I can't beat this problem. Everything seems to be configured as it should be https://drive.google.com/file/d/0B4dvaf ... BGdFU/view but the logs keep showing the same thing: unauthen.
Code:
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S1, RELEASE SOFTWARE (fc1)
Code:
Oct 2 19:41:48 10.10.7.1 474: Oct 2 19:41:48.735: SSS INFO: Element type is Protocol-Type = 4 (IP Access Protocol)
Oct 2 19:41:48 10.10.7.1 475: Oct 2 19:41:48.735: SSS INFO: Element type is Media-Type = 2 (IP)
Oct 2 19:41:48 10.10.7.1 476: Oct 2 19:41:48.735: SSS INFO: Element type is AccIe-Hdl = 3288334347 (C400000B)
Oct 2 19:41:48 10.10.7.1 477: Oct 2 19:41:48.735: SSS INFO: Element type is AAA-Id = 84 (00000054)
Oct 2 19:41:48 10.10.7.1 478: Oct 2 19:41:48.735: SSS INFO: Element type is SHDB-Handle = 0 (00000000)
Oct 2 19:41:48 10.10.7.1 479: Oct 2 19:41:48.735: SSS INFO: Element type is Input Interface = "GigabitEthernet0/3.30"
Oct 2 19:41:48 10.10.7.1 480: Oct 2 19:41:48.735: SSS INFO: Element type is Mac-Address = 84c9.b20a.3f37
Oct 2 19:41:48 10.10.7.1 481: Oct 2 19:41:48.735: SSS INFO: Element type is Unauth-User = "84c9.b20a.3f37"
Oct 2 19:41:48 10.10.7.1 482: Oct 2 19:41:48.735: SSS INFO: Element type is Circuit-id = "0004001e0013"
Oct 2 19:41:48 10.10.7.1 483: Oct 2 19:41:48.735: SSS INFO: Element type is Remote-id = "0006340804c565e5"
Oct 2 19:41:48 10.10.7.1 484: Oct 2 19:41:48.735: SSS INFO: Element type is Vendor-Class-id = "udhcp 0.9.8"
Oct 2 19:41:48 10.10.7.1 485: Oct 2 19:41:48.735: SSS INFO: Element type is Restart = 1 (YES)
Oct 2 19:41:48 10.10.7.1 486: Oct 2 19:41:48.735: SSS INFO: Element type is Access-Type = 18 (DHCP)
Oct 2 19:41:48 10.10.7.1 487: Oct 2 19:41:48.735: SSS MGR [uid:11]: Sending a Session Assert ID Mgr request
Oct 2 19:41:48 10.10.7.1 488: Oct 2 19:41:48.735: SSS MGR [uid:11]: Updating ID Mgr with the following keys:
Oct 2 19:41:48 10.10.7.1 489: aaa-unique-id 0 84 (0x54)
Oct 2 19:41:48 10.10.7.1 490: clid-mac-addr 0 84 C9 B2 0A 3F 37
Oct 2 19:41:48 10.10.7.1 491: username 0 "84c9.b20a.3f37"
Oct 2 19:41:48 10.10.7.1 492: Oct 2 19:41:48.735: SSS MGR [uid:11]: Updating ID Mgr with the following data- smgr hdl0x3700000B :
Oct 2 19:41:48 10.10.7.1 493: circuit-id-tag 0 "0004001e0013"
Oct 2 19:41:48 10.10.7.1 494: remote-id-tag 0 "0006340804c565e5"
Oct 2 19:41:48 10.10.7.1 495: vendor-class-id-tag 0 "udhcp 0.9.8"
Oct 2 19:41:48 10.10.7.1 496: Oct 2 19:41:48.735: SSS MGR [uid:11]: ID Mgr returned status: 'success' for Session Assert
Oct 2 19:41:48 10.10.7.1 497: Oct 2 19:41:48.735: SSS MGR [uid:11]: Event client-service-request, state changed from wait-for-req to authorizing
Oct 2 19:41:48 10.10.7.1 498: Oct 2 19:41:48.735: SSS MGR [uid:11]: Handling Policy Service Authorize action (1 pending sessions)
Oct 2 19:41:48 10.10.7.1 499: Oct 2 19:41:48.735: SSS MGR [uid:11]: Got reply Need More Keys from PM
Oct 2 19:41:49 10.10.7.1 500: Oct 2 19:41:48.735: SSS MGR [uid:11]: Event policy-or-mgr-need-more-keys, state changed from authorizing to pm-needs-more-keys
Oct 2 19:41:49 10.10.7.1 501: Oct 2 19:41:48.735: SSS MGR [uid:11]: Handling Need More Keys action
Oct 2 19:41:49 10.10.7.1 502: Oct 2 19:41:48.735: SSS MGR [uid:11]: Use authen list "IPoE"
Code:
C7206-BRAS#sh sss ses
Codes: Lterm - Local Term, Fwd - forwarded, unauth - unathenticated, authen -
authenticated, TC Ct. - Number of Traffic Classes on the main session
Current Subscriber Information: Total sessions 1
Uniq ID Interface State Service Up-time TC Ct. Identifier
11 DHCP unauthen Attempting 00:03:07 0 84c9.b20a.3f37
Code:
C7206-BRAS#sh sss ses det
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: DHCP, UID: 11, State: unauthen, Identity: 84c9.b20a.3f37
Session Up-time: 00:03:34, Last Changed: 00:03:34
Switch-ID: 0
Policy information:
Context 51639648: Handle 1B000017
AAA_id 00000054: Flow_handle 0
Authentication status: unauthen
Rules, actions and conditions executed:
subscriber rule-map ISG-RADIUS-PROFILES
condition always event session-restart
10 authorize aaa list IPoE identifier source-ip-address
Code:
aaa group server radius ISG-RADIUS-PROFILES
 server name UTM5-RADIUS
 ip radius source-interface Loopback1
!
aaa group server radius ISG-IPoE
 server name UTM5-RADIUS
 ip radius source-interface Loopback2
!
aaa group server radius ACC-IPoE
 server name UTM5-RADIUS
 ip radius source-interface Loopback2
!
aaa authentication login IPoE group ISG-IPoE
aaa authorization network IPoE group ISG-IPoE
aaa authorization subscriber-service default group ISG-RADIUS-PROFILES
aaa accounting update periodic 5
aaa accounting network IPoE start-stop group ACC-IPoE
aaa server radius dynamic-author
 client 10.10.4.2 server-key 7 secret
 auth-type all
 ignore session-key
 ignore server-key
ip dhcp relay information option
ip dhcp relay information policy keep
no ip dhcp relay information check
ip dhcp relay information trust-all
no ip dhcp use vrf connected
ip dhcp pool UTM5
 relay source 172.22.22.0 255.255.255.0
 relay destination 10.10.5.2
subscriber authorization enable
redirect server-group L4R
 server ip 10.10.10.1 port 80
!
!
!
!
!
!
class-map type control match-all ISG-IP-UNAUTH
 match timer UNAUTH-TIMER
 match authen-status unauthenticated
policy-map type control ISG-RADIUS-PROFILES
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event session-start
  10 authorize aaa list IPoE identifier source-ip-address
  20 service-policy type service name OG_SRV
  30 service-policy type service name L4R_SRV
  40 set-timer UNAUTH-TIMER 1
 !
 class type control always event session-restart
  10 authorize aaa list IPoE identifier source-ip-address
  20 service-policy type service name OG_SRV
  30 service-policy type service name L4R_SRV
  40 set-timer UNAUTH-TIMER 1
interface Loopback1
 description AAA_Profile
 ip address 10.10.1.1 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ntp disable
!
interface Loopback2
 description AAA_IPoE
 ip address 10.10.2.1 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ntp disable
interface Loopback11
 ip address 172.22.22.254 255.255.255.0
 no ip redirects
 no ip unreachables
 ntp disable
interface GigabitEthernet0/3.30
 description -=IPoE_Clients=-
 encapsulation dot1Q 30
 ip unnumbered Loopback11
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow monitor ISG-BRAS sampler ISG-BRAS input
 ip flow monitor ISG-BRAS sampler ISG-BRAS output
 service-policy type control ISG-RADIUS-PROFILES
 ip subscriber l2-connected
  initiator dhcp
radius-server attribute 44 include-in-access-req all
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute nas-port format d
radius-server attribute 61 extended
radius-server attribute 31 send nas-port-detail mac-only
radius-server attribute 31 remote-id
radius-server attribute nas-port-id include circuit-id plus remote-id plus vendor-class-id
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server UTM5-RADIUS
 address ipv4 10.10.4.2 auth-port 1812 acct-port 1813
 key 7 secret
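
Added example, not part of the original post: a short Python parser for the SSS debug syslog lines above that follows each session's state changes and lists the keys handed to ID Mgr, so a session whose last logged state is pm-needs-more-keys stands out together with the keys it actually had. The function names are hypothetical, and the sample is a constructed subset of the lines from the post.

```python
import re

# Constructed sample: a subset of the debug lines quoted in the post above.
SAMPLE = """\
Oct 2 19:41:48 10.10.7.1 488: Oct 2 19:41:48.735: SSS MGR [uid:11]: Updating ID Mgr with the following keys:
Oct 2 19:41:48 10.10.7.1 489: aaa-unique-id 0 84 (0x54)
Oct 2 19:41:48 10.10.7.1 490: clid-mac-addr 0 84 C9 B2 0A 3F 37
Oct 2 19:41:48 10.10.7.1 491: username 0 "84c9.b20a.3f37"
Oct 2 19:41:48 10.10.7.1 497: Oct 2 19:41:48.735: SSS MGR [uid:11]: Event client-service-request, state changed from wait-for-req to authorizing
Oct 2 19:41:49 10.10.7.1 500: Oct 2 19:41:48.735: SSS MGR [uid:11]: Event policy-or-mgr-need-more-keys, state changed from authorizing to pm-needs-more-keys
Oct 2 19:41:49 10.10.7.1 502: Oct 2 19:41:48.735: SSS MGR [uid:11]: Use authen list "IPoE"
"""

# Syslog header, then the router's own timestamp when the line carries one.
PREFIX = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ \d+: (?:\w{3} +\d+ [\d:.]+: )?")
MGR = re.compile(r"^SSS MGR \[uid:(\d+)\]: (.*)$")
STATE = re.compile(r"state changed from (\S+) to (\S+)")
AUTHEN = re.compile(r'Use authen list "([^"]+)"')

def trace_sessions(text):
    """Return {uid: {'keys': [...], 'states': [...], 'authen_list': str|None}}."""
    sessions, uid, in_keys = {}, None, False
    for raw in text.splitlines():
        body = PREFIX.sub("", raw.strip())
        m = MGR.match(body)
        if m:
            uid, msg = int(m.group(1)), m.group(2)
            s = sessions.setdefault(uid, {"keys": [], "states": [], "authen_list": None})
            in_keys = msg.endswith("following keys:")
            if (t := STATE.search(msg)):
                s["states"].append(t.group(2))
            if (a := AUTHEN.search(msg)):
                s["authen_list"] = a.group(1)
        elif body.startswith("SSS "):
            in_keys = False  # other SSS lines (e.g. SSS INFO) end a key list
        elif in_keys and uid is not None and body:
            sessions[uid]["keys"].append(body.split()[0])  # "<key> <flag> <value>"
    return sessions

def waiting_for_keys(sessions):
    """UIDs whose last logged state is pm-needs-more-keys."""
    return [u for u, s in sessions.items()
            if s["states"] and s["states"][-1] == "pm-needs-more-keys"]

if __name__ == "__main__":
    traced = trace_sessions(SAMPLE)
    for u in waiting_for_keys(traced):
        print(u, traced[u]["keys"], traced[u]["authen_list"])
```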