Bat Posted September 20, 2014

I am configuring ISG on an ASR1002 so that it takes its services locally.

aaa authentication login default local-case
aaa authentication ppp PPPOE group RAD_PPPOE
aaa authorization exec default local
aaa authorization network PPPOE group RAD_PPPOE
aaa authorization subscriber-service default local
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network PPPOE start-stop group RAD_PPPOE

class-map type traffic match-any BOD1M_TC
 match access-group input name BOD1M_IN_ACL_IN
 match access-group output name BOD1M_ACL_OUT

policy-map type service BOD1M
 10 class type traffic BOD1M_TC
  police input 512000 256000 5000
  police output 1024000 512000 5000
 !
 class type traffic default in-out
  drop
 !
!
ip access-list extended BOD1M_IN_ACL_IN
 permit ip any 172.18.32.0 0.0.15.255
 deny ip any any
ip access-list extended BOD1M_ACL_OUT
 permit ip 172.18.32.0 0.0.15.255 any
 deny ip any any

In the logs:

*Sep 20 15:41:59: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Sep 20 15:41:59: RADIUS: User-Name [1] 10 "testuser"
*Sep 20 15:41:59: RADIUS: CHAP-Password [3] 19 *
*Sep 20 15:41:59: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Sep 20 15:41:59: RADIUS: NAS-Port [5] 6 0
*Sep 20 15:41:59: RADIUS: NAS-Port-Id [87] 11 "0/0/0/101"
*Sep 20 15:41:59: RADIUS: Vendor, Cisco [26] 41
*Sep 20 15:41:59: RADIUS: Cisco AVpair [1] 35 "client-mac-address=001b.789a.d2d0"
*Sep 20 15:41:59: RADIUS: Service-Type [6] 6 Framed [2]
*Sep 20 15:41:59: RADIUS: NAS-IP-Address [4] 6 X.X.X.9
*Sep 20 15:41:59: RADIUS(00000035): Sending a IPv4 Radius Packet
*Sep 20 15:41:59: RADIUS(00000035): Started 5 sec timeout
*Sep 20 15:42:00: RADIUS: Received from id 1645/40 X.X.X.26:1812, Access-Accept, len 57
*Sep 20 15:42:00: RADIUS: authenticator 77 9F DE 9A ED F0 F0 02 - 2C 0E 36 A7 66 8A 52 87
*Sep 20 15:42:00: RADIUS: Acct-Interim-Interva[85] 6 600
*Sep 20 15:42:00: RADIUS: Framed-IP-Address [8] 6 172.18.63.172
*Sep 20 15:42:00: RADIUS: Vendor, Unknown [26] 11
*Sep 20 15:42:00: RADIUS: Ascend-Private-Route[104] 5
*Sep 20 15:42:00: RADIUS: 50 50 50 [ PPP]
*Sep 20 15:42:00: RADIUS: Vendor, Cisco [26] 14
*Sep 20 15:42:00: RADIUS: ssg-account-info [250] 8 "ABOD1M"

Further down:

*Sep 20 15:42:00: SSS PM [422577A0]: Updated key list:
*Sep 20 15:42:00: SSS PM [422577A0]: Logon-Service = "BOD1M"
*Sep 20 15:42:00: SSS PM [422577A0]: Nasport = PPPoEoVLAN: slot 0 adapter 0 port 0 sub-interface 101 IP 0.0.0.0 VPI 0 VCI 0 VLAN 101
*Sep 20 15:42:00: SSS PM [422577A0]: Access-Type = 11 (Web-service-logon)
*Sep 20 15:42:00: SSS PM [422577A0]: Authen-Status = 1 (Unauthenticated)
*Sep 20 15:42:00: SSS PM [422577A0]: Session-Handle = 754974798 (2D00004E)

Further down still:

*Sep 20 15:42:00: RADIUS: User-Password [2] 18 *
*Sep 20 15:42:00: RADIUS: User-Name [1] 7 "BOD1M"
*Sep 20 15:42:00: RADIUS: Service-Type [6] 6 Outbound [5]
*Sep 20 15:42:00: RADIUS: NAS-IP-Address [4] 6 X.X.X.9

Further down still:

*Sep 20 15:47:15: RADIUS(00000000): Send Access-Request to X.X.X.26:1812 id 1645/43, len 57
*Sep 20 15:47:15: RADIUS: authenticator C7 E6 70 30 3F B4 D1 ED - E8 42 61 73 9A 61 C8 C1
*Sep 20 15:47:15: RADIUS: User-Password [2] 18 *
*Sep 20 15:47:15: RADIUS: User-Name [1] 7 "BOD1M"
*Sep 20 15:47:15: RADIUS: Service-Type [6] 6 Outbound [5]
*Sep 20 15:47:15: RADIUS: NAS-IP-Address [4] 6 X.X.X.9
*Sep 20 15:47:15: RADIUS(00000000): Sending a IPv4 Radius Packet
*Sep 20 15:47:15: RADIUS(00000000): Started 5 sec timeout
*Sep 20 15:47:15: RADIUS: Received from id 1645/43 X.X.X.26:1812, Access-Reject, len 23
*Sep 20 15:47:15: RADIUS: authenticator 90 DD BE 99 26 13 8E BB - 74 B6 2A 90 D2 45 6E 8A
*Sep 20 15:47:15: RADIUS: Reply-Message [18] 3
*Sep 20 15:47:15: RADIUS: 31 [ 1]

That is, the ISG authorization goes to the RADIUS server. But the Cisco configuration contains the line:

aaa authorization subscriber-service default local

which in theory should authorize the service locally on the ISG. Why does the authorization go to RADIUS?

zhenya` Posted September 20, 2014

Send A in the RADIUS reply, at the start of the service name, i.e. ABOD1M instead of BOD1M.

Bat Posted September 20, 2014

But ABOD1M is exactly what is being sent in the Access-Accept:

*Sep 20 15:42:00: RADIUS: Received from id 1645/40 X.X.X.26:1812, Access-Accept, len 57
.
.
*Sep 20 15:42:00: RADIUS: ssg-account-info [250] 8 "ABOD1M"

Bat Posted September 21, 2014

The question is withdrawn. The problem was in the software. After replacing it, everything started working.
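
The symptom discussed in this thread can be picked out of the RADIUS debug output automatically. The following is an added example, not code from any poster in the thread: it collects the service names pushed in ssg-account-info (with the leading "A" stripped, as in the thread) and reports every Access-Request with Service-Type Outbound that uses such a name as User-Name, together with the server's reply. The function names and the sample log (condensed from the quoted lines) are constructed for the illustration.

```python
import re

# Constructed sample, condensed from the debug lines quoted in the thread.
SAMPLE_LOG = """\
*Sep 20 15:42:00: RADIUS: Received from id 1645/40 X.X.X.26:1812, Access-Accept, len 57
*Sep 20 15:42:00: RADIUS: ssg-account-info [250] 8 "ABOD1M"
*Sep 20 15:47:15: RADIUS(00000000): Send Access-Request to X.X.X.26:1812 id 1645/43, len 57
*Sep 20 15:47:15: RADIUS: User-Password [2] 18 *
*Sep 20 15:47:15: RADIUS: User-Name [1] 7 "BOD1M"
*Sep 20 15:47:15: RADIUS: Service-Type [6] 6 Outbound [5]
*Sep 20 15:47:15: RADIUS: Received from id 1645/43 X.X.X.26:1812, Access-Reject, len 23
"""

KIND = re.compile(r"(?:Send|Received from) .*\b(Access-(?:Request|Accept|Reject))\b")
PKT_ID = re.compile(r"\bid (\d+/\d+)")
ATTR = re.compile(r'RADIUS:\s+([\w-]+)\s*\[\d+\]\s+\d+\s+"?([^"]*)"?')

def parse_packets(log):
    """Split the debug output into packets: kind, id and attribute lists."""
    packets = []
    for line in log.splitlines():
        kind, attr = KIND.search(line), ATTR.search(line)
        if kind:
            pid = PKT_ID.search(line)
            packets.append({"kind": kind.group(1), "id": pid.group(1) if pid else None, "attrs": {}})
        elif attr and packets:  # attribute lines before the first header are skipped
            packets[-1]["attrs"].setdefault(attr.group(1), []).append(attr.group(2).strip())
    return packets

def find_remote_service_lookups(log):
    """Return (service, reply) pairs for service profiles requested from RADIUS."""
    services, pending, findings = set(), {}, []
    for p in parse_packets(log):
        a = p["attrs"]
        if p["kind"] == "Access-Accept":
            for info in a.get("ssg-account-info", []):
                if info.startswith("A"):  # "A" + service name, as in the thread
                    services.add(info[1:])
        if p["kind"] == "Access-Request":
            outbound = any(v.startswith("Outbound") for v in a.get("Service-Type", []))
            name = next(iter(a.get("User-Name", [])), None)
            if outbound and name in services:
                pending[p["id"]] = name  # remember the request id to pair the reply
        elif p["id"] in pending:
            findings.append((pending.pop(p["id"]), p["kind"]))
    return findings

if __name__ == "__main__":
    print(find_remote_service_lookups(SAMPLE_LOG))
```

An empty result on a capture that contains the subscriber's Access-Accept means no service profile was requested from the RADIUS server during that capture.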