forum.bitel.ru http://forum.bitel.ru/
L3 authorization test bench with a relay on the building switch http://forum.bitel.ru/viewtopic.php?f=44&t=10322
Author: iseed [ 24 Mar 2015, 09:49 ]
Subject: L3 authorization test bench with a relay on the building switch
Good day. I am trying to put together an L3 authorization scheme on a test bench. I followed http://wiki.bitel.ru/index.php/ISG,_%D1 ... 7%D0%B0%29

Клиент: вер. 6.1.835 / 10.03.2015 20:19:59 os: Linux; java: OpenJDK 64-Bit Server VM, v.1.7.0_65
ВНИМАНИЕ: Виртуальная машина OpenJDK 64-Bit Server VM не рекомендуется
ВНИМАНИЕ: версия на сервере: 6.1.838 / 20.03.2015 15:47:59
Сервер: вер. 6.1.1054 / 20.03.2015 15:48:03 os: Linux; java: Java HotSpot(TM) 64-Bit Server VM, v.1.8.0_40
ВНИМАНИЕ: Спецификация версии 1.8 не рекомендуется

Subscriber ->{DHCP} -> DES-3200-28{DHCP_RELAY}(1) -> Cisco 7200 {BRAS}(2) -> BGBilling(3)

1) On the relay I configured:
----
# ADDRBIND
config address_binding ip_mac ports 1-24 state enable strict allow_zeroip enable forward_dhcppkt enable
config address_binding ip_mac ports 1-28 mode arp stop_learning_threshold 500
# DHCP_RELAY
enable dhcp_relay
config dhcp_relay hops 16 time 0
config dhcp_relay option_82 state enable
config dhcp_relay option_82 check disable
config dhcp_relay option_82 policy replace
config dhcp_relay option_82 circuit_id default
config dhcp_relay option_82 remote_id default
config dhcp_relay add ipif System 10.1.19.237
config dhcp_relay ports 1-24 state enable
config dhcp_relay ports 25-28 state disable
----
Got:
----
DES-3200-28:5#show dhcp_relay
Command: show dhcp_relay

DHCP/BOOTP Relay Status                         : Enabled
DHCP/BOOTP Hops Count Limit                     : 16
DHCP/BOOTP Relay Time Threshold                 : 0
DHCP Relay Agent Information Option 82 State    : Enabled
DHCP Relay Agent Information Option 82 Check    : Disabled
DHCP Relay Agent Information Option 82 Policy   : Replace
DHCP Relay Agent Information Option 82 Circuit ID : Default
DHCP Relay Agent Information Option 82 Remote ID  : Default

Interface     Server 1        Server 2        Server 3        Server 4
------------  --------------- --------------- --------------- --------------
System        10.1.19.237

Server        VLAN ID List
------------- ------------------------------------
----

2) On the 7200 I configured:
----
aaa new-model
!
aaa group server radius ipoe-radius
 server-private 10.1.19.237 auth-port 1812 acct-port 1813 non-standard key 123123
 ip radius source-interface Loopback0
!
aaa group server radius ipoe-services-radius
 server-private 10.1.19.237 auth-port 1811 acct-port 1813 non-standard key 123123
 ip radius source-interface Loopback0
!
aaa authentication login ipoe-isg-aaa group ipoe-radius
aaa authorization network ipoe-isg-aaa group ipoe-radius
aaa authorization subscriber-service default local group ipoe-services-radius
aaa accounting update periodic 2
aaa accounting network ipoe-isg-aaa
 action-type start-stop
 group ipoe-radius
!
aaa nas port extended
!
aaa server radius dynamic-author
 client 10.1.19.237 server-key 123123
 ignore session-key
 ignore server-key
!
aaa session-id common
ip source-route
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
ip domain name test.cisco.mycentra.ru
no ipv6 cef
!
!
redirect server-group NO-MONEY
 server ip 10.1.19.6 port 82
!
multilink bundle-name authenticated
password encryption aes
!
ip tcp synwait-time 5
ip ssh version 2
class-map type traffic match-any LOCAL-TRAFFIC
 match access-group output 2110
!
class-map type traffic match-any OPENGARDEN-TRAFFIC
 match access-group input 155
 match access-group output 156
!
class-map type traffic match-any ALL-TRAFFIC
 match access-group input 101
 match access-group output 102
!
class-map type traffic match-any TRAFFIC-FOR-REDIRECT
 match access-group input name traffic-for-redirect
!
class-map type control match-all ISG-IP-UNAUTH
 match timer UNAUTH-TIMER
 match authen-status unauthenticated
!
policy-map type service L4REDIRECT
 20 class type traffic TRAFFIC-FOR-REDIRECT
  redirect to group NO-MONEY
!
!
policy-map type service OPENGARDEN
 40 class type traffic OPENGARDEN-TRAFFIC
  accounting aaa list ipoe-isg-aaa
  police input 1024000
  police output 1024000
 !
 class type traffic default in-out
  drop
!
!
policy-map type service ISG-LOCAL
 100 class type traffic LOCAL-TRAFFIC
  accounting aaa list ipoe-isg-aaa
  police input 102400000
  police output 102400000
!
!
policy-map type control IPoE-ISG
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event session-start
  10 authorize aaa list ipoe-isg-aaa password cisco identifier source-ip-address
  20 set-timer UNAUTH-TIMER 1
  30 service-policy type service name L4REDIRECT
  40 service-policy type service name OPENGARDEN
 !
 class type control always event service-stop
  1 service-policy type service unapply identifier service-name
  10 log-session-state
 !
 class type control always event session-restart
  10 authorize aaa list ipoe-isg-aaa password cisco identifier source-ip-address
  20 set-timer UNAUTH-TIMER 1
  30 service-policy type service name L4REDIRECT
  40 service-policy type service name OPENGARDEN
!
!
interface FastEthernet0/0
 ip address ZZZ.XXX.104.237 255.255.255.192
 duplex full
!
interface FastEthernet1/0
 ip address ZZZ.XXX.104.129 255.255.255.192
 duplex full
 service-policy type control IPoE-ISG
 ip subscriber routed
  initiator unclassified ip-address
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 ZZZ.XXX.104.254
!
access-list 155 permit tcp any any eq www
access-list 156 permit tcp any any eq www
!
----
Got:
-----
cisco#sho radius server-group all
Server group radius
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1
Server group ipoe-radius
    Sharecount = 1  sg_unconfigured = FALSE
    Type = non-standard  Memlocks = 1
    Server(10.1.19.237:1812,1813) Transactions:
    Authen: 0  Author: 732  Acct: 4801
    Server_auto_test_enabled: FALSE
Server group ipoe-services-radius
    Sharecount = 1  sg_unconfigured = FALSE
    Type = non-standard  Memlocks = 1
    Server(10.1.19.237:1811,1813) Transactions:
    Authen: 0  Author: 0  Acct: 0
    Server_auto_test_enabled: FALSE
-----

3) In the billing system the device tree looks like this:

Device 0
-ProcessGroup 1
--CiscoISG[ZZZ.XXX.104.237] 2
---Switch[10.75.10.181] 1228

Device types:
1 CiscoISG
2 Switch
3 ProcessGroup

CiscoISG has this configuration:
-----
snmp.version=2
snmp.uptimeOid=1.3.6.1.2.1.1.3.0
flow.agent.type=netflow
flow.agent.link={@deviceId}:-1
dhcp.deviceSearchMode=1
dhcp.option82.removeHeader=2
dhcp.option82.agentRemoteId.position=0
dhcp.servSearchMode=1
dhcp.disable.mode=1
radius.password.verification=0
radius.address.fromRequest=1
radius.realm.default.attributes=Acct-Interim-Interval=60;Idle-Timeout=1300;cisco-avpair=subscriber:accounting-list=ipoe-isg-aaa
radius.inetOption.2.attributes=cisco-SSG-Account-Info=AISG-5MBPS
radius.inetOption.3.attributes=cisco-SSG-Account-Info=AISG-10MBPS
radius.inetOption.4.attributes=cisco-SSG-Account-Info=AISG-LOCAL
radius.realm.default.ipCategories=4
radius.disable.attributes=Acct-Interim-Interval=60;cisco-avpair=subscriber:accounting-list=ipoe-isg-aaa;cisco-SSG-Account-Info=AL4REDIRECT;cisco-SSG-Account-Info=AOPENGARDEN
radius.disable.ipCategories=2
radius.servSearchMode=0
# subscriber:command= in separate packets for each service
sa.radius.connection.coa.mode=2
sa.radius.connection.close.mode=3
sa.radius.connection.withoutBreak=0
sa.radius.connection.attributes=Acct-Session-Id,User-Name,Framed-IP-Address
radius.connection.attributes=Acct-Session-Id,User-Name,Framed-IP-Address
sa.radius.connection.close.removeFromKeyMap=0
sa.radius.log=1
manage.error.pause=5
manage.uptime.pause=360
manage.uptime.error.pause=360
-----

Switch has this configuration:
-----
dhcp.option82.agentRemoteId.code=2
dhcp.option82.agentRemoteId.position=2
dhcp.option82.agentRemoteId.length=6
dhcp.option82.vlanId.code=1
dhcp.option82.vlanId.position=0
dhcp.option82.vlanId.length=2
dhcp.option82.interfaceId.code=1
dhcp.option82.interfaceId.position=2
dhcp.option82.interfaceId.length=2
dhcp.option.leaseTime=3600
# DHCP parameters not bound to a network
dhcp.option.serverIdentifier=0.0.0.0
-----

ProcessGroup has this configuration:
-----
access.group=1
radius.key.device.TypeIds=1
accounting.worker.1.thread.count=1
accounting.worker.1.tariffication.1.minDeltaAmount=0
accounting.worker.1.tarification.1.delay=1
accounting.worker.1.tarification.1.batchSize=100
accounting.worker.1.tracking.1.delay=2
accounting.worker.1.tracking.1.batchSize=100
accounting.worker.2.thread.count=1
accounting.worker.2.tariffication.1.minDeltaAmount=0
accounting.worker.2.tarification.1.delay=2
accounting.worker.2.tarification.1.batchSize=500
accounting.worker.3.thread.count=1
accounting.worker.3.tarification.1.delay=2
accounting.worker.3.tarification.1.batchSize=500
connection.start.fromAccept=1
connection.suspend.timeout=900
connection.close.timeout=1300
connection.disable.suspend.timeout=900
connection.disable.close.timeout=1300
connection.finish.timeout=5
session.split.onTariffOption=1
session.split.onDeviceState=1
-----

Here is the inet-access.xml config:
-----
<?xml version="1.0" encoding="UTF-8"?>
<application context="access">
    <param name="app.name" value="BGInetAccess"/>
    <param name="app.id" value="1"/>
    <param name="moduleId" value="9"/>
    <param name="db.driver" value="com.mysql.jdbc.Driver"/>
    <param name="db.url"
        value="jdbc:mysql://127.0.0.1/bgbilling?useUnicode=true&amp;characterEncoding=Cp1251&amp;allowUrlInLocalInfile=true&amp;zeroDateTimeBehavior=convertToNull&amp;jdbcCompliantTruncation=false&amp;queryTimeoutKillsConnection=true"/>
    <param name="db.user" value="bill"/>
    <param name="db.pswd" value="XXXXXXXXX"/>
    <param name="mq.url" value="failover:(tcp://localhost:61616)"/>
    <param name="mq.user" value="bill"/>
    <param name="mq.pswd" value="XXXXXXXXXX"/>
    <!-- root device id -->
    <param name="rootDeviceId" value="1"/>
    <!-- types of fake devices that act as accounting servers -->
    <param name="accounting.deviceTypeIds" value="1"/>
    <param name="commonIdentifierName" value="rootDeviceId" />
    <bean name="access" class="ru.bitel.bgbilling.modules.inet.access.Access" />
    <param name="datalog.radius.dir" value="/netflow_logs/BGInetAccess/data/radius"/>
    <param name="datalog.dhcp.dir" value="/netflow_logs/BGInetAccess/data/dhcp" />
    <context name="radius">
        <!-- create the radius packet processor -->
        <bean name="radiusProcessor" class="ru.bitel.bgbilling.modules.inet.radius.InetRadiusHelperProcessor"/>
        <!-- service ScheduledExecutorService required by the dataLogger -->
        <scheduledExecutorService name="hrlydtlggr" corePoolSize="1" />
        <!-- create the dataLogger that saves radius packets to disk (single instance only) -->
        <bean name="radiusDataLogger" class="ru.bitel.bgbilling.modules.inet.radius.RadiusHourlyDataLogger">
            <param name="scheduledExecutor">hrlydtlggr</param>
        </bean>
        <!-- create the radius packet listener on the port, passing it the processor and dataLogger -->
        <bean name="radiusListener" class="ru.bitel.bgbilling.modules.inet.radius.InetRadiusListener">
            <constructor>
                <!-- host (interface) on which the socket will be opened; empty means all -->
                <param name="host" value=""/>
                <!-- port on which the socket will be opened -->
                <param name="port" value="1812"/>
                <!-- listener receive buffer size -->
                <param name="recvBufferSize">512 * 1024</param>
                <!-- recommended socket SO_RCVBUF -->
                <param name="soRCVBUF"></param>
                <!-- number of worker threads -->
                <param name="threadCount">10</param>
                <!-- maximum number of packets in the processing queue -->
                <param name="maxQueueSize">200</param>
                <!-- pass the processor -->
                <param name="processor">radiusProcessor</param>
                <!-- operating mode, RadiusListener.Mode.authentication -->
                <param name="mode">RadiusListener.Mode.authentication</param>
                <!-- pass the dataLogger -->
                <param name="dataLogger">radiusDataLogger</param>
            </constructor>
        </bean>
    </context>
    <context name="dhcp">
        <!-- create the dhcp packet processor -->
        <bean name="dhcpProcessor" class="ru.bitel.bgbilling.modules.inet.dhcp.InetDhcpProcessor"/>
        <scheduledExecutorService name="hrlydtlggr" corePoolSize="1" />
        <!-- create the dataLogger that saves dhcp packets to disk -->
        <bean name="dhcpDataLogger" class="ru.bitel.bgbilling.modules.inet.dhcp.DhcpHourlyDataLogger">
            <param name="scheduledExecutor">hrlydtlggr</param>
        </bean>
        <!-- create the dhcp packet listener on the port, passing it the processor and dataLogger -->
        <bean name="dhcpListener" class="ru.bitel.bgbilling.kernel.network.dhcp.DhcpListener">
            <constructor>
                <!-- host (interface) on which the socket will be opened; empty means all -->
                <param name="host" value=""/>
                <!-- port on which the socket will be opened -->
                <param name="port" value="67"/>
                <!-- listener receive buffer size -->
                <param name="recvBufferSize">512 * 1024</param>
                <!-- number of worker threads -->
                <param name="threadCount">10</param>
                <!-- maximum number of packets in the processing queue -->
                <param name="maxQueueSize">200</param>
                <!-- pass the processor -->
                <param name="processor">dhcpProcessor</param>
                <!-- pass the dataLogger -->
                <param name="dataLogger">dhcpDataLogger</param>
            </constructor>
        </bean>
    </context>
</application>
-----

inet-accounting.xml
-----
<?xml version="1.0" encoding="UTF-8"?>
<application context="accounting">
    <!-- unique application name -->
    <param name="app.name" value="BGInetAccounting"/>
    <!-- unique numeric application id -->
    <param name="app.id" value="2"/>
    <!-- database connection parameters -->
    <param name="db.driver" value="com.mysql.jdbc.Driver"/>
    <param name="db.url" value="jdbc:mysql://127.0.0.1/bgbilling?useUnicode=true&amp;characterEncoding=Cp1251&amp;allowUrlInLocalInfile=true&amp;zeroDateTimeBehavior=convertToNull&amp;jdbcCompliantTruncation=false&amp;queryTimeoutKillsConnection=true&amp;connectTimeout=1000"/>
    <param name="db.user" value="bill"/>
    <param name="db.pswd" value="XXXXXXXXXX"/>
    <param name="db.validationTimeout" value="10"/>
    <!-- MQ connection parameters -->
    <param name="mq.url" value="failover:(tcp://localhost:61616)"/>
    <param name="mq.user" value="bill"/>
    <param name="mq.pswd" value="XXXXXXXXX"/>
    <!-- module id -->
    <param name="moduleId" value="9"/>
    <!-- root device id -->
    <param name="rootDeviceId" value="1"/>
    <!-- take log processing jobs -->
    <param name="processLogs" value="true" />
    <!-- internal application variable, do not change -->
    <param name="commonIdentifierName" value="rootDeviceId"/>
    <!-- parameters for saving radius packets to log files -->
    <!-- directory to save radius logs into -->
    <param name="datalog.radius.dir"
        value="/netflow_logs/BGInetAccounting/data/radius" />
    <!-- data block size in the log file, also the buffer size per listener thread -->
    <param name="datalog.radius.chunk.size" value="524288" />
    <!-- compress radius logs: 0 - do not compress, 1 - zlib -->
    <param name="datalog.radius.compression.type" value="1" />
    <!-- parameters for saving flow packets to log files -->
    <!-- directory to save flow logs into -->
    <param name="datalog.flow.dir" value="/netflow_logs/BGInetAccounting/data/flow" />
    <!-- data block size in the log file, also the buffer size per listener thread -->
    <param name="datalog.flow.chunk.size" value="524288" />
    <!-- compress flow logs: 0 - do not compress, 1 - zlib -->
    <param name="datalog.flow.compression.type" value="1" />
    <!-- create Accounting -->
    <bean name="accounting" class="ru.bitel.bgbilling.modules.inet.accounting.Accounting"/>
    <context name="radius">
        <!-- create the radius packet processor -->
        <bean name="radiusProcessor" class="ru.bitel.bgbilling.modules.inet.radius.InetRadiusHelperProcessor"/>
        <!-- service ScheduledExecutorService required by the dataLogger -->
        <scheduledExecutorService name="hrlydtlggr" corePoolSize="1"/>
        <!-- create the dataLogger that saves radius packets to disk (single instance only) -->
        <bean name="radiusDataLogger" class="ru.bitel.bgbilling.modules.inet.radius.RadiusHourlyDataLogger">
            <param name="scheduledExecutor">hrlydtlggr</param>
        </bean>
        <!-- create the radius packet listener on the port, passing it the processor and dataLogger -->
        <bean name="radiusListener" class="ru.bitel.bgbilling.modules.inet.radius.InetRadiusListener">
            <constructor>
                <!-- host (interface) on which the socket will be opened; empty means all -->
                <param name="host" value=""/>
                <!-- port on which the socket will be opened -->
                <param name="port" value="1813"/>
                <!-- listener receive buffer size -->
                <param name="recvBufferSize">1 * 1024 * 1024</param>
                <!-- recommended socket SO_RCVBUF -->
                <param name="soRCVBUF"></param>
                <!-- number of worker threads -->
                <param name="threadCount">10</param>
                <!-- maximum number of packets in the processing queue -->
                <param name="maxQueueSize">200</param>
                <!-- pass the processor -->
                <param name="processor">radiusProcessor</param>
                <!-- operating mode, RadiusListener.Mode.accounting -->
                <param name="mode">RadiusListener.Mode.accounting</param>
                <!-- pass setup -->
                <param name="setup">setup</param>
                <!-- pass the dataLogger -->
                <param name="dataLogger">radiusDataLogger</param>
            </constructor>
        </bean>
    </context>
    <!-- create the flow packet processor
    <context name="collector">
        <scheduledExecutorService name="hrlydtlggr" corePoolSize="1"/>
        <bean name="flowDataLogger" class="ru.bitel.bgbilling.modules.inet.collector.IPHourlyDataLogger">
            <param name="scheduledExecutor">hrlydtlggr</param>
        </bean>
        <bean name="flowListener" class="ru.bitel.bgbilling.modules.inet.collector.InetFlowListener">
            <constructor factoryMethod="newInstance">
                <param name="type" value="netflow"/>
                <param name="host" value=""/>
                <param name="port" value="2001"/>
                <param name="recvBufferSize">8 * 1024 * 1024</param>
                <param name="soRCVBUF">512 * 1024</param>
                <param name="threadCount" value="10"/>
                <param name="agentDeviceIds" value=""/>
                <param name="processAgentDeviceIds" value=""/>
                <param name="ipResourceFilter" value=""/>
                <param name="dataLogger">flowDataLogger</param>
            </constructor>
        </bean>
        <bean name="flowListener" class="ru.bitel.bgbilling.modules.inet.collector.InetFlowListener">
            <constructor factoryMethod="newInstance">
                <param name="type" value="netflow9"/>
                <param name="host" value=""/>
                <param name="port" value="9367"/>
                <param name="recvBufferSize">4 * 1024 * 1024</param>
                <param name="soRCVBUF">512 * 1024</param>
                <param name="threadCount" value="8"/>
                <param name="agentDeviceIds" value="4"/>
                <param name="dataLogger">flowDataLogger</param>
            </constructor>
        </bean>
        <bean name="flowListener" class="ru.bitel.bgbilling.modules.inet.collector.InetFlowListener">
            <constructor factoryMethod="newInstance">
                <param name="type" value="netflow"/>
                <param name="host" value=""/>
                <param name="port" value="9368"/>
                <param name="recvBufferSize">8 * 1024 * 1024</param>
                <param name="soRCVBUF">512 * 1024</param>
                <param name="threadCount" value="8"/>
                <param name="agentDeviceIds" value="20"/>
                <param name="dataLogger">flowDataLogger</param>
            </constructor>
        </bean>
        <bean name="snmpWorker" class="ru.bitel.bgbilling.modules.inet.accounting.InetSnmpWorker">
            <constructor>
                <param name="agentDeviceIds" value="" />
                <param name="period" value="30" />
            </constructor>
        </bean>
        <context name="detail">
            <bean name="detailWorker" class="ru.bitel.bgbilling.modules.inet.accounting.detail.InetDetailWorker"/>
        </context>
    </context>
    -->
</application>
-----

Now the actual situation. With this configuration the subscriber gets an IP address from InetDhcpProcessor:
-----
03-24/10:27:33 DEBUG [dhcpLstnr-p-11-t-4] InetAbstractDhcpProcessor - OP_BOOT_REQUEST
03-24/10:27:33 DEBUG [dhcpLstnr-p-11-t-4] InetAbstractDhcpProcessor - Found device by giaddr id=1228
03-24/10:27:33 DEBUG [dhcpLstnr-p-11-t-4] InetDhcpProcessor - DHCP_REQUEST
03-24/10:27:33 DEBUG [dhcpLstnr-p-11-t-4] InetDhcpProcessor - request.giaddr= 10.75.10.181, clientAddress=/10.75.10.181:68
03-24/10:27:33 INFO [dhcpLstnr-p-11-t-4] InetDhcpDevice - Search serv on deviceId: 1228; 1; interfaceId: 1
03-24/10:27:33 INFO [dhcpLstnr-p-11-t-4] InetDhcpProcessor - InetServ found: ContractId: 40280; status: 0; servId: 11980 LOGIN:00061c7ee5687b20:0001 1c7ee5687b20:1 Options [] TariffModuleTreeSet [929:01.03.2015-…; ] Device state: 1; optionSet:56
03-24/10:27:33 DEBUG [dhcpLstnr-p-11-t-4] InetAccountingPeriodList - Create: AccountingPeriod: 151236: 02.03.2015 00:00:00.0 - 31.03.2015 23:59:59.999
03-24/10:27:33 INFO [dhcpLstnr-p-11-t-4] InetApplication - TariffOptionMap: {}
03-24/10:27:33 INFO [dhcpLstnr-p-11-t-4] InetApplication - inetServ[id=11980] balance ok: 10.99 [0]
03-24/10:27:33 INFO [dhcpLstnr-p-11-t-4] InetApplication - OptionSet: [56]
03-24/10:27:33 INFO [dhcpLstnr-p-11-t-4] InetDhcpProcessor - Updating of existing connection: InetConnection [id=20223644-0, iface=1228:1, sessId=7fd9174, start=23.03.2015 16:02:00, uname=null, addr=ZZZ.232.104.130]
03-24/10:27:33 INFO [dhcpLstnr-p-11-t-4] InetAbstractDhcpProcessor - RESPONSE:
Message type: BOOT_RESPONSE
Dhcp message type: DHCP ACK{5}
htype: 1, hlen: 6, hops: 1
xid: 1984397165, secs: 0, flags: 0
Client IP: ZZZ.XXX.104.130
Your IP: ZZZ.XXX.104.130
Server IP: 0.0.0.0
Relay IP: 10.75.10.181
Client MAC: {88AE1D39DAC2}
Agent information{82}=
  sub{1}={000400020001}
  sub{2}={00061C7EE5687B20}
Router{3}=ZZZ.XXX.104.129
Subnet mask{1}=255.255.255.192
DNS{6}={5EE8683A}
IP Address Lease Time{51}=3600
Server Identifier{54}={00000000}
-----

With this IP I get a session in the billing system:
-----
http://joxi.ru/L21v9g6fnq7JAX
-----

The BRAS opens a session based on the IP:
-----
cisco#sho ip subscriber
Displaying subscribers in the default service vrf:
Type       Subscriber Identifier   Display UID   Status
---------  ----------------------  ------------  ------
routed     ZZZ.XXX.104.130/32      [112]         up

cisco#sho sss session
Current Subscriber Information: Total sessions 1
Uniq ID  Interface  State     Service     Identifier       Up-time
184      IP         unauthen  Local Term  ZZZ.XXX.104.130  00:00:39
-----

and sends a request to the billing system:
----
03-24/10:30:32 INFO [rdsLstnr-p-9-t-8] InetRadiusProcessor - REQUEST_AFTER_PREPROCESS:
Packet type: Access-Request
Identifier: 217
Authenticator: {EE 9B 33 A4 37 9D 90 CE 45 E0 90 10 40 F8 B0 6E}
Attributes:
  User-Name=ZZZ.XXX.104.130
  NAS-Port-Id=1/0/0/0
  User-Password=cisco
  NAS-IP-Address=ZZZ.XXX.104.237
  NAS-Port=0
  Service-Type=5
  NAS-Port-Type=5
03-24/10:30:32 DEBUG [rdsLstnr-p-9-t-8] RadiusProcessor - Create new radius session.
03-24/10:30:32 INFO [rdsLstnr-p-9-t-8] InetNas - Search by username=ZZZ.XXX.104.130
03-24/10:30:32 INFO [rdsLstnr-p-9-t-8] InetRadiusProcessor - [username=ZZZ.XXX.104.130] InetServ not found.
03-24/10:30:32 INFO [rdsLstnr-p-9-t-8] InetRadiusProcessor - Return code=1
03-24/10:30:32 INFO [rdsLstnr-p-9-t-8] InetRadiusProcessor - RESPONSE_BEFORE_POSTPROCESS:
Packet type: Access-Reject
Identifier: 217
Authenticator: {}
Attributes:
  Reply-Message=1
----

I get the error InetServ not found. Could anyone who has implemented the L3 scheme suggest where else to dig to understand why my service is not found?
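Added illustration, not code from this thread or from BGBilling: the DHCP ACK logged in the post above carries Option 82 inserted by the DES-3200 in its default format (sub-option 1 {000400020001}, sub-option 2 {00061C7EE5687B20}). The parser below splits the raw option-82 TLVs, checks each sub-option against the D-Link default layout (circuit-id 00 04 vlan module port, remote-id 00 06 switch-MAC) and returns the VLAN, port and relay MAC that the billing device tree keys on, rejecting anything malformed so that a bad circuit-id is never silently mapped to a port. The layout is an assumption derived from the logged values; the sample bytes are constructed from them.

```python
from dataclasses import dataclass

# Constructed from the DHCP ACK in the thread: option 82 payload =
#   sub-option 1 (circuit-id) {00 04 00 02 00 01}
#   sub-option 2 (remote-id)  {00 06 1C 7E E5 68 7B 20}
SAMPLE_OPTION82 = bytes.fromhex("0106000400020001" "0208" "00061c7ee5687b20")


@dataclass(frozen=True)
class RelayAgentInfo:
    vlan: int
    module: int
    port: int
    remote_mac: str  # lower-case hex, no separators, as it appears in the billing log


def split_suboptions(data: bytes) -> dict[int, bytes]:
    """Split a raw option-82 payload into {code: value}; reject truncated or duplicate TLVs."""
    subs: dict[int, bytes] = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[i], data[i + 1]
        value = data[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} length {length} runs past the payload")
        if code in subs:
            raise ValueError(f"duplicate sub-option {code}")
        subs[code] = value
        i += 2 + length
    return subs


def parse_dlink_default(data: bytes) -> RelayAgentInfo:
    """Decode the D-Link default option-82 layout (assumed from the logged values):
         circuit-id = 00 04 <vlan:2> <module:1> <port:1>
         remote-id  = 00 06 <switch MAC:6>
    Any other shape is rejected rather than guessed at."""
    subs = split_suboptions(data)
    cid, rid = subs.get(1), subs.get(2)
    if cid is None or rid is None:
        raise ValueError("both circuit-id (1) and remote-id (2) are required")
    if len(cid) != 6 or cid[:2] != b"\x00\x04":
        raise ValueError(f"unexpected circuit-id {cid.hex()}")
    if len(rid) != 8 or rid[:2] != b"\x00\x06":
        raise ValueError(f"unexpected remote-id {rid.hex()}")
    vlan = int.from_bytes(cid[2:4], "big")
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} out of range")
    return RelayAgentInfo(vlan=vlan, module=cid[4], port=cid[5], remote_mac=rid[2:].hex())


def is_valid_option82(data: bytes) -> bool:
    """True when the payload decodes cleanly; used to decide whether to key a lookup on it."""
    try:
        parse_dlink_default(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Expected: VLAN 2, module 0, port 1, remote MAC 1c7ee5687b20,
    # which matches "interfaceId: 1" and "LOGIN:...1c7ee5687b20:1" in the log above.
    print(parse_dlink_default(SAMPLE_OPTION82))
```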
Author: Amir [ 24 Mar 2015, 14:14 ]
Subject: Re: L3 authorization test bench with a relay on the building switch
You have a typo: radius.key.device.TypeIds, with a capital T and a dot. It should be radius.key.deviceTypeIds=
Author: iseed [ 26 Mar 2015, 13:02 ]
Subject: Re: L3 authorization test bench with a relay on the building switch
Yes, a small mistake crept in. Now:
-----
03-24/17:15:50 INFO [rdsLstnr-p-9-t-1] InetRadiusProcessor - REQUEST_AFTER_PREPROCESS:
Packet type: Access-Request
Identifier: 1
Authenticator: {A2 EA 32 BB 48 4F 77 50 E8 F3 5A BD A7 2A AC 83}
Attributes:
  User-Name=XXXX.YYY.104.131
  User-Password=cisco
  NAS-IP-Address=XXX.YYY.104.237
  NAS-Port=0
  Service-Type=5
  NAS-Port-Id=1/0/0/0
  NAS-Port-Type=5
03-24/17:15:50 DEBUG [rdsLstnr-p-9-t-1] RadiusProcessor - Create new radius session.
03-24/17:15:50 DEBUG [rdsLstnr-p-9-t-1] InetRadiusHelperProcessor - Search serv by key XXX.YYY.104.131
03-24/17:15:50 DEBUG [rdsLstnr-p-9-t-1] InetRadiusProcessor - Password verification disabled.
03-24/17:15:50 INFO [rdsLstnr-p-9-t-1] InetRadiusProcessor - [username=XXX.YYY.104.131] Authenticated as inetServId:12015
03-24/17:15:50 DEBUG [rdsLstnr-p-9-t-1] InetNas - agentRemoteId=null
03-24/17:15:50 DEBUG [rdsLstnr-p-9-t-1] InetRadiusProcessor - Identifier from request: null
03-24/17:15:50 DEBUG [rdsLstnr-p-9-t-1] InetRadiusProcessor - MAC-address from request: 88AE1D39DAC2
03-24/17:15:50 DEBUG [rdsLstnr-p-9-t-1] InetAccountingPeriodList - Create: AccountingPeriod: 151236: 02.03.2015 00:00:00.0 - 31.03.2015 23:59:59.999
03-24/17:15:50 INFO [rdsLstnr-p-9-t-1] InetApplication - TariffOptionMap: {}
03-24/17:15:50 INFO [rdsLstnr-p-9-t-1] InetApplication - inetServ[id=12015] balance ok: 10.99 [0]
03-24/17:15:50 INFO [rdsLstnr-p-9-t-1] InetApplication - OptionSet: [56]
03-24/17:15:50 INFO [rdsLstnr-p-9-t-1] InetRadiusProcessor - Write new waiting connection to DB
03-24/17:15:50 INFO [rdsLstnr-p-9-t-1] InetRadiusProcessor - New connection id=20223996
03-24/17:15:51 INFO [rdsLstnr-p-9-t-1] InetRadiusProcessor - Return code=0
03-24/17:15:51 INFO [rdsLstnr-p-9-t-1] InetRadiusProcessor - RESPONSE_BEFORE_POSTPROCESS:
Packet type: Access-Accept
Identifier: 1
Authenticator: {}
Attributes:
  Acct-Interim-Interval=60
  Idle-Timeout=1300
  cisco-avpair=subscriber:accounting-list=ipoe-isg-aaa
-----
Author: Amir [ 26 Mar 2015, 15:26 ]
Subject: Re: L3 authorization test bench with a relay on the building switch
Looks correct; only the ISG service assignment is missing, which is configured through the tariff / Inet options.
Author: iseed [ 30 Mar 2015, 13:26 ]
Subject: Re: L3 authorization test bench with a relay on the building switch
Here is the output:
-----
Packet type: Access-Accept
Identifier: 196
Authenticator: {74 02 66 0E E6 8B BD 21 83 70 4A 1E 7F BB 9C D1}
Attributes:
  Acct-Interim-Interval=300
  Idle-Timeout=1300
  cisco-avpair=subscriber:accounting-list=ipoe-isg-aaa
  cisco-avpair=ip:traffic-class=in access-group 101 priority 200
  cisco-avpair=ip:traffic-class=in default drop
  cisco-avpair=ip:traffic-class=out access-group 101 priority 200
  cisco-avpair=ip:traffic-class=out default drop
  cisco-SSG-Service-Info=QU;76800000;14400000;28800000;D;76800000;14400000;28800000
Process time auth: 193
-----

On the Cisco:
-----
Type: IP, UID: 5414, State: authen, Identity: XXX.YYY.104.130
Session Up-time: 01:53:51, Last Changed: 01:53:51
Switch-ID: 8671734
Policy information:
  Context 7F4591C1B098: Handle 4F010661
  AAA_id 001E0E24: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    idletime             1300 (0x514)
    accounting-list      "ipoe-isg-aaa"
    traffic-class        "in access-group 101 priority 200"
    traffic-class        "in default drop"
    traffic-class        "out access-group 101 priority 200"
    traffic-class        "out default drop"
    ssg-service-info     "QU;76800000;14400000;28800000;D;76800000;14400000;28800000"
  Downloaded User profile, including services:
    idletime             1300 (0x514)
    accounting-list      "ipoe-isg-aaa"
    traffic-class        "in access-group 101 priority 200"
    traffic-class        "in default drop"
    traffic-class        "out access-group 101 priority 200"
    traffic-class        "out default drop"
    ssg-service-info     "QU;76800000;14400000;28800000;D;76800000;14400000;28800000"
  Config history for session (recent to oldest):
    Access-type: IP Client: SM
    Policy event: Service Selection Request
      Profile name: XXX.YYY.104.130, 2 references
        idletime             1300 (0x514)
        accounting-list      "ipoe-isg-aaa"
        traffic-class        "in access-group 101 priority 200"
        traffic-class        "in default drop"
        traffic-class        "out access-group 101 priority 200"
        traffic-class        "out default drop"
        ssg-service-info     "QU;76800000;14400000;28800000;D;76800000;14400000;28800000"
  Rules, actions and conditions executed:
    subscriber rule-map IPoE-ISG
      condition always event session-start
        10 authorize aaa list ipoe-isg-aaa identifier source-ip-address
Classifiers:
Class-id  Dir  Packets  Bytes      Pri.  Definition
0         In   441243   484543548  0     Match Any
1         Out  448840   398336457  0     Match Any
Features:
Idle Timeout:
Class-id  Dir  Timeout value  Idle-Time  Source
1         Out  1300           00:00:47   Peruser
Accounting:
Class-id  Dir  Packets  Bytes      Source
0         In   441205   476592020  Peruser
1         Out  448840   390257337  Peruser
Policing:
Class-id  Dir  Avg. Rate  Normal Burst  Excess Burst  Source
0         In   76800000   14400000      28800000      Peruser
1         Out  76800000   14400000      28800000      Peruser
Configuration Sources:
Type  Active Time  AAA Service ID  Name
USR   01:53:51     -               Peruser
INT   01:53:51     -               TenGigabitEthernet1/0/0.399
-----

Now a question about accounting has come up. On the billing server I receive an accounting packet:
-----
Packet type: Accounting-Request
Identifier: 207
Authenticator: {85 72 B0 A1 A5 26 42 D0 A4 41 55 4A 4C 8A B8 10}
Attributes:
  UNKNOWN[-1-192]={00 00 00 00}
  User-Name=XXX.YYY.104.130
  UNKNOWN[-1-193]={00 00 00 00}
  UNKNOWN[-1-196]={00 00 00 0A}
  NAS-IP-Address=10.1.20.2
  NAS-Port=5685371
  UNKNOWN[-1-198]={00 00 00 05}
  Service-Type=2
  Framed-Protocol=1
  Framed-IP-Address=XXX.YYY.104.130
  NAS-Port-Id=1/0/0/399
  UNKNOWN[-1-151]={42 39 33 41 38 33 46 37}
  NAS-Identifier=nas.pem-com.ru
  Acct-Status-Type=3
  Acct-Delay-Time=0
  Acct-Input-Octets=476536744
  Acct-Output-Octets=389680644
  Acct-Session-Id=1/0/0/399_9D0000000056C07B
  Acct-Authentic=2
  Acct-Session-Time=6303
  Acct-Input-Packets=440449
  Acct-Output-Packets=447975
  Event-Timestamp=1427697794
  NAS-Port-Type=33
  UNKNOWN[-1-190]={00 00 00 00}
  UNKNOWN[-1-191]={00 00 00 00}
  cisco-avpair=connect-progress=Call Up
  cisco-NAS-Port=1/0/0/399
  cisco-SSG-Control-Info=I0;476536744
  cisco-SSG-Control-Info=O0;389680644
03-30/13:44:24 INFO [rdsLstnr-p-8-t-7] InetRadiusProcessor - Session 1/0/0/399_9D0000000056C07B found.
03-30/13:44:24 DEBUG [rdsLstnr-p-8-t-7] ProcessorRequest - Sending to /10.1.20.2:1646
03-30/13:44:24 INFO [rdsLstnr-p-8-t-7] update - RESPONSE:
Packet type: Accounting-Response
Identifier: 207
Authenticator: {49 E1 07 6F 57 23 33 B3 B7 A6 30 A4 B1 2C 2C DB}
Attributes:
Process time update: 46
-----

In inet-accounting/radius.log it shows up as:
-----
Packet type: Accounting-Request
Identifier: 73
Authenticator: {6B AD 42 23 55 E0 20 60 3D F5 45 20 F9 61 E8 3E}
Attributes:
  UNKNOWN[-1-192]={00 00 00 00}
  User-Name=XXX.YYY.104.130
  UNKNOWN[-1-193]={00 00 00 00}
  UNKNOWN[-1-196]={00 00 00 0A}
  NAS-IP-Address=10.1.20.2
  NAS-Port=5685371
  UNKNOWN[-1-198]={00 00 00 05}
  Service-Type=2
  Framed-Protocol=1
  Framed-IP-Address=XXX.YYY.104.130
  NAS-Port-Id=1/0/0/399
  UNKNOWN[-1-151]={42 39 33 41 38 33 46 37}
  NAS-Identifier=nas.pem-com.ru
  Acct-Status-Type=3
  Acct-Delay-Time=0
  Acct-Input-Octets=476673936
  Acct-Output-Octets=393623113
  Acct-Session-Id=1/0/0/399_9D0000000056C07B
  Acct-Authentic=2
  Acct-Session-Time=8421
  Acct-Input-Packets=441978
  Acct-Output-Packets=451362
  Event-Timestamp=1427699912
  NAS-Port-Type=33
  UNKNOWN[-1-190]={00 00 00 00}
  UNKNOWN[-1-191]={00 00 00 00}
  cisco-avpair=connect-progress=Call Up
  cisco-NAS-Port=1/0/0/399
  cisco-SSG-Control-Info=I0;476673936
  cisco-SSG-Control-Info=O0;393623113
03-30/14:19:43 INFO [rdsLstnr-p-8-t-5] InetRadiusProcessor - Session 1/0/0/399_9D0000000056C07B found.
03-30/14:19:43 DEBUG [rdsLstnr-p-8-t-5] ProcessorRequest - Sending to /10.1.20.2:1646
03-30/14:19:43 INFO [rdsLstnr-p-8-t-5] update - RESPONSE:
Packet type: Accounting-Response
Identifier: 73
Authenticator: {C3 B3 56 33 B5 42 78 23 9B 86 95 2B 74 93 CD D0}
Attributes:
Process time update: 46
-----

But in the billing system the established session shows no accounting session-time data: http://joxi.ru/nAyBnlvI4XVerZ

Where can I look?
Author: iseed [ 02 Apr 2015, 11:53 ]
Subject: Re: L3 authorization test bench with a relay on the building switch
Bumping the thread. On the Cisco I configured:
----
aaa authentication login ipoe-isg-aaa group ipoe-radius
aaa authorization network ipoe-isg-aaa group ipoe-radius
aaa authorization subscriber-service default local group ipoe-isg-aaa
aaa accounting update periodic 1
aaa accounting network ipoe-isg-aaa start-stop group ipoe-radius
aaa group server radius ipoe-radius
 server-private 10.1.ZZ.XXX auth-port 1812 acct-port 1813 key 7 075E731F1F5B4A
 ip radius source-interface TenGigabitEthernet1/0/0.20
!
aaa group server radius ipoe-services-radius
 server-private 10.1.ZZ.XXX auth-port 1811 acct-port 1813 key 7 08701E1D584B56
 ip radius source-interface TenGigabitEthernet1/0/0.20
!
policy-map type control IPoE-ISG
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event session-start
  10 authorize aaa list ipoe-isg-aaa password cisco identifier source-ip-address
  20 set-timer UNAUTH-TIMER 1
  30 service-policy type service name SERVICE-TRUSTED
  40 service-policy type service name SERVICE-REDIRECT
 !
 class type control always event service-stop
  1 service-policy type service unapply identifier service-name
  5 service-policy type service unapply identifier service-name
  10 log-session-state
 !
 class type control always event session-restart
  10 authorize aaa list ipoe-isg-aaa password cisco identifier source-ip-address
  20 set-timer UNAUTH-TIMER 1
  30 service-policy type service name SERVICE-TRUSTED
  40 service-policy type service name SERVICE-REDIRECT
!
!
policy-map type service SERVICE-TRUSTED
 10 class type traffic CLASS-TRUSTED
  police input 64000 8000 16000
  police output 64000 8000 16000
 !
 class type traffic default input
  drop
!
!
policy-map type service SERVICE-REDIRECT
 10 class type traffic CLASS-REDIRECT
  redirect to group NO-MONEY-NO-HONEY
 !
 class type traffic default input
  drop
!
!
redirect server-group NO-MONEY-NO-HONEY
 server ip ZZ.XX.20.3 port 82
!
class-map type traffic match-any CLASS-REDIRECT
 match access-group input 155
 match access-group output 155
!
class-map type traffic match-any CLASS-TRUSTED
 match access-group input 156
 match access-group output 156
!
access-list 1 permit 10.1.ZZ.XX
access-list 1 permit 10.1.ZZ.XX
access-list 1 permit ZZ.XX.104.26
access-list 1 permit 10.1.ZZ.XX
access-list 1 deny any
access-list 99 permit ZZ.XX.104.58
access-list 101 permit tcp any any
access-list 155 permit tcp any any eq www
access-list 155 deny ip any any
access-list 156 permit udp any any eq domain
access-list 156 permit tcp any host ZZ.XX.20.3 eq www
access-list 156 permit icmp any any
access-list 156 deny ip any any
access-list 196 permit ip any any
interface TenGigabitEthernet1/0/0.399
 encapsulation dot1Q 399
 ip address XX.ZZ.104.129 255.255.255.192
 no ip proxy-arp
 arp timeout 300
 service-policy type control IPoE-ISG
 ip subscriber routed
  initiator unclassified ip-address
!
----
In the billing I configured for the BRAS:
-----
radius.inetOption.56.attributes=cisco-SSG-Account-Info=ASPEED_75MB;cisco-avpair=ip:traffic-class=in access-group 101 priority 200;cisco-avpair=ip:traffic-class=in default drop;cisco-avpair=ip:traffic-class=out access-group 101 priority 200;cisco-avpair=ip:traffic-class=out default drop;cisco-SSG-Service-Info=QU;;76800000;;14400000;;28800000;;D;;76800000;;14400000;;28800000
-----
The billing replied to the BRAS:
-----
04-02/12:16:14 INFO [rdsLstnr-p-9-t-2] InetRadiusListenerWorker - RESPONSE:
Packet type: Access-Accept
Identifier: 116
Authenticator: {52 84 EC 9A 75 1A 52 0A 72 D0 43 AA 0C BC 62 32}
Attributes:
Acct-Interim-Interval=300
Idle-Timeout=300
cisco-avpair=subscriber:accounting-list=ipoe-isg-aaa
cisco-avpair=ip:traffic-class=in access-group 101 priority 200
cisco-avpair=ip:traffic-class=in default drop
cisco-avpair=ip:traffic-class=out access-group 101 priority 200
cisco-avpair=ip:traffic-class=out default drop
cisco-SSG-Account-Info=ASPEED_75MB
cisco-SSG-Service-Info=QU;76800000;14400000;28800000;D;76800000;14400000;28800000
-----
In response the Cisco brought up a session:
------
Type: IP, UID: 6092, State: authen, Identity: XX.ZZ.104.131
Session Up-time: 00:22:57, Last Changed: 00:22:57
Switch-ID: 9179068
Policy information:
  Authentication status: authen
  Rules, actions and conditions executed:
    subscriber rule-map IPoE-ISG
      condition always event session-start
        10 authorize aaa list ipoe-isg-aaa identifier source-ip-address
  Classifiers:
  Class-id  Dir  Packets  Bytes   Pri.  Definition
  0         In   2822     277467  0     Match Any
  1         Out  2837     443538  0     Match Any
  Features:
  Idle Timeout:
  Class-id  Dir  Timeout value  Idle-Time  Source
  1         Out  300            00:00:07   Peruser
  Accounting:
  Class-id  Dir  Packets  Bytes   Source
  0         In   2832     227451  Peruser
  1         Out  2847     393727  Peruser
  Policing:
  Class-id  Dir  Avg. Rate  Normal Burst  Excess Burst  Source
  0         In   76800000   14400000      28800000      Peruser
  1         Out  76800000   14400000      28800000      Peruser
  Configuration Sources:
  Type  Active Time  AAA Service ID  Name
  USR   00:22:57     -               Peruser
  INT   00:22:57     -               TenGigabitEthernet1/0/0.399
------
But the account session is not present in the session:
-----
cisco-SSG-Account-Info=ASPEED_75MB
-----
and accordingly there are no child sessions in the billing: http://joxi.ru/a2Xx4jzFJ5wb2g
Dear Cisco folks, tell a beginner what needs to be configured in radius.inetOption.56.attributes so that the Cisco accepts it and accounting starts being credited to this service? |
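Added example, not from the post or from BGBilling: it decodes the radius.inetOption.56.attributes string from the post into RADIUS attribute pairs, checks that every configured pair reached the Access-Accept the billing logged, and reads the cisco-SSG-Service-Info value into the policing triples the BRAS lists under "Policing:" in the session dump. It assumes, inferred from the post (";;" in the config came out as ";" in the Access-Accept), that a doubled ";;" is the escape for a literal ";" inside a value; the sample strings are reconstructed from the post.

```python
# Constructed from the post: the attribute string set in the billing.
BITEL_ATTRS = ("cisco-SSG-Account-Info=ASPEED_75MB;"
               "cisco-avpair=ip:traffic-class=in access-group 101 priority 200;"
               "cisco-avpair=ip:traffic-class=in default drop;"
               "cisco-avpair=ip:traffic-class=out access-group 101 priority 200;"
               "cisco-avpair=ip:traffic-class=out default drop;"
               "cisco-SSG-Service-Info=QU;;76800000;;14400000;;28800000;;"
               "D;;76800000;;14400000;;28800000")
# Constructed from the post: the Attributes block of the logged Access-Accept.
ACCEPT_LOG = """Acct-Interim-Interval=300
Idle-Timeout=300
cisco-avpair=subscriber:accounting-list=ipoe-isg-aaa
cisco-avpair=ip:traffic-class=in access-group 101 priority 200
cisco-avpair=ip:traffic-class=in default drop
cisco-avpair=ip:traffic-class=out access-group 101 priority 200
cisco-avpair=ip:traffic-class=out default drop
cisco-SSG-Account-Info=ASPEED_75MB
cisco-SSG-Service-Info=QU;76800000;14400000;28800000;D;76800000;14400000;28800000"""

def parse_bitel_attrs(s):
    # Split into (name, value) pairs on single ';'. Assumption, inferred from the
    # post (';;' in the config came out as ';' in the Access-Accept): ';;' escapes ';'.
    pairs, buf, i = [], [], 0
    while i < len(s):
        if s[i] == ';' and s[i + 1:i + 2] == ';':
            buf.append(';'); i += 2
        elif s[i] == ';':
            pairs.append(''.join(buf)); buf = []; i += 1
        else:
            buf.append(s[i]); i += 1
    pairs.append(''.join(buf))
    return [tuple(p.split('=', 1)) for p in pairs]

def parse_accept_log(text):
    # One attribute per line; split at the first '=' only, since values contain '='.
    return [tuple(line.split('=', 1)) for line in text.strip().splitlines()]

def missing_from_accept():
    # Pairs configured in billing that did not make it into the Access-Accept.
    sent = parse_accept_log(ACCEPT_LOG)
    return [p for p in parse_bitel_attrs(BITEL_ATTRS) if p not in sent]

def service_policing(pairs):
    # cisco-SSG-Service-Info 'QU;rate;burst;excess;D;rate;burst;excess', QU = upstream,
    # D = downstream, as the triples the BRAS lists under 'Policing:' in the session dump.
    info = dict(pairs)['cisco-SSG-Service-Info'].split(';')
    return {d: tuple(int(x) for x in info[info.index(m) + 1:][:3])
            for m, d in (('QU', 'in'), ('D', 'out'))}
```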
Powered by phpBB® Forum Software © phpBB Group http://www.phpbb.com/ |