Привет.
Тут есть закрепленная тема о схемах с ISG по порту коммутатора, но я решил создать отдельную тему, потому что: а) у меня авторизации по порту не происходит, б) в вышеупомянутой теме с декабря 2014 года никто ничего не писал...
Пытаемся реализовать схему, когда клиент подключен по технологии IPoE со статическим адресом. Т.е. мы аутентифицируем его по его IP, который является одновременно и логином. Никаких DHCP и 82-х опций нет. Есть тестовая ISG (7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S6), BGBillng 6.0 модуль Inet.
ISG настраивался одновременно по нескольким статьям (http://wiki.bitel.ru/index.php/ISG,_%D1%81%D1%85%D0%B5%D0%BC%D0%B0_%D1%81%D0%BE_%D1%81%D1%82%D0%B0%D1%80%D1%82%D0%BE%D0%BC_%D1%81%D0%B5%D1%81%D1%81%D0%B8%D0%B8_%D0%B8_%D0%B5%D0%B5_%D0%B0%D0%B2%D1%82%D0%BE%D1%80%D0%B8%D0%B7%D0%B0%D1%86%D0%B8%D0%B5%D0%B9_%D0%BF%D0%BE_IP,_%D0%B2%D1%8B%D0%B4%D0%B0%D1%87%D0%B0_%D0%B0%D0%B4%D1%80%D0%B5%D1%81%D0%BE%D0%B2_%D0%BD%D0%B0_%D0%BE%D1%81%D0%BD%D0%BE%D0%B2%D0%B5_option82, https://www.lanbilling.ru/lanbilling-cisco-isg. Собственно, схемы именно по ISG в этих статьях почти идентичные.
Что бы не быть голословным, вот конфиги:
ISG:
Код: ISG99#sh run
Building configuration...
Current configuration : 6186 bytes
!
! Last configuration change at 09:27:31 RTZ-3 Thu Sep 29 2016
! NVRAM config last updated at 09:27:32 RTZ-3 Thu Sep 29 2016
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname ISG99
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa group server radius ISG_TEST
server 10.63.9.105 auth-port 1812 acct-port 1813
ip radius source-interface FastEthernet0/0
attribute nas-port format e UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
!
aaa authentication login IPOE-CLIENTS group ISG_TEST
aaa authentication ppp PPPOE-CLIENTS group ISG_TEST
aaa authorization network PPPOE-CLIENTS group ISG_TEST
aaa authorization network IPOE-CLIENTS group ISG_TEST
aaa authorization subscriber-service default local group ISG_TEST
aaa authorization subscriber-service PPPOE-CLIENTS local group ISG_TEST
aaa authorization subscriber-service IPOE-CLIETNS local group ISG_TEST
aaa accounting update periodic 1
aaa accounting network default start-stop group radius
aaa accounting network PPPOE-CLIENTS start-stop group ISG_TEST
aaa accounting network IPOE-CLIENTS start-stop group ISG_TEST
!
!
!
!
aaa server radius dynamic-author
client 10.63.9.105 server-key cisco
auth-type any
ignore session-key
ignore server-key
!
aaa session-id common
clock timezone RTZ-3 4 0
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
subscriber authorization enable
async-bootp dns-server 81.22.63.7
multilink bundle-name authenticated
!
!
!
!
!
!
!
username aneye privilege 15 secret 5 $1$OfaS$jw84G4UwlVogs.DQQqAhK0
redirect server-group PORTAL
server ip 81.22.63.53 port 80
!
!
!
!
!
!
ip tcp synwait-time 5
class-map type traffic match-any CLASS-TO-REDIRECT
match access-group input 199
match access-group output 199
!
class-map type traffic match-any CLASS-TRUSTED
match access-group input 198
match access-group output 198
!
class-map type control match-all ISG-IP-UNAUTH
match authen-status unauthenticated
match timer UNAUTH-TIMER
!
policy-map type service LOCAL-L4R
5 class type traffic CLASS-TO-REDIRECT
redirect to group PORTAL
!
class type traffic default in-out
drop
!
!
policy-map type service SERVICE-TRUSTED
1 class type traffic CLASS-TRUSTED
police input 1024000 192000 384000
police output 1024000 192000 384000
!
class type traffic default input
drop
!
!
policy-map type control ISG
class type control always event session-start
1 authenticate aaa list PPPOE-CLIENTS
!
