Сегодня столкнулся с такой вещью:
Человек подключается по pppoe, входит в сеть, интернет работает. В другом месте включается роутер, где соединение настроено на используемый логин и подключается к интернету. Если подключен только роутер, то подключение с рабочей станции по pppoe не происходит.
Полноценной работу не назовешь, не всегда страницы сразу открываются.
С другими логинами пока не проверял, но с этим ситуация воспроизводится.
Разве такое поведение нормально для UTM5? У нас 5.2.1-008 release.
Как с этим бороться?
Две сессии одновременно под одним логином
ок, покажите мне в конфиге(дефолтном) радиуса это волшебное значениеgtk писал(а): вы ошибаетесь.
Топик Стартер, скорее всего менял дефолтные значения в конфиге.
Код: Выделить всё
##
## /netup/utm5/radius5.cfg
## UTM5 RADIUS server configuration file
##
## =============================================================================
## MAIN RADIUS SERVER PARAMETERS
## =============================================================================
## core_host
## Description: IP address of a host running the utm5_core
## Possible values: an IP address
## Required field.
core_host=127.0.0.1
## core_port
## Description: UTM5 core listening port. Equal to stream_bind_port parameter
## in utm5.cfg.
## Possible values: an integer from 1 to 65534
## Required field.
core_port=12758
## radius_login
## Description: A system user login to access the UTM5 core.
## Possible values: <string>
## Default value: radius
## radius_password
## Description: A system user password to access the UTM5 core.
## Possible values: <string>
## Default value: radius
## radius_ssl_type
## Description: SSL connection type. If 'none' is set, the connection
## is unencrypted.
## Possible values: tls1, ssl3, none
## Default value: none
#radius_ssl_type=none
## radius_acct_host
## Description: IP address of the host receiving Accounting-Requests.
## Possible values: interface IP address or 0.0.0.0
## Default value: 0.0.0.0
## radius_acct_port
## Description: Port of the host receiving Accounting-Requests.
## Possible values: an integer from 1 to 65534
## Default value: 1813
## radius_auth_host
## Description: IP address of the host receiving Access-Requests.
## Possible values: interface IP address or 0.0.0.0
## Default value: 0.0.0.0
## radius_auth_port
## Description: Port of the host receiving Access-Requests.
## Possible values: an integer from 1 to 65534
## Default value: 1812
## radius_auth_mppe
## Description: Enables MPPE 128 bit key generation used for authorization
## via MS-CHAP-v2 protocol.
## Possible values: enable
## Default value: the keys are not generated
radius_auth_mppe=enable
## radius_auth_vap
## Description: If the value is set, authorization of blocked users, whose
## logins are set in IP traffic service link, is disallowed.
## Possible values: 1
## Default value: authorization is allowed
## radius_ippool_acct_timeout
## Description: A time interval during which the IP address is labeled as
## occupied after sending Access-Accept.
## Possible values: time in seconds
## Default value: 30
## radius_ippool_timeout
## Description: A time interval during which the IP address is labeled as
## occupied after receiving Accounting-Start.
## Possible values: time in seconds
## Default value: The address is labeled as occupied until coming of the
## Stop packet
## radius_auth_null
## Description: If enabled, the RADIUS server authorizes requests without
## User-Password(2) attribute, if the user's password, defined in the
## service link, is empty.
## Possible values: yes, enable
## Default value: authorization without a password is not performed
#radius_auth_null=yes
## radius_auth_h323_remote_address
## Description: If enabled, then telephone calls authentication is performed
## using h323-remote-address(9;23) attribute value, but not using
## User-Name(1) attribute. The attribute value is used as a login.
## Possible values: enable, on, yes
## Default value: replacement of login with h323-remote-address is not
## performed
## radius_nas_port_vpn
## Description: This parameter is checked against NAS-Port-Type(61) attribute
## value when connecting using the login specified in the IP traffic service
## link. Several values can be set.
## Possible values: a positive integer
## Default value: Checking against NAS-Port-Type for the IP traffic service
## link is not performed
## radius_nas_port_dialup
## Description: This parameter is checked against NAS-Port-Type(61) attribute
## value when connecting using the login specified in the Dial-up service
## link. Several values can be set.
## Possible values: a positive integer
## Default value: checking against NAS-Port-Type for the Dial-up service link
## is not performed
## radius_nas_port_tel
## Description: This parameter is checked against NAS-Port-Type(61) attribute
## value when connecting using the login specified in the Telephony service
## link. Several values can be set.
## Possible values: a positive integer
## Default value: checking against NAS-Port-Type for the Telephony service
## link is not performed
## radius_card_autoadd
## Description: If 'yes' is set, the automatic registration of users is
## enabled via the RADIUS server using prepaid cards. In this case in the
## Login field a user enters the card number and in the Password field - the
## PIN code. In case of the Telephony service, in the Login field it is
## entered the PIN code or its first part and the remainder is used as a
## password.
## Possible values: yes, on, enable
## Default value: automatic registration is not performed
radius_card_autoadd=yes
## send_xpgk_ep_number
## Description: If this option is enabled, for the Telephony service, when a
## user is being authorized, in Access-Accept it is transmitted the
## Cisco-AVPair(9;1) attribute with the value:
## xpgk-ep-number=<a semicolon separated list of telephone numbers>.
## Possible values: <any>
## Default value: telephone numbers are not transmitted in affirmative replies
## to authorization requests
## send_h323_ivr_in
## Description: If this option is enabled, for the Telephony service, when a
## user is being authorized, in Access-Accept it is transmitted the
## Cisco-AVPair(9;1) attribute with the value: h323-ivr-in=terminal-alias:
## <a semicolon separated list of telephone numbers>.
## Possible values: <any>
## Default value: telephone numbers are not transmitted in affirmative replies
## to authorization requests
## enable_fast_telephony
## Description: This option enables the rapid mechanism for determination of
## directions and zones when rating telephone calls. In this case templates
## for telephone directions must contain the digits from 0 to 9 and the
## symbols: ^ $ + )( |.
## Possible values: enable, yes
## Default value: the default mechanism for determination of zone/direction
## is used
## h323_origin_reject
## Description: Sets zero cost for Accounting-Requests in which the
## h323-call-origin(9;26) attribute equals the value of this parameter.
## Possible values: <string>
## Default value: unset
#h323_origin_reject=originate {answer|callback|etc}
## interim_update_interval
## Description: Enables session control mechanism using Interim-Update
## packets. The value is transmitted in the Acct-Interim-Interval(85)
## attribute of the Access-Accept packet.
## Possible values: time in seconds, more than 61
## Default value: the default session closure control mechanism is used
## radius_default_session_timeout
## Description: A value of the Session-Timeout(27) attribute transmitted in
## Access-Accept for the IP traffic service link.
## Possible values: a positive integer
## Default value: 86400
## radius_callback_avpair_enable
## Description: Enables transmission of the Cisco-AVPair(9;1) attribute with
## the value lcp:callback-dialstring=<callback number>, where
## <callback number> is the part of the login from the beginning to the
## ':'-symbol.
## Possible values: <any>
## Default value: unset
## radius_acct_rewrite_login_answer
## Description: If the value of the h323-call-origin(9;26) attribute is
## 'originate', then setting this parameter enables replacing of the login
## with the value of the h323-remote-address(9;23) attribute when processing
## Accounting-Request packets.
## Possible values: enable, on, true
## Default value: unset
## radius_acct_rewrite_login_originate
## Description: If the value of the h323-call-origin(9;26) attribute is
## 'answer', then setting this parameter enables replacing of the login with
## the value of the h323-remote-address(9;23) attribute when processing
## Accounting-Request packets.
## Possible values: enable, on, true
## Default value: unset
## =============================================================================
## LOGGING (valid if logfile rotation is enabled)
## =============================================================================
## log_level
## Description: Logging level.
## Possible values: 0, 1, 2, 3
## Default value: 1
## log_file_main
## Description: Main logfile path.
## Possible values: <filename>
## Default value: STDERR
log_file_main=/netup/utm5/log/radius.log
## log_file_debug
## Description: Debug logfile path.
## Possible values: <filename>
## Default value: STDERR
log_file_debug=/netup/utm5/log/radius.log
## log_file_critical
## Description: Critical logfile path.
## Possible values: <filename>
## Default value: STDERR
## rotate_logs
## Description: Enables rotation of logfiles.
## Possible values: yes, on, enable
## Default value: rotation is disabled
## max_logfile_size
## Description: Maximum logfile size. When logfile size reaches this limit,
## a rotation is performed.
## Possible values: a size in bytes
## Default value: 10485760
## max_logfile_count
## Description: Maximum number of logfiles to retain. Valid if logfile rotation
## is on.
## Default value: not limited
## guest_pool_name
## Description: named IP pool of guest users
## Possible values: pool name
## Default value: not set
## blocked_pool_name
## Description: named IP pool of blocked users
## Possible values: pool name
## Default value: not set
## auth_unknown_users
## Description: authorize unknown users as IP pool users and assign IP address from guest_pool_name
## if it's set
## Possible values: yes, on, enable
## Default value: disabled
В услуге коммутируемый доступ. Лимит одновременных сессий = 1.
на циске:
на циске:
Код: Выделить всё
bba-group pppoe <name>
virtual-template 1
mac-address <mac-cisco-router-subinterface>
sessions per-mac limit 1
sessions per-vlan limit 1500
sessions auto cleanup
!
radius-server attribute 31 mac format ietf (default)
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 77 include-in-access-req
## core_hostgtk писал(а):вы так и не показали свой конфиг радиуса.
## Description: IP address of a host running the utm5_core
## Possible values: an IP address
## Required field.
core_host=127.0.0.1
## core_port
## Description: UTM5 core listening port. Equal to stream_bind_port parameter
## in utm5.cfg.
## Possible values: an integer from 1 to 65534
## Required field.
core_port=12698
## radius_login
## Description: A system user login to access the UTM5 core.
## Possible values: <string>
## Default value: radius
radius_login=radius_login
radius_password=radius_password
## radius_password
## Description: A system user password to access the UTM5 core.
## Possible values: <string>
## Default value: radius
## radius_ssl_type
## Description: SSL connection type. If 'none' is set, the connection
## is unencrypted.
## Possible values: tls1, ssl3, none
## Default value: none
#radius_ssl_type=none
## radius_acct_host
## Description: IP address of the host receiving Accounting-Requests.
## Possible values: interface IP address or 0.0.0.0
## Default value: 0.0.0.0
## radius_acct_port
## Description: Port of the host receiving Accounting-Requests.
## Possible values: an integer from 1 to 65534
## Default value: 1813
## radius_auth_host
## Description: IP address of the host receiving Access-Requests.
## Possible values: interface IP address or 0.0.0.0
## Default value: 0.0.0.0
## radius_auth_port
## Description: Port of the host receiving Access-Requests.
## Possible values: an integer from 1 to 65534
## Default value: 1812
## radius_auth_mppe
## Description: Enables MPPE 128 bit key generation used for authorization
## via MS-CHAP-v2 protocol.
## Possible values: enable
## Default value: the keys are not generated
radius_auth_mppe=enable
## radius_auth_vap
## Description: If the value is set, authorization of blocked users, whose
## logins are set in IP traffic service link, is disallowed.
## Possible values: 1
## Default value: authorization is allowed
radius_auth_vap=1
## radius_ippool_acct_timeout
## Description: A time interval during which the IP address is labeled as
## occupied after sending Access-Accept.
## Possible values: time in seconds
## Default value: 30
## radius_ippool_timeout
## Description: A time interval during which the IP address is labeled as
## occupied after receiving Accounting-Start.
## Possible values: time in seconds
## Default value: The address is labeled as occupied until coming of the
## Stop packet
##radius_ippool_timeout=0
##radius_ippool_acct_timeout=0
radius_ippool_timeout=60
interim_update_interval=120
## radius_ippool_timeout=0
## radius_auth_null
## Description: If enabled, the RADIUS server authorizes requests without
## User-Password(2) attribute, if the user's password, defined in the
## service link, is empty.
## Possible values: yes, enable
## Default value: authorization without a password is not performed
#radius_auth_null=yes
## radius_auth_h323_remote_address
## Description: If enabled, then telephone calls authentication is performed
## using h323-remote-address(9;23) attribute value, but not using
## User-Name(1) attribute. The attribute value is used as a login.
## Possible values: enable, on, yes
## Default value: replacement of login with h323-remote-address is not
## performed
## radius_nas_port_vpn
## Description: This parameter is checked against NAS-Port-Type(61) attribute
## value when connecting using the login specified in the IP traffic service
## link. Several values can be set.
## Possible values: a positive integer
## Default value: Checking against NAS-Port-Type for the IP traffic service
## link is not performed
## radius_nas_port_dialup
## Description: This parameter is checked against NAS-Port-Type(61) attribute
## value when connecting using the login specified in the Dial-up service
## link. Several values can be set.
## Possible values: a positive integer
## Default value: checking against NAS-Port-Type for the Dial-up service link
## is not performed
## radius_nas_port_tel
## Description: This parameter is checked against NAS-Port-Type(61) attribute
## value when connecting using the login specified in the Telephony service
## link. Several values can be set.
## Possible values: a positive integer
## Default value: checking against NAS-Port-Type for the Telephony service
## link is not performed
## radius_card_autoadd
## Description: If 'yes' is set, the automatic registration of users is
## enabled via the RADIUS server using prepaid cards. In this case in the
## Login field a user enters the card number and in the Password field - the
## PIN code. In case of the Telephony service, in the Login field it is
## entered the PIN code or its first part and the remainder is used as a
## password.
## Possible values: yes, on, enable
## Default value: automatic registration is not performed
radius_card_autoadd=no
## send_xpgk_ep_number
## Description: If this option is enabled, for the Telephony service, when a
## user is being authorized, in Access-Accept it is transmitted the
## Cisco-AVPair(9;1) attribute with the value:
## xpgk-ep-number=<a semicolon separated list of telephone numbers>.
## Possible values: <any>
## Default value: telephone numbers are not transmitted in affirmative replies
## to authorization requests
## send_h323_ivr_in
## Description: If this option is enabled, for the Telephony service, when a
## user is being authorized, in Access-Accept it is transmitted the
## Cisco-AVPair(9;1) attribute with the value: h323-ivr-in=terminal-alias:
## <a semicolon separated list of telephone numbers>.
## Possible values: <any>
## Default value: telephone numbers are not transmitted in affirmative replies
## to authorization requests
## enable_fast_telephony
## Description: This option enables the rapid mechanism for determination of
## directions and zones when rating telephone calls. In this case templates
## for telephone directions must contain the digits from 0 to 9 and the
## symbols: ^ $ + )( |.
## Possible values: enable, yes
## Default value: the default mechanism for determination of zone/direction
## is used
## h323_origin_reject
## Description: Sets zero cost for Accounting-Requests in which the
## h323-call-origin(9;26) attribute equals the value of this parameter.
## Possible values: <string>
## Default value: unset
#h323_origin_reject=originate {answer|callback|etc}
## interim_update_interval
## Description: Enables session control mechanism using Interim-Update
## packets. The value is transmitted in the Acct-Interim-Interval(85)
## attribute of the Access-Accept packet.
## Possible values: time in seconds, more than 61
## Default value: the default session closure control mechanism is used
interim_update_interval=120
## radius_default_session_timeout
## Description: A value of the Session-Timeout(27) attribute transmitted in
## Access-Accept for the IP traffic service link.
## Possible values: a positive integer
## Default value: 86400
## radius_callback_avpair_enable
## Description: Enables transmission of the Cisco-AVPair(9;1) attribute with
## the value lcp:callback-dialstring=<callback number>, where
## <callback number> is the part of the login from the beginning to the
## ':'-symbol.
## Possible values: <any>
## Default value: unset
## radius_acct_rewrite_login_answer
## Description: If the value of the h323-call-origin(9;26) attribute is
## 'originate', then setting this parameter enables replacing of the login
## with the value of the h323-remote-address(9;23) attribute when processing
## Accounting-Request packets.
## Possible values: enable, on, true
## Default value: unset
## radius_acct_rewrite_login_originate
## Description: If the value of the h323-call-origin(9;26) attribute is
## 'answer', then setting this parameter enables replacing of the login with
## the value of the h323-remote-address(9;23) attribute when processing
## Accounting-Request packets.
## Possible values: enable, on, true
## Default value: unset