- Cisco Community
- Technology and Support
- Data Center and Cloud
- Server Networking
- csr 1000v,Radius AAA with Coa, captive portal redirection, and DHCP
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
csr 1000v,Radius AAA with Coa, captive portal redirection, and DHCP
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-29-2013 12:47 PM
Hi
I attached my full configuration used on CSR1000V to do AAA with an external radius server, external captive portal using COA. Also arhitecture attached.
Here is my inspiration link and scenario :
http://www.cisco.com/en/US/docs/ios/12_2sb/isg/coa/guide/isgcoa4.html
My COA work good, I used for testing radclient and changes the subscriber session from unauth to authenticated.
My issue is that the redirect to captive portal is not working and I don't know why?
show subsecriber policy all looks good also.
Can you please help me with my config?
Here are parts from my config also:
aaa new-model
!
!
aaa group server radius RAD-SRV-GRP
server 192.168.100.123 auth-port 1812 acct-port 1813
ip radius source-interface Loopback1
!
aaa authentication login RAD-ALL group RAD-SRV-GRP
aaa authorization network RAD-ALL group RAD-SRV-GRP
aaa authorization subscriber-service default local group RAD-SRV-GRP
aaa accounting network RAD-ALL
action-type start-stop
group RAD-SRV-GRP
!
!
!
!
!
aaa server radius dynamic-author
client 192.168.100.123
server-key cisco
port 3799
auth-type all
ignore session-key
ignore server-key
!
aaa session-id common
ip dhcp excluded-address 192.168.200.1
!
ip dhcp pool WiFi_DHCP_POOL1
network 192.168.200.0 255.255.255.0
dns-server 192.168.1.1
default-router 192.168.200.1
lease 0 0 30
class DHCP-WiFi-CL
!
!
ip dhcp class DHCP-WiFi-CL
subscriber service coa-rfc-compliant
subscriber service session-accounting
subscriber authorization enable
class-map type traffic match-any REDIRECT-MAP
match access-group input name REDIRECT-ACL-UP
!
class-map type traffic match-any INTERNET-MAP
match access-group input name INTERNET-ACL-UP
match access-group output name INTERNET-ACL-DW
!
class-map type traffic match-any OPENGARDEN-MAP
match access-group input name OPENGARDEN-ACL-UP
match access-group output name OPENGARDEN-ACL-DW
!
class-map type control match-all INIT-SESSION
match timer INIT-SESSION-TIMER
match authen-status unauthenticated
!
policy-map type service REDIRECT-SERV
class type traffic REDIRECT-MAP
redirect to ip 192.168.100.123 port 80
!
class type traffic default input
drop
!
!
policy-map type service OPENGARDEN-SERV
class type traffic OPENGARDEN-MAP
police input 1000000
police output 3000000
!
class type traffic default in-out
drop
!
!
policy-map type service INTERNET-SERV
class type traffic INTERNET-MAP
timeout idle 300
timeout absolute 3600
police input 5000000
police output 10000000
!
class type traffic default in-out
drop
!
!
policy-map type service PBHK-SERV
ip portbundle
!
policy-map type control WIFI-POL-1
class type control INIT-SESSION event timed-policy-expiry
10 service disconnect
!
class type control always event session-start
10 service-policy type service name PBHK-SERV
20 collect identifier mac-address
30 authorize aaa list RAD-ALL identifier mac-address
40 service-policy type service name REDIRECT-SERV
50 service-policy type service name OPENGARDEN-SERV
60 set-timer INIT-SESSION-TIMER 5
!
class type control always event account-logon
10 authenticate aaa list RAD-ALL
!
class type control always event service-start
10 service-policy type service unapply name PBHK-SERV
20 service-policy type service unapply name REDIRECT-SERV
30 service-policy type service unapply name OPENGARDEN-SERV
40 service-policy type service identifier service-name
!
class type control always event account-logoff
10 service disconnect delay 5
!
class type control always event service-stop
10 service-policy type service unapply identifier service-name
20 service-policy type service name PBHK-SERV
30 service-policy type service name REDIRECT-SERV
40 service-policy type service name OPENGARDEN-SERV
!
!
!
!
!
!
interface Loopback1
ip address 192.168.255.1 255.255.255.255
!
interface GigabitEthernet1
description "Internet_Interface"
ip address 192.168.1.28 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
description "AP_Interface"
ip address 192.168.200.1 255.255.255.0
negotiation auto
service-policy type control WIFI-POL-1
ip subscriber routed
initiator unclassified ip-address
initiator dhcp
!
interface GigabitEthernet3
description "Radius-Portal_Interface"
ip address 192.168.100.131 255.255.255.0
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 192.168.50.130 255.255.255.0
negotiation auto
!
!
virtual-service csr_mgmt
activate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip access-list extended INTERNET-ACL-DW
permit ip any 192.168.200.0 0.0.0.255
ip access-list extended INTERNET-ACL-UP
permit ip any 192.168.200.0 0.0.0.255
ip access-list extended OPENGARDEN-ACL-DW
permit ip host 192.168.100.123 any
permit udp any eq domain any
ip access-list extended OPENGARDEN-ACL-UP
permit udp any any eq domain
permit tcp any host 192.168.100.123
ip access-list extended REDIRECT-ACL-UP
deny ip any host 192.168.100.123
permit tcp any any eq www
permit tcp any any eq 8080
permit tcp any any eq 443
!
!
ip portbundle
match access-list 101
source Loopback1
!
access-list 101 permit tcp any host 192.168.100.123
!
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 31 send nas-port-detail mac-only
radius-server attribute 31 remote-id
radius-server host 192.168.100.123 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 5
radius-server timeout 10
radius-server key cisco
!