!
policy-map type control ISG-IPOE-POLICY
class type control ISG-IP-UNAUTH event timed-policy-expiry
1 service disconnect
!
class type control always event session-start
10 authorize aaa list IPOE-CLIENTS password cisco identifier source-ip-address
20 set-timer UNAUTH-TIMER 3
30 service-policy type service name SERVICE-TRUSTED
40 service-policy type service name LOCAL-L4R
!
class type control always event session-restart
10 authorize aaa list IPOE-CLIENTS password cisco identifier source-ip-address
20 set-timer UNAUTH-TIMER 3
30 service-policy type service name SERVICE-TRUSTED
40 service-policy type service name LOCAL-L4R
!
class type control always event radius-timeout
1 service-policy type service name SERVICE-TRUSTED
2 service-policy type service name LOCAL-L4R
!
class type control always event account-logoff
1 service disconnect delay 5
!
!
!
!
!
!
!
!
!
!
bba-group pppoe global
virtual-template 1
sessions auto cleanup
!
!
interface FastEthernet0/0
ip address 10.63.2.96 255.255.255.0
ip nat outside
duplex full
!
interface FastEthernet0/0.2
!
interface FastEthernet1/0
no ip address
duplex full
pppoe enable group global
!
interface FastEthernet1/0.251
encapsulation dot1Q 251
ip address 60.1.1.1 255.255.255.252
ip nat inside
service-policy type control ISG-IPOE-POLICY
ip subscriber routed
initiator unclassified ip-address
!
interface Virtual-Template1
mtu 1492
ip unnumbered FastEthernet0/0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no peer default ip address
ppp authentication chap pap ms-chap-v2 PPPOE-CLIENTS
ppp authorization PPPOE-CLIENTS
ppp accounting PPPOE-CLIENTS
service-policy type control ISG
!
ip local pool PPPOE-CLIENT-POOL 10.99.99.200 10.99.99.254
ip nat inside source list NAT interface FastEthernet0/0 overload
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.63.2.254
!
ip access-list standard NAT
permit 10.37.37.0 0.0.0.255
permit 60.1.1.0 0.0.0.3
!
ip access-list extended PPPOE-ACL-IN
deny icmp any any
permit ip any any
ip access-list extended PPPOE-ACL-OUT
deny icmp any any
permit ip any any
!
ip radius source-interface FastEthernet0/0
access-list 197 permit tcp any any eq www
access-list 198 permit udp any any eq domain
access-list 198 permit udp any eq domain any
access-list 198 permit tcp any host 194.54.14.159 eq www
access-list 198 permit tcp any host 194.54.14.159 eq 443
access-list 198 permit icmp any any
access-list 198 deny ip any any
access-list 199 permit tcp any any eq www
access-list 199 permit tcp any any eq 443
access-list 199 permit tcp any any eq 8080
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 25 access-request include
radius-server attribute nas-port format e UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
radius-server attribute 31 send nas-port-detail mac-only
radius-server host 10.63.9.105 auth-port 1812 acct-port 1813 key cisco
radius-server key cisco
radius-server vsa send accounting
radius-server vsa send authentication
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
password 15xbkjdtr
transport input telnet
!
ntp update-calendar
ntp server 132.163.4.101
ntp server 132.163.4.103
!
end
Вот конфигурация устройства ISG в BGBilling:
Код: radius.servSearchMode=0
radius.realm=default
connection.suspend.timeout=900
connection.close.timeout=130
connection.finish.timeout=5
radius.username.removeDomain=0
radius.realm.default.attributes=Acct-Interim-Interval=60;Idle-Timeout=1300;cisco-avpair=subscriber:accounting-list=IPOE-CLIENTS;cisco-avpair=subscriber:policy-directive=authenticate aaa list IPOE-CLIENTS;
radius.inetOption.33.template=framed-mtu=1492;cisco-SSG-Service-Info=I$optionTitle;cisco-SSG-Service-Info=QU;;$speed;;$nburst;;$eburst;;D;;$speed;;$nburst;;$eburst;;;
radius.connection.attributes=Acct-Session-Id,User-Name,Framed-IP-Address
authorization.mode=1
