Marg Posted September 17, 2014

Hello. Please help. An ISG session won't come up:

    policy-map type control isg
     class type control always event session-restart
      10 authorize aaa list ipoe password cisco identifier circuit-id plus remote-id
      20 set-timer UNAUTH-TIMER 1
     !
     class type control always event session-start
      10 authorize aaa list ipoe password cisco identifier circuit-id plus remote-id
      20 set-timer UNAUTH-TIMER 1
     !
    !
    interface TenGigabitEthernet0/0/0.1
     service-policy type control isg
     ip subscriber routed
      initiator dhcp

At the same time, an "unclassified ip-address" session with "authorize aaa list ipoe password cisco identifier source-ip-address" comes up fine on any reply from RADIUS (unsuccessful replies as unauthen). The request to RADIUS goes out with circuit-id:remote-id in the User-Name field... But I don't see any sessions on the Cisco.... What could it be?
furai Posted September 19, 2014

Did you turn on debugging? And have you tried ip subscriber connected or l2-connected (I don't remember the exact wording) with initiator dhcp?
Alex/AT Posted September 19, 2014

Authorized, fine, but where is the service? Add service local to session-start/session-restart for a start. If it comes up, debug the attachment of services from RADIUS; otherwise leave it as is.
Marg Posted September 20, 2014 (edited)

l2-connected works... But it's not suitable, because behind the interface there is an L3 network with many switches that send option 82 to the Cisco in DHCP relay requests. I removed the services for now, since it is precisely the session that doesn't come up; services get attached later anyway... It doesn't come up even during authorization, while requests are being sent to RADIUS. In the debug:

    DHCPD: Reload workspace interface TenGigabitEthernet0/0/0.1 tableid 0.
    DHCPD: tableid for 172.16.1.1 on TenGigabitEthernet0/0/0.1 is 0
    DHCPD: client's VPN is .
    DHCPD: using received relay info.
    DHCPD: Sending notification of DISCOVER:
    DHCPD: htype 1 chaddr 2cab.253b.9b53
    DHCPD: remote id 00063408043a3f10
    DHCPD: circuit id 0004012d0012
    DHCPD: giaddr = 172.16.101.15
    DHCPD: interface = TenGigabitEthernet0/0/0.1
    DHCPD: class id 756468637020302e392e38
    DHCPD: DHCPDISCOVER received from client 012c.ab25.3b9b.53 through relay 172.16.101.15.
    DHCPD: using received relay info.
    DHCPD: Sending notification of DISCOVER:
    DHCPD: htype 1 chaddr 2cab.253b.9b53
    DHCPD: remote id 00063408043a3f10
    DHCPD: circuit id 0004012d0012
    DHCPD: giaddr = 172.16.101.15
    DHCPD: interface = TenGigabitEthernet0/0/0.1
    DHCPD: class id 756468637020302e392e38
    AAA/BIND(00BA4FBF): Bind i/f
    AAA/BIND(00BA4FBF): Bind i/f TenGigabitEthernet0/0/0.1
    Adding mac 2cab.253b.9b53 to SIP common DB
    Added mac 2cab.253b.9b53 to SIP common DB
    DHCPD: FSM state change WAIT-FOR-CONFIG
    DHCPD: Workspace state changed from INIT to WAIT-FOR-CONFIG
    DHCPD: Saving workspace (ID=0x910004FD)
    DHCPD: New packet workspace 0x7F85E92E7940 (ID=0x5F0004FF)
    SSS AAA AUTHOR [uid:5089]: using named author method list "ipoe"
    SSS AAA AUTHOR [uid:5089]: using set aaa password "cisco"
    SSS AAA AUTHOR [uid:5089]: Root SIP DHCP
    SSS AAA AUTHOR [uid:5089]: Enable IP parsing
    SSS AAA AUTHOR [uid:5089]: Enable DHCP parsing
    SSS AAA AUTHOR [uid:5089]: Enable IP-Interface parsing
    SSS AAA AUTHOR [uid:5089]: Event <make request>, state changed from idle to authorizing
    SSS AAA AUTHOR [uid:5089]: Active key set to combo_keys
    SSS AAA AUTHOR [uid:5089]: Authorizing key 0004012d0012:00063408043a3f10
    AAA/AUTHOR (0xBA4FBF): Pick method list 'ipoe'
    SSS AAA AUTHOR [uid:5089]: Set authorization profile type default - user
    SSS AAA AUTHOR [uid:5089]: AAA request sent for key 0004012d0012:00063408043a3f10
    RADIUS/ENCODE(00BA4FBF):Orig. component type = Iedge DHCP SIP
    RADIUS: Format E value 0xE8E3A13 for character U with bitmask 0xFFFFFFFF
    RADIUS: Format E port 0xE8E3A13 with bit 32 processed
    RADIUS(00BA4FBF): Config NAS IPv6: ::
    RADIUS/ENCODE(00BA4FBF): acct_session_id: 244202006
    RADIUS/ENCODE(00BA4FBF): Acct-session-id pre-pended with Nas Port = 0/0/0/1
    RADIUS(00BA4FBF): sending
    RADIUS(00BA4FBF): Send Access-Request to 172.16.10.133:1812 id 1645/162, len 278
    RADIUS: authenticator F4 65 F5 C3 66 5F 13 05 - EB B4 FF 5E FD F5 89 B9
    RADIUS: User-Name [1] 31 "0004012d0012:00063408043a3f10"
    RADIUS: User-Password [2] 18 *
    RADIUS: Calling-Station-Id [31] 14 "2cab253b9b53"
    RADIUS: NAS-Port-Type [61] 6
    RADIUS: Vendor, Cisco [26] 17
    RADIUS: cisco-nas-port [2] 11 "0/0/0/1"
    RADIUS: NAS-Port [5] 6 244202003
    RADIUS: NAS-Port-Id [87] 11 "0/0/0/1"
    RADIUS: Vendor, Cisco [26] 35
    RADIUS: Cisco AVpair [1] 29 "circuit-id-tag=0004012d0012"
    RADIUS: Vendor, Cisco [26] 38
    RADIUS: Cisco AVpair [1] 32 "remote-id-tag=00063408043a3f10"
    RADIUS: Vendor, Cisco [26] 39
    RADIUS: Cisco AVpair [1] 33 "vendor-class-id-tag=udhcp 0.9.8"
    RADIUS: Service-Type [6] 6 Outbound [5]
    RADIUS: NAS-IP-Address [4] 6 172.16.10.1
    RADIUS: Acct-Session-Id [44] 20 "0/0/0/1_0E8E3A16"
    RADIUS: Nas-Identifier [32] 5 "AS1"
    RADIUS: Event-Timestamp [55] 6 1411207456
    RADIUS(00BA4FBF): Sending a IPv4 Radius Packet
    RADIUS(00BA4FBF): Started 15 sec timeout
    ....
    IPSUB: Try to create a new session
    IPSUB: Lite session not required
    IPSUB: IP session context allocated 0x7F861DC31EA8
    IPSub: Not a L2 initiated session, update failed
    IPSub: Not a L2 initiated session, update failed
    IPSub: Check IP session recovery: 172.17.182.39 Te0/0/0.1 mac 0000.0000.0000
    IPSub ERROR: No binding application to serve the query.
    IPSub: IPSUB: Create no IP session. Start timer to tear down DP session
    IPSub: Added session 172.17.182.39 to L3 session table
    IPSub: Added session to session table with access session keys
    IPSub: session disconnect delay timer started
    IPSUB_DP: [uid:0] Sent message to control plane for in-band session creation
    IPSUB_DP: [uid:0] Insert new entry for mac 0000.0aad.7332
    IPSUB_DP: [uid:0] Processing new in-band session request
    IPSUB_DP: [uid:0] Delete mac entry 0000.0aad.7332
    IPSUB_DP: [uid:0] Session already exist with given keys
    IPSUB_DP: [uid:0] Insert new entry for mac 0000.0aad.cb13
    IPSUB_DP: [uid:0] Processing new in-band session request
    IPSUB_DP: [uid:0] Delete mac entry 0000.0aad.cb13
    IPSUB_DP: [uid:0] Session already exist with given keys
    IPSUB_DP: [uid:0] Insert new entry for mac 0000.0aad.4418
    IPSUB_DP: [uid:0] Processing new in-band session request
    IPSUB_DP: [uid:0] Delete mac entry 0000.0aad.4418
    IPSUB_DP: [uid:0] Session already exist with given keys
    IPSUB_DP: [uid:0] Insert new entry for mac 0000.0aad.2017
    IPSUB_DP: [uid:0] Processing new in-band session request
    IPSUB_DP: [uid:0] Delete mac entry 0000.0aad.2017
    IPSUB_DP: [uid:0] Session already exist with given keys
    RADIUS: Received from id 1645/162 172.16.10.133:1812, Access-Reject, len 20
    RADIUS: authenticator E1 97 6F 69 D0 41 B9 85 - BA 50 B6 A0 2D D4 AB F3
    RADIUS(00BA4FBF): Received from id 1645/162
    SSS AAA AUTHOR [uid:5089]: TAL authorisation keys added
    SSS AAA AUTHOR [uid:5089]: Received an AAA failure
    SSS AAA AUTHOR [uid:5089]: Radius server sent reject
    SSS AAA AUTHOR [uid:5089]: Event <service not found>, state changed from authorizing to complete
    SSS AAA AUTHOR [uid:5089]: No service authorization info found
    SSS AAA AUTHOR [uid:5089]: Active Handle present - C6000311
    SSS AAA AUTHOR [uid:5089]: Freeing Active Handle; SSS Policy Context Handle = 7E010EA1
    SSS AAA AUTHOR [uid:5089]: Event <free request>, state changed from complete to terminal
    SSS AAA AUTHOR [uid:5089]: Cancel request
    DHCPD: Callback for workspace (ID=0x910004FD)
    DHCPD: FSM state change CONFIGURED
    DHCPD: Reprocessing saved workspace (ID=0x910004FD)
    DHCPD: Reload workspace interface TenGigabitEthernet0/0/0.1 tableid 0.
    DHCPD: tableid for 172.16.1.1 on TenGigabitEthernet0/0/0.1 is 0
    DHCPD: client's VPN is .
    DHCPD: using received relay info.
    DHCPD: Sending notification of DISCOVER:
    DHCPD: htype 1 chaddr 2cab.253b.9b53
    DHCPD: remote id 00063408043a3f10
    DHCPD: circuit id 0004012d0012
    DHCPD: giaddr = 172.16.101.15
    DHCPD: interface = TenGigabitEthernet0/0/0.1
    DHCPD: class id 756468637020302e392e38
    DHCPD: DHCPDISCOVER received from client 012c.ab25.3b9b.53 through relay 172.16.101.15.
    DHCPD: relaying this packet
    DHCPD: BOOTREQUEST from 012c.ab25.3b9b.53 forwarded to 172.16.2.67.
    DHCPD: Freeing saved workspace (ID=0x910004FD)
    DHCPD: Sending notification of ASSIGNMENT FAILURE:
    DHCPD: htype 1 chaddr 2cab.253b.9b53
    DHCPD: remote id 020a00000a490101080000c9
    DHCPD: giaddr = 172.16.101.15
    DHCPD: interface = TenGigabitEthernet0/0/0.1
    DHCPD: class id 756468637020302e392e38
    DHCPD: Sending notification of ASSIGNMENT_FAILURE:
    DHCPD: due to: NO REASON
    DHCPD: htype 1 chaddr 2cab.253b.9b53
    DHCPD: remote id 020a00000a490101080000c9
    DHCPD: giaddr = 172.16.101.15
    DHCPD: interface = TenGigabitEthernet0/0/0.1
    DHCPD: class id 756468637020302e392e38
    ...

So whether or not the policy-map type control has service local with an existing service makes no difference... I don't see any sessions...

Edited September 20, 2014 by Marg
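As an added example that is not part of the original post or of any Cisco tool: a small Python script that pulls the option 82 fields and the RADIUS exchange out of the pasted debug output, rebuilds the "circuit-id plus remote-id" key that ISG put into User-Name, and decodes the raw hex the way the Cisco default option 82 encoding lays it out (circuit-id: type 0, length 4, VLAN, module, port; remote-id: type 0, length 6, switch base MAC). The excerpt is constructed from lines in the post; the function names are mine. The point of the check is that the Access-Reject is the server's answer to exactly that raw hex string, so whatever the RADIUS backend is keyed on for this subscriber has to match it byte for byte, and the second remote id in the ASSIGNMENT_FAILURE notification (020a...) does not have that default layout, which the decoder reports rather than guessing.

```python
import re

# Constructed excerpt of the "debug ip dhcp server packet" / "debug radius"
# output from the post above (only the lines the parser needs).
DEBUG_EXCERPT = """\
DHCPD: htype 1 chaddr 2cab.253b.9b53
DHCPD: remote id 00063408043a3f10
DHCPD: circuit id 0004012d0012
DHCPD: giaddr = 172.16.101.15
DHCPD: class id 756468637020302e392e38
SSS AAA AUTHOR [uid:5089]: Authorizing key 0004012d0012:00063408043a3f10
RADIUS: User-Name [1] 31 "0004012d0012:00063408043a3f10"
RADIUS: Calling-Station-Id [31] 14 "2cab253b9b53"
RADIUS: Cisco AVpair [1] 29 "circuit-id-tag=0004012d0012"
RADIUS: Cisco AVpair [1] 32 "remote-id-tag=00063408043a3f10"
RADIUS: Cisco AVpair [1] 33 "vendor-class-id-tag=udhcp 0.9.8"
RADIUS: Received from id 1645/162 172.16.10.133:1812, Access-Reject, len 20
"""


def parse_debug(text):
    """Extract option 82 hex values, the RADIUS User-Name and the RADIUS verdict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"DHCPD: (remote id|circuit id|class id) ([0-9a-f]+)$", line)
        if m:
            fields[m.group(1).replace(" ", "_")] = m.group(2)
            continue
        m = re.match(r'RADIUS: User-Name \[1\] \d+ "([^"]+)"', line)
        if m:
            fields["user_name"] = m.group(1)
            continue
        m = re.match(r"RADIUS: Received from .*?, (Access-\w+),", line)
        if m:
            fields["radius_result"] = m.group(1)
    return fields


def decode_cisco_circuit_id(hexstr):
    """Cisco default circuit-id: 00 04 <vlan:2> <module:1> <port:1>; None if not that layout."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != 6 or raw[0] != 0x00 or raw[1] != 0x04:
        return None
    return {"vlan": int.from_bytes(raw[2:4], "big"), "module": raw[4], "port": raw[5]}


def decode_cisco_remote_id(hexstr):
    """Cisco default remote-id: 00 06 <switch base MAC:6>; None if not that layout."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != 8 or raw[0] != 0x00 or raw[1] != 0x06:
        return None
    mac = raw[2:]
    return "%02x%02x.%02x%02x.%02x%02x" % tuple(mac)


def isg_combo_key(circuit_id, remote_id):
    """The key ISG builds for 'identifier circuit-id plus remote-id' (seen as combo_keys)."""
    return f"{circuit_id}:{remote_id}"


def analyse(text):
    """Rebuild the ISG key and decode what the switch actually inserted."""
    f = parse_debug(text)
    key = isg_combo_key(f["circuit_id"], f["remote_id"])
    return {
        "key": key,
        # If this is False, the RADIUS backend is being asked about a different string.
        "key_matches_user_name": key == f.get("user_name"),
        "circuit": decode_cisco_circuit_id(f["circuit_id"]),
        "switch_mac": decode_cisco_remote_id(f["remote_id"]),
        # class id is the DHCP vendor-class (option 60) in hex; matches vendor-class-id-tag.
        "vendor_class": bytes.fromhex(f["class_id"]).decode("ascii"),
        "radius_result": f.get("radius_result"),
    }


if __name__ == "__main__":
    for k, v in analyse(DEBUG_EXCERPT).items():
        print(f"{k}: {v}")
    print("second remote id decodes as:", decode_cisco_remote_id("020a00000a490101080000c9"))
```

Run as is, it reports the key 0004012d0012:00063408043a3f10, that it equals the User-Name sent, circuit VLAN 301 / module 0 / port 18, switch MAC 3408.043a.3f10, vendor class "udhcp 0.9.8" and the Access-Reject; the 020a... remote id decodes to None because it is not the two-byte-header-plus-MAC form.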
Marg Posted September 20, 2014

By the way, I do see addresses coming up in "show ip subscriber", but they all look like this:

    ...
    routed 0 down 172.17.4.40/32
    routed 0 down 172.17.4.85/32
    ...

And I think the DHCP-assigned addresses should actually be in show ip dhcp database/binding?
furai Posted September 22, 2014

Hmm, we haven't used such a scheme. One of our schemes is L2-connected clients, initiator dhcp, AAA by circuit-id plus remote-id. The other is L3-connected, identifier source-ip, with addresses handed out by a separate server whose traffic does not pass through the BRAS. Does the Cisco actually support the combination of option 82 and routed?
zhenya` Posted September 23, 2014

+ it's not quite clear, because ISG can't handle a double L3 relay. It's written in the restrictions.