- Labels:
-
Server Networking
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-07-2013 02:44 AM
Hi luke;
According to your configuration and as i remember
the problem may be in your redirect command as follow
you configure redirect as
!
policy-map type service REDIRECT-SERV
class type traffic REDIRECT-MAP
redirect to ip 192.168.100.123 port 80
!
I suggest to replace
redirect to ip 192.168.100.123 port 80
with
redirect to group REDIRECT_SERVER_NAME
And in global configuration you add
redirect server-group REDIRECT_SERVER_NAME
server ip 192.168.100.123
Please Try and tell us ...
And tell me do you know the function of the follow commands and also why you use
As you didn't call them??!!!
!
class-map type control match-all INIT-SESSION
match timer INIT-SESSION-TIMER
match authen-status unauthenticated
!
BR
AbdelGalil
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-09-2013 12:54 PM
Hi AbdelGalil
I changed and used server group for redirect. Same thing.
class-map type control match-all INIT-SESSION
match timer INIT-SESSION-TIMER
match authen-status unauthenticated
Is used for Captive Portal to set the timer for unauthenticated users. Anyway I removed this but same behaviour.
This is the new full config
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service internal
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname CISCO-CSR1000v
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 ................
!
aaa new-model
!
!
aaa group server radius RAD-SRV-GROUP
server 192.168.100.123 auth-port 1812 acct-port 1813
ip radius source-interface Loopback1
!
aaa authentication login default none
aaa authentication login RAD-ALL group RAD-SRV-GROUP
aaa authorization network RAD-ALL group RAD-SRV-GROUP
aaa authorization subscriber-service default local group RAD-SRV-GROUP
aaa accounting delay-start
aaa accounting update periodic 5
aaa accounting network RAD-ALL
action-type start-stop
group RAD-SRV-GROUP
!
!
!
!
!
aaa server radius dynamic-author
client 192.168.100.123
server-key cisco
port 3799
auth-type all
ignore session-key
ignore server-key
!
aaa session-id common
no ip source-route
!
!
!
!
!
!
!
!
!
ip name-server 192.168.1.1
ip address-pool local
ip dhcp excluded-address 192.168.200.1
!
ip dhcp pool WiFi_DHCP_POOL1
network 192.168.200.0 255.255.255.0
dns-server 192.168.1.1
default-router 192.168.200.1
lease 0 0 30
class UNAUTH-DHCP
!
!
ip dhcp class UNAUTH-DHCP
!
!
!
!
!
!
!
!
!
subscriber service coa-rfc-compliant
subscriber authorization enable
service-policy type control WIFI-POL-1
multilink bundle-name authenticated
!
!
!
username root privilege 15 password 0 1 xxxxxxxxxx
!
redundancy
mode none
redirect server-group PORTAL-PAGE
server ip 192.168.2.123 port 80
!
!
!
!
ip tftp source-interface GigabitEthernet0
class-map type traffic match-any REDIRECT-MAP
match access-group output 197
match access-group input 197
!
class-map type traffic match-any OPENGARDEN-MAP
match access-group output 195
match access-group input 195
!
class-map type control match-all INIT-SESSION
match timer INIT-SESSION-TIMER
match authen-status unauthenticated
!
policy-map type service REDIRECT-SERV
ip access-group 197 in
ip access-group 197 out
1 class type traffic REDIRECT-MAP
redirect to group PORTAL-PAGE
!
class type traffic default input
drop
!
!
policy-map type service OPENGARDEN-SERV
class type traffic OPENGARDEN-MAP
police input 96000 1000 1500
police output 96000 1000 1500
!
class type traffic default in-out
drop
!
!
policy-map type service PBHK-SERV
service local
ip portbundle
!
policy-map type control WIFI-POL-1
class type control INIT-SESSION event timed-policy-expiry
10 service disconnect
!
class type control always event session-start
2 service-policy type service name PBHK-SERV
5 collect identifier mac-address
10 authorize aaa list RAD-ALL password cisco identifier mac-address
20 set-timer INIT-SESSION-TIMER 10
30 service-policy type service name REDIRECT-SERV
40 service-policy type service name OPENGARDEN-SERV
!
class type control always event account-logon
2 service-policy type service unapply name PBHK-SERV
10 authenticate aaa list RAD-ALL
20 service-policy type service unapply name REDIRECT-SERV
30 service-policy type service unapply name OPENGARDEN-SERV
!
class type control always event service-start
2 service-policy type service unapply name PBHK-SERV
10 service-policy type service unapply name REDIRECT-SERV
20 service-policy type service unapply name OPENGARDEN-SERV
30 service-policy type service identifier service-name
!
class type control always event account-logoff
10 service disconnect delay 5
!
class type control always event service-stop
1 service-policy type service unapply identifier service-name
10 service-policy type service unapply identifier service-name
12 service-policy type service unapply name PBHK-SERV
20 service-policy type service name REDIRECT-SERV
30 service-policy type service name OPENGARDEN-SERV
!
!
!
!
!
!
interface Loopback1
ip address 192.168.255.1 255.255.255.255
!
interface GigabitEthernet1
description "Internet_Interface"
ip address 192.168.1.253 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
description "AP_Interface"
ip address 192.168.200.1 255.255.255.0
negotiation auto
service-policy type control WIFI-POL-1
ip subscriber l2-connected
initiator unclassified mac-address
initiator dhcp
!
interface GigabitEthernet3
description "Radius-Portal_Interface"
ip address 192.168.100.131 255.255.255.0
negotiation auto
!
interface GigabitEthernet4
ip address 192.168.2.100 255.255.255.0
ip portbundle outside
negotiation auto
!
interface GigabitEthernet0
description "PORTAL"
vrf forwarding Mgmt-intf
ip address 192.168.50.130 255.255.255.0
negotiation auto
!
