12-05-2013 11:39 AM - edited 03-10-2019 09:09 PM
Hi
I am trying to configure a Cisco CSR 1000V in VMware with 4 interfaces to do DHCP session creation with AAA RADIUS CoA and L4 redirect to a portal page using the PBHK service.
This is my full configuration.
Here is my inspiration link and scenario:
http://www.cisco.com/en/US/docs/ios/12_2sb/isg/coa/guide/isgcoa4.html
My CoA works well; for testing I used radclient and changed the subscriber session from unauthenticated to authenticated.
My issue is that the redirect to the captive portal is not working, and I don't know why.
Do I have to add AAA user profiles for the L4 service on the RADIUS server? What config should be added on the RADIUS server?
Can you please help me with the config?
Here are parts from my config:
!
! Last configuration change at 22:48:29 UTC Fri Nov 29 2013
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service internal
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname CISCO-CSR1000v
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 XXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa group server radius RAD-SRV-GRP
 server 192.168.100.123 auth-port 1812 acct-port 1813
 ip radius source-interface Loopback1
!
aaa authentication login RAD-ALL group RAD-SRV-GRP
aaa authorization network RAD-ALL group RAD-SRV-GRP
aaa authorization subscriber-service default local group RAD-SRV-GRP
aaa accounting network RAD-ALL
 action-type start-stop
  group RAD-SRV-GRP
!
!
aaa server radius dynamic-author
 client 192.168.100.123
  server-key cisco
 port 3799
 auth-type all
 ignore session-key
 ignore server-key
!
aaa session-id common
no ip source-route
!
!
no ip domain lookup
ip address-pool local
ip dhcp excluded-address 192.168.200.1
!
ip dhcp pool WiFi_DHCP_POOL1
 network 192.168.200.0 255.255.255.0
 dns-server 192.168.1.1
 default-router 192.168.200.1
 lease 0 0 30
 class DHCP-WiFi-CL
!
!
ip dhcp class DHCP-WiFi-CL
!
!
subscriber service coa-rfc-compliant
subscriber service session-accounting
subscriber authorization enable
multilink bundle-name authenticated
!
!
username root privilege 15 password 0 rootpass
!
redundancy
 mode none
!
redirect server-group CP-PORTAL
 server ip 192.168.100.123 port 80
!
!
no ip tftp source-interface GigabitEthernet0
!
class-map type traffic match-any REDIRECT-MAP
 match access-group input name REDIRECT-ACL-UP
!
class-map type traffic match-any OPENGARDEN-MAP
 match access-group input name OPENGARDEN-ACL-UP
 match access-group output name OPENGARDEN-ACL-DW
!
class-map type control match-all INIT-SESSION
 match timer INIT-SESSION-TIMER
 match authen-status unauthenticated
!
policy-map type service REDIRECT-SERV
 class type traffic REDIRECT-MAP
  redirect to ip 192.168.100.123 port 80
 !
 class type traffic default input
  drop
 !
!
policy-map type service OPENGARDEN-SERV
 class type traffic OPENGARDEN-MAP
  police input 1000000
  police output 3000000
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service PBHK-SERV
 ip portbundle
!
policy-map type control WIFI-POL-1
 class type control INIT-SESSION event timed-policy-expiry
  10 service disconnect
 !
 class type control always event session-start
  10 service-policy type service name PBHK-SERV
  20 service-policy type service name REDIRECT-SERV
  30 service-policy type service name OPENGARDEN-SERV
  40 set-timer INIT-SESSION-TIMER 5
 !
 class type control always event account-logon
  10 authenticate aaa list RAD-ALL
 !
 class type control always event service-start
  10 service-policy type service unapply name PBHK-SERV
  20 service-policy type service unapply name REDIRECT-SERV
  30 service-policy type service unapply name OPENGARDEN-SERV
  40 service-policy type service identifier service-name
 !
 class type control always event account-logoff
  10 service disconnect delay 5
 !
 class type control always event service-stop
  10 service-policy type service unapply identifier service-name
  20 service-policy type service name PBHK-SERV
  30 service-policy type service name REDIRECT-SERV
  40 service-policy type service name OPENGARDEN-SERV
 !
!
!
interface Loopback1
 ip address 192.168.255.1 255.255.255.255
!
interface GigabitEthernet1
 description "Internet_Interface"
 ip address 192.168.1.28 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 description "AP_Interface"
 ip address 192.168.200.1 255.255.255.0
 negotiation auto
 service-policy type control WIFI-POL-1
 ip subscriber routed
  initiator unclassified ip-address
  initiator dhcp
!
interface GigabitEthernet3
 description "Radius-Portal_Interface"
 ip address 192.168.100.131 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.168.50.130 255.255.255.0
 negotiation auto
!
!
virtual-service csr_mgmt
 activate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip access-list extended OPENGARDEN-ACL-DW
 permit ip host 192.168.100.123 any
 permit udp any eq domain any
ip access-list extended OPENGARDEN-ACL-UP
 permit udp any any eq domain
 permit tcp any host 192.168.100.123
ip access-list extended REDIRECT-ACL-UP
 deny ip any host 192.168.100.123
 permit tcp any any eq www
 permit tcp any any eq 8080
 permit tcp any any eq 443
!
!
ip portbundle
 match access-list 101
 source Loopback1
!
access-list 101 permit tcp any host 192.168.100.123
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 31 send nas-port-detail mac-only
radius-server attribute 31 remote-id
radius-server host 192.168.100.123 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 5
radius-server timeout 10
radius-server key cisco
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0
 exec-timeout 30 0
 transport input telnet
line vty 1
 exec-timeout 30 0
 length 0
 transport input telnet
line vty 2 4
 exec-timeout 30 0
 transport input telnet
!
onep
!
end
12-09-2015 11:04 PM
Hello,
Did you use an external portal? And how do you identify the session and generate the CoA? I got stuck generating the CoA from the portal with the PBHK identifier.
Can you help me get the session information to generate the CoA?
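Added example (not from either poster): a portal-side builder for the RFC 5176 CoA-Request that radclient sends to the CSR's dynamic-author listener (port 3799, server-key cisco in the config above), plus the Response Authenticator check the portal should do before trusting a CoA-ACK/NAK. The session is keyed by Acct-Session-Id (attribute 44, which the config includes in Access-Requests); the Cisco-AVPair strings are the ones from the ISG CoA guide linked in the first post, and the session id and credentials are constructed placeholders.

```python
import hashlib
import struct

# Constructed to match the post's dynamic-author config: server-key "cisco", port 3799 on the CSR.
SHARED_SECRET = b"cisco"
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ACCT_SESSION_ID, VENDOR_SPECIFIC, CISCO_VENDOR_ID = 44, 26, 9

def avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) with Vendor-Id 9 and Cisco sub-attribute 1 (Cisco-AVPair)."""
    sub = struct.pack("!BB", 1, len(text) + 2) + text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def build_coa_request(identifier: int, attrs: bytes, secret: bytes = SHARED_SECRET) -> bytes:
    """RFC 5176: Request Authenticator = MD5(Code+ID+Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier & 0xFF, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def build_coa_response(code: int, request: bytes, attrs: bytes = b"", secret: bytes = SHARED_SECRET) -> bytes:
    """What the NAS sends back: Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_coa_response(request: bytes, response: bytes, secret: bytes = SHARED_SECRET) -> bool:
    """Portal-side check before trusting a CoA-ACK/NAK: matching Identifier and a valid Response Authenticator."""
    if len(response) < 20 or response[1] != request[1] or response[0] not in (COA_ACK, COA_NAK):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected

def account_logon_request(identifier: int, acct_session_id: str, user: str, password: str) -> bytes:
    """ISG account-logon CoA keyed by Acct-Session-Id; AVPair names follow the ISG CoA guide."""
    attrs = (avp(ACCT_SESSION_ID, acct_session_id.encode())
             + cisco_avpair("subscriber:command=account-logon")
             + cisco_avpair(f"subscriber:username={user}")
             + cisco_avpair(f"subscriber:password={password}"))
    return build_coa_request(identifier, attrs)

if __name__ == "__main__":
    pkt = account_logon_request(7, "00000010", "user1", "pw1")  # constructed sample values
    print(pkt.hex())
```

The Identifier and Request Authenticator are what tie a CoA-ACK or CoA-NAK back to the request; a response with a bad authenticator should be discarded, not retried with a different secret.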