Jabbson
Computer networks expert
Intelligent Services Gateway - a quick overview

04.06.2014, 04:14. Views: 15011. Replies: 20

ISG - Intelligent Services Gateway. Overview.



In this post I would like to show (as briefly as possible) an example ISG configuration.
For those who do not know, ISG (Intelligent Services Gateway) is a framework on the Cisco 10000, Cisco 7200, Cisco 7300 and Cisco ASR platforms for organizing subscriber access, with a simplified authentication scheme, a flexible integrated rule (policy) management system and deep integration at the operational level, which allows the framework to be tied into existing AAA, billing and subscriber portal platforms.

This is how Cisco describes the benefits of introducing ISG:
  • ISG features in IOS offered across industry leading portfolio of Cisco routers
  • Interface for ATM, Gigabit Ethernet, VLAN, and IP Access
  • Transport service across IP, L2TP and MPLS network interfaces
  • Establish and control PPP as well as next generation IP or IP Subnet Sessions
  • Authenticate and authorize subscribers using DHCP or RADIUS based authentication
  • Define local intelligent policies directly in ISG router
  • Support standards based RADIUS CoA (RFC 3576) service control interface into BSS
  • Control & account for per-subscriber & per-service use for post-paid and pre-paid billing

Sounds sweet. Now about the features. To avoid repeating myself, I will again quote Cisco:

Features
[images: ISG feature lists from Cisco's materials]


Reading materials:
White Paper
Intelligent Service Gateway Features Roadmap (12.2, 15.0)
Cisco IOS Intelligent Services Gateway Command Reference
Cisco ISG Design and Deployment Guide: ATM Aggregation Using Cisco IOS Software Release 12.2(28)SB5
Cisco ISG Design and Deployment Guide: Gigabit Ethernet Aggregation Using Cisco IOS Software Release 12.2(31)SB2
Intelligent Services Gateway Configuration Guide, Cisco IOS XE Release 3S
Intelligent Services Gateway Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000)

The following Cisco Live materials are available on this topic:
  1. RRKSPG-3304: Subscriber Session Management: Wired and SP Wi-Fi Session Management
  2. BRKSPG-3304: Subscriber Aware Ethernet: Traditional Broadband Functions over Next-Gen Carrier Ethernet Networks
  3. BRKSPG-2803: Service Provider Wi-Fi
  4. and a slightly dated presentation
  5. BRKOPT-3301: Deploying Advanced Subscriber Management Using Intelligent Service Gateway

Now closer to the point.

For my example I will take the standard (and simplest) topology, which is nothing fancy but still lets me show some of the capabilities of Cisco ISG. Let me state right away that for the demonstration I will use virtualization both for the service gateway and for the end user.

[image: lab topology]

Devices:
ISG: CSR1000v
ISG#sh ver
Cisco IOS XE Software, Version 03.12.00.S - Standard Support Release
Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 26-Mar-14 21:09 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2014 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

ISG uptime is 1 day, 59 minutes
Uptime for this control processor is 1 day, 1 hour, 0 minutes
System returned to ROM by reload at 11:47:31 FET Mon Jun 2 2014
System restarted at 11:49:05 FET Mon Jun 2 2014
System image file is "bootflash:packages.conf"
Last reload reason: Reload Command



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: premium
License Type: Evaluation License
Next reload license Level: premium

cisco CSR1000V (VXE) processor with 2170596K/6147K bytes of memory.
Processor board ID 9G4FLFSIQPY
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.

Configuration register is 0x2102
DHCP: CSR1000v
DHCP_SERVER#show ver
Cisco IOS XE Software, Version 03.12.00.S - Standard Support Release
Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 26-Mar-14 21:09 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2014 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

DHCP_SERVER uptime is 1 week, 5 days, 1 hour, 49 minutes
Uptime for this control processor is 1 week, 5 days, 1 hour, 50 minutes
System returned to ROM by reload
System restarted at 11:00:23 FET Thu May 22 2014
System image file is "bootflash:packages.conf"
Last reload reason: Unknown reason



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: limited
License Type: Default. No valid license found.
Next reload license Level: limited

cisco CSR1000V (VXE) processor with 804580K/6147K bytes of memory.
Processor board ID 9FGH5Z8MDHJ
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3145728K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.

Configuration register is 0x2102
INT-GW: CSR1000V
INT_GW#sh ver
Cisco IOS XE Software, Version 03.12.00.S - Standard Support Release
Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 26-Mar-14 21:09 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2014 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

INT_GW uptime is 1 day, 2 hours, 29 minutes
Uptime for this control processor is 1 day, 2 hours, 29 minutes
System returned to ROM by reload
System image file is "bootflash:packages.conf"
Last reload reason: Reload Command



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: limited
License Type: Default. No valid license found.
Next reload license Level: limited

cisco CSR1000V (VXE) processor with 804580K/6147K bytes of memory.
Processor board ID 90FUTHQ505J
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3145728K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.

Configuration register is 0x2102
RADIUS (freeradius) / SQL (mysql) / WEB-PORTAL (home-grown): vmware host
root@freeradius:~# uname -a
Linux freeradius 3.2.0-4-686-pae #1 SMP Debian 3.2.57-3+deb7u1 i686 GNU/Linux
root@freeradius:~#


Configs:
ISG
hostname ISG
!
aaa new-model
!
aaa group server radius RAD_SRV
server name RAD_SRV1
load-balance method least-outstanding batch-size 1 ignore-preferred-server
!
aaa authentication login default local
aaa authentication login RAD_SRV group RAD_SRV
aaa authorization exec default local
aaa authorization network default group RAD_SRV
aaa authorization subscriber-service default local group RAD_SRV
aaa accounting delay-start
aaa accounting jitter maximum 0
aaa accounting update periodic 1
aaa accounting commands 0 default none
aaa accounting commands 1 default none
aaa accounting commands 15 default none
aaa accounting network default start-stop group RAD_SRV
aaa accounting network ISG_ACC start-stop group RAD_SRV
!
aaa nas port extended
!
aaa server radius dynamic-author
client 192.168.8.227 server-key cisco
auth-type any
ignore session-key
ignore server-key
!
ip domain name office.cisco.com
ip name-server 8.8.8.8
ip name-server 192.168.6.9
!
subscriber service multiple-accept
subscriber service session-accounting
subscriber service accounting interim-interval 1
subscriber redundancy dynamic periodic-update interval 15
subscriber templating
subscriber authorization enable
!
username a.ivanov privilege 15 secret 5 $1$YaAl$OVACRX6v0trI3Ms/4RDwm/
!
redundancy
mode none
!
cdp run
!
class-map type traffic match-any TC_L4R
match access-group input name ACL_IN_L4R
!
class-map type traffic match-any OPEN_GARDEN
match access-group input name OPENGARDEN_IN
match access-group output name OPENGARDEN_OUT
!
class-map type control match-all ISG-IP-UNAUTH
match timer UNAUTH-TIMER
match authen-status unauthenticated
!
policy-map type service S_L4R
250 class type traffic TC_L4R
redirect to ip 192.168.8.227
!
policy-map type service OPEN_GARDEN
250 class type traffic OPEN_GARDEN
!
class type traffic default in-out
drop
!
policy-map type control ISG
class type control ISG-IP-UNAUTH event timed-policy-expiry
1 service disconnect
!
class type control always event session-start
1 service-policy type service name OPEN_GARDEN
5 set-timer UNAUTH-TIMER 5
10 service-policy type service name S_L4R
!
class type control always event session-restart
1 service-policy type service name OPEN_GARDEN
5 set-timer UNAUTH-TIMER 5
10 service-policy type service name S_L4R
!
class type control always event account-logon
10 authenticate aaa list RAD_SRV
20 service-policy type service unapply name S_L4R
30 service-policy type service name INET
!
class type control always event account-logoff
10 service-policy type service unapply name INET
!
policy-map SUB-QOS-IN
class class-default
police cir 100000
!
policy-map SUB-QOS-OUT
class class-default
police cir 100000
!
interface GigabitEthernet1
description host
ip address 172.16.1.254 255.255.255.0
ip helper-address 192.168.8.228
service-policy type control ISG
ip subscriber l2-connected
initiator unclassified mac-address
!
interface GigabitEthernet2
description server-dhcp-int_gw
ip address dhcp
!
ip route 0.0.0.0 0.0.0.0 192.168.8.226
ip route 192.168.0.0 255.255.0.0 192.168.8.1
!
ip access-list extended ACL_IN_L4R
permit tcp any any eq www
permit tcp any any eq 443
!
ip access-list extended INT_IN
permit ip 172.16.1.0 0.0.0.255 any
!
ip access-list extended INT_OUT
permit ip any 172.16.1.0 0.0.0.255
!
ip access-list extended OPENGARDEN_IN
permit ip any host 192.168.8.227
permit ip any host 192.168.6.9
!
ip access-list extended OPENGARDEN_OUT
permit ip host 192.168.8.227 any
permit ip host 192.168.6.9 any
!
snmp-server community public RO
snmp-server location lab@office.cisco.com
snmp ifmib ifindex persist
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 30 original-called-number
radius-server attribute 31 mac format ietf
radius-server attribute 31 send nas-port-detail mac-only
radius-server retransmit 2
radius-server timeout 3
radius-server key cisco
!
radius server RAD_SRV1
address ipv4 192.168.8.227 auth-port 1812 acct-port 1813
key cisco
!
alias exec shs show subscriber session
alias exec cls clear subscriber session all
alias exec cld clear ip dhcp binding *
!
end
DHCP_SERVER
hostname DHCP_SERVER
!
ip dhcp pool SUBSCRIBERS
network 172.16.1.0 255.255.255.0
dns-server 192.168.6.9
default-router 172.16.1.254
!
interface GigabitEthernet2
ip address dhcp
negotiation auto
!
ip route 172.16.1.0 255.255.255.0 192.168.8.230
INT_GW
hostname INT_GW
!
interface GigabitEthernet1
ip address 178.172.213.10 255.255.255.0
ip nat outside
!
interface GigabitEthernet2
ip address dhcp
ip nat inside
!
ip nat inside source list NAT interface GigabitEthernet1 overload
!
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip route 172.16.1.0 255.255.255.0 192.168.8.230
ip route 192.168.0.0 255.255.0.0 192.168.8.1
!
ip access-list extended NAT
permit ip 172.16.1.0 0.0.0.255 any
permit ip host 192.168.8.230 any
!
end


I will not describe the radius and mysql setup here; I assume the reader is familiar with these things.

Radius:
in /etc/freeradius/radiusd.conf enable $INCLUDE sql.conf
in sql.conf itself, describe our database.

in mysql:

mysql> show tables from radius_db;
+------------------------+
| Tables_in_radius_db    |
+------------------------+
| batch_history          |
| billing_history        |
| billing_merchant       |
| billing_paypal         |
| billing_plans          |
| billing_plans_profiles |
| billing_rates          |
| cui                    |
| dictionary             |
| hotspots               |
| invoice                |
| invoice_items          |
| invoice_status         |
| invoice_type           |
| nas                    |
| node                   |
| operators              |
| operators_acl          |
| operators_acl_files    |
| payment                |
| payment_type           |
| proxys                 |
| radacct                |
| radcheck               |
| radgroupcheck          |
| radgroupreply          |
| radhuntgroup           |
| radippool              |
| radpostauth            |
| radreply               |
| radusergroup           |
| realms                 |
| userbillinfo           |
| userinfo               |
| wimax                  |
+------------------------+
35 rows in set (0.01 sec)

mysql>


The tables of main interest are radcheck, radreply and radacct.
Here is what it looks like with an already existing user, attributes and accounting.

mysql> select * from radcheck;
+----+----------+--------------------+----+-------+
| id | username | attribute          | op | value |
+----+----------+--------------------+----+-------+
|  1 | test     | Cleartext-Password | := | test  |
|  5 | INET     | Cleartext-Password | := | cisco |
+----+----------+--------------------+----+-------+
2 rows in set (0.00 sec)

mysql>
mysql> select * from radreply;
+----+----------+--------------+----+---------------------------------------------------------------+
| id | username | attribute    | op | value                                                         |
+----+----------+--------------+----+---------------------------------------------------------------+
| 19 | INET     | Cisco-AVPair | += | ip:sub-qos-policy-in=SUB-QOS-IN                               |
| 20 | INET     | Cisco-AVPair | += | ip:sub-qos-policy-out=SUB-QOS-OUT                             |
| 17 | INET     | Cisco-AVPair | += | ip:traffic-class=in default drop                              |
| 18 | INET     | Cisco-AVPair | += | ip:traffic-class=out default drop                             |
| 16 | INET     | Cisco-AVPair | += | ip:traffic-class=output access-group name INT_OUT priority 50 |
| 15 | INET     | Cisco-AVPair | += | ip:traffic-class=input access-group name INT_IN priority 50   |
| 26 | test     | Cisco-AVPair | += | subscriber:accounting-list=ISG_ACC                            |
+----+----------+--------------+----+---------------------------------------------------------------+
7 rows in set (0.00 sec)

mysql>
mysql> select radacctid,username,nasipaddress,acctstarttime,acctstoptime,acctinputoctets,acctoutputoctets from radacct;
+-----------+----------+---------------+---------------------+---------------------+-----------------+------------------+
| radacctid | username | nasipaddress  | acctstarttime       | acctstoptime        | acctinputoctets | acctoutputoctets |
+-----------+----------+---------------+---------------------+---------------------+-----------------+------------------+
|        19 | test     | 192.168.8.230 | 2014-06-02 15:46:19 | NULL                |          725731 |           705781 |
|        18 | test     | 192.168.8.230 | 2014-06-02 15:39:00 | 2014-06-02 15:40:22 |            4913 |             4647 |
|        17 | test     | 192.168.8.230 | 2014-06-02 15:29:30 | 2014-06-02 15:38:33 |             240 |             3223 |
|        16 | test     | 192.168.8.230 | 2014-06-02 14:58:42 | 2014-06-02 15:27:00 |             852 |             1249 |
|        15 | test     | 192.168.8.230 | 2014-06-02 14:51:15 | 2014-06-02 14:57:25 |             252 |              649 |
|        14 | test     | 192.168.8.230 | 2014-06-02 14:46:41 | 2014-06-02 14:50:34 |            1051 |             1950 |
|        13 | test     | 192.168.8.230 | 2014-06-02 14:37:08 | 2014-06-02 14:46:24 |             288 |             1639 |
+-----------+----------+---------------+---------------------+---------------------+-----------------+------------------+
7 rows in set (0.00 sec)

mysql>



Web portal (Apache):

netland@freeradius:~$ cat /var/www/index.php

<html>
<body>
 
<h1>It works!!!</h1>
 
<!-- the form posts to isg.php, which turns the action into a CoA request towards the ISG -->
<form name="input" action="isg.php" method="POST">
<pre> Username: <input type="text" name="user"> </pre>
<pre> Password: <input type="password" name="pass"> </pre>
  <input type="submit" name="action" value="Login">
  <input type="submit" name="action" value="Logout">
  <input type="submit" name="action" value="Boost">
</form>
 
</body>
</html>
netland@freeradius:~$ cat /var/www/isg.php

<?php
 
$U = isset($_POST['user']) ? $_POST['user'] : '';
$P = isset($_POST['pass']) ? $_POST['pass'] : '';
$A = isset($_POST['action']) ? $_POST['action'] : '';
$I = $_SERVER['REMOTE_ADDR'];
 
// Hand an attribute list to radclient on stdin, towards the ISG CoA listener
// (aaa server radius dynamic-author, port 1700, key "cisco").
// escapeshellarg() keeps the form fields from being interpreted by the shell;
// the original version interpolated $U and $P straight into the command line.
function send_coa($attrs) {
    return shell_exec("echo " . escapeshellarg($attrs) . " | radclient -x 192.168.8.230:1700 coa cisco");
}
 
echo "<html>";
 
echo "<head>";
echo "<title>form</title>";
echo "</head>";
echo "<body>";
 
// htmlspecialchars() so the echoed fields cannot inject markup into the page
echo "username:&nbsp;&nbsp;" . htmlspecialchars($U) . "<br>";
echo "password:&nbsp;&nbsp;" . htmlspecialchars($P) . "<br>";
echo "ip address:&nbsp;" . htmlspecialchars($I) . "<br><br>";
 
// Cisco-Command-Code: \001 = account-logon, \002 = account-logoff;
// Cisco-Account-Info=S<ip> addresses the session by subscriber IP address
if ($A == 'Login') {
    send_coa("User-Name=$U,User-Password=$P,Cisco-Command-Code=\001$U,Cisco-Account-Info=S$I");
    echo "done";
} elseif ($A == 'Logout') {
    send_coa("User-Name=$U,Cisco-Command-Code=\002$U,Cisco-Account-Info=S$I");
    echo "done";
} elseif ($A == 'Boost') {
    // as in the original script, Boost sends the same account-logoff code as Logout
    send_coa("User-Name=$U,Cisco-Command-Code=\002$U,Cisco-Account-Info=S$I");
    echo "done";
} else {
    echo "invalid request";
}
 
echo "</body>";
echo "</html>";
 
?>
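The same portal-to-ISG exchange, written as an added example in Python (not the post's isg.php and not Cisco code). It builds the attribute list that radclient reads on stdin for an account-logon or account-logoff CoA and feeds it to radclient without a shell, after checking every field that comes from the form. The ISG listener 192.168.8.230:1700 and the secret "cisco" are the lab values from the post's configuration; the character sets allowed for username and password are assumptions. Worth keeping in mind: the ISG in the post accepts CoA from the portal host with "ignore server-key", so this validation is all that stands between a web form field and a subscriber's session.

```python
"""Portal-side construction of ISG CoA requests for radclient (added example)."""
import re
import subprocess

ISG_COA = "192.168.8.230:1700"   # 'aaa server radius dynamic-author' listener, from the post
COA_SECRET = "cisco"             # lab shared secret, from the post

# Cisco-Command-Code prefix byte: \001 = account-logon, \002 = account-logoff (as in isg.php)
COMMAND_CODES = {"Login": "\001", "Logout": "\002"}

# Allowed character sets (assumed). Anything outside them could split the attribute
# list (comma, quote, newline) or, in a shell-based implementation, end the command.
USERNAME_OK = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")
PASSWORD_OK = re.compile(r'^[^\s,"\\\x00-\x1f\x7f]{1,64}$')
IPV4_OK = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def build_coa_attributes(action, user, client_ip, password=None):
    """Return the attribute line radclient reads on stdin, or raise ValueError."""
    if action not in COMMAND_CODES:
        raise ValueError("unsupported action %r" % action)
    if not USERNAME_OK.match(user):
        raise ValueError("username contains characters outside the allowed set")
    if not IPV4_OK.match(client_ip):
        raise ValueError("client address is not an IPv4 address")
    attrs = ["User-Name=%s" % user]
    if action == "Login":
        if password is None or not PASSWORD_OK.match(password):
            raise ValueError("password missing or contains characters outside the allowed set")
        attrs.append("User-Password=%s" % password)
    # the session is addressed by subscriber IP: Cisco-Account-Info=S<ip>
    attrs.append("Cisco-Command-Code=%s%s" % (COMMAND_CODES[action], user))
    attrs.append("Cisco-Account-Info=S%s" % client_ip)
    return ",".join(attrs)


def send_coa(attrs, timeout=5):
    """Feed the attribute line to radclient without a shell; returns (exit code, output)."""
    proc = subprocess.run(
        ["radclient", "-x", ISG_COA, "coa", COA_SECRET],
        input=attrs.encode("latin-1"),   # keeps the \001/\002 code byte as a single octet
        stdout=subprocess.PIPE, stderr=subprocess.STDOUT, timeout=timeout, check=False)
    return proc.returncode, proc.stdout.decode("utf-8", "replace")


if __name__ == "__main__":
    # constructed form submission, the same one the post sends (test/test from 172.16.1.2)
    line = build_coa_attributes("Login", "test", "172.16.1.2", "test")
    print(repr(line))
    print(send_coa(line))   # needs radclient and a reachable ISG
```

The password set is deliberately wider than the username set; widen either as needed, but keep the separators radclient cares about (comma, double quote, whitespace, control characters) excluded, because they are exactly what lets one form field become two attributes.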


And now a bit about the traffic flow:

The subscriber connects to the network and requests an address via DHCP. The port has ip helper-address configured; I think there is no need to explain what it does.



DHCP_SERVER#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type       State      Interface
                Hardware address/
                User name
172.16.1.2      0100.5056.9462.6a       Jun 04 2014 10:04 PM    Automatic  Active     Unknown


The same interface has the ISG policy applied, which is our main policy, where we handle the various events, and it specifies that a session is created based on a new (unclassified) MAC address.

Our session is in state unauthen(ticated):

ISG#show subscriber session
Codes: Lterm - Local Term, Fwd - forwarded, unauth - unathenticated, authen -
authenticated, TC Ct. - Number of Traffic Classes on the main session

Current Subscriber Information: Total sessions 1
Uniq ID Interface    State    Service     Up-time  TC Ct. Identifier
15      IPv4         unauthen Lterm       00:04:09 2      172.16.1.2

What just happened: the first rule of our policy fired, session-start:

class type control always event session-start
  1 service-policy type service name OPEN_GARDEN
  5 set-timer UNAUTH-TIMER 5
  10 service-policy type service name S_L4R
The OPEN_GARDEN service was applied (the resources that unauthorized users are allowed to reach), a 5-minute timer was started and the S_L4R service was applied (layer 4 redirect to the portal on ports 80 and 443).

Trying to open microsoft.com:

and we land on the portal.

We enter the login and password (test/test) and see that the portal let us through (although this actually means nothing, because I do not process the replies on the server).


Let me check whether we got authenticated:

ISG#show subscriber session
Codes: Lterm - Local Term, Fwd - forwarded, unauth - unathenticated, authen -
authenticated, TC Ct. - Number of Traffic Classes on the main session

Current Subscriber Information: Total sessions 1
Uniq ID Interface    State    Service     Up-time  TC Ct. Identifier
16      IPv4         authen   Lterm       00:03:16 2      test

ISG#


Yes. What just happened this time? The account-logon condition fired:

 class type control always event account-logon
  10 authenticate aaa list RAD_SRV
  20 service-policy type service unapply name S_L4R
  30 service-policy type service name INET
That is, we took the supplied login and password and sent a request to RADIUS; on receiving the reply we unapplied the portal redirect service and applied the INET service, which is also (optionally) defined on the RADIUS server as a user and returns attributes containing the ACL that must be applied to the session and the QoS.

The user is on the Internet.
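To make the traffic flow above traceable step by step, here is an added example (not Cisco code and not the author's) that replays the post's control policy in Python: the session-start, account-logon, account-logoff and timed-policy-expiry handlers from policy-map type control ISG, and the traffic classes of OPEN_GARDEN, S_L4R and INET with the priorities from the configuration and the radreply table. The RADIUS user store is the post's radcheck row (test/test); the packets are constructed here. Two modelling assumptions are marked in the code: a failed authenticate action stops the rest of the rule, and traffic classes of equal priority are tried in the order the services were applied.

```python
"""Model of the post's ISG control policy (policy-map type control ISG); added example."""

# Constructed user store: the radcheck row from the post.
RADCHECK = {"test": "test"}

# Traffic classes per service: (priority, matcher, action). A matcher takes
# (dst_ip, proto, dport); the subscriber source is always in 172.16.1.0/24 here,
# so the INT_IN entry 'permit ip 172.16.1.0 0.0.0.255 any' matches every packet.
SERVICES = {
    # class-map OPEN_GARDEN / access-list OPENGARDEN_IN, priority 250
    "OPEN_GARDEN": [(250, lambda dst, proto, dport: dst in ("192.168.8.227", "192.168.6.9"), "permit")],
    # class-map TC_L4R / access-list ACL_IN_L4R, priority 250, 'redirect to ip 192.168.8.227'
    "S_L4R": [(250, lambda dst, proto, dport: proto == "tcp" and dport in (80, 443), "redirect:192.168.8.227")],
    # radreply: ip:traffic-class=input access-group name INT_IN priority 50
    "INET": [(50, lambda dst, proto, dport: True, "permit")],
}


class IsgSession:
    UNAUTH_TIMER = 5  # minutes, 'set-timer UNAUTH-TIMER 5'

    def __init__(self, identifier):
        self.identifier = identifier  # IP/MAC before logon, username after
        self.state = "unauthen"
        self.services = []            # active services, in apply order
        self.timer = None
        self.connected = True

    def apply(self, name):
        if name not in self.services:
            self.services.append(name)

    def unapply(self, name):
        if name in self.services:
            self.services.remove(name)

    # class type control always event session-start (session-restart is identical in the post)
    def session_start(self):
        self.apply("OPEN_GARDEN")        # 1  service-policy type service name OPEN_GARDEN
        self.timer = self.UNAUTH_TIMER   # 5  set-timer UNAUTH-TIMER 5
        self.apply("S_L4R")              # 10 service-policy type service name S_L4R

    # class type control always event account-logon (portal CoA, Cisco-Command-Code \001)
    def account_logon(self, username, password):
        if RADCHECK.get(username) != password:   # 10 authenticate aaa list RAD_SRV
            return False                         # assumption: a failed action stops the rule
        self.state, self.identifier = "authen", username
        self.unapply("S_L4R")                    # 20 service-policy type service unapply name S_L4R
        self.apply("INET")                       # 30 service-policy type service name INET
        return True

    # class type control always event account-logoff (portal CoA, Cisco-Command-Code \002)
    def account_logoff(self):
        self.unapply("INET")                     # 10 service-policy type service unapply name INET
        # the post's policy does nothing else here: S_L4R is not re-applied, state is untouched

    # class type control ISG-IP-UNAUTH event timed-policy-expiry
    def timed_policy_expiry(self):
        self.timer = None
        if self.state == "unauthen":             # match authen-status unauthenticated
            self.connected = False               # 1 service disconnect

    def classify(self, dst, proto, dport):
        """Return what the active traffic classes do with a packet from the subscriber."""
        rules = [r for svc in self.services for r in SERVICES[svc]]
        rules.sort(key=lambda r: r[0])  # lower value wins; stable, so equal priorities keep apply order
        for _prio, match, action in rules:
            if match(dst, proto, dport):
                return action
        return "drop"  # the 'default drop' traffic class carried by OPEN_GARDEN and INET


def walkthrough():
    """Replay the post's session: address from DHCP, redirect, portal logon, Internet."""
    s = IsgSession("172.16.1.2")
    s.session_start()
    out = {
        "start_state": s.state,
        "unauth_http": s.classify("23.0.0.1", "tcp", 80),     # microsoft.com -> portal
        "unauth_dns": s.classify("192.168.6.9", "udp", 53),  # open garden
        "unauth_ssh": s.classify("23.0.0.1", "tcp", 22),     # neither -> drop
        "bad_password": s.account_logon("test", "wrong"),
    }
    out["after_bad_password"] = s.classify("23.0.0.1", "tcp", 80)
    s.account_logon("test", "test")
    out["auth_state"] = s.state
    out["auth_http"] = s.classify("23.0.0.1", "tcp", 80)
    out["services"] = list(s.services)
    s.timed_policy_expiry()                  # timer fires after logon: session survives
    out["still_connected"] = s.connected
    s.account_logoff()
    out["after_logoff_http"] = s.classify("23.0.0.1", "tcp", 80)
    return out


def unauthenticated_timeout():
    """A session that never logs on is disconnected when UNAUTH-TIMER expires."""
    s = IsgSession("172.16.1.3")
    s.session_start()
    s.timed_policy_expiry()
    return s.connected


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print("%-20s %s" % (key, value))
    print("timed-out session connected:", unauthenticated_timeout())
```

The last step of the walkthrough is the one worth noticing: with the account-logoff handler as written in the post, a subscriber who logs off keeps OPEN_GARDEN but gets neither INET nor S_L4R back, so web traffic is dropped rather than redirected to the portal again until the session restarts.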



ISG#show subscriber session detailed
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: IPv4, UID: 16, State: authen, Identity: test
IPv4 Address: 172.16.1.2
Session Up-time: 00:21:58, Last Changed: 00:21:15
Switch-ID: 4165

Policy information:
  Context 7FEDB056A2A0: Handle C5000057
  AAA_id 00000020: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    accounting-list      0   "ISG_ACC"
  Downloaded User profile, including services:
    username             0   "OPEN_GARDEN"
    accounting-list      0   "ISG_ACC"
    traffic-class        0   "input access-group name INT_IN priority 50"
    traffic-class        0   "output access-group name INT_OUT priority 50"
    traffic-class        0   "in default drop"
    traffic-class        0   "out default drop"
    sub-qos-policy-in    0   "SUB-QOS-IN"
    sub-qos-policy-out   0   "SUB-QOS-OUT"
  Config history for session (recent to oldest):
    Access-type: Web-user-logon Client: Account Command-Handler
     Policy event: Got More Keys (Service)
      Profile name: INET, 3 references
        traffic-class        0   "input access-group name INT_IN priority 50"
        traffic-class        0   "output access-group name INT_OUT priority 50"
        traffic-class        0   "in default drop"
        traffic-class        0   "out default drop"
        sub-qos-policy-in    0   "SUB-QOS-IN"
        sub-qos-policy-out   0   "SUB-QOS-OUT"
    Access-type: Web-user-logon Client: Account Command-Handler
     Policy event: Got More Keys (Unapplied) (Service)
      Profile name: S_L4R, 3 references
        password             0   <hidden>
        username             0   "S_L4R"
        traffic-class        0   "input access-group name ACL_IN_L4R priority 250"
        l4redirect           0   "redirect to ip 192.168.8.227"
    Access-type: Web-user-logon Client: Account Command-Handler
     Policy event: Got More Keys
      Profile name: test, 2 references
        accounting-list      0   "ISG_ACC"
    Access-type: IP Client: SM
     Policy event: Service Selection Request (Service)
      Profile name: S_L4R, 3 references
        password             0   <hidden>
        username             0   "S_L4R"
        traffic-class        0   "input access-group name ACL_IN_L4R priority 250"
        l4redirect           0   "redirect to ip 192.168.8.227"
    Access-type: IP Client: SM
     Policy event: Service Selection Request (Service)
      Profile name: OPEN_GARDEN, 3 references
        password             0   <hidden>
        username             0   "OPEN_GARDEN"
        traffic-class        0   "input access-group name OPENGARDEN_IN priority 250"
        traffic-class        0   "output access-group name OPENGARDEN_OUT priority 250"
        traffic-class        0   "input default drop"
        traffic-class        0   "output default drop"
  Active services associated with session:
    name "INET"
    name "OPEN_GARDEN", applied before account logon
  Rules, actions and conditions executed:
    subscriber rule-map ISG
      condition always event session-start
        1 service-policy type service name OPEN_GARDEN
        5 set-timer UNAUTH-TIMER 5
        10 service-policy type service name S_L4R
    subscriber rule-map ISG
      condition always event account-logon
        10 authenticate aaa list RAD_SRV
        20 service-policy type service unapply name S_L4R
        30 service-policy type service name INET
        subscriber condition-map match-all ISG-IP-UNAUTH
          match identifier timer UNAUTH-TIMER [TRUE]
          match identifier authen-status unauthenticated [FALSE]
    subscriber rule-map ISG
      condition ISG-IP-UNAUTH event timed-policy-expiry
        subscriber condition-map match-all ISG-IP-UNAUTH
          match identifier timer UNAUTH-TIMER [TRUE]
          match identifier authen-status unauthenticated [FALSE]
    subscriber rule-map ISG
      condition ISG-IP-UNAUTH event timed-policy-expiry
        subscriber condition-map match-all ISG-IP-UNAUTH
          match identifier timer UNAUTH-TIMER [TRUE]
          match identifier authen-status unauthenticated [FALSE]
    subscriber rule-map ISG
      condition ISG-IP-UNAUTH event timed-policy-expiry

Classifiers:
Class-id    Dir   Packets    Bytes                  Pri.  Definition
0           In    771        101465                 0    Match Any
1           Out   912        825309                 0    Match Any
2           In    3          175                    250  Match ACL OPENGARDEN_IN
3           Out   16         2324                   250  Match ACL OPENGARDEN_OUT
6           In    752        99922                  50   Match ACL INT_IN
7           Out   896        822985                 50   Match ACL INT_OUT
4294967294  In    0          0                      -    Drop
4294967295  Out   0          0                      -    Drop

Template Id : 14

Features:

Accounting:
Class-id   Dir  Packets    Bytes                 Source
0          In   752        99922                 Peruser
1          Out  896        822985                Peruser

Configuration Sources:
Type  Active Time  AAA Service ID  Name
SVC   00:21:58     -               OPEN_GARDEN
SVC   00:21:15     -               INET
USR   00:21:15     -               Peruser
INT   00:21:58     -               GigabitEthernet1


Conditions used in the policy:
the event fires on the control class ISG-IP-UNAUTH (the user is unauthenticated and the timer has expired):
 class type control ISG-IP-UNAUTH event timed-policy-expiry
Session created:
 class type control always event session-start
Session re-created:
 class type control always event session-restart
CoA from the portal about login:
 class type control always event account-logon
CoA from the portal about logoff:
 class type control always event account-logoff
Such frequently used events as the following remained unused:
quota-depleted
credit-exhausted

but they are part of the billing logic and fall outside the introductory narrative I have spun here.

PS
This is only a small part of what ISG can do. The goal was merely to give a superficial introduction and, so to speak, a taste.
cat_driver
19.10.2015, 11:26
Quote: message from ququ
There is also an epic glitch related to dhcp-relay + Opt82 in QinQ mode, but that probably deserves a separate thread.
Does this glitch show up only when the interface is in a VRF, or always?