!
virtual-service csr_mgmt
activate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
ip portbundle
length 5
match access-list 101
source Loopback1
!
logging trap debugging
access-list 101 permit ip any any
access-list 195 permit ip any any
access-list 196 permit ip any any
access-list 197 permit tcp any any eq www
access-list 197 permit tcp any eq www any
access-list 197 deny ip any any
!
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 44 extend-with-addr
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 31 mac format unformatted
radius-server attribute 31 send nas-port-detail mac-only
radius-server attribute 31 remote-id
radius-server host 192.168.100.123 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 5
radius-server timeout 10
radius-server key cisco
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0
exec-timeout 30 0
transport input telnet
line vty 1
exec-timeout 30 0
length 0
transport input telnet
line vty 2 4
exec-timeout 30 0
transport input telnet
!
onep
!
end
LOG attached.
*Dec 6 20:56:56.917: SSS AAA AUTHOR [uid:172]: Root SIP DHCP
*Dec 6 20:56:56.917: SSS AAA AUTHOR [uid:172]: Enable IP parsing
*Dec 6 20:56:56.917: SSS AAA AUTHOR [uid:172]: Enable DHCP parsing
*Dec 6 20:56:56.917: SSS AAA AUTHOR [uid:172]: Enable IP-Interface parsing
*Dec 6 20:56:56.917: SSS PM [uid:172][7FAF8F61AAA8]: ACTIVE HANDLE[0]: Snapshot captured in Active context
*Dec 6 20:56:56.917: SSS PM [uid:172][7FAF8F61AAA8]: ACTIVE HANDLE[0]: Active context created
*Dec 6 20:56:56.917: SSS AAA AUTHOR [uid:172]: Event
*Dec 6 20:56:56.917: SSS AAA AUTHOR [uid:172]: Active key set to Apply-Service
*Dec 6 20:56:56.917: SSS AAA AUTHOR [uid:172]: Authorizing key OPENGARDEN-SERV
*Dec 6 20:56:56.917: SSS AAA AUTHOR [uid:172]: Set authorization profile type to service
*Dec 6 20:56:56.917: SSS AAA AUTHOR [uid:172]: AAA request sent for key OPENGARDEN-SERV
*Dec 6 20:56:56.917: SSS PM [uid:172][7FAF8F61AAA8]: RULE[1]: Downloading service "OPENGARDEN-SERV"
*Dec 6 20:56:56.917: SSS PM [uid:172][7FAF8F61AAA8]: RULE[2]: Continue
*Dec 6 20:56:56.917: SSS AAA AUTHOR [uid:172]: Received an AAA pass
Initial attr password 0
Initial attr username 0 "OPENGARDEN-SERV"
Initial attr traffic-class 0 "output access-group 195"
Initial attr traffic-class 0 "input access-group 195"
Initial attr ssg-service-info 0 "QU;96000;1000;1500;D;96000;1000;1500"
Initial attr traffic-class 0 "input default drop"
Initial attr traffic-class 0 "output default drop"
*Dec 6 20:56:56.917: SSS AAA AUTHOR [uid:172]: Could not parse AAA interim interval
*Dec 6 20:56:56.917: SSS PM: PARAMETERIZED-QoS: QOS parameters
*Dec 6 20:56:56.917: SSS PM [uid:172][7FAF8F61AAA8]: RULE: VRF Parsing routine:
password 0
username 0 "OPENGARDEN-SERV"
traffic-class 0 "output access-group 195"
traffic-class 0 "input access-group 195"
ssg-service-info 0 "QU;96000;1000;1500;D;96000;1000;1500"
traffic-class 0 "input default drop"
traffic-class 0 "output default drop"
*Dec 6 20:56:56.917: SSS PM: VPDN is not enabled
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: Set class ids: 484.485
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: Feature
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: SIP Root parser not installed
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: SIP IP-Interface parser not installed
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: SIP IP[2672EF0] parsed as Ignore
*Dec 6 20:56:56.918: IPSUB: Invalid magic 0xFADEDEAF in IP session 0x7FAF3761C8E8
*Dec 6 20:56:56.918: IPSUB-VRFSET: Entered allocate feature info
*Dec 6 20:56:56.918: IPSUB-VRFSET: Allocated sg vrfset info 0x7FAF37CB1160
*Dec 6 20:56:56.918: IPSUB-VRFSET: Freeing the sg vrfset info 0x7FAF37CB1160
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: SIP IP[2687F00] parsed as Ignore
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: SIP DHCP[2672EF0] parsed as Ignore
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: Event
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: No service authorization info found
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: Active Handle present - FE000189
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Attr list is NULL, apply config handle [0] not reset
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: ACTIVE HANDLE[0]: Snapshot reverted from Active context to policy context
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: Freeing Active Handle; SSS Policy Context Handle = 8500030F
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: ACTIVE HANDLE[989]: Released active handle
*Dec 6 20:56:56.918: SSS PM [7FAF8F619C68]: Create context 7FAF8F619C68
*Dec 6 20:56:56.918: SSS PM: PROFILE-DB: is profile "OPENGARDEN-SERV" in DB
*Dec 6 20:56:56.918: SSS PM: PROFILE-DB: Computed hash value = 1769598160
*Dec 6 20:56:56.918: SSS PM: PROFILE-DB: No, add new list
*Dec 6 20:56:56.918: SSS PM: PROFILE-DB: create "OPENGARDEN-SERV"
*Dec 6 20:56:56.918: SSS PM: PROFILE-DB: create "OPENGARDEN-SERV"/7FAF37CB32A8 hdl F1000358 ref 1
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: downloaded first version
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: SVM download for "OPENGARDEN-SERV" ok
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: [8500030F]: client download ok
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: [SVM-to-client-msg:8500030F] locked 0->1
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: [AAA-Download:7FAF37E758E8] unlocked 1->0
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: Event
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: Cancel request
*Dec 6 20:56:56.918: SSS PM [7FAF8F619C68]: Destroy context 7FAF8F619C68
*Dec 6 20:56:56.918: SSS PM: [PARAMETERIZED-QoS]: In removed_from_rbpl_ctx_temp_hold for policy handle[84000315
*Dec 6 20:56:56.918: SSS PM: [PARAMETERIZED-QoS]: No rabapol context created yet for handle [84000315], nothing to return
*Dec 6 20:56:56.918: CH-UTILS: Invalid command handle
*Dec 6 20:56:56.918: SSS PM [7FAF8F619C68]: PROFILE: destroy all config
*Dec 6 20:56:56.918: SSS PM [7FAF8F619C68]: SSS PM: destroy all user profile info from policy context
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: SVM service download success
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: download completed for "OPENGARDEN-SERV" version 1
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: alloc feature info
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: [SVM-Feature-Info:7FAF373D5C80] locked 0->1
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: has Policy info
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: [PM-Info:7FAF8F64DB40] locked 0->1
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: has Policy info
