
Local ISG authorization

I am setting up ISG on an ASR1002 so that it takes the services from local configuration.


aaa authentication login default local-case
aaa authentication ppp PPPOE group RAD_PPPOE
aaa authorization exec default local
aaa authorization network PPPOE group RAD_PPPOE
aaa authorization subscriber-service default local
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network PPPOE start-stop group RAD_PPPOE

class-map type traffic match-any BOD1M_TC
match access-group input name BOD1M_IN_ACL_IN
match access-group output name BOD1M_ACL_OUT

policy-map type service BOD1M
10 class type traffic BOD1M_TC
 police input 512000 256000 5000
 police output 1024000 512000 5000
!
class type traffic default in-out
 drop
!
!

ip access-list extended BOD1M_IN_ACL_IN
permit ip any 172.18.32.0 0.0.15.255
deny   ip any any
ip access-list extended BOD1M_ACL_OUT
permit ip 172.18.32.0 0.0.15.255 any
deny   ip any any


In the logs:

*Sep 20 15:41:59: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
*Sep 20 15:41:59: RADIUS:  User-Name           [1]   10  "testuser"
*Sep 20 15:41:59: RADIUS:  CHAP-Password       [3]   19  *
*Sep 20 15:41:59: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Sep 20 15:41:59: RADIUS:  NAS-Port            [5]   6   0
*Sep 20 15:41:59: RADIUS:  NAS-Port-Id         [87]  11  "0/0/0/101"
*Sep 20 15:41:59: RADIUS:  Vendor, Cisco       [26]  41
*Sep 20 15:41:59: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=001b.789a.d2d0"
*Sep 20 15:41:59: RADIUS:  Service-Type        [6]   6   Framed                    [2]
*Sep 20 15:41:59: RADIUS:  NAS-IP-Address      [4]   6   X.X.X.9
*Sep 20 15:41:59: RADIUS(00000035): Sending a IPv4 Radius Packet
*Sep 20 15:41:59: RADIUS(00000035): Started 5 sec timeout
*Sep 20 15:42:00: RADIUS: Received from id 1645/40 X.X.X.26:1812, Access-Accept, len 57
*Sep 20 15:42:00: RADIUS:  authenticator 77 9F DE 9A ED F0 F0 02 - 2C 0E 36 A7 66 8A 52 87
*Sep 20 15:42:00: RADIUS:  Acct-Interim-Interva[85]  6   600
*Sep 20 15:42:00: RADIUS:  Framed-IP-Address   [8]   6   172.18.63.172
*Sep 20 15:42:00: RADIUS:  Vendor, Unknown     [26]  11
*Sep 20 15:42:00: RADIUS:  Ascend-Private-Route[104] 5
*Sep 20 15:42:00: RADIUS:   50 50 50               [ PPP]
*Sep 20 15:42:00: RADIUS:  Vendor, Cisco       [26]  14
*Sep 20 15:42:00: RADIUS:   ssg-account-info   [250] 8   "ABOD1M"


Below that:
*Sep 20 15:42:00: SSS PM [422577A0]: Updated key list:
*Sep 20 15:42:00: SSS PM [422577A0]:   Logon-Service = "BOD1M"
*Sep 20 15:42:00: SSS PM [422577A0]:   Nasport = PPPoEoVLAN: slot 0 adapter 0 port 0 sub-interface 101 IP 0.0.0.0 VPI 0 VCI 0 VLAN 101
*Sep 20 15:42:00: SSS PM [422577A0]:   Access-Type = 11 (Web-service-logon)
*Sep 20 15:42:00: SSS PM [422577A0]:   Authen-Status = 1 (Unauthenticated)
*Sep 20 15:42:00: SSS PM [422577A0]:   Session-Handle = 754974798 (2D00004E)

Further below:
*Sep 20 15:42:00: RADIUS:  User-Password       [2]   18  *
*Sep 20 15:42:00: RADIUS:  User-Name           [1]   7   "BOD1M"
*Sep 20 15:42:00: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*Sep 20 15:42:00: RADIUS:  NAS-IP-Address      [4]   6   X.X.X.9

Further below still:
*Sep 20 15:47:15: RADIUS(00000000): Send Access-Request to X.X.X.26:1812 id 1645/43, len 57
*Sep 20 15:47:15: RADIUS:  authenticator C7 E6 70 30 3F B4 D1 ED - E8 42 61 73 9A 61 C8 C1
*Sep 20 15:47:15: RADIUS:  User-Password       [2]   18  *
*Sep 20 15:47:15: RADIUS:  User-Name           [1]   7   "BOD1M"
*Sep 20 15:47:15: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*Sep 20 15:47:15: RADIUS:  NAS-IP-Address      [4]   6   X.X.X.9
*Sep 20 15:47:15: RADIUS(00000000): Sending a IPv4 Radius Packet
*Sep 20 15:47:15: RADIUS(00000000): Started 5 sec timeout
*Sep 20 15:47:15: RADIUS: Received from id 1645/43 X.X.X.26:1812, Access-Reject, len 23
*Sep 20 15:47:15: RADIUS:  authenticator 90 DD BE 99 26 13 8E BB - 74 B6 2A 90 D2 45 6E 8A
*Sep 20 15:47:15: RADIUS:  Reply-Message       [18]  3
*Sep 20 15:47:15: RADIUS:   31                 [ 1]

So the ISG authorization goes off to the RADIUS server. But the Cisco configuration has the line:

aaa authorization subscriber-service default local

which, in theory, should authorize the service locally on the ISG. Why does the authorization go to RADIUS?


Well, ABOD1M is sent right there in the Access-Accept:

*Sep 20 15:42:00: RADIUS: Received from id 1645/40 X.X.X.26:1812, Access-Accept, len 57
.
.
*Sep 20 15:42:00: RADIUS:   ssg-account-info   [250] 8   "ABOD1M"
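As an added example (not part of this thread and not Cisco code), here is a small Python parser for `debug radius` output of the kind quoted above. It pairs each service-profile download Access-Request (User-Name set to the service name, Service-Type Outbound) with the reply that carries the same RADIUS id, and decodes the prefix letter of `ssg-account-info` ("A" = auto-activate the service, "N" = make it available without activating, following Cisco's ISG Account-Info conventions). The sample lines are a constructed, trimmed copy of the thread's log; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed copy of the debug output quoted in the thread.
SAMPLE_LOG = """\
*Sep 20 15:42:00: RADIUS: Received from id 1645/40 X.X.X.26:1812, Access-Accept, len 57
*Sep 20 15:42:00: RADIUS:  Framed-IP-Address   [8]   6   172.18.63.172
*Sep 20 15:42:00: RADIUS:  Vendor, Cisco       [26]  14
*Sep 20 15:42:00: RADIUS:   ssg-account-info   [250] 8   "ABOD1M"
*Sep 20 15:47:15: RADIUS(00000000): Send Access-Request to X.X.X.26:1812 id 1645/43, len 57
*Sep 20 15:47:15: RADIUS:  User-Name           [1]   7   "BOD1M"
*Sep 20 15:47:15: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*Sep 20 15:47:15: RADIUS: Received from id 1645/43 X.X.X.26:1812, Access-Reject, len 23
"""

# Packet headers as IOS prints them; the "id" field is what ties a request to its reply.
RECV_RE = re.compile(r"RADIUS: Received from id (\S+) (\S+), (\S+), len (\d+)")
SEND_RE = re.compile(r"RADIUS\(\w+\): Send (\S+) to (\S+) id (\S+), len (\d+)")
# Attribute lines: "<name> [<type>] <len> <value>"; the name may be truncated
# (e.g. "Acct-Interim-Interva[85]") or contain a comma ("Vendor, Cisco").
ATTR_RE = re.compile(r"RADIUS:\s+([^\[]+?)\s*\[(\d+)\]\s+(\d+)\s*(.*)$")

# Cisco ISG Account-Info (VSA 250) prefix letters: A = auto-activate service,
# N = service name available to the subscriber but not activated.
ACCOUNT_INFO_PREFIX = {"A": "auto-activate", "N": "available"}


@dataclass
class Packet:
    direction: str   # "sent" by the NAS or "received" from the server
    code: str        # Access-Request, Access-Accept, Access-Reject, ...
    ident: str       # e.g. "1645/43"; shared by a request and its reply
    peer: str
    attrs: List[Tuple[str, str]] = field(default_factory=list)

    def get(self, name: str) -> Optional[str]:
        for attr_name, value in self.attrs:
            if attr_name == name:
                return value
        return None


def clean_value(raw: str) -> str:
    """Strip the quotes IOS puts around strings and the trailing [n] after enum names."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return re.sub(r"\s*\[\d+\]$", "", raw)


def parse_radius_debug(text: str) -> List[Packet]:
    """Group debug lines into packets; attribute lines before any header are dropped."""
    packets: List[Packet] = []
    for line in text.splitlines():
        m = SEND_RE.search(line)
        if m:
            packets.append(Packet("sent", m.group(1), m.group(3), m.group(2)))
            continue
        m = RECV_RE.search(line)
        if m:
            packets.append(Packet("received", m.group(3), m.group(1), m.group(2)))
            continue
        m = ATTR_RE.search(line)
        if m and packets:
            packets[-1].attrs.append((m.group(1).strip(), clean_value(m.group(4))))
    return packets


def pushed_services(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Services the server pushed in Access-Accept via ssg-account-info, with the decoded prefix."""
    found = []
    for p in packets:
        if p.code != "Access-Accept":
            continue
        for name, value in p.attrs:
            if name == "ssg-account-info" and value:
                mode = ACCOUNT_INFO_PREFIX.get(value[0], "unknown-code:" + value[0])
                found.append((value[1:], mode))
    return found


def service_profile_requests(packets: List[Packet]) -> Dict[str, str]:
    """Map each service whose profile the NAS asked the server for to the reply it got.

    A service-profile download is an Access-Request with Service-Type Outbound and the
    service name in User-Name. Replies are matched on the RADIUS id; in a long capture
    ids wrap, so this should be run on a short excerpt like the one in the thread.
    """
    replies = {p.ident: p.code for p in packets if p.direction == "received"}
    outcome: Dict[str, str] = {}
    for p in packets:
        if p.direction == "sent" and p.code == "Access-Request" and p.get("Service-Type") == "Outbound":
            outcome[p.get("User-Name") or "?"] = replies.get(p.ident, "no reply (timeout?)")
    return outcome


if __name__ == "__main__":
    pk = parse_radius_debug(SAMPLE_LOG)
    for svc, mode in pushed_services(pk):
        print(f"Access-Accept pushed service {svc} ({mode})")
    for svc, result in service_profile_requests(pk).items():
        print(f"service profile download for {svc}: {result}")
```

Run against the thread's excerpt, the parser shows the sequence the reply above points at: the subscriber's Access-Accept carries `ssg-account-info "ABOD1M"` (auto-activate BOD1M), and the ISG then sends a separate Access-Request for the BOD1M profile with Service-Type Outbound, which the server rejects. Tracking the reject per service name is a quick way to spot which profile lookups are leaving the box when you expected them to be resolved locally.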
