infery Posted September 5, 2014 · Report post Доброй пятницы. Второй день бьюсь над проблемой, не могу решить. Есть брас cisco ASR 1002 с ISG, все настроено и работает, кроме, конечно же, CoA. Вот конфиг ISG aaa new-model ! ! aaa group server radius ISG-RADIUS server name LANBILLING ! aaa authentication login ISG-AUTH-1 group ISG-RADIUS aaa authorization network ISG-AUTH-1 group ISG-RADIUS aaa authorization subscriber-service default local group ISG-RADIUS ! ! ! ! aaa server radius dynamic-author client 3.3.3.10 server-key KEY port 3799 ignore session-key ignore server-key ! aaa session-id common class-map type traffic match-any CLASS-PERMITED-DEST match access-group input name PERMITED-DEST match access-group output name PERMITED-DEST ! class-map type traffic match-any CLASS-REDIRECTOR match access-group input name ACL-FOR-REDIRECT match access-group output name ACL-FOR-REDIRECT ! class-map type traffic match-any CLASS-BILLING-DOWN match access-group input name ACL-BILLING-DOWN match access-group output name ACL-BILLING-DOWN ! class-map type control match-all ISG-IP-UNAUTH match authen-status unauthenticated match timer UNAUTH-TIMER ! class-map type control match-any SUBSCRIBER-NETWORKS match source-ip-address 100.67.0.0 255.255.255.0 ! policy-map type service REDIRECT-SERVICE 1 class type traffic CLASS-REDIRECTOR redirect to group GROUP-REDIRECT ! class type traffic default input drop ! ! policy-map type service SERVICE-PERMITED-DEST 1 class type traffic CLASS-PERMITED-DEST police input 1000000000 police output 1000000000 ! class type traffic default input drop ! ! policy-map type service SERVICE-BILLING-DOWN class type traffic CLASS-BILLING-DOWN police input 20000000 police output 20000000 ! class type traffic default input drop ! ! policy-map type service PBHK ip portbundle ! policy-map type control ISG-CUSTOMER-POLICY class type control ISG-IP-UNAUTH event timed-policy-expiry 1 service disconnect ! class type control SUBSCRIBER-NETWORKS event session-start 10 authorize aaa list ISG-AUTH-1 password 100.67.0.61 identifier source-ip-address ! class type control SUBSCRIBER-NETWORKS event access-reject 5 set-timer UNAUTH-TIMER 3 10 service-policy type service name SERVICE-PERMITED-DEST 20 service-policy type service name REDIRECT-SERVICE ! class type control SUBSCRIBER-NETWORKS event radius-timeout 10 service-policy type service name SERVICE-BILLING-DOWN ! ! [b]bras#show subscriber session detailed[/b] Current Subscriber Information: Total sessions 1 -------------------------------------------------- Type: IPv4, UID: 24, State: authen, Identity: 100.67.0.61 IPv4 Address: 100.67.0.61 Session Up-time: 02:36:14, Last Changed: 02:36:14 Switch-ID: 4189 Policy information: Context 4384BC08: Handle 6900003C AAA_id 00000024: Flow_handle 0 Authentication status: authen Downloaded User profile, excluding services: timeout 0 86400 (0x15180) service-type 0 5 [Outbound] addr 0 100.67.0.61 netmask 0 255.255.255.255 ssg-account-info 0 "QU;30720000;576000;1152000;D;30720000;576000;1152000" Downloaded User profile, including services: timeout 0 86400 (0x15180) service-type 0 5 [Outbound] addr 0 100.67.0.61 netmask 0 255.255.255.255 ssg-account-info 0 "QU;30720000;576000;1152000;D;30720000;576000;1152000" Config history for session (recent to oldest): Access-type: IP Client: SM Policy event: Service Selection Request Profile name: 100.67.0.61, 2 references timeout 0 86400 (0x15180) service-type 0 5 [Outbound] addr 0 100.67.0.61 netmask 0 255.255.255.255 ssg-account-info 0 "QU;30720000;576000;1152000;D;30720000;576000;1152000" Rules, actions and conditions executed: subscriber condition-map match-any SUBSCRIBER-NETWORKS match identifier source-ip-address 100.67.0.0 255.255.255.0 [TRUE] subscriber rule-map ISG-CUSTOMER-POLICY condition SUBSCRIBER-NETWORKS event session-start 10 authorize aaa list ISG-AUTH-1 identifier source-ip-address Classifiers: Class-id Dir Packets Bytes Pri. Definition 0 In 53755 34902113 0 Match Any 1 Out 70173 59548994 0 Match Any Template Id : 11 Features: Absolute Timeout: Class-id Timeout Value Time Remaining Source 0 86400 21:23:45 Peruser Policing: Class-id Dir Avg. Rate Normal Burst Excess Burst Source 0 In 30720000 576000 1152000 Peruser 1 Out 30720000 576000 1152000 Peruser Configuration Sources: Type Active Time AAA Service ID Name USR 02:36:14 - Peruser INT 02:36:14 - GigabitEthernet0/0/1 Посылаю с помощью radclient любой CoA запрос и получаю NAK echo User-Name="100.67.0.61",Acct-Session-Id=24,Cisco-Account-Info="S100.67.0.61",cisco-ssg-service-info="QU;1000;D;1000"| radclient -x 3.3.3.4:3799 coa KEY Как только не пробовал, хотя бы добиться ACK. Тип подключения IPoE. Подскажите, пожалуйста, куда копать. Вставить ник Quote Ответить с цитированием Share this post Link to post Share on other sites More sharing options...