Cisco ISG authorizes the user but does not bring up the session

Greetings!

Colleagues, has anyone run into this ISG behaviour? The session is initiated by a DHCP Discover, the session-start event fires, the user is successfully authorized via RADIUS, RADIUS returns the service name... and the session does not come up.

It comes up only later, after the first packet arrives from the user and triggers the session-restart event.

The configuration is very simple:

aaa new-model
!
!
aaa group server radius ISG-RADIUS
server-private 178.214.192.2 auth-port 1812 acct-port 1813 key 7 08344E580F120315
ip radius source-interface Loopback0
!
subscriber authorization enable
!
aaa authentication login DHCP-BRAS group ISG-RADIUS
aaa authorization network DHCP-BRAS group ISG-RADIUS
aaa authorization subscriber-service default local
!
!
class-map type traffic match-any cmt-Any-Traffic
match access-group input name acl-Any
match access-group output name acl-Any
!
policy-map type service pms-1M
class type traffic cmt-Any-Traffic
 police input 1000000 187500 375000
 police output 1000000 187500 375000
!
policy-map type control DHCP-Subscriber
class type control always event session-start
 10 authorize aaa list DHCP-BRAS identifier remote-id plus circuit-id plus mac-address separator #
!
class type control always event session-restart
 10 authorize aaa list DHCP-BRAS identifier mac-address
!
!
interface GigabitEthernet0/2.33
encapsulation dot1Q 33
ip dhcp relay information trusted
ip address 178.214.200.1 255.255.255.0
ip helper-address 178.214.192.2
ip directed-broadcast
arp timeout 60
service-policy type control DHCP-Subscriber
ip subscriber l2-connected
 initiator dhcp class-aware

 

The debug looks as follows:

bras1-gdr.ki#show debugging
Subscriber Service Switch/Policy rules:
 Subscriber Service Switch policy rules errors debugging is on
 Subscriber Service Switch policy rules events debugging is on

 

The client sends a DHCP DISCOVER and the session-start event fires on the ISG:

*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE: Looking for a rule for event session-start
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE:  Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-start
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE:	Matched "DHCP-Subscriber/always event session-start/10 authorize aaa list DHCP-BRAS identifier remote-id#cir"
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[0]: Start
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[0]: DHCP-Subscriber/always event session-start/10 authorize aaa list DHCP-BRAS identifier remote-id#circuit-id#ms
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[0]: Using author method AAA service
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[0]: Have key combo_keys
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[0]: Using key combo_keys
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[1]: Start
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[1]: DHCP-Subscriber/always event session-start/10 authorize aaa list DHCP-BRAS identifier remote-id#circuit-id#ms
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: VRF Parsing routine:
 keepalive			"protocol ARP"
 service-type		 5 [Outbound]
 ssg-account-info	 "Apms-1M"

 

I.e. RADIUS replied with an Access-Accept carrying three attributes, including the service name. The debug continues:

*Feb  6 18:11:31.900: SSS PM [12BB34B8]: RULE: Looking for a rule for event service-start
*Feb  6 18:11:31.900: SSS PM [12BB34B8]: RULE:  Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:11:31.900: SSS PM [12BB34B8]: RULE:   Evaluate "DHCP-Subscriber" for service-start
*Feb  6 18:11:31.900: SSS PM [12BB34B8]: RULE:  Intf AccessIE Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:11:31.900: SSS PM [12BB34B8]: RULE:   Evaluate "DHCP-Subscriber" for service-start
*Feb  6 18:11:31.900: SSS PM [12BB34B8]: RULE:  Intf InputI/f Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:11:31.900: SSS PM [12BB34B8]: RULE:   Evaluate "DHCP-Subscriber" for service-start
*Feb  6 18:11:31.900: SSS PM [12BB34B8]: RULE:  Glob: service-rule any: None
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[0]: Continue
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[0]: DHCP-Subscriber/always event session-start/10 authorize aaa list DHCP-BRAS identifier remote-id#circuit-id#ms
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[0]: Author finished
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[1]: Continue
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[1]: DHCP-Subscriber/always event session-start/10 authorize aaa list DHCP-BRAS identifier remote-id#circuit-id#ms
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[1]: TAL authorization succesful, stop
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[2]: Continue
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[2]: DHCP-Subscriber/always event session-start/10 authorize aaa list DHCP-BRAS identifier remote-id#circuit-id#ms
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[2]: Give default directive
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[3]: Continue
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[3]: DHCP-Subscriber/always event session-start/10 authorize aaa list DHCP-BRAS identifier remote-id#circuit-id#ms
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Looking for a rule for event session-default-service
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:  Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-default-service
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:  Intf AccessIE Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-default-service
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:  Intf InputI/f Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-default-service
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:  Glob: service-rule any: None
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Looking for a rule for event session-service-found
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:  Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-service-found
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:  Intf AccessIE Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-service-found
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:  Intf InputI/f Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-service-found
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE:  Glob: service-rule any: None
*Feb  6 18:11:31.904: SSS PM [uid:983][12BB34B8]: RULE: VRF Parsing routine:
 username			 "pms-1M"
 clid-mac-addr		00 07 E9 0A 75 B2
 password			 <hidden>
 traffic-class		"output access-group name acl-Any"
 traffic-class		"input access-group name acl-Any"
 ssg-service-info	 "QU;1000000;187500;375000;D;1000000;187500;375000"
*Feb  6 18:11:31.904: SSS PM [uid:983][12BB34B8]: RULE: VRF Check: session logging off or not VRF dependent

 

That's it. No session.

When the client sends, for example, a single outbound ICMP packet, the debug goes further, starting from the session-restart event:

*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE: Looking for a rule for event session-restart
*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE:  Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-restart
*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE:	Matched "DHCP-Subscriber/always event session-restart/10 authorize aaa list DHCP-BRAS identifier mac-address"
*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE[0]: Start
*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE[0]: DHCP-Subscriber/always event session-restart/10 authorize aaa list DHCP-BRAS identifier mac-address
*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE[0]: Using author method AAA service
*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE[0]: Have key combo_keys
*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE[0]: Using key combo_keys
*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE[1]: Start
*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE[1]: DHCP-Subscriber/always event session-restart/10 authorize aaa list DHCP-BRAS identifier mac-address
*Feb  6 18:18:18.682: SSS PM [uid:989][12BB3658]: RULE: VRF Parsing routine:
 keepalive			"protocol ARP"
 service-type		 5 [Outbound]
 ssg-account-info	 "Apms-1M"
*Feb  6 18:18:18.682: SSS PM [12BB34B8]: RULE: Looking for a rule for event service-start
*Feb  6 18:18:18.682: SSS PM [12BB34B8]: RULE:  Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:18:18.682: SSS PM [12BB34B8]: RULE:   Evaluate "DHCP-Subscriber" for service-start
*Feb  6 18:18:18.682: SSS PM [12BB34B8]: RULE:  Intf AccessIE Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:18:18.682: SSS PM [12BB34B8]: RULE:   Evaluate "DHCP-Subscriber" for service-start
*Feb  6 18:18:18.682: SSS PM [12BB34B8]: RULE:  Intf InputI/f Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:18:18.682: SSS PM [12BB34B8]: RULE:   Evaluate "DHCP-Subscriber" for service-start
*Feb  6 18:18:18.682: SSS PM [12BB34B8]: RULE:  Glob: service-rule any: None
*Feb  6 18:18:18.682: SSS PM [uid:989][12BB3658]: RULE[0]: Continue
*Feb  6 18:18:18.682: SSS PM [uid:989][12BB3658]: RULE[0]: DHCP-Subscriber/always event session-restart/10 authorize aaa list DHCP-BRAS identifier mac-address
*Feb  6 18:18:18.682: SSS PM [uid:989][12BB3658]: RULE[0]: Author finished
*Feb  6 18:18:18.682: SSS PM [uid:989][12BB3658]: RULE[1]: Continue
*Feb  6 18:18:18.682: SSS PM [uid:989][12BB3658]: RULE[1]: DHCP-Subscriber/always event session-restart/10 authorize aaa list DHCP-BRAS identifier mac-address
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE[1]: TAL authorization succesful, stop
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE[2]: Continue
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE[2]: DHCP-Subscriber/always event session-restart/10 authorize aaa list DHCP-BRAS identifier mac-address
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE[2]: Give default directive
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE[3]: Continue
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE[3]: DHCP-Subscriber/always event session-restart/10 authorize aaa list DHCP-BRAS identifier mac-address
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE: Looking for a rule for event session-default-service
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:  Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-default-service
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:  Intf AccessIE Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-default-service
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:  Intf InputI/f Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-default-service
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:  Glob: service-rule any: None
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE: Looking for a rule for event session-service-found
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:  Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-service-found
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:  Intf AccessIE Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-service-found
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:  Intf InputI/f Gi0/2.33: service-rule any: DHCP-Subscriber
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-service-found
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE:  Glob: service-rule any: None
*Feb  6 18:18:18.686: SSS PM [uid:989][12BB34B8]: RULE: VRF Parsing routine:
 username			 "pms-1M"
 clid-mac-addr		00 07 E9 0A 75 B2
 password			 <hidden>
 traffic-class		"output access-group name acl-Any"
 traffic-class		"input access-group name acl-Any"
 ssg-service-info	 "QU;1000000;187500;375000;D;1000000;187500;375000"
*Feb  6 18:18:18.690: SSS PM [uid:989][12BB34B8]: RULE: VRF Check: session logging off or not VRF dependent
*Feb  6 18:18:18.698: SSS PM [uid:989][12BB3658]: RULE: VRF Parsing routine:
 clid-mac-addr		00 07 E9 0A 75 B2
 addr				 178.214.200.2
 netmask			  255.255.255.255
 config-source-dpm	True

 

After that the session comes up fine.

I've racked my brain but cannot understand how what happens in session-start differs from what happens in session-restart, and why the former does not bring up the session...

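To compare the two flows in the post side by side without reading a few hundred debug lines by eye, here is an added example (not code from the original post, nor Cisco's) that parses the SSS PM "RULE" debug lines into per-uid event sequences and the attribute blocks printed by the "VRF Parsing routine" (the RADIUS Access-Accept attributes, the service profile, and the DHCP-provided address). It assumes only the line layout visible in the post; the embedded SAMPLE_LOG is a trimmed sample constructed from that output, not the full debug.

```python
"""Parse Cisco IOS ISG 'SSS PM ... RULE' debug output into per-session
event lists and attribute blocks, so session-start and session-restart
flows can be compared mechanically.

Added example, not code from the original post. SAMPLE_LOG is a trimmed
sample constructed from the line format shown in the post."""
import re
from collections import OrderedDict

SAMPLE_LOG = """\
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE: Looking for a rule for event session-start
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE:   Evaluate "DHCP-Subscriber" for session-start
*Feb  6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[0]: Using author method AAA service
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: VRF Parsing routine:
 keepalive            "protocol ARP"
 service-type          5 [Outbound]
 ssg-account-info      "Apms-1M"
*Feb  6 18:11:31.900: SSS PM [12BB34B8]: RULE: Looking for a rule for event service-start
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[1]: TAL authorization succesful, stop
*Feb  6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Looking for a rule for event session-default-service
*Feb  6 18:11:31.904: SSS PM [uid:983][12BB34B8]: RULE: VRF Parsing routine:
 username              "pms-1M"
 clid-mac-addr         00 07 E9 0A 75 B2
 traffic-class         "output access-group name acl-Any"
 traffic-class         "input access-group name acl-Any"
 ssg-service-info      "QU;1000000;187500;375000;D;1000000;187500;375000"
*Feb  6 18:11:31.904: SSS PM [uid:983][12BB34B8]: RULE: VRF Check: session logging off or not VRF dependent
*Feb  6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE: Looking for a rule for event session-restart
*Feb  6 18:18:18.682: SSS PM [uid:989][12BB3658]: RULE: VRF Parsing routine:
 keepalive            "protocol ARP"
 ssg-account-info      "Apms-1M"
*Feb  6 18:18:18.698: SSS PM [uid:989][12BB3658]: RULE: VRF Parsing routine:
 clid-mac-addr         00 07 E9 0A 75 B2
 addr                  178.214.200.2
 netmask               255.255.255.255
 config-source-dpm     True
"""

# One debug line: timestamp, optional [uid:N], object handle, "RULE" or "RULE[n]", message.
LINE_RE = re.compile(
    r'^\*(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): SSS PM '
    r'(?:\[uid:(?P<uid>\d+)\])?\[(?P<handle>[0-9A-Fa-f]+)\]: '
    r'RULE(?:\[\d+\])?:\s*(?P<msg>.*)$'
)
EVENT_RE = re.compile(r'Looking for a rule for event (\S+)')
# Attribute lines are indented: "<name><whitespace><value>", value possibly quoted.
ATTR_RE = re.compile(r'^\s+(\S+)\s+(.*\S)\s*$')


def parse_sss_debug(text):
    """Return OrderedDict uid -> {'events': [...], 'attr_blocks': [dict, ...]}.
    Each attr block maps attribute name -> list of values (names may repeat,
    e.g. traffic-class). Lines without a [uid:N] tag (service objects) are skipped."""
    sessions = OrderedDict()
    block = None
    for line in text.splitlines():
        if line.startswith('*'):
            block = None                      # any new debug line ends an attribute block
            m = LINE_RE.match(line)
            if not m or m['uid'] is None:
                continue
            sess = sessions.setdefault(m['uid'], {'events': [], 'attr_blocks': []})
            ev = EVENT_RE.search(m['msg'])
            if ev:
                sess['events'].append(ev.group(1))
            elif m['msg'].startswith('VRF Parsing routine'):
                block = {}
                sess['attr_blocks'].append(block)
            continue
        a = ATTR_RE.match(line)
        if block is not None and a:
            block.setdefault(a.group(1), []).append(a.group(2).strip('"'))
    return sessions


def first_attr(session, name):
    """First value of attribute `name` across the session's attribute blocks, or None."""
    for blk in session['attr_blocks']:
        if name in blk:
            return blk[name][0]
    return None


def summarize(sessions):
    """One row per uid: triggering event, service returned by RADIUS,
    whether an address block (addr/netmask) was ever received."""
    rows = []
    for uid, s in sessions.items():
        rows.append({
            'uid': uid,
            'trigger': s['events'][0] if s['events'] else None,
            'service': first_attr(s, 'ssg-account-info'),
            'ip': first_attr(s, 'addr'),
            'blocks': len(s['attr_blocks']),
        })
    return rows


if __name__ == '__main__':
    for row in summarize(parse_sss_debug(SAMPLE_LOG)):
        print(row)
```

Run it against a full `debug subscriber policy` capture (the whole `term mon` output pasted into a file works) to see, per uid, which event started the flow and which attribute blocks arrived. On the output in the post the only visible difference is the last block: the session-restart flow (uid 989) receives a third "VRF Parsing routine" carrying addr, netmask and config-source-dpm, whereas the session-start flow (uid 983) ends after the service profile and the VRF check. Separately, note that the posted configuration carries the RADIUS shared secret as a `key 7` string; type 7 is a reversible obfuscation, not encryption, so a secret published that way should be treated as disclosed and rotated.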