cisco aaa coa and l4 redirect not working on csr 1000v

sololuke2013 — Mon, 11 Mar 2019 04:09:34 GMT

I try to configure a cisco CSR 1000V in VMvare having 4 interfaces to do DHCP session creation with AAA Radius CoA and L4 Redirec to a portal page using PBHK service.

This my full configuration used.

Here is my inspiration link and scenario :

http://www.cisco.com/en/US/docs/ios/12_2sb/isg/coa/guide/isgcoa4.html

My COA work good, I used for testing radclient and changes the subscriber session from unauth to authenticated.

My issue is that the redirect to captive portal is not working and I don't know why?

Do I have to add AAA user profiles for l4 service on Radius server? What config should be added on Radius server ?

Can you please help me with config?

Here are parts from my config also:

! Last configuration change at 22:48:29 UTC Fri Nov 29 2013

version 15.3

service timestamps debug datetime msec

service timestamps log datetime msec

service internal

no platform punt-keepalive disable-kernel-core

platform console virtual

hostname CISCO-CSR1000v

boot-start-marker

boot-end-marker

vrf definition Mgmt-intf

address-family ipv4

exit-address-family

address-family ipv6

exit-address-family

enable secret 5 XXXXXXXXXXXXXXXXXXXXXX

aaa new-model

aaa group server radius RAD-SRV-GRP

server 192.168.100.123 auth-port 1812 acct-port 1813

ip radius source-interface Loopback1

aaa authentication login RAD-ALL group RAD-SRV-GRP

aaa authorization network RAD-ALL group RAD-SRV-GRP

aaa authorization subscriber-service default local group RAD-SRV-GRP

aaa accounting network RAD-ALL

action-type start-stop

group RAD-SRV-GRP

aaa server radius dynamic-author

client 192.168.100.123

server-key cisco

port 3799

auth-type all

ignore session-key

ignore server-key

aaa session-id common

no ip source-route

no ip domain lookup

ip address-pool local

ip dhcp excluded-address 192.168.200.1

ip dhcp pool WiFi_DHCP_POOL1

network 192.168.200.0 255.255.255.0

dns-server 192.168.1.1

default-router 192.168.200.1

lease 0 0 30

class DHCP-WiFi-CL

ip dhcp class DHCP-WiFi-CL

subscriber service coa-rfc-compliant

subscriber service session-accounting

subscriber authorization enable

multilink bundle-name authenticated

username root privilege 15 password 0 rootpass

redundancy

mode none

redirect server-group CP-PORTAL

server ip 192.168.100.123 port 80

no ip tftp source-interface GigabitEthernet0

class-map type traffic match-any REDIRECT-MAP

match access-group input name REDIRECT-ACL-UP

class-map type traffic match-any OPENGARDEN-MAP

match access-group input name OPENGARDEN-ACL-UP

match access-group output name OPENGARDEN-ACL-DW

class-map type control match-all INIT-SESSION

match timer INIT-SESSION-TIMER

match authen-status unauthenticated

policy-map type service REDIRECT-SERV

class type traffic REDIRECT-MAP

redirect to ip 192.168.100.123 port 80

class type traffic default input

drop

policy-map type service OPENGARDEN-SERV

class type traffic OPENGARDEN-MAP

police input 1000000

police output 3000000

class type traffic default in-out

drop

policy-map type service PBHK-SERV

ip portbundle

policy-map type control WIFI-POL-1

class type control INIT-SESSION event timed-policy-expiry

10 service disconnect

class type control always event session-start

10 service-policy type service name PBHK-SERV

20 service-policy type service name REDIRECT-SERV

30 service-policy type service name OPENGARDEN-SERV

40 set-timer INIT-SESSION-TIMER 5

class type control always event account-logon

10 authenticate aaa list RAD-ALL

class type control always event service-start

10 service-policy type service unapply name PBHK-SERV

20 service-policy type service unapply name REDIRECT-SERV

30 service-policy type service unapply name OPENGARDEN-SERV

40 service-policy type service identifier service-name

class type control always event account-logoff

10 service disconnect delay 5

class type control always event service-stop

10 service-policy type service unapply identifier service-name

20 service-policy type service name PBHK-SERV

30 service-policy type service name REDIRECT-SERV

40 service-policy type service name OPENGARDEN-SERV

interface Loopback1

ip address 192.168.255.1 255.255.255.255

interface GigabitEthernet1

description "Internet_Interface"

ip address 192.168.1.28 255.255.255.0

negotiation auto

interface GigabitEthernet2

description "AP_Interface"

ip address 192.168.200.1 255.255.255.0

negotiation auto

service-policy type control WIFI-POL-1

ip subscriber routed

initiator unclassified ip-address

initiator dhcp

interface GigabitEthernet3

description "Radius-Portal_Interface"

ip address 192.168.100.131 255.255.255.0

negotiation auto

interface GigabitEthernet0

vrf forwarding Mgmt-intf

ip address 192.168.50.130 255.255.255.0

negotiation auto

virtual-service csr_mgmt

activate

ip forward-protocol nd

no ip http server

no ip http secure-server

ip route 0.0.0.0 0.0.0.0 192.168.1.1

ip access-list extended OPENGARDEN-ACL-DW

permit ip host 192.168.100.123 any

permit udp any eq domain any

ip access-list extended OPENGARDEN-ACL-UP

permit udp any any eq domain

permit tcp any host 192.168.100.123

ip access-list extended REDIRECT-ACL-UP

deny ip any host 192.168.100.123

permit tcp any any eq www

permit tcp any any eq 8080

permit tcp any any eq 443

ip portbundle

match access-list 101

source Loopback1

access-list 101 permit tcp any host 192.168.100.123

radius-server attribute 44 include-in-access-req default-vrf

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 32 include-in-access-req

radius-server attribute 31 send nas-port-detail mac-only

radius-server attribute 31 remote-id

radius-server host 192.168.100.123 auth-port 1812 acct-port 1813 key cisco

radius-server retransmit 5

radius-server timeout 10

radius-server key cisco

control-plane

line con 0

stopbits 1

line aux 0

stopbits 1

line vty 0

exec-timeout 30 0

transport input telnet

line vty 1

exec-timeout 30 0

length 0

transport input telnet

line vty 2 4

exec-timeout 30 0

transport input telnet

onep

end

Hello,

dhruv.ranparia1 — Thu, 10 Dec 2015 07:04:52 GMT

Hello,

Did you used External Portal ? and how do you identifies the session and generate CoA ? as i am got stuck at generation CoA from Portal with PBHK identifier

can you help get the session information to generate CoA.

topic Hello, in Network Access Control

cisco aaa coa and l4 redirect not working on csr 1000v

Hello,