[cisco-nas] Per-User ACL problem
Dennis Peng
dpeng at cisco.com
Wed Jan 28 14:05:36 EST 2004
This is CSCec69599. I just tested the fix for it yesterday and it
should be integrated in a few days. As a workaround, you can turn on
virtual-profiles.
Dennis
szilard.matyas at enternet.hu [szilard.matyas at enternet.hu] wrote:
> Hi all!
>
> We have a strange problem. We use AS5350s for dial-in (async, ISDN). When the user dials in, we send them a per-user ACL from RADIUS...
> If the user dials in with async or single-link ISDN (no Virtual-Access created) everything is OK, but when he dials in with ISDN multilink and a Virtual-Access interface is created, the ACL is not freed. And there are hundreds of per-user ACLs in the NAS referring to Virtual-Access interfaces. Here is the debug:
>
> debug aaa per-user:
>
>
> User dials in with async:
>
> Jan 28 12:27:52.914 MET: AAA/PER-USER: mode = config; command = [ip access-list extended Async1/48#358241
> permit tcp any host xxx.xxx.xx.xx eq smtp
> deny tcp any any eq smtp
> deny tcp any host xx.xxx.xxx.xx eq 3128
> permit ip any any
> ]
> Jan 28 12:27:52.914 MET: AAA/PER-USER: line = [ip access-list extended Async1/48#358241]
> Jan 28 12:27:52.914 MET: AAA/PER-USER: line = [permit tcp any host xxx.xxx.xxx.xxx eq smtp]
> Jan 28 12:27:52.914 MET: AAA/PER-USER: line = [deny tcp any any eq smtp]
> Jan 28 12:27:52.918 MET: AAA/PER-USER: line = [deny tcp any host xxx.xxx.xxx.xxx eq 3128]
> Jan 28 12:27:52.918 MET: AAA/PER-USER: line = [permit ip any any]
> Jan 28 12:27:52.918 MET: AAA/PER-USER: mode = interface; command = [IP access-group Async1/48#358241 in
> ]
> Jan 28 12:27:52.918 MET: AAA/PER-USER: line = [IP access-group Async1/48#358241 in]
>
> The ACL is applied normally!
>
>
> User Disconnects:
>
>
>
> Jan 28 12:28:00.390 MET: AAA/PER-USER: mode = interface; command = [no IP access-group Async1/48#358241 in
> ]
> Jan 28 12:28:00.390 MET: AAA/PER-USER: line = [no IP access-group Async1/48#358241 in]
> Jan 28 12:28:00.390 MET: AAA/PER-USER: mode = config; command = [no ip access-list extended Async1/48#358241
> ]
> Jan 28 12:28:00.390 MET: AAA/PER-USER: line = [no ip access-list extended Async1/48#358241]
>
> The ACL is removed normally!
>
>
> When the user dials in with multilink ISDN:
>
> Jan 28 14:06:47.105 MET: AAA/PER-USER: mode = config; command = [ip access-list extended Virtual-Access143#358961
> permit tcp any host xxx.xxx.xxx.xxx eq smtp
> deny tcp any any eq smtp
> deny tcp any host xxx.xxx.xxx.xxx eq 3128
> permit ip any any
> ]
> Jan 28 14:06:47.105 MET: AAA/PER-USER: line = [ip access-list extended Virtual-Access143#358961]
> Jan 28 14:06:47.105 MET: AAA/PER-USER: line = [permit tcp any host xxx.xxx.xxx.xxx eq smtp]
> Jan 28 14:06:47.109 MET: AAA/PER-USER: line = [deny tcp any any eq smtp]
> Jan 28 14:06:47.109 MET: AAA/PER-USER: line = [deny tcp any host xxx.xxx.xxx.xxx eq 3128]
> Jan 28 14:06:47.109 MET: AAA/PER-USER: line = [permit ip any any]
>
> The ACL is applied normally!
>
>
> And when the user disconnects:
>
>
> Jan 28 14:07:01.793 MET: AAA/PER-USER: mode = config; command = [no ip access-list extended Virtual-Access143#358961
> ]
> Jan 28 14:07:01.793 MET: AAA/PER-USER: line = [no ip access-list extended Virtual-Access143#358961]
>
> I don't know why the NAS doesn't remove the ACL from the interface... it only wants to remove the (global) ACL when Virtual-Access is used... I guess that the NAS can't remove the ACL because it is applied to an interface... Is it a bug?
>
>
> I tried it with 122-2.XB12.bin, 122-15.T10.bin and 122-2.XB14.bin and I get the same result...
>
>
> Here is my config:
>
> Cisco Internetwork Operating System Software
> IOS (tm) 5350 Software (C5350-IS-M), Version 12.2(15)T10, RELEASE SOFTWARE (fc2)
> TAC Support: http://www.cisco.com/tac
> Copyright (c) 1986-2003 by cisco Systems, Inc.
> Compiled Thu 11-Dec-03 09:53 by pwade
> Image text-base: 0x6000895C, data-base: 0x61600000
>
> ROM: System Bootstrap, Version 12.2(1r)1, RELEASE SOFTWARE (fc1)
> BOOTLDR: 5350 Software (C5350-BOOT-M), Version 12.2(2)XA5, EARLY DEPLOYMENT RELEASE SOFTWARE (fc2)
>
> nas-26 uptime is 4 weeks, 23 hours, 22 minutes
> System returned to ROM by reload at 15:12:32 MET Tue Dec 30 2003
> System restarted at 15:13:09 MET Tue Dec 30 2003
> System image file is "flash:c5350-is-mz.122-15.T10.bin"
>
> cisco AS5350 (R7K) processor (revision T) with 131072K/65536K bytes of memory.
> Processor board ID JAE0531002D
> R7000 CPU at 250Mhz, Implementation 39, Rev 1.0, 256KB L2, 2048KB L3 Cache
> Last reset from IOS reload
> Channelized E1, Version 1.0.
> Bridging software.
> X.25 software, Version 3.0.0.
> SuperLAT software (copyright 1990 by Meridian Technology Corp).
> Primary Rate ISDN software, Version 1.1.
> Manufacture Cookie Info:
> EEPROM Type 0x0001, EEPROM Version 0x01, Board ID 0x32,
> Board Hardware Version 3.27, Item Number 800-5171-02,
> Board Revision A0, Serial Number JAE0531002D,
> PLD/ISP Version 2.2, Manufacture Date 30-Jul-2001.
> Processor 0x14, MAC Address 0x044DC54B48
> Backplane HW Revision 1.0, Flash Type 5V
> 2 FastEthernet/IEEE 802.3 interface(s)
> 134 Serial network interface(s)
> 60 terminal line(s)
> 4 Channelized E1/PRI port(s)
> 512K bytes of non-volatile configuration memory.
> 32768K bytes of processor board System flash (Read/Write)
> 8192K bytes of processor board Boot flash (Read/Write)
>
> Configuration register is 0x2102
>
>
> version 12.2
> service timestamps debug datetime msec localtime show-timezone
> service timestamps log datetime msec localtime show-timezone
> service password-encryption
> !
> hostname xxxxxxxxxxxxxxxxxxxxxxxxxxx
> !
> boot system flash flash:c5350-is-mz.122-15.T10.bin
> boot system flash flash:c5350-is-mz.122-2.XB12.bin
> no boot startup-test
> logging queue-limit 100
> no logging console
> enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> !
> username xxxxxxxx privilege 15 password 7 xxxxxxxxxxxxxxxxxxx
> !
> !
> resource-pool enable
> resource-pool call treatment resource busy
> resource-pool call treatment profile busy
> resource-pool call treatment discriminator busy
> !
> resource-pool group resource nextport
> range port 1/0 1/59
> pool-alloc round-robin
> !
> resource-pool group resource isdn
> range limit 60
> !
> resource-pool profile customer CUST1
> limit base-size 25
> limit overflow-size 30
> resource isdn digital
> resource nextport speech
> resource nextport V110
> resource isdn piafs
> resource nextport V120
> dnis group CUST1
> !
> resource-pool profile customer CUST2
> limit base-size 5
> limit overflow-size 12
> resource isdn digital
> resource nextport speech
> resource nextport V110
> resource isdn piafs
> resource nextport V120
> dnis group CUST2
> vpdn group CUST2
> !
> resource-pool profile customer CUST3
> limit base-size 0
> limit overflow-size 18
> resource isdn digital
> resource nextport speech
> resource nextport V110
> resource isdn piafs
> resource nextport V120
> dnis group CUST3
> !
> resource-pool profile customer CUST4
> limit base-size 0
> limit overflow-size 0
> resource isdn digital
> resource nextport speech
> resource nextport V110
> resource isdn piafs
> resource nextport V120
> dnis group CUST4
> vpdn group CUST4
> !
> resource-pool profile customer CUST5
> limit base-size 0
> limit overflow-size 0
> resource isdn digital
> resource nextport speech
> resource nextport V110
> resource isdn piafs
> resource nextport V120
> dnis group CUST5
> vpdn group CUST5
> resource-pool aaa protocol local
> clock timezone MET 1
> clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00
> spe call-record modem quiet
> !
> spe default-firmware spe-firmware-1
> spe 1/00 1/09
> firmware location flash:np.8.3.spe
> !
> aaa new-model
> aaa session-mib disconnect
> !
> !
> aaa authentication login telnet group tacacs+ local
> aaa authentication enable default enable
> aaa authentication ppp dialin local group radius
> aaa authorization network dialin local group radius
> aaa accounting delay-start
> aaa accounting suppress null-username
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> aaa accounting network dialin start-stop group radius
> aaa accounting system default start-stop group radius
> aaa session-id common
> ip subnet-zero
> ip cef
> ip tftp source-interface Loopback0
> no ip domain lookup
> !
> virtual-profile if-needed
> vpdn enable
> vpdn logging
> vpdn logging local
> vpdn logging remote
> vpdn logging user
> vpdn logging tunnel-drop
> vpdn history failure table-size 50
> vpdn search-order dnis
> !
> vpdn-group PPPoE
> description *** PPPoE ***
> accept-dialin
> protocol pppoe
> virtual-template 1
> pppoe limit per-mac 1
> !
> vpdn-group CUST4
> description *** CUST4 L2TP ***
> request-dialin
> protocol l2tp
> dnis CUST4
> initiate-to ip xxxxxxxxxxxxx
> source-ip xxxxxxxxxxxxxx
> multilink bundle 2
> multilink link 2
> l2tp hidden
> l2tp tunnel password 7 xxxxxxxxxxxxxxx
> !
> vpdn-group CUST2
> description *** CUST2 L2TP ***
> request-dialin
> protocol l2tp
> dnis CUST2
> initiate-to ip xxxxxxxxxxxx
> source-ip xxxxxxxxxxxxxxxxx
> multilink bundle 2
> multilink link 2
> l2tp hidden
> l2tp tunnel password 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
> !
> vpdn-group CUST5
> description *** CUST5 L2TP ***
> request-dialin
> protocol l2tp
> initiate-to xxxxxxxxxxxxxxxxxxx
> source-ip xxxxxxxxxxxxxxxxxx
> multilink bundle 2
> multilink link 2
> l2tp hidden
> l2tp tunnel password 7 xxxxxxxxxxxxxxxxxxxxxxx
> !
> isdn switch-type primary-net5
> !
> !
> !
> !
> !
> !
> !
> !
> no voice hpi capture buffer
> no voice hpi capture destination
> !
> !
> !
> fax interface-type fax-mail
> mta receive maximum-recipients 0
> !
> !
> !
> controller E1 2/0
> pri-group timeslots 1-31
>
> !
> controller E1 2/1
> pri-group timeslots 1-31
>
> !
> controller E1 3/0
> pri-group timeslots 1-31
> !
> controller E1 3/1
> pri-group timeslots 1-31
> !
> !
> interface Loopback0
> ip address xxxxxxxxxxxxxxxxxx
> !
> interface FastEthernet0/0
> no ip address
> no ip redirects
> no ip proxy-arp
> shutdown
> duplex auto
> speed auto
> !
> interface FastEthernet0/1
> ip address xxxxxxxxxxxxxxxx secondary
> ip address xxxxxxxxxxxxxxxx secondary
> ip address xxxxxxxxxxxxxxxxxxxxx
> ip access-group xxxxxxxxxxxx out
> duplex auto
> speed auto
> pppoe enable
> !
> interface Serial0/0
> ip address xxxxxxxxxxxxxxxx
> ip route-cache flow
> ip summary-address rip xxxxxxxxxxxxxxxxxxxxx
> load-interval 30
> !
> interface Serial0/1
> no ip address
> shutdown
> clockrate 2000000
> !
> interface Serial2/0:15
> no ip address
> no ip redirects
> no ip proxy-arp
> encapsulation ppp
> ip route-cache flow
> dialer rotary-group 1
> isdn switch-type primary-net5
> isdn incoming-voice modem
> isdn piafs_enabled
> no keepalive
> no fair-queue
> no cdp enable
> !
> interface Serial2/1:15
> no ip address
> no ip redirects
> no ip proxy-arp
> encapsulation ppp
> ip route-cache flow
> dialer rotary-group 1
> isdn switch-type primary-net5
> isdn incoming-voice modem
> isdn piafs_enabled
> no keepalive
> no fair-queue
> no cdp enable
> !
> interface Serial3/0:15
> no ip address
> no ip redirects
> no ip proxy-arp
> encapsulation ppp
> ip route-cache flow
> dialer rotary-group 1
> isdn switch-type primary-net5
> isdn incoming-voice modem
> isdn piafs_enabled
> no keepalive
> no fair-queue
> no cdp enable
> !
> interface Serial3/1:15
> no ip address
> no ip redirects
> no ip proxy-arp
> encapsulation ppp
> ip route-cache flow
> dialer rotary-group 1
> isdn switch-type primary-net5
> isdn incoming-voice modem
> isdn piafs_enabled
> no keepalive
> no fair-queue
> no cdp enable
> !
> interface Virtual-Template1
> mtu 1492
> ip unnumbered Loopback0
> ip route-cache flow
> load-interval 30
> peer default ip address pool dialin
> ppp authentication pap dialin
> ppp authorization dialin
> ppp accounting dialin
> !
> interface Group-Async0
> no ip address
> no ip redirects
> no ip proxy-arp
> ip route-cache flow
> dialer in-band
> dialer rotary-group 1
> async mode interactive
> no keepalive
> no fair-queue
> group-range 1/00 1/59
> !
> interface Dialer1
> ip unnumbered Loopback0
> ip verify unicast reverse-path 101
> no ip redirects
> no ip proxy-arp
> encapsulation ppp
> ip route-cache flow
> load-interval 30
> dialer in-band
> dialer idle-timeout 0
> peer default ip address pool dialin
> no fair-queue
> no cdp enable
> ppp authentication pap dialin
> ppp authorization dialin
> ppp accounting dialin
> ppp multilink
> !
> router rip
> version 2
> redistribute connected
> redistribute static route-map nodefault
> passive-interface default
> no passive-interface Serial0/0
> network xxxxxxxxxxxxxxxxx
> default-metric 2
> no auto-summary
> !
> ip local pool dialin xxxxxxxxxxxxxxxxxxxxxx
> ip flow-aggregation cache source-prefix-tos
> mask source minimum 32
> enabled
> !
> ip flow-aggregation cache destination-prefix-tos
> mask destination minimum 32
> enabled
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 xxxxxxxxxx
> ip route xxxxxxxxxxxxxxxxxxxxxx Null0
> ip tacacs source-interface Loopback0
> no ip http server
> !
> !
> !
> ip radius source-interface Loopback0
> !
> logging facility local2
> logging source-interface Loopback0
> logging xxxxxxxxxxxx
> logging xxxxxxxxxxxxxxxxxxxxxxxx
> !
> dialer dnis group CUST1
> number 001
> number 000
> !
> dialer dnis group CUST2
> number 007
> number 005
> !
> dialer dnis group CUST3
> number 002
> !
> dialer dnis group CUST4
> number 008
> number 006
> !
> dialer dnis group CUST5
> number 004
> !
> route-map nodefault permit 10
> match ip address 5
> !
> tacacs-server hostxxxxxxxxxxxxx port xxxx key xxxxxxxxxxxxxx
> tacacs-server directed-request
> snmp-server community xxxxxxxxxxxxx RO 1
> no snmp-server enable traps tty
> !
> radius-server attribute 32 include-in-access-req
> radius-server host xxxxxxxxxxxxxx auth-port xxxx acct-port xxxxx
> radius-server retransmit 4
> radius-server key 7 xxxxxxxxxxxxxxxxxxxxxxx
> radius-server authorization permit missing Service-Type
> call rsvp-sync
> !
> voice-port 2/0:D
> !
> voice-port 2/1:D
> !
> voice-port 3/0:D
> !
> voice-port 3/1:D
> !
> !
> mgcp profile default
> !
> dial-peer cor custom
> !
> !
> !
> !
> alias exec sp show processes cpu | exc 0.00% 0.00% 0.00%
> alias exec sv show version | inc image
> !
> line con 0
> logging synchronous
> transport output none
> line aux 0
> line vty 0 4
> session-timeout 30
> timeout login response 20
> logging synchronous
> login authentication telnet
> transport input telnet
> line vty 5 15
> session-timeout 30
> timeout login response 20
> logging synchronous
> login authentication telnet
> transport input telnet
> line 1/00 1/59
> no flush-at-activation
> no modem callout
> modem Dialin
> modem autoconfigure type nextport
> transport input all
> autoselect during-login
> autoselect ppp
> !
> scheduler allocate 10000 400
> ntp clock-period 17179978
> ntp source Loopback0
> ntp access-group peer 10
> ntp update-calendar
> ntp server xxxxxxxxxxxxxxxx
> end
>
> Thanks in advance for everybody's response.
>
> Regards,
>
> Szicsu
>
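One way to spot the leak in the `debug aaa per-user` output quoted above is to check that every `no ip access-list extended NAME` teardown is preceded by a `no ip access-group NAME` for the same per-user ACL; in the Async case both appear, in the Virtual-Access case only the global delete does. The following is an added Python example, not code from the thread or from Cisco; the sample lines are a constructed condensation of the debug output shown above, and the regexes are assumptions about that debug format.

```python
import re

# Constructed sample: the two teardown sequences from the thread, reduced to
# the "line = [...]" records that matter for the check.
SAMPLE_DEBUG = """\
Jan 28 12:27:52.914 MET: AAA/PER-USER: line = [ip access-list extended Async1/48#358241]
Jan 28 12:27:52.918 MET: AAA/PER-USER: line = [IP access-group Async1/48#358241 in]
Jan 28 12:28:00.390 MET: AAA/PER-USER: line = [no IP access-group Async1/48#358241 in]
Jan 28 12:28:00.390 MET: AAA/PER-USER: line = [no ip access-list extended Async1/48#358241]
Jan 28 14:06:47.105 MET: AAA/PER-USER: line = [ip access-list extended Virtual-Access143#358961]
Jan 28 14:07:01.793 MET: AAA/PER-USER: line = [no ip access-list extended Virtual-Access143#358961]
"""

# Only the single-line "line = [...]" records are parsed; the multi-line
# "command = [...]" records repeat the same content.
LINE_RE = re.compile(r"AAA/PER-USER: line = \[(?P<cmd>[^\]]*)\]")
ACL_DEF_RE = re.compile(r"^(?P<neg>no )?ip access-list extended (?P<name>\S+)$", re.I)
ACL_GRP_RE = re.compile(r"^(?P<neg>no )?ip access-group (?P<name>\S+) (?:in|out)$", re.I)


def interface_of(acl_name):
    """Per-user ACL names are '<interface>#<id>'; return the interface part."""
    return acl_name.split("#", 1)[0]


def find_leaked_acls(debug_text):
    """Return {acl_name: interface} for per-user ACLs whose global delete was
    not preceded by an interface unbind, i.e. ACLs likely left behind."""
    unbound = set()  # names for which 'no ip access-group' has been seen
    leaked = {}
    for raw in debug_text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        grp = ACL_GRP_RE.match(cmd)
        acl = ACL_DEF_RE.match(cmd)
        if grp:
            name = grp.group("name")
            # 'no ip access-group' marks the ACL as unbound; a fresh bind clears that.
            (unbound.add if grp.group("neg") else unbound.discard)(name)
        elif acl:
            name = acl.group("name")
            if not acl.group("neg"):
                unbound.discard(name)  # (re)definition: ACL is live again
            elif name not in unbound:
                leaked[name] = interface_of(name)  # delete without unbind
    return leaked
```

Running `find_leaked_acls(SAMPLE_DEBUG)` flags only the Virtual-Access ACL, which is the pattern the thread describes; a live check is to compare the result against `show ip access-lists` on the NAS.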