I tried doing it via ISG.
In the device type config:
Code:
radius.inetOption.2.attributes=Cisco-SSG-Account-Info=ABOD1M
On the Cisco:
Code:
aaa authentication login default local-case
aaa authentication ppp PPPOE group RAD_PPPOE
aaa authorization exec default local
aaa authorization network PPPOE group RAD_PPPOE
aaa authorization subscriber-service default local
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network PPPOE start-stop group RAD_PPPOE
class-map type traffic match-any BOD1M_TC
 match access-group input name BOD1M_IN_ACL_IN
 match access-group output name BOD1M_ACL_OUT
policy-map type service BOD1M
 10 class type traffic BOD1M_TC
  police input 512000 256000 5000
  police output 1024000 512000 5000
 !
 class type traffic default in-out
  drop
 !
!
ip access-list extended BOD1M_IN_ACL_IN
 permit ip any 172.18.32.0 0.0.15.255
 deny ip any any
ip access-list extended BOD1M_ACL_OUT
 permit ip 172.18.32.0 0.0.15.255 any
 deny ip any any
In the logs:
Code:
*Sep 20 15:41:59: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Sep 20 15:41:59: RADIUS: User-Name [1] 10 "testuser"
*Sep 20 15:41:59: RADIUS: CHAP-Password [3] 19 *
*Sep 20 15:41:59: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Sep 20 15:41:59: RADIUS: NAS-Port [5] 6 0
*Sep 20 15:41:59: RADIUS: NAS-Port-Id [87] 11 "0/0/0/101"
*Sep 20 15:41:59: RADIUS: Vendor, Cisco [26] 41
*Sep 20 15:41:59: RADIUS: Cisco AVpair [1] 35 "client-mac-address=001b.789a.d2d0"
*Sep 20 15:41:59: RADIUS: Service-Type [6] 6 Framed [2]
*Sep 20 15:41:59: RADIUS: NAS-IP-Address [4] 6 X.X.X.9
*Sep 20 15:41:59: RADIUS(00000035): Sending a IPv4 Radius Packet
*Sep 20 15:41:59: RADIUS(00000035): Started 5 sec timeout
*Sep 20 15:42:00: RADIUS: Received from id 1645/40 X.X.X.26:1812, Access-Accept, len 57
*Sep 20 15:42:00: RADIUS: authenticator 77 9F DE 9A ED F0 F0 02 - 2C 0E 36 A7 66 8A 52 87
*Sep 20 15:42:00: RADIUS: Acct-Interim-Interva[85] 6 600
*Sep 20 15:42:00: RADIUS: Framed-IP-Address [8] 6 172.18.63.172
*Sep 20 15:42:00: RADIUS: Vendor, Unknown [26] 11
*Sep 20 15:42:00: RADIUS: Ascend-Private-Route[104] 5
*Sep 20 15:42:00: RADIUS: 50 50 50 [ PPP]
*Sep 20 15:42:00: RADIUS: Vendor, Cisco [26] 14
*Sep 20 15:42:00: RADIUS: ssg-account-info [250] 8 "ABOD1M"
Further down:
*Sep 20 15:42:00: SSS PM [422577A0]: Updated key list:
*Sep 20 15:42:00: SSS PM [422577A0]: Logon-Service = "BOD1M"
*Sep 20 15:42:00: SSS PM [422577A0]: Nasport = PPPoEoVLAN: slot 0 adapter 0 port 0 sub-interface 101 IP 0.0.0.0 VPI 0 VCI 0 VLAN 101
*Sep 20 15:42:00: SSS PM [422577A0]: Access-Type = 11 (Web-service-logon)
*Sep 20 15:42:00: SSS PM [422577A0]: Authen-Status = 1 (Unauthenticated)
*Sep 20 15:42:00: SSS PM [422577A0]: Session-Handle = 754974798 (2D00004E)
Further down still:
*Sep 20 15:42:00: RADIUS: User-Password [2] 18 *
*Sep 20 15:42:00: RADIUS: User-Name [1] 7 "BOD1M"
*Sep 20 15:42:00: RADIUS: Service-Type [6] 6 Outbound [5]
*Sep 20 15:42:00: RADIUS: NAS-IP-Address [4] 6 X.X.X.9
Further down still:
*Sep 20 15:47:15: RADIUS(00000000): Send Access-Request to X.X.X.26:1812 id 1645/43, len 57
*Sep 20 15:47:15: RADIUS: authenticator C7 E6 70 30 3F B4 D1 ED - E8 42 61 73 9A 61 C8 C1
*Sep 20 15:47:15: RADIUS: User-Password [2] 18 *
*Sep 20 15:47:15: RADIUS: User-Name [1] 7 "BOD1M"
*Sep 20 15:47:15: RADIUS: Service-Type [6] 6 Outbound [5]
*Sep 20 15:47:15: RADIUS: NAS-IP-Address [4] 6 X.X.X.9
*Sep 20 15:47:15: RADIUS(00000000): Sending a IPv4 Radius Packet
*Sep 20 15:47:15: RADIUS(00000000): Started 5 sec timeout
*Sep 20 15:47:15: RADIUS: Received from id 1645/43 X.X.X.26:1812, Access-Reject, len 23
*Sep 20 15:47:15: RADIUS: authenticator 90 DD BE 99 26 13 8E BB - 74 B6 2A 90 D2 45 6E 8A
*Sep 20 15:47:15: RADIUS: Reply-Message [18] 3
*Sep 20 15:47:15: RADIUS: 31 [ 1]
That is, the ISG authorization goes to the RADIUS server. But the Cisco configuration has this line:
Code:
aaa authorization subscriber-service default local
Which in theory should authorize the service locally on the ISG. Why does the authorization go to RADIUS?
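
The correlation the post makes by reading the debug output by hand, as an added Python example that is not part of the original post: it pairs the auto-logon service named in `ssg-account-info` with a later Access-Request sent under that service name with Service-Type Outbound, and reports the server's reply. The log excerpt is taken from the lines quoted above with timestamps trimmed; the function and pattern names are illustrative.

```python
import re

# Excerpt of the debug output quoted in the post (timestamps trimmed).
LOG = '''\
RADIUS: Received from id 1645/40 X.X.X.26:1812, Access-Accept, len 57
RADIUS: Framed-IP-Address [8] 6 172.18.63.172
RADIUS: ssg-account-info [250] 8 "ABOD1M"
RADIUS(00000000): Send Access-Request to X.X.X.26:1812 id 1645/43, len 57
RADIUS: User-Password [2] 18 *
RADIUS: User-Name [1] 7 "BOD1M"
RADIUS: Service-Type [6] 6 Outbound [5]
RADIUS: Received from id 1645/43 X.X.X.26:1812, Access-Reject, len 23
'''

SEND = re.compile(r'Send Access-Request to \S+ id (\S+),')
RECV = re.compile(r'Received from id (\S+) \S+, (Access-\w+),')
AUTO = re.compile(r'ssg-account-info\s+\[250\]\s+\d+\s+"A([^"]+)"')
USER = re.compile(r'User-Name\s+\[1\]\s+\d+\s+"([^"]+)"')
OUTB = re.compile(r'Service-Type\s+\[6\]\s+\d+\s+Outbound')


def service_profile_requests(log):
    """Return (service, request id, reply) for every auto-logon service whose
    profile the NAS requested from RADIUS (User-Name == service, Outbound)."""
    services, requests, results = set(), {}, []
    current = None                      # request whose attributes we are reading
    for line in log.splitlines():
        if m := AUTO.search(line):
            services.add(m.group(1))    # "A" prefix = auto-logon service name
        elif m := SEND.search(line):
            current = requests.setdefault(m.group(1), {"user": None, "outbound": False})
        elif m := RECV.search(line):
            req = requests.pop(m.group(1), None)
            current = None
            if req and req["outbound"] and req["user"] in services:
                results.append((req["user"], m.group(1), m.group(2)))
        elif current is not None:
            if m := USER.search(line):
                current["user"] = m.group(1)
            elif OUTB.search(line):
                current["outbound"] = True
    return results


if __name__ == "__main__":
    for service, req_id, reply in service_profile_requests(LOG):
        print(f"service {service!r}: profile requested from RADIUS (id {req_id}) -> {reply}")
```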