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: PROFILE: store profile "OPENGARDEN-SERV"
*Dec 6 20:56:56.918: SSS PM: PROFILE-DB: incremented ref "OPENGARDEN-SERV"/7FAF37CB32A8 hdl F1000358 ref 2
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: PROFILE: create 7FAF8F65A260, ref 1
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: populated client
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: [PM-Download:8500030F] unlocked 1->0
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: [SVM-to-client-msg:8500030F] unlocked 1->0
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE: VRF/Classname Check: session logging off or not VRF/Classname dependent
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Handling Author Not Found Event
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Feature info: 7FAF373D5CC0 Type: Service Config
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: : Config level: Service Profile
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: : IDB type: Sub-if or not required
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: : 16 bytes:
SSS PM [uid:172][7FAF8F61AAA8]: : Data: 000000 00 00 A3 00 01 46 00 00 .....f..
SSS PM [uid:172][7FAF8F61AAA8]: : Data: 000008 00 00 A7 00 03 10 00 00 ........
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Feature info: 7FAF373D5CA0 Type: Service Config
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: : Config level: Service Profile
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: : IDB type: Sub-if or not required
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: : 16 bytes:
SSS PM [uid:172][7FAF8F61AAA8]: : Data: 000000 00 00 94 00 01 47 00 00 .....g..
SSS PM [uid:172][7FAF8F61AAA8]: : Data: 000008 00 00 31 00 03 12 00 00 ..1.....
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Feature info: 7FAF373D5C80 Type: Service Config
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: : Config level: Service Profile
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: : IDB type: Sub-if or not required
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: : 16 bytes:
SSS PM [uid:172][7FAF8F61AAA8]: : Data: 000000 00 00 D2 00 01 48 00 00 .....h..
SSS PM [uid:172][7FAF8F61AAA8]: : Data: 000008 00 00 69 00 03 14 00 00 ..i.....
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Service starting
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: SERVICE [OPENGARDEN-SERV]: Parent 7FAF8F61AAA8 (same as session)
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: [PM-Service:7FAF37CB5378] locked 0->1
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Client block is NULL in get client block with handle 8500030F
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: SERVICE [OPENGARDEN-SERV]: Start-pending request: Ok
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Event
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Handling Next Authorization Check
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE[0]: Continue
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE[0]: WIFI-POL-1/always event session-start/40 service-policy type service name OPENGARDEN-SERV
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Client block is NULL in get client block with handle 8500030F
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE[0]: No more actions to run
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE[1]: Continue
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE[1]: WIFI-POL-1/always event session-start/40 service-policy type service name OPENGARDEN-SERV
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: State: check-auth-needed to initial-req
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE[1]: Using previously offered directive Local Terminate
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE[2]: Continue
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE[2]: WIFI-POL-1/always event session-start/40 service-policy type service name OPENGARDEN-SERV
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Client block is NULL in get client block with handle 8500030F
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Event
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Handling Service Direction
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Policy reply - Local Terminate
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Plumbing proposed by default, not FSP
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Policy reply - Local Terminate
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Plumbing proposed by default, not FSP
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Policy reply - Local Terminate
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Looking for a rule for event session-service-found
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Intf CloneSrc Gi2: service-rule any: WIFI-POL-1
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Evaluate "WIFI-POL-1" for session-service-found
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/INIT-SESSION event timed-policy-expiry"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event session-start"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event account-logon"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event service-start"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event account-logoff"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event service-stop"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: No match for "WIFI-POL-1"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Intf AccessIE Gi2: service-rule any: WIFI-POL-1
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Evaluate "WIFI-POL-1" for session-service-found
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/INIT-SESSION event timed-policy-expiry"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event session-start"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event account-logon"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event service-start"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event account-logoff"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event service-stop"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: No match for "WIFI-POL-1"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Intf InputI/f Gi2: service-rule any: WIFI-POL-1
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Evaluate "WIFI-POL-1" for session-service-found
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/INIT-SESSION event timed-policy-expiry"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event session-start"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event account-logon"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event service-start"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event account-logoff"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event service-stop"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: No match for "WIFI-POL-1"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Glob: service-rule any: WIFI-POL-1
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Evaluate "WIFI-POL-1" for session-service-found
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/INIT-SESSION event timed-policy-expiry"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event session-start"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event account-logon"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event service-start"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event account-logoff"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event service-stop"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: No match for "WIFI-POL-1"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: Plumbing proposed by default, not FSP
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: Policy reply - Local Terminate
*Dec 6 20:56:56.919: SSS MGR [uid:172]: Event policy-start-service, state changed from authorizing to connecting-service
*Dec 6 20:56:56.919: SSS MGR [uid:172]: Event policy-or-mgr-need-more-keys, state changed from connecting-service to sm-needs-more-keys
*Dec 6 20:56:58.923: IPSUB_DP: [Gi2:I:PROC:000c.2986.2791] Packet classified, results = 0x40
*Dec 6 20:56:58.923: IPSUB_DP: [Gi2:I:PROC:000c.2986.2791] Rx driver allowing IP routing
*Dec 6 20:56:58.923: Session found in sip common DB for mac 000c.2986.2791
*Dec 6 20:56:58.923: Session found in sip common DB for mac 000c.2986.2791
*Dec 6 20:56:58.923: IPSUB: IPSUB: Sent self message 0
*Dec 6 20:56:58.924: SSS MGR [uid:172]: Event client-got-more-keys, state changed from sm-needs-more-keys to connecting-service
*Dec 6 20:56:58.924: SSS MGR [uid:172]: Event service-connected, state changed from connecting-service to provisioning-client
*Dec 6 20:56:58.924: SSS MGR [uid:172]: Event client-updated, state changed from provisioning-client to installing-config
*Dec 6 20:56:58.924: SVM [A3000146/PBHK-SERV]: [FM-Bind:05000116] locked 0->1
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: SERVICE [PBHK-SERV]: Bind notify: Ok
*Dec 6 20:56:58.924: SVM [94000147/REDIRECT-SERV]: [FM-Bind:05000116] locked 0->1
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: SERVICE [REDIRECT-SERV]: Bind notify: Ok
*Dec 6 20:56:58.924: SVM [D2000148/OPENGARDEN-SERV]: [FM-Bind:05000116] locked 0->1
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: SERVICE [OPENGARDEN-SERV]: Bind notify: Ok
*Dec 6 20:56:58.924: SVM [A3000146/PBHK-SERV]: [SVM-Feature-Info:7FAF373D5CC0] unlocked 1->0
*Dec 6 20:56:58.924: SVM [94000147/REDIRECT-SERV]: [SVM-Feature-Info:7FAF373D5CA0] unlocked 1->0
*Dec 6 20:56:58.924: SVM [D2000148/OPENGARDEN-SERV]: [SVM-Feature-Info:7FAF373D5C80] unlocked 1->0
*Dec 6 20:56:58.924: SSS MGR [uid:172]: Event feature-success, state changed from installing-config to connected
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Username key not found in set domain key API
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Username key not found in set domain key API
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Client block is NULL in get client block with handle 8500030F
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Client block is NULL in get client block with handle 8500030F
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Updated key list:
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Protocol-Type = 4 (IP Access Protocol)
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Media-Type = 2 (IP)
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: SHDB-Handle = 0 (00000000)
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Input Interface = "GigabitEthernet2"
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: IP-Address = 192.168.200.37 (C0A8C825)
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: IP-Address-VRF = IP 192.168.200.37:0
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: source-ip-address = 7FAF37B3AF28
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Mac-Address = 000c.2986.2791
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Sign-Of-Life = 2 (00000002)
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Final = 1 (YES)
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: IP-Session-Handle = 3053453370 (B600003A)
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Access-Type = 15 (IP)
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Remote-id = "020a0000c0a8c80100000000"
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Vendor-Class-id = "MSFT 5.0"
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Converted-Session = 0 (NO)
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Authen-Status = 1 (Unauthenticated)
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Nasport = PPPoEoE: slot 0 adapter 0 port 0 IP 0.0.0.0 VPI 0 VCI 0 VLAN 0
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Session-Handle = 83886358 (05000116)
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: SM Policy invoke - Apply Config Success
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Access type IP: final key
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Apply config handle is INVALID;
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Per-user merge to the parent is not possible, thus ignored
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Child and parent context are same
*Dec 6 20:56:58.924: SSS PM: [PARAMETERIZED-QoS]: No rabapol context created yet for handle [8500030F], returning compatible
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Event
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Handling Apply Config; SUCCESS
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: session start done
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: SERVICE [OPENGARDEN-SERV]: Complete-Pending
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: service start
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: send event Service Assert
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: with service name "OPENGARDEN-SERV"
*Dec 6 20:56:58.924: SVM [D2000148/OPENGARDEN-SERV]: already downloaded; sharing
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: assert authen status "unauthen"
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: send event Service Update
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: with service name "OPENGARDEN-SERV"
*Dec 6 20:56:58.925: SVM [D2000148/OPENGARDEN-SERV]: already downloaded; sharing
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: update service
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: send event Service Update
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: with service name "OPENGARDEN-SERV"
*Dec 6 20:56:58.925: SVM [D2000148/OPENGARDEN-SERV]: already downloaded; sharing
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: SERVICE [OPENGARDEN-SERV]: Started
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: SERVICE [REDIRECT-SERV]: Complete-Pending
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: service start
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: send event Service Assert
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: with service name "REDIRECT-SERV"
*Dec 6 20:56:58.925: SVM [94000147/REDIRECT-SERV]: already downloaded; sharing
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: assert authen status "unauthen"
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: send event Service Update
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: with service name "REDIRECT-SERV"
*Dec 6 20:56:58.925: SVM [94000147/REDIRECT-SERV]: already downloaded; sharing
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: update service
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: send event Service Update
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: with service name "REDIRECT-SERV"
*Dec 6 20:56:58.925: SVM [94000147/REDIRECT-SERV]: already downloaded; sharing
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: SERVICE [REDIRECT-SERV]: Started
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: SERVICE [PBHK-SERV]: Complete-Pending
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: service start
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: send event Service Assert
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: with service name "PBHK-SERV"
*Dec 6 20:56:58.925: SVM [A3000146/PBHK-SERV]: already downloaded; sharing
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: assert authen status "unauthen"
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: send event Service Update
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: with service name "PBHK-SERV"
*Dec 6 20:56:58.925: SVM [A3000146/PBHK-SERV]: already downloaded; sharing
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: update service
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: send event Service Update
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: with service name "PBHK-SERV"
*Dec 6 20:56:58.925: SVM [A3000146/PBHK-SERV]: already downloaded; sharing
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: SERVICE [PBHK-SERV]: Started
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: no callback for callback north
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: Client block is NULL in get client block with handle 8500030F
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: Null client block; Can't update RP
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: Client block is NULL in get client block with handle 8500030F
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: No pending events to process
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: No pending eventst
*Dec 6 20:56:58.925: IPSUB-VRFSET: [uid:172] Entered allocate feature info
*Dec 6 20:56:58.925: IPSUB-VRFSET: [uid:172] Allocated sg vrfset info 0x7FAF37CB1160
*Dec 6 20:56:58.925: IPSUB-VRFSET: [uid:172] Applying SG VRFSET info
*Dec 6 20:56:58.925: IPSUB-VRFSET: [uid:172] Context not present, creating context
*Dec 6 20:56:58.925: IPSUB-VRFSET: [uid:172] Entered the sg vrfset context alloc
*Dec 6 20:56:58.925: IPSUB-VRFSET: [uid:172] Returning the sg vrfset context 0x7FAF37DFABE8
*Dec 6 20:56:58.925: IPSUB-VRFSET: [uid:172] Filling the context from vrfset_info
*Dec 6 20:56:58.925: IPSUB-VRFSET: [uid:172] SG VRFSET apply succeeded
*Dec 6 20:56:58.925: IPSUB-VRFSET: [uid:172] Freeing the sg vrfset info 0x7FAF37CB1160
*Dec 6 20:56:58.925: IPSUB-ROUTE: [uid:172] Checking whether routes to be inserted/removed: Context Present 0 context 0x0
*Dec 6 20:56:58.925: IPSUB-ROUTE: [uid:172] Context not present, creating context fixup reqd 1
*Dec 6 20:56:58.925: IPSUB-ROUTE: [uid:172] Entered the sg subrte context alloc
*Dec 6 20:56:58.925: IPSUB-ROUTE: [uid:172] Returning the sg subrte context 0x7FAF8F7CDED0
*Dec 6 20:56:58.925: IPSUB-ROUTE: [uid:172] Installed ARP entry [DFL]: 192.168.200.37
*Dec 6 20:56:58.926: IPSUB-ROUTE: [uid:172] Added Fib Prefix [DFL]: 192.168.200.37/255.255.255.255
*Dec 6 20:56:58.926: IPSUB-ROUTE: [uid:172] Route[DFL]: 192.168.200.37 idb 7FAF349BA7F8, Action: No Need to Add Route L2_con 1 msi 0
*Dec 6 20:56:58.926: IPSUB-ROUTE: [uid:172] Both IP addresses and VRF are same, no need to add route
*Dec 6 20:56:58.926: IPSUB_DP: [uid:0] Setup event for session (session hdl 0)
*Dec 6 20:56:58.926: IPSUB_DP: [uid:0] Insert new entry for mac 000c.2986.2791
*Dec 6 20:56:58.926: IPSUB_DP: [uid:172] Added upstream entry into the classifier
*Dec 6 20:56:58.926: IPSUB_DP: [uid:172] MAC = 000c.2986.2791
*Dec 6 20:56:58.926: IPSUB_DP: [uid:172] Added downstream entry into the classifier
*Dec 6 20:56:58.926: IPSUB_DP: [uid:172] VRF = DFL, IP = 192.168.200.37, MASK = 255.255.255.255
*Dec 6 20:56:58.926: IPSUB_DP: [uid:172] Session setup successful
*Dec 6 20:56:58.926: IPSUB_DP: [uid:172] Event setup-session, state changed from idle to established
*Dec 6 20:56:58.926: IPSUB_DP: [uid:172] Sent update msg to the control plane
*Dec 6 20:56:58.926: IPSUB_DP: [uid:172] Activate event for session
*Dec 6 20:56:58.926: IPSUB_DP: [uid:172] Event activate-session, state changed from established to connected
*Dec 6 20:56:58.926: Received Session UP event for mac 000c.2986.2791
*Dec 6 20:56:58.926: Session found in sip common DB for mac 000c.2986.2791
*Dec 6 20:56:58.926: Deleting mac 000c.2986.2791 from SIP common DB
*Dec 6 20:56:58.926: Deleted mac 000c.2986.2791 from SIP common DB
*Dec 6 20:56:59.005: IPSUB:
*Dec 6 20:56:59.005: arhrd 0x1 arpro 0x800 arhln 6 arpln 4 opcode 1 ipspro C0A8C825 iptpro C0A8C825
*Dec 6 20:56:59.005: IPSUB: ipshdw 000c.2986.2791 ipthdw 0000.0000.0000 is bcast 0 is zero add 1
*Dec 6 20:56:59.862: IPSUB:
*Dec 6 20:56:59.862: arhrd 0x1 arpro 0x800 arhln 6 arpln 4 opcode 1 ipspro C0A8C825 iptpro C0A8C825
*Dec 6 20:56:59.862: IPSUB: ipshdw 000c.2986.2791 ipthdw 0000.0000.0000 is bcast 0 is zero add 1
*Dec 6 20:57:00.862: IPSUB:
*Dec 6 20:57:00.862: arhrd 0x1 arpro 0x800 arhln 6 arpln 4 opcode 1 ipspro C0A8C825 iptpro C0A8C825
*Dec 6 20:57:00.862: IPSUB: ipshdw 000c.2986.2791 ipthdw 0000.0000.0000 is bcast 0 is zero add 1
*Dec 6 20:57:01.915: IPSUB:
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-09-2013 02:17 PM
Hello luke;
I hope you doing well.
Sorry for you i forget to request the all configuration.
I want you to check the follow:-
The port bundle should be the same between ISG and AAA
If you can ping the portal from the ISG.
And i found some conflict from cisco configuration guide.
ACL not configure in the redirect service but in the open garden
policy-map type service REDIRECT-SERV
no ip access-group 197 in
no ip access-group 197 out
Re-configure open garden by add ACL
policy-map type service OPENGARDEN-SERV
1 class type traffic ACL_TRAFFIC
end
conf t
class-map type traffic match-any ACL_TRAFFIC
match access-group output name ACL_TRAFFIC_OUT
match access-group input name ACL_TRAFFIC_IN
ip access-list extended ACL_TRAFFIC_OUT
permit ip any host 192.168.100.123
ip access-list extended ACL_TRAFFIC_IN
permit ip host 192.168.100.123 any
ping the portal again
Now it will work ISA.
Can you tell me why you using MAC & IP as identifier to the session ??!!
interface GigabitEthernet2
description "AP_Interface"
ip address 192.168.200.1 255.255.255.0
negotiation auto
service-policy type control WIFI-POL-1
ip subscriber l2-connected
initiator unclassified mac-address
initiator dhcp
Best Regards
AbdelGalil Farid
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-10-2013 02:13 AM
Hi,
I try to see why users are not redirected to portal.... Ping to portal works, all semms to be right.
Config changed but same issue with the redirect:
class-map type traffic match-any ACL_TRAFFIC
match access-group output name ACL_TRAFFIC_OUT
match access-group input name ACL_TRAFFIC_IN
!
class-map type traffic match-any OPENGARDEN-MAP
match access-group output 195
match access-group input 195
!
class-map type traffic match-any REDIRECT-MAP
match access-group output 197
match access-group input 197
!
class-map type control match-all INIT-SESSION
match timer INIT-SESSION-TIMER
match authen-status unauthenticated
!
policy-map type service REDIRECT-SERV
1 class type traffic ACL_TRAFFIC
redirect to group PORTAL-PAGE
!
class type traffic default input
drop
!
!
policy-map type service OPENGARDEN-SERV
class type traffic OPENGARDEN-MAP
police input 96000 1000 1500
police output 96000 1000 1500
!
class type traffic default in-out
drop
!
!
policy-map type service PBHK-SERV
service local
ip portbundle
!
policy-map type control WIFI-POL-1
class type control INIT-SESSION event timed-policy-expiry
10 service disconnect
!
class type control always event session-start
2 service-policy type service name PBHK-SERV
5 collect identifier mac-address
10 authorize aaa list CAR-ALL password cisco identifier mac-address
20 set-timer INIT-SESSION-TIMER 10
30 service-policy type service name REDIRECT-SERV
40 service-policy type service name OPENGARDEN-SERV
!
class type control always event account-logon
2 service-policy type service unapply name PBHK-SERV
10 authenticate aaa list CAR-ALL
20 service-policy type service unapply name REDIRECT-SERV
30 service-policy type service unapply name OPENGARDEN-SERV
!
class type control always event service-start
2 service-policy type service unapply name PBHK-SERV
10 service-policy type service unapply name REDIRECT-SERV
20 service-policy type service unapply name OPENGARDEN-SERV
30 service-policy type service identifier service-name
!
class type control always event account-logoff
10 service disconnect delay 5
!
class type control always event service-stop
1 service-policy type service unapply identifier service-name
10 service-policy type service unapply identifier service-name
12 service-policy type service unapply name PBHK-SERV
20 service-policy type service name REDIRECT-SERV
30 service-policy type service name OPENGARDEN-SERV
!
!
!
!
!
!
interface Loopback1
ip address 192.168.255.1 255.255.255.255
!
interface GigabitEthernet1
description "Internet_Interface"
ip address 192.168.1.253 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
description "AP_Interface"
ip address 192.168.200.1 255.255.255.0
ip portbundle outside
negotiation auto
service-policy type control WIFI-POL-1
ip subscriber l2-connected
initiator unclassified mac-address
initiator dhcp
!
interface GigabitEthernet3
description "Radius-Portal_Interface"
ip address 192.168.100.131 255.255.255.0
negotiation auto
!
