cisco aaa coa and l4 redirect not working on csr 1000v

Dec 5th, 2013

Hi

I am trying to configure a Cisco CSR 1000V in VMware with 4 interfaces to do DHCP session creation with AAA RADIUS CoA and L4 Redirect to a portal page using the PBHK service.

This is the full configuration I used.

Here is the link and scenario that inspired me:

http://www.cisco.com/en/US/docs/ios/12_2sb/isg/coa/guide/isgcoa4.html

My CoA works well; for testing I used radclient, and it changes the subscriber session from unauthenticated to authenticated.

My issue is that the redirect to the captive portal is not working, and I don't know why.

Do I have to add AAA user profiles for the L4 service on the RADIUS server? What config should be added on the RADIUS server?

Can you please help me with the config?

Here are parts of my config as well:


!
! Last configuration change at 22:48:29 UTC Fri Nov 29 2013
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service internal
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname CISCO-CSR1000v
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 XXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa group server radius RAD-SRV-GRP
 server 192.168.100.123 auth-port 1812 acct-port 1813
 ip radius source-interface Loopback1
!
aaa authentication login RAD-ALL group RAD-SRV-GRP
aaa authorization network RAD-ALL group RAD-SRV-GRP
aaa authorization subscriber-service default local group RAD-SRV-GRP
aaa accounting network RAD-ALL
 action-type start-stop
 group RAD-SRV-GRP
!
!
!
!
!
aaa server radius dynamic-author
 client 192.168.100.123
 server-key cisco
 port 3799
 auth-type all
 ignore session-key
 ignore server-key
!
aaa session-id common
no ip source-route
!
!
!
!
!
!
!
!
!
no ip domain lookup
ip address-pool local
ip dhcp excluded-address 192.168.200.1
!
ip dhcp pool WiFi_DHCP_POOL1
 network 192.168.200.0 255.255.255.0
 dns-server 192.168.1.1
 default-router 192.168.200.1
 lease 0 0 30
 class DHCP-WiFi-CL
!
!
ip dhcp class DHCP-WiFi-CL
!
!
!
!
!
!
!
!
!
subscriber service coa-rfc-compliant
subscriber service session-accounting
subscriber authorization enable
multilink bundle-name authenticated
!
!
!
username root privilege 15 password 0 rootpass
!
redundancy
 mode none
redirect server-group CP-PORTAL
 server ip 192.168.100.123 port 80
!
!
!
!
no ip tftp source-interface GigabitEthernet0
class-map type traffic match-any REDIRECT-MAP
 match access-group input name REDIRECT-ACL-UP
!
class-map type traffic match-any OPENGARDEN-MAP
 match access-group input name OPENGARDEN-ACL-UP
 match access-group output name OPENGARDEN-ACL-DW
!
class-map type control match-all INIT-SESSION
 match timer INIT-SESSION-TIMER
 match authen-status unauthenticated
!
policy-map type service REDIRECT-SERV
 class type traffic REDIRECT-MAP
  redirect to ip 192.168.100.123 port 80
 !
 class type traffic default input
  drop
 !
!
policy-map type service OPENGARDEN-SERV
 class type traffic OPENGARDEN-MAP
  police input 1000000
  police output 3000000
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service PBHK-SERV
 ip portbundle
!
policy-map type control WIFI-POL-1
 class type control INIT-SESSION event timed-policy-expiry
  10 service disconnect
 !
 class type control always event session-start
  10 service-policy type service name PBHK-SERV
  20 service-policy type service name REDIRECT-SERV
  30 service-policy type service name OPENGARDEN-SERV
  40 set-timer INIT-SESSION-TIMER 5
 !
 class type control always event account-logon
  10 authenticate aaa list RAD-ALL
 !
 class type control always event service-start
  10 service-policy type service unapply name PBHK-SERV
  20 service-policy type service unapply name REDIRECT-SERV
  30 service-policy type service unapply name OPENGARDEN-SERV
  40 service-policy type service identifier service-name
 !
 class type control always event account-logoff
  10 service disconnect delay 5
 !
 class type control always event service-stop
  10 service-policy type service unapply identifier service-name
  20 service-policy type service name PBHK-SERV
  30 service-policy type service name REDIRECT-SERV
  40 service-policy type service name OPENGARDEN-SERV
 !
!
!
!
!
!
interface Loopback1
 ip address 192.168.255.1 255.255.255.255
!
interface GigabitEthernet1
 description "Internet_Interface"
 ip address 192.168.1.28 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 description "AP_Interface"
 ip address 192.168.200.1 255.255.255.0
 negotiation auto
 service-policy type control WIFI-POL-1
 ip subscriber routed
  initiator unclassified ip-address
  initiator dhcp
!
interface GigabitEthernet3
 description "Radius-Portal_Interface"
 ip address 192.168.100.131 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.168.50.130 255.255.255.0
 negotiation auto
!
!
virtual-service csr_mgmt
 activate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip access-list extended OPENGARDEN-ACL-DW
 permit ip host 192.168.100.123 any
 permit udp any eq domain any
ip access-list extended OPENGARDEN-ACL-UP
 permit udp any any eq domain
 permit tcp any host 192.168.100.123
ip access-list extended REDIRECT-ACL-UP
 deny   ip any host 192.168.100.123
 permit tcp any any eq www
 permit tcp any any eq 8080
 permit tcp any any eq 443
!
!
ip portbundle
 match access-list 101
 source Loopback1
!
access-list 101 permit tcp any host 192.168.100.123
!
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 31 send nas-port-detail mac-only
radius-server attribute 31 remote-id
radius-server host 192.168.100.123 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 5
radius-server timeout 10
radius-server key cisco
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0
 exec-timeout 30 0
 transport input telnet
line vty 1
 exec-timeout 30 0
 length 0
 transport input telnet
line vty 2 4
 exec-timeout 30 0
 transport input telnet
!
onep
!
end

dhruv.ranparia1 Wed, 12/09/2015 - 23:04

Hello,

Did you use an external portal? And how do you identify the session and generate the CoA? I got stuck at generating the CoA from the portal with the PBHK identifier.

Can you help me get the session information to generate the CoA?
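For the two points raised in this thread, the CoA that the original poster drove with radclient and the reply's question about identifying a session for a CoA, here is an added Python example (not from the thread and not Cisco code) that frames a RADIUS CoA-Request per RFC 5176 for a dynamic-author listener, checks it the way a receiver should against the shared server key, and pulls out the session identifier. The shared key cisco comes from the posted config; the Acct-Session-Id value and the cisco-avpair command string subscriber:command=account-logon are assumptions for illustration.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43                                  # RFC 5176 packet code
ATTR_ACCT_SESSION_ID, ATTR_VENDOR_SPECIFIC = 44, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1              # Cisco VSA, "cisco-avpair" sub-type

def avp(attr_type, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_avpair(text):
    """Wrap a 'key=value' string as a Cisco Vendor-Specific attribute."""
    sub = avp(CISCO_AVPAIR, text.encode())
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def build_coa_request(ident, secret, attrs):
    """Request Authenticator = MD5(header + 16 zero octets + attrs + secret), RFC 5176 2.3."""
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def verify_coa_request(packet, secret):
    """Receiver-side check against the shared server key: the length must match
    and the Request Authenticator must recompute; otherwise drop the request."""
    if len(packet) < 20 or packet[0] != COA_REQUEST or \
            struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    want = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(want, packet[4:20])

def session_id_of(packet):
    """Walk the attribute TLVs; return Acct-Session-Id (the ISG session key) or None."""
    body, pos = packet[20:], 0
    while pos + 2 <= len(body):
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        if attr_type == ATTR_ACCT_SESSION_ID:
            return body[pos + 2:pos + attr_len].decode()
        pos += attr_len
    return None

def account_logon_request(ident, secret, session_id):
    """Constructed sample: target the session by Acct-Session-Id and request
    account-logon (assumed cisco-avpair command, as in the ISG CoA guide)."""
    attrs = avp(ATTR_ACCT_SESSION_ID, session_id.encode())
    attrs += cisco_avpair("subscriber:command=account-logon")
    return build_coa_request(ident, secret, attrs)
```

A receiver that accepts a CoA without this authenticator check (or with the key check disabled) will act on any datagram that reaches UDP 3799, so keep the client list and server-key enforced on the dynamic-author listener.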