radius.disable.attributes=Acct-Interim-Interval=60;cisco-avpair=subscriber:accounting-list=IPOE-CLIENTS;cisco-SSG-Service-Info=QU;;1000000;;187500;;375000;;D;;1000000;;187500;;375000;;;cisco-ssg-account-info=ASERVICE-TRUSTED;cisco-ssg-account-info=ALOCAL-L4R;
sa.radius.connection.coa.mode=2
sa.radius.connection.close.mode=3
sa.radius.connection.withoutBreak=0
sa.radius.connection.attributes=Acct-Session-Id,User-Name,Framed-IP-Address
session.split.onDeviceState=0
session.split.onTariffOption=1
sa.radius.realm.addAttributes=0
sa.radius.connection.attributes=Acct-Session-Id
Так вот, проблема в следующем: если у абонента отрицательный баланс, ему возвращается ошибка 12 и Access-Reject:
Код: Packet type: Access-Reject
Identifier: 6
Authenticator: {DF F5 50 AF 2F 08 66 9F 1F F1 3E B8 42 56 C6 3A}
Attributes:
Reply-Message=12
На ISG при этом поднимается сессия и применяются сервисы, описанные в policy-map:
Код: ISG99#show subscriber session detailed
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: IP, UID: 7, State: unauthen, Identity: 60.1.1.2
IPv4 Address: 60.1.1.2
Session Up-time: 00:00:02, Last Changed: 00:00:02
Switch-ID: 4135
Policy information:
Context 680E7378: Handle 6700001F
AAA_id 00000012: Flow_handle 0
Authentication status: unauthen
Downloaded User profile, including services:
ssg-service-info 0 "QU;1024000;192000;384000;D;1024000;192000;384000"
username 0 "LOCAL-L4R"
traffic-class 0 "input access-group 199 priority 5"
traffic-class 0 "output access-group 199 priority 5"
l4redirect 0 "redirect to group PORTAL"
traffic-class 0 "input default drop"
traffic-class 0 "output default drop"
Config history for session (recent to oldest):
Access-type: IP Client: SM
Policy event: Service Selection Request (Service)
Profile name: LOCAL-L4R, 3 references
password 0 <hidden>
username 0 "LOCAL-L4R"
traffic-class 0 "input access-group 199 priority 5"
traffic-class 0 "output access-group 199 priority 5"
l4redirect 0 "redirect to group PORTAL"
traffic-class 0 "input default drop"
traffic-class 0 "output default drop"
Access-type: IP Client: SM
Policy event: Service Selection Request (Service)
Profile name: SERVICE-TRUSTED, 3 references
password 0 <hidden>
username 0 "SERVICE-TRUSTED"
traffic-class 0 "input access-group 198 priority 1"
traffic-class 0 "output access-group 198 priority 1"
ssg-service-info 0 "QU;1024000;192000;384000;D;1024000;192000;384000"
traffic-class 0 "input default drop"
[b]Active services associated with session:
name "LOCAL-L4R", applied before account logon
name "SERVICE-TRUSTED", applied before account logon[/b]
Rules, actions and conditions executed:
subscriber rule-map ISG-IPOE-POLICY
condition always event session-start
10 authorize aaa list IPOE-CLIENTS identifier source-ip-address
20 set-timer UNAUTH-TIMER 3
30 service-policy type service name SERVICE-TRUSTED
40 service-policy type service name LOCAL-L4R
Classifiers:
Class-id Dir Packets Bytes Pri. Definition
0 In 0 0 0 Match Any
1 Out 0 0 0 Match Any
26 In 0 0 1 Match ACL 198
27 Out 0 0 1 Match ACL 198
28 In 0 0 5 Match ACL 199
29 Out 0 0 5 Match ACL 199
4294967294 In 0 0 - Drop
4294967295 Out 0 0 - Drop
Features:
L4 Redirect:
Class-id Rule cfg Definition Source
28 #1 SVC to group PORTAL LOCAL-L4R
Policing:
Class-id Dir Avg. Rate Normal Burst Excess Burst Source
26 In 1024000 192000 384000 SERVICE-TRUSTED
27 Out 1024000 192000 384000 SERVICE-TRUSTED
Configuration Sources:
Type Active Time AAA Service ID Name
SVC 00:00:02 - SERVICE-TRUSTED
SVC 00:00:02 - LOCAL-L4R
USR 00:00:02 - Peruser
INT 00:00:02 - FastEthernet1/0.251
Но! Ничего не происходит! Т.е. нет ни редиректа, не выборочного "пущания" на сайты (в ACL 198 указан IP sberbank.ru). Подскажите пожалуйста, в чем может быть трабл? Я подозреваю, что проблема скорее цисковская, чем БГ-шная, но к сожалению, на одном хорошем форуме циско пока молчат, как партизаны... А здесь данная тема, на сколько я успел понять, обсуждалась достаточно активно.
|
А если точнее - в ACL. Вот рабочий вариант: