Netup Radius + ISG

Technical questions on UTM 5.0
Locked
TiRider
Posts: 568
Joined: Sat Jun 07, 2008 12:43

Netup Radius + ISG

Post by TiRider »

Hi all!

I can't beat this problem. Everything seems to be configured the way it should be https://drive.google.com/file/d/0B4dvaf ... BGdFU/view but the logs keep showing the same thing, unauthen.

Code:

Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S1, RELEASE SOFTWARE (fc1)
I tried versions s6 and s7. In s1 there is an identifier, but in s6 and s7 there isn't :\

Code:

Oct  2 19:41:48 10.10.7.1 474: Oct  2 19:41:48.735: SSS INFO: Element type is Protocol-Type = 4 (IP Access Protocol)
Oct  2 19:41:48 10.10.7.1 475: Oct  2 19:41:48.735: SSS INFO: Element type is Media-Type = 2 (IP)
Oct  2 19:41:48 10.10.7.1 476: Oct  2 19:41:48.735: SSS INFO: Element type is AccIe-Hdl = 3288334347 (C400000B)
Oct  2 19:41:48 10.10.7.1 477: Oct  2 19:41:48.735: SSS INFO: Element type is AAA-Id = 84 (00000054)
Oct  2 19:41:48 10.10.7.1 478: Oct  2 19:41:48.735: SSS INFO: Element type is SHDB-Handle = 0 (00000000)
Oct  2 19:41:48 10.10.7.1 479: Oct  2 19:41:48.735: SSS INFO: Element type is Input Interface = "GigabitEthernet0/3.30"
Oct  2 19:41:48 10.10.7.1 480: Oct  2 19:41:48.735: SSS INFO: Element type is Mac-Address = 84c9.b20a.3f37
Oct  2 19:41:48 10.10.7.1 481: Oct  2 19:41:48.735: SSS INFO: Element type is Unauth-User = "84c9.b20a.3f37"
Oct  2 19:41:48 10.10.7.1 482: Oct  2 19:41:48.735: SSS INFO: Element type is Circuit-id = "0004001e0013"
Oct  2 19:41:48 10.10.7.1 483: Oct  2 19:41:48.735: SSS INFO: Element type is Remote-id = "0006340804c565e5"
Oct  2 19:41:48 10.10.7.1 484: Oct  2 19:41:48.735: SSS INFO: Element type is Vendor-Class-id = "udhcp 0.9.8"
Oct  2 19:41:48 10.10.7.1 485: Oct  2 19:41:48.735: SSS INFO: Element type is Restart = 1 (YES)
Oct  2 19:41:48 10.10.7.1 486: Oct  2 19:41:48.735: SSS INFO: Element type is Access-Type = 18 (DHCP)
Oct  2 19:41:48 10.10.7.1 487: Oct  2 19:41:48.735: SSS MGR [uid:11]: Sending a Session Assert ID Mgr request
Oct  2 19:41:48 10.10.7.1 488: Oct  2 19:41:48.735: SSS MGR [uid:11]: Updating ID Mgr with the following keys:
Oct  2 19:41:48 10.10.7.1 489:   aaa-unique-id        0   84 (0x54)
Oct  2 19:41:48 10.10.7.1 490:   clid-mac-addr        0   84 C9 B2 0A 3F 37
Oct  2 19:41:48 10.10.7.1 491:   username             0   "84c9.b20a.3f37"
Oct  2 19:41:48 10.10.7.1 492: Oct  2 19:41:48.735: SSS MGR [uid:11]: Updating ID Mgr with the following data- smgr hdl0x3700000B :
Oct  2 19:41:48 10.10.7.1 493:   circuit-id-tag       0   "0004001e0013"
Oct  2 19:41:48 10.10.7.1 494:   remote-id-tag        0   "0006340804c565e5"
Oct  2 19:41:48 10.10.7.1 495:   vendor-class-id-tag  0   "udhcp 0.9.8"
Oct  2 19:41:48 10.10.7.1 496: Oct  2 19:41:48.735: SSS MGR [uid:11]: ID Mgr returned status: 'success' for Session Assert
Oct  2 19:41:48 10.10.7.1 497: Oct  2 19:41:48.735: SSS MGR [uid:11]: Event client-service-request, state changed from wait-for-req to authorizing
Oct  2 19:41:48 10.10.7.1 498: Oct  2 19:41:48.735: SSS MGR [uid:11]: Handling Policy Service Authorize action (1 pending sessions)
Oct  2 19:41:48 10.10.7.1 499: Oct  2 19:41:48.735: SSS MGR [uid:11]: Got reply Need More Keys from PM
Oct  2 19:41:49 10.10.7.1 500: Oct  2 19:41:48.735: SSS MGR [uid:11]: Event policy-or-mgr-need-more-keys, state changed from authorizing to pm-needs-more-keys
Oct  2 19:41:49 10.10.7.1 501: Oct  2 19:41:48.735: SSS MGR [uid:11]: Handling Need More Keys action
Oct  2 19:41:49 10.10.7.1 502: Oct  2 19:41:48.735: SSS MGR [uid:11]: Use authen list "IPoE"

Code:

C7206-BRAS#sh sss ses
Codes: Lterm - Local Term, Fwd - forwarded, unauth - unathenticated, authen -
authenticated, TC Ct. - Number of Traffic Classes on the main session

Current Subscriber Information: Total sessions 1
Uniq ID Interface    State    Service     Up-time  TC Ct. Identifier
11      DHCP         unauthen Attempting  00:03:07 0      84c9.b20a.3f37

Code:

C7206-BRAS#sh sss ses det
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: DHCP, UID: 11, State: unauthen, Identity: 84c9.b20a.3f37
Session Up-time: 00:03:34, Last Changed: 00:03:34
Switch-ID: 0

Policy information:
  Context 51639648: Handle 1B000017
  AAA_id 00000054: Flow_handle 0
  Authentication status: unauthen
  Rules, actions and conditions executed:
    subscriber rule-map ISG-RADIUS-PROFILES
      condition always event session-restart
        10 authorize aaa list IPoE identifier source-ip-address
7206 config

Code:

aaa group server radius ISG-RADIUS-PROFILES
 server name UTM5-RADIUS
 ip radius source-interface Loopback1
!
aaa group server radius ISG-IPoE
 server name UTM5-RADIUS
 ip radius source-interface Loopback2
!
aaa group server radius ACC-IPoE
 server name UTM5-RADIUS
 ip radius source-interface Loopback2
!
aaa authentication login IPoE group ISG-IPoE
aaa authorization network IPoE group ISG-IPoE
aaa authorization subscriber-service default group ISG-RADIUS-PROFILES
aaa accounting update periodic 5
aaa accounting network IPoE start-stop group ACC-IPoE

aaa server radius dynamic-author
 client 10.10.4.2 server-key 7 secret
 auth-type all
 ignore session-key
 ignore server-key

ip dhcp relay information option
ip dhcp relay information policy keep
no ip dhcp relay information check
ip dhcp relay information trust-all
no ip dhcp use vrf connected

ip dhcp pool UTM5
 relay source 172.22.22.0 255.255.255.0
 relay destination 10.10.5.2

subscriber authorization enable

redirect server-group L4R
 server ip 10.10.10.1 port 80
!
!
!
!
!
!
class-map type control match-all ISG-IP-UNAUTH
 match timer UNAUTH-TIMER
 match authen-status unauthenticated

policy-map type control ISG-RADIUS-PROFILES
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event session-start
  10 authorize aaa list IPoE identifier source-ip-address
  20 service-policy type service name OG_SRV
  30 service-policy type service name L4R_SRV
  40 set-timer UNAUTH-TIMER 1
 !
 class type control always event session-restart
  10 authorize aaa list IPoE identifier source-ip-address
  20 service-policy type service name OG_SRV
  30 service-policy type service name L4R_SRV
  40 set-timer UNAUTH-TIMER 1

interface Loopback1
 description AAA_Profile
 ip address 10.10.1.1 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ntp disable
!
interface Loopback2
 description AAA_IPoE
 ip address 10.10.2.1 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ntp disable

interface Loopback11
 ip address 172.22.22.254 255.255.255.0
 no ip redirects
 no ip unreachables
 ntp disable

interface GigabitEthernet0/3.30
 description -=IPoE_Clients=-
 encapsulation dot1Q 30
 ip unnumbered Loopback11
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow monitor ISG-BRAS sampler ISG-BRAS input
 ip flow monitor ISG-BRAS sampler ISG-BRAS output
 service-policy type control ISG-RADIUS-PROFILES
 ip subscriber l2-connected
  initiator dhcp

radius-server attribute 44 include-in-access-req all
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute nas-port format d
radius-server attribute 61 extended
radius-server attribute 31 send nas-port-detail mac-only
radius-server attribute 31 remote-id
radius-server attribute nas-port-id include circuit-id plus remote-id plus vendor-class-id
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server UTM5-RADIUS
 address ipv4 10.10.4.2 auth-port 1812 acct-port 1813
 key 7 secret
It just refuses to authorize. Tell me where to dig and I'll dig.


Post by TiRider »

Folks, any ideas? :?


Post by TiRider »

Is anyone willing to solve this issue for money?


Post by TiRider »

No utm5 radius authorization with the Cisco when sending Request-Start.

I checked it by testing: test aaa group radius server name UTM5-RADIUS user password port 1812 new-code count 1

Code:

Oct  8 23:30:02 10.10.7.1 3821: .Oct  8 23:30:02.251: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Oct  8 23:30:02 10.10.7.1 3822: .Oct  8 23:30:02.251: RADIUS/ENCODE: Skip encoding 0 length AAA attribute formatted-clid
Oct  8 23:30:02 10.10.7.1 3823: .Oct  8 23:30:02.251: RADIUS(00000000): Config NAS IP: 0.0.0.0
Oct  8 23:30:02 10.10.7.1 3824: .Oct  8 23:30:02.251: RADIUS(00000000): Config NAS IPv6: ::
Oct  8 23:30:02 10.10.7.1 3825: .Oct  8 23:30:02.251: RADIUS(00000000): Config NAS IP: 0.0.0.0
Oct  8 23:30:02 10.10.7.1 3826: .Oct  8 23:30:02.251: RADIUS(00000000): sending
Oct  8 23:30:02 10.10.7.1 3827: .Oct  8 23:30:02.251: RADIUS/DECODE(00000000): There is no General DB. Want server details may not be specified
Oct  8 23:30:02 10.10.7.1 3828: .Oct  8 23:30:02.251: RADIUS/ENCODE: Best Local IP-Address 10.10.4.1 for Radius-Server 10.10.4.2
Oct  8 23:30:02 10.10.7.1 3829: RADIUS/ENCODE: Nas-Identifier "C7206-BRAS"
Oct  8 23:30:02 10.10.7.1 3830: .Oct  8 23:30:02.251: RADIUS(00000000): Sending a IPv4 Radius Packet
Oct  8 23:30:02 10.10.7.1 3831: .Oct  8 23:30:02.251: RADIUS(00000000): Send Access-Request to 10.10.4.2:1812 id 1645/1,len 88
Oct  8 23:30:02 10.10.7.1 3832: .Oct  8 23:30:02.251: RADIUS:  authenticator 93 ED C5 D4 C4 6F 0C ED - 62 DB 7C 2A 3C 41 33 8F
Oct  8 23:30:02 10.10.7.1 3833: .Oct  8 23:30:02.251: RADIUS:  User-Password       [2]   18  *
Oct  8 23:30:02 10.10.7.1 3834: .Oct  8 23:30:02.251: RADIUS:  User-Name           [1]   9   "testmax"
Oct  8 23:30:02 10.10.7.1 3835: .Oct  8 23:30:02.251: RADIUS:  Service-Type        [6]   6   Login                     [1]
Oct  8 23:30:02 10.10.7.1 3836: .Oct  8 23:30:02.251: RADIUS:  NAS-IP-Address      [4]   6   10.10.4.1
Oct  8 23:30:02 10.10.7.1 3837: .Oct  8 23:30:02.251: RADIUS:  Nas-Identifier      [32]  23  "C7206-BRAS"
Oct  8 23:30:03 10.10.7.1 3838: .Oct  8 23:30:02.251: RADIUS:  Event-Timestamp     [55]  6   1475944202
Oct  8 23:30:03 10.10.7.1 3839: .Oct  8 23:30:02.251: RADIUS(00000000): Started 5 sec timeout
Oct  8 23:30:07 10.10.7.1 3840: .Oct  8 23:30:07.275: RADIUS(00000000): Request timed out!
Oct  8 23:30:07 10.10.7.1 3841: .Oct  8 23:30:07.275: RADIUS: Retransmit to (10.10.4.2:1812,1813) for id 1645/1
Oct  8 23:30:07 10.10.7.1 3842: .Oct  8 23:30:07.275: RADIUS:  authenticator 93 ED C5 D4 C4 6F 0C ED - 62 DB 7C 2A 3C 41 33 8F
Oct  8 23:30:07 10.10.7.1 3843: .Oct  8 23:30:07.275: RADIUS:  User-Password       [2]   18  *
Oct  8 23:30:07 10.10.7.1 3844: .Oct  8 23:30:07.275: RADIUS:  User-Name           [1]   9   "testmax"
Oct  8 23:30:07 10.10.7.1 3845: .Oct  8 23:30:07.275: RADIUS:  Service-Type        [6]   6   Login                     [1]
Oct  8 23:30:07 10.10.7.1 3846: .Oct  8 23:30:07.275: RADIUS:  NAS-IP-Address      [4]   6   10.10.4.1
Oct  8 23:30:07 10.10.7.1 3847: .Oct  8 23:30:07.275: RADIUS:  Nas-Identifier      [32]  23  "C7206-BRAS"
Oct  8 23:30:08 10.10.7.1 3848: .Oct  8 23:30:07.275: RADIUS:  Event-Timestamp     [55]  6   1475944202
Oct  8 23:30:08 10.10.7.1 3849: .Oct  8 23:30:07.275: RADIUS(00000000): Started 5 sec timeout
Oct  8 23:30:12 10.10.7.1 3850: .Oct  8 23:30:12.299: RADIUS(00000000): Request timed out!
dump

Code:

root@billing:~# tcpdump -i eth1.14
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1.14, link-type EN10MB (Ethernet), capture size 262144 bytes
23:51:03.330179 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x02 length: 85
23:51:08.353560 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x02 length: 85
23:51:13.377885 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x02 length: 85
23:51:18.401808 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x02 length: 85
23:51:23.442722 IP 10.10.4.1.sa-msg-port > 10.10.4.2.radius-acct: RADIUS, Accounting Request (4), id: 0x06 length: 103
23:51:28.466111 IP 10.10.4.1.sa-msg-port > 10.10.4.2.radius-acct: RADIUS, Accounting Request (4), id: 0x07 length: 103
23:51:33.490294 IP 10.10.4.1.sa-msg-port > 10.10.4.2.radius-acct: RADIUS, Accounting Request (4), id: 0x08 length: 103
23:51:38.514390 IP 10.10.4.1.sa-msg-port > 10.10.4.2.radius-acct: RADIUS, Accounting Request (4), id: 0x09 length: 103
But when you do clear sss ses all and the client re-authorizes, the dump shows nothing at all.

People, I need help!
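As an added example (not code from the thread or from NetUP), here is a small Python check that reads tcpdump summary lines like the ones in the post and lists RADIUS requests that never received a reply, which is exactly the pattern in the capture above (repeated Access-Requests with the same id and no Access-Accept/Reject). The sample dump is constructed, modelled on the post's capture, with one accounting exchange that does get answered so the check has a negative case.

```python
"""Flag RADIUS requests that never get a reply, from tcpdump one-liners."""
import re
from collections import defaultdict

# Constructed sample modelled on the thread's capture: three retransmits of
# Access-Request id 0x02 with no reply, and one Accounting-Request that is
# answered by an Accounting-Response (added so the check has a pass case).
SAMPLE_DUMP = """\
23:51:03.330179 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x02 length: 85
23:51:08.353560 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x02 length: 85
23:51:13.377885 IP 10.10.4.1.datametrics > 10.10.4.2.radius: RADIUS, Access Request (1), id: 0x02 length: 85
23:51:23.442722 IP 10.10.4.1.sa-msg-port > 10.10.4.2.radius-acct: RADIUS, Accounting Request (4), id: 0x06 length: 103
23:51:23.450000 IP 10.10.4.2.radius-acct > 10.10.4.1.sa-msg-port: RADIUS, Accounting Response (5), id: 0x06 length: 20
"""

# tcpdump prints "<ts> IP <src>.<port> > <dst>.<port>: RADIUS, <name> (<code>), id: 0x<id> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.\S+ > (?P<dst>[\d.]+)\.\S+: "
    r"RADIUS, (?P<kind>[A-Za-z -]+?) \((?P<code>\d+)\), id: 0x(?P<id>[0-9a-fA-F]+)"
)

# Request code -> codes that answer it (RFC 2865: Accept 2, Reject 3,
# Challenge 11; RFC 2866: Accounting-Response 5).
REPLY_CODES = {1: {2, 3, 11}, 4: {5}}


def unanswered_requests(dump_text):
    """Return {(nas, server, request_code, id): send_count} for requests
    that got no matching reply from the server. A high send_count with no
    reply means the NAS is retransmitting into silence, as in the thread."""
    sends = defaultdict(int)
    answered = set()
    for line in dump_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a RADIUS summary line
        code, rid = int(m["code"]), int(m["id"], 16)
        if code in REPLY_CODES:
            sends[(m["src"], m["dst"], code, rid)] += 1
        else:
            # A reply flows server -> NAS; key it as the request it answers.
            for req_code, replies in REPLY_CODES.items():
                if code in replies:
                    answered.add((m["dst"], m["src"], req_code, rid))
    return {k: n for k, n in sends.items() if k not in answered}


if __name__ == "__main__":
    for (nas, srv, code, rid), n in unanswered_requests(SAMPLE_DUMP).items():
        print(f"{nas} -> {srv}: code {code} id 0x{rid:02x} sent {n}x, no reply")
```

Run it against `tcpdump -i eth1.14 -n udp port 1812 or udp port 1813` output saved to a file; a request that keeps showing up with no reply points at the server side (daemon not listening, shared secret mismatch causing silent drops, or a NAS source address the server does not recognise) rather than at the ISG policy.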
