[c-nsp] Cisco ASR1K ISG+L4REDIRECT+OPENGARDEN+Radius+CoA problem
Georgi Genov
linuxloader at gmail.com
Fri Jul 20 06:12:31 EDT 2012
Hi all,
We have a ASR1K with
Cisco IOS Software, IOS-XE Software
(X86_64_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.2(2)S, RELEASE
SOFTWARE (fc1)
IOS XE Version: 03.06.00.S
ASR1000-ESP40
ASR1000-SIP40
The case that we have with the ISG is very strange.
Here are the policy and the ACLs for the services:
class-map type traffic match-any ISG_OPENGARDEN
match access-group output name ACL_OUT_OPENGARDEN
match access-group input name ACL_IN_OPENGARDEN
!
class-map type traffic match-any L4REDIRECT
match access-group input name ACL_IN_L4REDIRECT
!
policy-map type service L4REDIRECT_SERVICE
10 class type traffic L4REDIRECT
redirect to group ISG_GROUP
!
class type traffic default in-out
drop
ip access-list extended ACL_IN_L4REDIRECT
deny tcp any host x.x.x.114 eq 4040
deny tcp any host x.x.x.114
deny udp any any eq domain
permit icmp any any
permit tcp any any eq www
permit tcp any any eq 443
permit ip any any
ip access-list extended ACL_IN_OPENGARDEN
permit ip any host x.x.x.114
permit udp any any eq domain
permit udp any eq domain any
permit icmp any any
deny ip any any
ip access-list extended ACL_OUT_OPENGARDEN
permit ip host x.x.x.114 any
permit udp any any eq domain
permit udp any eq domain any
permit icmp any any
deny ip any any
Here is the control policy-map:
policy-map type control ISG_IPOE_SESSION_RULE1
class type control always event session-start
10 authorize aaa list TAL_AUTHEN_LIST password AAACISCO identifier
circuit-id plus mac-address separator #
!
class type control always event account-logon
10 authenticate aaa list TAL_AUTHEN_LIST
!
class type control always event account-logoff
10 service disconnect delay 3
!
Here is the RADIUS and AAA part:
aaa authentication login TAL_AUTHEN_LIST group RADIUS_GR
aaa authorization network TAL_AUTHEN_LIST group RADIUS_GR
aaa accounting network TAL_AUTHEN_LIST start-stop group RADIUS_GR
aaa group server radius RADIUS_GR
ip radius source-interface Loopback0
ip radius source-interface Loopback0
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 218 mandatory
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 25 access-request include
radius-server attribute 4 loopback0
radius-server host x.x.x.135 auth-port 1812 acct-port 1813 key 7 removed
radius-server key 7 removed
radius-server vsa send accounting
radius-server vsa send authentication
And finally, here is the case.
If we set in the RADIUS Access-Accept
Cisco-AVPair, "subscriber:service-name=L4REDIRECT_SERVICE"
Cisco-AVPair, "subscriber:command=activate-service"
Cisco-AVPair, "subscriber:service-name=OPENGARDEN_SERVICE"
Cisco-AVPair, "subscriber:command=activate-service"
the subscriber looks like this, and the redirect and opengarden didn't work.
> Type: IP, UID: 59, State: authen, Identity: x.x.x.2 xpon
> 0/5/5:8.361.1#d4ca.6d45.4ed2
> IPv4 Address: x.x.x.10
> Session Up-time: 00:00:13, Last Changed: 00:00:12
> Switch-ID: 20355
>
> Policy information:
> Context 7F0F3D0B88B0: Handle D3000BC4
> AAA_id 00000602: Flow_handle 0
> Authentication status: authen
> Downloaded User profile, excluding services:
> service-type 0 2 [Framed]
> accounting-list 0 "CISCO_ISG_SESSION_ACCNT_LIST"
> service-name 0 "L4REDIRECT_SERVICE"
> command 0 "deactivate-service"
> service-name 0 "OPENGARDEN_SERVICE"
> command 0 "deactivate-service"
> clid-mac-addr 0 D4 CA 6D 45 4E D2
> addr 0 x.x.x.10
> netmask 0 255.255.255.255
> config-source-dpm 0 True
> circuit-id-tag 0 "x.x.x.2 xpon 0/5/5:8.361.1"
> Downloaded User profile, including services:
> service-type 0 2 [Framed]
> accounting-list 0 "CISCO_ISG_SESSION_ACCNT_LIST"
> service-name 0 "L4REDIRECT_SERVICE"
> command 0 "deactivate-service"
> service-name 0 "OPENGARDEN_SERVICE"
> command 0 "deactivate-service"
> clid-mac-addr 0 D4 CA 6D 45 4E D2
> addr 0 x.x.x.10
> netmask 0 255.255.255.255
> config-source-dpm 0 True
> circuit-id-tag 0 "x.x.x.2 xpon 0/5/5:8.361.1"
> Config history for session (recent to oldest):
> Access-type: IP Client: DHCP
> Policy event: Session-Update
> Profile name: apply-config-only, 2 references
> clid-mac-addr 0 D4 CA 6D 45 4E D2
> addr 0 x.x.x.10
> netmask 0 255.255.255.255
> config-source-dpm 0 True
> circuit-id-tag 0 "x.x.x.2 xpon 0/5/5:8.361.1"
> Access-type: IP Client: SM
> Policy event: Service Selection Request
> Profile name: x.x.x.2 xpon 0/5/5:8.361.1#d4ca.6d45.4ed2, 2
> references
> service-type 0 2 [Framed]
> accounting-list 0 "CISCO_ISG_SESSION_ACCNT_LIST"
> service-name 0 "L4REDIRECT_SERVICE"
> command 0 "deactivate-service"
> service-name 0 "OPENGARDEN_SERVICE"
> command 0 "deactivate-service"
> Rules, actions and conditions executed:
> subscriber rule-map ISG_IPOE_SESSION_RULE1
> condition always event session-start
> 10 authorize aaa list TAL_AUTHEN_LIST identifier
> circuit-id#mac-address
>
> Classifiers:
> Class-id Dir Packets Bytes Pri. Definition
> 0 In 3 369 0 Match Any
> 1 Out 0 0 0 Match Any
>
> Features:
>
> Accounting:
> Class-id Dir Packets Bytes Source
> 0 In 3 351 Peruser
> 1 Out 0 0 Peruser
>
> Configuration Sources:
> Type Active Time AAA Service ID Name
> USR 00:00:14 - Peruser
> INT 00:00:14 - TenGigabitEthernet0/0/0.361
But if the same services are sent via CoA,
redirect and opengarden work like a charm and the subscriber looks like this.
> Type: IP, UID: 59, State: authen, Identity: x.x.x.2 xpon
> 0/5/5:8.361.1#d4ca.6d45.4ed2
> IPv4 Address: x.x.x.10
> Session Up-time: 00:02:40, Last Changed: 00:00:01
> Switch-ID: 20355
>
> Policy information:
> Context 7F0F3D0B88B0: Handle D3000BC4
> AAA_id 00000602: Flow_handle 0
> Authentication status: authen
> Downloaded User profile, excluding services:
> service-type 0 2 [Framed]
> accounting-list 0 "CISCO_ISG_SESSION_ACCNT_LIST"
> service-name 0 "L4REDIRECT_SERVICE"
> command 0 "deactivate-service"
> service-name 0 "OPENGARDEN_SERVICE"
> command 0 "deactivate-service"
> clid-mac-addr 0 D4 CA 6D 45 4E D2
> addr 0 x.x.x.10
> netmask 0 255.255.255.255
> config-source-dpm 0 True
> circuit-id-tag 0 "x.x.x.2 xpon 0/5/5:8.361.1"
> Downloaded User profile, including services:
> service-type 0 2 [Framed]
> accounting-list 0 "CISCO_ISG_SESSION_ACCNT_LIST"
> service-name 0 "L4REDIRECT_SERVICE"
> command 0 "deactivate-service"
> service-name 0 "OPENGARDEN_SERVICE"
> command 0 "deactivate-service"
> clid-mac-addr 0 D4 CA 6D 45 4E D2
> addr 0 x.x.x.10
> netmask 0 255.255.255.255
> config-source-dpm 0 True
> circuit-id-tag 0 "x.x.x.2 xpon 0/5/5:8.361.1"
> l4redirect 0 "redirect to group ISG_GROUP"
> username 0 "OPENGARDEN_SERVICE"
> traffic-class 0 "output access-group name
> ACL_OUT_OPENGARDEN priority 20"
> traffic-class 0 "input access-group name
> ACL_IN_OPENGARDEN priority 20"
> Config history for session (recent to oldest):
> Access-type: Web-service-logon Client: SM
> Policy event: Apply Config Success (Service)
> Profile name: OPENGARDEN_SERVICE, 427916 references
> password 0 <hidden>
> username 0 "OPENGARDEN_SERVICE"
> traffic-class 0 "output access-group name
> ACL_OUT_OPENGARDEN priority 20"
> traffic-class 0 "input access-group name
> ACL_IN_OPENGARDEN priority 20"
> Access-type: Web-service-logon Client: SM
> Policy event: Apply Config Success (Service)
> Profile name: L4REDIRECT_SERVICE, 427922 references
> password 0 <hidden>
> username 0 "L4REDIRECT_SERVICE"
> traffic-class 0 "input access-group name
> ACL_IN_L4REDIRECT priority 10"
> l4redirect 0 "redirect to group ISG_GROUP"
> traffic-class 0 "input default drop"
> traffic-class 0 "output default drop"
> Access-type: IP Client: DHCP
> Policy event: Session-Update
> Profile name: apply-config-only, 2 references
> clid-mac-addr 0 D4 CA 6D 45 4E D2
> addr 0 x.x.x.10
> netmask 0 255.255.255.255
> config-source-dpm 0 True
> circuit-id-tag 0 "x.x.x.2 xpon 0/5/5:8.361.1"
> Access-type: IP Client: SM
> Policy event: Service Selection Request
> Profile name: x.x.x.2 xpon 0/5/5:8.361.1#d4ca.6d45.4ed2, 2
> references
> service-type 0 2 [Framed]
> accounting-list 0 "CISCO_ISG_SESSION_ACCNT_LIST"
> service-name 0 "L4REDIRECT_SERVICE"
> command 0 "deactivate-service"
> service-name 0 "OPENGARDEN_SERVICE"
> command 0 "deactivate-service"
> Active services associated with session:
> name "OPENGARDEN_SERVICE"
> name "L4REDIRECT_SERVICE"
> Rules, actions and conditions executed:
> subscriber rule-map ISG_IPOE_SESSION_RULE1
> condition always event session-start
> 10 authorize aaa list TAL_AUTHEN_LIST identifier
> circuit-id#mac-address
> subscriber rule-map default-internal-rule
> condition always event service-start
> 1 service-policy type service identifier service-name
> subscriber rule-map default-internal-rule
> condition always event service-start
> 1 service-policy type service identifier service-name
>
> Classifiers:
> Class-id Dir Packets Bytes Pri. Definition
> 0 In 14 1356 0 Match Any
> 1 Out 6 444 0 Match Any
> 856010 In 0 0 10 Match ACL
> ACL_IN_L4REDIRECT
> 856012 In 0 0 20 Match ACL
> ACL_IN_OPENGARDEN
> 856013 Out 0 0 20 Match ACL
> ACL_OUT_OPENGARDEN
> 4294967294 In 0 0 - Drop
>
> Features:
>
> Accounting:
> Class-id Dir Packets Bytes Source
> 0 In 14 1176 Peruser
> 1 Out 6 336 Peruser
>
> L4 Redirect:
> Class-id Rule cfg Definition Source
> 856010 #1 SVC to group ISG_GROUP L4REDIRECT_SERVICE
>
> Configuration Sources:
> Type Active Time AAA Service ID Name
> SVC 00:00:03 - L4REDIRECT_SERVICE
> SVC 00:00:03 - OPENGARDEN_SERVICE
> USR 00:02:41 - Peruser
> INT 00:02:41 - TenGigabitEthernet0/0/0.361
>
Any ideas?
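As an added diagnostic (not part of the original post), the following Python parses the "Downloaded User profile, including services" and "Active services associated with session" sections of the `show subscriber session` output quoted above and reports which services the downloaded profile carries with `deactivate-service`, which services are actually active, and which requested activations never took effect. The embedded samples are trimmed, constructed excerpts of the two dumps above.

```python
"""Compare the services an ISG session's RADIUS profile asked for with the
services actually active on the session.  Added example, not from the
original post; the samples below are constructed excerpts of the dumps."""
import re

SERVICE_RE = re.compile(r'^service-name\s+\d+\s+"([^"]+)"')
COMMAND_RE = re.compile(r'^command\s+\d+\s+"([^"]+)"')
ACTIVE_RE = re.compile(r'^name\s+"([^"]+)"')


def parse_session(text):
    """Return (requested, active): requested maps service name -> command from
    the 'including services' profile, active is the set of active service names."""
    requested, active, section, pending = {}, set(), None, None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()          # drop mail quoting
        if line.startswith("Downloaded User profile, including services"):
            section = "profile"
        elif line.startswith("Active services associated with session"):
            section = "active"
        elif line.startswith(("Config history", "Rules, actions", "Classifiers")):
            section = None                       # leave the section we were in
        elif section == "profile":
            m = SERVICE_RE.match(line)
            if m:
                pending = m.group(1)             # command follows on next line
                continue
            m = COMMAND_RE.match(line)
            if m and pending:
                requested[pending], pending = m.group(1), None
        elif section == "active":
            m = ACTIVE_RE.match(line)
            if m:
                active.add(m.group(1))
    return requested, active


def diagnose(text):
    """Summarise the mismatch between requested and active services."""
    requested, active = parse_session(text)
    return {
        "requested": requested,
        "active": sorted(active),
        "deactivate_in_profile": sorted(
            n for n, c in requested.items() if c == "deactivate-service"),
        "activate_not_active": sorted(
            n for n, c in requested.items()
            if c == "activate-service" and n not in active),
    }


ACCESS_ACCEPT_DUMP = """\
> Downloaded User profile, including services:
> service-type 0 2 [Framed]
> service-name 0 "L4REDIRECT_SERVICE"
> command 0 "deactivate-service"
> service-name 0 "OPENGARDEN_SERVICE"
> command 0 "deactivate-service"
> Config history for session (recent to oldest):
"""
COA_DUMP = ACCESS_ACCEPT_DUMP + """\
> Active services associated with session:
> name "OPENGARDEN_SERVICE"
> name "L4REDIRECT_SERVICE"
> Rules, actions and conditions executed:
"""
```

Run `diagnose()` on the full text of each dump; a non-empty `deactivate_in_profile` on the Access-Accept case shows the profile the box actually received, independent of what the RADIUS server was meant to send.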