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: DHCPv4, UID: 19, State: unauthen, Identity: 192.168.200.4
IPv4 Address: 192.168.200.4
Session Up-time: 00:02:28, Last Changed: 00:02:30
Switch-ID: 4148
Policy information:
Authentication status: unauthen
Active services associated with session:
name "OPENGARDEN-SERV", applied before account logon
name "REDIRECT-SERV", applied before account logon
name "PBHK-SERV", applied before account logon
Rules, actions and conditions executed:
subscriber rule-map WIFI-POL-1
condition always event session-start
2 service-policy type service name PBHK-SERV
5 collect identifier mac-address
10 authorize aaa list CAR-ALL identifier mac-address
20 set-timer INIT-SESSION-TIMER 10
30 service-policy type service name REDIRECT-SERV
40 service-policy type service name OPENGARDEN-SERV
Classifiers:
Class-id Dir Packets Bytes Pri. Definition
0 In 12 1152 0 Match Any
1 Out 0 0 0 Match Any
30 In 0 0 1 Match ACL ACL_TRAFFIC_IN
31 Out 0 0 1 Match ACL ACL_TRAFFIC_OUT
32 In 12 1152 0 Match ACL 195
33 Out 0 0 0 Match ACL 195
4294967294 In 0 0 - Drop
4294967295 Out 0 0 - Drop
Features:
L4 Redirect:
Class-id Rule cfg Definition Source
30 #1 SVC to group PORTAL-PAGE REDIRECT-SERV
Policing:
Class-id Dir Avg. Rate Normal Burst Excess Burst Source
32 In 96000 1000 1500 OPENGARDEN-SERV
33 Out 96000 1000 1500 OPENGARDEN-SERV
Portbundle Hostkey:
Class-id IP address Bundle Number Source
0 192.168.255.1 39 PBHK-SERV
Configuration Sources:
Type Active Time AAA Service ID Name
SVC 00:02:28 - REDIRECT-SERV
SVC 00:02:28 - OPENGARDEN-SERV
USR 00:02:28 - Peruser
SVC 00:02:28 - PBHK-SERV
INT 00:02:28 - GigabitEthernet2
Ping from win:
Pinging 192.168.100.123 with 32 bytes of data:
Reply from 192.168.100.123: bytes=32 time=1ms TTL=63
Reply from 192.168.100.123: bytes=32 time<1ms TTL=63
Reply from 192.168.100.123: bytes=32 time<1ms TTL=63
Reply from 192.168.100.123: bytes=32 time<1ms TTL=63
Ping from CISCO:
CISCO-CSR1000v#ping 192.168.100.123
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.123, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: DHCPv4, UID: 19, State: unauthen, Identity: 192.168.200.4
IPv4 Address: 192.168.200.4
Session Up-time: 00:05:57, Last Changed: 00:05:59
Switch-ID: 4148
Policy information:
Context 7F3800E968E8: Handle 4A00003D
AAA_id 00000026: Flow_handle 0
Authentication status: unauthen
Downloaded User profile, including services:
sss-service 0 6 [local-termination]
portbundle 0 "enable"
l4redirect 0 "redirect to group PORTAL-PAGE"
username 0 "OPENGARDEN-SERV"
traffic-class 0 "output access-group 195"
traffic-class 0 "input access-group 195"
ssg-service-info 0 "QU;96000;1000;1500;D;96000;1000;1500"
traffic-class 0 "input default drop"
traffic-class 0 "output default drop"
Config history for session (recent to oldest):
Access-type: DHCP Client: SM
Policy event: Service Selection Request (Service)
Profile name: OPENGARDEN-SERV, 3 references
password 0
username 0 "OPENGARDEN-SERV"
traffic-class 0 "output access-group 195"
traffic-class 0 "input access-group 195"
ssg-service-info 0 "QU;96000;1000;1500;D;96000;1000;1500"
traffic-class 0 "input default drop"
traffic-class 0 "output default drop"
Access-type: DHCP Client: SM
Policy event: Service Selection Request (Service)
Profile name: REDIRECT-SERV, 3 references
password 0
username 0 "REDIRECT-SERV"
traffic-class 0 "input default drop"
traffic-class 0 "output access-group name ACL_TRAFFIC_OUT priority 1"
traffic-class 0 "input access-group name ACL_TRAFFIC_IN priority 1"
l4redirect 0 "redirect to group PORTAL-PAGE"
Access-type: DHCP Client: SM
Policy event: Service Selection Request (Service)
Profile name: PBHK-SERV, 3 references
password 0
username 0 "PBHK-SERV"
sss-service 0 6 [local-termination]
portbundle 0 "enable"
Active services associated with session:
name "OPENGARDEN-SERV", applied before account logon
name "REDIRECT-SERV", applied before account logon
name "PBHK-SERV", applied before account logon
Rules, actions and conditions executed:
subscriber rule-map WIFI-POL-1
condition always event session-start
2 service-policy type service name PBHK-SERV
5 collect identifier mac-address
10 authorize aaa list CAR-ALL identifier mac-address
20 set-timer INIT-SESSION-TIMER 10
30 service-policy type service name REDIRECT-SERV
40 service-policy type service name OPENGARDEN-SERV
Classifiers:
Class-id Dir Packets Bytes Pri. Definition
0 In 12 1152 0 Match Any
1 Out 0 0 0 Match Any
30 In 0 0 1 Match ACL ACL_TRAFFIC_IN
31 Out 0 0 1 Match ACL ACL_TRAFFIC_OUT
32 In 12 1152 0 Match ACL 195
33 Out 0 0 0 Match ACL 195
4294967294 In 0 0 - Drop
4294967295 Out 0 0 - Drop
Features:
L4 Redirect:
Class-id Rule cfg Definition Source
30 #1 SVC to group PORTAL-PAGE REDIRECT-SERV
Policing:
Class-id Dir Avg. Rate Normal Burst Excess Burst Source
32 In 96000 1000 1500 OPENGARDEN-SERV
33 Out 96000 1000 1500 OPENGARDEN-SERV
Portbundle Hostkey:
Class-id IP address Bundle Number Source
0 192.168.255.1 39 PBHK-SERV
Configuration Sources:
Type Active Time AAA Service ID Name
SVC 00:05:57 - REDIRECT-SERV
SVC 00:05:57 - OPENGARDEN-SERV
USR 00:05:57 - Peruser
SVC 00:05:57 - PBHK-SERV
INT 00:05:57 - GigabitEthernet2
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-09-2014 08:48 PM
You are missing ip portbundle outside command on your upstream interfaces pointing towards the captive portal
This command (common configuration error) is required if you are using PBHK.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:
