[rbak-nsp] CLIPS session in context depending on RADIUS
Arjan Van Der Oest
Arjan at voiceworks.nl
Tue Dec 21 14:09:02 EST 2010
Hi Stefano,
This doesn't make sense to me. From what I understand, on the SmartEdge you should point to the global AAA config, from where you should (and only can) point to the AAA config in the local config. However, with your 'aaa authentication subscriber global' in local, you would point back to global again, where it points back to local again.
However, I've tried this and it didn't work.
A show subscribers in the particular context sometimes briefly shows:
[vanderoest]nh-se1.redhosting.nl#show subscribers
TYPE CIRCUIT SUBSCRIBER CONTEXT START TIME
--------------------------------------------------------------------------------
clips 2/3 vlan-id 2001 clips 131 00:50:7f:a1:41:e9 vanderoes Dec 21 19:52:10
--------------------------------------------------------------------------------
Total=1
Type Authenticating Active Disconnecting
PPP 0 0 0
PPPoE 0 0 0
DOT1Q 0 0 0
CLIPs 0 1 0
But then it disappears again.
Debug CLIPS all shows:
[vanderoest]nh-se1l#Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-CCT: Assigned session-id 131748
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-ISM: Sending circuit create to ISM
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-ISM: Sending circuit flags IP to ISM
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-ISM: Sending circuit config to ISM session id 131748
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-ISM: Sending circuit state UP to ISM
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-FSM: State now: Await-cct-up, was: Initial
Dec 21 20:01:17: [2/3:1023:63/1/2/17]: %CLIPS-7-DHCP: Processed CREATE from dhcpd: flags=0x0 ip=94.247.1.12 ctx=0x0 giaddr=0.0.0.0 mac=00:50:7f:a1:41:e9 (new sesid=131748)
Dec 21 20:01:17: [2/3:1023:63/1/2/17]: %CLIPS-7-DHCP: opt82_1=0x42534d2d4e444e2d44534c412d362061746d20312f312f31352f30353a302e
Dec 21 20:01:17: [2/3:1023:63/1/2/17]: %CLIPS-7-DHCP: opt82_2=0x50494c4f54454742455254
Dec 21 20:01:17: [2/3:1023:63/1/2/17]: %CLIPS-7-DHCP: client id len=7 type=1
Dec 21 20:01:17: [2/3:1023:63/1/2/17]: %CLIPS-7-DHCP: hostname len=10 hostname=egberthuis
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-ISM: Processing ISM event: CCT cfg; CCT 1qcfg
Dec 21 20:01:17: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG : 2/3:1023:63/7/2/676
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-ISM: Processing ISM event: CCT cfg; CCT 1qcfg
Dec 21 20:01:17: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG : 2/3:1023:63/7/2/676
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-ISM: Processing ISM event: CCT state; CCT up
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-ISM: sub_event 2 state: Await-cct-up
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-FSM: State now: Sent-auth-req, was: Await-cct-up
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-AUTH: Sending authentication request to AAAd
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-AUTH: [33] Opt82_1: 42534d2d4e444e2d44534c412d362061746d20312f312f31352f30353a302e
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-AUTH: [11] Opt82_2: 50494c4f54454742455254
Dec 21 20:01:17: %CLIPS-7-AUTH: authen_req: recreate: 0
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-AUTH: [9] Vendor-class: Vigor2820
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-AUTH: [7] Cliend-id:
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-AUTH: [10] Hostname: egberthuis
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-AUTH: Authentication response status: Success
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-FSM: State now: Await-IP, was: Sent-auth-req
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-AUTH: Sending session up to AAAd
Dec 21 20:01:17: [2/3:1023:63/1/2/17]: %CLIPS-7-ISM: Processing ISM event: CCT cfg; CCT 1qcfg
Dec 21 20:01:17: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG : 2/3:1023:63/1/2/17
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-ISM: Processing ISM event: CCT cfg; CCT 1qcfg
Dec 21 20:01:17: [0002]: [2/3:1023:63/7/2/676]: %DHCP-3-PKT_ERR: Could not create DHCP options for client packet type DISCOVER with MAC 00:50:7f:a1:41:e9
Dec 21 20:01:17: [0002]: [2/3:1023:63/7/2/676]: %AAA-3-ERR: aaa_idx 500002a5: SET IPHOST TO NULL
Dec 21 20:01:17: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG : 2/3:1023:63/7/2/676
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-DHCP: Received DELETE (reason 17)
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-FSM: 2/3:1023:63/7/2/676: fsm_state Await-IP ism up 1 shut 0 dhcp 1 mac_set 1 auth fail 0 del_pend 0 bounce 0 starting 0
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-FSM: State now: Await-down-cplt, was: Await-IP
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-AUTH: Sending session down to AAAd; cause: No error was recorded (0)
Dec 21 20:01:18: [2/3:1023:63/7/2/676]: %CLIPS-7-ISM: Processing ISM event: CCT state; CCT del
Dec 21 20:01:18: [2/3:1023:63/7/2/676]: %CLIPS-7-ISM: sub_event 4 state: Await-down-cplt
Dec 21 20:01:18: [2/3:1023:63/7/2/676]: %CLIPS-7-FSM: State now: Unknown, was: Await-down-cplt
Dec 21 20:01:18: %CLIPS-7-ISM: ICR Lib processing ISM CCT DEL: 2/3:1023:63/7/2/676
Dec 21 20:01:18: [2/3:1023:63/1/2/17]: %CLIPS-7-ISM: Processing ISM event: CCT cfg; CCT 1qcfg
Dec 21 20:01:18: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG : 2/3:1023:63/1/2/17
I'm particularly confused by:
Dec 21 20:01:17: [0002]: [2/3:1023:63/7/2/676]: %DHCP-3-PKT_ERR: Could not create DHCP options for client packet type DISCOVER with MAC 00:50:7f:a1:41:e9
As the context has a local DHCP server configured:
[vanderoest]nh-se1#show dhcp server range
Interface "kpn-wba-dhcp":
192.168.2.2 192.168.2.254 0 in use, 253 free, 0 reserved
--
Kind regards,
Arjan van der Oest
Senior Network & Systems Engineer / Security Officer
Voiceworks BV - Editiestraat 29 - 1321 NG Almere
Mobile : (+31) (0)36 7600 197
Voiceworks winner of the Gouden FD Gazelle Award 2010 http://bit.ly/eksf8V
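The debug output above, worked through as an added example that is not part of this thread and not SmartEdge software: a small Python helper that parses 'debug clips all' lines, decodes the two Option 82 sub-options CLIPS hands to AAAd (the Agent-Circuit-Id and the Agent-Remote-Id that the users-file entry further down the thread matches on), lists the CLIPS FSM transitions and pulls out the severity-3 error lines. The embedded log lines are copied from the debug output above; the function and class names, and the users-file check items passed to `remote_id_matches`, are assumptions made for the example.

```python
"""Triage helper for Redback/SmartEdge 'debug clips all' output (added example)."""
import re
from dataclasses import dataclass, field

# Sample input: a subset of the debug lines quoted in the message above.
SAMPLE_LOG = """\
Dec 21 20:01:17: [2/3:1023:63/1/2/17]: %CLIPS-7-DHCP: opt82_1=0x42534d2d4e444e2d44534c412d362061746d20312f312f31352f30353a302e
Dec 21 20:01:17: [2/3:1023:63/1/2/17]: %CLIPS-7-DHCP: opt82_2=0x50494c4f54454742455254
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-FSM: State now: Await-cct-up, was: Initial
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-FSM: State now: Sent-auth-req, was: Await-cct-up
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-AUTH: Authentication response status: Success
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-FSM: State now: Await-IP, was: Sent-auth-req
Dec 21 20:01:17: [0002]: [2/3:1023:63/7/2/676]: %DHCP-3-PKT_ERR: Could not create DHCP options for client packet type DISCOVER with MAC 00:50:7f:a1:41:e9
Dec 21 20:01:17: [0002]: [2/3:1023:63/7/2/676]: %AAA-3-ERR: aaa_idx 500002a5: SET IPHOST TO NULL
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-DHCP: Received DELETE (reason 17)
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-FSM: State now: Await-down-cplt, was: Await-IP
"""

# SEOS log tag: %FACILITY-SEVERITY-MNEMONIC: message
TAG_RE = re.compile(r"%(?P<fac>[A-Z]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<msg>.*)$")
OPT82_RE = re.compile(r"opt82_(?P<n>[12])=0x(?P<hex>[0-9a-fA-F]+)")
FSM_RE = re.compile(r"State now: (?P<new>[\w-]+), was: (?P<old>[\w-]+)")


def decode_opt82(hexstr: str) -> str:
    """Decode a hex-encoded Option 82 sub-option; non-printable bytes become \\xNN."""
    raw = bytes.fromhex(hexstr)
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in raw)


@dataclass
class ClipsTriage:
    opt82: dict = field(default_factory=dict)      # {1: circuit-id, 2: remote-id}
    transitions: list = field(default_factory=list)  # [(old_state, new_state), ...]
    errors: list = field(default_factory=list)       # [(facility, mnemonic, message), ...]


def triage(log: str) -> ClipsTriage:
    """Walk the debug output once and collect what a CLIPS troubleshooter needs."""
    result = ClipsTriage()
    for line in log.splitlines():
        m = TAG_RE.search(line)
        if not m:
            continue  # prompt echo or non-log text
        msg = m.group("msg")
        o = OPT82_RE.search(msg)
        if o:
            result.opt82[int(o.group("n"))] = decode_opt82(o.group("hex"))
        f = FSM_RE.search(msg)
        if f:
            result.transitions.append((f.group("old"), f.group("new")))
        if int(m.group("sev")) <= 3:  # syslog severity 3 = error
            result.errors.append((m.group("fac"), m.group("mnem"), msg))
    return result


def remote_id_matches(remote_id: str, check_items: str) -> bool:
    """Evaluate a FreeRADIUS users-file check item on Agent-Remote-Id.
    '==' is an exact string compare; '=~' applies the quoted regular expression."""
    m = re.search(r'Agent-Remote-Id\s*(==|=~)\s*"([^"]*)"', check_items)
    if not m:
        return False
    op, value = m.groups()
    if op == "==":
        return remote_id == value
    return re.search(value, remote_id) is not None


if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    print("Agent-Circuit-Id:", t.opt82.get(1))
    print("Agent-Remote-Id :", t.opt82.get(2))
    for old, new in t.transitions:
        print(f"FSM {old} -> {new}")
    for fac, mnem, msg in t.errors:
        print(f"ERROR %{fac}-{mnem}: {msg}")
```

Running it shows the decoded Agent-Remote-Id next to the exact FSM path (Initial, Await-cct-up, Sent-auth-req, Await-IP, Await-down-cplt) and the two error lines that sit between the successful authentication and the DELETE, which is the window to look at when a session goes up and straight back down.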
On 21 Dec 2010, at 19:11, Stefano Rapari wrote:
> Hi Arjan,
>
> For binding to a different context, you need to use global authentication.
>
> In summary, change the following:
>
> aaa global authentication subscriber radius context local
>
> context local
> aaa authentication subscriber global
>
> If that doesn't work, could you please post the "show subscriber active" for this subscriber?
>
> Thanks
> Stefano
>
> On Dec 21, 2010, at 3:30 PM, Arjan Van Der Oest wrote:
>
>> Hi,
>>
>> I'm fairly new to the Redback platform. I'm trying to set up dynamic CLIPS. I'm receiving DSL customers from my telco via a single VLAN (I know, don't ask...); they will set Option 82 with a unique key for each customer.
>>
>> The current config is straightforward:
>>
>> aaa global authentication subscriber radius context local
>> !
>> !
>> service multiple-contexts
>> !
>> context local
>> !
>>  aaa authentication subscriber radius
>> !
>>  radius server <bla> encrypted-key <bla>
>> !
>>  subscriber default
>>   dhcp max-addrs 1
>> !
>>  interface kpn-wba-dhcp multibind
>>   ip address 94.247.1.1/24
>>   ip address 94.247.2.1/24 secondary
>>   dhcp server interface
>> !
>>  dhcp server policy
>>   default-lease-time 1800
>>   maximum-lease-time 3600
>>   subnet 94.247.1.0/24
>>    range 94.247.1.2 94.247.1.254
>>    option router 94.247.1.1
>>    option domain-name-server 8.8.8.8 4.4.4.4
>>   subnet 94.247.2.0/24
>>    range 94.247.2.2 94.247.2.254
>>    option router 94.247.2.1
>>    option domain-name-server 8.8.8.8 4.4.4.4
>> !
>> port ethernet 2/3
>>  description NH-CES-ETH1-7
>>  no shutdown
>>  encapsulation dot1q
>>  dot1q pvc 2001
>>   service clips dhcp source-mac context local
>>
>> This works together with this RADIUS config:
>>
>> DEFAULT Auth-Type := Accept, Agent-Remote-Id == "PILOT"
>>         Service-Type = Outbound-User,
>>         Framed-IP-Address = 94.247.2.2,
>>         Framed-IP-Netmask = 255.255.255.0,
>>         Framed-Route = "94.247.3.0/24",
>>         DHCP_Max_Leases = 1
>>
>> The session is up and running; the record is matched on the Agent-Remote-Id, regardless of the MAC address (the way I want it).
>>
>> Now I'm trying to redirect this CLIPS session to a second instance. So I've configured a context identical to local (testvpn) and added "Context-Name = testvpn" to RADIUS. But somehow the Redback still tries to bind it to local. When I change the Framed-IP-Address (for example to 192.168.1.1), it fails to bind the CLIPS session, because this IP is obviously not present in local (but I've actually added it to the testvpn context).
>>
>> What am I missing here? Pointers are appreciated.
>>
>> _______________________________________________
>> redback-nsp mailing list
>> redback-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/redback-nsp
>