[cisco-nas] Per-User ACL problem
szilard.matyas at enternet.hu
Mon Jan 26 08:40:55 EST 2004
Hi all!
We have a strange problem. We use AS5350s for dial-in (async, ISDN). When a user dials in, we send them a per-user ACL from RADIUS.
If the user dials in with async or single-link ISDN (no virtual-access interface created) everything is OK, but when they dial in with ISDN multilink and a virtual-access interface is created, the ACL is not freed. As a result there are hundreds of per-user ACLs on the NAS referring to virtual-access interfaces. Here is the debug:
debug aaa per-user:
User dials in with async:
Jan 28 12:27:52.914 MET: AAA/PER-USER: mode = config; command = [ip access-list extended Async1/48#358241
permit tcp any host xxx.xxx.xx.xx eq smtp
deny tcp any any eq smtp
deny tcp any host xx.xxx.xxx.xx eq 3128
permit ip any any
]
Jan 28 12:27:52.914 MET: AAA/PER-USER: line = [ip access-list extended Async1/48#358241]
Jan 28 12:27:52.914 MET: AAA/PER-USER: line = [permit tcp any host xxx.xxx.xxx.xxx eq smtp]
Jan 28 12:27:52.914 MET: AAA/PER-USER: line = [deny tcp any any eq smtp]
Jan 28 12:27:52.918 MET: AAA/PER-USER: line = [deny tcp any host xxx.xxx.xxx.xxx eq 3128]
Jan 28 12:27:52.918 MET: AAA/PER-USER: line = [permit ip any any]
Jan 28 12:27:52.918 MET: AAA/PER-USER: mode = interface; command = [IP access-group Async1/48#358241 in
]
Jan 28 12:27:52.918 MET: AAA/PER-USER: line = [IP access-group Async1/48#358241 in]
The ACL is applied normally!
User Disconnects:
Jan 28 12:28:00.390 MET: AAA/PER-USER: mode = interface; command = [no IP access-group Async1/48#358241 in
]
Jan 28 12:28:00.390 MET: AAA/PER-USER: line = [no IP access-group Async1/48#358241 in]
Jan 28 12:28:00.390 MET: AAA/PER-USER: mode = config; command = [no ip access-list extended Async1/48#358241
]
Jan 28 12:28:00.390 MET: AAA/PER-USER: line = [no ip access-list extended Async1/48#358241]
The ACL is removed normally!
When the user dials in with multilink ISDN:
Jan 28 14:06:47.105 MET: AAA/PER-USER: mode = config; command = [ip access-list extended Virtual-Access143#358961
permit tcp any host xxx.xxx.xxx.xxx eq smtp
deny tcp any any eq smtp
deny tcp any host xxx.xxx.xxx.xxx eq 3128
permit ip any any
]
Jan 28 14:06:47.105 MET: AAA/PER-USER: line = [ip access-list extended Virtual-Access143#358961]
Jan 28 14:06:47.105 MET: AAA/PER-USER: line = [permit tcp any host xxx.xxx.xxx.xxx eq smtp]
Jan 28 14:06:47.109 MET: AAA/PER-USER: line = [deny tcp any any eq smtp]
Jan 28 14:06:47.109 MET: AAA/PER-USER: line = [deny tcp any host xxx.xxx.xxx.xxx eq 3128]
Jan 28 14:06:47.109 MET: AAA/PER-USER: line = [permit ip any any]
The ACL is applied normally!
And when the user disconnects:
Jan 28 14:07:01.793 MET: AAA/PER-USER: mode = config; command = [no ip access-list extended Virtual-Access143#358961
]
Jan 28 14:07:01.793 MET: AAA/PER-USER: line = [no ip access-list extended Virtual-Access143#358961]
I don't know why the NAS doesn't remove the ACL from the interface; when a virtual-access interface is used it only tries to remove the (global) ACL. I guess the NAS can't remove the ACL because it is still applied to an interface. Is this a bug?
I tried it with 122-2.XB12.bin, 122-15.T10.bin and 122-2.XB14.bin and I get the same result.
Here is my config:
Cisco Internetwork Operating System Software
IOS (tm) 5350 Software (C5350-IS-M), Version 12.2(15)T10, RELEASE SOFTWARE (fc2)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Thu 11-Dec-03 09:53 by pwade
Image text-base: 0x6000895C, data-base: 0x61600000
ROM: System Bootstrap, Version 12.2(1r)1, RELEASE SOFTWARE (fc1)
BOOTLDR: 5350 Software (C5350-BOOT-M), Version 12.2(2)XA5, EARLY DEPLOYMENT RELEASE SOFTWARE (fc2)
nas-26 uptime is 4 weeks, 23 hours, 22 minutes
System returned to ROM by reload at 15:12:32 MET Tue Dec 30 2003
System restarted at 15:13:09 MET Tue Dec 30 2003
System image file is "flash:c5350-is-mz.122-15.T10.bin"
cisco AS5350 (R7K) processor (revision T) with 131072K/65536K bytes of memory.
Processor board ID JAE0531002D
R7000 CPU at 250Mhz, Implementation 39, Rev 1.0, 256KB L2, 2048KB L3 Cache
Last reset from IOS reload
Channelized E1, Version 1.0.
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
Primary Rate ISDN software, Version 1.1.
Manufacture Cookie Info:
EEPROM Type 0x0001, EEPROM Version 0x01, Board ID 0x32,
Board Hardware Version 3.27, Item Number 800-5171-02,
Board Revision A0, Serial Number JAE0531002D,
PLD/ISP Version 2.2, Manufacture Date 30-Jul-2001.
Processor 0x14, MAC Address 0x044DC54B48
Backplane HW Revision 1.0, Flash Type 5V
2 FastEthernet/IEEE 802.3 interface(s)
134 Serial network interface(s)
60 terminal line(s)
4 Channelized E1/PRI port(s)
512K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)
8192K bytes of processor board Boot flash (Read/Write)
Configuration register is 0x2102
version 12.2
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname xxxxxxxxxxxxxxxxxxxxxxxxxxx
!
boot system flash flash:c5350-is-mz.122-15.T10.bin
boot system flash flash:c5350-is-mz.122-2.XB12.bin
no boot startup-test
logging queue-limit 100
no logging console
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
username xxxxxxxx privilege 15 password 7 xxxxxxxxxxxxxxxxxxx
!
!
resource-pool enable
resource-pool call treatment resource busy
resource-pool call treatment profile busy
resource-pool call treatment discriminator busy
!
resource-pool group resource nextport
range port 1/0 1/59
pool-alloc round-robin
!
resource-pool group resource isdn
range limit 60
!
resource-pool profile customer CUST1
limit base-size 25
limit overflow-size 30
resource isdn digital
resource nextport speech
resource nextport V110
resource isdn piafs
resource nextport V120
dnis group CUST1
!
resource-pool profile customer CUST2
limit base-size 5
limit overflow-size 12
resource isdn digital
resource nextport speech
resource nextport V110
resource isdn piafs
resource nextport V120
dnis group CUST2
vpdn group CUST2
!
resource-pool profile customer CUST3
limit base-size 0
limit overflow-size 18
resource isdn digital
resource nextport speech
resource nextport V110
resource isdn piafs
resource nextport V120
dnis group CUST3
!
resource-pool profile customer CUST4
limit base-size 0
limit overflow-size 0
resource isdn digital
resource nextport speech
resource nextport V110
resource isdn piafs
resource nextport V120
dnis group CUST4
vpdn group CUST4
!
resource-pool profile customer CUST5
limit base-size 0
limit overflow-size 0
resource isdn digital
resource nextport speech
resource nextport V110
resource isdn piafs
resource nextport V120
dnis group CUST5
vpdn group CUST5
resource-pool aaa protocol local
clock timezone MET 1
clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00
spe call-record modem quiet
!
spe default-firmware spe-firmware-1
spe 1/00 1/09
firmware location flash:np.8.3.spe
!
aaa new-model
aaa session-mib disconnect
!
!
aaa authentication login telnet group tacacs+ local
aaa authentication enable default enable
aaa authentication ppp dialin local group radius
aaa authorization network dialin local group radius
aaa accounting delay-start
aaa accounting suppress null-username
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network dialin start-stop group radius
aaa accounting system default start-stop group radius
aaa session-id common
ip subnet-zero
ip cef
ip tftp source-interface Loopback0
no ip domain lookup
!
virtual-profile if-needed
vpdn enable
vpdn logging
vpdn logging local
vpdn logging remote
vpdn logging user
vpdn logging tunnel-drop
vpdn history failure table-size 50
vpdn search-order dnis
!
vpdn-group PPPoE
description *** PPPoE ***
accept-dialin
protocol pppoe
virtual-template 1
pppoe limit per-mac 1
!
vpdn-group CUST4
description *** CUST4 L2TP ***
request-dialin
protocol l2tp
dnis CUST4
initiate-to ip xxxxxxxxxxxxx
source-ip xxxxxxxxxxxxxx
multilink bundle 2
multilink link 2
l2tp hidden
l2tp tunnel password 7 xxxxxxxxxxxxxxx
!
vpdn-group CUST2
description *** CUST2 L2TP ***
request-dialin
protocol l2tp
dnis CUST2
initiate-to ip xxxxxxxxxxxx
source-ip xxxxxxxxxxxxxxxxx
multilink bundle 2
multilink link 2
l2tp hidden
l2tp tunnel password 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
vpdn-group CUST5
description *** CUST5 L2TP ***
request-dialin
protocol l2tp
initiate-to xxxxxxxxxxxxxxxxxxx
source-ip xxxxxxxxxxxxxxxxxx
multilink bundle 2
multilink link 2
l2tp hidden
l2tp tunnel password 7 xxxxxxxxxxxxxxxxxxxxxxx
!
isdn switch-type primary-net5
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!
!
controller E1 2/0
pri-group timeslots 1-31
!
controller E1 2/1
pri-group timeslots 1-31
!
controller E1 3/0
pri-group timeslots 1-31
!
controller E1 3/1
pri-group timeslots 1-31
!
!
interface Loopback0
ip address xxxxxxxxxxxxxxxxxx
!
interface FastEthernet0/0
no ip address
no ip redirects
no ip proxy-arp
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address xxxxxxxxxxxxxxxx secondary
ip address xxxxxxxxxxxxxxxx secondary
ip address xxxxxxxxxxxxxxxxxxxxx
ip access-group xxxxxxxxxxxx out
duplex auto
speed auto
pppoe enable
!
interface Serial0/0
ip address xxxxxxxxxxxxxxxx
ip route-cache flow
ip summary-address rip xxxxxxxxxxxxxxxxxxxxx
load-interval 30
!
interface Serial0/1
no ip address
shutdown
clockrate 2000000
!
interface Serial2/0:15
no ip address
no ip redirects
no ip proxy-arp
encapsulation ppp
ip route-cache flow
dialer rotary-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
isdn piafs_enabled
no keepalive
no fair-queue
no cdp enable
!
interface Serial2/1:15
no ip address
no ip redirects
no ip proxy-arp
encapsulation ppp
ip route-cache flow
dialer rotary-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
isdn piafs_enabled
no keepalive
no fair-queue
no cdp enable
!
interface Serial3/0:15
no ip address
no ip redirects
no ip proxy-arp
encapsulation ppp
ip route-cache flow
dialer rotary-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
isdn piafs_enabled
no keepalive
no fair-queue
no cdp enable
!
interface Serial3/1:15
no ip address
no ip redirects
no ip proxy-arp
encapsulation ppp
ip route-cache flow
dialer rotary-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
isdn piafs_enabled
no keepalive
no fair-queue
no cdp enable
!
interface Virtual-Template1
mtu 1492
ip unnumbered Loopback0
ip route-cache flow
load-interval 30
peer default ip address pool dialin
ppp authentication pap dialin
ppp authorization dialin
ppp accounting dialin
!
interface Group-Async0
no ip address
no ip redirects
no ip proxy-arp
ip route-cache flow
dialer in-band
dialer rotary-group 1
async mode interactive
no keepalive
no fair-queue
group-range 1/00 1/59
!
interface Dialer1
ip unnumbered Loopback0
ip verify unicast reverse-path 101
no ip redirects
no ip proxy-arp
encapsulation ppp
ip route-cache flow
load-interval 30
dialer in-band
dialer idle-timeout 0
peer default ip address pool dialin
no fair-queue
no cdp enable
ppp authentication pap dialin
ppp authorization dialin
ppp accounting dialin
ppp multilink
!
router rip
version 2
redistribute connected
redistribute static route-map nodefault
passive-interface default
no passive-interface Serial0/0
network xxxxxxxxxxxxxxxxx
default-metric 2
no auto-summary
!
ip local pool dialin xxxxxxxxxxxxxxxxxxxxxx
ip flow-aggregation cache source-prefix-tos
mask source minimum 32
enabled
!
ip flow-aggregation cache destination-prefix-tos
mask destination minimum 32
enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxx
ip route xxxxxxxxxxxxxxxxxxxxxx Null0
ip tacacs source-interface Loopback0
no ip http server
!
!
!
ip radius source-interface Loopback0
!
logging facility local2
logging source-interface Loopback0
logging xxxxxxxxxxxx
logging xxxxxxxxxxxxxxxxxxxxxxxx
!
dialer dnis group CUST1
number 001
number 000
!
dialer dnis group CUST2
number 007
number 005
!
dialer dnis group CUST3
number 002
!
dialer dnis group CUST4
number 008
number 006
!
dialer dnis group CUST5
number 004
!
route-map nodefault permit 10
match ip address 5
!
tacacs-server hostxxxxxxxxxxxxx port xxxx key xxxxxxxxxxxxxx
tacacs-server directed-request
snmp-server community xxxxxxxxxxxxx RO 1
no snmp-server enable traps tty
!
radius-server attribute 32 include-in-access-req
radius-server host xxxxxxxxxxxxxx auth-port xxxx acct-port xxxxx
radius-server retransmit 4
radius-server key 7 xxxxxxxxxxxxxxxxxxxxxxx
radius-server authorization permit missing Service-Type
call rsvp-sync
!
voice-port 2/0:D
!
voice-port 2/1:D
!
voice-port 3/0:D
!
voice-port 3/1:D
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
alias exec sp show processes cpu | exc 0.00% 0.00% 0.00%
alias exec sv show version | inc image
!
line con 0
logging synchronous
transport output none
line aux 0
line vty 0 4
session-timeout 30
timeout login response 20
logging synchronous
login authentication telnet
transport input telnet
line vty 5 15
session-timeout 30
timeout login response 20
logging synchronous
login authentication telnet
transport input telnet
line 1/00 1/59
no flush-at-activation
no modem callout
modem Dialin
modem autoconfigure type nextport
transport input all
autoselect during-login
autoselect ppp
!
scheduler allocate 10000 400
ntp clock-period 17179978
ntp source Loopback0
ntp access-group peer 10
ntp update-calendar
ntp server xxxxxxxxxxxxxxxx
end
Thanks in advance for everybody's response.
Regards,
Szicsu
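The debug output above shows the difference between the two teardown sequences: on the Async interface the NAS issues "no IP access-group ... in" before "no ip access-list extended ...", while on the Virtual-Access interface it goes straight to the global delete. An ACL that is still bound to an interface cannot be removed, which is how the leftover per-user ACLs accumulate. The following script is an added example, not part of the original post or of Cisco IOS: it parses "debug aaa per-user" lines and flags every per-user ACL whose delete was attempted without a preceding interface unbind, then counts the suspects per interface type. The sample lines are constructed to mirror the post (addresses replaced with documentation ranges); the function and field names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the post's "debug aaa per-user" output.
SAMPLE_DEBUG = """\
Jan 28 12:27:52.914 MET: AAA/PER-USER: line = [ip access-list extended Async1/48#358241]
Jan 28 12:27:52.914 MET: AAA/PER-USER: line = [permit tcp any host 192.0.2.10 eq smtp]
Jan 28 12:27:52.918 MET: AAA/PER-USER: line = [IP access-group Async1/48#358241 in]
Jan 28 12:28:00.390 MET: AAA/PER-USER: line = [no IP access-group Async1/48#358241 in]
Jan 28 12:28:00.390 MET: AAA/PER-USER: line = [no ip access-list extended Async1/48#358241]
Jan 28 14:06:47.105 MET: AAA/PER-USER: line = [ip access-list extended Virtual-Access143#358961]
Jan 28 14:06:47.105 MET: AAA/PER-USER: line = [permit ip any any]
Jan 28 14:07:01.793 MET: AAA/PER-USER: line = [no ip access-list extended Virtual-Access143#358961]
"""

# Only the single-command "line = [...]" records are parsed; the multi-line
# "command = [" blocks repeat the same content and are skipped.
LINE_RE = re.compile(r"AAA/PER-USER: line = \[(?P<cmd>.+)\]$")
CREATE_RE = re.compile(r"^ip access-list extended (?P<acl>\S+)$", re.I)
DELETE_RE = re.compile(r"^no ip access-list extended (?P<acl>\S+)$", re.I)
BIND_RE = re.compile(r"^ip access-group (?P<acl>\S+) (?:in|out)$", re.I)
UNBIND_RE = re.compile(r"^no ip access-group (?P<acl>\S+) (?:in|out)$", re.I)


@dataclass
class AclState:
    """Lifecycle flags seen for one per-user ACL name (hypothetical type)."""
    created: bool = False
    bound: bool = False
    unbound: bool = False
    delete_attempted: bool = False


def interface_of(acl_name):
    """Per-user ACL names have the form '<interface>#<id>'."""
    return acl_name.split("#", 1)[0]


def parse_events(text):
    """Map each per-user ACL name to the lifecycle events seen in the debug."""
    states = {}
    matchers = (
        (CREATE_RE, "created"),
        (BIND_RE, "bound"),
        (UNBIND_RE, "unbound"),
        (DELETE_RE, "delete_attempted"),
    )
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        for regex, attr in matchers:
            mm = regex.match(cmd)
            if mm:
                setattr(states.setdefault(mm.group("acl"), AclState()), attr, True)
                break
    return states


def find_suspect_acls(states):
    """ACLs deleted without a prior 'no ip access-group': the delete cannot
    succeed while an interface still references the list, so these are the
    candidates for the leak described in the post."""
    return {
        name: interface_of(name)
        for name, st in states.items()
        if st.delete_attempted and not st.unbound
    }


def leaks_by_interface_type(suspects):
    """Count suspects per interface type (e.g. 'Virtual-Access', 'Async')."""
    counts = {}
    for iface in suspects.values():
        itype = re.match(r"[A-Za-z-]+", iface).group(0)
        counts[itype] = counts.get(itype, 0) + 1
    return counts


if __name__ == "__main__":
    suspects = find_suspect_acls(parse_events(SAMPLE_DEBUG))
    for name, iface in sorted(suspects.items()):
        print(f"delete without unbind: {name} (interface {iface})")
    print(leaks_by_interface_type(suspects))
```

Run against a saved debug capture, the report gives the list of ACL names to compare with "show ip access-lists" on the NAS; a name that still appears there after the session ended confirms the leak for that interface type.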