
Local ISG authorization

I'm configuring ISG on an ASR1002 so that it takes services locally.


aaa authentication login default local-case
aaa authentication ppp PPPOE group RAD_PPPOE
aaa authorization exec default local
aaa authorization network PPPOE group RAD_PPPOE
aaa authorization subscriber-service default local
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network PPPOE start-stop group RAD_PPPOE

class-map type traffic match-any BOD1M_TC
match access-group input name BOD1M_IN_ACL_IN
match access-group output name BOD1M_ACL_OUT

policy-map type service BOD1M
10 class type traffic BOD1M_TC
 police input 512000 256000 5000
 police output 1024000 512000 5000
!
class type traffic default in-out
 drop
!
!

ip access-list extended BOD1M_IN_ACL_IN
permit ip any 172.18.32.0 0.0.15.255
deny   ip any any
ip access-list extended BOD1M_ACL_OUT
permit ip 172.18.32.0 0.0.15.255 any
deny   ip any any


In the logs:

*Sep 20 15:41:59: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
*Sep 20 15:41:59: RADIUS:  User-Name           [1]   10  "testuser"
*Sep 20 15:41:59: RADIUS:  CHAP-Password       [3]   19  *
*Sep 20 15:41:59: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Sep 20 15:41:59: RADIUS:  NAS-Port            [5]   6   0
*Sep 20 15:41:59: RADIUS:  NAS-Port-Id         [87]  11  "0/0/0/101"
*Sep 20 15:41:59: RADIUS:  Vendor, Cisco       [26]  41
*Sep 20 15:41:59: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=001b.789a.d2d0"
*Sep 20 15:41:59: RADIUS:  Service-Type        [6]   6   Framed                    [2]
*Sep 20 15:41:59: RADIUS:  NAS-IP-Address      [4]   6   X.X.X.9
*Sep 20 15:41:59: RADIUS(00000035): Sending a IPv4 Radius Packet
*Sep 20 15:41:59: RADIUS(00000035): Started 5 sec timeout
*Sep 20 15:42:00: RADIUS: Received from id 1645/40 X.X.X.26:1812, Access-Accept, len 57
*Sep 20 15:42:00: RADIUS:  authenticator 77 9F DE 9A ED F0 F0 02 - 2C 0E 36 A7 66 8A 52 87
*Sep 20 15:42:00: RADIUS:  Acct-Interim-Interva[85]  6   600
*Sep 20 15:42:00: RADIUS:  Framed-IP-Address   [8]   6   172.18.63.172
*Sep 20 15:42:00: RADIUS:  Vendor, Unknown     [26]  11
*Sep 20 15:42:00: RADIUS:  Ascend-Private-Route[104] 5
*Sep 20 15:42:00: RADIUS:   50 50 50               [ PPP]
*Sep 20 15:42:00: RADIUS:  Vendor, Cisco       [26]  14
*Sep 20 15:42:00: RADIUS:   ssg-account-info   [250] 8   "ABOD1M"


Further down:
*Sep 20 15:42:00: SSS PM [422577A0]: Updated key list:
*Sep 20 15:42:00: SSS PM [422577A0]:   Logon-Service = "BOD1M"
*Sep 20 15:42:00: SSS PM [422577A0]:   Nasport = PPPoEoVLAN: slot 0 adapter 0 port 0 sub-interface 101 IP 0.0.0.0 VPI 0 VCI 0 VLAN 101
*Sep 20 15:42:00: SSS PM [422577A0]:   Access-Type = 11 (Web-service-logon)
*Sep 20 15:42:00: SSS PM [422577A0]:   Authen-Status = 1 (Unauthenticated)
*Sep 20 15:42:00: SSS PM [422577A0]:   Session-Handle = 754974798 (2D00004E)

Further down still:
*Sep 20 15:42:00: RADIUS:  User-Password       [2]   18  *
*Sep 20 15:42:00: RADIUS:  User-Name           [1]   7   "BOD1M"
*Sep 20 15:42:00: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*Sep 20 15:42:00: RADIUS:  NAS-IP-Address      [4]   6   X.X.X.9

Further down still:
*Sep 20 15:47:15: RADIUS(00000000): Send Access-Request to X.X.X.26:1812 id 1645/43, len 57
*Sep 20 15:47:15: RADIUS:  authenticator C7 E6 70 30 3F B4 D1 ED - E8 42 61 73 9A 61 C8 C1
*Sep 20 15:47:15: RADIUS:  User-Password       [2]   18  *
*Sep 20 15:47:15: RADIUS:  User-Name           [1]   7   "BOD1M"
*Sep 20 15:47:15: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*Sep 20 15:47:15: RADIUS:  NAS-IP-Address      [4]   6   X.X.X.9
*Sep 20 15:47:15: RADIUS(00000000): Sending a IPv4 Radius Packet
*Sep 20 15:47:15: RADIUS(00000000): Started 5 sec timeout
*Sep 20 15:47:15: RADIUS: Received from id 1645/43 X.X.X.26:1812, Access-Reject, len 23
*Sep 20 15:47:15: RADIUS:  authenticator 90 DD BE 99 26 13 8E BB - 74 B6 2A 90 D2 45 6E 8A
*Sep 20 15:47:15: RADIUS:  Reply-Message       [18]  3
*Sep 20 15:47:15: RADIUS:   31                 [ 1]

So ISG authorization goes to the RADIUS server. But the Cisco config has the line:

aaa authorization subscriber-service default local

which in theory should authorize the service locally on the ISG. Why does authorization go to RADIUS?


Send an "A" in the RADIUS reply, at the start of the service name, i.e. ABOD1M instead of BOD1M.
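The debug output in the question and the prefix the reply asks about can be checked mechanically. The following is an added example, not code from the thread: it parses Cisco `debug radius` lines in the format quoted above, lists the services an Access-Accept pushed via ssg-account-info, and flags any later Access-Request (Service-Type Outbound, service name as User-Name) that asks RADIUS for a profile already defined locally with `policy-map type service`. The sample lines are constructed from the thread's own output, and treating the first letter of ssg-account-info as the action prefix is an assumption taken from the reply.

```python
import re

# Constructed sample in the format of the 'debug radius' lines quoted in the thread
# (addresses abbreviated as on the page); the policy-map excerpt is the thread's own.
CONFIG = "policy-map type service BOD1M\n10 class type traffic BOD1M_TC\n police input 512000 256000 5000\n"
DEBUG = """
*Sep 20 15:42:00: RADIUS: Received from id 1645/40 X.X.X.26:1812, Access-Accept, len 57
*Sep 20 15:42:00: RADIUS:   ssg-account-info   [250] 8   "ABOD1M"
*Sep 20 15:47:15: RADIUS(00000000): Send Access-Request to X.X.X.26:1812 id 1645/43, len 57
*Sep 20 15:47:15: RADIUS:  User-Name           [1]   7   "BOD1M"
*Sep 20 15:47:15: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*Sep 20 15:47:15: RADIUS: Received from id 1645/43 X.X.X.26:1812, Access-Reject, len 23
"""
PKT_RE = re.compile(r"\b(?:Send|Received from) .*?(Access-\w+)")
ATTR_RE = re.compile(r"RADIUS:\s+(\S+?)\s*\[\d+\]\s+\d+\s+(.*)$")

def local_services(config):
    """Names defined on the box with 'policy-map type service <name>'."""
    return set(re.findall(r"^policy-map type service (\S+)", config, re.M))

def parse_packets(debug):
    """Group attribute lines under the Send/Received line that starts each packet."""
    packets = []
    for line in debug.splitlines():
        if m := PKT_RE.search(line):
            packets.append({"code": m.group(1), "attrs": {}})
        elif (m := ATTR_RE.search(line)) and packets:
            # drop the trailing enum index ("Outbound [5]") and the quotes around strings
            value = re.sub(r"\s*\[\d+\]$", "", m.group(2)).strip().strip('"')
            packets[-1]["attrs"].setdefault(m.group(1), []).append(value)
    return packets

def audit(config, debug):
    """List services the Access-Accept pushed via ssg-account-info and flag any
    Access-Request that asks RADIUS for a profile the config defines locally."""
    local = local_services(config)
    findings = []
    for pkt in parse_packets(debug):
        if pkt["code"] == "Access-Accept":
            for raw in pkt["attrs"].get("ssg-account-info", []):
                # assumption: first letter is the action prefix (the 'A' the reply asks for)
                findings.append(("pushed-service", raw, raw[1:], raw[1:] in local))
        elif pkt["code"] == "Access-Request":
            user = pkt["attrs"].get("User-Name", [""])[0]
            stype = pkt["attrs"].get("Service-Type", [""])[0]
            # a profile download appears as Service-Type Outbound with the service as User-Name
            if stype == "Outbound" and user in local:
                findings.append(("local-profile-requested-from-radius", user))
    return findings
```

Run `audit` over a full `debug radius` capture to see at a glance whether a locally defined service was nevertheless looked up on the RADIUS server, as happens in the thread's logs.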


But that's exactly what is sent in the Access-Accept, ABOD1M:

*Sep 20 15:42:00: RADIUS: Received from id 1645/40 X.X.X.26:1812, Access-Accept, len 57
.
.
*Sep 20 15:42:00: RADIUS:   ssg-account-info   [250] 8   "ABOD1M"


Question withdrawn. The problem was in the software. After replacing it, everything worked.
