Intelligent Services Gateway - a quick overview (04.06.2014, 04:14). Views 31883. Replies 20
In this post I would like to show (as briefly as possible) an example of configuring ISG. For those who don't know, ISG (Intelligent Services Gateway) is a framework on the Cisco 10000, Cisco 7200, Cisco 7300 and Cisco ASR platforms for organizing subscriber access, with a simplified authentication system, a flexible integrated system for managing rules (policies), and deep integration at the operational level that lets the framework be tied to existing AAA, billing and subscriber-portal platforms. This is how Cisco describes the benefits of bringing in ISG:

Sounds sweet. Now about the features. To avoid repeating myself, I'll again quote Cisco's own words:

Reading material:
White Paper Intelligent Service Gateway Features Roadmap (12.2, 15.0)
Cisco IOS Intelligent Services Gateway Command Reference
Cisco ISG Design and Deployment Guide: ATM Aggregation Using Cisco IOS Software Release 12.2(28)SB5
Cisco ISG Design and Deployment Guide: Gigabit Ethernet Aggregation Using Cisco IOS Software Release 12.2(31)SB2
Intelligent Services Gateway Configuration Guide, Cisco IOS XE Release 3S
Intelligent Services Gateway Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000)

On Cisco Live the following materials on this topic can be found:

Now closer to the point. For my example I'll take the standard (and simplest) topology; it is nothing fancy, but it still lets me show some of the capabilities of Cisco ISG. I'll say right away that for the demonstration I am using virtualization both for the services gateway and for the end user.

Devices:

ISG: CSR1000v
ISG#sh ver
Cisco IOS XE Software, Version 03.12.00.S - Standard Support Release
Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 26-Mar-14 21:09 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2014 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: IOS-XE ROMMON

ISG uptime is 1 day, 59 minutes
Uptime for this control processor is 1 day, 1 hour, 0 minutes
System returned to ROM by reload at 11:47:31 FET Mon Jun 2 2014
System restarted at 11:49:05 FET Mon Jun 2 2014
System image file is "bootflash:packages.conf"
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/expor... stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: premium
License Type: Evaluation
Next reload license Level: premium

cisco CSR1000V (VXE) processor with 2170596K/6147K bytes of memory.
Processor board ID 9G4FLFSIQPY
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.

Configuration register is 0x2102

DHCP: CSR1000v
DHCP_SERVER#show ver
Cisco IOS XE Software, Version 03.12.00.S - Standard Support Release
Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 26-Mar-14 21:09 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2014 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: IOS-XE ROMMON

DHCP_SERVER uptime is 1 week, 5 days, 1 hour, 49 minutes
Uptime for this control processor is 1 week, 5 days, 1 hour, 50 minutes
System returned to ROM by reload
System restarted at 11:00:23 FET Thu May 22 2014
System image file is "bootflash:packages.conf"
Last reload reason: Unknown reason

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/expor... stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: limited
License Type: Default. No valid license found.
Next reload license Level: limited

cisco CSR1000V (VXE) processor with 804580K/6147K bytes of memory.
Processor board ID 9FGH5Z8MDHJ
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3145728K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.

Configuration register is 0x2102

INT-GW: CSR1000V
INT_GW#sh ver
Cisco IOS XE Software, Version 03.12.00.S - Standard Support Release
Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 26-Mar-14 21:09 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2014 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: IOS-XE ROMMON

INT_GW uptime is 1 day, 2 hours, 29 minutes
Uptime for this control processor is 1 day, 2 hours, 29 minutes
System returned to ROM by reload
System image file is "bootflash:packages.conf"
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/expor... stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: limited
License Type: Default. No valid license found.
Next reload license Level: limited

cisco CSR1000V (VXE) processor with 804580K/6147K bytes of memory.
Processor board ID 90FUTHQ505J
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3145728K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.

Configuration register is 0x2102

RADIUS (freeradius) / SQL (mysql) / WEB-PORTAL (self-written): vmware host
root@freeradius:~# uname -a
Linux freeradius 3.2.0-4-686-pae #1 SMP Debian 3.2.57-3+deb7u1 i686 GNU/Linux
root@freeradius:~#

Configs:

ISG
hostname ISG
!
aaa new-model
!
aaa group server radius RAD_SRV
 server name RAD_SRV1
 load-balance method least-outstanding batch-size 1 ignore-preferred-server
!
aaa authentication login default local
aaa authentication login RAD_SRV group RAD_SRV
aaa authorization exec default local
aaa authorization network default group RAD_SRV
aaa authorization subscriber-service default local group RAD_SRV
aaa accounting delay-start
aaa accounting jitter maximum 0
aaa accounting update periodic 1
aaa accounting commands 0 default none
aaa accounting commands 1 default none
aaa accounting commands 15 default none
aaa accounting network default start-stop group RAD_SRV
aaa accounting network ISG_ACC start-stop group RAD_SRV
!
aaa nas port extended
!
aaa server radius dynamic-author
 client 192.168.8.227 server-key cisco
 auth-type any
 ignore session-key
 ignore server-key
!
ip domain name office.cisco.com
ip name-server 8.8.8.8
ip name-server 192.168.6.9
!
subscriber service multiple-accept
subscriber service session-accounting
subscriber service accounting interim-interval 1
subscriber redundancy dynamic periodic-update interval 15
subscriber templating
subscriber authorization enable
!
username a.ivanov privilege 15 secret 5 $1$YaAl$OVACRX6v0trI3Ms/4RDwm/
!
redundancy
 mode none
!
cdp run
!
class-map type traffic match-any TC_L4R
 match access-group input name ACL_IN_L4R
!
class-map type traffic match-any OPEN_GARDEN
 match access-group input name OPENGARDEN_IN
 match access-group output name OPENGARDEN_OUT
!
class-map type control match-all ISG-IP-UNAUTH
 match timer UNAUTH-TIMER
 match authen-status unauthenticated
!
policy-map type service S_L4R
 250 class type traffic TC_L4R
  redirect to ip 192.168.8.227
!
policy-map type service OPEN_GARDEN
 250 class type traffic OPEN_GARDEN
 !
 class type traffic default in-out
  drop
!
policy-map type control ISG
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event session-start
  1 service-policy type service name OPEN_GARDEN
  5 set-timer UNAUTH-TIMER 5
  10 service-policy type service name S_L4R
 !
 class type control always event session-restart
  1 service-policy type service name OPEN_GARDEN
  5 set-timer UNAUTH-TIMER 5
  10 service-policy type service name S_L4R
 !
 class type control always event account-logon
  10 authenticate aaa list RAD_SRV
  20 service-policy type service unapply name S_L4R
  30 service-policy type service name INET
 !
 class type control always event account-logoff
  10 service-policy type service unapply name INET
!
policy-map SUB-QOS-IN
 class class-default
  police cir 100000
!
policy-map SUB-QOS-OUT
 class class-default
  police cir 100000
!
interface GigabitEthernet1
 description host
 ip address 172.16.1.254 255.255.255.0
 ip helper-address 192.168.8.228
 service-policy type control ISG
 ip subscriber l2-connected
  initiator unclassified mac-address
!
interface GigabitEthernet2
 description server-dhcp-int_gw
 ip address dhcp
!
ip route 0.0.0.0 0.0.0.0 192.168.8.226
ip route 192.168.0.0 255.255.0.0 192.168.8.1
!
ip access-list extended ACL_IN_L4R
 permit tcp any any eq www
 permit tcp any any eq 443
!
ip access-list extended INT_IN
 permit ip 172.16.1.0 0.0.0.255 any
!
ip access-list extended INT_OUT
 permit ip any 172.16.1.0 0.0.0.255
!
ip access-list extended OPENGARDEN_IN
 permit ip any host 192.168.8.227
 permit ip any host 192.168.6.9
!
ip access-list extended OPENGARDEN_OUT
 permit ip host 192.168.8.227 any
 permit ip host 192.168.6.9 any
!
snmp-server community public RO
snmp-server location lab@office.cisco.com
snmp ifmib ifindex persist
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 30 original-called-number
radius-server attribute 31 mac format ietf
radius-server attribute 31 send nas-port-detail mac-only
radius-server retransmit 2
radius-server timeout 3
radius-server key cisco
!
radius server RAD_SRV1
 address ipv4 192.168.8.227 auth-port 1812 acct-port 1813
 key cisco
!
alias exec shs show subscriber session
alias exec cls clear subscriber session all
alias exec cld clear ip dhcp binding *
!
end

DHCP_SERVER
hostname DHCP_SERVER
!
ip dhcp pool SUBSCRIBERS
 network 172.16.1.0 255.255.255.0
 dns-server 192.168.6.9
 default-router 172.16.1.254
!
interface GigabitEthernet2
 ip address dhcp
 negotiation auto
!
ip route 172.16.1.0 255.255.255.0 192.168.8.230

INT_GW
hostname INT_GW
!
interface GigabitEthernet1
 ip address 178.172.213.10 255.255.255.0
 ip nat outside
!
interface GigabitEthernet2
 ip address dhcp
 ip nat inside
!
ip nat inside source list NAT interface GigabitEthernet1 overload
!
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip route 172.16.1.0 255.255.255.0 192.168.8.230
ip route 192.168.0.0 255.255.0.0 192.168.8.1
!
ip access-list extended NAT
 permit ip 172.16.1.0 0.0.0.255 any
 permit ip host 192.168.8.230 any
!
end

I won't describe the radius and mysql setup here; I assume the reader is familiar with these things.

Radius: in /etc/freeradius/radiusd.conf enable $INCLUDE sql.conf, and in sql.conf itself describe our database.

In mysql: show tables from radius_db;
Code:
mysql> show tables from radius_db;
+------------------------+
| Tables_in_radius_db    |
+------------------------+
| batch_history          |
| billing_history        |
| billing_merchant       |
| billing_paypal         |
| billing_plans          |
| billing_plans_profiles |
| billing_rates          |
| cui                    |
| dictionary             |
| hotspots               |
| invoice                |
| invoice_items          |
| invoice_status         |
| invoice_type           |
| nas                    |
| node                   |
| operators              |
| operators_acl          |
| operators_acl_files    |
| payment                |
| payment_type           |
| proxys                 |
| radacct                |
| radcheck               |
| radgroupcheck          |
| radgroupreply          |
| radhuntgroup           |
| radippool              |
| radpostauth            |
| radreply               |
| radusergroup           |
| realms                 |
| userbillinfo           |
| userinfo               |
| wimax                  |
+------------------------+
35 rows in set (0.01 sec)

mysql>

The tables of main interest are radcheck, radreply and radacct. This is what they look like with an already existing user, attributes and accounting.

mysql> select * from radcheck;
Code:
+----+----------+--------------------+----+-------+
| id | username | attribute          | op | value |
+----+----------+--------------------+----+-------+
|  1 | test     | Cleartext-Password | := | test  |
|  5 | INET     | Cleartext-Password | := | cisco |
+----+----------+--------------------+----+-------+
2 rows in set (0.00 sec)

mysql>

mysql> select * from radreply;
Code:
+----+----------+--------------+----+---------------------------------------------------------------+
| id | username | attribute    | op | value                                                         |
+----+----------+--------------+----+---------------------------------------------------------------+
| 19 | INET     | Cisco-AVPair | += | ip:sub-qos-policy-in=SUB-QOS-IN                               |
| 20 | INET     | Cisco-AVPair | += | ip:sub-qos-policy-out=SUB-QOS-OUT                             |
| 17 | INET     | Cisco-AVPair | += | ip:traffic-class=in default drop                              |
| 18 | INET     | Cisco-AVPair | += | ip:traffic-class=out default drop                             |
| 16 | INET     | Cisco-AVPair | += | ip:traffic-class=output access-group name INT_OUT priority 50 |
| 15 | INET     | Cisco-AVPair | += | ip:traffic-class=input access-group name INT_IN priority 50   |
| 26 | test     | Cisco-AVPair | += | subscriber:accounting-list=ISG_ACC                            |
+----+----------+--------------+----+---------------------------------------------------------------+
7 rows in set (0.00 sec)

mysql>

mysql> select radacctid,username,nasipaddress,acctstarttime,acctstoptime,acctinputoctets,acctoutputoctets from radacct;
Code:
+-----------+----------+---------------+---------------------+---------------------+-----------------+------------------+
| radacctid | username | nasipaddress  | acctstarttime       | acctstoptime        | acctinputoctets | acctoutputoctets |
+-----------+----------+---------------+---------------------+---------------------+-----------------+------------------+
|        19 | test     | 192.168.8.230 | 2014-06-02 15:46:19 | NULL                |          725731 |           705781 |
|        18 | test     | 192.168.8.230 | 2014-06-02 15:39:00 | 2014-06-02 15:40:22 |            4913 |             4647 |
|        17 | test     | 192.168.8.230 | 2014-06-02 15:29:30 | 2014-06-02 15:38:33 |             240 |             3223 |
|        16 | test     | 192.168.8.230 | 2014-06-02 14:58:42 | 2014-06-02 15:27:00 |             852 |             1249 |
|        15 | test     | 192.168.8.230 | 2014-06-02 14:51:15 | 2014-06-02 14:57:25 |             252 |              649 |
|        14 | test     | 192.168.8.230 | 2014-06-02 14:46:41 | 2014-06-02 14:50:34 |            1051 |             1950 |
|        13 | test     | 192.168.8.230 | 2014-06-02 14:37:08 | 2014-06-02 14:46:24 |             288 |             1639 |
+-----------+----------+---------------+---------------------+---------------------+-----------------+------------------+
7 rows in set (0.00 sec)

mysql>

Web-portal (Apache):

netland@freeradius:~$ cat /var/www/index.php
netland@freeradius:~$ cat /var/www/isg.php
And now a bit about the traffic flow. The subscriber connects to the network and requests an address via DHCP. The port has ip helper-address configured; I don't think I need to explain what it does.

DHCP_SERVER#show ip dhcp binding
Code:
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type       State      Interface
                Hardware address/
                User name
172.16.1.2      0100.5056.9462.6a       Jun 04 2014 10:04 PM    Automatic  Active     Unknown

On the same interface the ISG policy is applied, which is our main policy, where we steer the various events, and it specifies that a session is created based on a new (unclassified) MAC address. Our session is in state unauthen(ticated):

ISG#show subscriber session
Code:
Codes: Lterm - Local Term, Fwd - forwarded, unauth - unathenticated, authen - authenticated,
       TC Ct. - Number of Traffic Classes on the main session

Current Subscriber Information: Total sessions 1

Uniq ID  Interface  State      Service  Up-time   TC Ct.  Identifier
15       IPv4       unauthen   Lterm    00:04:09  2       172.16.1.2

What just happened: the first rule of our policy, session-start, fired:
Code:
class type control always event session-start
 1 service-policy type service name OPEN_GARDEN
 5 set-timer UNAUTH-TIMER 5
 10 service-policy type service name S_L4R

We try to open microsoft.com: and we land on the portal. We enter the login and password (test/test) and see that the portal let us through (although that by itself means nothing, because I don't process the responses on the server). I checked whether we were authenticated:

ISG#show subscriber session
Code:
Codes: Lterm - Local Term, Fwd - forwarded, unauth - unathenticated, authen - authenticated,
       TC Ct. - Number of Traffic Classes on the main session

Current Subscriber Information: Total sessions 1

Uniq ID  Interface  State      Service  Up-time   TC Ct.  Identifier
16       IPv4       authen     Lterm    00:03:16  2       test
ISG#

Yes. What just happened this time? The account-logon condition fired:
Code:
class type control always event account-logon
 10 authenticate aaa list RAD_SRV
 20 service-policy type service unapply name S_L4R
 30 service-policy type service name INET

The user is on the internet.

ISG#show subscriber session detailed
Code:
Current Subscriber Information: Total sessions 1

--------------------------------------------------
Type: IPv4, UID: 16, State: authen, Identity: test
IPv4 Address: 172.16.1.2
Session Up-time: 00:21:58, Last Changed: 00:21:15
Switch-ID: 4165

Policy information:
  Context 7FEDB056A2A0: Handle C5000057
  AAA_id 00000020: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    accounting-list     0   "ISG_ACC"
  Downloaded User profile, including services:
    username            0   "OPEN_GARDEN"
    accounting-list     0   "ISG_ACC"
    traffic-class       0   "input access-group name INT_IN priority 50"
    traffic-class       0   "output access-group name INT_OUT priority 50"
    traffic-class       0   "in default drop"
    traffic-class       0   "out default drop"
    sub-qos-policy-in   0   "SUB-QOS-IN"
    sub-qos-policy-out  0   "SUB-QOS-OUT"
  Config history for session (recent to oldest):
    Access-type: Web-user-logon Client: Account Command-Handler
      Policy event: Got More Keys
        (Service) Profile name: INET, 3 references
          traffic-class       0   "input access-group name INT_IN priority 50"
          traffic-class       0   "output access-group name INT_OUT priority 50"
          traffic-class       0   "in default drop"
          traffic-class       0   "out default drop"
          sub-qos-policy-in   0   "SUB-QOS-IN"
          sub-qos-policy-out  0   "SUB-QOS-OUT"
    Access-type: Web-user-logon Client: Account Command-Handler
      Policy event: Got More Keys (Unapplied)
        (Service) Profile name: S_L4R, 3 references
          password            0   <hidden>
          username            0   "S_L4R"
          traffic-class       0   "input access-group name ACL_IN_L4R priority 250"
          l4redirect          0   "redirect to ip 192.168.8.227"
    Access-type: Web-user-logon Client: Account Command-Handler
      Policy event: Got More Keys
        Profile name: test, 2 references
          accounting-list     0   "ISG_ACC"
    Access-type: IP Client: SM
      Policy event: Service Selection Request
        (Service) Profile name: S_L4R, 3 references
          password            0   <hidden>
          username            0   "S_L4R"
          traffic-class       0   "input access-group name ACL_IN_L4R priority 250"
          l4redirect          0   "redirect to ip 192.168.8.227"
    Access-type: IP Client: SM
      Policy event: Service Selection Request
        (Service) Profile name: OPEN_GARDEN, 3 references
          password            0   <hidden>
          username            0   "OPEN_GARDEN"
          traffic-class       0   "input access-group name OPENGARDEN_IN priority 250"
          traffic-class       0   "output access-group name OPENGARDEN_OUT priority 250"
          traffic-class       0   "input default drop"
          traffic-class       0   "output default drop"
  Active services associated with session:
    name "INET"
    name "OPEN_GARDEN", applied before account logon
  Rules, actions and conditions executed:
    subscriber rule-map ISG
      condition always event session-start
        1 service-policy type service name OPEN_GARDEN
        5 set-timer UNAUTH-TIMER 5
        10 service-policy type service name S_L4R
    subscriber rule-map ISG
      condition always event account-logon
        10 authenticate aaa list RAD_SRV
        20 service-policy type service unapply name S_L4R
        30 service-policy type service name INET
    subscriber condition-map match-all ISG-IP-UNAUTH
      match identifier timer UNAUTH-TIMER [TRUE]
      match identifier authen-status unauthenticated [FALSE]
    subscriber rule-map ISG
      condition ISG-IP-UNAUTH event timed-policy-expiry
    subscriber condition-map match-all ISG-IP-UNAUTH
      match identifier timer UNAUTH-TIMER [TRUE]
      match identifier authen-status unauthenticated [FALSE]
    subscriber rule-map ISG
      condition ISG-IP-UNAUTH event timed-policy-expiry
    subscriber condition-map match-all ISG-IP-UNAUTH
      match identifier timer UNAUTH-TIMER [TRUE]
      match identifier authen-status unauthenticated [FALSE]
    subscriber rule-map ISG
      condition ISG-IP-UNAUTH event timed-policy-expiry

Classifiers:
Class-id    Dir  Packets  Bytes    Pri.  Definition
0           In   771      101465   0     Match Any
1           Out  912      825309   0     Match Any
2           In   3        175      250   Match ACL OPENGARDEN_IN
3           Out  16       2324     250   Match ACL OPENGARDEN_OUT
6           In   752      99922    50    Match ACL INT_IN
7           Out  896      822985   50    Match ACL INT_OUT
4294967294  In   0        0        -     Drop
4294967295  Out  0        0        -     Drop

Template Id : 14

Features:

Accounting:
Class-id  Dir  Packets  Bytes    Source
0         In   752      99922    Peruser
1         Out  896      822985   Peruser

Configuration Sources:
Type  Active Time  AAA Service ID  Name
SVC   00:21:58     -               OPEN_GARDEN
SVC   00:21:15     -               INET
USR   00:21:15     -               Peruser
INT   00:21:58     -               GigabitEthernet1

Conditions used in the policy. This event fires on the control class ISG-IP-UNAUTH (the user is unauthenticated and the timer has expired):
Code:
class type control ISG-IP-UNAUTH event timed-policy-expiry

Code:
class type control always event session-start

Code:
class type control always event session-restart

Code:
class type control always event account-logon

Code:
class type control always event account-logoff

There are also the quota-depleted and credit-exhausted events, but they are part of the billing logic and go beyond the scope of the introductory narrative I have spun here.

PS This is only a small part of ISG's capabilities. The goal was merely to give a superficial introduction and, so to speak, a taste of it.
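As an added example (not the post's or Cisco's code), the Python model below plays the control policy ISG from the config above through the same events the show outputs walk through: session-start applies OPEN_GARDEN, arms UNAUTH-TIMER and applies S_L4R; account-logon checks the credentials against a constructed copy of the radcheck rows, unapplies S_L4R and applies INET; timed-policy-expiry evaluates the match-all class ISG-IP-UNAUTH. forward() then decides what happens to an inbound packet in each state (open-garden permit, L4 redirect to 192.168.8.227, INET permit, or the default drop); the tie-breaking of equal traffic-class priorities by apply order, the behaviour of account-logoff and the 13.107.42.14 destination are assumptions.

```python
"""Executable model of 'policy-map type control ISG' and of what ISG does with
subscriber traffic in each session state (added example, not the post's code)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for the radcheck rows in the post (username -> Cleartext-Password).
RADCHECK = {"test": "test", "INET": "cisco"}
UNAUTH_TIMER_MIN = 5  # '5 set-timer UNAUTH-TIMER 5' (minutes)


# Inbound (subscriber -> network) traffic classes each service installs, as
# (priority, matcher, action). Lower priority value wins; ties keep apply order (assumption).
def _is_open_garden(p):  # OPENGARDEN_IN: portal and DNS server only
    return p["dst"] in ("192.168.8.227", "192.168.6.9")

def _is_l4r(p):  # ACL_IN_L4R: tcp/80 and tcp/443
    return p["proto"] == "tcp" and p["dport"] in (80, 443)

def _is_int_in(p):  # INT_IN: anything sourced from the subscriber subnet
    return ipaddress.ip_address(p["src"]) in ipaddress.ip_network("172.16.1.0/24")

SERVICES = {
    "OPEN_GARDEN": [(250, _is_open_garden, "permit")],
    "S_L4R":       [(250, _is_l4r, "redirect to ip 192.168.8.227")],
    "INET":        [(50, _is_int_in, "permit")],  # 'input access-group name INT_IN priority 50'
}


@dataclass
class Session:
    identifier: str                                # IP/MAC-derived before logon, username after
    authenticated: bool = False
    timers: dict = field(default_factory=dict)     # timer name -> expiry, minutes since start
    services: list = field(default_factory=list)   # active services, in apply order
    disconnected: bool = False
    trace: list = field(default_factory=list)      # like 'Rules, actions and conditions executed'


def apply_service(s, name):
    if name not in s.services:
        s.services.append(name)
    s.trace.append(f"service-policy type service name {name}")


def unapply_service(s, name):
    if name in s.services:
        s.services.remove(name)
    s.trace.append(f"service-policy type service unapply name {name}")


def handle_event(s, event, now=0, creds=None):
    """Run the rules the control policy attaches to one ISG event, in the post's rule order."""
    if s.disconnected:
        return s
    if event in ("session-start", "session-restart"):
        apply_service(s, "OPEN_GARDEN")                     # rule 1
        s.timers["UNAUTH-TIMER"] = now + UNAUTH_TIMER_MIN   # rule 5
        apply_service(s, "S_L4R")                           # rule 10
    elif event == "account-logon":
        user, password = creds                              # rule 10: authenticate aaa list RAD_SRV
        if RADCHECK.get(user) != password:
            s.trace.append("authenticate aaa list RAD_SRV [FAILED]")
            return s                                        # rules 20/30 only run after success
        s.trace.append("authenticate aaa list RAD_SRV [OK]")
        s.authenticated, s.identifier = True, user
        unapply_service(s, "S_L4R")                         # rule 20
        apply_service(s, "INET")                            # rule 30
    elif event == "timed-policy-expiry":
        # class-map type control match-all ISG-IP-UNAUTH: both conditions must hold
        timer_hit = s.timers.get("UNAUTH-TIMER", float("inf")) <= now
        unauth = not s.authenticated
        s.trace.append(f"match identifier timer UNAUTH-TIMER [{timer_hit}]")
        s.trace.append(f"match identifier authen-status unauthenticated [{unauth}]")
        if timer_hit and unauth:
            s.disconnected = True                           # '1 service disconnect'
            s.trace.append("service disconnect")
    elif event == "account-logoff":
        unapply_service(s, "INET")                          # rule 10
        s.authenticated = False  # assumption of this model: logoff returns the session to unauth
    else:
        raise ValueError(f"unknown event {event}")
    return s


def forward(s, pkt):
    """Decide what ISG does with one inbound packet given the session's active services."""
    if s.disconnected:
        return "drop"
    classes = [(prio, idx, match, action)
               for idx, name in enumerate(s.services)
               for prio, match, action in SERVICES[name]]
    for _, _, match, action in sorted(classes, key=lambda c: (c[0], c[1])):
        if match(pkt):
            return action
    return "drop"  # 'class type traffic default in-out drop' / 'in default drop'


if __name__ == "__main__":
    s = handle_event(Session("172.16.1.2"), "session-start", now=0)
    web = {"src": "172.16.1.2", "dst": "13.107.42.14", "proto": "tcp", "dport": 443}  # constructed
    print(forward(s, web))                  # redirect to ip 192.168.8.227
    handle_event(s, "account-logon", now=2, creds=("test", "test"))
    print(forward(s, web))                  # permit
    handle_event(s, "timed-policy-expiry", now=6)
    print(s.disconnected, s.services)       # False ['OPEN_GARDEN', 'INET']
```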
Reply 2, 04.06.2014, 11:10
First of all, thanks for the article!!!
I want to ask a question: what happens in exactly this situation if a user authorized through the portal, worked for a while and disconnected, after which the lease "expired", and then connects again? We don't store the MAC address anywhere here, do we? Will they have to authorize on the portal all over again? Or do we store the MAC somewhere, so that ISG can know that this user has already been here and simply create an authen session? In other words, how can the following construct be implemented in this scheme:
Reply 3 (thread starter), 06.06.2014, 03:02
Sorry for the long silence, work.
The simplest way I see (ATTENTION, this is not a ready solution, it is a minimal example with unconditional addition of the user). We write a script on the radius server:

On the ISG we change event session-start:
Code:
class type control always event session-start
 1 authorize identifier mac-address
 3 service-policy type service name OPEN_GARDEN
 5 set-timer UNAUTH-TIMER 5
 10 service-policy type service name S_L4R

The user lands on the portal and enters their credentials; via CoA they go to the ISG, which in turn sends them to the radius; the radius catches the packet (install tcpdump), cuts the MAC out of it and inserts it into the mysql database (and, naturally, authorizes the user by login/password).

mysql> select * from radcheck;
Code:
+----+----------------+--------------------+----+-------+
| id | username       | attribute          | op | value |
+----+----------------+--------------------+----+-------+
|  1 | test           | Cleartext-Password | := | test  |
|  5 | INET           | Cleartext-Password | := | cisco |
| 16 | 0050.5694.626a | Cleartext-Password | := | cisco |
+----+----------------+--------------------+----+-------+
3 rows in set (0.00 sec)

mysql>

If at that point the subscriber disconnects and connects again, authorization by MAC will already succeed and rules 3, 5 and 10 won't fire.

PS> actually, if you think about it, the MAC will be added even before the portal, on the authorization attempt under rule 1; this is fixable, but I'm too lazy now; I think you've got the idea.
Reply 4 (thread starter), 08.06.2014, 22:03
The MAC can be brought into the required form with a single sed; it is more cumbersome, but runs 1/1000 of a second faster.
Reply 5, 09.06.2014, 10:16
Well, the idea is clear, thanks again; there will be something to "poke at" in my spare time. I'm just now putting together a similar lab on VMs to get a better grasp of all this; I liked the portal idea and will try to implement it on the lab.
I came up with another question: say I have an ISG which is also the DHCP server, there is an address pool on a loopback and several unnumbered (l2connected) interfaces pointing at that loopback, the pool is, say, a /22, and I have on average 700-800 sessions. And I authorize them not by MAC (a MAC is easier to spoof, after all) but by option82, so the interface looks roughly like this:
I'll also add that the asr1k claims the ability to send a pair of tags, inner and outer, as the identifier, but it doesn't work, and nobody knows when it will be done) So, a sea of questions. Any thoughts? =) How can all this be made redundant by adding a second ISG? The pool can't be split, since if one ISG fails there won't be enough addresses. Move DHCP to a separate server and relay to it, with HSRP (VRRP) between the ISGs, or the more exotic option with GLBP? And the most interesting question: how will things be with sessions? For a session to appear I have to wait for a discover from the client; in principle the lease could be made shorter, but that would probably be ugly... in any case I'll try it out.
Reply 6, 11.08.2014, 15:52
Excellent, thanks, this helped a lot in getting the logic straight in my head.
I'm racking my brain over the question of QoS from radius. The config from the article gives the following result:
Code:
Policy information:
  Context 7FD41ABE49D8: Handle 950002B4
  AAA_id 00006C3C: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    accounting-list     0   "ISG_ACC"
  Downloaded User profile, including services:
    username            0   "OPEN_GARDEN"
    accounting-list     0   "ISG_ACC"
    sub-qos-policy-in   0   "SUB-QOS-IN"
    sub-qos-policy-out  0   "SUB-QOS-OUT"
    traffic-class       0   "in default drop"
    traffic-class       0   "out default drop"
    traffic-class       0   "output access-group name INT_OUT priority 50"
    traffic-class       0   "input access-group name INT_IN priority 50"
  Config history for session (recent to oldest):
    Access-type: Web-user-logon Client: Account Command-Handler
      Policy event: Got More Keys
        (Service) Profile name: INET, 3 references
          sub-qos-policy-in   0   "SUB-QOS-IN"
          sub-qos-policy-out  0   "SUB-QOS-OUT"
          traffic-class       0   "in default drop"
          traffic-class       0   "out default drop"
          traffic-class       0   "output access-group name INT_OUT priority 50"
          traffic-class       0   "input access-group name INT_IN priority 50"
    Access-type: Web-user-logon Client: Account Command-Handler

I tried to make one more service, like this:
Code:
| 12 | test | Cisco-AVPair | += | subscriber:service-name=50M |

policy-map type service 50M
 service-policy input SUB-QOS-IN-50M
 service-policy output SUB-QOS-OUT-50M
!
policy-map SUB-QOS-IN-50M
 class class-default
  police cir 52428500 bc 3276800 be 3276800 conform-action transmit exceed-action drop violate-action drop
policy-map SUB-QOS-OUT-50M
 class class-default
  police cir 52428500 bc 3276800 be 3276800 conform-action transmit exceed-action drop violate-action drop

Code:
  Downloaded User profile, excluding services:
    accounting-list     0   "ISG_ACC"
    service-name        0   "50M"
    command             0   "activate-service"
  Downloaded User profile, including services:
    username            0   "OPEN_GARDEN"
    accounting-list     0   "ISG_ACC"
    service-name        0   "50M"
    command             0   "activate-service"
    traffic-class       0   "in default drop"
    traffic-class       0   "out default drop"
    traffic-class       0   "output access-group name INT_OUT priority 50"
    traffic-class       0   "input access-group name INT_IN priority 50"
  Config history for session (recent to oldest):
    Access-type: Web-user-logon Client: Account Command-Handler
      Policy event: Got More Keys
        (Service) Profile name: INET, 3 references
          traffic-class       0   "in default drop"
          traffic-class       0   "out default drop"
          traffic-class       0   "output access-group name INT_OUT priority 50"
          traffic-class       0   "input access-group name INT_IN priority 50"
    Access-type: Web-user-logon Client: Account Command-Handler

The only case when it worked was when, for a laugh, I made roughly this construct:
Code:
class type control always event account-logon
 10 authenticate aaa list RAD_SRV
 20 service-policy type service unapply name S_L4R
 30 service-policy type service name INET
 40 service-policy type service name 50M

I'd be grateful for a kick in the right direction.
Reply 8, 11.08.2014, 20:55
I rewrote the config from scratch, following the original post.
Full config:
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service unsupported-transceiver
no platform punt-keepalive disable-kernel-core
!
hostname ASR1002-X
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
aaa new-model
!
aaa group server radius RAD_SRV
 server name RAD_SRV1
 load-balance method least-outstanding batch-size 1 ignore-preferred-server
!
aaa authentication login default local
aaa authentication login RAD_SRV group RAD_SRV
aaa authorization exec default local
aaa authorization network default group RAD_SRV
aaa authorization subscriber-service default local group RAD_SRV
aaa accounting delay-start
aaa accounting jitter maximum 0
aaa accounting update periodic 1
aaa accounting commands 0 default none
aaa accounting commands 1 default none
aaa accounting commands 15 default none
aaa accounting network default start-stop group RAD_SRV
aaa accounting network ISG_ACC start-stop group RAD_SRV
!
aaa nas port extended
!
aaa server radius dynamic-author
 client *.*.128.27 server-key 7 070D282F4D06
 client *.*.205.229 server-key 7 00081A150754
 auth-type any
 ignore session-key
 ignore server-key
!
aaa session-id common
!
ip domain name testnet.ru
ip name-server *.*.205.226
ip name-server *.*.205.254
ip dhcp relay information policy keep
ip dhcp relay information trust-all
!
subscriber redundancy dynamic periodic-update interval 15
subscriber service multiple-accept
subscriber service session-accounting
subscriber service accounting interim-interval 1
subscriber templating
subscriber authorization enable
!
multilink bundle-name authenticated
!
redundancy
 mode none
!
ip tftp source-interface GigabitEthernet0
ip ssh authentication-retries 2
ip ssh version 2
class-map type traffic match-any TC_L4R
 match access-group input name ACL_IN_L4R
!
class-map type traffic match-any OPEN_GARDEN
 match access-group input name OPENGARDEN_IN
 match access-group output name OPENGARDEN_OUT
!
class-map type control match-all ISG-IP-UNAUTH
 match timer UNAUTH-TIMER
 match authen-status unauthenticated
!
policy-map type service S_L4R
 250 class type traffic TC_L4R
  redirect to ip *.*.205.249 port 9002
!
policy-map type service OPEN_GARDEN
 250 class type traffic OPEN_GARDEN
 !
 class type traffic default in-out
  drop
!
policy-map type control ISG
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event session-start
  1 service-policy type service name OPEN_GARDEN
  5 set-timer UNAUTH-TIMER 5
  10 service-policy type service name S_L4R
 !
 class type control always event session-restart
  1 service-policy type service name OPEN_GARDEN
  5 set-timer UNAUTH-TIMER 5
  10 service-policy type service name S_L4R
 !
 class type control always event account-logon
  10 authenticate aaa list RAD_SRV
  20 service-policy type service unapply name S_L4R
  30 service-policy type service name INET
 !
 class type control always event account-logoff
  10 service-policy type service unapply name INET
!
policy-map SUB-QOS-IN
 class class-default
  police cir 100000
policy-map SUB-QOS-OUT
 class class-default
  police cir 100000
!
interface Loopback0
 description main unnumbered source interface
 ip address *.*.133.1 255.255.255.0
!
interface Loopback1
 description ip nat pool
 ip address *.*.29.129 255.255.255.224
!
interface Port-channel1
 ip address *.*.204.57 255.255.255.224
 ip nat outside
 ip ospf mtu-ignore
 negotiation auto
!
interface Port-channel1.102
 description management vlan
 encapsulation dot1Q 102
 ip address 10.140.2.9 255.255.255.0
!
interface Port-channel1.1634
 encapsulation dot1Q 1634
 ip unnumbered Loopback0
 ip helper-address *.*.128.28
 ip nat inside
 ip flow egress
 service-policy type control ISG
 ip subscriber l2-connected
  initiator dhcp
!
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
 channel-group 1 mode passive
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
 channel-group 1 mode passive
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/4
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/5
 no ip address
 shutdown
 negotiation auto
!
interface TenGigabitEthernet0/1/0
 no ip address
 shutdown
!
interface TenGigabitEthernet0/2/0
 no ip address
 shutdown
!
interface TenGigabitEthernet0/3/0
 no ip address
 shutdown
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
router ospf 1
 router-id *.*.204.57
 redistribute connected subnets
 network *.*.204.32 0.0.0.31 area 0.0.0.0
!
ip nat settings mode cgn
no ip nat settings support mapping outside
ip nat pool main_nat_pool *.*.29.128 *.*.29.159 netmask 255.255.255.224
ip nat inside source list NAT_RULES pool main_nat_pool overload
ip forward-protocol nd
!
ip flow-export destination *.*.205.229 5096
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 *.*.204.35
!
ip access-list extended ACL_IN_L4R
 permit tcp any any eq www
 permit tcp any any eq 443
ip access-list extended INT_IN
 permit ip any any
ip access-list extended INT_OUT
 permit ip any any
ip access-list extended NAT_RULES
 deny   ip 10.97.0.0 0.0.255.255 *.*.204.0 0.0.3.255
 deny   ip 10.97.0.0 0.0.255.255 *.*.24.0 0.0.7.255
 deny   ip 10.97.0.0 0.0.255.255 *.*.128.0 0.0.127.255
 deny   ip 10.97.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny   ip 10.97.0.0 0.0.255.255 172.16.0.0 0.15.255.255
 permit ip 10.97.0.0 0.0.255.255 any
ip access-list extended OPENGARDEN_IN
 permit ip any host *.*.205.229
 permit ip any host *.*.205.249
 permit ip any host *.*.204.254
 permit ip any host *.*.205.226
ip access-list extended OPENGARDEN_OUT
 permit ip host *.*.205.229 any
 permit ip host *.*.205.249 any
 permit ip host *.*.204.254 any
 permit ip host *.*.205.226 any
!
snmp-server community public RO
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 30 original-called-number
no radius-server attribute nas-port
radius-server attribute 31 mac format ietf
radius-server attribute 31 send nas-port-detail mac-only
radius-server retransmit 2
radius-server timeout 3
radius-server key 7 13061E210803
!
radius server RAD_SRV1
 address ipv4 *.*.128.27 auth-port 1812 acct-port 1813
 key 7 06100625494114181412
!
control-plane
!
alias exec shs show subscriber session
alias exec cls clear subscriber session all
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 transport input ssh
!
end

select * from radreply (fully identical to the original):
+----+----------+--------------+----+---------------------------------------------------------------+
| id | username | attribute    | op | value                                                         |
+----+----------+--------------+----+---------------------------------------------------------------+
|  1 | INET     | Cisco-AVPair | += | ip:sub-qos-policy-in=SUB-QOS-IN                               |
|  2 | INET     | Cisco-AVPair | += | ip:sub-qos-policy-out=SUB-QOS-OUT                             |
|  3 | INET     | Cisco-AVPair | += | ip:traffic-class=in default drop                              |
|  4 | INET     | Cisco-AVPair | += | ip:traffic-class=out default drop                             |
|  5 | INET     | Cisco-AVPair | += | ip:traffic-class=output access-group name INT_OUT priority 50 |
|  6 | INET     | Cisco-AVPair | += | ip:traffic-class=input access-group name INT_IN priority 50   |
|  7 | test     | Cisco-AVPair | += | subscriber:accounting-list=ISG_ACC                            |
+----+----------+--------------+----+---------------------------------------------------------------+

show subscriber session detailed
Code:
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: DHCPv4, UID: 2, State: authen, Identity: test
IPv4 Address: *.*.133.11
Session Up-time: 00:05:12, Last Changed: 00:03:59
Switch-ID: 4097
Policy information:
  Context 7F70759389F0: Handle D2000006
  AAA_id 0000000E: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    accounting-list     0   "ISG_ACC"
  Downloaded User profile, including services:
    username            0   "OPEN_GARDEN"
    accounting-list     0   "ISG_ACC"
    sub-qos-policy-in   0   "SUB-QOS-IN"
    sub-qos-policy-out  0   "SUB-QOS-OUT"
    traffic-class       0   "in default drop"
    traffic-class       0   "out default drop"
    traffic-class       0   "output access-group name INT_OUT priority 50"
    traffic-class       0   "input access-group name INT_IN priority 50"
  Config history for session (recent to oldest):
    Access-type: Web-user-logon Client: Account Command-Handler
      Policy event: Got More Keys (Service)
        Profile name: INET, 3 references
          sub-qos-policy-in   0   "SUB-QOS-IN"
          sub-qos-policy-out  0   "SUB-QOS-OUT"
          traffic-class       0   "in default drop"
          traffic-class       0   "out default drop"
          traffic-class       0   "output access-group name INT_OUT priority 50"
          traffic-class       0   "input access-group name INT_IN priority 50"
    Access-type: Web-user-logon Client: Account Command-Handler
      Policy event: Got More Keys (Unapplied) (Service)
        Profile name: S_L4R, 4 references
          password            0   <hidden>
          username            0   "S_L4R"
          traffic-class       0   "input access-group name ACL_IN_L4R priority 250"
          l4redirect          0   "redirect to ip *.*.205.249 port 9002"
    Access-type: Web-user-logon Client: Account Command-Handler
      Policy event: Got More Keys
        Profile name: test, 2 references
          accounting-list     0   "ISG_ACC"
    Access-type: DHCP Client: SM
      Policy event: Service Selection Request (Service)
        Profile name: S_L4R, 4 references
          password            0   <hidden>
          username            0   "S_L4R"
          traffic-class       0   "input access-group name ACL_IN_L4R priority 250"
          l4redirect          0   "redirect to ip *.*.205.249 port 9002"
    Access-type: DHCP Client: SM
      Policy event: Service Selection Request (Service)
        Profile name: OPEN_GARDEN, 3 references
          password            0   <hidden>
          username            0   "OPEN_GARDEN"
          traffic-class       0   "input access-group name OPENGARDEN_IN priority 250"
          traffic-class       0   "output access-group name OPENGARDEN_OUT priority 250"
          traffic-class       0   "input default drop"
          traffic-class       0   "output default drop"
  Active services associated with session:
    name "INET"
    name "OPEN_GARDEN", applied before account logon
  Rules, actions and conditions executed:
    subscriber rule-map ISG
      condition always event session-restart
        1 service-policy type service name OPEN_GARDEN
        5 set-timer UNAUTH-TIMER 5
        10 service-policy type service name S_L4R
    subscriber rule-map ISG
      condition always event account-logon
        10 authenticate aaa list RAD_SRV
        20 service-policy type service unapply name S_L4R
        30 service-policy type service name INET
    subscriber condition-map match-all ISG-IP-UNAUTH
      match identifier timer UNAUTH-TIMER [TRUE]
      match identifier authen-status unauthenticated [FALSE]
    subscriber rule-map ISG
      condition ISG-IP-UNAUTH event timed-policy-expiry
    subscriber condition-map match-all ISG-IP-UNAUTH
      match identifier timer UNAUTH-TIMER [TRUE]
      match identifier authen-status unauthenticated [FALSE]
    subscriber rule-map ISG
      condition ISG-IP-UNAUTH event timed-policy-expiry
    subscriber condition-map match-all ISG-IP-UNAUTH
      match identifier timer UNAUTH-TIMER [TRUE]
      match identifier authen-status unauthenticated [FALSE]
    subscriber rule-map ISG
      condition ISG-IP-UNAUTH event timed-policy-expiry
Classifiers:
Class-id    Dir  Packets  Bytes    Pri.  Definition
0           In   1415     146164   0     Match Any
1           Out  926      251376   0     Match Any
6           In   37       2400     250   Match ACL OPENGARDEN_IN
7           Out  174      23754    250   Match ACL OPENGARDEN_OUT
10          In   989      113236   50    Match ACL INT_IN
11          Out  747      227290   50    Match ACL INT_OUT
4294967294  In   214      16589    -     Drop
4294967295  Out  5        332      -     Drop
Template Id : 2
Features:
Accounting:
Class-id  Dir  Packets  Bytes    Source
0         In   972      112374   Peruser
1         Out  741      226996   Peruser
Configuration Sources:
Type  Active Time  AAA Service ID  Name
SVC   00:05:12     -               OPEN_GARDEN
SVC   00:03:59     -               INET
USR   00:03:59     -               Peruser
INT   00:05:12     -               Port-channel1.1634
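As an added example (not code from the thread or from Cisco), a small Python parser for the `show subscriber session detailed` text quoted above: it pulls the per-user profile attributes and the active service list, and flags any service the RADIUS user profile asked ISG to activate (a `service-name` attribute followed by `command "activate-service"`, as in the 50M attempt in post 7) that does not appear under "Active services associated with session". The sample output is constructed to mirror the thread's output, with IPs masked as on the page.

```python
"""Added example: parse 'show subscriber session detailed' text from a Cisco ISG
and check that every service the RADIUS user profile asked ISG to activate is
actually listed as active on the session. Not code from the thread or Cisco."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the output quoted in this thread (IPs masked as on the page).
SAMPLE = """\
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: DHCPv4, UID: 2, State: authen, Identity: test
IPv4 Address: *.*.133.11
Policy information:
  Authentication status: authen
  Downloaded User profile, excluding services:
    accounting-list     0   "ISG_ACC"
    service-name        0   "50M"
    command             0   "activate-service"
  Downloaded User profile, including services:
    username            0   "OPEN_GARDEN"
    accounting-list     0   "ISG_ACC"
    service-name        0   "50M"
    command             0   "activate-service"
    traffic-class       0   "in default drop"
  Config history for session (recent to oldest):
    Access-type: Web-user-logon Client: Account Command-Handler
      Policy event: Got More Keys (Service)
        Profile name: INET, 3 references
          sub-qos-policy-in   0   "SUB-QOS-IN"
  Active services associated with session:
    name "INET"
    name "OPEN_GARDEN", applied before account logon
  Rules, actions and conditions executed:
    subscriber rule-map ISG
"""

# Headers that open the sections we care about; attribute lines in other sections are passed over.
SECTION_HEADERS = {
    "Downloaded User profile, excluding services:": "user_profile",
    "Downloaded User profile, including services:": "merged_profile",
    "Config history for session": "history",
    "Active services associated with session:": "active",
    "Rules, actions and conditions executed:": "rules",
    "Classifiers:": "classifiers",
}
ATTR_RE = re.compile(r'^([\w-]+)\s+\d+\s+"(.*)"$')      # e.g. service-name  0  "50M"
ACTIVE_RE = re.compile(r'^name\s+"([^"]+)"')             # e.g. name "INET", applied before ...
TYPE_RE = re.compile(r"^Type: .*?, State: (\w+), Identity: (\S+)")


@dataclass
class SessionInfo:
    identity: str = ""
    state: str = ""
    user_attrs: list = field(default_factory=list)       # (attribute, value) from the per-user profile
    active_services: list = field(default_factory=list)  # names under "Active services ..."


def parse_session(text: str) -> SessionInfo:
    """Line-oriented parse; leading indentation is ignored, only the section headers matter."""
    info = SessionInfo()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = TYPE_RE.match(line)
        if m:
            info.state, info.identity = m.group(1), m.group(2)
            continue
        header = next((name for h, name in SECTION_HEADERS.items() if line.startswith(h)), None)
        if header:
            section = header
            continue
        if section == "user_profile" and (m := ATTR_RE.match(line)):
            info.user_attrs.append((m.group(1), m.group(2)))
        elif section == "active" and (m := ACTIVE_RE.match(line)):
            info.active_services.append(m.group(1))
    return info


def requested_services(info: SessionInfo) -> list:
    """Services the user profile told ISG to bring up: a service-name attribute
    followed by command "activate-service" (the pair the RADIUS reply carried)."""
    requested, pending = [], None
    for attr, value in info.user_attrs:
        if attr == "service-name":
            pending = value
        elif attr == "command" and value == "activate-service" and pending:
            requested.append(pending)
            pending = None
    return requested


def missing_services(info: SessionInfo) -> list:
    """Requested services that never show up as active on the session."""
    return [s for s in requested_services(info) if s not in info.active_services]


if __name__ == "__main__":
    session = parse_session(SAMPLE)
    print(f"session {session.identity}: state={session.state}, active={session.active_services}")
    for svc in missing_services(session):
        print(f"  requested service {svc!r} is NOT active: check its policy-map type service and AAA authorization")
```

On the constructed sample this reports 50M as requested but not active, which is the same gap the poster saw between the downloaded profile and the applied QoS.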
0
0 / 0 / 0
Registered: 11.08.2014
Posts: 10
12.08.2014, 15:09 | 10 |
Yes, it's empty.
The debug, unfortunately, did not give me any ideas. Part 1:
Code:
*Aug 12 02:07:00.474: CH-IDMGR: Entered ch_get_id_mgr_record
*Aug 12 02:07:00.474: SSS PM: CH-IDMGR: (00000000): "ssg-account-info" testing address *.*.133.11
*Aug 12 02:07:00.474: SSS PM: CH-IDMGR: (00000000): ssg-account-info SSG:*.*.133.11
*Aug 12 02:07:00.474: CH-IDMGR: req id 0: next hop for ip *.*.133.11 is Port-channel1.1634
*Aug 12 02:07:00.474: CH-IDMGR: IDMGR query request
*Aug 12 02:07:00.475: CH-MAIN: CH ctx 0x7F706A42FC88 allocated
*Aug 12 02:07:00.475: CH-IDMGR: Entered ch_get_id_mgr_record_from_sess
*Aug 12 02:07:00.475: CH-IDMGR: Query for all available information request
*Aug 12 02:07:00.475: CH-MAIN: processing a new CoA request
*Aug 12 02:07:00.475: CH-MAIN: enabling accounting queueing
*Aug 12 02:07:00.475: CH-UTILS: Entered ch_get_idmgr_attributes
*Aug 12 02:07:00.475: CH-UTILS: Entered ch_get_command_attributes
*Aug 12 02:07:00.475: SSS PM: CH-UTILS: (00000000): "ssg-account-info" testing address *.*.133.11
*Aug 12 02:07:00.475: SSS PM: CH-UTILS: (00000000): ssg-account-info SSG:*.*.133.11
*Aug 12 02:07:00.475: CH-MAIN: *.*.133.11 processing account-logon
*Aug 12 02:07:00.475: CH-IDMGR: *.*.133.11 Entered ch_idmgr_proxy_response
*Aug 12 02:07:00.475: CH-IDMGR: *.*.133.11 Entered account_logon_idmgr_success
*Aug 12 02:07:00.475: COA_CCM: [SESSION CH EVENT] Event = NEW-REQUEST (ctx: 0x7F706A42FC88, msg: ACCOUNT LOGON)
*Aug 12 02:07:00.475: COA_CCM: Rxd CH context - user 'test', service '', IP 0.0.0.0, Acct Sess ID 4026531883, SSS hdl 0x1040000B063850B
*Aug 12 02:07:00.475: COA_CCM: Found SHDB handle 0x7F000014 for SSS handle 0xF000002B
*Aug 12 02:07:00.475: COA_HA: [ERR] COA context is not found
*Aug 12 02:07:00.475: COA_CCM: Found acct_sess_id 0x178E from parent_aaa_id 0x16FC
*Aug 12 02:07:00.475: COA_CCM: New dynamic session (shdb 0x7F000014, ctx 0x7F706A42FC88, dsess_hdl 0x1, acct_session_id 0x178E) ACCOUNT LOGON OK
*Aug 12 02:07:00.475: CH-IDMGR: *.*.133.11 IDMGR response list
*Aug 12 02:07:00.475: CH-IDMGR: :*.*.133.11
*Aug 12 02:07:00.475: CH-MAIN: attr session-handle = 4026531883(F000002B)
*Aug 12 02:07:00.475: CH-MAIN: attr session-guid = C2BBCC39000016FC
*Aug 12 02:07:00.475: CH-MAIN: attr aaa-unique-id = 5884(000016FC)
*Aug 12 02:07:00.475: CH-MAIN: attr clid-mac-addr = 001374000000
*Aug 12 02:07:00.475: CH-MAIN: attr domainip-vrf = B063850B0000
*Aug 12 02:07:00.475: CH-MAIN: attr circuit-id-tag = 00040662000b
*Aug 12 02:07:00.475: CH-MAIN: attr remote-id-tag = 0006acf1dfafe720
*Aug 12 02:07:00.475: CH-MAIN: attr vendor-class-id-tag = MSFT 5.0
*Aug 12 02:07:00.475: CH-MAIN: attr authen-status = unauthen
*Aug 12 02:07:00.475: CH-MAIN: attr interface = nas-port:0.0.0.0:255/0/1/1634
*Aug 12 02:07:00.475: CH-MAIN: attr addr = *.*.133.11
*Aug 12 02:07:00.475: CH-MAIN: attr service-name = S_L4R
*Aug 12 02:07:00.475: CH-MAIN: attr idmgr-svc-key = F000002B75000008
*Aug 12 02:07:00.475: CH-MAIN: attr authen-status = unauthen
*Aug 12 02:07:00.475: CH-MAIN: attr service-name = OPEN_GARDEN
*Aug 12 02:07:00.475: CH-MAIN: attr idmgr-svc-key = F000002B1C000003
*Aug 12 02:07:00.475: CH-MAIN: attr authen-status = unauthen
*Aug 12 02:07:00.475: CH-UTILS: *.*.133.11 Entered ch_is_session_deactivating
*Aug 12 02:07:00.475: CH-SSS: *.*.133.11 Sending a account logon request to PM
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]: Updated key list:
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Access-Type = 12 (Web-user-logon)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   IP-Address-VRF = IP *.*.133.11:0
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   source-ip-address = 7F7075486760
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Mac-Address = 0013.7400.0000
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Sign-Of-Life = 2 (00000002)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   IP-Session-Handle = 2550136844 (9800000C)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Circuit-id = "00040662000b"
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Remote-id = "0006acf1dfafe720"
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Vendor-Class-id = "MSFT 5.0"
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Authen-Status = 1 (Unauthenticated)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Nasport = PPPoEoVLAN: slot 255 adapter 0 port 1 sub-interface 1634 IP 0.0.0.0 VPI 0 VCI 0 VLAN 1634
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Session-Handle = 4026531883 (F000002B)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Restart = 1 (YES)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Protocol-Type = 4 (IP Access Protocol)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Media-Type = 2 (IP)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Switch-Id = 4134 (00001026)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Segment-Hdl = 4135 (00001027)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   AccIe-Hdl = 1006632971 (3C00000B)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   AAA-Id = 5884 (000016FC)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   SHDB-Handle = 2130706452 (7F000014)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Input Interface = "Port-channel1.1634"
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   IP-Address = *.*.133.11 (B063850B)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Unauth-User = "test"
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]: Account Command-Handler Policy invoke - Account-Logon
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE: Looking for a rule for event account-logon
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE: Intf CloneSrc Po1.1634: service-rule any: ISG
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE: Evaluate "ISG" for account-logon
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE: Not matched "ISG/ISG-IP-UNAUTH event timed-policy-expiry"
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE: Not matched "ISG/always event session-start"
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE: Not matched "ISG/always event session-restart"
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE: Matched "ISG/always event account-logon"
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE: Matched "ISG/always event account-logon/10 authenticate aaa list RAD_SRV "
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE[0]: Start
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE[0]: ISG/always event account-logon/10 authenticate aaa list RAD_SRV
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: SIP [Web-user-logon] can provide more keys
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: SIP [Web-user-logon] can provide more keys
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE[0]: Using AAA-Authen-Method-List RAD_SRV
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE[0]: Need key Auth-User
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE[1]: Start
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE[1]: ISG/always event account-logon/10 authenticate aaa list RAD_SRV
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: Event <need keys>, State: wait-for-events to need-init-keys
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: Policy reply - Need More Keys
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: IDMGR: Need:
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: IDMGR: ask for authen status
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: IDMGR: request, Query Session Authenticated Status
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: IDMGR: reply, Query Session Authenticated Status = no-record-found
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: IDMGR: session NOT authenticated
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: Event <idmgr didn't get keys>, State: need-init-keys to need-init-keys
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: Asking client for more keys
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: Policy reply - Need More Keys
*Aug 12 02:07:00.476: CH-SSS: *.*.133.11 Entered Account logon call back
*Aug 12 02:07:00.476: CH-SSS: *.*.133.11 Result Need More Keys
*Aug 12 02:07:00.476: CH-SSS: *.*.133.11 Policy requested more keys
*Aug 12 02:07:00.476: CH-SSS: *.*.133.11 Got a method list name RAD_SRV
*Aug 12 02:07:00.476: CH-UTILS: *.*.133.11 Entered ch_add_framed_ip
*Aug 12 02:07:00.476: CH-UTILS: *.*.133.11 ch_add_framed_ip: adding framed ip:0xB0F3850B
*Aug 12 02:07:00.478: CH-MAIN: *.*.133.11 AAA authentication successful
*Aug 12 02:07:00.478: CH-MAIN: :*.*.133.11
*Aug 12 02:07:00.478: CH-MAIN: reply, attr accounting-list
*Aug 12 02:07:00.478: CH-MAIN: *.*.133.11 Sending more keys request to PM
*Aug 12 02:07:00.478: CH-SSS: *.*.133.11 Sending a account logon request to PM
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: Authen status update; is now "authen"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: IDMGR: assert authen status "authen"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: IDMGR: send event Session Update
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: IDMGR: with username "test"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: Session activation: ok
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: Updated key list:
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Restart = 1 (YES)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Protocol-Type = 4 (IP Access Protocol)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Media-Type = 2 (IP)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Switch-Id = 4134 (00001026)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Segment-Hdl = 4135 (00001027)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   AccIe-Hdl = 1006632971 (3C00000B)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   AAA-Id = 5884 (000016FC)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   SHDB-Handle = 2130706452 (7F000014)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Input Interface = "Port-channel1.1634"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   IP-Address = *.*.133.11 (B063850B)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Unauth-User = "test"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   IP-Address-VRF = IP *.*.133.11:0
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   source-ip-address = 7F2075486760
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Mac-Address = 0013.7400.0000
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Sign-Of-Life = 2 (00000002)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   IP-Session-Handle = 2550136844 (9800000C)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Circuit-id = "00040662000b"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Remote-id = "0006acf1dfafe720"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Vendor-Class-id = "MSFT 5.0"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Authen-Status = 0 (Authenticated)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Nasport = PPPoEoVLAN: slot 255 adapter 0 port 1 sub-interface 1634 IP 0.0.0.0 VPI 0 VCI 0 VLAN 1634
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Session-Handle = 4026531883 (F000002B)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   AAA-Authen-Method-List = "RAD_SRV"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   AAA-Attr-List = FE000BAB
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:     accounting-list 0 "ISG_ACC"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Access-Type = 12 (Web-user-logon)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Final = 1 (YES)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Auth-User = "test"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: Account Command-Handler Policy invoke - Got More Keys
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: Must apply config before continuing
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: Handling Config Request from Client
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: Event <got process config req>, State: need-init-keys to need-init-keys
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: Handling Process Config
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: Apply config request set to AAA list Config: accounting-list 0 "ISG_ACC"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: Sending test request to AAA
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: SSS PM: Allocating per-user profile info
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: SSS PM: Add per-user profile info to policy context
*Aug 12 02:07:00.478: SSS AAA AUTHOR [uid:11]: Root SIP DHCP
*Aug 12 02:07:00.478: SSS AAA AUTHOR [uid:11]: Enable IP parsing
*Aug 12 02:07:00.478: SSS AAA AUTHOR [uid:11]: Enable DHCP parsing
*Aug 12 02:07:00.478: SSS AAA AUTHOR [uid:11]: Enable IP-Interface parsing
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: ACTIVE HANDLE[0]: Snapshot captured in Active context
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: ACTIVE HANDLE[0]: Active context created
*Aug 12 02:07:00.478: SSS AAA AUTHOR [uid:11]: Event <make request>, state changed from idle to authorizing
*Aug 12 02:07:00.478: SSS AAA AUTHOR [uid:11]: Active key set to Auth-User
*Aug 12 02:07:00.478: SSS AAA AUTHOR [uid:11]: Authorizing key test
*Aug 12 02:07:00.478: SSS AAA AUTHOR [uid:11]: Spoofed AAA reply sent for key test
*Aug 12 02:07:00.478: SSS AAA AUTHOR [uid:11]: Received an AAA pass Initial attr accounting-list 0 "ISG_ACC"
0
0 / 0 / 0
Registered: 11.08.2014
Posts: 10
12.08.2014, 15:10 | 11 |
Part 2 (did not fit within the message size limit):
Code:
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: RULE: VRF Parsing routine: accounting-list 0 "ISG_ACC"
*Aug 12 02:07:00.479: SSS PM: VPDN is not enabled
*Aug 12 02:07:00.479: SSF[Peruser/Accounting]: AAA feature Accounting created, for Per-user configuration source
*Aug 12 02:07:00.479: Portbundle Hostkey: portbundle not configured on the router
*Aug 12 02:07:00.479: SSS AAA AUTHOR [uid:11]: SIP IP[7DD7550] parsed as Ignore
*Aug 12 02:07:00.479: SSS AAA AUTHOR [uid:11]: SIP IP[7E12A70] parsed as Ignore
*Aug 12 02:07:00.479: SSS AAA AUTHOR [uid:11]: SIP DHCP[7E12A70] parsed as Ignore
*Aug 12 02:07:00.479: SSS AAA AUTHOR [uid:11]: Event <service not found>, state changed from authorizing to complete
*Aug 12 02:07:00.479: SSS AAA AUTHOR [uid:11]: No service authorization info found
*Aug 12 02:07:00.479: SSS AAA AUTHOR [uid:11]: Active Handle present - C000000E
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: Apply config handle [FE000BAB] now set to [1000BA5]
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: ACTIVE HANDLE[0]: Snapshot reverted from Active context to policy context
*Aug 12 02:07:00.479: SSS AAA AUTHOR [uid:11]: Freeing Active Handle; SSS Policy Context Handle = 4200002C
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: ACTIVE HANDLE[2133]: Released active handle
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: PROFILE: store profile "test"
*Aug 12 02:07:00.479: SSS PM: PROFILE-DB: is profile "test" in DB
*Aug 12 02:07:00.479: SSS PM: PROFILE-DB: Computed hash value = 912537302
*Aug 12 02:07:00.479: SSS PM: PROFILE-DB: No, add new list
*Aug 12 02:07:00.479: SSS PM: PROFILE-DB: create "test"
*Aug 12 02:07:00.479: SSS PM: PROFILE-DB: create "test"/7F70759EBFF0 hdl 9E000B9B ref 1
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: PROFILE: create 7F70759F0140, ref 1
*Aug 12 02:07:00.479: SSS AAA AUTHOR [uid:11]: Event <free request>, state changed from complete to terminal
*Aug 12 02:07:00.479: SSS AAA AUTHOR [uid:11]: Cancel request
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: Handling Author Not Found Event
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: Feature info: 7F70778A10F0 Type: Accounting
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: : Config level: Per-user
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: : IDB type: Sub-if or not required
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: : 32 bytes:
SSS PM [uid:11][7F70759389F0]: : Data: 000000 00 00 00 00 00 00 00 00  ........
SSS PM [uid:11][7F70759389F0]: : Data: 000008 00 00 00 00 7F 70 75 3F  .....pu?
SSS PM [uid:11][7F70759389F0]: : Data: 000010 C6 38 00 00 00 00 00 00  .8......
SSS PM [uid:11][7F70759389F0]: : Data: 000018 00 00 00 00 00 00 00 00  ........
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: Apply of config finished; returning
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: Account Command-Handler Policy invoke - Got More Keys
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: Access type Web-user-logon: final key
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: RULE[0]: Start
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: RULE[0]: ISG/always event account-logon/10 authenticate aaa list RAD_SRV
*Aug 12 02:07:00.479: SSS PM CCM: Found SHDB handle 0x7F000014 for policy context 0x7F70759389F0
*Aug 12 02:07:00.479: SSS PM CCM: [SESSION PM EVENT] Event = NEW-REQUEST (ctx: 0x7F70759389F0, action: AUTHENTICATE)
*Aug 12 02:07:00.479: SSS PM HA: Dynsess not required shdb = 0x7F000014 spol_ctx = 0x7F70759389F0
*Aug 12 02:07:00.479: SSS PM CCM: Set PM HA as not ready (session 0x7F000014) successfully
*Aug 12 02:07:00.479: SSS PM HA: Adding an action (type AUTHENTICATE) into the PM HA queue
*Aug 12 02:07:00.479: SSS PM HA: Setting current elem, from 0x7F707099B9F8 to 0x7F707099B868
*Aug 12 02:07:00.479: SSS PM CCM: New bulk session (shdb 0x7F000014), ctx 0x7F70759389F0, dsess_hdl 0x0, AUTHENTICATE OK
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: RULE[0]: Run action with no altered name
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: State: need-init-keys to initial-req
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: RULE[0]: Have key Auth-User
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: RULE[1]: Start
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: RULE[1]: ISG/always event account-logon/10 authenticate aaa list RAD_SRV
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: RULE[2]: Start
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: RULE[2]: ISG/always event account-logon/20 service-policy type service unapply name S_L4R
*Aug 12 02:07:00.479: SSS PM CCM: Found SHDB handle 0x7F000014 for policy context 0x7F70759389F0
*Aug 12 02:07:00.479: SSS PM CCM: [SESSION PM EVENT] Event = NEW-REQUEST (ctx: 0x7F70759389F0, action: UNAPPLY-SERVICE)
*Aug 12 02:07:00.479: SSS PM HA: Dynsess not required shdb = 0x7F000014 spol_ctx = 0x7F70759389F0
*Aug 12 02:07:00.479: SSS PM CCM: Set PM HA as not ready (session 0x7F000014) successfully
*Aug 12 02:07:00.479: SSS PM HA: Adding an action (type UNAPPLY-SERVICE) into the PM HA queue
*Aug 12 02:07:00.479: SSS PM HA: Setting current elem, from 0x7F707099B868 to 0x7F707099B7A0
*Aug 12 02:07:00.479: SSS PM CCM: New bulk session (shdb 0x7F000014), ctx 0x7F70759389F0, dsess_hdl 0x0, UNAPPLY-SERVICE OK
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: State: initial-req to check-auth-needed
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: Event <send auth>, State: check-auth-needed to authorizing
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: Handling AAA service Authorization
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: Sending AAA request for 'S_L4R'
*Aug 12 02:07:00.479: SVM [75000008/S_L4R]: already downloaded; sharing
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: service "S_L4R" in cache
*Aug 12 02:07:00.479: SSS AAA AUTHOR [0]: Root SIP DHCP
*Aug 12 02:07:00.479: SSS AAA AUTHOR [0]: Enable IP parsing
*Aug 12 02:07:00.479: SSS AAA AUTHOR [0]: Enable DHCP parsing
*Aug 12 02:07:00.479: SSS AAA AUTHOR [0]: Enable IP-Interface parsing
*Aug 12 02:07:00.479: SSS AAA AUTHOR [0]: SIP IP[7DD7550] parsed as Ignore
*Aug 12 02:07:00.479: SSS AAA AUTHOR [0]: SIP IP[7E12A70] parsed as Ignore
*Aug 12 02:07:00.479: SSS AAA AUTHOR [0]: SIP DHCP[7E12A70] parsed as Ignore
*Aug 12 02:07:00.479: SVM [75000008/S_L4R]: [4200002C]: client download ok
*Aug 12 02:07:00.479: SVM [75000008/S_L4R]: [SVM-to-client-msg:4200002C] locked 0->1
*Aug 12 02:07:00.479: SVM [75000008/S_L4R]: [PM-Download:4200002C] locked 0->1
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: waiting for download response
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[2]: Downloading service "S_L4R"
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[3]: Start
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[3]: ISG/always event account-logon/20 service-policy type service unapply name S_L4R
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Event <send auth>, State: authorizing to authorizing
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Handling Action Ignore for <send auth>
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: SVM service download success
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: download completed for "S_L4R" version 1
*Aug 12 02:07:00.480: SVM [75000008/S_L4R]: alloc feature info
*Aug 12 02:07:00.480: SVM [75000008/S_L4R]: is a feature remove
*Aug 12 02:07:00.480: SVM [75000008/S_L4R]: [SVM-Feature-Info:7F7075649A20] locked 0->1
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: PROFILE: store profile "S_L4R"
*Aug 12 02:07:00.480: SSS PM: PROFILE-DB: incremented ref "S_L4R"/7F70759EC050 hdl 7000096D ref 3
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: PROFILE: create 7F70759F0118, ref 1
*Aug 12 02:07:00.480: SVM [75000008/S_L4R]: populated client
*Aug 12 02:07:00.480: SVM [75000008/S_L4R]: [PM-Download:4200002C] unlocked 1->0
*Aug 12 02:07:00.480: SVM [75000008/S_L4R]: [SVM-to-client-msg:4200002C] unlocked 1->0
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE: VRF/Classname Check: session logging off or not VRF/Classname dependent
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Handling Author Not Found Event
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Feature info: 7F7075649A20 Type: Service Config
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: : Config level: Service Profile
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: : IDB type: Sub-if or not required
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: : Is being removed
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: : 16 bytes:
SSS PM [uid:11][7F70759389F0]: : Data: 000000 00 00 75 00 00 08 00 00  ..u.....
SSS PM [uid:11][7F70759389F0]: : Data: 000008 00 00 BF 00 00 2E 00 00  ........
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Feature info: 7F70778A10F0 Type: Accounting
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: : Config level: Per-user
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: : IDB type: Sub-if or not required
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: : 32 bytes:
SSS PM [uid:11][7F70759389F0]: : Data: 000000 00 00 00 00 00 00 00 00  ........
SSS PM [uid:11][7F70759389F0]: : Data: 000008 00 00 00 00 7F 70 75 3F  .....pu?
SSS PM [uid:11][7F70759389F0]: : Data: 000010 C6 38 00 00 00 00 00 00  .8......
SSS PM [uid:11][7F70759389F0]: : Data: 000018 00 00 00 00 00 00 00 00  ........
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Service ending *Aug 12 02:07:00.480: SVM [75000008/S_L4R]: already downloaded; sharing *Aug 12 02:07:00.480: SSS PM [7F7075937F40]: SERVICE [S_L4R]: Stop-pending request: Ok *Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: SERVICE [S_L4R]: Sending Service logoff to DPM *Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Event <srvf not found>, State: authorizing to check-auth-needed *Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Handling Next Authorization Check *Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[0]: Continue *Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[0]: ISG/always event account-logon/20 service-policy type service unapply name S_L4R *Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[1]: Continue *Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[1]: ISG/always event account-logon/30 service-policy type service name INET *Aug 12 02:07:00.480: SSS PM CCM: Found SHDB handle 0x7F000014 for policy context 0x7F70759389F0 *Aug 12 02:07:00.480: SSS PM CCM: [SESSION PM EVENT] Event = NEW-REQUEST (ctx: 0x7F70759389F0, action: APPLY-SERVICE) *Aug 12 02:07:00.480: SSS PM HA: Dynsess not required shdb = 0x7F000014 spol_ctx = 0x7F70759389F0 *Aug 12 02:07:00.480: SSS PM CCM: Set PM HA as not ready (session 0x7F000014) successfully *Aug 12 02:07:00.480: SSS PM HA: Adding an action (type APPLY-SERVICE) into the PM HA queue *Aug 12 02:07:00.480: SSS PM HA: Setting current elem, from 0x7F707099B7A0 to 0x7F707099B6D8 *Aug 12 02:07:00.480: SSS PM CCM: New bulk session (shdb 0x7F000014), ctx 0x7F70759389F0, dsess_hdl 0x0, APPLY-SERVICE OK *Aug 12 02:07:00.480: SSS PM [7F70759382D0]: Create context 7F70759382D0 *Aug 12 02:07:00.480: SSS PM [7F70759382D0]: key lists to append are empty *Aug 12 02:07:00.480: SSS PM [7F70759382D0]: Authen status update; is now "unauthen" *Aug 12 02:07:00.480: SSS PM [7F70759382D0]: IDMGR: assert authen status "unauthen" *Aug 12 02:07:00.480: 
SSS PM [7F70759382D0]: Authen status should not be updated from a child policy context *Aug 12 02:07:00.480: SSS PM [7F70759382D0]: Did not update authen status to IDMGR *Aug 12 02:07:00.480: SSS PM [7F70759382D0]: Updated NAS port for AAA ID 5884 *Aug 12 02:07:00.480: SSS PM [7F70759382D0]: IDMGR: send event Session Update *Aug 12 02:07:00.480: SSS PM [7F70759382D0]: Updated key list: *Aug 12 02:07:00.480: SSS PM [7F70759382D0]: Authen-Status = 1 (Unauthenticated) *Aug 12 02:07:00.480: SSS PM [7F70759382D0]: Nasport = PPPoEoVLAN: slot 255 adapter 0 port 1 sub-interface 1634 IP 0.0.0.0 VPI 0 VCI 0 VLAN 1634 *Aug 12 02:07:00.480: SSS PM [7F70759382D0]: Session-Handle = 4026531883 (F000002B) *Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[1]: This service INET is marked as not cancelled *Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Event <send auth>, State: check-auth-needed to authorizing *Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Handling AAA service Authorization *Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Sending AAA request for 'INET' *Aug 12 02:07:00.480: SVM [32000005/INET]: already downloaded; sharing *Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: service "INET" in cache *Aug 12 02:07:00.480: SSS AAA AUTHOR [0]: Root SIP DHCP *Aug 12 02:07:00.480: SSS AAA AUTHOR [0]: Enable IP parsing *Aug 12 02:07:00.480: SSS AAA AUTHOR [0]: Enable DHCP parsing *Aug 12 02:07:00.480: SSS AAA AUTHOR [0]: Enable IP-Interface parsing *Aug 12 02:07:00.480: SSS AAA AUTHOR [0]: SIP IP[7DD7550] parsed as Ignore *Aug 12 02:07:00.480: SSS AAA AUTHOR [0]: SIP IP[7E12A70] parsed as Ignore *Aug 12 02:07:00.480: SSS AAA AUTHOR [0]: SIP DHCP[7E12A70] parsed as Ignore *Aug 12 02:07:00.480: SVM [32000005/INET]: [4200002C]: client download ok *Aug 12 02:07:00.480: SVM [32000005/INET]: [SVM-to-client-msg:4200002C] locked 0->1 *Aug 12 02:07:00.480: SVM [32000005/INET]: [PM-Download:4200002C] locked 0->1 *Aug 12 02:07:00.480: SSS PM 
[uid:11][7F70759389F0]: waiting for download response *Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[1]: Downloading service "INET" *Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[2]: Continue *Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[2]: ISG/always event account-logon/30 service-policy type service name INET *Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Event <send auth>, State: authorizing to authorizing *Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Handling Action Ignore for <send auth> *Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: SVM service download success *Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: download completed for "INET" version 1 *Aug 12 02:07:00.480: SVM [32000005/INET]: alloc feature info *Aug 12 02:07:00.481: SVM [32000005/INET]: [SVM-Feature-Info:7F70756499F8] locked 0->1 *Aug 12 02:07:00.481: SVM [32000005/INET]: has Policy info *Aug 12 02:07:00.481: SVM [32000005/INET]: [PM-Info:7F70759D1E68] locked 0->1 *Aug 12 02:07:00.481: SVM [32000005/INET]: has Policy info *Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: PROFILE: store profile "INET" *Aug 12 02:07:00.481: SSS PM: PROFILE-DB: incremented ref "INET"/7F70759EBFC0 hdl 8B000266 ref 2 *Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: PROFILE: create 7F70759F00F0, ref 1 *Aug 12 02:07:00.481: SVM [32000005/INET]: populated client *Aug 12 02:07:00.481: SVM [32000005/INET]: [PM-Download:4200002C] unlocked 1->0 *Aug 12 02:07:00.481: SVM [32000005/INET]: [SVM-to-client-msg:4200002C] unlocked 1->0 *Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: RULE: VRF/Classname Check: session logging off or not VRF/Classname dependent *Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: Handling Author Not Found Event *Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: Feature info: 7F7075649A20 Type: Service Config *Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: : Config level: Service Profile *Aug 12 02:07:00.481: SSS PM 
[uid:11][7F70759389F0]: : IDB type: Sub-if or not required *Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: : Is being removed *Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: : 16 bytes: SSS PM [uid:11][7F70759389F0]: : Data: 000000 00 00 75 00 00 08 00 00 ..u..... SSS PM [uid:11][7F70759389F0]: : Data: 000008 00 00 BF 00 00 2E 00 00 ........ *Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: Feature info: 7F70756499F8 Type: Service Config *Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: : Config level: Service Profile *Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: : IDB type: Sub-if or not required *Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: : 16 bytes: SSS PM [uid:11][7F70759389F0]: : Data: 000000 00 00 32 00 00 05 00 00 ..2..... SSS PM [uid:11][7F70759389F0]: : Data: 000008 00 00 93 00 00 2F 00 00 ...../.. *Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: Feature info: 7F70778A10F0 Type: Accounting *Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: : Config level: Per-user *Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: : IDB type: Sub-if or not required *Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: : 32 bytes: SSS PM [uid:11][7F70759389F0]: : Data: 000000 00 00 00 00 00 00 00 00 ........ SSS PM [uid:11][7F70759389F0]: : Data: 000008 00 00 00 00 7F 70 75 3F .....pu? SSS PM [uid:11][7F70759389F0]: : Data: 000010 C6 38 00 00 00 00 00 00 .8...... SSS PM [uid:11][7F70759389F0]: : Data: 000018 00 00 00 00 00 00 00 00 ........ 
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: Service starting *Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: SERVICE [INET]: Parent 7F70759389F0 (same as session) *Aug 12 02:07:00.481: SVM [32000005/INET]: [PM-Service:7F70759F4250] locked 0->1 *Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: SERVICE [INET]: Start-pending request: Ok *Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: Event <srvf not found>, State: authorizing to check-auth-needed *Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: Handling Next Authorization Check *Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: RULE[0]: Continue *Aug 12 02:08:00.534: Accounting[uid:11]: Collecting records for session accounting *Aug 12 02:08:00.534: Accounting[uid:11]: Dynamic record gathering started for ctx 7F70778C1068 *Aug 12 02:08:00.534: Accounting[uid:11]: Control info records gathering started for ctx 7F70778C1068 *Aug 12 02:08:00.534: Accounting[uid:11]: Updating attribute: I0;38224 *Aug 12 02:08:00.534: Accounting[uid:11]: Updating attribute: O0;114379 *Aug 12 02:08:00.534: SSF: Accounting Start attribute request is for session *Aug 12 02:08:00.534: SSF: Gathering attributes for flow 0 *Aug 12 02:08:00.534: SSF: No attributes found for flow features *Aug 12 02:08:00.534: SSS PM [uid:11][7F70759389F0]: SERVICE: Adding Service attributes to start *Aug 12 02:08:00.534: SSS PM [uid:11][7F70759389F0]: AUTOSERVICE: Services added to accounting ID 5884
Registered: 11.08.2014
Posts: 10
12.08.2014, 15:29 | 12 |
I double-checked and did it like this:
Code
policy-map SUB-QOS-IN
 class class-default
  police cir 50000000
policy-map SUB-QOS-OUT
 class class-default
  police cir 50000000
policy-map type service SUB-QOS
 service-policy input SUB-QOS-IN
 service-policy output SUB-QOS-OUT
policy-map type control ISG
 ...
 class type control always event account-logon
  10 authenticate aaa list RAD_SRV
  20 service-policy type service unapply name S_L4R
  30 service-policy type service name INET
  40 service-policy type service name SUB-QOS
Code
*Aug 12 04:14:54.370: SSF[Peruser/Accounting]: AAA feature Accounting created, for Per-user configuration source
*Aug 12 04:14:54.370: Portbundle Hostkey: portbundle not configured on the router
*Aug 12 04:14:54.370: QoS Policy Map: Process Attr: sub-policy-In
*Aug 12 04:14:54.370: QoS Policy Map: Process Attr: sub-policy-Out
*Aug 12 04:14:54.370: SSF[SUB-QOS/QoS Policy Map]: AAA feature QoS Policy Map created, for Service Profile configuration source
*Aug 12 04:14:54.370: Portbundle Hostkey: portbundle not configured on the router
*Aug 12 04:14:54.370: SSF[uid:17:0.1]: Sending Apply Config Request to FM
*Aug 12 04:14:54.371: SSF[uid:17:0.1]: Received a config apply request from Session Manager for segment 7F707773DBC0
*Aug 12 04:14:54.371: SSF[INET/uid:17:0.1]: Apply Service Profile configured features from source(BC00000A)
*Aug 12 04:14:54.371: SSF[uid:17:0.1]: Request flow segment context to be created
*Aug 12 04:14:54.371: SSF[uid:17:0.1]: L2HW Segment init returned: Success
*Aug 12 04:14:54.371: SSF[INET/uid:17:20.21]: Apply Service Profile configured features from source(BC00000A)
*Aug 12 04:14:54.371: SSF[INET/uid:17:20.21]: Segment bound to a Service Profile configuration source Success
*Aug 12 04:14:54.371: SSF[SUB-QOS/uid:17:0.1]: Apply Service Profile configured features from source(C600000E)
*Aug 12 04:14:54.371: QoS Policy Map: START:qos_cca_peruser_apply:target = 0x37000037, target_type = 4, cb = 0x7F706E71C9E8, dir = 0, sense = 1
*Aug 12 04:14:54.371: QoS Policy Map: cb content:cb->username = , cb->class = 0,cb->parameterized_qos_policy = 0
*Aug 12 04:14:54.371: QoS Policy Map: dir = 0, cb->qos_policy_map_name = SUB-QOS-IN
*Aug 12 04:14:54.371: QoS Policy Map: created cp context 0x7F70767B3438
*Aug 12 04:14:54.371: QoS Policy Map[uid:17]: install_l2hw 1, update_l2hw 0 dir 0 status bits 0
*Aug 12 04:14:54.371: QoS Policy Map[uid:17]: cp policy
*Aug 12 04:14:54.371: QoS Policy Map[uid:17]: cb policy SUB-QOS-IN
*Aug 12 04:14:54.371: QoS Policy Map[uid:17]: swidb if_number is 23
*Aug 12 04:14:54.371: SSF: Feature IP protocol mask: V4 & V6
*Aug 12 04:14:54.371: SSF[uid:17:0.1/QoS Policy Map]: L2HW IC bind feature returned: Success
*Aug 12 04:14:54.371: SSF[uid:17:0.1/QoS Policy Map]: L2HW InQ Install feature info request returned: Success
*Aug 12 04:14:54.371: SSF[uid:17/QoS Policy Map]: Adding inbound direction feature context to segment
*Aug 12 04:14:54.371: QoS Policy Map: notify install start: aaa 7322, shdb EC000020, dir 0, status 0
*Aug 12 04:14:54.371: QoS Policy Map: create policy_name 0x7F7077250350
*Aug 12 04:14:54.371: QoS Policy Map: END:qos_cca_peruser_apply ret SSF_FEATURE_SUCCESS bits 0x40
*Aug 12 04:14:54.371: QoS Policy Map: START:qos_cca_peruser_apply:target = 0x37000037, target_type = 4, cb = 0x7F706E71C9E8, dir = 1, sense = 1
*Aug 12 04:14:54.371: QoS Policy Map: cb content:cb->username = , cb->class = 0,cb->parameterized_qos_policy = 0
*Aug 12 04:14:54.371: QoS Policy Map: dir = 1, cb->qos_policy_map_name = SUB-QOS-OUT
*Aug 12 04:14:54.371: QoS Policy Map: START:qos_sss_acct_accuracy_handler:dir = 1, sense = 1
*Aug 12 04:14:54.371: QoS Policy Map[uid:17]: install_l2hw 0, update_l2hw 1 dir 1 status bits 40
*Aug 12 04:14:54.371: QoS Policy Map[uid:17]: cp policy
*Aug 12 04:14:54.371: QoS Policy Map[uid:17]: cb policy SUB-QOS-OUT
*Aug 12 04:14:54.371: QoS Policy Map[uid:17]: swidb if_number is 23
*Aug 12 04:14:54.371: QoS Policy Map: create callback context 0x7F7077AB8CD8; total allocated 1
*Aug 12 04:14:54.371: QoS Policy Map: CoA update on 0x1C9A, status bits 0x49.
*Aug 12 04:14:54.371: SSF: Feature IP protocol mask: V4 & V6
*Aug 12 04:14:54.371: SSF[uid:17:0.1/QoS Policy Map]: L2HW IC bind feature returned: Success
*Aug 12 04:14:54.371: SSF[uid:17:0.1/QoS Policy Map]: L2HW InQ Update feature info request returned: Success
*Aug 12 04:14:54.371: SSF[uid:17/QoS Policy Map]: Adding outbound direction feature context to segment
*Aug 12 04:14:54.371: QoS Policy Map: create policy_name 0x7F7077250148
*Aug 12 04:14:54.371: QoS Policy Map: END:qos_cca_peruser_apply ret SSF_FEATURE_PENDING bits 0x49
*Aug 12 04:14:54.371: SSF[uid:17:0.1/QoS Policy Map]: This feature has returned pending: mask = 2
*Aug 12 04:14:54.371: SSF[SUB-QOS/uid:17:0.1]: Segment bound to a Service Profile configuration source Pending
*Aug 12 04:14:54.371: SSF[uid:17:0.1/QoS Policy Map]: L2HW Set feature handle [2042], ref_cnt [1]
*Aug 12 04:14:54.371: SSF[uid:17:0.1/QoS Policy Map]: L2HW Install feature returned: Ready
*Aug 12 04:14:54.371: SSF[uid:17:0.1/QoS Policy Map]: L2HW Queued feature info free.
*Aug 12 04:14:54.371: SSF[uid:17:0.1/QoS Policy Map]: L2HW Update feature returned: Ready
*Aug 12 04:14:54.371: SSF[uid:17:0.1/QoS Policy Map]: L2HW Queued feature info free.
*Aug 12 04:14:54.371: SSF[uid:17:0.1]: L2HW Activate features returned: Success
*Aug 12 04:14:54.371: SSF[uid:17/QoS]: Installing inbound feature on Layer 3 IP switching path, IP-SIP segment
*Aug 12 04:14:54.393: SSF[uid:17/QoS]: Installing outbound feature on Layer 3 IP switching path, IP-SIP segment
*Aug 12 04:14:54.393: QoS Policy Map: START:qos_peruser_ssf_event_handler
*Aug 12 04:14:54.393: QoS Policy Map: QoS Peruser - Rxed msg 3 from DP status_bits 49->49, policymap SUB-QOS-IN
*Aug 12 04:14:54.393: QoS Policy Map[uid:17]: Install service on context 0x7F70767B3438
*Aug 12 04:14:54.393: QoS Policy Map[uid:17]: Install Success: policy-map SUB-QOS-IN
*Aug 12 04:14:54.393: QoS Policy Map: notify install success: aaa 7322, shdb EC000020, dir 0, status 40
*Aug 12 04:14:54.393: SSF: Feature IP protocol mask: V4 & V6
*Aug 12 04:14:54.393: SSF[uid:17:0.1/QoS Policy Map]: L2HW IC bind feature returned: No change
*Aug 12 04:14:54.393: SSF[uid:17:0.1/QoS Policy Map]: L2HW InQ Update feature info request returned: Success
*Aug 12 04:14:54.393: QoS Policy Map: END:qos_peruser_ssf_event_handler
*Aug 12 04:14:54.393: QoS Policy Map: START:qos_peruser_ssf_event_handler
*Aug 12 04:14:54.393: QoS Policy Map: QoS Peruser - Rxed msg 3 from DP status_bits 9->1, policymap SUB-QOS-OUT
*Aug 12 04:14:54.393: QoS Policy Map[uid:17]: Install service on context 0x7F70767B3438
*Aug 12 04:14:54.393: QoS Policy Map[uid:17]: Install Success: policy-map SUB-QOS-OUT
*Aug 12 04:14:54.393: QoS Policy Map: notify install success: aaa 7322, shdb EC000020, dir 1, status 0
*Aug 12 04:14:54.393: SSF: Feature IP protocol mask: V4 & V6
*Aug 12 04:14:54.393: SSF[uid:17:0.1/QoS Policy Map]: L2HW IC bind feature returned: No change
*Aug 12 04:14:54.393: SSF[uid:17:0.1/QoS Policy Map]: L2HW InQ Update feature info request returned: Success
*Aug 12 04:14:54.393: QoS Policy Map[uid:17]: Qos peruser conditional queue setup for aaa id 0x1C9A
*Aug 12 04:14:54.393: QoS Policy Map: END:qos_peruser_ssf_event_handler
*Aug 12 04:14:54.394: SSF: Processing feature done event
*Aug 12 04:14:54.394: QoS Policy Map: START:qos_peruser_feature_callback
*Aug 12 04:14:54.394: QoS Policy Map: f_cbctxt 0x7F7077AB8CD8 cp_context 0x7F70767B3438 coa_callback 7F7077AB8CD8
*Aug 12 04:14:54.394: QoS Policy Map: status bits 0x21 reply type 3
*Aug 12 04:14:54.394: QoS Policy Map: END:qos_peruser_feature_callback resp 0
*Aug 12 04:14:54.394: SSF[uid:17:0.1]: Continue feature apply, response Success
*Aug 12 04:14:54.394: SSF: Feature callback return Success
*Aug 12 04:14:54.394: SSF[uid:17:0.1/QoS Policy Map]: Unsetting feature pending flag.
*Aug 12 04:14:54.394: SSF[uid:17:0.1/QoS Policy Map]: Feature apply continue: pending mask = 0x0
*Aug 12 04:14:54.394: SSF[INET/uid:17:0.1]: Apply Service Profile configured features from source(BC00000A)
*Aug 12 04:14:54.394: SSF[INET/uid:17:20.21]: Config source Service Profile is already applied to this session, ignoring apply request
*Aug 12 04:14:54.394: SSF[SUB-QOS/uid:17:0.1]: Config source Service Profile is already applied to this session, ignoring apply request
*Aug 12 04:14:54.394: SSF[uid:17:0.1/QoS Policy Map]: L2HW Update feature returned: Ready
*Aug 12 04:14:54.394: SSF[uid:17:0.1/QoS Policy Map]: L2HW Queued feature info free.
*Aug 12 04:14:54.394: SSF[uid:17:0.1/QoS Policy Map]: L2HW Update feature returned: Ready
*Aug 12 04:14:54.394: SSF[uid:17:0.1/QoS Policy Map]: L2HW Queued feature info free.
*Aug 12 04:14:54.394: SSF[uid:17:0.1]: L2HW Activate features returned: Success
*Aug 12 04:14:54.394: SSF[S_L4R/uid:17:26.27]: Unbind flow segment notify. IETF 0/0 ASCEND 0/0 cause
*Aug 12 04:14:54.394: SSF[S_L4R/uid:17:26.27/L4 Redirect]: Removing feature on segment
*Aug 12 04:14:54.394: L4 Redirect: Remove inbound direction from Service Profile configuration
*Aug 12 04:14:54.394: L4 Redirect: Updating (remove) L4R feature context
*Aug 12 04:14:54.394: SSF[uid:17:26.27/L4 Redirect]: L2HW IC bind feature returned: Success
*Aug 12 04:14:54.394: SSF[uid:17:0.1/L4 Redirect]: L2HW InQ Update feature info request returned: Success
*Aug 12 04:14:54.394: SSF[uid:17/L4 Redirect]: Stop timer
*Aug 12 04:14:54.394: L4 Redirect: Deleted L4R rule context
*Aug 12 04:14:54.394: L4 Redirect: Removing L4R feature context with no remaining rules
*Aug 12 04:14:54.394: SSF[uid:17/L4 Redirect]: Removing inbound direction feature context from segment
*Aug 12 04:14:54.394: L4 Redirect: Deleted L4R feature context
*Aug 12 04:14:54.394: SSF[uid:17/L4 Redirect]: Removing outbound direction feature context from segment
*Aug 12 04:14:54.394: L4 Redirect: Deleted L4R feature context
*Aug 12 04:14:54.394: L4 Redirect: Templated session L4R freeing parent outbound
*Aug 12 04:14:54.394: SSF: Removed feature in inbound direction: Success
*Aug 12 04:14:54.394: SSF[S_L4R/uid:17:26.27/L4 Redirect]: Successfully removed feature on segment
*Aug 12 04:14:54.394: SSF[S_L4R/uid:17:26.27]: Disassociated segment from Service Profile configuration source, Success
*Aug 12 04:14:54.394: SSF[S_L4R/uid:17:26.27]: Unbind flow segment from configuration source, Success
*Aug 12 04:14:54.394: SSF[uid:17:0.1/L4 Redirect]: L2HW Queued feature info free.
*Aug 12 04:14:54.394: SSF[uid:17:0.1]: L2HW Clear queued feature events returned: Success
*Aug 12 04:14:54.394: SSF[uid:17:26.27]: Request flow segment context to be released
*Aug 12 04:14:54.394: SSF[uid:17:26.27]: Deleting flow segment context
*Aug 12 04:14:54.394: SSF[Peruser/uid:17:0.1]: Apply Per-user configured features from source(EE00000A)
*Aug 12 04:14:54.394: SSF[Peruser/uid:17:0.1/Accounting]: Applying feature on segment
... Trimmed
At the same time the Features section is still empty, but a qos-policy-map section has appeared:
Code
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: DHCPv4, UID: 17, State: authen, Identity: test
IPv4 Address: 176.99.133.11
Session Up-time: 00:05:48, Last Changed: 00:04:59
Switch-ID: 4158
Policy information:
  Context 7F70759389F0: Handle 1B000046
  AAA_id 00001C9A: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    accounting-list     0   "ISG_ACC"
  Downloaded User profile, including services:
    accounting-list     0   "ISG_ACC"
    sub-qos-policy-in   0   "SUB-QOS-IN"
    sub-qos-policy-out  0   "SUB-QOS-OUT"
    traffic-class       0   "in default drop"
    traffic-class       0   "out default drop"
    traffic-class       0   "output access-group name INT_OUT priority 50"
    traffic-class       0   "input access-group name INT_IN priority 50"
    username            0   "SUB-QOS"
    sub-policy-In       0   "SUB-QOS-IN"
    sub-policy-Out      0   "SUB-QOS-OUT"
  Config history for session (recent to oldest):
    Access-type: Web-user-logon
    Client: Account Command-Handler
    Policy event: Got More Keys
      (Service) Profile name: SUB-QOS, 3 references
        password            0   <hidden>
        username            0   "SUB-QOS"
        sub-policy-In       0   "SUB-QOS-IN"
        sub-policy-Out      0   "SUB-QOS-OUT"
    Access-type: Web-user-logon
    Client: Account Command-Handler
    Policy event: Got More Keys
      (Service) Profile name: INET, 3 references
        sub-qos-policy-in   0   "SUB-QOS-IN"
        sub-qos-policy-out  0   "SUB-QOS-OUT"
        traffic-class       0   "in default drop"
        traffic-class       0   "out default drop"
        traffic-class       0   "output access-group name INT_OUT priority 50"
        traffic-class       0   "input access-group name INT_IN priority 50"
    Access-type: Web-user-logon
    Client: Account Command-Handler
    Policy event: Got More Keys
      (Unapplied) (Service) Profile name: S_L4R, 4 references
        password            0   <hidden>
        username            0   "S_L4R"
        traffic-class       0   "input access-group name ACL_IN_L4R priority 250"
        l4redirect          0   "redirect to ip 194.187.205.249 port 9002"
    Access-type: Web-user-logon
    Client: Account Command-Handler
    Policy event: Got More Keys
      Profile name: test, 2 references
        accounting-list     0   "ISG_ACC"
    Access-type: DHCP
    Client: SM
    Policy event: Service Selection Request
      (Service) Profile name: S_L4R, 4 references
        password            0   <hidden>
        username            0   "S_L4R"
        traffic-class       0   "input access-group name ACL_IN_L4R priority 250"
        l4redirect          0   "redirect to ip 194.187.205.249 port 9002"
    Access-type: DHCP
    Client: SM
    Policy event: Service Selection Request
      (Service) Profile name: OPEN_GARDEN, 3 references
        password            0   <hidden>
        username            0   "OPEN_GARDEN"
        traffic-class       0   "input access-group name OPENGARDEN_IN priority 250"
        traffic-class       0   "output access-group name OPENGARDEN_OUT priority 250"
        traffic-class       0   "input default drop"
        traffic-class       0   "output default drop"
  Active services associated with session:
    name "SUB-QOS"
    name "INET"
    name "OPEN_GARDEN", applied before account logon
  Rules, actions and conditions executed:
    subscriber rule-map ISG
      condition always event session-restart
        1 service-policy type service name OPEN_GARDEN
        5 set-timer UNAUTH-TIMER 5
        10 service-policy type service name S_L4R
    subscriber rule-map ISG
      condition always event account-logon
        10 authenticate aaa list RAD_SRV
        20 service-policy type service unapply name S_L4R
        30 service-policy type service name INET
        40 service-policy type service name SUB-QOS
    subscriber condition-map match-all ISG-IP-UNAUTH
      match identifier timer UNAUTH-TIMER [TRUE]
      match identifier authen-status unauthenticated [FALSE]
    subscriber rule-map ISG
      condition ISG-IP-UNAUTH event timed-policy-expiry
    subscriber condition-map match-all ISG-IP-UNAUTH
      match identifier timer UNAUTH-TIMER [TRUE]
      match identifier authen-status unauthenticated [FALSE]
    subscriber rule-map ISG
      condition ISG-IP-UNAUTH event timed-policy-expiry
    subscriber condition-map match-all ISG-IP-UNAUTH
      match identifier timer UNAUTH-TIMER [TRUE]
      match identifier authen-status unauthenticated [FALSE]
    subscriber rule-map ISG
      condition ISG-IP-UNAUTH event timed-policy-expiry
Classifiers:
Class-id    Dir  Packets   Bytes      Pri.  Definition
0           In   55293     58737370   0     Match Any
1           Out  66921     61782972   0     Match Any
6           In   22        1395       250   Match ACL OPENGARDEN_IN
7           Out  106       14130      250   Match ACL OPENGARDEN_OUT
20          In   55060     58722263   50    Match ACL INT_IN
21          Out  66786     61767350   50    Match ACL INT_OUT
4294967294  In   106       6781       -     Drop
4294967295  Out  29        1492       -     Drop

Template Id : 4

Features:

QoS Policy Map:
Class-id  Dir  Policy Name  Source
0         In   SUB-QOS-IN   SUB-QOS
1         Out  SUB-QOS-OUT  SUB-QOS

Accounting:
Class-id  Dir  Packets  Bytes     Source
0         In   54472    57886842  Peruser
1         Out  66082    60718986  Peruser

Configuration Sources:
Type  Active Time  AAA Service ID  Name
SVC   00:05:48     -               OPEN_GARDEN
SVC   00:04:59     -               INET
USR   00:04:59     -               Peruser
SVC   00:04:59     -               SUB-QOS
INT   00:05:48     -               Port-channel1.1634
I feel it's somewhere close, but I can't catch the direction. =)
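An added example, not code from this thread or from Cisco: a small Python script that boils ISG policy-manager debug output like the two logs above down to what one actually checks when a service "should" have applied: the control-policy rules that ran, the services that started or stopped and with what result, and the QoS policy-maps the data plane confirmed installed. It accepts both normal one-entry-per-line output and the flattened form the forum produced. The sample log inside it is constructed from the message shapes above (the uid, context handles and service names are made up to match), not a verbatim capture, and the check at the end assumes nothing beyond the message formats visible in the posts.

```python
"""Condense Cisco ISG policy-manager / SSF debug output per session."""
import re
from collections import defaultdict

# One debug entry starts with "*Mon DD hh:mm:ss.mmm: "; hex-dump continuation
# lines carry no timestamp and simply stay attached to the preceding entry.
TS_PREFIX = r"\*[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d{3}: "
ENTRY_SPLIT_RE = re.compile(r"\s+(?=" + TS_PREFIX + ")")
TS_RE = re.compile(r"^\*(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d{3}): (?P<msg>.*)$", re.S)

# Message shapes as they appear in the thread (control policy "ISG", class "always").
RULE_RE = re.compile(
    r"SSS PM \[uid:(?P<uid>\d+)\]\[[0-9A-F]+\]: RULE\[\d+\]: "
    r"(?P<policy>[^/ ]+)/(?P<cond>\S+) event (?P<event>\S+)/(?P<seq>\d+) (?P<action>.+)$")
SERVICE_RE = re.compile(
    r"SSS PM (?:\[uid:(?P<uid>\d+)\])?\[[0-9A-F]+\]: SERVICE \[(?P<svc>[^\]]+)\]: "
    r"(?P<req>Start|Stop)-pending request: (?P<result>\w+)")
QOS_RE = re.compile(
    r"QoS Policy Map\[uid:(?P<uid>\d+)\]: Install Success: policy-map (?P<pmap>\S+)")
APPLY_RE = re.compile(r"service-policy type service (?P<unapply>unapply )?name (?P<svc>\S+)")


def split_entries(text):
    """Yield (timestamp, message) for each debug entry, flattened or not."""
    for chunk in ENTRY_SPLIT_RE.split(text):
        m = TS_RE.match(chunk.strip())
        if m:
            yield m.group("ts"), m.group("msg")


def summarize(text):
    """Return {uid: {"rules": [(event, seq, action)], "services": [...], "qos": [...]}}."""
    sessions = defaultdict(lambda: {"rules": [], "services": [], "qos": []})
    current_uid = None  # some SERVICE lines carry only a context handle, no uid
    for _ts, msg in split_entries(text):
        m = RULE_RE.search(msg)
        if m:
            current_uid = m.group("uid")
            rule = (m.group("event"), int(m.group("seq")), m.group("action"))
            # the policy manager logs the same rule on every pass through the chain
            if rule not in sessions[current_uid]["rules"]:
                sessions[current_uid]["rules"].append(rule)
            continue
        m = SERVICE_RE.search(msg)
        if m and (m.group("uid") or current_uid):
            uid = m.group("uid") or current_uid
            sessions[uid]["services"].append(
                (m.group("svc"), m.group("req").lower(), m.group("result")))
            continue
        m = QOS_RE.search(msg)
        if m:
            sessions[m.group("uid")]["qos"].append(m.group("pmap"))
    return dict(sessions)


def check_session(summary, uid):
    """List service actions from the control policy that never got an 'Ok'."""
    sess = summary.get(uid)
    if sess is None:
        return [f"uid {uid}: no policy-manager lines seen"]
    issues = []
    for _event, _seq, action in sess["rules"]:
        m = APPLY_RE.match(action)
        if not m:
            continue  # e.g. "authenticate aaa list RAD_SRV"
        want = "stop" if m.group("unapply") else "start"
        if (m.group("svc"), want, "Ok") not in sess["services"]:
            issues.append(f"{m.group('svc')}: expected {want}, saw none")
    return issues


# Constructed sample, flattened onto one line the way the forum did it.
SAMPLE_DEBUG = (
    "*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: RULE[1]: ISG/always event account-logon/10 authenticate aaa list RAD_SRV "
    "*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: RULE[2]: ISG/always event account-logon/20 service-policy type service unapply name S_L4R "
    "*Aug 12 02:07:00.480: SSS PM [7F7075937F40]: SERVICE [S_L4R]: Stop-pending request: Ok "
    "*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[1]: ISG/always event account-logon/30 service-policy type service name INET "
    "*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[2]: ISG/always event account-logon/30 service-policy type service name INET "
    "*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: SERVICE [INET]: Start-pending request: Ok "
    "*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: RULE[3]: ISG/always event account-logon/40 service-policy type service name SUB-QOS "
    "*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: : 16 bytes: SSS PM [uid:11][7F70759389F0]: : Data: 000000 00 00 75 00 00 08 00 00 ..u..... "
    "*Aug 12 02:07:01.002: QoS Policy Map[uid:11]: Install Success: policy-map SUB-QOS-IN"
)

if __name__ == "__main__":
    summary = summarize(SAMPLE_DEBUG)
    for uid, sess in summary.items():
        print(f"uid {uid}: rules={sess['rules']}")
        print(f"        services={sess['services']} qos={sess['qos']}")
        print(f"        issues={check_session(summary, uid)}")
```

Feed it the raw text of a `debug subscriber policy` / `debug subscriber feature` capture; the `issues` line is the quick answer to "did rule 40 actually start its service", which is hard to see in the full log.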
12.08.2014, 18:28 | 13 |
Found it.
The radreply table should look like this:
Code
+----+----------+--------------+----+---------------------------------------------------------------+
| id | username | attribute    | op | value                                                         |
+----+----------+--------------+----+---------------------------------------------------------------+
| 15 | INET     | Cisco-AVPair | += | ip:traffic-class=input access-group name INT_IN priority 50   |
| 16 | INET     | Cisco-AVPair | += | ip:traffic-class=output access-group name INT_OUT priority 50 |
| 17 | INET     | Cisco-AVPair | += | ip:traffic-class=in default drop                              |
| 18 | INET     | Cisco-AVPair | += | ip:traffic-class=out default drop                             |
| 19 | test     | Cisco-AVPair | += | ip:sub-qos-policy-in=SUB-QOS10-IN                             |
| 20 | test     | Cisco-AVPair | += | ip:sub-qos-policy-out=SUB-QOS10-OUT                           |
| 26 | test     | Cisco-AVPair | += | subscriber:accounting-list=ISG_ACC                            |
+----+----------+--------------+----+---------------------------------------------------------------+
The client then looks like this:
Code
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: DHCPv4, UID: 30, State: authen, Identity: test
IPv4 Address: 176.99.133.11
Session Up-time: 00:02:55, Last Changed: 00:02:52
Switch-ID: 4213
Policy information:
  Context 7F70759389F0: Handle 1E000086
  AAA_id 00001EFB: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    sub-qos-policy-in   0   "SUB-QOS10-IN"
    sub-qos-policy-out  0   "SUB-QOS10-OUT"
    accounting-list     0   "ISG_ACC"
  Downloaded User profile, including services:
    username            0   "OPEN_GARDEN"
    sub-qos-policy-in   0   "SUB-QOS10-IN"
    sub-qos-policy-out  0   "SUB-QOS10-OUT"
    accounting-list     0   "ISG_ACC"
    traffic-class       0   "in default drop"
    traffic-class       0   "out default drop"
    traffic-class       0   "output access-group name INT_OUT priority 50"
    traffic-class       0   "input access-group name INT_IN priority 50"
  Config history for session (recent to oldest):
    Access-type: Web-user-logon
    Client: Account Command-Handler
    Policy event: Got More Keys
      (Service) Profile name: INET, 3 references
        sub-qos-policy-in   0   "SUB-QOS-IN"
        sub-qos-policy-out  0   "SUB-QOS-OUT"
        traffic-class       0   "in default drop"
        traffic-class       0   "out default drop"
        traffic-class       0   "output access-group name INT_OUT priority 50"
        traffic-class       0   "input access-group name INT_IN priority 50"
    Access-type: Web-user-logon
    Client: Account Command-Handler
    Policy event: Got More Keys
      (Unapplied) (Service) Profile name: S_L4R, 4 references
        password            0   <hidden>
        username            0   "S_L4R"
        traffic-class       0   "input access-group name ACL_IN_L4R priority 250"
        l4redirect          0   "redirect to ip 194.187.205.249 port 9002"
    Access-type: Web-user-logon
    Client: Account Command-Handler
    Policy event: Got More Keys
      Profile name: test, 2 references
        sub-qos-policy-in   0   "SUB-QOS10-IN"
        sub-qos-policy-out  0   "SUB-QOS10-OUT"
        accounting-list     0   "ISG_ACC"
    Access-type: DHCP
    Client: SM
    Policy event: Service Selection Request
      (Service) Profile name: S_L4R, 4 references
        password            0   <hidden>
        username            0   "S_L4R"
        traffic-class       0   "input access-group name ACL_IN_L4R priority 250"
        l4redirect          0   "redirect to ip 194.187.205.249 port 9002"
    Access-type: DHCP
    Client: SM
    Policy event: Service Selection Request
      (Service) Profile name: OPEN_GARDEN, 3 references
        password            0   <hidden>
        username            0   "OPEN_GARDEN"
        traffic-class       0   "input access-group name OPENGARDEN_IN priority 250"
        traffic-class       0   "output access-group name OPENGARDEN_OUT priority 250"
        traffic-class       0   "input default drop"
        traffic-class       0   "output default drop"
  Active services associated with session:
    name "INET"
    name "OPEN_GARDEN", applied before account logon
  Rules, actions and conditions executed:
    subscriber rule-map ISG
      condition always event session-restart
        1 service-policy type service name OPEN_GARDEN
        5 set-timer UNAUTH-TIMER 5
        10 service-policy type service name S_L4R
    subscriber rule-map ISG
      condition always event account-logon
        10 authenticate aaa list RAD_SRV
        20 service-policy type service unapply name S_L4R
        30 service-policy type service name INET
Classifiers:
Class-id    Dir  Packets   Bytes      Pri.  Definition
0           In   12908     13220477   0     Match Any
1           Out  14669     13694406   0     Match Any
6           In   6         367        250   Match ACL OPENGARDEN_IN
7           Out  26        3094       250   Match ACL OPENGARDEN_OUT
20          In   12888     13217434   50    Match ACL INT_IN
21          Out  14677     13707574   50    Match ACL INT_OUT
4294967294  In   0         0          -     Drop
4294967295  Out  1         43         -     Drop

Template Id : 4

Features:

QoS Policy Map:
Class-id  Dir  Policy Name    Source
0         In   SUB-QOS10-IN   Peruser
1         Out  SUB-QOS10-OUT  Peruser

Accounting:
Class-id  Dir  Packets  Bytes     Source
0         In   12158    12126567  Peruser
1         Out  13845    12461036  Peruser

Configuration Sources:
Type  Active Time  AAA Service ID  Name
SVC   00:02:55     -               OPEN_GARDEN
SVC   00:02:52     -               INET
USR   00:02:52     -               Peruser
INT   00:02:55     -               Port-channel1.1634
And it works. With the services described like this:
Code
policy-map SUB-QOS-IN class class-default police cir 50000000 policy-map SUB-QOS10-OUT class class-default police cir 10000000 policy-map SUB-QOS10-IN class class-default police cir 10000000 policy-map SUB-QOS-OUT class class-default police cir 50000000 Благодарю за подсказки и общую идею, пойду копать дальше.
12.08.2014, 21:20 [OP] | #14
ququ, you're always welcome.
P.S. Regarding our conversation: the whole idea was to make policing a sub-service assigned in the context of a tariff plan, rather than to each subscriber individually. If you dig up anything else interesting, or simply want to share your project in the end, that would be great and would surely help someone else in the future.
13.08.2014, 13:46 | #15
Just noticed: in the original post there are also no traces of QoS attached to the user. So the trap was planned.
Jabbson, 13.08.2014, 14:37 [OP] | #16
Off topic: Absolutely right))) I couldn't just go and show all my cards)
15.08.2014, 17:16 [OP] | #17
Back to the matter at hand. Policing can be passed like this:
Code:
mysql> select * from radius.radcheck;
+----+----------+--------------------+----+-------+
| id | username | attribute          | op | value |
+----+----------+--------------------+----+-------+
|  1 | test     | Cleartext-Password | := | test  |
|  2 | INET4    | Cleartext-Password | := | cisco |
+----+----------+--------------------+----+-------+
2 rows in set (0.00 sec)

mysql> select * from radius.radreply;
+----+----------+--------------------+----+---------------------------------------------------------------+
| id | username | attribute          | op | value                                                         |
+----+----------+--------------------+----+---------------------------------------------------------------+
|  1 | test     | Cisco-AVPair       | += | subscriber:accounting-list=ISG_ACC                            |
|  2 | INET4    | Cisco-Service-Info | += | QU;1000000;D;1000000                                          |
|  4 | INET4    | Cisco-AVPair       | += | ip:traffic-class=in default drop                              |
|  5 | INET4    | Cisco-AVPair       | += | ip:traffic-class=out default drop                             |
|  6 | INET4    | Cisco-AVPair       | += | ip:traffic-class=output access-group name INT_OUT priority 50 |
|  7 | INET4    | Cisco-AVPair       | += | ip:traffic-class=input access-group name INT_IN priority 50   |
+----+----------+--------------------+----+---------------------------------------------------------------+
6 rows in set (0.00 sec)

mysql>
Code:
R1#show subscriber service name INET4 detailed
Service "INET4":
  Version 1:
    SVM ID : 1E000009
    Class Id In: 00000018
    Class Id Out: 00000019
    Locked by : SVM-Printer [1]
    Locked by : PM-Service [1]
    Locked by : PM-Info [1]
    Locked by : FM-Bind [1]
    Locked by : Sbscr-Template [1]
    Profile : 7FC8856A45C0
    Profile name: INET4, 3 references
      ssg-service-info 0 "QU;1000000;D;1000000"
      traffic-class 0 "in default drop"
      traffic-class 0 "out default drop"
      traffic-class 0 "output access-group name INT_OUT priority 50"
      traffic-class 0 "input access-group name INT_IN priority 50"
Current Subscriber Information using service "INET4"
Total sessions: 1
Codes: Lterm - Local Term, Fwd - forwarded, unauth - unathenticated, authen - authenticated,
       TC Ct. - Number of Traffic Classes on the main session
Uniq ID  Interface  State   Service  Up-time   TC Ct.  Identifier
60       DHCPv4     authen  Lterm    00:06:40  2       test
Code:
R1#show subscriber session detail | b Policing:
Policing:
Class-id  Dir  Avg. Rate  Normal Burst  Excess Burst  Source
18        In   1000000    187500        375000        INET4
19        Out  1000000    187500        375000        INET4
Configuration Sources:
Type  Active Time  AAA Service ID  Name
SVC   00:07:49     -               OPEN_GARDEN
SVC   00:07:27     -               INET4
USR   00:07:27     -               Peruser
INT   00:07:49     -               GigabitEthernet1
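An added example (not code from the thread or from Cisco) that decodes the policing string stored in radreply as Cisco-Service-Info and echoed by the router as ssg-service-info, and builds such a string for a given plan. The default-burst rule it applies when bursts are omitted (1.5 s of traffic at the rate, excess burst twice the normal burst) is an assumption taken from IOS policer defaults; it reproduces the 187500 / 375000 bytes shown for 1000000 bit/s in the Policing: table above.

```python
"""Decode/encode the ISG policing string carried in Cisco-Service-Info.

Format: "QU;<rate>[;<normal-burst>;<excess-burst>];D;<rate>[;<normal-burst>;<excess-burst>]"
QU = upstream (In on the ISG), D = downstream (Out); rates in bit/s, bursts in bytes.
Assumption (not stated in the thread): omitted bursts default to 1.5 s of traffic at the
rate, excess = 2 x normal, which matches 187500 / 375000 for 1000000 bit/s above.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

DIRECTION = {"QU": "In", "D": "Out"}


@dataclass
class Policer:
    rate_bps: int
    normal_burst: int
    excess_burst: int


def default_bursts(rate_bps: int) -> Tuple[int, int]:
    normal = rate_bps * 3 // 16          # (rate / 8) bytes per second * 1.5 s
    return normal, normal * 2


def parse_service_info(value: str) -> Dict[str, Policer]:
    """Return {"In": Policer, "Out": Policer} for a QU;...;D;... string."""
    tokens = value.split(";")
    result: Dict[str, Policer] = {}
    i = 0
    while i < len(tokens):
        tag = tokens[i]
        if tag not in DIRECTION:
            raise ValueError(f"unexpected token {tag!r} in {value!r}")
        fields = []
        i += 1
        while i < len(tokens) and tokens[i] not in DIRECTION:
            fields.append(tokens[i])
            i += 1
        if len(fields) == 1:                  # rate only: router picks default bursts
            rate = int(fields[0])
            normal, excess = default_bursts(rate)
        elif len(fields) == 3:                # rate;normal-burst;excess-burst
            rate, normal, excess = (int(f) for f in fields)
        else:
            raise ValueError(f"{tag}: expected rate or rate;nb;eb, got {fields}")
        result[DIRECTION[tag]] = Policer(rate, normal, excess)
    return result


def build_service_info(up_bps: int, down_bps: int) -> str:
    """Value to store in radreply as Cisco-Service-Info for a plan's up/down rates."""
    return f"QU;{up_bps};D;{down_bps}"
```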
09.10.2014, 19:07 | #18
Hello again. =)
There's a task: terminate a number of PPPoE subscribers on the same box. The config is the one described above, plus a PPPoE piece:
vpdn enable
!
vpdn-group pppoe
 ! Default L2TP VPDN group
 ! Default PPTP VPDN group
 accept-dialin
  protocol any
  virtual-template 1
bba-group pppoe global
 virtual-template 1
 sessions max limit 3000
 sessions per-vlan limit 1000
 sessions auto cleanup
interface Virtual-Template1
 mtu 1492
 ip unnumbered Loopback1
 no ip proxy-arp
 ip nat inside
 ip flow egress
 ip policy route-map rm_user_dump
 no peer default ip address
 ppp authentication chap pap ms-chap ms-chap-v2 callin RAD_SRV
 ppp authorization RAD_SRV
 ppp ipcp dns 10.10.205.226 10.10.204.254
interface Port-channel1.384
 description v384
 encapsulation dot1Q 384
 ip access-group malware-filter in
 pppoe enable group global

The services are still defined locally:
class-map type traffic match-any TC_L4R
 match access-group input name ACL_IN_L4R
!
class-map type traffic match-any OPEN_GARDEN
 match access-group input name OPENGARDEN_IN
 match access-group output name OPENGARDEN_OUT
policy-map type service S_L4R
 50 class type traffic TC_L4R
  redirect to ip 10.10.205.249 port 80
 !
!
policy-map type service OPEN_GARDEN
 250 class type traffic OPEN_GARDEN
 !
 class type traffic default in-out
  drop
!

AAA:
aaa authentication login default local
aaa authentication login RAD_SRV group RAD_SRV
aaa authentication ppp default group RAD_SRV
aaa authentication ppp RAD_SRV group RAD_SRV
aaa authorization exec default local
aaa authorization network default group RAD_SRV
aaa authorization network RAD_SRV group RAD_SRV
aaa accounting delay-start
aaa accounting jitter maximum 0
aaa accounting commands 0 default none
aaa accounting commands 1 default none
aaa accounting commands 15 default none
aaa accounting network default start-stop group RAD_SRV
aaa accounting network ISG_ACC start-stop group RAD_SRV

The problem is this: over DHCP, services are attached successfully on connection and are switched on and off via CoA. Over PPPoE, services get attached only as long as there is a DHCP session with those same services attached. As soon as the DHCP session (plus all PPPoE sessions with those services) expires, the box starts going to RADIUS for the services.
The lookup while the services are attached. Service defined locally, attached to one of the clients:
*Aug 27 09:01:06.003: SVM [49000025/S_L4R]: already downloaded; sharing
*Aug 27 09:01:06.003: SSS PM [uid:184][7F45E793E950]: service "S_L4R" in cache
*Aug 27 09:01:06.003: SSS AAA AUTHOR [0]: Root SIP PPPoE
*Aug 27 09:01:06.003: SSS AAA AUTHOR [0]: Enable PPPoE parsing
*Aug 27 09:01:06.003: SSS AAA AUTHOR [0]: Enable PPP parsing
*Aug 27 09:01:06.003: SSS AAA AUTHOR [0]: Enable Web-service-logon parsing
*Aug 27 09:01:06.003: SVM [49000025/S_L4R]: [BD0001B4]: client download ok
*Aug 27 09:01:06.003: SVM [49000025/S_L4R]: [SVM-to-client-msg:BD0001B4] locked 0->1
*Aug 27 09:01:06.003: SVM [49000025/S_L4R]: [PM-Download:BD0001B4] locked 0->1
*Aug 27 09:01:06.003: SSS PM [uid:184][7F45E793E950]: waiting for download response
*Aug 27 09:01:06.003: SSS PM [uid:184][7F45E793E950]: RULE[0]: Downloading service "S_L4R"
*Aug 27 09:01:06.003: SSS PM [uid:184][7F45E793E950]: RULE[1]: Start
*Aug 27 09:01:06.003: SSS PM [uid:184][7F45E793E950]: RULE[1]: default-internal-rule/always event service-start/1 service-policy type service identifier service-name
*Aug 27 09:01:06.003: SSS PM [uid:184][7F45E793E950]: Event <send auth>, State: authorizing to authorizing
*Aug 27 09:01:06.003: SSS PM [uid:184][7F45E793E950]: Handling Action Ignore for <send auth>
*Aug 27 09:01:06.003: SSS PM [uid:184][7F45E793E950]: SVM service download success
*Aug 27 09:01:06.003: SSS PM [uid:184][7F45E793E950]: download completed for "S_L4R" version 1

Service defined locally, not attached to anyone:
*Aug 27 08:55:38.559: SSS PM [uid:181][7F45E793DEA0]: service "L4R_NOMONEY" not in cache; needs download
*Aug 27 08:55:38.559: SVM [39000034/L4R_NOMONEY]: allocated version 1
*Aug 27 08:55:38.559: SVM [39000034/L4R_NOMONEY]: [A40001AC]: client queued
*Aug 27 08:55:38.559: SVM [39000034/L4R_NOMONEY]: [PM-Download:A40001AC] locked 0->1
*Aug 27 08:55:38.559: SSS PM [uid:181][7F45E793DEA0]: download required
*Aug 27 08:55:38.559: SVM [39000034/L4R_NOMONEY]: [AAA-Download:7F45E6051018] locked 0->1
*Aug 27 08:55:38.559: SSS AAA AUTHOR [uid:181]: Authorization:Fetching method list from SIP:Web-service-logon
*Aug 27 08:55:38.559: SSS AAA AUTHOR [uid:181]: using named author method list "RAD_SRV"
*Aug 27 08:55:38.559: SSS AAA AUTHOR [uid:181]: Root SIP PPPoE
*Aug 27 08:55:38.559: SSS AAA AUTHOR [uid:181]: Enable PPPoE parsing
*Aug 27 08:55:38.559: SSS AAA AUTHOR [uid:181]: Enable PPP parsing
*Aug 27 08:55:38.559: SSS AAA AUTHOR [uid:181]: Enable Web-service-logon parsing
*Aug 27 08:55:38.559: SSS PM [uid:181][7F45E793DEA0]: ACTIVE HANDLE[0]: Snapshot captured in Active context
*Aug 27 08:55:38.559: SSS PM [uid:181][7F45E793DEA0]: ACTIVE HANDLE[0]: Active context created
*Aug 27 08:55:38.559: SSS AAA AUTHOR [uid:181]: Event <make request>, state changed from idle to authorizing
*Aug 27 08:55:38.559: SSS AAA AUTHOR [uid:181]: Active key set to Apply-Service
*Aug 27 08:55:38.559: SSS AAA AUTHOR [uid:181]: Authorizing key L4R_NOMONEY
*Aug 27 08:55:38.559: SSS AAA AUTHOR [uid:181]: Set authorization profile type to service
*Aug 27 08:55:38.559: SSS AAA AUTHOR [uid:181]: AAA request sent for key L4R_NOMONEY
*Aug 27 08:55:38.559: SSS PM [uid:181][7F45E793DEA0]: RULE[0]: Downloading service "L4R_NOMONEY"
*Aug 27 08:55:38.559: SSS PM [uid:181][7F45E793DEA0]: RULE[1]: Start
*Aug 27 08:55:38.559: RADIUS/ENCODE(00000000):Orig. component type = Invalid
*Aug 27 08:55:38.560: RADIUS/ENCODE: Skip encoding 0 length AAA attribute formatted-clid
*Aug 27 08:55:38.560: RADIUS(00000000): Config NAS IP: 0.0.0.0
*Aug 27 08:55:38.560: RADIUS(00000000): Config NAS IPv6: ::
*Aug 27 08:55:38.560: RADIUS(00000000): Config NAS IP: 0.0.0.0
*Aug 27 08:55:38.560: RADIUS(00000000): sending
*Aug 27 08:55:38.560: RADIUS/ENCODE: Best Local IP-Address 10.10.204.57 for Radius-Server 10.10.128.27
*Aug 27 08:55:38.560: RADIUS: nas-port-id(87) is not found in the request
*Aug 27 08:55:38.560: RADIUS(00000000): Send Access-Request to 10.10.128.27:1812 id 1645/216, len 89
*Aug 27 08:55:38.560: RADIUS:  authenticator 22 BC 3F B9 65 8F FF B1 - F5 0C EC D5 5C F8 9F BF
*Aug 27 08:55:38.560: RADIUS:  User-Password       [2]   18  *
*Aug 27 08:55:38.560: RADIUS:  User-Name           [1]   13  "L4R_NOMONEY"
*Aug 27 08:55:38.560: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*Aug 27 08:55:38.560: RADIUS:  NAS-IP-Address      [4]   6   10.10.204.57
*Aug 27 08:55:38.560: RADIUS:  Nas-Identifier      [32]  20  "ASR1002-X.testnet.ru"
*Aug 27 08:55:38.560: RADIUS:  Event-Timestamp     [55]  6   1409129738
*Aug 27 08:55:38.560: RADIUS(00000000): Sending a IPv4 Radius Packet
*Aug 27 08:55:38.560: RADIUS(00000000): Started 3 sec timeout
*Aug 27 08:55:39.601: RADIUS: Received from id 1645/216 10.10.128.27:1812, Access-Reject, len 20
*Aug 27 08:55:39.601: RADIUS:  authenticator D5 A5 84 08 C7 9C 83 05 - 8E 0D 1F FD B5 01 95 35
*Aug 27 08:55:39.601: RADIUS/DECODE(00000000): There is no General DB. Reply server details may not be recorded
*Aug 27 08:55:39.601: RADIUS(00000000): Received from id 1645/216
*Aug 27 08:55:39.601: SSS AAA AUTHOR [uid:181]: Received an AAA failure
*Aug 27 08:55:39.601: SSS AAA AUTHOR [uid:181]: Event <service not found>, state changed from authorizing to complete
*Aug 27 08:55:39.601: SSS AAA AUTHOR [uid:181]: No service authorization info found

aaa authorization network default local didn't help. Where else should I dig?
Of course, in the name of the revolution one could hand out the services via RADIUS, but I'd like to understand why it doesn't work locally.
13.10.2014, 15:07 | #19
Asked myself, answered myself: aaa authorization subscriber-service default local
16.10.2015, 14:41 | #20
Hello again. =)
I'm slowly bringing up a second box, cleaning up along the way the flaws that piled up on the first. The flaw that surfaced in the two previous messages was still not fixed, same symptoms. <wiped a pile of debug - while writing this I finally figured it out> The key is two things:
Code:
aaa authorization subscriber-service default local
Code:
interface Virtual-Template1
 ...
 ppp authentication chap pap ms-chap ms-chap-v2 callin RAD_SRV
 ppp authorization RAD_SRV        <- this line should not be here!
 ppp ipcp dns 10.10.205.226 10.10.204.254
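An added check, not the poster's code, that lints a config text for the two settings the thread settled on in posts #19 and #20: the presence of aaa authorization subscriber-service default local and the absence of any ppp authorization line under the PPPoE Virtual-Template. The sample configs are constructed from the lines quoted in the thread.

```python
"""Lint an IOS/IOS-XE config for the two ISG-over-PPPoE settings from this thread:
locally defined services are only authorized with
'aaa authorization subscriber-service default local', and the PPPoE
Virtual-Template must not carry 'ppp authorization <list>'.
Added example, not the poster's code; sample configs constructed from the thread."""
import re
from typing import Dict, List

SUBSCRIBER_SERVICE_LOCAL = "aaa authorization subscriber-service default local"


def interface_stanzas(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' block to its indented child lines."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None            # '!' or another top-level command ends the block
    return stanzas


def lint_isg_pppoe(config: str) -> List[str]:
    """Return human-readable findings; an empty list means both checks pass."""
    findings: List[str] = []
    top_level = {line.strip() for line in config.splitlines() if not line.startswith(" ")}
    if SUBSCRIBER_SERVICE_LOCAL not in top_level:
        findings.append(f"missing: {SUBSCRIBER_SERVICE_LOCAL}")
    for name, body in interface_stanzas(config).items():
        if name.startswith("Virtual-Template"):
            for line in body:
                if re.match(r"ppp authorization\b", line):
                    findings.append(f"{name}: remove '{line}'")
    return findings


# Constructed sample: the Virtual-Template1 as posted, before the fix.
BROKEN = """\
aaa authorization network default group RAD_SRV
!
interface Virtual-Template1
 ip unnumbered Loopback1
 ppp authentication chap pap ms-chap ms-chap-v2 callin RAD_SRV
 ppp authorization RAD_SRV
 ppp ipcp dns 10.10.205.226 10.10.204.254
!
"""
# The same config with both fixes applied.
FIXED = BROKEN.replace(" ppp authorization RAD_SRV\n", "") + SUBSCRIBER_SERVICE_LOCAL + "\n"
```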