Greetings, colleagues.
I've run into a problem on a test bench: I'm trying to get a subscriber session started via DHCP and have services attached to it.
For this I set up an ISC DHCP server + FreeRADIUS (on the same server, IP 172.16.0.11). Option 82 is inserted by a D-Link DES-3200 with dhcp_local_relay enabled.
CSR config:
!
! Last configuration change at 13:18:36 UTC Mon Apr 18 2016 by cisco
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname ASR-1000-test
!
boot-start-marker
boot-end-marker
!
!
enable password cisco
!
aaa new-model
!
!
aaa group server radius ipoe-radius
server 172.16.0.11 auth-port 1812 acct-port 1813
!
aaa authentication login ISG-AUTH group ipoe-radius
aaa authorization network ISG-AUTH group ipoe-radius
aaa authorization subscriber-service default local group ipoe-radius
aaa accounting update newinfo periodic 30
aaa accounting network ISG-AUTH
action-type start-stop
group ipoe-radius
!
aaa accounting network ipoe-radius
action-type start-stop
group ipoe-radius
!
!
!
!
!
aaa server radius dynamic-author
client 172.16.0.11 server-key testing123
auth-type any
!
aaa session-id common
!
!
!
!
!
!
!
ip domain name test.local
ip dhcp relay information policy keep
no ip dhcp relay information check
ip dhcp relay information trust-all
!
!
!
!
!
!
!
!
!
!
subscriber service multiple-accept
subscriber templating
subscriber authorization enable
service-policy type control ISG-CUSTOMER-POLICY
multilink bundle-name authenticated
!
!
license udi pid CSR1000V sn 9VYTLL9KKJA
!
username cisco privilege 15 password 0 cisco
!
redundancy
mode none
!
!
!
class-map type traffic match-any Internet
match access-group output name Any-Traf
match access-group input name Any-Traf
!
policy-map type service Unlim-Test-1M
class type traffic Internet
police input 1000000 187500 375000
police output 1000000 187500 375000
!
!
policy-map type control CUSTOMERS-POLICY
class type control always event session-start
10 authorize aaa password TEST identifier remote-id plus circuit-id
!
!
!
!
!
!
interface Loopback2
ip address 10.10.8.1 255.255.248.0
!
interface GigabitEthernet1
ip address 172.16.0.10 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
mtu 9216
ip dhcp relay information trusted
no ip address
negotiation auto
!
interface GigabitEthernet2.3999
encapsulation dot1Q 3999
ip address 172.16.255.1 255.255.255.0
!
interface GigabitEthernet2.4000
encapsulation dot1Q 4000 second-dot1q 1-1000
ip unnumbered Loopback2
ip helper-address 172.16.0.11
service-policy type control CUSTOMERS-POLICY
ip subscriber l2-connected
initiator dhcp
!
router ospf 1
redistribute connected subnets
network 172.16.0.0 0.0.0.255 area 0
!
!
virtual-service csr_mgmt
!
ip forward-protocol nd
ip forward-protocol udp bootpc
!
no ip http server
no ip http secure-server
!
ip access-list extended Any-Traf
permit ip any any
!
!
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 44 extend-with-addr
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 31 mac format unformatted
radius-server host 172.16.0.11 auth-port 1812 acct-port 1813 key testing123
radius-server vsa send cisco-nas-port
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport input ssh
!
!
end
As a result, the following request arrives at RADIUS:
Mon Apr 18 13:43:57 2016
Packet-Type = Access-Request
User-Name = "010b582d414b2d35365f315f35:00040fa00001"
NAS-Port-Type = Virtual
Cisco-NAS-Port = "0/0/0/1.4000"
NAS-Port = 0
NAS-Port-Id = "0/0/0/1.4000"
Cisco-AVPair = "circuit-id-tag=00040fa00001"
Cisco-AVPair = "remote-id-tag=010b582d414b2d35365f315f35"
Service-Type = Outbound-User
NAS-IP-Address = 172.16.0.10
Acct-Session-Id = "AC10000A0000030F"
RADIUS replies:
Mon Apr 18 13:44:34 2016
Packet-Type = Access-Accept
Cisco-Service-Info = "Unlim-Test-1M"
Acct-Interim-Interval = 300
But the request never reaches the DHCP server, and the logs show the following:
*Apr 18 13:07:50.837: RADIUS/ENCODE(00000174):Orig. component type = Iedge DHCP SIP
*Apr 18 13:07:50.837: RADIUS(00000174): Config NAS IP: 172.16.0.10
*Apr 18 13:07:50.837: RADIUS(00000174): Config NAS IPv6:::
*Apr 18 13:07:50.837: RADIUS/ENCODE(00000174): acct_session_id: 362
*Apr 18 13:07:50.837: RADIUS(00000174): sending
*Apr 18 13:07:50.837: RADIUS(00000174): Send Access-Request to 172.16.0.11:1812 id 1645/104, len 238
*Apr 18 13:07:50.837: RADIUS: authenticator 45 1B 9E 8E 4C 6B FE AE - E3 2B A0 58 89 2A A6 A6
*Apr 18 13:07:50.837: RADIUS: User-Name [1] 41 "010b582d414b2d35365f315f35:00040fa00001"
*Apr 18 13:07:50.837: RADIUS: User-Password [2] 18 *
*Apr 18 13:07:50.837: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Apr 18 13:07:50.837: RADIUS: Vendor, Cisco [26] 20
*Apr 18 13:07:50.837: RADIUS: cisco-nas-port [2] 14 "0/0/0/1.4000"
*Apr 18 13:07:50.837: RADIUS: NAS-Port [5] 6 0
*Apr 18 13:07:50.837: RADIUS: NAS-Port-Id [87] 14 "0/0/0/1.4000"
*Apr 18 13:07:50.837: RADIUS: Vendor, Cisco [26] 35
*Apr 18 13:07:50.837: RADIUS: Cisco AVpair [1] 29 "circuit-id-tag=00040fa00001"
*Apr 18 13:07:50.837: RADIUS: Vendor, Cisco [26] 48
*Apr 18 13:07:50.837: RADIUS: Cisco AVpair [1] 42 "remote-id-tag=010b582d414b2d35365f315f35"
*Apr 18 13:07:50.837: RADIUS: Service-Type [6] 6 Outbound [5]
*Apr 18 13:07:50.837: RADIUS: NAS-IP-Address [4] 6 172.16.0.10
*Apr 18 13:07:50.837: RADIUS: Acct-Session-Id [44] 18 "AC10000A0000016A"
*Apr 18 13:07:50.837: RADIUS(00000174): Sending a IPv4 Radius Packet
*Apr 18 13:07:50.837: RADIUS(00000174): Started 5 sec timeout
*Apr 18 13:07:50.838: RADIUS: Received from id 1645/104 172.16.0.11:1812, Access-Accept, len 47
*Apr 18 13:07:50.838: RADIUS: authenticator 0B 2E DC 59 F4 88 97 74 - 67 CF F8 39 D8 90 0B 9F
*Apr 18 13:07:50.838: RADIUS: Vendor, Cisco [26] 21
*Apr 18 13:07:50.838: RADIUS: ssg-service-info [251] 15 "Unlim-Test-1M"
*Apr 18 13:07:50.838: RADIUS: Acct-Interim-Interva[85] 6 300
*Apr 18 13:07:50.838: RADIUS(00000174): Received from id 1645/104
*Apr 18 13:07:50.838: IPSUB: Invalid magic 0xFADEDEAF in IP session 0x7F22D725E538
*Apr 18 13:07:50.838: IPSUB-VRFSET: Entered allocate feature info
*Apr 18 13:07:50.838: IPSUB-VRFSET: Allocated sg vrfset info 0x7F22D7A9C108
*Apr 18 13:07:50.838: IPSUB-VRFSET: Freeing the sg vrfset info 0x7F22D7A9C108
*Apr 18 13:07:50.839: Deleting mac 000c.29e1.7c18 from SIP common DB
*Apr 18 13:07:50.839: Deleted mac 000c.29e1.7c18 from SIP common DB
I'd appreciate some help, since I haven't dealt with Cisco and ISG before (we run on SE100, and there everything just took off right away).
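The User-Name in the Access-Request above is the two Option 82 sub-options, hex-encoded and joined with a colon, which is what `authorize ... identifier remote-id plus circuit-id` produces. The decoder below is an added example, not code from the post; it assumes the D-Link DES-3200 sub-option layout (circuit-id: type, length, VLAN, module, port; remote-id: type, length, switch name or MAC) so that a RADIUS-side script can check the identifier against the switch, VLAN and port it is supposed to come from before handing out a service.

```python
"""Decode the DHCP Option 82 sub-options that ISG packs into RADIUS User-Name.

Added example, not from the original post. Assumes the D-Link DES-3200 layout:
circuit-id = type, length, VLAN(2), module, port; remote-id = type, length,
payload (type 0 = switch MAC, type 1 = switch name in ASCII).
"""
import re
from dataclasses import dataclass

@dataclass
class Option82:
    remote_id: str   # switch name or MAC taken from remote-id
    vlan: int        # customer VLAN taken from circuit-id
    module: int
    port: int

def _sub_option(blob: bytes) -> tuple:
    """Split a sub-option into (type, payload), checking the length byte."""
    if len(blob) < 2 or blob[1] != len(blob) - 2:
        raise ValueError(f"bad sub-option length in {blob.hex()}")
    return blob[0], blob[2:]

def parse_user_name(user_name: str) -> Option82:
    """Parse the 'remoteidhex:circuitidhex' User-Name seen in Access-Request."""
    m = re.fullmatch(r"([0-9a-fA-F]+):([0-9a-fA-F]+)", user_name)
    if not m:
        raise ValueError("User-Name is not '<remote-id>:<circuit-id>' hex")
    rtype, remote = _sub_option(bytes.fromhex(m.group(1)))
    ctype, circuit = _sub_option(bytes.fromhex(m.group(2)))
    if ctype != 0 or len(circuit) != 4:
        raise ValueError("circuit-id payload must be VLAN(2) module(1) port(1)")
    vlan = int.from_bytes(circuit[:2], "big")
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} out of range")
    if rtype == 1:
        remote_id = remote.decode("ascii")          # switch name
    elif rtype == 0 and len(remote) == 6:
        remote_id = ":".join(f"{b:02x}" for b in remote)  # switch MAC
    else:
        raise ValueError(f"unsupported remote-id type {rtype}")
    return Option82(remote_id, vlan, circuit[2], circuit[3])

# Constructed from the User-Name quoted in the post's RADIUS debug.
SAMPLE_USER_NAME = "010b582d414b2d35365f315f35:00040fa00001"

if __name__ == "__main__":
    print(parse_user_name(SAMPLE_USER_NAME))  # X-AK-56_1_5, VLAN 4000, port 1
```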