[rbak-nsp] CLIPS session in context depending on RADIUS

Stefano Rapari s.rapari at gmail.com
Tue Dec 21 14:46:37 EST 2010


No, no loop back

All you would do is tell the SmartEdge to accept the context from global RADIUS authentication, which in this case corresponds to your context, instead of forcing the use of your initially configured context. 

Thanks
S



On Dec 21, 2010, at 20:38, Arjan Van Der Oest <Arjan at voiceworks.nl> wrote:

> Sorry for being stubborn, but the manual says the same:
> 
> The following example configures the context siteA to globally authenticate its subscriber sessions using the RADIUS server with the IP address of 10.2.3.4 configured in the local context:
> 
> [local]Redback(config)#aaa global authentication subscriber radius context local 
> [local]Redback(config)#context local 
> [local]Redback(config-ctx)#radius server 10.2.3.4 key TopSecret 
> [local]Redback(config)#context siteA
> [local]Redback(config-ctx)#aaa authentication subscriber global
> 
> 
> What you tell me to do is to add a loop back into the global config, from the local context. 
> 
> show subscribers active does not show any subscribers.
> 
> 
> -- 
> Kind regards,
> 
> Arjan van der Oest
> Senior Network & Systems Engineer / Security Officer
> 
> Voiceworks BV - Editiestraat 29 - 1321 NG Almere
> Mobile : (+31) (0)36 7600 197
> Voiceworks, winner of the Gouden FD Gazelle Award 2010 http://bit.ly/eksf8V
> 
> On 21Dec, 2010, at 20:17 , Stefano Rapari wrote:
> 
>> Hello Arjan, 
>> 
>> I understand it may be confusing, but if you want to use the RADIUS context configuration you need to use global authentication. I would suggest checking the manuals. 
>> 
>> What I'm also asking for is the "show subscriber active" output, not the "show subscriber".
>> 
>> The fact that you see the subs, and then they disappear, means something went wrong and the subs didn't connect properly. The error I see below points to a possible configuration issue. 
>> 
>> 
>> Thanks
>> S
>> 
>> 
>> 
>> On Dec 21, 2010, at 20:09, Arjan Van Der Oest <Arjan at voiceworks.nl> wrote:
>> 
>>> Hi Stefano,
>>> 
>>> This doesn't make sense to me. From what I understand, on the SmartEdge you should point to the global AAA config, from where you should (and can only) point to the AAA config in the local config. However, with your 'aaa authentication subscriber global' in local, you would point back to global again, where it points back to local again.
>>> 
>>> However, I've tried this and it didn't work.
>>> 
>>> A show subscriber in the particular context sometimes briefly shows:
>>> 
>>> [vanderoest]nh-se1.redhosting.nl#show subscribers
>>> TYPE    CIRCUIT                    SUBSCRIBER         CONTEXT   START TIME     
>>> --------------------------------------------------------------------------------
>>> clips   2/3 vlan-id 2001 clips 131 00:50:7f:a1:41:e9  vanderoes Dec 21 19:52:10
>>> --------------------------------------------------------------------------------
>>> Total=1
>>> 
>>> Type            Authenticating          Active          Disconnecting
>>> PPP                          0               0                      0
>>> PPPoE                        0               0                      0
>>> DOT1Q                        0               0                      0
>>> CLIPs                        0               1                      0
>>> 
>>> But then disappears again.
>>> 
>>> Debug CLIPS all shows:
>>> 
>>> [vanderoest]nh-se1l#Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-CCT: Assigned session-id 131748
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-ISM: Sending circuit create to ISM
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-ISM: Sending circuit flags IP to ISM
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-ISM: Sending circuit config to ISM session id 131748
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-ISM: Sending circuit state UP to ISM
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-FSM: State now: Await-cct-up, was: Initial
>>> Dec 21 20:01:17: [2/3:1023:63/1/2/17]: %CLIPS-7-DHCP: Processed CREATE from dhcpd: flags=0x0 ip=94.247.1.12 ctx=0x0 giaddr=0.0.0.0 mac=00:50:7f:a1:41:e9 (new sesid=131748)
>>> Dec 21 20:01:17: [2/3:1023:63/1/2/17]: %CLIPS-7-DHCP: opt82_1=0x42534d2d4e444e2d44534c412d362061746d20312f312f31352f30353a302e
>>> Dec 21 20:01:17: [2/3:1023:63/1/2/17]: %CLIPS-7-DHCP: opt82_2=0x50494c4f54454742455254
>>> Dec 21 20:01:17: [2/3:1023:63/1/2/17]: %CLIPS-7-DHCP: client id len=7 type=1
>>> Dec 21 20:01:17: [2/3:1023:63/1/2/17]: %CLIPS-7-DHCP: hostname len=10 hostname=egberthuis
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-ISM: Processing ISM event: CCT cfg; CCT 1qcfg
>>> Dec 21 20:01:17: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG : 2/3:1023:63/7/2/676
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-ISM: Processing ISM event: CCT cfg; CCT 1qcfg
>>> Dec 21 20:01:17: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG : 2/3:1023:63/7/2/676
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-ISM: Processing ISM event: CCT state; CCT up
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-ISM: sub_event 2 state: Await-cct-up
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-FSM: State now: Sent-auth-req, was: Await-cct-up
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-AUTH: Sending authentication request to AAAd
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-AUTH: [33] Opt82_1: 42534d2d4e444e2d44534c412d362061746d20312f312f31352f30353a302e
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-AUTH: [11] Opt82_2: 50494c4f54454742455254
>>> Dec 21 20:01:17: %CLIPS-7-AUTH: authen_req: recreate: 0
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-AUTH: [9] Vendor-class: Vigor2820
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-AUTH: [7] Cliend-id: 
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-AUTH: [10] Hostname: egberthuis
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-AUTH: Authentication response status: Success
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-FSM: State now: Await-IP, was: Sent-auth-req
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-AUTH: Sending session up to AAAd
>>> Dec 21 20:01:17: [2/3:1023:63/1/2/17]: %CLIPS-7-ISM: Processing ISM event: CCT cfg; CCT 1qcfg
>>> Dec 21 20:01:17: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG : 2/3:1023:63/1/2/17
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-ISM: Processing ISM event: CCT cfg; CCT 1qcfg
>>> Dec 21 20:01:17: [0002]: [2/3:1023:63/7/2/676]: %DHCP-3-PKT_ERR: Could not create DHCP options for client packet type DISCOVER with MAC 00:50:7f:a1:41:e9
>>> Dec 21 20:01:17: [0002]: [2/3:1023:63/7/2/676]: %AAA-3-ERR: aaa_idx 500002a5: SET IPHOST TO NULL
>>> Dec 21 20:01:17: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG : 2/3:1023:63/7/2/676
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-DHCP: Received DELETE (reason 17)
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-FSM: 2/3:1023:63/7/2/676: fsm_state Await-IP ism up 1 shut 0 dhcp 1 mac_set 1 auth fail 0 del_pend 0 bounce 0 starting 0
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-FSM: State now: Await-down-cplt, was: Await-IP
>>> Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-AUTH: Sending session down to AAAd; cause: No error was recorded (0)
>>> Dec 21 20:01:18: [2/3:1023:63/7/2/676]: %CLIPS-7-ISM: Processing ISM event: CCT state; CCT del
>>> Dec 21 20:01:18: [2/3:1023:63/7/2/676]: %CLIPS-7-ISM: sub_event 4 state: Await-down-cplt
>>> Dec 21 20:01:18: [2/3:1023:63/7/2/676]: %CLIPS-7-FSM: State now: Unknown, was: Await-down-cplt
>>> Dec 21 20:01:18: %CLIPS-7-ISM: ICR Lib processing ISM CCT DEL: 2/3:1023:63/7/2/676
>>> Dec 21 20:01:18: [2/3:1023:63/1/2/17]: %CLIPS-7-ISM: Processing ISM event: CCT cfg; CCT 1qcfg
>>> Dec 21 20:01:18: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG : 2/3:1023:63/1/2/17
>>> 
>>> I'm particularly confused by:
>>> 
>>> Dec 21 20:01:17: [0002]: [2/3:1023:63/7/2/676]: %DHCP-3-PKT_ERR: Could not create DHCP options for client packet type DISCOVER with MAC 00:50:7f:a1:41:e9
>>> 
>>> As the context has a local DHCP server configured:
>>> 
>>> [vanderoest]nh-se1#show dhcp server range       
>>> 
>>> Interface "kpn-wba-dhcp":
>>> 192.168.2.2     192.168.2.254                 0 in use, 253 free,   0 reserved
>>> 
>>> 
>>> -- 
>>> Kind regards,
>>> 
>>> Arjan van der Oest
>>> Senior Network & Systems Engineer / Security Officer
>>> 
>>> Voiceworks BV - Editiestraat 29 - 1321 NG Almere
>>> Mobile : (+31) (0)36 7600 197
>>> Voiceworks, winner of the Gouden FD Gazelle Award 2010 http://bit.ly/eksf8V
>>> 
>>> On 21Dec, 2010, at 19:11 , Stefano Rapari wrote:
>>> 
>>>> Hi Arjan, 
>>>> 
>>>> for binding to a different context, you need to use global authentication.
>>>> 
>>>> In summary change the following :
>>>> 
>>>> aaa global authentication subscriber radius context local
>>>> 
>>>> context local 
>>>> aaa authentication subscriber global
>>>> 
>>>> If that doesn't work, could you please post the "show subscriber active" for this subscriber ?
>>>> 
>>>> Thanks
>>>> Stefano
>>>> 
>>>> On Dec 21, 2010, at 3:30 PM, Arjan Van Der Oest wrote:
>>>> 
>>>>> Hi,
>>>>> 
>>>>> I'm fairly new to the Redback platform. I'm trying to set up dynamic CLIPS. I'm receiving DSL customers from my telco via a single VLAN (I know, don't ask...); they will set option 82 with a unique key for each customer.
>>>>> 
>>>>> The current config is straightforward:
>>>>> 
>>>>> aaa global authentication subscriber radius context local
>>>>> !
>>>>> !
>>>>> service multiple-contexts
>>>>> !
>>>>> context local
>>>>> !
>>>>>  aaa authentication subscriber radius  
>>>>> !
>>>>>  radius server <bla> encrypted-key <bla>
>>>>> !
>>>>>  subscriber default
>>>>>   dhcp max-addrs 1
>>>>> !
>>>>>  interface kpn-wba-dhcp multibind
>>>>>   ip address 94.247.1.1/24
>>>>>   ip address 94.247.2.1/24 secondary
>>>>>   dhcp server interface
>>>>> !
>>>>>  dhcp server policy
>>>>>   default-lease-time 1800
>>>>>   maximum-lease-time 3600
>>>>>   subnet 94.247.1.0/24
>>>>>    range 94.247.1.2 94.247.1.254
>>>>>    option router 94.247.1.1
>>>>>    option domain-name-server 8.8.8.8 4.4.4.4
>>>>>   subnet 94.247.2.0/24
>>>>>    range 94.247.2.2 94.247.2.254
>>>>>    option router 94.247.2.1
>>>>>    option domain-name-server 8.8.8.8 4.4.4.4
>>>>> !
>>>>> port ethernet 2/3
>>>>>  description NH-CES-ETH1-7
>>>>>  no shutdown
>>>>>  encapsulation dot1q
>>>>>  dot1q pvc 2001 
>>>>>   service clips dhcp source-mac context local
>>>>> 
>>>>> This works together with this RADIUS config:
>>>>> 
>>>>> DEFAULT Auth-Type := Accept, Agent-Remote-Id == "PILOT"
>>>>>   Service-Type = Outbound-User,
>>>>>   Framed-IP-Address = 94.247.2.2,
>>>>>   Framed-IP-Netmask = 255.255.255.0,
>>>>>   Framed-Route = "94.247.3.0/24",
>>>>>   DHCP_Max_Leases = 1
>>>>> 
>>>>> Session is up and running, the record is matched on the Agent-Remote-ID, regardless of the MAC address (the way I want it).
>>>>> 
>>>>> Now I'm trying to redirect this CLIPS session to a second instance. So I've configured a context identical to local (testvpn) and I added "Context-Name = testvpn" to RADIUS. But somehow the Redback still tries to bind it to local. When I change the Framed-IP-Address (for example 192.168.1.1) then it fails to bind the clips, because this IP is obviously not present in local (but I've actually added it to the testvpn context).
>>>>> 
>>>>> What am I missing here? Pointers are appreciated.
>>>>> 
>>>>> -- 
>>>>> Kind regards,
>>>>> 
>>>>> Arjan van der Oest
>>>>> Senior Network & Systems Engineer / Security Officer
>>>>> 
>>>>> Voiceworks BV - Editiestraat 29 - 1321 NG Almere
>>>>> Mobile : (+31) (0)36 7600 197
>>>>> Voiceworks, winner of the Gouden FD Gazelle Award 2010 http://bit.ly/eksf8V
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> redback-nsp mailing list
>>>>> redback-nsp at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/redback-nsp
>>>> 
>>> 
> 
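The `debug clips all` output quoted in this thread carries the option 82 sub-options as raw hex and spreads one session's events over two circuit IDs (the DHCP-side lines are logged against a different circuit than the session's own). The script below is an added example for this thread, not code from the posts or from Redback/Ericsson: it parses lines in the format shown above, correlates them by session id, decodes opt82_1/opt82_2 to ASCII, and reports the FSM path, the severity-3 error lines and a one-line verdict per session. SAMPLE_LOG is a constructed excerpt of the lines quoted above; the line-format regexes and field names are this script's assumptions, taken only from those lines.

```python
"""Parse Redback SmartEdge `debug clips all` output and decode DHCP option 82.

Added example for this thread, not code from the original posts or from
Redback/Ericsson. The line format is taken only from the debug lines quoted
in the thread; the regexes and field names are assumptions of this script.
"""
import re
from collections import defaultdict

# Constructed excerpt of the debug lines quoted in the thread (one session).
SAMPLE_LOG = """\
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-CCT: Assigned session-id 131748
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-FSM: State now: Await-cct-up, was: Initial
Dec 21 20:01:17: [2/3:1023:63/1/2/17]: %CLIPS-7-DHCP: Processed CREATE from dhcpd: flags=0x0 ip=94.247.1.12 ctx=0x0 giaddr=0.0.0.0 mac=00:50:7f:a1:41:e9 (new sesid=131748)
Dec 21 20:01:17: [2/3:1023:63/1/2/17]: %CLIPS-7-DHCP: opt82_1=0x42534d2d4e444e2d44534c412d362061746d20312f312f31352f30353a302e
Dec 21 20:01:17: [2/3:1023:63/1/2/17]: %CLIPS-7-DHCP: opt82_2=0x50494c4f54454742455254
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-FSM: State now: Sent-auth-req, was: Await-cct-up
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-AUTH: Authentication response status: Success
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-FSM: State now: Await-IP, was: Sent-auth-req
Dec 21 20:01:17: [0002]: [2/3:1023:63/7/2/676]: %DHCP-3-PKT_ERR: Could not create DHCP options for client packet type DISCOVER with MAC 00:50:7f:a1:41:e9
Dec 21 20:01:17: [0002]: [2/3:1023:63/7/2/676]: %AAA-3-ERR: aaa_idx 500002a5: SET IPHOST TO NULL
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-DHCP: Received DELETE (reason 17)
Dec 21 20:01:17: [2/3:1023:63/7/2/676]: %CLIPS-7-FSM: State now: Await-down-cplt, was: Await-IP
Dec 21 20:01:18: [2/3:1023:63/7/2/676]: %CLIPS-7-FSM: State now: Unknown, was: Await-down-cplt
"""

# "<timestamp>: [<optional process id>]: [<circuit>]: %<FACILITY-SEV-MNEMONIC>: <text>"
# (search, not match, so a CLI prompt glued in front of the first line is tolerated)
LINE_RE = re.compile(
    r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d): (?:\[\d+\]: )?"
    r"\[(?P<cct>[^\]]+)\]: %(?P<msg>[A-Z]+-\d-[A-Z_]+): (?P<text>.*)$"
)
KV_RE = re.compile(r"(\w+)=([^\s)]+)")
FSM_RE = re.compile(r"State now: ([\w-]+), was: ([\w-]+)")
DELETE_RE = re.compile(r"Received DELETE \(reason (\d+)\)")


def decode_opt82(hexstr):
    """Turn the 0x-prefixed hex the BNG logs for an option 82 sub-option into text."""
    raw = hexstr[2:] if hexstr.startswith("0x") else hexstr
    return bytes.fromhex(raw).decode("ascii", errors="replace")


def _new_session():
    return {"circuit": None, "mac": None, "ip": None, "opt82": {}, "states": [],
            "auth": None, "errors": [], "delete_reason": None, "torn_down_from": None}


def parse_clips_debug(text):
    """Group debug lines by CLIPS session id and pull out the fields worth checking."""
    sessions = defaultdict(_new_session)
    cct_to_sid = {}  # both the session circuit and the DHCP circuit map to one session id
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without a circuit prefix (ICR Lib, fsm_state dumps) are skipped
        cct, msg, body = m.group("cct"), m.group("msg"), m.group("text")
        if msg == "CLIPS-7-CCT" and "Assigned session-id" in body:
            sid = body.rsplit(" ", 1)[1]
            cct_to_sid[cct] = sid
            sessions[sid]["circuit"] = cct
            continue
        if msg == "CLIPS-7-DHCP" and "Processed CREATE" in body:
            kv = dict(KV_RE.findall(body))
            sid = kv["sesid"]
            cct_to_sid[cct] = sid  # the following opt82 lines use this DHCP circuit id
            sessions[sid]["mac"], sessions[sid]["ip"] = kv.get("mac"), kv.get("ip")
            continue
        sid = cct_to_sid.get(cct)
        if sid is None:
            continue
        s = sessions[sid]
        severity = int(msg.split("-")[1])
        if severity <= 3:  # %XXX-3-... lines are the errors worth attaching to the session
            s["errors"].append("%%%s: %s" % (msg, body))
        elif msg == "CLIPS-7-DHCP" and body.startswith("opt82_"):
            key, hexval = body.split("=", 1)
            s["opt82"][key] = decode_opt82(hexval)
        elif msg == "CLIPS-7-DHCP" and DELETE_RE.search(body):
            s["delete_reason"] = DELETE_RE.search(body).group(1)
        elif msg == "CLIPS-7-FSM" and FSM_RE.match(body):
            new, old = FSM_RE.match(body).groups()
            s["states"].append(new)
            if new == "Await-down-cplt":
                s["torn_down_from"] = old  # the state the session was in when it was deleted
        elif msg == "CLIPS-7-AUTH" and body.startswith("Authentication response status"):
            s["auth"] = body.split(": ")[-1]
    return dict(sessions)


def outcome(s):
    """One-line verdict for a session: where in the CLIPS state machine it ended."""
    if s["auth"] != "Success":
        return "authentication did not succeed"
    if s["torn_down_from"] is not None:
        return "authenticated, then torn down from %s (%d error lines)" % (
            s["torn_down_from"], len(s["errors"]))
    return "up (state %s)" % (s["states"][-1] if s["states"] else "?")


if __name__ == "__main__":
    for sid, s in parse_clips_debug(SAMPLE_LOG).items():
        print("session %s cct=%s mac=%s ip=%s" % (sid, s["circuit"], s["mac"], s["ip"]))
        for k, v in sorted(s["opt82"].items()):
            print("  %s = %r" % (k, v))
        print("  states: %s" % " -> ".join(s["states"]))
        for e in s["errors"]:
            print("  error: %s" % e)
        print("  verdict: %s" % outcome(s))
```

Run against the quoted lines, the script decodes opt82_1 to the DSLAM circuit string `BSM-NDN-DSLA-6 atm 1/1/15/05:0.` and opt82_2 to `PILOTEGBERT`, and reports the session as authenticated and then torn down from Await-IP with the `%DHCP-3-PKT_ERR` and `%AAA-3-ERR` lines attached. The decoded opt82_2 value is what the BNG hands to RADIUS as Agent-Remote-Id, so it is the string to compare against whatever the users entry tests on; decoding it from the debug output avoids guessing at what the telco's DSLAM actually inserted.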



