New Member

RADIUS + Cisco ISG

Hi all!

I can't beat this problem. Everything seems to be configured the way it should be https://drive.google...DZVdnBGdFU/view but the logs keep showing the same thing over and over: unauthen.

Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S1, RELEASE SOFTWARE (fc1) 




I tried versions s6 and s7 as well. In s1 there is an identifier, but in s6 and s7 there isn't :\

Oct  2 19:41:48 10.10.7.1 474: Oct  2 19:41:48.735: SSS INFO: Element type is Protocol-Type = 4 (IP Access Protocol) 
Oct  2 19:41:48 10.10.7.1 475: Oct  2 19:41:48.735: SSS INFO: Element type is Media-Type = 2 (IP)
Oct  2 19:41:48 10.10.7.1 476: Oct  2 19:41:48.735: SSS INFO: Element type is AccIe-Hdl = 3288334347 (C400000B)
Oct  2 19:41:48 10.10.7.1 477: Oct  2 19:41:48.735: SSS INFO: Element type is AAA-Id = 84 (00000054)
Oct  2 19:41:48 10.10.7.1 478: Oct  2 19:41:48.735: SSS INFO: Element type is SHDB-Handle = 0 (00000000)
Oct  2 19:41:48 10.10.7.1 479: Oct  2 19:41:48.735: SSS INFO: Element type is Input Interface = "GigabitEthernet0/3.30"
Oct  2 19:41:48 10.10.7.1 480: Oct  2 19:41:48.735: SSS INFO: Element type is Mac-Address = 84c9.b20a.3f37
Oct  2 19:41:48 10.10.7.1 481: Oct  2 19:41:48.735: SSS INFO: Element type is Unauth-User = "84c9.b20a.3f37"
Oct  2 19:41:48 10.10.7.1 482: Oct  2 19:41:48.735: SSS INFO: Element type is Circuit-id = "0004001e0013"
Oct  2 19:41:48 10.10.7.1 483: Oct  2 19:41:48.735: SSS INFO: Element type is Remote-id = "0006340804c565e5"
Oct  2 19:41:48 10.10.7.1 484: Oct  2 19:41:48.735: SSS INFO: Element type is Vendor-Class-id = "udhcp 0.9.8"
Oct  2 19:41:48 10.10.7.1 485: Oct  2 19:41:48.735: SSS INFO: Element type is Restart = 1 (YES)
Oct  2 19:41:48 10.10.7.1 486: Oct  2 19:41:48.735: SSS INFO: Element type is Access-Type = 18 (DHCP)
Oct  2 19:41:48 10.10.7.1 487: Oct  2 19:41:48.735: SSS MGR [uid:11]: Sending a Session Assert ID Mgr request
Oct  2 19:41:48 10.10.7.1 488: Oct  2 19:41:48.735: SSS MGR [uid:11]: Updating ID Mgr with the following keys:
Oct  2 19:41:48 10.10.7.1 489:   aaa-unique-id        0   84 (0x54)
Oct  2 19:41:48 10.10.7.1 490:   clid-mac-addr        0   84 C9 B2 0A 3F 37
Oct  2 19:41:48 10.10.7.1 491:   username             0   "84c9.b20a.3f37"
Oct  2 19:41:48 10.10.7.1 492: Oct  2 19:41:48.735: SSS MGR [uid:11]: Updating ID Mgr with the following data- smgr hdl0x3700000B :
Oct  2 19:41:48 10.10.7.1 493:   circuit-id-tag       0   "0004001e0013"
Oct  2 19:41:48 10.10.7.1 494:   remote-id-tag        0   "0006340804c565e5"
Oct  2 19:41:48 10.10.7.1 495:   vendor-class-id-tag  0   "udhcp 0.9.8"
Oct  2 19:41:48 10.10.7.1 496: Oct  2 19:41:48.735: SSS MGR [uid:11]: ID Mgr returned status: 'success' for Session Assert
Oct  2 19:41:48 10.10.7.1 497: Oct  2 19:41:48.735: SSS MGR [uid:11]: Event client-service-request, state changed from wait-for-req to authorizing
Oct  2 19:41:48 10.10.7.1 498: Oct  2 19:41:48.735: SSS MGR [uid:11]: Handling Policy Service Authorize action (1 pending sessions)
Oct  2 19:41:48 10.10.7.1 499: Oct  2 19:41:48.735: SSS MGR [uid:11]: Got reply Need More Keys from PM
Oct  2 19:41:49 10.10.7.1 500: Oct  2 19:41:48.735: SSS MGR [uid:11]: Event policy-or-mgr-need-more-keys, state changed from authorizing to pm-needs-more-keys
Oct  2 19:41:49 10.10.7.1 501: Oct  2 19:41:48.735: SSS MGR [uid:11]: Handling Need More Keys action
Oct  2 19:41:49 10.10.7.1 502: Oct  2 19:41:48.735: SSS MGR [uid:11]: Use authen list "IPoE"



C7206-BRAS#sh sss ses
Codes: Lterm - Local Term, Fwd - forwarded, unauth - unathenticated, authen - authenticated, TC Ct. - Number of Traffic Classes on the main session

Current Subscriber Information: Total sessions 1
Uniq ID Interface    State    Service     Up-time  TC Ct. Identifier
11      DHCP         unauthen Attempting  00:03:07 0      84c9.b20a.3f37

C7206-BRAS#sh sss ses det
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: DHCP, UID: 11, State: unauthen, Identity: 84c9.b20a.3f37
Session Up-time: 00:03:34, Last Changed: 00:03:34
Switch-ID: 0

Policy information:
  Context 51639648: Handle 1B000017
  AAA_id 00000054: Flow_handle 0

  Authentication status: unauthen

  Rules, actions and conditions executed:
    subscriber rule-map ISG-RADIUS-PROFILES
      condition always event session-restart
        10 authorize aaa list IPoE identifier source-ip-address



7206 config:

aaa group server radius ISG-RADIUS-PROFILES
 server name UTM5-RADIUS
 ip radius source-interface Loopback1
!
aaa group server radius ISG-IPoE
 server name UTM5-RADIUS
 ip radius source-interface Loopback2
!
aaa group server radius ACC-IPoE
 server name UTM5-RADIUS
 ip radius source-interface Loopback2
!
aaa authentication login IPoE group ISG-IPoE
aaa authorization network IPoE group ISG-IPoE
aaa authorization subscriber-service default group ISG-RADIUS-PROFILES
aaa accounting update periodic 5
aaa accounting network IPoE start-stop group ACC-IPoE

aaa server radius dynamic-author
 client 10.10.4.2 server-key 7 secret
 auth-type all
 ignore session-key
 ignore server-key

ip dhcp relay information option
ip dhcp relay information policy keep
no ip dhcp relay information check
ip dhcp relay information trust-all
no ip dhcp use vrf connected

ip dhcp pool UTM5
 relay source 172.22.22.0 255.255.255.0
 relay destination 10.10.5.2

subscriber authorization enable

redirect server-group L4R
 server ip 10.10.10.1 port 80
!
class-map type control match-all ISG-IP-UNAUTH
 match timer UNAUTH-TIMER
 match authen-status unauthenticated

policy-map type control ISG-RADIUS-PROFILES
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event session-start
  10 authorize aaa list IPoE identifier source-ip-address
  20 service-policy type service name OG_SRV
  30 service-policy type service name L4R_SRV
  40 set-timer UNAUTH-TIMER 1
 !
 class type control always event session-restart
  10 authorize aaa list IPoE identifier source-ip-address
  20 service-policy type service name OG_SRV
  30 service-policy type service name L4R_SRV
  40 set-timer UNAUTH-TIMER 1

interface Loopback1
 description AAA_Profile
 ip address 10.10.1.1 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ntp disable
!
interface Loopback2
 description AAA_IPoE
 ip address 10.10.2.1 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ntp disable

interface Loopback11
 ip address 172.22.22.254 255.255.255.0
 no ip redirects
 no ip unreachables
 ntp disable

interface GigabitEthernet0/3.30
 description -=IPoE_Clients=-
 encapsulation dot1Q 30
 ip unnumbered Loopback11
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow monitor ISG-BRAS sampler ISG-BRAS input
 ip flow monitor ISG-BRAS sampler ISG-BRAS output
 service-policy type control ISG-RADIUS-PROFILES
 ip subscriber l2-connected
  initiator dhcp

radius-server attribute 44 include-in-access-req all
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute nas-port format d
radius-server attribute 61 extended
radius-server attribute 31 send nas-port-detail mac-only
radius-server attribute 31 remote-id
radius-server attribute nas-port-id include circuit-id plus remote-id plus vendor-class-id
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server UTM5-RADIUS
 address ipv4 10.10.4.2 auth-port 1812 acct-port 1813
 key 7 secret

It just refuses to authorize, no matter what. Tell me where to dig and I'll dig.

Oct 7 19:41:02 10.10.7.1 852: Oct 7 19:41:02.919: SSS PM [637790EC 63779230 63779554] [uid:6][67312424]: RULE: Evaluate "ISG-RADIUS-PROFILES" for session-restart
Oct 7 19:41:02 10.10.7.1 853: Oct 7 19:41:02.919: SSS PM [63778E24 637790EC 63779230] [uid:6][67312424]: RULE: Wrong type "ISG-RADIUS-PROFILES/ISG-IP-UNAUTH event timed-policy-expiry"
Oct 7 19:41:02 10.10.7.1 854: Oct 7 19:41:02.919: SSS PM [63778E24 637790EC 63779230] [uid:6][67312424]: RULE: Wrong type "ISG-RADIUS-PROFILES/always event session-start"
Oct 7 19:41:02 10.10.7.1 855: Oct 7 19:41:02.919: SSS PM [63778E24 637790EC 63779230] [uid:6][67312424]: RULE: Matched "ISG-RADIUS-PROFILES/always event session-restart"
Oct 7 19:41:02 10.10.7.1 856: Oct 7 19:41:02.923: SSS PM [637790EC 63779230 63779554] [uid:6][67312424]: RULE: Matched "ISG-RADIUS-PROFILES/always event session-restart/10 authorize aaa list IPoE identifier source-ip-address"
Oct 7 19:41:02 10.10.7.1 857: Oct 7 19:41:02.923: SSS PM [63777A94 63779A98 62156224] [uid:6][67312424]: RULE[0]: Start
Oct 7 19:41:02 10.10.7.1 858: Oct 7 19:41:02.923: SSS PM [63777ABC 63779A98 62156224] [uid:6][67312424]: RULE[0]: ISG-RADIUS-PROFILES/always event session-restart/10 authorize aaa list IPoE identifier source-ip-address
Oct 7 19:41:02 10.10.7.1 859: Oct 7 19:41:02.923: SSS PM [6377BC44 63777B28 63779A98] [uid:6][67312424]: RULE[0]: Using author method AAA service
Oct 7 19:41:02 10.10.7.1 860: Oct 7 19:41:02.923: SSS PM [6377A234 6377A3AC 6377BD34] [uid:6][67312424]: SIP [DHCP] can provide more keys
Oct 7 19:41:02 10.10.7.1 861: Oct 7 19:41:02.923: SSS PM [637785D0 6377A270 6377A3AC] [uid:6][67312424]: RULE[0]: Using AAA-Authen-Method-List IPoE
Oct 7 19:41:02 10.10.7.1 862: Oct 7 19:41:02.923: SSS PM [63779BB8 6377A350 6377A3AC] [uid:6][67312424]: RULE[0]: Need key source-ip-address
Oct 7 19:41:02 10.10.7.1 863: Oct 7 19:41:02.923: SSS PM [63777A94 63779A98 62156224] [uid:6][67312424]: RULE[1]: Start
Oct 7 19:41:02 10.10.7.1 864: Oct 7 19:41:02.923: SSS PM [63777ABC 63779A98 62156224] [uid:6][67312424]: RULE[1]: ISG-RADIUS-PROFILES/always event session-restart/10 authorize aaa list IPoE identifier source-ip-address
Oct 7 19:41:02 10.10.7.1 865: Oct 7 19:41:02.923: SSS PM [63777744 63777B28 63779A98] [uid:6][67312424]: Event <need keys>, State: initial-req to need-init-keys
Oct 7 19:41:02 10.10.7.1 866: Oct 7 19:41:02.923: SSS PM [63777744 63777B28 63779A98] [uid:6][67312424]: Policy reply - Need More Keys
Oct 7 19:41:02 10.10.7.1 867: Oct 7 19:41:02.923: SSS PM [6214F9D8 63777744 63777B28] [uid:6][67312424]: IDMGR: Need:
Oct 7 19:41:02 10.10.7.1 868: Oct 7 19:41:02.923: SSS PM [64BBBF38 6215F368 0] [uid:6][67312424]: Asking client for more keys
Oct 7 19:41:02 10.10.7.1 869: Oct 7 19:41:02.923: SSS PM [1 65364FAC 1] [uid:6][67312424]: Policy reply - Need More Keys
Oct 7 19:41:02 10.10.7.1 870: Oct 7 19:41:02.923: SSS MGR [63777B28 63779A98 62156224] [uid:6]: Got reply Need More Keys from PM
Oct 7 19:41:02 10.10.7.1 871: Oct 7 19:41:02.923: SSS MGR [63777B28 63779A98 62156224] [uid:6]: Event policy-or-mgr-need-more-keys, state changed from authorizing to pm-needs-more-keys
Oct 7 19:41:02 10.10.7.1 872: Oct 7 19:41:02.923: SSS MGR [63777744 63777B28 63779A98] [uid:6]: Handling Need More Keys action
Oct 7 19:41:03 10.10.7.1 873: Oct 7 19:41:02.927: SSS MGR [6213F81C 6213F9A4 62141804] [uid:6]: Use authen list "IPoE"

I don't understand what else is even needed...

3 REPLIES
New Member

With l2-connected you can't use identifier source-ip-address. You don't have an IP address yet. Use the MAC, or other parameters such as VLAN tags and so on )

New Member

You're wrong. Exactly this scheme is what worked.

New Member

Post the final config! :)

Oct  2 19:41:48 10.10.7.1 480: Oct  2 19:41:48.735: SSS INFO: Element type is Mac-Address = 84c9.b20a.3f37
Oct  2 19:41:48 10.10.7.1 481: Oct  2 19:41:48.735: SSS INFO: Element type is Unauth-User = "84c9.b20a.3f37"

and so on. There is no IP anywhere :-) and your initiator is DHCP :-)

With ip subscriber routed an IP address is possible.
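The replies above read the failure straight out of the debug: the DHCP-initiated, l2-connected session hands ISG a MAC address, circuit-id, remote-id and vendor-class-id, while the session-restart rule asks for the source-ip-address key, and the policy manager answers "Need More Keys" until it gets one. The script below is an added example, not code from the thread or from Cisco; it parses the "Element type is ..." and "Need key ..." lines of `debug sss` (the sample is constructed from the lines posted above, syslog prefix included) and reports which `identifier` keywords the session can actually satisfy. The element name it assumes an IP-initiated session would carry (Source-IP-Address) is an assumption, not something the posted debug shows; every other mapping uses element names that appear in the post.

```python
"""Match the identifier keys an ISG policy asks for against the keys the
session initiator actually supplied, using 'debug sss' output."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the debug lines from the thread above,
# copied with their syslog prefix so the parser runs offline on realistic input.
SAMPLE_DEBUG = """\
Oct  2 19:41:48 10.10.7.1 476: Oct  2 19:41:48.735: SSS INFO: Element type is AccIe-Hdl = 3288334347 (C400000B)
Oct  2 19:41:48 10.10.7.1 479: Oct  2 19:41:48.735: SSS INFO: Element type is Input Interface = "GigabitEthernet0/3.30"
Oct  2 19:41:48 10.10.7.1 480: Oct  2 19:41:48.735: SSS INFO: Element type is Mac-Address = 84c9.b20a.3f37
Oct  2 19:41:48 10.10.7.1 481: Oct  2 19:41:48.735: SSS INFO: Element type is Unauth-User = "84c9.b20a.3f37"
Oct  2 19:41:48 10.10.7.1 482: Oct  2 19:41:48.735: SSS INFO: Element type is Circuit-id = "0004001e0013"
Oct  2 19:41:48 10.10.7.1 483: Oct  2 19:41:48.735: SSS INFO: Element type is Remote-id = "0006340804c565e5"
Oct  2 19:41:48 10.10.7.1 484: Oct  2 19:41:48.735: SSS INFO: Element type is Vendor-Class-id = "udhcp 0.9.8"
Oct  2 19:41:48 10.10.7.1 486: Oct  2 19:41:48.735: SSS INFO: Element type is Access-Type = 18 (DHCP)
Oct  7 19:41:02 10.10.7.1 862: Oct  7 19:41:02.923: SSS PM [63779BB8 6377A350 6377A3AC] [uid:6][67312424]: RULE[0]: Need key source-ip-address
"""

# "Element type is <name> = <value>" (value may be quoted) and "RULE[n]: Need key <key>".
ELEMENT_RE = re.compile(r"SSS INFO: Element type is (.+?) = (.*?)\s*$")
NEED_KEY_RE = re.compile(r"RULE\[\d+\]: Need key (\S+)")

# Which debug element carries the value behind each 'authorize ... identifier' keyword.
# All names except Source-IP-Address are taken from the posted debug; that one is an
# ASSUMPTION about what an IP-initiated session would report and is absent here.
IDENTIFIER_SOURCES = {
    "mac-address": "Mac-Address",
    "circuit-id": "Circuit-id",
    "remote-id": "Remote-id",
    "vendor-class-id": "Vendor-Class-id",
    "unauthenticated-username": "Unauth-User",
    "source-ip-address": "Source-IP-Address",  # assumed element name
}


@dataclass
class Diagnosis:
    initiator: str | None              # e.g. "DHCP", from the Access-Type element
    needed: list[str]                  # keys the policy manager asked for
    available: set[str] = field(default_factory=set)   # identifier keywords satisfiable now
    unsatisfied: list[str] = field(default_factory=list)  # needed keys the session lacks


def parse_elements(debug_text: str) -> dict[str, str]:
    """Collect the session's key/value elements, with surrounding quotes removed."""
    elements: dict[str, str] = {}
    for line in debug_text.splitlines():
        m = ELEMENT_RE.search(line)
        if m:
            elements[m.group(1)] = m.group(2).strip('"')
    return elements


def needed_keys(debug_text: str) -> list[str]:
    """Keys the policy manager demanded, in order of first appearance."""
    seen: list[str] = []
    for m in NEED_KEY_RE.finditer(debug_text):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def available_identifiers(elements: dict[str, str]) -> set[str]:
    """Identifier keywords whose backing element is present with a non-empty value."""
    return {kw for kw, elem in IDENTIFIER_SOURCES.items() if elements.get(elem)}


def diagnose(debug_text: str) -> Diagnosis:
    elements = parse_elements(debug_text)
    m = re.search(r"\((\w+)\)", elements.get("Access-Type", ""))
    initiator = m.group(1) if m else None
    needed = needed_keys(debug_text)
    available = available_identifiers(elements)
    unsatisfied = [k for k in needed if k not in available]
    return Diagnosis(initiator, needed, available, unsatisfied)


if __name__ == "__main__":
    d = diagnose(SAMPLE_DEBUG)
    print(f"initiator:                 {d.initiator}")
    print(f"policy needs:              {d.needed}")
    print(f"keys the session offers:   {sorted(d.available)}")
    print(f"unsatisfiable identifiers: {d.unsatisfied}")
```

Run against the posted lines it reports DHCP as the initiator, source-ip-address as the only needed key, and mac-address, circuit-id, remote-id, vendor-class-id and unauthenticated-username as the identifiers the session could have satisfied; that is the same conclusion the first and third replies draw by eye. Fed a capture from a session that does carry an address, it would list source-ip-address as available only if the element name assumed above is right, so check that name against your own `debug sss` output before relying on it.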
