[c-nsp] Cisco ASR1K ISG+L4REDIRECT+OPENGARDEN+Radius+CoA problem
Georgi Genov
linuxloader at gmail.com
Fri Jul 20 06:23:40 EDT 2012
Sorry, everywhere it is
command 0 "activate-service"
not command 0 "deactivate-service"
just a copy/paste error :)
On Fri, Jul 20, 2012 at 1:12 PM, Georgi Genov <linuxloader at gmail.com> wrote:
> Hi all
> We have a ASR1K with
> Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-ADVIPSERVICESK9-M),
> Version 15.2(2)S, RELEASE SOFTWARE (fc1)
> IOS XE Version: 03.06.00.S
> ASR1000-ESP40
> ASR1000-SIP40
>
> The case that we have with the ISG is very strange.
> Here are the policy and acl for the services
>
> class-map type traffic match-any ISG_OPENGARDEN
> match access-group output name ACL_OUT_OPENGARDEN
> match access-group input name ACL_IN_OPENGARDEN
> !
> class-map type traffic match-any L4REDIRECT
> match access-group input name ACL_IN_L4REDIRECT
> !
> policy-map type service L4REDIRECT_SERVICE
> 10 class type traffic L4REDIRECT
> redirect to group ISG_GROUP
> !
> class type traffic default in-out
> drop
>
> ip access-list extended ACL_IN_L4REDIRECT
> deny tcp any host x.x.x.114 eq 4040
> deny tcp any host x.x.x.114
> deny udp any any eq domain
> permit icmp any any
> permit tcp any any eq www
> permit tcp any any eq 443
> permit ip any any
> ip access-list extended ACL_IN_OPENGARDEN
> permit ip any host x.x.x.114
> permit udp any any eq domain
> permit udp any eq domain any
> permit icmp any any
> deny ip any any
> ip access-list extended ACL_OUT_OPENGARDEN
> permit ip host x.x.x.114 any
> permit udp any any eq domain
> permit udp any eq domain any
> permit icmp any any
> deny ip any any
>
> And here is the control policy-map
>
> policy-map type control ISG_IPOE_SESSION_RULE1
> class type control always event session-start
> 10 authorize aaa list TAL_AUTHEN_LIST password AAACISCO identifier
> circuit-id plus mac-address separator #
> !
> class type control always event account-logon
> 10 authenticate aaa list TAL_AUTHEN_LIST
> !
> class type control always event account-logoff
> 10 service disconnect delay 3
> !
>
> Here is the radius and aaa part
> aaa authentication login TAL_AUTHEN_LIST group RADIUS_GR
> aaa authorization network TAL_AUTHEN_LIST group RADIUS_GR
> aaa accounting network TAL_AUTHEN_LIST start-stop group RADIUS_GR
> aaa group server radius RADIUS_GR
> ip radius source-interface Loopback0
> ip radius source-interface Loopback0
> radius-server attribute 44 include-in-access-req default-vrf
> radius-server attribute 218 mandatory
> radius-server attribute 6 on-for-login-auth
> radius-server attribute 6 support-multiple
> radius-server attribute 8 include-in-access-req
> radius-server attribute 32 include-in-access-req
> radius-server attribute 32 include-in-accounting-req
> radius-server attribute 55 include-in-acct-req
> radius-server attribute 55 access-request include
> radius-server attribute 25 access-request include
> radius-server attribute 4 loopback0
> radius-server host x.x.x.135 auth-port 1812 acct-port 1813 key 7 removed
> radius-server key 7 removed
> radius-server vsa send accounting
> radius-server vsa send authentication
>
> *And finally, here is the case.*
> If we set in the RADIUS Access-Accept
> Cisco-AVPair = "subscriber:service-name=L4REDIRECT_SERVICE"
> Cisco-AVPair = "subscriber:command=activate-service"
> Cisco-AVPair = "subscriber:service-name=OPENGARDEN_SERVICE"
> Cisco-AVPair = "subscriber:command=activate-service"
>
> The subscriber looks like this,
> and the redirect and opengarden didn't work.
>
> Type: IP, UID: 59, State: authen, Identity: x.x.x.2 xpon
> 0/5/5:8.361.1#d4ca.6d45.4ed2
> IPv4 Address: x.x.x.10
> Session Up-time: 00:00:13, Last Changed: 00:00:12
> Switch-ID: 20355
>
> Policy information:
> Context 7F0F3D0B88B0: Handle D3000BC4
> AAA_id 00000602: Flow_handle 0
> Authentication status: authen
> Downloaded User profile, excluding services:
> service-type 0 2 [Framed]
> accounting-list 0 "CISCO_ISG_SESSION_ACCNT_LIST"
> service-name 0 "L4REDIRECT_SERVICE"
> command 0 "deactivate-service"
> service-name 0 "OPENGARDEN_SERVICE"
> command 0 "deactivate-service"
> clid-mac-addr 0 D4 CA 6D 45 4E D2
> addr 0 x.x.x.10
> netmask 0 255.255.255.255
> config-source-dpm 0 True
> circuit-id-tag 0 "x.x.x.2 xpon 0/5/5:8.361.1"
> Downloaded User profile, including services:
> service-type 0 2 [Framed]
> accounting-list 0 "CISCO_ISG_SESSION_ACCNT_LIST"
> service-name 0 "L4REDIRECT_SERVICE"
> command 0 "deactivate-service"
> service-name 0 "OPENGARDEN_SERVICE"
> command 0 "deactivate-service"
> clid-mac-addr 0 D4 CA 6D 45 4E D2
> addr 0 x.x.x.10
> netmask 0 255.255.255.255
> config-source-dpm 0 True
> circuit-id-tag 0 "x.x.x.2 xpon 0/5/5:8.361.1"
> Config history for session (recent to oldest):
> Access-type: IP Client: DHCP
> Policy event: Session-Update
> Profile name: apply-config-only, 2 references
> clid-mac-addr 0 D4 CA 6D 45 4E D2
> addr 0 x.x.x.10
> netmask 0 255.255.255.255
> config-source-dpm 0 True
> circuit-id-tag 0 "x.x.x.2 xpon 0/5/5:8.361.1"
> Access-type: IP Client: SM
> Policy event: Service Selection Request
> Profile name: x.x.x.2 xpon 0/5/5:8.361.1#d4ca.6d45.4ed2, 2 references
> service-type 0 2 [Framed]
> accounting-list 0 "CISCO_ISG_SESSION_ACCNT_LIST"
> service-name 0 "L4REDIRECT_SERVICE"
> command 0 "deactivate-service"
> service-name 0 "OPENGARDEN_SERVICE"
> command 0 "deactivate-service"
> Rules, actions and conditions executed:
> subscriber rule-map ISG_IPOE_SESSION_RULE1
> condition always event session-start
> 10 authorize aaa list TAL_AUTHEN_LIST identifier
> circuit-id#mac-address
>
> Classifiers:
> Class-id Dir Packets Bytes Pri. Definition
> 0 In 3 369 0 Match Any
> 1 Out 0 0 0 Match Any
>
> Features:
>
> Accounting:
> Class-id Dir Packets Bytes Source
> 0 In 3 351 Peruser
> 1 Out 0 0 Peruser
>
> Configuration Sources:
> Type Active Time AAA Service ID Name
> USR 00:00:14 - Peruser
> INT 00:00:14 - TenGigabitEthernet0/0/0.361
>
> But if the same services are sent via CoA,
> redirect and opengarden work like a charm and the subscriber looks like this.
>
> Type: IP, UID: 59, State: authen, Identity: x.x.x.2 xpon
> 0/5/5:8.361.1#d4ca.6d45.4ed2
> IPv4 Address: x.x.x.10
> Session Up-time: 00:02:40, Last Changed: 00:00:01
> Switch-ID: 20355
>
> Policy information:
> Context 7F0F3D0B88B0: Handle D3000BC4
> AAA_id 00000602: Flow_handle 0
> Authentication status: authen
> Downloaded User profile, excluding services:
> service-type 0 2 [Framed]
> accounting-list 0 "CISCO_ISG_SESSION_ACCNT_LIST"
> service-name 0 "L4REDIRECT_SERVICE"
> command 0 "deactivate-service"
> service-name 0 "OPENGARDEN_SERVICE"
> command 0 "deactivate-service"
> clid-mac-addr 0 D4 CA 6D 45 4E D2
> addr 0 x.x.x.10
> netmask 0 255.255.255.255
> config-source-dpm 0 True
> circuit-id-tag 0 "x.x.x.2 xpon 0/5/5:8.361.1"
> Downloaded User profile, including services:
> service-type 0 2 [Framed]
> accounting-list 0 "CISCO_ISG_SESSION_ACCNT_LIST"
> service-name 0 "L4REDIRECT_SERVICE"
> command 0 "deactivate-service"
> service-name 0 "OPENGARDEN_SERVICE"
> command 0 "deactivate-service"
> clid-mac-addr 0 D4 CA 6D 45 4E D2
> addr 0 x.x.x.10
> netmask 0 255.255.255.255
> config-source-dpm 0 True
> circuit-id-tag 0 "x.x.x.2 xpon 0/5/5:8.361.1"
> l4redirect 0 "redirect to group ISG_GROUP"
> username 0 "OPENGARDEN_SERVICE"
> traffic-class 0 "output access-group name ACL_OUT_OPENGARDEN
> priority 20"
> traffic-class 0 "input access-group name ACL_IN_OPENGARDEN
> priority 20"
> Config history for session (recent to oldest):
> Access-type: Web-service-logon Client: SM
> Policy event: Apply Config Success (Service)
> Profile name: OPENGARDEN_SERVICE, 427916 references
> password 0 <hidden>
> username 0 "OPENGARDEN_SERVICE"
> traffic-class 0 "output access-group name
> ACL_OUT_OPENGARDEN priority 20"
> traffic-class 0 "input access-group name
> ACL_IN_OPENGARDEN priority 20"
> Access-type: Web-service-logon Client: SM
> Policy event: Apply Config Success (Service)
> Profile name: L4REDIRECT_SERVICE, 427922 references
> password 0 <hidden>
> username 0 "L4REDIRECT_SERVICE"
> traffic-class 0 "input access-group name
> ACL_IN_L4REDIRECT priority 10"
> l4redirect 0 "redirect to group ISG_GROUP"
> traffic-class 0 "input default drop"
> traffic-class 0 "output default drop"
> Access-type: IP Client: DHCP
> Policy event: Session-Update
> Profile name: apply-config-only, 2 references
> clid-mac-addr 0 D4 CA 6D 45 4E D2
> addr 0 x.x.x.10
> netmask 0 255.255.255.255
> config-source-dpm 0 True
> circuit-id-tag 0 "x.x.x.2 xpon 0/5/5:8.361.1"
> Access-type: IP Client: SM
> Policy event: Service Selection Request
> Profile name: x.x.x.2 xpon 0/5/5:8.361.1#d4ca.6d45.4ed2, 2 references
> service-type 0 2 [Framed]
> accounting-list 0 "CISCO_ISG_SESSION_ACCNT_LIST"
> service-name 0 "L4REDIRECT_SERVICE"
> command 0 "deactivate-service"
> service-name 0 "OPENGARDEN_SERVICE"
> command 0 "deactivate-service"
> Active services associated with session:
> name "OPENGARDEN_SERVICE"
> name "L4REDIRECT_SERVICE"
> Rules, actions and conditions executed:
> subscriber rule-map ISG_IPOE_SESSION_RULE1
> condition always event session-start
> 10 authorize aaa list TAL_AUTHEN_LIST identifier
> circuit-id#mac-address
> subscriber rule-map default-internal-rule
> condition always event service-start
> 1 service-policy type service identifier service-name
> subscriber rule-map default-internal-rule
> condition always event service-start
> 1 service-policy type service identifier service-name
>
> Classifiers:
> Class-id Dir Packets Bytes Pri. Definition
> 0 In 14 1356 0 Match Any
> 1 Out 6 444 0 Match Any
> 856010 In 0 0 10 Match ACL
> ACL_IN_L4REDIRECT
> 856012 In 0 0 20 Match ACL
> ACL_IN_OPENGARDEN
> 856013 Out 0 0 20 Match ACL
> ACL_OUT_OPENGARDEN
> 4294967294 In 0 0 - Drop
>
> Features:
>
> Accounting:
> Class-id Dir Packets Bytes Source
> 0 In 14 1176 Peruser
> 1 Out 6 336 Peruser
>
> L4 Redirect:
> Class-id Rule cfg Definition Source
> 856010 #1 SVC to group ISG_GROUP
> L4REDIRECT_SERVICE
>
> Configuration Sources:
> Type Active Time AAA Service ID Name
> SVC 00:00:03 - L4REDIRECT_SERVICE
> SVC 00:00:03 - OPENGARDEN_SERVICE
> USR 00:02:41 - Peruser
> INT 00:02:41 - TenGigabitEthernet0/0/0.361
>
> Any ideas?
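As an added illustration (not part of the thread or of any Cisco tooling), the CoA path that works above carries exactly the Cisco-AVPairs listed in the post. The script below builds such a CoA-Request (RFC 5176) with the Request Authenticator that the NAS recomputes against the shared secret before accepting it, and decodes the AV pairs back out, so a capture of the server's Access-Accept and its CoA-Request can be compared attribute for attribute. The shared secret, packet Identifier and session address are constructed placeholders.

```python
import hashlib
import struct

CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # vendor type of Cisco-AVPair inside the VSA
COA_REQUEST = 43             # RFC 5176 CoA-Request packet code
ATTR_FRAMED_IP_ADDRESS = 8   # RADIUS attribute 8, used here as the session key
ATTR_VENDOR_SPECIFIC = 26    # RADIUS attribute 26


def cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair string as a RADIUS Vendor-Specific attribute."""
    data = value.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(vsa), CISCO_VENDOR_ID) + vsa


def framed_ip(addr: str) -> bytes:
    """Framed-IP-Address attribute identifying the ISG session to act on."""
    return struct.pack("!BB", ATTR_FRAMED_IP_ADDRESS, 6) + bytes(int(o) for o in addr.split("."))


def coa_activate(secret: bytes, identifier: int, session_ip: str, services: list) -> bytes:
    """Build a CoA-Request activating each named ISG service, as in the post."""
    attrs = framed_ip(session_ip)
    for svc in services:
        attrs += cisco_avpair(f"subscriber:service-name={svc}")
        attrs += cisco_avpair("subscriber:command=activate-service")
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # RFC 5176 s3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the authenticator the way a NAS does; a mismatch means the packet is dropped."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == auth


def list_avpairs(packet: bytes) -> list:
    """Walk the attribute list and return the decoded Cisco-AVPair strings in order."""
    out, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == ATTR_VENDOR_SPECIFIC and packet[pos + 2:pos + 6] == struct.pack("!I", CISCO_VENDOR_ID):
            vsa = packet[pos + 6:pos + alen]
            if vsa[0] == CISCO_AVPAIR:
                out.append(vsa[2:vsa[1]].decode())
        pos += alen
    return out
```

The same `list_avpairs` walk works on an Access-Accept captured from the server, since the VSA encoding is identical in both packet types.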