Jabbson (expert in computer networks)

Intelligent Services Gateway - a quick overview

04.06.2014, 04:14. Views: 14996. Replies: 20

ISG - Intelligent Services Gateway. Overview.


In this post I would like to show (as briefly as possible) an example ISG configuration.
For those who don't know, ISG (Intelligent Services Gateway) is a framework on the Cisco 10000, Cisco 7200, Cisco 7300 and Cisco ASR platforms for organizing subscriber access, with a simplified authentication system, a flexible integrated rule (policy) management system and deep operational integration that lets the framework tie into existing AAA, billing and subscriber-portal platforms.

Here is how Cisco describes the benefits ISG brings:
  • ISG features in IOS offered across industry leading portfolio of Cisco routers
  • Interface for ATM, Gigabit Ethernet, VLAN, and IP Access
  • Transport service across IP, L2TP and MPLS network interfaces
  • Establish and control PPP as well as next generation IP or IP Subnet Sessions
  • Authenticate and authorize subscribers using DHCP or RADIUS based authentication
  • Define local intelligent policies directly in ISG router
  • Support standards based RADIUS CoA (RFC 3576) service control interface into BSS
  • Control & account for per-subscriber & per-service use for post-paid and pre-paid billing

Sounds sweet. Now about the features. To avoid repeating myself, I'll again quote Cisco:

Features: [three screenshots of Cisco's feature tables, not reproduced]


Reading material:
White Paper
Intelligent Service Gateway Features Roadmap (12.2, 15.0)
Cisco IOS Intelligent Services Gateway Command Reference
Cisco ISG Design and Deployment Guide: ATM Aggregation Using Cisco IOS Software Release 12.2(28)SB5
Cisco ISG Design and Deployment Guide: Gigabit Ethernet Aggregation Using Cisco IOS Software Release 12.2(31)SB2
Intelligent Services Gateway Configuration Guide, Cisco IOS XE Release 3S
Intelligent Services Gateway Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000)

On Cisco Live, the following material covers this topic:
  1. RRKSPG-3304: Subscriber Session Management: Wired and SP Wi-Fi Session Management
  2. BRKSPG-3304: Subscriber Aware Ethernet: Traditional Broadband Functions over Next-Gen Carrier Ethernet Networks
  3. BRKSPG-2803: Service Provider Wi-Fi
  4. and a slightly dated presentation
  5. BRKOPT-3301: Deploying Advanced Subscriber Management Using Intelligent Service Gateway

Now closer to the point.

For my example I'll take the standard (and simplest) topology; it is nothing intricate, but it still lets me show some of Cisco ISG's capabilities. I'll say up front that for the demonstration I'm using virtualization both for the service gateway and for the end user.


Devices:
ISG: CSR1000v
ISG#sh ver
Cisco IOS XE Software, Version 03.12.00.S - Standard Support Release
Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 26-Mar-14 21:09 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2014 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

ISG uptime is 1 day, 59 minutes
Uptime for this control processor is 1 day, 1 hour, 0 minutes
System returned to ROM by reload at 11:47:31 FET Mon Jun 2 2014
System restarted at 11:49:05 FET Mon Jun 2 2014
System image file is "bootflash:packages.conf"
Last reload reason: Reload Command



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: premium
License Type: Evaluation License
Next reload license Level: premium

cisco CSR1000V (VXE) processor with 2170596K/6147K bytes of memory.
Processor board ID 9G4FLFSIQPY
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.

Configuration register is 0x2102
DHCP: CSR1000v
DHCP_SERVER#show ver
Cisco IOS XE Software, Version 03.12.00.S - Standard Support Release
Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 26-Mar-14 21:09 by mcpre




ROM: IOS-XE ROMMON

DHCP_SERVER uptime is 1 week, 5 days, 1 hour, 49 minutes
Uptime for this control processor is 1 week, 5 days, 1 hour, 50 minutes
System returned to ROM by reload
System restarted at 11:00:23 FET Thu May 22 2014
System image file is "bootflash:packages.conf"
Last reload reason: Unknown reason




License Level: limited
License Type: Default. No valid license found.
Next reload license Level: limited

cisco CSR1000V (VXE) processor with 804580K/6147K bytes of memory.
Processor board ID 9FGH5Z8MDHJ
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3145728K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.

Configuration register is 0x2102
INT-GW: CSR1000V
INT_GW#sh ver
Cisco IOS XE Software, Version 03.12.00.S - Standard Support Release
Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 26-Mar-14 21:09 by mcpre




ROM: IOS-XE ROMMON

INT_GW uptime is 1 day, 2 hours, 29 minutes
Uptime for this control processor is 1 day, 2 hours, 29 minutes
System returned to ROM by reload
System image file is "bootflash:packages.conf"
Last reload reason: Reload Command




License Level: limited
License Type: Default. No valid license found.
Next reload license Level: limited

cisco CSR1000V (VXE) processor with 804580K/6147K bytes of memory.
Processor board ID 90FUTHQ505J
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3145728K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.

Configuration register is 0x2102
RADIUS (freeradius) / SQL (mysql) / WEB-PORTAL (self-written): vmware host
root@freeradius:~# uname -a
Linux freeradius 3.2.0-4-686-pae #1 SMP Debian 3.2.57-3+deb7u1 i686 GNU/Linux
root@freeradius:~#


Configs:
ISG
hostname ISG
!
aaa new-model
!
aaa group server radius RAD_SRV
 server name RAD_SRV1
 load-balance method least-outstanding batch-size 1 ignore-preferred-server
!
aaa authentication login default local
aaa authentication login RAD_SRV group RAD_SRV
aaa authorization exec default local
aaa authorization network default group RAD_SRV
aaa authorization subscriber-service default local group RAD_SRV
aaa accounting delay-start
aaa accounting jitter maximum 0
aaa accounting update periodic 1
aaa accounting commands 0 default none
aaa accounting commands 1 default none
aaa accounting commands 15 default none
aaa accounting network default start-stop group RAD_SRV
aaa accounting network ISG_ACC start-stop group RAD_SRV
!
aaa nas port extended
!
aaa server radius dynamic-author
 client 192.168.8.227 server-key cisco
 auth-type any
 ignore session-key
 ignore server-key
!
ip domain name office.cisco.com
ip name-server 8.8.8.8
ip name-server 192.168.6.9
!
subscriber service multiple-accept
subscriber service session-accounting
subscriber service accounting interim-interval 1
subscriber redundancy dynamic periodic-update interval 15
subscriber templating
subscriber authorization enable
!
username a.ivanov privilege 15 secret 5 $1$YaAl$OVACRX6v0trI3Ms/4RDwm/
!
redundancy
 mode none
!
cdp run
!
class-map type traffic match-any TC_L4R
 match access-group input name ACL_IN_L4R
!
class-map type traffic match-any OPEN_GARDEN
 match access-group input name OPENGARDEN_IN
 match access-group output name OPENGARDEN_OUT
!
class-map type control match-all ISG-IP-UNAUTH
 match timer UNAUTH-TIMER
 match authen-status unauthenticated
!
policy-map type service S_L4R
 250 class type traffic TC_L4R
  redirect to ip 192.168.8.227
!
policy-map type service OPEN_GARDEN
 250 class type traffic OPEN_GARDEN
 !
 class type traffic default in-out
  drop
!
policy-map type control ISG
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event session-start
  1 service-policy type service name OPEN_GARDEN
  5 set-timer UNAUTH-TIMER 5
  10 service-policy type service name S_L4R
 !
 class type control always event session-restart
  1 service-policy type service name OPEN_GARDEN
  5 set-timer UNAUTH-TIMER 5
  10 service-policy type service name S_L4R
 !
 class type control always event account-logon
  10 authenticate aaa list RAD_SRV
  20 service-policy type service unapply name S_L4R
  30 service-policy type service name INET
 !
 class type control always event account-logoff
  10 service-policy type service unapply name INET
!
policy-map SUB-QOS-IN
 class class-default
  police cir 100000
!
policy-map SUB-QOS-OUT
 class class-default
  police cir 100000
!
interface GigabitEthernet1
 description host
 ip address 172.16.1.254 255.255.255.0
 ip helper-address 192.168.8.228
 service-policy type control ISG
 ip subscriber l2-connected
  initiator unclassified mac-address
!
interface GigabitEthernet2
 description server-dhcp-int_gw
 ip address dhcp
!
ip route 0.0.0.0 0.0.0.0 192.168.8.226
ip route 192.168.0.0 255.255.0.0 192.168.8.1
!
ip access-list extended ACL_IN_L4R
 permit tcp any any eq www
 permit tcp any any eq 443
!
ip access-list extended INT_IN
 permit ip 172.16.1.0 0.0.0.255 any
!
ip access-list extended INT_OUT
 permit ip any 172.16.1.0 0.0.0.255
!
ip access-list extended OPENGARDEN_IN
 permit ip any host 192.168.8.227
 permit ip any host 192.168.6.9
!
ip access-list extended OPENGARDEN_OUT
 permit ip host 192.168.8.227 any
 permit ip host 192.168.6.9 any
!
snmp-server community public RO
snmp-server location lab@office.cisco.com
snmp ifmib ifindex persist
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 30 original-called-number
radius-server attribute 31 mac format ietf
radius-server attribute 31 send nas-port-detail mac-only
radius-server retransmit 2
radius-server timeout 3
radius-server key cisco
!
radius server RAD_SRV1
 address ipv4 192.168.8.227 auth-port 1812 acct-port 1813
 key cisco
!
alias exec shs show subscriber session
alias exec cls clear subscriber session all
alias exec cld clear ip dhcp binding *
!
end
DHCP_SERVER
hostname DHCP_SERVER
!
ip dhcp pool SUBSCRIBERS
 network 172.16.1.0 255.255.255.0
 dns-server 192.168.6.9
 default-router 172.16.1.254
!
interface GigabitEthernet2
 ip address dhcp
 negotiation auto
!
ip route 172.16.1.0 255.255.255.0 192.168.8.230
INT_GW
hostname INT_GW
!
interface GigabitEthernet1
 ip address 178.172.213.10 255.255.255.0
 ip nat outside
!
interface GigabitEthernet2
 ip address dhcp
 ip nat inside
!
ip nat inside source list NAT interface GigabitEthernet1 overload
!
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip route 172.16.1.0 255.255.255.0 192.168.8.230
ip route 192.168.0.0 255.255.0.0 192.168.8.1
!
ip access-list extended NAT
 permit ip 172.16.1.0 0.0.0.255 any
 permit ip host 192.168.8.230 any
!
end


I won't show the radius and mysql setup here; I assume the reader is familiar with these things.

Radius:
in /etc/freeradius/radiusd.conf enable $INCLUDE sql.conf
in sql.conf itself, describe our database.

in mysql:

Code:
mysql> show tables from radius_db;
+------------------------+
| Tables_in_radius_db    |
+------------------------+
| batch_history          |
| billing_history        |
| billing_merchant       |
| billing_paypal         |
| billing_plans          |
| billing_plans_profiles |
| billing_rates          |
| cui                    |
| dictionary             |
| hotspots               |
| invoice                |
| invoice_items          |
| invoice_status         |
| invoice_type           |
| nas                    |
| node                   |
| operators              |
| operators_acl          |
| operators_acl_files    |
| payment                |
| payment_type           |
| proxys                 |
| radacct                |
| radcheck               |
| radgroupcheck          |
| radgroupreply          |
| radhuntgroup           |
| radippool              |
| radpostauth            |
| radreply               |
| radusergroup           |
| realms                 |
| userbillinfo           |
| userinfo               |
| wimax                  |
+------------------------+
35 rows in set (0.01 sec)

mysql>


The tables of main interest are radcheck, radreply and radacct.
Here is how it looks with an existing user, attributes and accounting.

mysql> select * from radcheck;


Code:
+----+----------+--------------------+----+-------+
| id | username | attribute          | op | value |
+----+----------+--------------------+----+-------+
|  1 | test     | Cleartext-Password | := | test  |
|  5 | INET     | Cleartext-Password | := | cisco |
+----+----------+--------------------+----+-------+
2 rows in set (0.00 sec)

mysql>
mysql> select * from radreply;


Code:
+----+----------+--------------+----+---------------------------------------------------------------+
| id | username | attribute    | op | value                                                         |
+----+----------+--------------+----+---------------------------------------------------------------+
| 19 | INET     | Cisco-AVPair | += | ip:sub-qos-policy-in=SUB-QOS-IN                               |
| 20 | INET     | Cisco-AVPair | += | ip:sub-qos-policy-out=SUB-QOS-OUT                             |
| 17 | INET     | Cisco-AVPair | += | ip:traffic-class=in default drop                              |
| 18 | INET     | Cisco-AVPair | += | ip:traffic-class=out default drop                             |
| 16 | INET     | Cisco-AVPair | += | ip:traffic-class=output access-group name INT_OUT priority 50 |
| 15 | INET     | Cisco-AVPair | += | ip:traffic-class=input access-group name INT_IN priority 50   |
| 26 | test     | Cisco-AVPair | += | subscriber:accounting-list=ISG_ACC                            |
+----+----------+--------------+----+---------------------------------------------------------------+
7 rows in set (0.00 sec)

mysql>
mysql> select radacctid,username,nasipaddress,acctstarttime,acctstoptime,acctinputoctets,acctoutputoctets from radacct;


Code:
+-----------+----------+---------------+---------------------+---------------------+-----------------+------------------+
| radacctid | username | nasipaddress  | acctstarttime       | acctstoptime        | acctinputoctets | acctoutputoctets |
+-----------+----------+---------------+---------------------+---------------------+-----------------+------------------+
|        19 | test     | 192.168.8.230 | 2014-06-02 15:46:19 | NULL                |          725731 |           705781 |
|        18 | test     | 192.168.8.230 | 2014-06-02 15:39:00 | 2014-06-02 15:40:22 |            4913 |             4647 |
|        17 | test     | 192.168.8.230 | 2014-06-02 15:29:30 | 2014-06-02 15:38:33 |             240 |             3223 |
|        16 | test     | 192.168.8.230 | 2014-06-02 14:58:42 | 2014-06-02 15:27:00 |             852 |             1249 |
|        15 | test     | 192.168.8.230 | 2014-06-02 14:51:15 | 2014-06-02 14:57:25 |             252 |              649 |
|        14 | test     | 192.168.8.230 | 2014-06-02 14:46:41 | 2014-06-02 14:50:34 |            1051 |             1950 |
|        13 | test     | 192.168.8.230 | 2014-06-02 14:37:08 | 2014-06-02 14:46:24 |             288 |             1639 |
+-----------+----------+---------------+---------------------+---------------------+-----------------+------------------+
7 rows in set (0.00 sec)

mysql>



Web portal (Apache):

netland@freeradius:~$ cat /var/www/index.php


Code (HTML):
<html>
<body>
 
<h1>It works!!!</h1>
 
<!-- The three buttons share one form; isg.php branches on the value of "action". -->
<form name="input" action="isg.php" method="POST">
<pre> Username: <input type="text" name="user"> </pre>
<pre> Password: <input type="password" name="pass"> </pre>
  <input type="submit" name="action" value="Login">
  <input type="submit" name="action" value="Logout">
  <input type="submit" name="action" value="Boost">
</form>
 
</body>
</html>
netland@freeradius:~$ cat /var/www/isg.php


Code (PHP):
<?php
// Self-written test portal: hands the login form over to the ISG as a RADIUS CoA request.
// The ISG is 192.168.8.230, CoA port 1700, shared key "cisco" (see "aaa server radius dynamic-author" above).
 
$U = isset($_POST['user']) ? $_POST['user'] : '';
$P = isset($_POST['pass']) ? $_POST['pass'] : '';
$I = $_SERVER['REMOTE_ADDR'];   // the subscriber's IP: this is how the ISG finds the session
 
// Build the attribute line for radclient and run it. The whole line goes through
// escapeshellarg() so that form input cannot break out of the shell command.
// Cisco-Command-Code: \001 = Account-Logon, \002 = Account-Logoff, each followed by the username.
// Cisco-Account-Info "S<ip>" tells the ISG which session the command applies to.
function send_coa(array $attrs) {
    $line = implode(",", $attrs);
    return shell_exec("echo " . escapeshellarg($line) . " | radclient -x 192.168.8.230:1700 coa cisco");
}
 
echo "<html>";
echo "<head>";
echo "<title>form</title>";
echo "</head>";
echo "<body>";
 
echo "username:&nbsp;&nbsp;" . htmlspecialchars($U) . "<br>";
echo "password:&nbsp;&nbsp;" . htmlspecialchars($P) . "<br>";
echo "ip address:&nbsp;" . htmlspecialchars($I) . "<br><br>";
 
if ($_POST['action'] == 'Login') {
    send_coa(array("User-Name=$U", "User-Password=$P", "Cisco-Command-Code=\001$U", "Cisco-Account-Info=S$I"));
    echo "done";
} elseif ($_POST['action'] == 'Logout') {
    send_coa(array("User-Name=$U", "Cisco-Command-Code=\002$U", "Cisco-Account-Info=S$I"));
    echo "done";
} elseif ($_POST['action'] == 'Boost') {
    // As posted, Boost sends the same Account-Logoff command as Logout.
    send_coa(array("User-Name=$U", "Cisco-Command-Code=\002$U", "Cisco-Account-Info=S$I"));
    echo "done";
} else {
    echo "invalid request";
}
 
echo "</body>";
echo "</html>";
 
?>


And now a bit about the traffic flow:

The subscriber connects to the network and requests an address via DHCP. ip helper-address is configured on the port; I think there is no need to explain what it does.

DHCP_SERVER#show ip dhcp binding
Code:
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type       State      Interface
                Hardware address/
                User name
172.16.1.2      0100.5056.9462.6a       Jun 04 2014 10:04 PM    Automatic  Active     Unknown


The ISG policy is applied on the same interface; it is our main policy, where we steer the various events, and it specifies that a session will be created based on a new (unclassified) MAC address.

Our session is in the unauthen(ticated) state:

ISG#show subscriber session
Code:
Codes: Lterm - Local Term, Fwd - forwarded, unauth - unathenticated, authen -
authenticated, TC Ct. - Number of Traffic Classes on the main session

Current Subscriber Information: Total sessions 1
Uniq ID Interface    State    Service     Up-time  TC Ct. Identifier
15      IPv4         unauthen Lterm       00:04:09 2      172.16.1.2

What just happened? The first rule of our policy, session-start, fired:

Code:
class type control always event session-start
  1 service-policy type service name OPEN_GARDEN
  5 set-timer UNAUTH-TIMER 5
  10 service-policy type service name S_L4R
The OPEN_GARDEN service was applied (the resources that unauthorized users may reach), a 5-minute timer was started, and the S_L4R service was applied (layer 4 redirect to the portal on ports 80 and 443).

We try to go to microsoft.com:

and land on the portal.

We enter the login and password (test/test) and see that the portal let us through (although this actually means nothing, because I don't process the replies on the server).


I checked whether we were authenticated:

ISG#show subscriber session
Code:
Codes: Lterm - Local Term, Fwd - forwarded, unauth - unathenticated, authen -
authenticated, TC Ct. - Number of Traffic Classes on the main session

Current Subscriber Information: Total sessions 1
Uniq ID Interface    State    Service     Up-time  TC Ct. Identifier
16      IPv4         authen   Lterm       00:03:16 2      test

ISG#


Yes. What just happened this time? The account-logon condition fired:

Code:
 class type control always event account-logon
  10 authenticate aaa list RAD_SRV
  20 service-policy type service unapply name S_L4R
  30 service-policy type service name INET
That is, we took the supplied login and password and sent a request to RADIUS; on receiving the reply we removed the portal-redirect service and applied the INET service, which is also (optionally) defined on RADIUS as a user and returns attributes containing the ACL that is to be applied to the session, and the QoS.

The user is on the internet.

ISG#show subscriber session detailed
Code:
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: IPv4, UID: 16, State: authen, Identity: test
IPv4 Address: 172.16.1.2
Session Up-time: 00:21:58, Last Changed: 00:21:15
Switch-ID: 4165

Policy information:
  Context 7FEDB056A2A0: Handle C5000057
  AAA_id 00000020: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    accounting-list      0   "ISG_ACC"
  Downloaded User profile, including services:
    username             0   "OPEN_GARDEN"
    accounting-list      0   "ISG_ACC"
    traffic-class        0   "input access-group name INT_IN priority 50"
    traffic-class        0   "output access-group name INT_OUT priority 50"
    traffic-class        0   "in default drop"
    traffic-class        0   "out default drop"
    sub-qos-policy-in    0   "SUB-QOS-IN"
    sub-qos-policy-out   0   "SUB-QOS-OUT"
  Config history for session (recent to oldest):
    Access-type: Web-user-logon Client: Account Command-Handler
     Policy event: Got More Keys (Service)
      Profile name: INET, 3 references
        traffic-class        0   "input access-group name INT_IN priority 50"
        traffic-class        0   "output access-group name INT_OUT priority 50"
        traffic-class        0   "in default drop"
        traffic-class        0   "out default drop"
        sub-qos-policy-in    0   "SUB-QOS-IN"
        sub-qos-policy-out   0   "SUB-QOS-OUT"
    Access-type: Web-user-logon Client: Account Command-Handler
     Policy event: Got More Keys (Unapplied) (Service)
      Profile name: S_L4R, 3 references
        password             0   <hidden>
        username             0   "S_L4R"
        traffic-class        0   "input access-group name ACL_IN_L4R priority 250"
        l4redirect           0   "redirect to ip 192.168.8.227"
    Access-type: Web-user-logon Client: Account Command-Handler
     Policy event: Got More Keys
      Profile name: test, 2 references
        accounting-list      0   "ISG_ACC"
    Access-type: IP Client: SM
     Policy event: Service Selection Request (Service)
      Profile name: S_L4R, 3 references
        password             0   <hidden>
        username             0   "S_L4R"
        traffic-class        0   "input access-group name ACL_IN_L4R priority 250"
        l4redirect           0   "redirect to ip 192.168.8.227"
    Access-type: IP Client: SM
     Policy event: Service Selection Request (Service)
      Profile name: OPEN_GARDEN, 3 references
        password             0   <hidden>
        username             0   "OPEN_GARDEN"
        traffic-class        0   "input access-group name OPENGARDEN_IN priority 250"
        traffic-class        0   "output access-group name OPENGARDEN_OUT priority 250"
        traffic-class        0   "input default drop"
        traffic-class        0   "output default drop"
  Active services associated with session:
    name "INET"
    name "OPEN_GARDEN", applied before account logon
  Rules, actions and conditions executed:
    subscriber rule-map ISG
      condition always event session-start
        1 service-policy type service name OPEN_GARDEN
        5 set-timer UNAUTH-TIMER 5
        10 service-policy type service name S_L4R
    subscriber rule-map ISG
      condition always event account-logon
        10 authenticate aaa list RAD_SRV
        20 service-policy type service unapply name S_L4R
        30 service-policy type service name INET
        subscriber condition-map match-all ISG-IP-UNAUTH
          match identifier timer UNAUTH-TIMER [TRUE]
          match identifier authen-status unauthenticated [FALSE]
    subscriber rule-map ISG
      condition ISG-IP-UNAUTH event timed-policy-expiry
        subscriber condition-map match-all ISG-IP-UNAUTH
          match identifier timer UNAUTH-TIMER [TRUE]
          match identifier authen-status unauthenticated [FALSE]
    subscriber rule-map ISG
      condition ISG-IP-UNAUTH event timed-policy-expiry
        subscriber condition-map match-all ISG-IP-UNAUTH
          match identifier timer UNAUTH-TIMER [TRUE]
          match identifier authen-status unauthenticated [FALSE]
    subscriber rule-map ISG
      condition ISG-IP-UNAUTH event timed-policy-expiry

Classifiers:
Class-id    Dir   Packets    Bytes                  Pri.  Definition
0           In    771        101465                 0    Match Any
1           Out   912        825309                 0    Match Any
2           In    3          175                    250  Match ACL OPENGARDEN_IN
3           Out   16         2324                   250  Match ACL OPENGARDEN_OUT
6           In    752        99922                  50   Match ACL INT_IN
7           Out   896        822985                 50   Match ACL INT_OUT
4294967294  In    0          0                      -    Drop
4294967295  Out   0          0                      -    Drop

Template Id : 14

Features:

Accounting:
Class-id   Dir  Packets    Bytes                 Source
0          In   752        99922                 Peruser
1          Out  896        822985                Peruser

Configuration Sources:
Type  Active Time  AAA Service ID  Name
SVC   00:21:58     -               OPEN_GARDEN
SVC   00:21:15     -               INET
USR   00:21:15     -               Peruser
INT   00:21:58     -               GigabitEthernet1


Conditions used in the policy:
the event fires on the ISG-IP-UNAUTH control class (user is unauthenticated, the timer has expired):
Code:
 class type control ISG-IP-UNAUTH event timed-policy-expiry
Session created:
Code:
 class type control always event session-start
Session re-created:
Code:
 class type control always event session-restart
CoA from the portal about a login:
Code:
 class type control always event account-logon
CoA from the portal about a logoff:
Code:
 class type control always event account-logoff
Such commonly used events as these were left unused:
quota-depleted
credit-exhausted

but they are part of the billing logic and fall outside the introductory narrative I've spun here.

PS
This is only a small part of ISG's capabilities. The goal was merely a superficial introduction, to give a taste of it, so to speak.
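As an added example (not part of the original post or the author's portal), here is the RADIUS CoA-Request that the Logout button's radclient call above puts on the wire, built and checked in Python per RFC 5176: the Cisco VSA sub-types 250 (Cisco-Account-Info) and 252 (Cisco-Command-Code) are taken from FreeRADIUS's dictionary.cisco, the ISG address, port 1700 and key "cisco" are from the configs above, and the Login form's User-Password attribute is left out. The verify functions are the authenticator checks a CoA server and client perform, so a request sent with the wrong key or with a modified attribute is rejected.

```python
"""RADIUS CoA-Request (RFC 5176) as the portal's Logout button sends it to the ISG.

Builds the packet the way radclient would, with the Cisco VSAs the portal uses,
checks the Request Authenticator the way the CoA server (the ISG) must, and
builds/checks the CoA-ACK it answers with. Addresses, port and key are the page's.
"""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45   # RFC 5176 packet codes
ATTR_USER_NAME = 1                            # RFC 2865 attribute types
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_ACCOUNT_INFO = 250                      # Cisco VSA sub-types (FreeRADIUS dictionary.cisco)
CISCO_COMMAND_CODE = 252
CMD_ACCOUNT_LOGON = b"\x01"                   # the \001 / \002 prefixes used in isg.php
CMD_ACCOUNT_LOGOFF = b"\x02"

ISG_COA_SECRET = b"cisco"                     # "server-key cisco" on the ISG, CoA port 1700


def avp(attr_type, value):
    """Encode one RADIUS attribute as Type/Length/Value (length includes the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_vsa(subtype, value):
    """Wrap a Cisco sub-attribute in a Vendor-Specific (26) attribute with vendor id 9."""
    sub = struct.pack("!BB", subtype, len(value) + 2) + value
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_coa_request(secret, identifier, attributes):
    """CoA-Request: Request Authenticator = MD5(Code+ID+Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier & 0xFF, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def account_logoff_request(secret, identifier, username, subscriber_ip):
    """The Logout button: User-Name, Cisco-Command-Code=\\002<user>, Cisco-Account-Info=S<ip>."""
    user = username.encode()
    attributes = (avp(ATTR_USER_NAME, user)
                  + cisco_vsa(CISCO_COMMAND_CODE, CMD_ACCOUNT_LOGOFF + user)
                  + cisco_vsa(CISCO_ACCOUNT_INFO, b"S" + subscriber_ip.encode()))
    return build_coa_request(secret, identifier, attributes)


def verify_coa_request(packet, secret):
    """What the CoA server (the ISG) checks before acting: header sanity and the authenticator."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Walk the TLVs after the 20-byte header; Cisco VSAs come back as ('cisco', subtype, value)."""
    body, pos, out = packet[20:], 0, []
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("bad attribute length")
        value = body[pos + 2:pos + length]
        if (attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID):
            subtype, sub_len = value[4], value[5]
            if sub_len != len(value) - 4:
                raise ValueError("bad vendor sub-attribute length")
            out.append(("cisco", subtype, value[6:]))
        else:
            out.append((attr_type, value))
        pos += length
    return out


def build_coa_response(request, code, secret, attributes=b""):
    """CoA-ACK/NAK: Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attributes))
    authenticator = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + authenticator + attributes


def verify_coa_response(response, request, secret):
    """What the portal side checks on the ISG's answer: same ID, authenticator bound to our request."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if code not in (COA_ACK, COA_NAK) or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    # Constructed sample: the page's user "test" with its DHCP lease 172.16.1.2 logging off.
    req = account_logoff_request(ISG_COA_SECRET, 7, "test", "172.16.1.2")
    print(len(req), "bytes:", req.hex())
    print(parse_attributes(req))
    print("request valid:", verify_coa_request(req, ISG_COA_SECRET))
    ack = build_coa_response(req, COA_ACK, ISG_COA_SECRET)
    print("ack valid:", verify_coa_response(ack, req, ISG_COA_SECRET))
```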
cat_driver
57 / 48 / 3
Registered: 19.12.2013
Posts: 203
04.06.2014, 11:10 2
First of all, thanks for the article!!!
I'd like to ask a question:
what happens in exactly this situation: a user authorized via the portal, worked for a while and disconnected, after which the lease "expired", and then we connect again; we don't store the MAC address anywhere here, do we? So will the user have to authorize on the portal all over again? Or do we store the MAC somewhere so that ISG can tell that this user has already been here and simply create an authen session?
In other words, how can the following construct be implemented in this scheme:

Code
policy-map type control ISG
 class type control always event session-start
  10 authorize aaa list RAD_SRV identifier mac-address 
 class type control always event session-restart
  10 authorize aaa list RAD_SRV identifier mac-address
Although this is probably a matter of configuring the portal and RADIUS so that the portal binds the MAC to the user name at registration?
0
Jabbson
Computer networks expert
3353 / 2427 / 746
Registered: 03.11.2009
Posts: 7,759
Blog entries: 3
06.06.2014, 03:02  [OP] 3
Sorry for the long silence, work.

The simplest way I can see (ATTENTION: this is not a finished solution, it is a minimal example that adds the user unconditionally).

Write a script on the RADIUS server:
Bash
#!/usr/bin/env bash
# Credentials of the RADIUS database user (placeholders, fill in your own)
name='<name here>'
pass='<pass here>'

while true
do
  # Capture one Access-Request from the ISG and cut the Calling-Station-Id
  # (xx-xx-xx-xx-xx-xx, IETF format) out of tcpdump's verbose output,
  # then rewrite it into Cisco's dotted xxxx.xxxx.xxxx form
  add=$(tcpdump -i eth0 -c 1 -nn -v -l "udp port 1812 and src host 192.168.8.230" \
        2>/dev/null | grep --line-buffered -o -E "(.{2}\-){5}.{2}" | sed 's/-//g' | \
        sed 's/^\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)/\1.\2.\3/g')
  # Only insert a well-formed MAC; skip empty or unexpected captures so that
  # nothing other than a MAC ever reaches the SQL statement
  [[ "$add" =~ ^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$ ]] || continue
  mysql -D radius_db -u"$name" -p"$pass" -e "insert ignore into radcheck \
         (username,attribute,op,value) values ('$add','Cleartext-Password',':=','cisco')"
done
and run it.

On the ISG, change event session-start to:

Code
class type control always event session-start
  1 authorize identifier mac-address
  3 service-policy type service name OPEN_GARDEN
  5 set-timer UNAUTH-TIMER 5
  10 service-policy type service name S_L4R
the first time, authorization by MAC will fail and rules 3, 5 and 10 will fire;
the user will land on the portal, enter their credentials, and via CoA they will go to the ISG, which in turn will send them to RADIUS; RADIUS will catch the packet (install tcpdump), cut the MAC out of it and insert it into the MySQL database (and, of course, authorize the user by login/password).

mysql> select * from radcheck;
Code
+----+----------------+--------------------+----+-------+
| id | username       | attribute          | op | value |
+----+----------------+--------------------+----+-------+
|  1 | test           | Cleartext-Password | := | test  |
|  5 | INET           | Cleartext-Password | := | cisco |
| 16 | 0050.5694.626a | Cleartext-Password | := | cisco |
+----+----------------+--------------------+----+-------+
3 rows in set (0.00 sec)

mysql>


If at this point the subscriber disconnects and reconnects, authorization by MAC will now succeed and rules 3, 5 and 10 will not fire.

PS> actually, come to think of it, the MAC will be added even before the portal, during the authorization attempt under rule 1; this is fixable, but I'm too lazy now; I think you got the idea.
1
Jabbson
Computer networks expert
3353 / 2427 / 746
Registered: 03.11.2009
Posts: 7,759
Blog entries: 3
08.06.2014, 22:03  [OP] 4
the MAC can be brought into the required form with a single sed; it is bulkier, but runs 1/1000 of a second faster.
Bash
sed 's/^\(.\{2\}\).\(.\{2\}\).\(.\{2\}\).\(.\{2\}\).\(.\{2\}\).\(.\{2\}\)/\1\2.\3\4.\5\6/g'
or, even simpler, but slightly heavier on the CPU (although at these thousandths I don't think it is critical)
Bash
awk -F'-' '{print $1$2"."$3$4"."$5$6;}'
and capturing can be done with tshark, via -T fields -e radius.Calling_Station_Id -R "radius.code==44", which is, in principle, somewhat more convenient.
0
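The capture-and-insert loop in reply #3 and the MAC reformatting in reply #4 can also be done without tcpdump, grep and shell interpolation by decoding the RADIUS packet directly. The following is an added example and not code from the thread: it parses an Access-Request, pulls out Calling-Station-Id (attribute 31), normalises the MAC to Cisco's dotted form (from the IETF dashed form the thread works with, and also from colon-separated or already-dotted spellings, which goes beyond the thread's single case), and stores it with a parameterised INSERT into a radcheck-shaped table. SQLite stands in for MySQL, the sample packet and the database are constructed inline, and the rule that skips requests whose User-Name is itself a MAC address (so the MAC is recorded only on the portal login, the gap the PS in reply #3 mentions) assumes that the `authorize identifier mac-address` round sends the MAC as the User-Name; verify that against your own RADIUS logs before relying on it.

```python
"""Register the MAC seen in a RADIUS Access-Request as a radcheck entry.
Added example, not code from the thread; sample packet and DB are constructed."""
import re
import sqlite3
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31


def to_cisco_mac(mac: str) -> str:
    """Normalise 00-50-56-94-62-6a / 00:50:56:94:62:6A / 0050.5694.626a to
    Cisco's dotted form; anything that is not 12 hex digits is rejected."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def parse_radius(packet: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]).
    Length fields are checked so a truncated packet raises instead of
    yielding a bogus (e.g. empty) attribute value."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def build_access_request(ident: int, attrs) -> bytes:
    """Constructed sample Access-Request for the demo. The authenticator is a
    fixed constructed value; a real client sends 16 random octets."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(body))
    return header + bytes(range(16)) + body


def open_radcheck(path=":memory:") -> sqlite3.Connection:
    """Stand-in for the FreeRADIUS radcheck table (constructed schema). The
    UNIQUE constraint is what makes the INSERT OR IGNORE idempotent."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS radcheck (id INTEGER PRIMARY KEY,"
        " username TEXT NOT NULL, attribute TEXT NOT NULL, op TEXT NOT NULL,"
        " value TEXT NOT NULL, UNIQUE(username, attribute))")
    return conn


def register_mac_from_request(conn, packet: bytes, password="cisco"):
    """If the packet is an Access-Request for a portal user (User-Name is not
    itself a MAC) carrying Calling-Station-Id, store that MAC in radcheck and
    return it in Cisco form; otherwise return None."""
    code, _ident, _auth, attrs = parse_radius(packet)
    if code != RADIUS_ACCESS_REQUEST:
        return None
    values = dict(attrs)  # last occurrence of an attribute wins; enough here
    if ATTR_CALLING_STATION_ID not in values:
        return None
    try:
        mac = to_cisco_mac(values[ATTR_CALLING_STATION_ID].decode("ascii", "replace"))
    except ValueError:
        return None  # Calling-Station-Id was not a MAC address
    user = values.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    try:
        if to_cisco_mac(user) == mac:
            return None  # assumption: the mac-address authorize round, not the portal login
    except ValueError:
        pass
    # Parameterised: the captured value can never change the statement itself
    conn.execute(
        "INSERT OR IGNORE INTO radcheck (username, attribute, op, value)"
        " VALUES (?, 'Cleartext-Password', ':=', ?)", (mac, password))
    conn.commit()
    return mac


if __name__ == "__main__":
    db = open_radcheck()
    pkt = build_access_request(7, [(ATTR_USER_NAME, b"test"),
                                   (ATTR_CALLING_STATION_ID, b"00-50-56-94-62-6a")])
    print(register_mac_from_request(db, pkt))
    print(db.execute("SELECT username, attribute, op, value FROM radcheck").fetchall())
```

Two things differ from the shell pipeline on purpose: a packet that fails the length checks raises instead of producing an empty username, and the MAC goes into the statement as a bound parameter, so a crafted Calling-Station-Id cannot alter the SQL.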
cat_driver
57 / 48 / 3
Registered: 19.12.2013
Posts: 203
09.06.2014, 10:16 5
Well, the idea is clear, thanks again; there will be something to "poke at" in my spare time; I'm putting together a similar test bench on virtual machines right now to get a better grip on all this; I liked the portal idea and will try to implement it on the bench.
I also had another question:

For example, I have an ISG which is also the DHCP server, and there is, say, a pool of addresses on a loopback and several unnumbered (l2connected) interfaces pointing to that loopback;
the pool is, say, a /22 and I have on average 700-800 sessions. And I authorize them not by MAC (after all, a MAC is easier to forge) but by option 82, i.e. the interface looks roughly like this:
Code
interface GigabitEthernet0/0/2.555
 encapsulation dot1Q 555 second-dot1q 556-580
 ip unnumbered Loopback2
 service-policy type control DHCP-Subscriber
 ip subscriber l2-connected
  initiator dhcp
by the way, I'll share a cheat link on how to insert a DHCP option into a DHCP client, it may come in handy some day)
I'll also add that the asr1k claims the ability to send a pair of tags, inner and outer, as the identifier, but it doesn't work, and when they will fix it is unknown)


And a sea of questions. Any thoughts? =)
How can all this be made redundant if a second ISG is added?
The pool can't be split, because if one ISG fails there won't be enough addresses.
Move DHCP to a separate server and relay to it, with, say, HSRP (VRRP) between the ISGs, or the more exotic option with GLBP?


And the most interesting question: how will things stand with sessions? After all, for a session to appear I have to wait for a discover from the client; in principle the lease could be made shorter, but that would probably be somewhat ugly...
In any case I'll be trying it out
0
ququ
0 / 0 / 0
Registered: 11.08.2014
Posts: 10
11.08.2014, 15:52 6
Great, thanks; it helped a good deal to get the logic straight in my head.

I'm racking my brain over the question of QoS from RADIUS.
The config from the article leads to the following result:

Code
Policy information:
  Context 7FD41ABE49D8: Handle 950002B4
  AAA_id 00006C3C: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    accounting-list      0   "ISG_ACC"
  Downloaded User profile, including services:
    username             0   "OPEN_GARDEN"
    accounting-list      0   "ISG_ACC"
    sub-qos-policy-in    0   "SUB-QOS-IN"
    sub-qos-policy-out   0   "SUB-QOS-OUT"
    traffic-class        0   "in default drop"
    traffic-class        0   "out default drop"
    traffic-class        0   "output access-group name INT_OUT priority 50"
    traffic-class        0   "input access-group name INT_IN priority 50"
  Config history for session (recent to oldest):
    Access-type: Web-user-logon Client: Account Command-Handler
     Policy event: Got More Keys (Service)
      Profile name: INET, 3 references
        sub-qos-policy-in    0   "SUB-QOS-IN"
        sub-qos-policy-out   0   "SUB-QOS-OUT"
        traffic-class        0   "in default drop"
        traffic-class        0   "out default drop"
        traffic-class        0   "output access-group name INT_OUT priority 50"
        traffic-class        0   "input access-group name INT_IN priority 50"
    Access-type: Web-user-logon Client: Account Command-Handler
I.e. in theory the sub-qos-policy is there. In practice I see no effect.

I tried making one more service, of the form:
Code
| 12 | test     | Cisco-AVPair | += | subscriber:service-name=50M                                   |

policy-map type service 50M
  service-policy input SUB-QOS-IN-50M
  service-policy output SUB-QOS-OUT-50M
!
policy-map SUB-QOS-IN-50M
 class class-default
  police cir 52428500 bc 3276800 be 3276800 conform-action transmit  exceed-action drop  violate-action drop
policy-map SUB-QOS-OUT-50M
 class class-default
  police cir 52428500 bc 3276800 be 3276800 conform-action transmit  exceed-action drop  violate-action drop
The effect is consistent. I see:
Code
  Downloaded User profile, excluding services:
    accounting-list      0   "ISG_ACC"
    service-name         0   "50M"
    command              0   "activate-service"
  Downloaded User profile, including services:
    username             0   "OPEN_GARDEN"
    accounting-list      0   "ISG_ACC"
    service-name         0   "50M"
    command              0   "activate-service"
    traffic-class        0   "in default drop"
    traffic-class        0   "out default drop"
    traffic-class        0   "output access-group name INT_OUT priority 50"
    traffic-class        0   "input access-group name INT_IN priority 50"
  Config history for session (recent to oldest):
    Access-type: Web-user-logon Client: Account Command-Handler
     Policy event: Got More Keys (Service)
      Profile name: INET, 3 references
        traffic-class        0   "in default drop"
        traffic-class        0   "out default drop"
        traffic-class        0   "output access-group name INT_OUT priority 50"
        traffic-class        0   "input access-group name INT_IN priority 50"
    Access-type: Web-user-logon Client: Account Command-Handler
In practice the service does not work.

The only case in which it worked was when, for a laugh, I made roughly this construct:
Code
 class type control always event account-logon
  10 authenticate aaa list RAD_SRV
  20 service-policy type service unapply name S_L4R
  30 service-policy type service name INET
  40 service-policy type service name 50M
I suspect I have missed something completely obvious, but I've run out of ideas.
I'd be grateful for a kick in the right direction.
0
Jabbson
Computer networks expert
3353 / 2427 / 746
Registered: 03.11.2009
Posts: 7,759
Blog entries: 3
11.08.2014, 19:40  [OP] 7
To answer, I'd like to see the full output of show subscriber session detailed at the moment when the user is already stable and has received what they need, as well as the ISG config.
0
ququ
0 / 0 / 0
Registered: 11.08.2014
Posts: 10
11.08.2014, 20:55 8
I rewrote the config from scratch, following the original post.

Full config:
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service unsupported-transceiver
no platform punt-keepalive disable-kernel-core
!
hostname ASR1002-X
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
aaa new-model
!
!
aaa group server radius RAD_SRV
server name RAD_SRV1
load-balance method least-outstanding batch-size 1 ignore-preferred-server
!
aaa authentication login default local
aaa authentication login RAD_SRV group RAD_SRV
aaa authorization exec default local
aaa authorization network default group RAD_SRV
aaa authorization subscriber-service default local group RAD_SRV
aaa accounting delay-start
aaa accounting jitter maximum 0
aaa accounting update periodic 1
aaa accounting commands 0 default none
aaa accounting commands 1 default none
aaa accounting commands 15 default none
aaa accounting network default start-stop group RAD_SRV
aaa accounting network ISG_ACC start-stop group RAD_SRV
!
aaa nas port extended
!
!
!
aaa server radius dynamic-author
client *.*.128.27 server-key 7 070D282F4D06
client *.*.205.229 server-key 7 00081A150754
auth-type any
ignore session-key
ignore server-key
!
aaa session-id common
!
!
!
!
!
!
!


ip domain name testnet.ru
ip name-server *.*.205.226
ip name-server *.*.205.254
ip dhcp relay information policy keep
ip dhcp relay information trust-all
!
!
!
!
!
!
!
!
!
!
subscriber redundancy dynamic periodic-update interval 15
subscriber service multiple-accept
subscriber service session-accounting
subscriber service accounting interim-interval 1
subscriber templating
subscriber authorization enable
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
mode none
!
!
!
!
!
!
ip tftp source-interface GigabitEthernet0
ip ssh authentication-retries 2
ip ssh version 2
class-map type traffic match-any TC_L4R
match access-group input name ACL_IN_L4R
!
class-map type traffic match-any OPEN_GARDEN
match access-group input name OPENGARDEN_IN
match access-group output name OPENGARDEN_OUT
!
class-map type control match-all ISG-IP-UNAUTH
match timer UNAUTH-TIMER
match authen-status unauthenticated
!
policy-map type service S_L4R
250 class type traffic TC_L4R
redirect to ip *.*.205.249 port 9002
!
!
policy-map type service OPEN_GARDEN
250 class type traffic OPEN_GARDEN
!
class type traffic default in-out
drop
!
!
policy-map type control ISG
class type control ISG-IP-UNAUTH event timed-policy-expiry
1 service disconnect
!
class type control always event session-start
1 service-policy type service name OPEN_GARDEN
5 set-timer UNAUTH-TIMER 5
10 service-policy type service name S_L4R
!
class type control always event session-restart
1 service-policy type service name OPEN_GARDEN
5 set-timer UNAUTH-TIMER 5
10 service-policy type service name S_L4R
!
class type control always event account-logon
10 authenticate aaa list RAD_SRV
20 service-policy type service unapply name S_L4R
30 service-policy type service name INET
!
class type control always event account-logoff
10 service-policy type service unapply name INET
!
!
!
policy-map SUB-QOS-IN
class class-default
police cir 100000
policy-map SUB-QOS-OUT
class class-default
police cir 100000
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
description main unnumbered source interface
ip address *.*.133.1 255.255.255.0
!
interface Loopback1
description ip nat pool
ip address *.*.29.129 255.255.255.224
!
interface Port-channel1
ip address *.*.204.57 255.255.255.224
ip nat outside
ip ospf mtu-ignore
negotiation auto
!
interface Port-channel1.102
description management vlan
encapsulation dot1Q 102
ip address 10.140.2.9 255.255.255.0
!
interface Port-channel1.1634
encapsulation dot1Q 1634
ip unnumbered Loopback0
ip helper-address *.*.128.28
ip nat inside
ip flow egress
service-policy type control ISG
ip subscriber l2-connected
initiator dhcp
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
channel-group 1 mode passive
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
channel-group 1 mode passive
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/4
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/5
no ip address
shutdown
negotiation auto
!
interface TenGigabitEthernet0/1/0
no ip address
shutdown
!
interface TenGigabitEthernet0/2/0
no ip address
shutdown
!
interface TenGigabitEthernet0/3/0
no ip address
shutdown
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
router ospf 1
router-id *.*.204.57
redistribute connected subnets
network *.*.204.32 0.0.0.31 area 0.0.0.0
!
ip nat settings mode cgn
no ip nat settings support mapping outside
ip nat pool main_nat_pool *.*.29.128 *.*.29.159 netmask 255.255.255.224
ip nat inside source list NAT_RULES pool main_nat_pool overload
ip forward-protocol nd
!
ip flow-export destination *.*.205.229 5096
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 *.*.204.35
!
ip access-list extended ACL_IN_L4R
permit tcp any any eq www
permit tcp any any eq 443
ip access-list extended INT_IN
permit ip any any
ip access-list extended INT_OUT
permit ip any any
ip access-list extended NAT_RULES
deny ip 10.97.0.0 0.0.255.255 *.*.204.0 0.0.3.255
deny ip 10.97.0.0 0.0.255.255 *.*.24.0 0.0.7.255
deny ip 10.97.0.0 0.0.255.255 *.*.128.0 0.0.127.255
deny ip 10.97.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny ip 10.97.0.0 0.0.255.255 172.16.0.0 0.15.255.255
permit ip 10.97.0.0 0.0.255.255 any
ip access-list extended OPENGARDEN_IN
permit ip any host *.*.205.229
permit ip any host *.*.205.249
permit ip any host *.*.204.254
permit ip any host *.*.205.226
ip access-list extended OPENGARDEN_OUT
permit ip host *.*.205.229 any
permit ip host *.*.205.249 any
permit ip host *.*.204.254 any
permit ip host *.*.205.226 any
!
!
snmp-server community public RO
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 30 original-called-number
no radius-server attribute nas-port
radius-server attribute 31 mac format ietf
radius-server attribute 31 send nas-port-detail mac-only
radius-server retransmit 2
radius-server timeout 3
radius-server key 7 13061E210803
!
radius server RAD_SRV1
address ipv4 *.*.128.27 auth-port 1812 acct-port 1813
key 7 06100625494114181412
!
!
control-plane
!
!
!
!
!
!
!
!
!
alias exec shs show subscriber session
alias exec cls clear subscriber session all
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport input ssh
!
!
end


select * from radreply (fully identical to the original):
+----+----------+--------------+----+---------------------------------------------------------------+
| id | username | attribute    | op | value                                                         |
+----+----------+--------------+----+---------------------------------------------------------------+
|  1 | INET     | Cisco-AVPair | += | ip:sub-qos-policy-in=SUB-QOS-IN                               |
|  2 | INET     | Cisco-AVPair | += | ip:sub-qos-policy-out=SUB-QOS-OUT                             |
|  3 | INET     | Cisco-AVPair | += | ip:traffic-class=in default drop                              |
|  4 | INET     | Cisco-AVPair | += | ip:traffic-class=out default drop                             |
|  5 | INET     | Cisco-AVPair | += | ip:traffic-class=output access-group name INT_OUT priority 50 |
|  6 | INET     | Cisco-AVPair | += | ip:traffic-class=input access-group name INT_IN priority 50   |
|  7 | test     | Cisco-AVPair | += | subscriber:accounting-list=ISG_ACC                            |
+----+----------+--------------+----+---------------------------------------------------------------+


show subscriber session detailed
Code
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: DHCPv4, UID: 2, State: authen, Identity: test
IPv4 Address: *.*.133.11
Session Up-time: 00:05:12, Last Changed: 00:03:59
Switch-ID: 4097

Policy information:
  Context 7F70759389F0: Handle D2000006
  AAA_id 0000000E: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    accounting-list      0   "ISG_ACC"
  Downloaded User profile, including services:
    username             0   "OPEN_GARDEN"
    accounting-list      0   "ISG_ACC"
    sub-qos-policy-in    0   "SUB-QOS-IN"
    sub-qos-policy-out   0   "SUB-QOS-OUT"
    traffic-class        0   "in default drop"
    traffic-class        0   "out default drop"
    traffic-class        0   "output access-group name INT_OUT priority 50"
    traffic-class        0   "input access-group name INT_IN priority 50"
  Config history for session (recent to oldest):
    Access-type: Web-user-logon Client: Account Command-Handler
     Policy event: Got More Keys (Service)
      Profile name: INET, 3 references
        sub-qos-policy-in    0   "SUB-QOS-IN"
        sub-qos-policy-out   0   "SUB-QOS-OUT"
        traffic-class        0   "in default drop"
        traffic-class        0   "out default drop"
        traffic-class        0   "output access-group name INT_OUT priority 50"
        traffic-class        0   "input access-group name INT_IN priority 50"
    Access-type: Web-user-logon Client: Account Command-Handler
     Policy event: Got More Keys (Unapplied) (Service)
      Profile name: S_L4R, 4 references
        password             0   <hidden>
        username             0   "S_L4R"
        traffic-class        0   "input access-group name ACL_IN_L4R priority 250"
        l4redirect           0   "redirect to ip *.*.205.249 port 9002"
    Access-type: Web-user-logon Client: Account Command-Handler
     Policy event: Got More Keys
      Profile name: test, 2 references
        accounting-list      0   "ISG_ACC"
    Access-type: DHCP Client: SM
     Policy event: Service Selection Request (Service)
      Profile name: S_L4R, 4 references
        password             0   <hidden>
        username             0   "S_L4R"
        traffic-class        0   "input access-group name ACL_IN_L4R priority 250"
        l4redirect           0   "redirect to ip *.*.205.249 port 9002"
    Access-type: DHCP Client: SM
     Policy event: Service Selection Request (Service)
      Profile name: OPEN_GARDEN, 3 references
        password             0   <hidden>
        username             0   "OPEN_GARDEN"
        traffic-class        0   "input access-group name OPENGARDEN_IN priority 250"
        traffic-class        0   "output access-group name OPENGARDEN_OUT priority 250"
        traffic-class        0   "input default drop"
        traffic-class        0   "output default drop"
  Active services associated with session:
    name "INET"
    name "OPEN_GARDEN", applied before account logon
  Rules, actions and conditions executed:
    subscriber rule-map ISG
      condition always event session-restart
        1 service-policy type service name OPEN_GARDEN
        5 set-timer UNAUTH-TIMER 5
        10 service-policy type service name S_L4R
    subscriber rule-map ISG
      condition always event account-logon
        10 authenticate aaa list RAD_SRV
        20 service-policy type service unapply name S_L4R
        30 service-policy type service name INET
        subscriber condition-map match-all ISG-IP-UNAUTH
          match identifier timer UNAUTH-TIMER [TRUE]
          match identifier authen-status unauthenticated [FALSE]
    subscriber rule-map ISG
      condition ISG-IP-UNAUTH event timed-policy-expiry
        subscriber condition-map match-all ISG-IP-UNAUTH
          match identifier timer UNAUTH-TIMER [TRUE]
          match identifier authen-status unauthenticated [FALSE]
    subscriber rule-map ISG
      condition ISG-IP-UNAUTH event timed-policy-expiry
        subscriber condition-map match-all ISG-IP-UNAUTH
          match identifier timer UNAUTH-TIMER [TRUE]
          match identifier authen-status unauthenticated [FALSE]
    subscriber rule-map ISG
      condition ISG-IP-UNAUTH event timed-policy-expiry

Classifiers:
Class-id    Dir   Packets    Bytes                  Pri.  Definition
0           In    1415       146164                 0    Match Any
1           Out   926        251376                 0    Match Any
6           In    37         2400                   250  Match ACL OPENGARDEN_IN
7           Out   174        23754                  250  Match ACL OPENGARDEN_OUT
10          In    989        113236                 50   Match ACL INT_IN
11          Out   747        227290                 50   Match ACL INT_OUT
4294967294  In    214        16589                  -    Drop
4294967295  Out   5          332                    -    Drop

Template Id : 2

Features:

Accounting:
Class-id   Dir  Packets    Bytes                 Source
0          In   972        112374                Peruser
1          Out  741        226996                Peruser

Configuration Sources:
Type  Active Time  AAA Service ID  Name
SVC   00:05:12     -               OPEN_GARDEN
SVC   00:03:59     -               INET
USR   00:03:59     -               Peruser
INT   00:05:12     -               Port-channel1.1634
0
Jabbson
Computer networks expert
3353 / 2427 / 746
Registered: 03.11.2009
Posts: 7,759
Blog entries: 3
12.08.2014, 11:10  [OP] 9
show subscriber session feature qos-peruser
show policy-map interface

most likely there will be nothing there, because
Code
Features:
do a debug subscriber feature all; most likely the reason will be in there.
0
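The hint in the reply above (look at whether `Features:` is actually populated) can be checked mechanically across many sessions. This is an added example, not from the thread: a small parser over the `show subscriber session detailed` format, run on a constructed, abridged session dump in the same shape as the one posted in reply #8 (the address is an example value). It collects the downloaded profile attributes, the active services, whatever sits under `Features:`, and the packet counters on the default `Drop` classifier rows, then reports a session whose profile carries `sub-qos-policy-in/out` while the feature list shows no QoS entry, and any traffic that landed in the default drop class. The exact lines ISG prints under `Features:` when per-user QoS is active are not shown in the thread, so matching them by the substring `qos` is an assumption.

```python
"""Parse 'show subscriber session detailed' output and flag a session whose
RADIUS profile carries per-user QoS that never became a session feature.
Added example, not code from the thread; the sample dump is constructed."""
import re

# Constructed, abridged dump in the shape of the thread's output.
SAMPLE_SESSION = """\
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: DHCPv4, UID: 2, State: authen, Identity: test
IPv4 Address: 192.0.2.11
Session Up-time: 00:05:12, Last Changed: 00:03:59

Policy information:
  Authentication status: authen
  Downloaded User profile, excluding services:
    accounting-list      0   "ISG_ACC"
  Downloaded User profile, including services:
    username             0   "OPEN_GARDEN"
    accounting-list      0   "ISG_ACC"
    sub-qos-policy-in    0   "SUB-QOS-IN"
    sub-qos-policy-out   0   "SUB-QOS-OUT"
    traffic-class        0   "in default drop"
  Config history for session (recent to oldest):
    Access-type: Web-user-logon Client: Account Command-Handler
  Active services associated with session:
    name "INET"
    name "OPEN_GARDEN", applied before account logon

Classifiers:
Class-id    Dir   Packets    Bytes                  Pri.  Definition
0           In    1415       146164                 0    Match Any
10          In    989        113236                 50   Match ACL INT_IN
4294967294  In    214        16589                  -    Drop
4294967295  Out   5          332                    -    Drop

Template Id : 2

Features:

Accounting:
Class-id   Dir  Packets    Bytes                 Source
0          In   972        112374                Peruser
"""

HDR_RE = re.compile(r"^Type: (\S+), UID: (\d+), State: (\S+), Identity: (.*)$")
ATTR_RE = re.compile(r'^\s+(\S+)\s+\d+\s+(?:"(.*)"|(<hidden>))\s*$')
SVC_RE = re.compile(r'^\s+name "([^"]+)"')
DROP_RE = re.compile(r"^\d+\s+(In|Out)\s+(\d+)\s+\d+\s+-\s+Drop\s*$")
SECTION_STARTS = {
    "Downloaded User profile, including services:": "profile",
    "Active services associated with session:": "services",
    "Classifiers:": "classifiers",
    "Features:": "features",
}


def parse_session(text):
    """Return identity/state, profile attributes, active services, feature
    lines and per-direction packet counts on the Drop classifier rows."""
    info = {"profile": [], "services": [], "features": [], "drops": {}}
    section = None
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            info.update(type=m.group(1), uid=int(m.group(2)),
                        state=m.group(3), identity=m.group(4).strip())
            continue
        stripped = line.strip()
        if stripped in SECTION_STARTS:
            section = SECTION_STARTS[stripped]
            continue
        if section == "profile":
            m = ATTR_RE.match(line)
            if m:
                value = m.group(2) if m.group(2) is not None else m.group(3)
                info["profile"].append((m.group(1), value))
                continue
            section = None  # first non-attribute line ends the block
        elif section == "services":
            m = SVC_RE.match(line)
            if m:
                info["services"].append(m.group(1))
                continue
            section = None
        elif section == "classifiers":
            m = DROP_RE.match(line)
            if m:
                info["drops"][m.group(1)] = int(m.group(2))
            if not stripped:
                section = None
        elif section == "features":
            if not stripped:
                section = None  # a blank line right after 'Features:' means none
            else:
                info["features"].append(stripped)
    return info


def audit(info):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    qos = [(n, v) for n, v in info["profile"] if n.startswith("sub-qos-policy")]
    # Assumption: an active per-user QoS feature would mention 'qos' under Features:
    if qos and not any("qos" in f.lower() for f in info["features"]):
        findings.append("QoS downloaded from RADIUS (%s) but no QoS feature on session %s"
                        % (", ".join(f"{n}={v}" for n, v in qos), info.get("identity")))
    for direction, packets in info["drops"].items():
        if packets:
            findings.append(f"{packets} packets hit the default Drop classifier ({direction})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_session(SAMPLE_SESSION)):
        print(finding)
```

Run over the output of `show subscriber session detailed` for each session, this turns the by-eye check into a list of sessions where the RADIUS profile and the features actually installed disagree, which is the first thing to look at before going to the debug.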
ququ
0 / 0 / 0
Registered: 11.08.2014
Posts: 10
12.08.2014, 15:09 10
Yes, empty.

The debug, alas, did not give me any ideas.

Part 1:

Code
*Aug 12 02:07:00.474: CH-IDMGR: Entered ch_get_id_mgr_record
*Aug 12 02:07:00.474: SSS PM: CH-IDMGR: (00000000):  "ssg-account-info" testing address *.*.133.11
*Aug 12 02:07:00.474: SSS PM: CH-IDMGR: (00000000):  ssg-account-info SSG:*.*.133.11
*Aug 12 02:07:00.474: CH-IDMGR: req id 0: next hop for ip *.*.133.11 is Port-channel1.1634
*Aug 12 02:07:00.474: CH-IDMGR: IDMGR query request
*Aug 12 02:07:00.475: CH-MAIN: CH ctx 0x7F706A42FC88 allocated
*Aug 12 02:07:00.475: CH-IDMGR: Entered ch_get_id_mgr_record_from_sess
*Aug 12 02:07:00.475: CH-IDMGR: Query for all available information request
*Aug 12 02:07:00.475: CH-MAIN: processing a new CoA request
*Aug 12 02:07:00.475: CH-MAIN: enabling accounting queueing
*Aug 12 02:07:00.475: CH-UTILS: Entered ch_get_idmgr_attributes
*Aug 12 02:07:00.475: CH-UTILS: Entered ch_get_command_attributes
*Aug 12 02:07:00.475: SSS PM: CH-UTILS: (00000000):  "ssg-account-info" testing address *.*.133.11
*Aug 12 02:07:00.475: SSS PM: CH-UTILS: (00000000):  ssg-account-info SSG:*.*.133.11
*Aug 12 02:07:00.475: CH-MAIN: *.*.133.11 processing account-logon
*Aug 12 02:07:00.475: CH-IDMGR: *.*.133.11 Entered ch_idmgr_proxy_response
*Aug 12 02:07:00.475: CH-IDMGR: *.*.133.11 Entered account_logon_idmgr_success
*Aug 12 02:07:00.475: COA_CCM: [SESSION CH EVENT] Event = NEW-REQUEST (ctx: 0x7F706A42FC88, msg: ACCOUNT LOGON)
*Aug 12 02:07:00.475: COA_CCM: Rxd CH context - user 'test', service '', IP 0.0.0.0, Acct Sess ID 4026531883, SSS hdl 0x1040000B063850B
*Aug 12 02:07:00.475: COA_CCM: Found SHDB handle 0x7F000014 for SSS handle 0xF000002B
*Aug 12 02:07:00.475: COA_HA: [ERR] COA context is not found
*Aug 12 02:07:00.475: COA_CCM: Found acct_sess_id 0x178E from parent_aaa_id 0x16FC
*Aug 12 02:07:00.475: COA_CCM: New dynamic session (shdb 0x7F000014, ctx 0x7F706A42FC88, dsess_hdl 0x1, acct_session_id 0x178E) ACCOUNT LOGON OK
*Aug 12 02:07:00.475: CH-IDMGR: *.*.133.11 IDMGR response list
*Aug 12 02:07:00.475: CH-IDMGR: :*.*.133.11
*Aug 12 02:07:00.475: CH-MAIN:  attr session-handle = 4026531883(F000002B)
*Aug 12 02:07:00.475: CH-MAIN:  attr session-guid = C2BBCC39000016FC
*Aug 12 02:07:00.475: CH-MAIN:  attr aaa-unique-id = 5884(000016FC)
*Aug 12 02:07:00.475: CH-MAIN:  attr clid-mac-addr = 001374000000
*Aug 12 02:07:00.475: CH-MAIN:  attr domainip-vrf = B063850B0000
*Aug 12 02:07:00.475: CH-MAIN:  attr circuit-id-tag = 00040662000b
*Aug 12 02:07:00.475: CH-MAIN:  attr remote-id-tag = 0006acf1dfafe720
*Aug 12 02:07:00.475: CH-MAIN:  attr vendor-class-id-tag = MSFT 5.0
*Aug 12 02:07:00.475: CH-MAIN:  attr authen-status = unauthen
*Aug 12 02:07:00.475: CH-MAIN:  attr interface = nas-port:0.0.0.0:255/0/1/1634
*Aug 12 02:07:00.475: CH-MAIN:  attr addr = *.*.133.11
*Aug 12 02:07:00.475: CH-MAIN:  attr service-name = S_L4R
*Aug 12 02:07:00.475: CH-MAIN:  attr idmgr-svc-key = F000002B75000008
*Aug 12 02:07:00.475: CH-MAIN:  attr authen-status = unauthen
*Aug 12 02:07:00.475: CH-MAIN:  attr service-name = OPEN_GARDEN
*Aug 12 02:07:00.475: CH-MAIN:  attr idmgr-svc-key = F000002B1C000003
*Aug 12 02:07:00.475: CH-MAIN:  attr authen-status = unauthen
*Aug 12 02:07:00.475: CH-UTILS: *.*.133.11 Entered ch_is_session_deactivating
*Aug 12 02:07:00.475: CH-SSS: *.*.133.11 Sending a account logon request to PM
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]: Updated key list:
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Access-Type = 12 (Web-user-logon)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   IP-Address-VRF = IP *.*.133.11:0
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   source-ip-address = 7F7075486760
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Mac-Address = 0013.7400.0000
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Sign-Of-Life = 2 (00000002)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   IP-Session-Handle = 2550136844 (9800000C)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Circuit-id = "00040662000b"
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Remote-id = "0006acf1dfafe720"
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Vendor-Class-id = "MSFT 5.0"
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Authen-Status = 1 (Unauthenticated)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Nasport = PPPoEoVLAN: slot 255 adapter 0 port 1 sub-interface 1634 IP 0.0.0.0 VPI 0 VCI 0 VLAN 1634
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Session-Handle = 4026531883 (F000002B)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Restart = 1 (YES)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Protocol-Type = 4 (IP Access Protocol)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Media-Type = 2 (IP)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Switch-Id = 4134 (00001026)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Segment-Hdl = 4135 (00001027)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   AccIe-Hdl = 1006632971 (3C00000B)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   AAA-Id = 5884 (000016FC)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   SHDB-Handle = 2130706452 (7F000014)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Input Interface = "Port-channel1.1634"
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   IP-Address = *.*.133.11 (B063850B)
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]:   Unauth-User = "test"
*Aug 12 02:07:00.475: SSS PM [uid:11][7F70759389F0]: Account Command-Handler Policy invoke - Account-Logon
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE: Looking for a rule for event account-logon
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE:  Intf CloneSrc Po1.1634: service-rule any: ISG
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE:   Evaluate "ISG" for account-logon
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE:    Not matched "ISG/ISG-IP-UNAUTH event timed-policy-expiry"
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE:    Not matched "ISG/always event session-start"
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE:    Not matched "ISG/always event session-restart"
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE:    Matched "ISG/always event account-logon"
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE:    Matched "ISG/always event account-logon/10 authenticate aaa list RAD_SRV "
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE[0]: Start
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE[0]: ISG/always event account-logon/10 authenticate aaa list RAD_SRV
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: SIP [Web-user-logon] can provide more keys
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: SIP [Web-user-logon] can provide more keys
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE[0]: Using AAA-Authen-Method-List RAD_SRV
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE[0]: Need key Auth-User
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE[1]: Start
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE[1]: ISG/always event account-logon/10 authenticate aaa list RAD_SRV
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: Event <need keys>, State: wait-for-events to need-init-keys
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: Policy reply - Need More Keys
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: IDMGR: Need:
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: IDMGR: ask for authen status
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: IDMGR:  request, Query Session Authenticated Status
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: IDMGR: reply, Query Session Authenticated Status = no-record-found
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: IDMGR:   session NOT authenticated
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: Event <idmgr didn't get keys>, State: need-init-keys to need-init-keys
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: Asking client for more keys
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: Policy reply - Need More Keys
*Aug 12 02:07:00.476: CH-SSS: *.*.133.11 Entered Account logon call back
*Aug 12 02:07:00.476: CH-SSS: *.*.133.11 Result Need More Keys
*Aug 12 02:07:00.476: CH-SSS: *.*.133.11 Policy requested more keys
*Aug 12 02:07:00.476: CH-SSS: *.*.133.11 Got a method list name RAD_SRV
*Aug 12 02:07:00.476: CH-UTILS: *.*.133.11 Entered ch_add_framed_ip
*Aug 12 02:07:00.476: CH-UTILS: *.*.133.11 ch_add_framed_ip: adding framed ip:0xB0F3850B
*Aug 12 02:07:00.478: CH-MAIN: *.*.133.11 AAA authentication successful
*Aug 12 02:07:00.478: CH-MAIN: :*.*.133.11
*Aug 12 02:07:00.478: CH-MAIN:  reply, attr accounting-list
*Aug 12 02:07:00.478: CH-MAIN: *.*.133.11 Sending more keys request to PM
*Aug 12 02:07:00.478: CH-SSS: *.*.133.11 Sending a account logon request to PM
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: Authen status update; is now "authen"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: IDMGR: assert authen status "authen"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: IDMGR:  send event Session Update
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: IDMGR:  with username "test"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: Session activation: ok
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: Updated key list:
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Restart = 1 (YES)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Protocol-Type = 4 (IP Access Protocol)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Media-Type = 2 (IP)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Switch-Id = 4134 (00001026)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Segment-Hdl = 4135 (00001027)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   AccIe-Hdl = 1006632971 (3C00000B)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   AAA-Id = 5884 (000016FC)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   SHDB-Handle = 2130706452 (7F000014)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Input Interface = "Port-channel1.1634"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   IP-Address = *.*.133.11 (B063850B)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Unauth-User = "test"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   IP-Address-VRF = IP *.*.133.11:0
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   source-ip-address = 7F2075486760
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Mac-Address = 0013.7400.0000
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Sign-Of-Life = 2 (00000002)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   IP-Session-Handle = 2550136844 (9800000C)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Circuit-id = "00040662000b"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Remote-id = "0006acf1dfafe720"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Vendor-Class-id = "MSFT 5.0"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Authen-Status = 0 (Authenticated)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Nasport = PPPoEoVLAN: slot 255 adapter 0 port 1 sub-interface 1634 IP 0.0.0.0 VPI 0 VCI 0 VLAN 1634
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Session-Handle = 4026531883 (F000002B)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   AAA-Authen-Method-List = "RAD_SRV"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   AAA-Attr-List = FE000BAB
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:     accounting-list      0   "ISG_ACC"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Access-Type = 12 (Web-user-logon)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Final = 1 (YES)
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]:   Auth-User = "test"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: Account Command-Handler Policy invoke - Got More Keys
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: Must apply config before continuing
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: Handling Config Request from Client
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: Event <got process config req>, State: need-init-keys to need-init-keys
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: Handling Process Config
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: Apply config request set to AAA list
Config:   accounting-list      0   "ISG_ACC"
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: Sending test request to AAA
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: SSS PM: Allocating per-user profile info
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: SSS PM: Add per-user profile info to policy context
*Aug 12 02:07:00.478: SSS AAA AUTHOR [uid:11]: Root SIP DHCP
*Aug 12 02:07:00.478: SSS AAA AUTHOR [uid:11]:  Enable IP parsing
*Aug 12 02:07:00.478: SSS AAA AUTHOR [uid:11]:  Enable DHCP parsing
*Aug 12 02:07:00.478: SSS AAA AUTHOR [uid:11]:  Enable IP-Interface parsing
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: ACTIVE HANDLE[0]: Snapshot captured in Active context
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: ACTIVE HANDLE[0]: Active context created
*Aug 12 02:07:00.478: SSS AAA AUTHOR [uid:11]: Event <make request>, state changed from idle to authorizing
*Aug 12 02:07:00.478: SSS AAA AUTHOR [uid:11]: Active key set to Auth-User
*Aug 12 02:07:00.478: SSS AAA AUTHOR [uid:11]: Authorizing key test
*Aug 12 02:07:00.478: SSS AAA AUTHOR [uid:11]: Spoofed AAA reply sent for key test
*Aug 12 02:07:00.478: SSS AAA AUTHOR [uid:11]: Received an AAA pass
 Initial attr  accounting-list      0   "ISG_ACC"
ququ
Registered: 11.08.2014
Posts: 10
12.08.2014, 15:10 #11
Part 2 (did not fit within the message length limit):

Code
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: RULE: VRF Parsing routine:
  accounting-list      0   "ISG_ACC"
*Aug 12 02:07:00.479: SSS PM: VPDN is not enabled
*Aug 12 02:07:00.479: SSF[Peruser/Accounting]: AAA feature Accounting created, for Per-user configuration source
*Aug 12 02:07:00.479: Portbundle Hostkey: portbundle not configured on the router
*Aug 12 02:07:00.479: SSS AAA AUTHOR [uid:11]: SIP IP[7DD7550] parsed as Ignore
*Aug 12 02:07:00.479: SSS AAA AUTHOR [uid:11]: SIP IP[7E12A70] parsed as Ignore
*Aug 12 02:07:00.479: SSS AAA AUTHOR [uid:11]: SIP DHCP[7E12A70] parsed as Ignore
*Aug 12 02:07:00.479: SSS AAA AUTHOR [uid:11]: Event <service not found>, state changed from authorizing to complete
*Aug 12 02:07:00.479: SSS AAA AUTHOR [uid:11]: No service authorization info found
*Aug 12 02:07:00.479: SSS AAA AUTHOR [uid:11]: Active Handle present - C000000E
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: Apply config handle [FE000BAB] now set to [1000BA5]
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: ACTIVE HANDLE[0]: Snapshot reverted from Active context to policy context
*Aug 12 02:07:00.479: SSS AAA AUTHOR [uid:11]: Freeing Active Handle; SSS Policy Context Handle = 4200002C
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: ACTIVE HANDLE[2133]: Released active handle
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: PROFILE: store profile "test"
*Aug 12 02:07:00.479: SSS PM: PROFILE-DB: is profile "test" in DB
*Aug 12 02:07:00.479: SSS PM: PROFILE-DB:  Computed hash value = 912537302
*Aug 12 02:07:00.479: SSS PM: PROFILE-DB:  No, add new list
*Aug 12 02:07:00.479: SSS PM: PROFILE-DB:   create "test"
*Aug 12 02:07:00.479: SSS PM: PROFILE-DB:    create "test"/7F70759EBFF0 hdl 9E000B9B ref 1
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: PROFILE:  create 7F70759F0140, ref 1
*Aug 12 02:07:00.479: SSS AAA AUTHOR [uid:11]: Event <free request>, state changed from complete to terminal
*Aug 12 02:07:00.479: SSS AAA AUTHOR [uid:11]: Cancel request
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: Handling Author Not Found Event
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: Feature info: 7F70778A10F0 Type: Accounting
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]:             : Config level: Per-user
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]:             : IDB type: Sub-if or not required
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]:             : 32 bytes:
SSS PM [uid:11][7F70759389F0]:             : Data: 000000 00 00 00 00 00 00 00 00  ........
SSS PM [uid:11][7F70759389F0]:             : Data: 000008 00 00 00 00 7F 70 75 3F  .....pu?
SSS PM [uid:11][7F70759389F0]:             : Data: 000010 C6 38 00 00 00 00 00 00  .8......
SSS PM [uid:11][7F70759389F0]:             : Data: 000018 00 00 00 00 00 00 00 00  ........
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: Apply of config finished; returning
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: Account Command-Handler Policy invoke - Got More Keys
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: Access type Web-user-logon: final key
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: RULE[0]: Start
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: RULE[0]: ISG/always event account-logon/10 authenticate aaa list RAD_SRV
*Aug 12 02:07:00.479: SSS PM CCM:  Found SHDB handle 0x7F000014 for policy context 0x7F70759389F0
*Aug 12 02:07:00.479: SSS PM CCM:  [SESSION PM EVENT] Event = NEW-REQUEST (ctx: 0x7F70759389F0, action: AUTHENTICATE)
*Aug 12 02:07:00.479: SSS PM HA:  Dynsess not required shdb = 0x7F000014 spol_ctx = 0x7F70759389F0
*Aug 12 02:07:00.479: SSS PM CCM:  Set PM HA as not ready (session 0x7F000014) successfully
*Aug 12 02:07:00.479: SSS PM HA:  Adding an action (type AUTHENTICATE) into the PM HA queue
*Aug 12 02:07:00.479: SSS PM HA:  Setting current elem, from 0x7F707099B9F8 to 0x7F707099B868
*Aug 12 02:07:00.479: SSS PM CCM:  New bulk session (shdb 0x7F000014), ctx 0x7F70759389F0, dsess_hdl 0x0, AUTHENTICATE OK
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: RULE[0]: Run action with no altered name
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: State: need-init-keys to initial-req
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: RULE[0]: Have key Auth-User
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: RULE[1]: Start
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: RULE[1]: ISG/always event account-logon/10 authenticate aaa list RAD_SRV
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: RULE[2]: Start
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: RULE[2]: ISG/always event account-logon/20 service-policy type service unapply name S_L4R
*Aug 12 02:07:00.479: SSS PM CCM:  Found SHDB handle 0x7F000014 for policy context 0x7F70759389F0
*Aug 12 02:07:00.479: SSS PM CCM:  [SESSION PM EVENT] Event = NEW-REQUEST (ctx: 0x7F70759389F0, action: UNAPPLY-SERVICE)
*Aug 12 02:07:00.479: SSS PM HA:  Dynsess not required shdb = 0x7F000014 spol_ctx = 0x7F70759389F0
*Aug 12 02:07:00.479: SSS PM CCM:  Set PM HA as not ready (session 0x7F000014) successfully
*Aug 12 02:07:00.479: SSS PM HA:  Adding an action (type UNAPPLY-SERVICE) into the PM HA queue
*Aug 12 02:07:00.479: SSS PM HA:  Setting current elem, from 0x7F707099B868 to 0x7F707099B7A0
*Aug 12 02:07:00.479: SSS PM CCM:  New bulk session (shdb 0x7F000014), ctx 0x7F70759389F0, dsess_hdl 0x0, UNAPPLY-SERVICE OK
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: State: initial-req to check-auth-needed
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: Event <send auth>, State: check-auth-needed to authorizing
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: Handling AAA service Authorization
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: Sending AAA request for 'S_L4R'
*Aug 12 02:07:00.479: SVM [75000008/S_L4R]: already downloaded; sharing
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: service "S_L4R" in cache
*Aug 12 02:07:00.479: SSS AAA AUTHOR [0]: Root SIP DHCP
*Aug 12 02:07:00.479: SSS AAA AUTHOR [0]:  Enable IP parsing
*Aug 12 02:07:00.479: SSS AAA AUTHOR [0]:  Enable DHCP parsing
*Aug 12 02:07:00.479: SSS AAA AUTHOR [0]:  Enable IP-Interface parsing
*Aug 12 02:07:00.479: SSS AAA AUTHOR [0]: SIP IP[7DD7550] parsed as Ignore
*Aug 12 02:07:00.479: SSS AAA AUTHOR [0]: SIP IP[7E12A70] parsed as Ignore
*Aug 12 02:07:00.479: SSS AAA AUTHOR [0]: SIP DHCP[7E12A70] parsed as Ignore
*Aug 12 02:07:00.479: SVM [75000008/S_L4R]: [4200002C]: client download ok
*Aug 12 02:07:00.479: SVM [75000008/S_L4R]: [SVM-to-client-msg:4200002C] locked 0->1
*Aug 12 02:07:00.479: SVM [75000008/S_L4R]: [PM-Download:4200002C] locked 0->1
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: waiting for download response
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[2]: Downloading service "S_L4R"
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[3]: Start
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[3]: ISG/always event account-logon/20 service-policy type service unapply name S_L4R
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Event <send auth>, State: authorizing to authorizing
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Handling Action Ignore for <send auth>
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: SVM service download success
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: download completed for "S_L4R" version 1
*Aug 12 02:07:00.480: SVM [75000008/S_L4R]: alloc feature info
*Aug 12 02:07:00.480: SVM [75000008/S_L4R]: is a feature remove
*Aug 12 02:07:00.480: SVM [75000008/S_L4R]: [SVM-Feature-Info:7F7075649A20] locked 0->1
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: PROFILE: store profile "S_L4R"
*Aug 12 02:07:00.480: SSS PM: PROFILE-DB:   incremented ref "S_L4R"/7F70759EC050 hdl 7000096D ref 3
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: PROFILE:  create 7F70759F0118, ref 1
*Aug 12 02:07:00.480: SVM [75000008/S_L4R]: populated client
*Aug 12 02:07:00.480: SVM [75000008/S_L4R]: [PM-Download:4200002C] unlocked 1->0
*Aug 12 02:07:00.480: SVM [75000008/S_L4R]: [SVM-to-client-msg:4200002C] unlocked 1->0
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE: VRF/Classname Check: session logging off or not VRF/Classname dependent
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Handling Author Not Found Event
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Feature info: 7F7075649A20 Type: Service Config
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]:             : Config level: Service Profile
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]:             : IDB type: Sub-if or not required
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]:             : Is being removed
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]:             : 16 bytes:
SSS PM [uid:11][7F70759389F0]:             : Data: 000000 00 00 75 00 00 08 00 00  ..u.....
SSS PM [uid:11][7F70759389F0]:             : Data: 000008 00 00 BF 00 00 2E 00 00  ........
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Feature info: 7F70778A10F0 Type: Accounting
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]:             : Config level: Per-user
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]:             : IDB type: Sub-if or not required
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]:             : 32 bytes:
SSS PM [uid:11][7F70759389F0]:             : Data: 000000 00 00 00 00 00 00 00 00  ........
SSS PM [uid:11][7F70759389F0]:             : Data: 000008 00 00 00 00 7F 70 75 3F  .....pu?
SSS PM [uid:11][7F70759389F0]:             : Data: 000010 C6 38 00 00 00 00 00 00  .8......
SSS PM [uid:11][7F70759389F0]:             : Data: 000018 00 00 00 00 00 00 00 00  ........
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Service ending
*Aug 12 02:07:00.480: SVM [75000008/S_L4R]: already downloaded; sharing
*Aug 12 02:07:00.480: SSS PM [7F7075937F40]: SERVICE [S_L4R]: Stop-pending request: Ok
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: SERVICE [S_L4R]: Sending Service logoff to DPM
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Event <srvf not found>, State: authorizing to check-auth-needed
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Handling Next Authorization Check
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[0]: Continue
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[0]: ISG/always event account-logon/20 service-policy type service unapply name S_L4R
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[1]: Continue
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[1]: ISG/always event account-logon/30 service-policy type service name INET
*Aug 12 02:07:00.480: SSS PM CCM:  Found SHDB handle 0x7F000014 for policy context 0x7F70759389F0
*Aug 12 02:07:00.480: SSS PM CCM:  [SESSION PM EVENT] Event = NEW-REQUEST (ctx: 0x7F70759389F0, action: APPLY-SERVICE)
*Aug 12 02:07:00.480: SSS PM HA:  Dynsess not required shdb = 0x7F000014 spol_ctx = 0x7F70759389F0
*Aug 12 02:07:00.480: SSS PM CCM:  Set PM HA as not ready (session 0x7F000014) successfully
*Aug 12 02:07:00.480: SSS PM HA:  Adding an action (type APPLY-SERVICE) into the PM HA queue
*Aug 12 02:07:00.480: SSS PM HA:  Setting current elem, from 0x7F707099B7A0 to 0x7F707099B6D8
*Aug 12 02:07:00.480: SSS PM CCM:  New bulk session (shdb 0x7F000014), ctx 0x7F70759389F0, dsess_hdl 0x0, APPLY-SERVICE OK
*Aug 12 02:07:00.480: SSS PM [7F70759382D0]: Create context 7F70759382D0
*Aug 12 02:07:00.480: SSS PM [7F70759382D0]: key lists to append are empty
*Aug 12 02:07:00.480: SSS PM [7F70759382D0]: Authen status update; is now "unauthen"
*Aug 12 02:07:00.480: SSS PM [7F70759382D0]: IDMGR: assert authen status "unauthen"
*Aug 12 02:07:00.480: SSS PM [7F70759382D0]: Authen status should not be updated from a child policy context
*Aug 12 02:07:00.480: SSS PM [7F70759382D0]: Did not update authen status to IDMGR
*Aug 12 02:07:00.480: SSS PM [7F70759382D0]: Updated NAS port for AAA ID 5884
*Aug 12 02:07:00.480: SSS PM [7F70759382D0]: IDMGR:  send event Session Update
*Aug 12 02:07:00.480: SSS PM [7F70759382D0]: Updated key list:
*Aug 12 02:07:00.480: SSS PM [7F70759382D0]:   Authen-Status = 1 (Unauthenticated)
*Aug 12 02:07:00.480: SSS PM [7F70759382D0]:   Nasport = PPPoEoVLAN: slot 255 adapter 0 port 1 sub-interface 1634 IP 0.0.0.0 VPI 0 VCI 0 VLAN 1634
*Aug 12 02:07:00.480: SSS PM [7F70759382D0]:   Session-Handle = 4026531883 (F000002B)
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[1]: This service INET is marked as not cancelled
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Event <send auth>, State: check-auth-needed to authorizing
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Handling AAA service Authorization
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Sending AAA request for 'INET'
*Aug 12 02:07:00.480: SVM [32000005/INET]: already downloaded; sharing
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: service "INET" in cache
*Aug 12 02:07:00.480: SSS AAA AUTHOR [0]: Root SIP DHCP
*Aug 12 02:07:00.480: SSS AAA AUTHOR [0]:  Enable IP parsing
*Aug 12 02:07:00.480: SSS AAA AUTHOR [0]:  Enable DHCP parsing
*Aug 12 02:07:00.480: SSS AAA AUTHOR [0]:  Enable IP-Interface parsing
*Aug 12 02:07:00.480: SSS AAA AUTHOR [0]: SIP IP[7DD7550] parsed as Ignore
*Aug 12 02:07:00.480: SSS AAA AUTHOR [0]: SIP IP[7E12A70] parsed as Ignore
*Aug 12 02:07:00.480: SSS AAA AUTHOR [0]: SIP DHCP[7E12A70] parsed as Ignore
*Aug 12 02:07:00.480: SVM [32000005/INET]: [4200002C]: client download ok
*Aug 12 02:07:00.480: SVM [32000005/INET]: [SVM-to-client-msg:4200002C] locked 0->1
*Aug 12 02:07:00.480: SVM [32000005/INET]: [PM-Download:4200002C] locked 0->1
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: waiting for download response
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[1]: Downloading service "INET"
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[2]: Continue
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[2]: ISG/always event account-logon/30 service-policy type service name INET
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Event <send auth>, State: authorizing to authorizing
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: Handling Action Ignore for <send auth>
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: SVM service download success
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: download completed for "INET" version 1
*Aug 12 02:07:00.480: SVM [32000005/INET]: alloc feature info
*Aug 12 02:07:00.481: SVM [32000005/INET]: [SVM-Feature-Info:7F70756499F8] locked 0->1
*Aug 12 02:07:00.481: SVM [32000005/INET]: has Policy info
*Aug 12 02:07:00.481: SVM [32000005/INET]: [PM-Info:7F70759D1E68] locked 0->1
*Aug 12 02:07:00.481: SVM [32000005/INET]: has Policy info
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: PROFILE: store profile "INET"
*Aug 12 02:07:00.481: SSS PM: PROFILE-DB:   incremented ref "INET"/7F70759EBFC0 hdl 8B000266 ref 2
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: PROFILE:  create 7F70759F00F0, ref 1
*Aug 12 02:07:00.481: SVM [32000005/INET]: populated client
*Aug 12 02:07:00.481: SVM [32000005/INET]: [PM-Download:4200002C] unlocked 1->0
*Aug 12 02:07:00.481: SVM [32000005/INET]: [SVM-to-client-msg:4200002C] unlocked 1->0
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: RULE: VRF/Classname Check: session logging off or not VRF/Classname dependent
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: Handling Author Not Found Event
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: Feature info: 7F7075649A20 Type: Service Config
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]:             : Config level: Service Profile
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]:             : IDB type: Sub-if or not required
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]:             : Is being removed
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]:             : 16 bytes:
SSS PM [uid:11][7F70759389F0]:             : Data: 000000 00 00 75 00 00 08 00 00  ..u.....
SSS PM [uid:11][7F70759389F0]:             : Data: 000008 00 00 BF 00 00 2E 00 00  ........
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: Feature info: 7F70756499F8 Type: Service Config
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]:             : Config level: Service Profile
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]:             : IDB type: Sub-if or not required
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]:             : 16 bytes:
SSS PM [uid:11][7F70759389F0]:             : Data: 000000 00 00 32 00 00 05 00 00  ..2.....
SSS PM [uid:11][7F70759389F0]:             : Data: 000008 00 00 93 00 00 2F 00 00  ...../..
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: Feature info: 7F70778A10F0 Type: Accounting
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]:             : Config level: Per-user
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]:             : IDB type: Sub-if or not required
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]:             : 32 bytes:
SSS PM [uid:11][7F70759389F0]:             : Data: 000000 00 00 00 00 00 00 00 00  ........
SSS PM [uid:11][7F70759389F0]:             : Data: 000008 00 00 00 00 7F 70 75 3F  .....pu?
SSS PM [uid:11][7F70759389F0]:             : Data: 000010 C6 38 00 00 00 00 00 00  .8......
SSS PM [uid:11][7F70759389F0]:             : Data: 000018 00 00 00 00 00 00 00 00  ........
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: Service starting
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: SERVICE [INET]: Parent 7F70759389F0 (same as session)
*Aug 12 02:07:00.481: SVM [32000005/INET]: [PM-Service:7F70759F4250] locked 0->1
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: SERVICE [INET]: Start-pending request: Ok
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: Event <srvf not found>, State: authorizing to check-auth-needed
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: Handling Next Authorization Check
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: RULE[0]: Continue
*Aug 12 02:08:00.534: Accounting[uid:11]: Collecting records for session accounting
*Aug 12 02:08:00.534: Accounting[uid:11]: Dynamic record gathering started for ctx 7F70778C1068
*Aug 12 02:08:00.534: Accounting[uid:11]: Control info records gathering started for ctx 7F70778C1068
*Aug 12 02:08:00.534: Accounting[uid:11]: Updating attribute: I0;38224
*Aug 12 02:08:00.534: Accounting[uid:11]: Updating attribute: O0;114379
*Aug 12 02:08:00.534: SSF: Accounting Start attribute request is for session
*Aug 12 02:08:00.534: SSF: Gathering attributes for flow 0
*Aug 12 02:08:00.534: SSF: No attributes found for flow features
*Aug 12 02:08:00.534: SSS PM [uid:11][7F70759389F0]: SERVICE: Adding Service attributes to start
*Aug 12 02:08:00.534: SSS PM [uid:11][7F70759389F0]: AUTOSERVICE: Services added to accounting ID 5884
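A trace like the one above is hard to follow because the policy manager re-walks its rule list and logs the same rule under different RULE[n] indices. As an added example, not code from the thread, here is a small Python parser that reconstructs, per session uid, which control-policy rules ran, the state transitions, and whether each named service was downloaded and then started or stopped; the message patterns are assumptions taken from the lines in this trace, and the sample input is a constructed excerpt modelled on them.

```python
import re
from collections import defaultdict

# Message formats are assumptions taken from the trace in this thread, not a
# documented schema; adjust the patterns if your IOS release logs differently.
RULE_RE = re.compile(
    r"SSS PM \[uid:(?P<uid>\d+)\]\[[0-9A-F]+\]: RULE\[\d+\]: "
    r"(?P<policy>\S+) event (?P<event>\S+)/(?P<seq>\d+) (?P<action>.+)$"
)
STATE_RE = re.compile(
    r"SSS PM \[uid:(?P<uid>\d+)\]\[[0-9A-F]+\]: (?:Event <[^>]+>, )?"
    r"State: (?P<frm>\S+) to (?P<to>\S+)$"
)
# Only the parent context carries a uid; the child service context logs
# 'Authen status update; is now "unauthen"' without one and is ignored here.
AUTHEN_RE = re.compile(
    r'SSS PM \[uid:(?P<uid>\d+)\]\[[0-9A-F]+\]: Authen status update; is now "(?P<status>\w+)"'
)
DOWNLOAD_RE = re.compile(
    r'SSS PM \[uid:(?P<uid>\d+)\]\[[0-9A-F]+\]: download completed for "(?P<svc>[^"]+)" version (?P<ver>\d+)'
)
# Start/stop results are not always tagged with a uid in the trace.
SERVICE_RE = re.compile(
    r"SERVICE \[(?P<svc>[^\]]+)\]: (?P<op>Start|Stop)-pending request: (?P<res>\w+)"
)
SVC_ACTION_RE = re.compile(r"service-policy type service (?P<unapply>unapply )?name (?P<svc>\S+)")


def _new_session():
    return {"actions": {}, "states": [], "authen": None, "downloads": {}, "services": []}


def parse_isg_trace(text):
    """Group trace lines by session uid.

    actions:   {(event, seq): action} in first-seen order; the policy manager
               re-walks the rule list, so the same rule is logged several times
    states:    [(from, to), ...] policy-manager state transitions
    authen:    last reported authentication status ("authen" / "unauthen")
    downloads: {service: version} for completed service-profile downloads
    services:  [(service, "start" | "stop", result), ...]
    """
    sessions = defaultdict(_new_session)
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.search(line)
        if m:
            sessions[int(m["uid"])]["actions"].setdefault((m["event"], int(m["seq"])), m["action"])
            continue
        m = STATE_RE.search(line)
        if m:
            sessions[int(m["uid"])]["states"].append((m["frm"], m["to"]))
            continue
        m = AUTHEN_RE.search(line)
        if m:
            sessions[int(m["uid"])]["authen"] = m["status"]
            continue
        m = DOWNLOAD_RE.search(line)
        if m:
            sessions[int(m["uid"])]["downloads"][m["svc"]] = int(m["ver"])
            continue
        m = SERVICE_RE.search(line)
        if m:
            # Attribute the result to the session whose control policy named this service.
            for s in sessions.values():
                named = [SVC_ACTION_RE.search(a) for a in s["actions"].values()]
                if any(n and n["svc"] == m["svc"] for n in named):
                    s["services"].append((m["svc"], m["op"].lower(), m["res"]))
    return dict(sessions)


def check_session(s):
    """Compare what the control policy asked for with what the trace shows happened."""
    problems = []
    for (event, seq), action in sorted(s["actions"].items()):
        where = f"{event}/{seq} ({action})"
        if action.startswith("authenticate") and s["authen"] != "authen":
            problems.append(f"{where}: session never reached authenticated status")
        m = SVC_ACTION_RE.search(action)
        if m:
            svc, want = m["svc"], ("stop" if m["unapply"] else "start")
            if svc not in s["downloads"]:
                problems.append(f"{where}: profile for {svc} was never downloaded")
            if (svc, want, "Ok") not in s["services"]:
                problems.append(f"{where}: no successful {want} of service {svc}")
    return problems


# Constructed excerpt modelled on the account-logon trace in this thread.
SAMPLE_TRACE = """\
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE:    Matched "ISG/always event account-logon"
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE[0]: ISG/always event account-logon/10 authenticate aaa list RAD_SRV
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: RULE[0]: Need key Auth-User
*Aug 12 02:07:00.476: SSS PM [uid:11][7F70759389F0]: Event <need keys>, State: wait-for-events to need-init-keys
*Aug 12 02:07:00.478: SSS PM [uid:11][7F70759389F0]: Authen status update; is now "authen"
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: RULE[0]: ISG/always event account-logon/10 authenticate aaa list RAD_SRV
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: State: need-init-keys to initial-req
*Aug 12 02:07:00.479: SSS PM [uid:11][7F70759389F0]: RULE[2]: ISG/always event account-logon/20 service-policy type service unapply name S_L4R
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: download completed for "S_L4R" version 1
*Aug 12 02:07:00.480: SSS PM [7F7075937F40]: SERVICE [S_L4R]: Stop-pending request: Ok
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: RULE[1]: ISG/always event account-logon/30 service-policy type service name INET
*Aug 12 02:07:00.480: SSS PM [7F70759382D0]: Authen status update; is now "unauthen"
*Aug 12 02:07:00.480: SSS PM [uid:11][7F70759389F0]: download completed for "INET" version 1
*Aug 12 02:07:00.481: SSS PM [uid:11][7F70759389F0]: SERVICE [INET]: Start-pending request: Ok
*Aug 12 02:08:00.534: Accounting[uid:11]: Updating attribute: I0;38224
"""

# Same excerpt with the INET download and start lines removed: the control
# policy asked for INET but the trace never shows it being applied.
BROKEN_TRACE = "\n".join(
    l for l in SAMPLE_TRACE.splitlines() if 'for "INET"' not in l and "SERVICE [INET]" not in l
)

if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("broken", BROKEN_TRACE)):
        for uid, s in parse_isg_trace(trace).items():
            print(f"[{name}] session uid:{uid} authen={s['authen']}")
            for (event, seq), action in sorted(s["actions"].items()):
                print(f"  {event}/{seq}: {action}")
            print("  states:", ", ".join(f"{a} -> {b}" for a, b in s["states"]))
            print("  problems:", check_session(s) or "none")
```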
ququ
Registered: 11.08.2014
Posts: 10
12.08.2014, 15:29 #12
I double-checked and did it this way:

Code
policy-map SUB-QOS-IN
 class class-default
  police cir 50000000
policy-map SUB-QOS-OUT
 class class-default
  police cir 50000000

policy-map type service SUB-QOS
  service-policy input SUB-QOS-IN
  service-policy output SUB-QOS-OUT

policy-map type control ISG
...
 class type control always event account-logon
  10 authenticate aaa list RAD_SRV
  20 service-policy type service unapply name S_L4R
  30 service-policy type service name INET
  40 service-policy type service name SUB-QOS
It works:
Code
*Aug 12 04:14:54.370: SSF[Peruser/Accounting]: AAA feature Accounting created, for Per-user configuration source
*Aug 12 04:14:54.370: Portbundle Hostkey: portbundle not configured on the router
*Aug 12 04:14:54.370: QoS Policy Map: Process Attr: sub-policy-In
*Aug 12 04:14:54.370: QoS Policy Map: Process Attr: sub-policy-Out
*Aug 12 04:14:54.370: SSF[SUB-QOS/QoS Policy Map]: AAA feature QoS Policy Map created, for Service Profile configuration source
*Aug 12 04:14:54.370: Portbundle Hostkey: portbundle not configured on the router
*Aug 12 04:14:54.370: SSF[uid:17:0.1]: Sending Apply Config Request to FM
*Aug 12 04:14:54.371: SSF[uid:17:0.1]: Received a config apply request from Session Manager for segment 7F707773DBC0
*Aug 12 04:14:54.371: SSF[INET/uid:17:0.1]: Apply Service Profile configured features from source(BC00000A)
*Aug 12 04:14:54.371: SSF[uid:17:0.1]: Request flow segment context to be created
*Aug 12 04:14:54.371: SSF[uid:17:0.1]: L2HW Segment init returned: Success
*Aug 12 04:14:54.371: SSF[INET/uid:17:20.21]: Apply Service Profile configured features from source(BC00000A)
*Aug 12 04:14:54.371: SSF[INET/uid:17:20.21]: Segment bound to a Service Profile configuration source Success
*Aug 12 04:14:54.371: SSF[SUB-QOS/uid:17:0.1]: Apply Service Profile configured features from source(C600000E)
*Aug 12 04:14:54.371: QoS Policy Map:
START:qos_cca_peruser_apply:target = 0x37000037, target_type = 4, cb = 0x7F706E71C9E8, dir = 0, sense = 1
*Aug 12 04:14:54.371: QoS Policy Map:
cb content:cb->username = , cb->class = 0,cb->parameterized_qos_policy = 0
*Aug 12 04:14:54.371: QoS Policy Map:
dir = 0, cb->qos_policy_map_name = SUB-QOS-IN
*Aug 12 04:14:54.371: QoS Policy Map: created cp context 0x7F70767B3438
*Aug 12 04:14:54.371: QoS Policy Map[uid:17]: install_l2hw 1, update_l2hw 0
 dir 0 status bits 0
*Aug 12 04:14:54.371: QoS Policy Map[uid:17]: cp policy
*Aug 12 04:14:54.371: QoS Policy Map[uid:17]: cb policy SUB-QOS-IN
*Aug 12 04:14:54.371: QoS Policy Map[uid:17]: swidb if_number is 23

*Aug 12 04:14:54.371: SSF: Feature IP protocol mask: V4 & V6
*Aug 12 04:14:54.371: SSF[uid:17:0.1/QoS Policy Map]: L2HW IC bind feature returned: Success
*Aug 12 04:14:54.371: SSF[uid:17:0.1/QoS Policy Map]: L2HW InQ Install feature info request returned: Success
*Aug 12 04:14:54.371: SSF[uid:17/QoS Policy Map]: Adding inbound direction feature context to segment
*Aug 12 04:14:54.371: QoS Policy Map: notify install start: aaa 7322, shdb EC000020, dir 0, status 0
*Aug 12 04:14:54.371: QoS Policy Map: create policy_name 0x7F7077250350
*Aug 12 04:14:54.371: QoS Policy Map:
END:qos_cca_peruser_apply ret SSF_FEATURE_SUCCESS bits 0x40
*Aug 12 04:14:54.371: QoS Policy Map:
START:qos_cca_peruser_apply:target = 0x37000037, target_type = 4, cb = 0x7F706E71C9E8, dir = 1, sense = 1
*Aug 12 04:14:54.371: QoS Policy Map:
cb content:cb->username = , cb->class = 0,cb->parameterized_qos_policy = 0
*Aug 12 04:14:54.371: QoS Policy Map:
dir = 1, cb->qos_policy_map_name = SUB-QOS-OUT
*Aug 12 04:14:54.371: QoS Policy Map: START:qos_sss_acct_accuracy_handler:dir = 1, sense = 1
*Aug 12 04:14:54.371: QoS Policy Map[uid:17]: install_l2hw 0, update_l2hw 1
 dir 1 status bits 40
*Aug 12 04:14:54.371: QoS Policy Map[uid:17]: cp policy
*Aug 12 04:14:54.371: QoS Policy Map[uid:17]: cb policy SUB-QOS-OUT
*Aug 12 04:14:54.371: QoS Policy Map[uid:17]: swidb if_number is 23

*Aug 12 04:14:54.371: QoS Policy Map: create callback context 0x7F7077AB8CD8; total allocated 1
*Aug 12 04:14:54.371: QoS Policy Map: CoA update on 0x1C9A, status bits 0x49.
*Aug 12 04:14:54.371: SSF: Feature IP protocol mask: V4 & V6
*Aug 12 04:14:54.371: SSF[uid:17:0.1/QoS Policy Map]: L2HW IC bind feature returned: Success
*Aug 12 04:14:54.371: SSF[uid:17:0.1/QoS Policy Map]: L2HW InQ Update feature info request returned: Success
*Aug 12 04:14:54.371: SSF[uid:17/QoS Policy Map]: Adding outbound direction feature context to segment
*Aug 12 04:14:54.371: QoS Policy Map: create policy_name 0x7F7077250148
*Aug 12 04:14:54.371: QoS Policy Map:
END:qos_cca_peruser_apply ret SSF_FEATURE_PENDING bits 0x49
*Aug 12 04:14:54.371: SSF[uid:17:0.1/QoS Policy Map]: This feature has returned pending: mask = 2
*Aug 12 04:14:54.371: SSF[SUB-QOS/uid:17:0.1]: Segment bound to a Service Profile configuration source Pending
*Aug 12 04:14:54.371: SSF[uid:17:0.1/QoS Policy Map]: L2HW Set feature handle [2042], ref_cnt [1]
*Aug 12 04:14:54.371: SSF[uid:17:0.1/QoS Policy Map]: L2HW Install feature returned: Ready
*Aug 12 04:14:54.371: SSF[uid:17:0.1/QoS Policy Map]: L2HW Queued feature info free.
*Aug 12 04:14:54.371: SSF[uid:17:0.1/QoS Policy Map]: L2HW Update feature returned: Ready
*Aug 12 04:14:54.371: SSF[uid:17:0.1/QoS Policy Map]: L2HW Queued feature info free.
*Aug 12 04:14:54.371: SSF[uid:17:0.1]: L2HW Activate features returned: Success
*Aug 12 04:14:54.371: SSF[uid:17/QoS]: Installing inbound feature on Layer 3 IP switching path, IP-SIP segment
*Aug 12 04:14:54.393: SSF[uid:17/QoS]: Installing outbound feature on Layer 3 IP switching path, IP-SIP segment
*Aug 12 04:14:54.393: QoS Policy Map: START:qos_peruser_ssf_event_handler
*Aug 12 04:14:54.393: QoS Policy Map: QoS Peruser - Rxed msg 3 from DP status_bits 49->49, policymap SUB-QOS-IN
*Aug 12 04:14:54.393: QoS Policy Map[uid:17]: Install service on context 0x7F70767B3438
*Aug 12 04:14:54.393: QoS Policy Map[uid:17]: Install Success: policy-map SUB-QOS-IN
*Aug 12 04:14:54.393: QoS Policy Map: notify install success: aaa 7322, shdb EC000020, dir 0, status 40
*Aug 12 04:14:54.393: SSF: Feature IP protocol mask: V4 & V6
*Aug 12 04:14:54.393: SSF[uid:17:0.1/QoS Policy Map]: L2HW IC bind feature returned: No change
*Aug 12 04:14:54.393: SSF[uid:17:0.1/QoS Policy Map]: L2HW InQ Update feature info request returned: Success
*Aug 12 04:14:54.393: QoS Policy Map: END:qos_peruser_ssf_event_handler
*Aug 12 04:14:54.393: QoS Policy Map: START:qos_peruser_ssf_event_handler
*Aug 12 04:14:54.393: QoS Policy Map: QoS Peruser - Rxed msg 3 from DP status_bits 9->1, policymap SUB-QOS-OUT
*Aug 12 04:14:54.393: QoS Policy Map[uid:17]: Install service on context 0x7F70767B3438
*Aug 12 04:14:54.393: QoS Policy Map[uid:17]: Install Success: policy-map SUB-QOS-OUT
*Aug 12 04:14:54.393: QoS Policy Map: notify install success: aaa 7322, shdb EC000020, dir 1, status 0
*Aug 12 04:14:54.393: SSF: Feature IP protocol mask: V4 & V6
*Aug 12 04:14:54.393: SSF[uid:17:0.1/QoS Policy Map]: L2HW IC bind feature returned: No change
*Aug 12 04:14:54.393: SSF[uid:17:0.1/QoS Policy Map]: L2HW InQ Update feature info request returned: Success
*Aug 12 04:14:54.393: QoS Policy Map[uid:17]: Qos peruser conditional queue setup for aaa id 0x1C9A
*Aug 12 04:14:54.393: QoS Policy Map: END:qos_peruser_ssf_event_handler
*Aug 12 04:14:54.394: SSF: Processing feature done event
*Aug 12 04:14:54.394: QoS Policy Map: START:qos_peruser_feature_callback
*Aug 12 04:14:54.394: QoS Policy Map: f_cbctxt 0x7F7077AB8CD8 cp_context 0x7F70767B3438 coa_callback 7F7077AB8CD8
*Aug 12 04:14:54.394: QoS Policy Map: status bits 0x21 reply type 3
*Aug 12 04:14:54.394: QoS Policy Map: END:qos_peruser_feature_callback resp 0
*Aug 12 04:14:54.394: SSF[uid:17:0.1]: Continue feature apply, response Success
*Aug 12 04:14:54.394: SSF: Feature callback return Success
*Aug 12 04:14:54.394: SSF[uid:17:0.1/QoS Policy Map]: Unsetting feature pending flag.
*Aug 12 04:14:54.394: SSF[uid:17:0.1/QoS Policy Map]: Feature apply continue: pending mask = 0x0
*Aug 12 04:14:54.394: SSF[INET/uid:17:0.1]: Apply Service Profile configured features from source(BC00000A)
*Aug 12 04:14:54.394: SSF[INET/uid:17:20.21]: Config source Service Profile is already applied to this session, ignoring apply request
*Aug 12 04:14:54.394: SSF[SUB-QOS/uid:17:0.1]: Config source Service Profile is already applied to this session, ignoring apply request
*Aug 12 04:14:54.394: SSF[uid:17:0.1/QoS Policy Map]: L2HW Update feature returned: Ready
*Aug 12 04:14:54.394: SSF[uid:17:0.1/QoS Policy Map]: L2HW Queued feature info free.
*Aug 12 04:14:54.394: SSF[uid:17:0.1/QoS Policy Map]: L2HW Update feature returned: Ready
*Aug 12 04:14:54.394: SSF[uid:17:0.1/QoS Policy Map]: L2HW Queued feature info free.
*Aug 12 04:14:54.394: SSF[uid:17:0.1]: L2HW Activate features returned: Success
*Aug 12 04:14:54.394: SSF[S_L4R/uid:17:26.27]: Unbind flow segment notify.  IETF 0/0 ASCEND 0/0 cause
*Aug 12 04:14:54.394: SSF[S_L4R/uid:17:26.27/L4 Redirect]: Removing feature on segment
*Aug 12 04:14:54.394: L4 Redirect: Remove inbound direction from Service Profile configuration
*Aug 12 04:14:54.394: L4 Redirect: Updating (remove) L4R feature context
*Aug 12 04:14:54.394: SSF[uid:17:26.27/L4 Redirect]: L2HW IC bind feature returned: Success
*Aug 12 04:14:54.394: SSF[uid:17:0.1/L4 Redirect]: L2HW InQ Update feature info request returned: Success
*Aug 12 04:14:54.394: SSF[uid:17/L4 Redirect]: Stop timer
*Aug 12 04:14:54.394: L4 Redirect: Deleted L4R rule context
*Aug 12 04:14:54.394: L4 Redirect: Removing L4R feature context with no remaining rules
*Aug 12 04:14:54.394: SSF[uid:17/L4 Redirect]: Removing inbound direction feature context from segment
*Aug 12 04:14:54.394: L4 Redirect: Deleted L4R feature context
*Aug 12 04:14:54.394: SSF[uid:17/L4 Redirect]: Removing outbound direction feature context from segment
*Aug 12 04:14:54.394: L4 Redirect: Deleted L4R feature context
*Aug 12 04:14:54.394: L4 Redirect: Templated session L4R freeing parent outbound
*Aug 12 04:14:54.394: SSF: Removed feature in inbound direction: Success
*Aug 12 04:14:54.394: SSF[S_L4R/uid:17:26.27/L4 Redirect]: Successfully removed feature on segment
*Aug 12 04:14:54.394: SSF[S_L4R/uid:17:26.27]: Disassociated segment from Service Profile configuration source, Success
*Aug 12 04:14:54.394: SSF[S_L4R/uid:17:26.27]: Unbind flow segment from configuration source, Success
*Aug 12 04:14:54.394: SSF[uid:17:0.1/L4 Redirect]: L2HW Queued feature info free.
*Aug 12 04:14:54.394: SSF[uid:17:0.1]: L2HW Clear queued feature events returned: Success
*Aug 12 04:14:54.394: SSF[uid:17:26.27]: Request flow segment context to be released
*Aug 12 04:14:54.394: SSF[uid:17:26.27]: Deleting flow segment context
*Aug 12 04:14:54.394: SSF[Peruser/uid:17:0.1]: Apply Per-user configured features from source(EE00000A)
*Aug 12 04:14:54.394: SSF[Peruser/uid:17:0.1/Accounting]: Applying feature on segment
...
Trimmed


At the same time the features section is still empty, but a qos-policy-map section has appeared:
Code:
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: DHCPv4, UID: 17, State: authen, Identity: test
IPv4 Address: 176.99.133.11
Session Up-time: 00:05:48, Last Changed: 00:04:59
Switch-ID: 4158

Policy information:
  Context 7F70759389F0: Handle 1B000046
  AAA_id 00001C9A: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    accounting-list      0   "ISG_ACC"
  Downloaded User profile, including services:
    accounting-list      0   "ISG_ACC"
    sub-qos-policy-in    0   "SUB-QOS-IN"
    sub-qos-policy-out   0   "SUB-QOS-OUT"
    traffic-class        0   "in default drop"
    traffic-class        0   "out default drop"
    traffic-class        0   "output access-group name INT_OUT priority 50"
    traffic-class        0   "input access-group name INT_IN priority 50"
    username             0   "SUB-QOS"
    sub-policy-In        0   "SUB-QOS-IN"
    sub-policy-Out       0   "SUB-QOS-OUT"
  Config history for session (recent to oldest):
    Access-type: Web-user-logon Client: Account Command-Handler
     Policy event: Got More Keys (Service)
      Profile name: SUB-QOS, 3 references
        password             0   <hidden>
        username             0   "SUB-QOS"
        sub-policy-In        0   "SUB-QOS-IN"
        sub-policy-Out       0   "SUB-QOS-OUT"
    Access-type: Web-user-logon Client: Account Command-Handler
     Policy event: Got More Keys (Service)
      Profile name: INET, 3 references
        sub-qos-policy-in    0   "SUB-QOS-IN"
        sub-qos-policy-out   0   "SUB-QOS-OUT"
        traffic-class        0   "in default drop"
        traffic-class        0   "out default drop"
        traffic-class        0   "output access-group name INT_OUT priority 50"
        traffic-class        0   "input access-group name INT_IN priority 50"
    Access-type: Web-user-logon Client: Account Command-Handler
     Policy event: Got More Keys (Unapplied) (Service)
      Profile name: S_L4R, 4 references
        password             0   <hidden>
        username             0   "S_L4R"
        traffic-class        0   "input access-group name ACL_IN_L4R priority 250"
        l4redirect           0   "redirect to ip 194.187.205.249 port 9002"
    Access-type: Web-user-logon Client: Account Command-Handler
     Policy event: Got More Keys
      Profile name: test, 2 references
        accounting-list      0   "ISG_ACC"
    Access-type: DHCP Client: SM
     Policy event: Service Selection Request (Service)
      Profile name: S_L4R, 4 references
        password             0   <hidden>
        username             0   "S_L4R"
        traffic-class        0   "input access-group name ACL_IN_L4R priority 250"
        l4redirect           0   "redirect to ip 194.187.205.249 port 9002"
    Access-type: DHCP Client: SM
     Policy event: Service Selection Request (Service)
      Profile name: OPEN_GARDEN, 3 references
        password             0   <hidden>
        username             0   "OPEN_GARDEN"
        traffic-class        0   "input access-group name OPENGARDEN_IN priority 250"
        traffic-class        0   "output access-group name OPENGARDEN_OUT priority 250"
        traffic-class        0   "input default drop"
        traffic-class        0   "output default drop"
  Active services associated with session:
    name "SUB-QOS"
    name "INET"
    name "OPEN_GARDEN", applied before account logon
  Rules, actions and conditions executed:
    subscriber rule-map ISG
      condition always event session-restart
        1 service-policy type service name OPEN_GARDEN
        5 set-timer UNAUTH-TIMER 5
        10 service-policy type service name S_L4R
    subscriber rule-map ISG
      condition always event account-logon
        10 authenticate aaa list RAD_SRV
        20 service-policy type service unapply name S_L4R
        30 service-policy type service name INET
        40 service-policy type service name SUB-QOS
        subscriber condition-map match-all ISG-IP-UNAUTH
          match identifier timer UNAUTH-TIMER [TRUE]
          match identifier authen-status unauthenticated [FALSE]
    subscriber rule-map ISG
      condition ISG-IP-UNAUTH event timed-policy-expiry
        subscriber condition-map match-all ISG-IP-UNAUTH
          match identifier timer UNAUTH-TIMER [TRUE]
          match identifier authen-status unauthenticated [FALSE]
    subscriber rule-map ISG
      condition ISG-IP-UNAUTH event timed-policy-expiry
        subscriber condition-map match-all ISG-IP-UNAUTH
          match identifier timer UNAUTH-TIMER [TRUE]
          match identifier authen-status unauthenticated [FALSE]
    subscriber rule-map ISG
      condition ISG-IP-UNAUTH event timed-policy-expiry

Classifiers:
Class-id    Dir   Packets    Bytes                  Pri.  Definition
0           In    55293      58737370               0    Match Any
1           Out   66921      61782972               0    Match Any
6           In    22         1395                   250  Match ACL OPENGARDEN_IN
7           Out   106        14130                  250  Match ACL OPENGARDEN_OUT
20          In    55060      58722263               50   Match ACL INT_IN
21          Out   66786      61767350               50   Match ACL INT_OUT
4294967294  In    106        6781                   -    Drop
4294967295  Out   29         1492                   -    Drop

Template Id : 4

Features:

QoS Policy Map:
Class-id    Dir   Policy Name Source
0           In    SUB-QOS-IN  SUB-QOS
1           Out   SUB-QOS-OUT SUB-QOS

Accounting:
Class-id   Dir  Packets    Bytes                 Source
0          In   54472      57886842              Peruser
1          Out  66082      60718986              Peruser

Configuration Sources:
Type  Active Time  AAA Service ID  Name
SVC   00:05:48     -               OPEN_GARDEN
SVC   00:04:59     -               INET
USR   00:04:59     -               Peruser
SVC   00:04:59     -               SUB-QOS
INT   00:05:48     -               Port-channel1.1634


I feel it is somewhere close, but I can't pin down the direction. =)

ququ, 12.08.2014, 18:28 (#13)
Found it.

The radreply table should look like this:
Code:
+----+----------+--------------+----+---------------------------------------------------------------+
| id | username | attribute    | op | value                                                         |
+----+----------+--------------+----+---------------------------------------------------------------+
| 15 | INET     | Cisco-AVPair | += | ip:traffic-class=input access-group name INT_IN priority 50   |
| 16 | INET     | Cisco-AVPair | += | ip:traffic-class=output access-group name INT_OUT priority 50 |
| 17 | INET     | Cisco-AVPair | += | ip:traffic-class=in default drop                              |
| 18 | INET     | Cisco-AVPair | += | ip:traffic-class=out default drop                             |
| 19 | test     | Cisco-AVPair | += | ip:sub-qos-policy-in=SUB-QOS10-IN                             |
| 20 | test     | Cisco-AVPair | += | ip:sub-qos-policy-out=SUB-QOS10-OUT                           |
| 26 | test     | Cisco-AVPair | += | subscriber:accounting-list=ISG_ACC                            |
+----+----------+--------------+----+---------------------------------------------------------------+
Pay attention to the username on the sub-qos-policy rows.

The client then looks like this:
Code:
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: DHCPv4, UID: 30, State: authen, Identity: test
IPv4 Address: 176.99.133.11
Session Up-time: 00:02:55, Last Changed: 00:02:52
Switch-ID: 4213

Policy information:
  Context 7F70759389F0: Handle 1E000086
  AAA_id 00001EFB: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    sub-qos-policy-in    0   "SUB-QOS10-IN"
    sub-qos-policy-out   0   "SUB-QOS10-OUT"
    accounting-list      0   "ISG_ACC"
  Downloaded User profile, including services:
    username             0   "OPEN_GARDEN"
    sub-qos-policy-in    0   "SUB-QOS10-IN"
    sub-qos-policy-out   0   "SUB-QOS10-OUT"
    accounting-list      0   "ISG_ACC"
    traffic-class        0   "in default drop"
    traffic-class        0   "out default drop"
    traffic-class        0   "output access-group name INT_OUT priority 50"
    traffic-class        0   "input access-group name INT_IN priority 50"
  Config history for session (recent to oldest):
    Access-type: Web-user-logon Client: Account Command-Handler
     Policy event: Got More Keys (Service)
      Profile name: INET, 3 references
        sub-qos-policy-in    0   "SUB-QOS-IN"
        sub-qos-policy-out   0   "SUB-QOS-OUT"
        traffic-class        0   "in default drop"
        traffic-class        0   "out default drop"
        traffic-class        0   "output access-group name INT_OUT priority 50"
        traffic-class        0   "input access-group name INT_IN priority 50"
    Access-type: Web-user-logon Client: Account Command-Handler
     Policy event: Got More Keys (Unapplied) (Service)
      Profile name: S_L4R, 4 references
        password             0   <hidden>
        username             0   "S_L4R"
        traffic-class        0   "input access-group name ACL_IN_L4R priority 250"
        l4redirect           0   "redirect to ip 194.187.205.249 port 9002"
    Access-type: Web-user-logon Client: Account Command-Handler
     Policy event: Got More Keys
      Profile name: test, 2 references
        sub-qos-policy-in    0   "SUB-QOS10-IN"
        sub-qos-policy-out   0   "SUB-QOS10-OUT"
        accounting-list      0   "ISG_ACC"
    Access-type: DHCP Client: SM
     Policy event: Service Selection Request (Service)
      Profile name: S_L4R, 4 references
        password             0   <hidden>
        username             0   "S_L4R"
        traffic-class        0   "input access-group name ACL_IN_L4R priority 250"
        l4redirect           0   "redirect to ip 194.187.205.249 port 9002"
    Access-type: DHCP Client: SM
     Policy event: Service Selection Request (Service)
      Profile name: OPEN_GARDEN, 3 references
        password             0   <hidden>
        username             0   "OPEN_GARDEN"
        traffic-class        0   "input access-group name OPENGARDEN_IN priority 250"
        traffic-class        0   "output access-group name OPENGARDEN_OUT priority 250"
        traffic-class        0   "input default drop"
        traffic-class        0   "output default drop"
  Active services associated with session:
    name "INET"
    name "OPEN_GARDEN", applied before account logon
  Rules, actions and conditions executed:
    subscriber rule-map ISG
      condition always event session-restart
        1 service-policy type service name OPEN_GARDEN
        5 set-timer UNAUTH-TIMER 5
        10 service-policy type service name S_L4R
    subscriber rule-map ISG
      condition always event account-logon
        10 authenticate aaa list RAD_SRV
        20 service-policy type service unapply name S_L4R
        30 service-policy type service name INET

Classifiers:
Class-id    Dir   Packets    Bytes                  Pri.  Definition
0           In    12908      13220477               0    Match Any
1           Out   14669      13694406               0    Match Any
6           In    6          367                    250  Match ACL OPENGARDEN_IN
7           Out   26         3094                   250  Match ACL OPENGARDEN_OUT
20          In    12888      13217434               50   Match ACL INT_IN
21          Out   14677      13707574               50   Match ACL INT_OUT
4294967294  In    0          0                      -    Drop
4294967295  Out   1          43                     -    Drop

Template Id : 4

Features:

QoS Policy Map:
Class-id    Dir   Policy Name   Source
0           In    SUB-QOS10-IN  Peruser
1           Out   SUB-QOS10-OUT Peruser

Accounting:
Class-id   Dir  Packets    Bytes                 Source
0          In   12158      12126567              Peruser
1          Out  13845      12461036              Peruser

Configuration Sources:
Type  Active Time  AAA Service ID  Name
SVC   00:02:55     -               OPEN_GARDEN
SVC   00:02:52     -               INET
USR   00:02:52     -               Peruser
INT   00:02:55     -               Port-channel1.1634


And it works.
With the services defined like this:
Code:
policy-map SUB-QOS-IN
 class class-default
  police cir 50000000
policy-map SUB-QOS10-OUT
 class class-default
  police cir 10000000
policy-map SUB-QOS10-IN
 class class-default
  police cir 10000000
policy-map SUB-QOS-OUT
 class class-default
  police cir 50000000
switching them in the database gives the client the required speed.

Thanks for the hints and the overall idea, I'll keep digging.

Jabbson, 12.08.2014, 21:20 [OP] (#14)
ququ, you're welcome.

P.S. Regarding our conversation: the whole idea was to do the policing as a sub-service assigned in the context of a tariff plan, rather than to each subscriber individually. If you dig up anything else interesting, or simply want to share your project in the end, that would be great and would surely help someone else in the future.
ququ, 13.08.2014, 13:46 (#15)
Just noticed: in the original post there are also no traces of QoS attached to the user. So that pitfall was planned.
Jabbson, 13.08.2014, 14:37 [OP] (#16)

Off topic:

Absolutely right))) I couldn't just go and show all my cards)
Jabbson, 15.08.2014, 17:16 [OP] (#17)
Back to the subject at hand. Policing can be passed like this:

Code:
mysql> select * from radius.radcheck;
+----+----------+--------------------+----+-------+
| id | username | attribute          | op | value |
+----+----------+--------------------+----+-------+
|  1 | test     | Cleartext-Password | := | test  |
|  2 | INET4    | Cleartext-Password | := | cisco |
+----+----------+--------------------+----+-------+
2 rows in set (0.00 sec)

mysql> select * from radius.radreply;
+----+----------+--------------------+----+---------------------------------------------------------------+
| id | username | attribute          | op | value                                                         |
+----+----------+--------------------+----+---------------------------------------------------------------+
|  1 | test     | Cisco-AVPair       | += | subscriber:accounting-list=ISG_ACC                            |
|  2 | INET4    | Cisco-Service-Info | += | QU;1000000;D;1000000                                          |
|  4 | INET4    | Cisco-AVPair       | += | ip:traffic-class=in default drop                              |
|  5 | INET4    | Cisco-AVPair       | += | ip:traffic-class=out default drop                             |
|  6 | INET4    | Cisco-AVPair       | += | ip:traffic-class=output access-group name INT_OUT priority 50 |
|  7 | INET4    | Cisco-AVPair       | += | ip:traffic-class=input access-group name INT_IN priority 50   |
+----+----------+--------------------+----+---------------------------------------------------------------+
6 rows in set (0.00 sec)

mysql>
Code:
R1#show subscriber service name INET4 detailed 
  Service "INET4":
    Version 1:
      SVM ID                : 1E000009
      Class Id  In: 00000018
      Class Id Out: 00000019
      Locked by             : SVM-Printer            [1]
      Locked by             : PM-Service             [1]
      Locked by             : PM-Info                [1]
      Locked by             : FM-Bind                [1]
      Locked by             : Sbscr-Template         [1]
      Profile               : 7FC8856A45C0
        Profile name: INET4, 3 references 
          ssg-service-info     0   "QU;1000000;D;1000000"
          traffic-class        0   "in default drop"
          traffic-class        0   "out default drop"
          traffic-class        0   "output access-group name INT_OUT priority 50"
          traffic-class        0   "input access-group name INT_IN priority 50"

Current Subscriber Information using service "INET4"
Total sessions: 1

Codes: Lterm - Local Term, Fwd - forwarded, unauth - unathenticated, authen -
authenticated, TC Ct. - Number of Traffic Classes on the main session

Uniq ID Interface    State    Service     Up-time  TC Ct. Identifier
60      DHCPv4       authen   Lterm       00:06:40 2      test
Code:
R1#show subscriber session detail | b Policing:   
Policing:
Class-id   Dir  Avg. Rate   Normal Burst  Excess Burst Source
18         In   1000000     187500        375000       INET4
19         Out  1000000     187500        375000       INET4

Configuration Sources:
Type  Active Time  AAA Service ID  Name
SVC   00:07:49     -               OPEN_GARDEN
SVC   00:07:27     -               INET4
USR   00:07:27     -               Peruser
INT   00:07:49     -               GigabitEthernet1
0
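The thread shows two ways of delivering a subscriber's rate limit through FreeRADIUS: post #13 puts ip:sub-qos-policy-in/out on the subscriber's own radreply username (so ISG installs the QoS Policy Map with source Peruser), and post #17 carries policing inside the tariff-plan service with Cisco-Service-Info. The following Python is an added example, not code from the thread, from Cisco or from FreeRADIUS: it builds the radreply rows for each approach, parses the QU;...;D;... value, and checks the "Policing:" block of show subscriber session detail against what the RADIUS row asked for. Assumptions: only the QU;<up>;D;<down> form used above is handled; QU (upstream) is mapped to the In direction and D (downstream) to Out; and the default burst formula (1.5 s worth of bytes, excess burst twice that) is inferred from the 1000000 -> 187500/375000 values in the output above, not taken from Cisco documentation.

```python
import re

AVPAIR = "Cisco-AVPair"
SERVICE_INFO = "Cisco-Service-Info"


def per_user_qos_rows(username, policy_in, policy_out, accounting_list="ISG_ACC"):
    """radreply rows that attach QoS policy maps to the subscriber itself (post #13).

    The sub-qos-policy attributes must sit on the user's own username, not on
    the service profile. Rows are (username, attribute, op, value) tuples.
    """
    return [
        (username, AVPAIR, "+=", f"ip:sub-qos-policy-in={policy_in}"),
        (username, AVPAIR, "+=", f"ip:sub-qos-policy-out={policy_out}"),
        (username, AVPAIR, "+=", f"subscriber:accounting-list={accounting_list}"),
    ]


def service_policing_rows(service, up_bps, down_bps):
    """radreply row that carries policing inside a tariff-plan service (post #17)."""
    return [(service, SERVICE_INFO, "+=", f"QU;{up_bps};D;{down_bps}")]


# Only the "QU;<up>;D;<down>" form used in the thread; other variants are rejected.
_SERVICE_INFO_RE = re.compile(r"^QU;(\d+);D;(\d+)$")


def parse_service_info(value):
    """Return (upstream_bps, downstream_bps) from a Cisco-Service-Info QoS value."""
    m = _SERVICE_INFO_RE.match(value)
    if not m:
        raise ValueError(f"unsupported Cisco-Service-Info value: {value!r}")
    return int(m.group(1)), int(m.group(2))


def expected_bursts(rate_bps):
    """Default burst sizes (bytes) when the attribute gives only the rate.

    Assumption inferred from the show output in post #17 (1000000 bps ->
    187500 / 375000): normal = rate/8 * 1.5 s, excess = 2 * normal.
    """
    normal = rate_bps * 3 // 16
    return normal, 2 * normal


_POLICING_ROW_RE = re.compile(r"^\s*(\d+)\s+(In|Out)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_policing(show_output):
    """Parse the 'Policing:' section of 'show subscriber session detail'.

    Returns {"In": {...}, "Out": {...}} with rate, normal, excess and source.
    """
    rows, inside = {}, False
    for line in show_output.splitlines():
        stripped = line.strip()
        if stripped.endswith(":"):          # section header: enter or leave Policing
            inside = stripped == "Policing:"
            continue
        if not inside:
            continue
        m = _POLICING_ROW_RE.match(line)    # the column-header line does not match
        if m:
            rows[m.group(2)] = {"rate": int(m.group(3)), "normal": int(m.group(4)),
                                "excess": int(m.group(5)), "source": m.group(6)}
    return rows


def verify_policing(show_output, service_info_value, service):
    """Compare the installed policing feature with the RADIUS row that requested it.

    Returns a list of mismatch descriptions; an empty list means both
    directions carry the requested rate, default bursts and source service.
    """
    up, down = parse_service_info(service_info_value)
    installed = parse_policing(show_output)
    problems = []
    for direction, rate in (("In", up), ("Out", down)):   # assumed QU->In, D->Out
        row = installed.get(direction)
        if row is None:
            problems.append(f"{direction}: no policing installed")
            continue
        normal, excess = expected_bursts(rate)
        if row["rate"] != rate:
            problems.append(f"{direction}: rate {row['rate']} != {rate}")
        if (row["normal"], row["excess"]) != (normal, excess):
            problems.append(f"{direction}: bursts {row['normal']}/{row['excess']} != {normal}/{excess}")
        if row["source"] != service:
            problems.append(f"{direction}: source {row['source']} != {service}")
    return problems


# Sample copied from the 'Policing:' output in post #17 (constructed test input).
SAMPLE_SHOW = """\
Policing:
Class-id   Dir  Avg. Rate   Normal Burst  Excess Burst Source
18         In   1000000     187500        375000       INET4
19         Out  1000000     187500        375000       INET4

Configuration Sources:
Type  Active Time  AAA Service ID  Name
SVC   00:07:27     -               INET4
"""

if __name__ == "__main__":
    for row in per_user_qos_rows("test", "SUB-QOS10-IN", "SUB-QOS10-OUT"):
        print(row)
    print(service_policing_rows("INET4", 1000000, 1000000))
    print(verify_policing(SAMPLE_SHOW, "QU;1000000;D;1000000", "INET4"))
```

Running verify_policing over the pasted output with the row from radreply returns an empty list; feeding it a different rate or service name lists exactly which direction disagrees, which is a quicker check after a CoA or database change than reading the whole show output by eye.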
ququ, 09.10.2014, 19:07 (#18)
Hello again. =)

I have a task: terminate a number of PPPoE subscribers on the same box.

The config is the one described above, plus a PPPoE piece:

vpdn enable
!
vpdn-group pppoe
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
virtual-template 1
bba-group pppoe global
virtual-template 1
sessions max limit 3000
sessions per-vlan limit 1000
sessions auto cleanup
interface Virtual-Template1
mtu 1492
ip unnumbered Loopback1
no ip proxy-arp
ip nat inside
ip flow egress
ip policy route-map rm_user_dump
no peer default ip address
ppp authentication chap pap ms-chap ms-chap-v2 callin RAD_SRV
ppp authorization RAD_SRV
ppp ipcp dns 10.10.205.226 10.10.204.254

interface Port-channel1.384
description v384
encapsulation dot1Q 384
ip access-group malware-filter in
pppoe enable group global


The services are still defined locally:
class-map type traffic match-any TC_L4R
match access-group input name ACL_IN_L4R
!
class-map type traffic match-any OPEN_GARDEN
match access-group input name OPENGARDEN_IN
match access-group output name OPENGARDEN_OUT

policy-map type service S_L4R
50 class type traffic TC_L4R
redirect to ip 10.10.205.249 port 80
!
!
policy-map type service OPEN_GARDEN
250 class type traffic OPEN_GARDEN
!
class type traffic default in-out
drop
!


AAA:

aaa authentication login default local
aaa authentication login RAD_SRV group RAD_SRV
aaa authentication ppp default group RAD_SRV
aaa authentication ppp RAD_SRV group RAD_SRV
aaa authorization exec default local
aaa authorization network default group RAD_SRV
aaa authorization network RAD_SRV group RAD_SRV
aaa accounting delay-start
aaa accounting jitter maximum 0
aaa accounting commands 0 default none
aaa accounting commands 1 default none
aaa accounting commands 15 default none
aaa accounting network default start-stop group RAD_SRV
aaa accounting network ISG_ACC start-stop group RAD_SRV


The problem is as follows:
With DHCP, the services are attached successfully at connect time and are enabled/disabled via CoA.
With PPPoE, the services attach only as long as there is a DHCP session with those same services attached.

As soon as the DHCP session (plus all the PPPoE sessions with those services) expires, the Cisco starts going to RADIUS for the services.

The request while the services are attached:
The service is defined locally and attached to one of the clients:
*Aug 27 09:01:06.003: SVM [49000025/S_L4R]: already downloaded; sharing
*Aug 27 09:01:06.003: SSS PM [uid:184][7F45E793E950]: service "S_L4R" in cache

*Aug 27 09:01:06.003: SSS AAA AUTHOR [0]: Root SIP PPPoE
*Aug 27 09:01:06.003: SSS AAA AUTHOR [0]: Enable PPPoE parsing
*Aug 27 09:01:06.003: SSS AAA AUTHOR [0]: Enable PPP parsing
*Aug 27 09:01:06.003: SSS AAA AUTHOR [0]: Enable Web-service-logon parsing
*Aug 27 09:01:06.003: SVM [49000025/S_L4R]: [BD0001B4]: client download ok
*Aug 27 09:01:06.003: SVM [49000025/S_L4R]: [SVM-to-client-msg:BD0001B4] locked 0->1
*Aug 27 09:01:06.003: SVM [49000025/S_L4R]: [PM-Download:BD0001B4] locked 0->1
*Aug 27 09:01:06.003: SSS PM [uid:184][7F45E793E950]: waiting for download response
*Aug 27 09:01:06.003: SSS PM [uid:184][7F45E793E950]: RULE[0]: Downloading service "S_L4R"
*Aug 27 09:01:06.003: SSS PM [uid:184][7F45E793E950]: RULE[1]: Start
*Aug 27 09:01:06.003: SSS PM [uid:184][7F45E793E950]: RULE[1]: default-internal-rule/always event service-start/1 service-policy type service identifier service-name
*Aug 27 09:01:06.003: SSS PM [uid:184][7F45E793E950]: Event <send auth>, State: authorizing to authorizing
*Aug 27 09:01:06.003: SSS PM [uid:184][7F45E793E950]: Handling Action Ignore for <send auth>
*Aug 27 09:01:06.003: SSS PM [uid:184][7F45E793E950]: SVM service download success
*Aug 27 09:01:06.003: SSS PM [uid:184][7F45E793E950]: download completed for "S_L4R" version 1


The service is defined locally and not attached to anyone:
*Aug 27 08:55:38.559: SSS PM [uid:181][7F45E793DEA0]: service "L4R_NOMONEY" not in cache; needs download
*Aug 27 08:55:38.559: SVM [39000034/L4R_NOMONEY]: allocated version 1
*Aug 27 08:55:38.559: SVM [39000034/L4R_NOMONEY]: [A40001AC]: client queued
*Aug 27 08:55:38.559: SVM [39000034/L4R_NOMONEY]: [PM-Download:A40001AC] locked 0->1
*Aug 27 08:55:38.559: SSS PM [uid:181][7F45E793DEA0]: download required
*Aug 27 08:55:38.559: SVM [39000034/L4R_NOMONEY]: [AAA-Download:7F45E6051018] locked 0->1
*Aug 27 08:55:38.559: SSS AAA AUTHOR [uid:181]: Authorization:Fetching method list from SIP:Web-service-logon
*Aug 27 08:55:38.559: SSS AAA AUTHOR [uid:181]: using named author method list "RAD_SRV"
*Aug 27 08:55:38.559: SSS AAA AUTHOR [uid:181]: Root SIP PPPoE
*Aug 27 08:55:38.559: SSS AAA AUTHOR [uid:181]: Enable PPPoE parsing
*Aug 27 08:55:38.559: SSS AAA AUTHOR [uid:181]: Enable PPP parsing
*Aug 27 08:55:38.559: SSS AAA AUTHOR [uid:181]: Enable Web-service-logon parsing
*Aug 27 08:55:38.559: SSS PM [uid:181][7F45E793DEA0]: ACTIVE HANDLE[0]: Snapshot captured in Active context
*Aug 27 08:55:38.559: SSS PM [uid:181][7F45E793DEA0]: ACTIVE HANDLE[0]: Active context created
*Aug 27 08:55:38.559: SSS AAA AUTHOR [uid:181]: Event <make request>, state changed from idle to authorizing
*Aug 27 08:55:38.559: SSS AAA AUTHOR [uid:181]: Active key set to Apply-Service
*Aug 27 08:55:38.559: SSS AAA AUTHOR [uid:181]: Authorizing key L4R_NOMONEY
*Aug 27 08:55:38.559: SSS AAA AUTHOR [uid:181]: Set authorization profile type to service
*Aug 27 08:55:38.559: SSS AAA AUTHOR [uid:181]: AAA request sent for key L4R_NOMONEY
*Aug 27 08:55:38.559: SSS PM [uid:181][7F45E793DEA0]: RULE[0]: Downloading service "L4R_NOMONEY"
*Aug 27 08:55:38.559: SSS PM [uid:181][7F45E793DEA0]: RULE[1]: Start
*Aug 27 08:55:38.559: RADIUS/ENCODE(00000000):Orig. component type = Invalid
*Aug 27 08:55:38.560: RADIUS/ENCODE: Skip encoding 0 length AAA attribute formatted-clid
*Aug 27 08:55:38.560: RADIUS(00000000): Config NAS IP: 0.0.0.0
*Aug 27 08:55:38.560: RADIUS(00000000): Config NAS IPv6: ::
*Aug 27 08:55:38.560: RADIUS(00000000): Config NAS IP: 0.0.0.0
*Aug 27 08:55:38.560: RADIUS(00000000): sending
*Aug 27 08:55:38.560: RADIUS/ENCODE: Best Local IP-Address 10.10.204.57 for Radius-Server 10.10.128.27
*Aug 27 08:55:38.560: RADIUS: nas-port-id(87) is not found in the request
*Aug 27 08:55:38.560: RADIUS(00000000): Send Access-Request to 10.10.128.27:1812 id 1645/216, len 89
*Aug 27 08:55:38.560: RADIUS: authenticator 22 BC 3F B9 65 8F FF B1 - F5 0C EC D5 5C F8 9F BF
*Aug 27 08:55:38.560: RADIUS: User-Password [2] 18 *
*Aug 27 08:55:38.560: RADIUS: User-Name [1] 13 "L4R_NOMONEY"
*Aug 27 08:55:38.560: RADIUS: Service-Type [6] 6 Outbound [5]
*Aug 27 08:55:38.560: RADIUS: NAS-IP-Address [4] 6 10.10.204.57
*Aug 27 08:55:38.560: RADIUS: Nas-Identifier [32] 20 "ASR1002-X.testnet.ru"
*Aug 27 08:55:38.560: RADIUS: Event-Timestamp [55] 6 1409129738
*Aug 27 08:55:38.560: RADIUS(00000000): Sending a IPv4 Radius Packet
*Aug 27 08:55:38.560: RADIUS(00000000): Started 3 sec timeout
*Aug 27 08:55:39.601: RADIUS: Received from id 1645/216 10.10.128.27:1812, Access-Reject, len 20
*Aug 27 08:55:39.601: RADIUS: authenticator D5 A5 84 08 C7 9C 83 05 - 8E 0D 1F FD B5 01 95 35
*Aug 27 08:55:39.601: RADIUS/DECODE(00000000): There is no General DB. Reply server details may not be recorded
*Aug 27 08:55:39.601: RADIUS(00000000): Received from id 1645/216
*Aug 27 08:55:39.601: SSS AAA AUTHOR [uid:181]: Received an AAA failure
*Aug 27 08:55:39.601: SSS AAA AUTHOR [uid:181]: Event <service not found>, state changed from authorizing to complete
*Aug 27 08:55:39.601: SSS AAA AUTHOR [uid:181]: No service authorization info found


aaa authorization network default local did not help.

Where else should I dig?
Of course, for the sake of the revolution one could hand out the services from RADIUS, but I'd like to understand why it doesn't work locally.

ququ, 13.10.2014, 15:07 (#19)
Asked and answered myself: aaa authorization subscriber-service default local
ququ, 16.10.2015, 14:41 (#20)
Hello again. =)

I'm slowly bringing up a second box, cleaning up along the way the mistakes that accumulated on the first one.

The issue that came up in the two previous posts was never fixed; the symptoms are the same.

<wiped out a pile of debug output: while writing this I finally figured it out>

The key is two things:
Code:
aaa authorization subscriber-service default local
and the second:
Code:
interface Virtual-Template1
...
ppp authentication chap pap ms-chap ms-chap-v2 callin RAD_SRV
ppp authorization RAD_SRV <- this line must not be present!
ppp ipcp dns 10.10.205.226 10.10.204.254
There is also an epic issue with dhcp-relay + Option 82 in QinQ mode, but that probably deserves a separate thread.