05-08-2018 06:49 AM - edited 03-01-2019 02:04 PM
Hi all,
I'm trying to implement the Cisco ISG framework for the aggregation of IPoE sessions from many FTTCab customers.
When the client starts up, the ISG intercepts the DHCP Discover message, asks RADIUS for authorization and, if it's OK, RADIUS returns to the ISG a DHCP class for the assignment of an IP address. Otherwise, the service is denied. All works fine.
Now I'm trying to implement a sort of redirection to a web portal in the event of a RADIUS TIMEOUT, so as to inform the customers of the ongoing trouble. Obviously, I need to assign an IP address to the client first and then redirect the traffic to the portal. This is my problem... I can't find how to achieve this. My configuration follows.
aaa group server radius ISG_SRV
 server name ISG_RAD_SRV1
 ip radius source-interface GigabitEthernet2
 attribute nas-port format d
!
aaa authentication login IPOE_SUB group ISG_SRV
aaa authorization network IPOE_SUB local group ISG_SRV
aaa accounting network IPOE_SUB start-stop group ISG_SRV
!
ip dhcp excluded-address 192.168.105.1 192.168.105.30
!
ip dhcp pool DHCP_RELAY01
 relay source 192.168.222.0 255.255.254.0
 class RELAY_IPOE
  relay target 10.0.0.101
  giaddr 192.168.222.1
!
ip dhcp pool DHCP_RELAY02
 relay source 192.168.232.0 255.255.248.0
 class RELAY_VOIP
  relay target 10.0.0.101
  giaddr 192.168.232.1
!
ip dhcp pool DHCP_RELAY03
 relay source 172.16.185.0 255.255.255.0
 class RELAY_RAGANET
  relay target 10.0.0.101
  giaddr 172.16.185.1
!
ip dhcp pool DHCP_RELAY04
 relay source 172.25.134.0 255.255.255.0
 class RELAY_BUSINESS
  relay target 10.0.0.101
  giaddr 172.25.134.1
!
ip dhcp pool DHCP_L4R
 network 192.168.105.0 255.255.255.0
 default-router 192.168.105.1
 dns-server 8.8.8.8 8.8.4.4
 lease 0 0 30
 class L4R-CLASS
!
!
ip dhcp class RELAY_IPOE
!
ip dhcp class RELAY_VOIP
!
ip dhcp class RELAY_RAGANET
!
ip dhcp class RELAY_BUSINESS
!
ip dhcp class L4R-CLASS
!
redirect server-group GROUP-TO-RDT
 server ip 10.0.0.102 port 80
!
class-map type traffic match-any CLASS-TO-REDIRECT
 match access-group input name ACL-RDT-TRAFFIC
 match access-group output name ACL-RDT-TRAFFIC
!
class-map type control match-all IPOE_UNAUTH
 match authen-status unauthenticated
 match timer UNAUTH_TIMER
!
policy-map type service PM-DHCP-L4R
 classname L4R-CLASS
!
policy-map type service PM-RDT-SVC
 5 class type traffic CLASS-TO-REDIRECT
  redirect to group GROUP-TO-RDT
 !
 class type traffic default input
  drop
!
!
policy-map type control PM_IPOE
 class type control IPOE_UNAUTH event timed-policy-expiry
  5 service disconnect
 !
 class type control always event session-start
  5 authorize aaa list IPOE_SUB password ciscopwd identifier nas-port
  10 set-timer UNAUTH_TIMER 3
 !
 class type control always event access-reject
  5 service deny
 !
 class type control always event session-restart
  5 authorize aaa list IPOE_SUB password ciscopwd identifier nas-port
  10 set-timer UNAUTH_TIMER 3
 !
 !
 class type control always event radius-timeout
  10 service-policy type service name PM-DHCP-L4R
  20 service-policy type service name PM-RDT-SVC
!
!
interface GigabitEthernet1.105
 description IPOE SUBSCRIBERS SESS_AGGR
 encapsulation dot1Q 105 second-dot1q 1001-2000
 ip dhcp relay information option-insert
 ip dhcp relay information policy-action replace
 ip address 172.16.185.1 255.255.255.0 secondary
 ip address 172.25.134.1 255.255.255.0 secondary
 ip address 192.168.232.1 255.255.248.0 secondary
 ip address 192.168.105.1 255.255.255.0 secondary
 ip address 192.168.222.1 255.255.254.0
 service-policy type control PM_IPOE
 ip subscriber l2-connected
  initiator dhcp class-aware
!
interface GigabitEthernet2
 description to ISP SERVER FARM
 ip dhcp relay information trusted
 ip address 10.0.0.1 255.255.255.0
 negotiation auto
!
ip access-list extended ACL-RDT-TRAFFIC
 permit tcp any any eq www
 permit tcp any eq www any
 permit tcp any any eq 443
 permit tcp any eq 443 any
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 6 on-for-login-auth
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute nas-port format d
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria tries 3
radius-server retransmit 5
radius-server deadtime 15
!
radius server ISG_RAD_SRV1
 address ipv4 10.0.0.100 auth-port 1812 acct-port 1813
 timeout 3
 retransmit 5
 key isg.cisco
!
end
I've tried to debug with the commands "debug subscriber event", "debug subscriber aaa authorization event", "debug subscriber policy event" and so on... the problem seems to be related to client authorization. But I don't understand where I'm wrong.
Hope someone can help me.
Best regards
Alberto
05-30-2018 07:15 AM
More than one hundred views without an idea... :-(
So let's try changing the perspective. We have a lot of l2-connected FTTCab customers. When all systems work fine, at client startup the ISG intercepts the DHCP Discover and asks RADIUS; if the authorization is OK, RADIUS returns in the Access-Accept message a DHCP class name for address assignment, otherwise (Access-Reject) the session is disconnected.
Now suppose the RADIUS server is down or unreachable... the client starts up and sends a DHCP Discover, the ISG intercepts the request and asks RADIUS, but no response is received. This triggers the ISG "radius-timeout" event (confirmed by the show policy-map control command, too). So now, what can we do to assign an IP address to the customer and ensure internet access anyway???
My idea is to use a service policy map, activated by a control policy, to assign a DHCP class name to the customer. But this doesn't work, and I'm not understanding why. So any idea is welcome.
Thanks all in advance.
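Added note (not part of the original thread, and not Cisco code): before chasing the authorization path, it is worth laying the two countdowns from the posted configuration on one timeline, because both start at session-start and the "radius-timeout" branch only helps if it wins the race and the session is not torn down afterwards. The script below does that for the values in the first post. It assumes the usual IOS RADIUS behaviour of one attempt plus `retransmit` retries, each waiting `timeout` seconds, before ISG raises radius-timeout, and that the ISG `set-timer` argument is in minutes (both taken as modelling assumptions; `dead-criteria` and `deadtime` are left out). The class and function names are the example's own.

```python
"""Timeline of the timers in the posted ISG control policy.

Added example, not from the original post and not Cisco code. Modelling
assumptions (verify on the box with "show policy-map control" and
"debug subscriber policy event"):

  * RADIUS wait before the radius-timeout event fires:
      timeout * (retransmit + 1) seconds
    (radius server ISG_RAD_SRV1: timeout 3, retransmit 5).
  * "set-timer UNAUTH_TIMER 3" is 3 minutes; when it expires while
    authen-status is still unauthenticated, class IPOE_UNAUTH matches and
    timed-policy-expiry runs "service disconnect".
  * Nothing in the radius-timeout branch changes authen-status, so the
    session is still unauthenticated when UNAUTH_TIMER expires.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RadiusServer:
    timeout_s: int    # 'timeout' under 'radius server ...'
    retransmit: int   # 'retransmit' under 'radius server ...'

    def seconds_until_radius_timeout(self) -> int:
        """Initial request plus retransmits, each waiting timeout_s."""
        return self.timeout_s * (self.retransmit + 1)


@dataclass(frozen=True)
class IsgEvent:
    at_s: int      # seconds after session-start
    name: str      # ISG control-policy event name
    action: str    # what the posted PM_IPOE does on that event


def control_policy_timeline(server: RadiusServer,
                            unauth_timer_min: int) -> list[IsgEvent]:
    """Events, in firing order, for a session whose RADIUS server never answers."""
    events = [
        IsgEvent(0, "session-start",
                 "authorize aaa list IPOE_SUB; set-timer UNAUTH_TIMER"),
        # set-timer is in minutes (modelling assumption, see docstring)
        IsgEvent(unauth_timer_min * 60, "timed-policy-expiry",
                 "service disconnect (class IPOE_UNAUTH)"),
        IsgEvent(server.seconds_until_radius_timeout(), "radius-timeout",
                 "service-policy PM-DHCP-L4R, then PM-RDT-SVC"),
    ]
    # sorted() is stable, so session-start stays first on a tie at t=0
    return sorted(events, key=lambda e: e.at_s)


def first_outcome(server: RadiusServer, unauth_timer_min: int) -> str:
    """Name of the first event after session-start that decides the session."""
    for ev in control_policy_timeline(server, unauth_timer_min):
        if ev.name != "session-start":
            return ev.name
    raise AssertionError("timeline always contains a deciding event")


if __name__ == "__main__":
    # Values copied from the posted configuration.
    srv = RadiusServer(timeout_s=3, retransmit=5)
    for ev in control_policy_timeline(srv, unauth_timer_min=3):
        print(f"t={ev.at_s:>4}s  {ev.name:<20} {ev.action}")
    print("first deciding event:", first_outcome(srv, 3))
```

With the posted values the model puts radius-timeout at 18 s and UNAUTH_TIMER expiry at 180 s, so the timer is not what pre-empts the radius-timeout branch; but because that branch leaves authen-status unauthenticated, the same model lists "service disconnect" three minutes later even if PM-DHCP-L4R and PM-RDT-SVC had applied. Comparing this ordering against the debug output is a quick way to tell a timing problem from an authorization one.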