-timer SESS-RESTART 30
!
class type control always event account-logoff
 1 service disconnect
!
class type control always event session-restart
 30 service-policy type service name L4REDIRECT
 40 set-timer UNAUTH 3
!
!
!
policy-map type service L4REDIRECT
30 class type traffic L4K
 redirect to group PORTAL
!
!
class-map type traffic match-any L4K
match access-group input 151
! 
access-list 151 permit tcp any any eq 443
access-list 151 permit tcp any any eq www
access-list 151 permit tcp any any eq 8080
access-list 151 permit tcp any any eq 3128
access-list 151 permit tcp any any eq 8090
access-list 151 permit tcp any any eq 8085
access-list 151 permit tcp any any eq 8091
access-list 151 permit tcp any any eq 8092
access-list 151 permit tcp any any eq 8093
access-list 151 permit tcp any any eq 8094
access-list 151 permit tcp any any eq 8095
access-list 151 permit tcp any any eq 8096
!

And here is the interface itself:

interface TenGigabitEthernet0/2/0.23
description -WiFi-free-area-
encapsulation dot1Q 23
vrf forwarding Inet
ip address 172.19.0.2 255.255.255.252
no ip unreachables
no ip route-cache same-interface
service-policy type control ISG-test
ip subscriber routed
 initiator unclassified ip-address

 

And here is the subscriber after authentication:

Type: IP, UID: 3238, State: authen, Identity: wifigorptus
IPv4 Address: 172.19.1.202 
Session Up-time: 00:10:45, Last Changed: 00:10:36
Switch-ID: 11189033

Policy information:
 Context 7FFAC22FDE50: Handle A8020D73
 AAA_id 00042250: Flow_handle 0
 Authentication status: authen
 Downloaded User profile, excluding services:
   idletime             0   1800 (0x708)
   accounting-list      0   "masterRAD"
   ssg-account-info     0   "ip:vrf-id=Inet"
 Downloaded User profile, including services:
   idletime             0   1800 (0x708)
   accounting-list      0   "masterRAD"
   ssg-account-info     0   "ip:vrf-id=Inet"
   service-type         0   5 [Outbound]
   traffic-class        0   "in access-group name tb-night-in priority 10"
   traffic-class        0   "out access-group name tb-night-out priority 10"
   ssg-service-info     0   "QU;5240000;1095540;2191080;D;5240000;1095540;2191080"
 Config history for session (recent to oldest):
   Access-type: Web-user-logon Client: Service Command-Handler
    Policy event: Auto Services Downloaded (Unapplied) (Service)
     Profile name: L4REDIRECT, 2 references 
       password             0   <hidden>
       username             0   "L4REDIRECT"
       clid-mac-addr        0   00 0D 66 94 B0 00 
       traffic-class        0   "input access-group 151 priority 30"
       l4redirect           0   "redirect to group PORTAL"
   Access-type: Web-service-logon Client: Account Command-Handler
    Policy event: Got More Keys (Service)
     Profile name: 5M-N, 258 references 
       service-type         0   5 [Outbound]
       traffic-class        0   "in access-group name tb-night-in priority 10"
       traffic-class        0   "out access-group name tb-night-out priority 10"
       accounting-list      0   "masterRAD"
       ssg-service-info     0   "QU;5240000;1095540;2191080;D;5240000;1095540;2191080"
   Access-type: Web-service-logon Client: Account Command-Handler
    Policy event: Got More Keys (Service)
     Profile name: 1M-D, 34 references 
       service-type         0   5 [Outbound]
       traffic-class        0   "in access-group name tb-day-in priority 20"
       traffic-class        0   "out access-group name tb-day-out priority 20"
       accounting-list      0   "masterRAD"
       ssg-service-info     0   "QU;1128000;211200;422400;D;1128000;211200;422400"
   Access-type: Web-user-logon Client: Account Command-Handler
    Policy event: Got More Keys
     Profile name: wifigorptus, 3 references 
       idletime             0   1800 (0x708)
       accounting-list      0   "masterRAD"
       ssg-account-info     0   "ip:vrf-id=Inet"
   Access-type: IP Client: SM
    Policy event: Service Selection Request (Service)
     Profile name: L4REDIRECT, 7 references 
       password             0   <hidden>
       username             0   "L4REDIRECT"
       traffic-class        0   "input access-group 151"
       l4redirect           0   "redirect to group PORTAL"
 Active services associated with session:
   name "5M-N"
   name "1M-D"
 Rules, actions and conditions executed:
   subscriber rule-map ISG-test
     condition always event session-start
       30 service-policy type service name L4REDIRECT
       40 set-timer UNAUTH 3
   subscriber rule-map ISG-test
     condition always event account-logon
       10 authenticate aaa list ISG 
   subscriber rule-map default-internal-rule
     condition always event service-start
       1 service-policy type service identifier service-name
   subscriber rule-map default-internal-rule
     condition always event service-start
       1 service-policy type service identifier service-name
   subscriber rule-map ISG-test
     condition always event account-logon
       11 service-policy type service unapply name L4REDIRECT
       30 set-timer SESS-RESTART 30
       subscriber condition-map match-all UNAUTH
         match identifier timer UNAUTH [TRUE]
         match identifier authen-status unauthenticated [FALSE]
   subscriber rule-map ISG-test
     condition UNAUTH event timed-policy-expiry
       subscriber condition-map match-all SESS-RESTART
         match identifier timer SESS-RESTART [FALSE]
   subscriber rule-map ISG-test
     condition SESS-RESTART event timed-policy-expiry
       subscriber condition-map match-all UNAUTH
         match identifier timer UNAUTH [TRUE]
         match identifier authen-status unauthenticated [FALSE]
   subscriber rule-map ISG-test
     condition UNAUTH event timed-policy-expiry
       subscriber condition-map match-all SESS-RESTART
         match identifier timer SESS-RESTART [FALSE]
   subscriber rule-map ISG-test
     condition SESS-RESTART event timed-policy-expiry

Classifiers:
Class-id    Dir   Packets    Bytes                  Pri.  Definition
0           In    1627       109670                 0    Match Any
1           Out   2389       2844973                0    Match Any
36          In    0          0                      10   Match ACL tb-night-in
37          Out   0          0                      10   Match ACL tb-night-out
52          In    973        55449                  20   Match ACL tb-day-in
53          Out   2068       2422851                20   Match ACL tb-day-out
250         In    475        43369                  0    Match ACL 151

Features:

Idle Timeout:
Class-id   Dir  Timeout value   Idle-Time            Source
1          Out  1800            00:01:08             Peruser

Accounting:
Class-id   Dir  Packets    Bytes                 Source
0          In   1403       94928                 Peruser
1          Out  1857       2108501               Peruser
36         In   0          0                     5M-N
37         Out  0          0                     5M-N
52         In   973        55449                 1M-D
53         Out  1857       2108501               1M-D

L4 Redirect:
Class-id   Rule cfg  Definition                               Source
250        #1   SVC  to group PORTAL                          L4REDIRECT

Policing: 
Class-id   Dir  Avg. Rate   Normal Burst  Excess Burst Source
36         In   5240000     1095540       2191080      5M-N
37         Out  5240000     1095540       2191080      5M-N
52         In   1128000     211200        422400       1M-D
53         Out  1128000     211200        422400       1M-D

Configuration Sources:
Type  Active Time  AAA Service ID  Name
SVC   00:10:36     3623881403      5M-N
SVC   00:10:36     2835354906      1M-D
SVC   00:10:45     -               L4REDIRECT
USR   00:10:36     -               Peruser
INT   00:10:45     -               TenGigabitEthernet0/2/0.23

 

According to the logic of the ISG-test policy, the L4REDIRECT service is removed after authentication. But in reality this does not happen: all traffic matching L4K is redirected to the portal. Pings and DNS queries, meanwhile, go through to the real addresses just fine.

On the ESR it worked like clockwork. Apparently something on my side just isn't working. Give me a kick in the right direction, please.

Software: IOS XE Version: 03.06.00.S
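The symptom in the dump above (session state `authen`, yet the "L4 Redirect" feature and the L4REDIRECT entry under "Configuration Sources" are still present) can be checked mechanically across many sessions. The following Python script is an added example, not code from the original post or from Cisco: it parses the `show subscriber session` text in the form pasted above and flags an authenticated session that still carries a redirect from the L4REDIRECT service. The two embedded dumps are constructed, trimmed copies of the thread's output; the unauthenticated one is assumed for contrast and represents the state in which a redirect is expected.

```python
import re

# Constructed sample, not captured from a device: a trimmed copy of the
# `show subscriber session` dump pasted in the post above.
AUTHENTICATED_DUMP = """\
Type: IP, UID: 3238, State: authen, Identity: wifigorptus
IPv4 Address: 172.19.1.202
Session Up-time: 00:10:45, Last Changed: 00:10:36

Features:

L4 Redirect:
Class-id   Rule cfg  Definition                               Source
250        #1   SVC  to group PORTAL                          L4REDIRECT

Configuration Sources:
Type  Active Time  AAA Service ID  Name
SVC   00:10:36     3623881403      5M-N
SVC   00:10:36     2835354906      1M-D
SVC   00:10:45     -               L4REDIRECT
USR   00:10:36     -               Peruser
INT   00:10:45     -               TenGigabitEthernet0/2/0.23
"""

# Constructed (assumed) sample: the same session before web logon, where the
# redirect from L4REDIRECT is expected and must not be reported.
UNAUTHENTICATED_DUMP = """\
Type: IP, UID: 3238, State: unauthen, Identity: 172.19.1.202
IPv4 Address: 172.19.1.202

L4 Redirect:
Class-id   Rule cfg  Definition                               Source
250        #1   SVC  to group PORTAL                          L4REDIRECT

Configuration Sources:
Type  Active Time  AAA Service ID  Name
SVC   00:00:05     -               L4REDIRECT
INT   00:00:05     -               TenGigabitEthernet0/2/0.23
"""

# First line of every session block in the dump.
HEADER_RE = re.compile(r"^Type: (\S+), UID: (\d+), State: (\S+), Identity: (\S+)")


def parse_session(text):
    """Extract state, identity, installed L4 redirects and configuration sources."""
    info = {"uid": None, "state": None, "identity": None,
            "redirects": [], "sources": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            info["uid"], info["state"], info["identity"] = int(m.group(2)), m.group(3), m.group(4)
            continue
        if not line:
            continue
        if line.endswith(":"):
            # "L4 Redirect:", "Configuration Sources:", ... open a new section
            section = line[:-1]
            continue
        cols = line.split()
        if section == "L4 Redirect" and cols[0] != "Class-id":
            # columns: class-id, rule, cfg, definition (free text), source
            info["redirects"].append({"class_id": int(cols[0]),
                                      "definition": " ".join(cols[3:-1]),
                                      "source": cols[-1]})
        elif section == "Configuration Sources" and cols[0] != "Type":
            # columns: type, active time, AAA service id, name
            info["sources"].append({"type": cols[0], "name": cols[-1]})
    return info


def stale_redirects(info, redirect_service="L4REDIRECT"):
    """Redirect entries that should no longer exist: the session is authenticated,
    yet an L4 redirect from the redirect service is still installed and that
    service is still listed as an active SVC configuration source."""
    if info["state"] != "authen":
        return []
    still_sourced = any(s["type"] == "SVC" and s["name"] == redirect_service
                        for s in info["sources"])
    return [r for r in info["redirects"]
            if r["source"] == redirect_service and still_sourced]


def check_dump(text):
    """Return a one-line verdict for one session dump plus the parsed details."""
    info = parse_session(text)
    stale = stale_redirects(info)
    if stale:
        verdict = ("UID %d (%s): authenticated but class %d still redirected %s via %s"
                   % (info["uid"], info["identity"], stale[0]["class_id"],
                      stale[0]["definition"], stale[0]["source"]))
    else:
        verdict = ("UID %d (%s): state %s, no stale redirect"
                   % (info["uid"], info["identity"], info["state"]))
    return verdict, info


if __name__ == "__main__":
    for dump in (AUTHENTICATED_DUMP, UNAUTHENTICATED_DUMP):
        print(check_dump(dump)[0])
```

Feeding the full `show subscriber session` output of a box into `check_dump` one session block at a time gives a quick inventory of subscribers who passed web logon yet are still being redirected, which is easier to track over time than reading the dump by eye.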


Hello, colleague.

Was the problem resolved in the end?


Doesn't the redirect's priority override the night and day services?


> Doesn't the redirect's priority override the night and day services?

Not at all. The traffic-class for L4REDIRECT has priority 30, that is, lower than day/night. Anyway, it all got resolved on this topic, but how exactly, a year later, I no longer remember :)
