cisco aaa coa and l4 redirect not working on csr 1000v

sololuke2013
Level 1

Hi

I am trying to configure a Cisco CSR 1000V in VMware with 4 interfaces to do DHCP session creation with AAA RADIUS CoA and L4 Redirect to a portal page using the PBHK service.

This is my full configuration.

Here is the link and scenario that inspired me:

http://www.cisco.com/en/US/docs/ios/12_2sb/isg/coa/guide/isgcoa4.html

My CoA works well; I used radclient for testing, and it changes the subscriber session from unauthenticated to authenticated.

My issue is that the redirect to the captive portal is not working, and I don't know why.

Do I have to add AAA user profiles for the L4 service on the RADIUS server? What config should be added on the RADIUS server?

Can you please help me with the config?

Here are parts of my config as well:

!
! Last configuration change at 22:48:29 UTC Fri Nov 29 2013
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service internal
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname CISCO-CSR1000v
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 XXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
aaa group server radius RAD-SRV-GRP
 server 192.168.100.123 auth-port 1812 acct-port 1813
 ip radius source-interface Loopback1
!
aaa authentication login RAD-ALL group RAD-SRV-GRP
aaa authorization network RAD-ALL group RAD-SRV-GRP
aaa authorization subscriber-service default local group RAD-SRV-GRP
aaa accounting network RAD-ALL
 action-type start-stop
 group RAD-SRV-GRP
!
aaa server radius dynamic-author
 client 192.168.100.123
 server-key cisco
 port 3799
 auth-type all
 ignore session-key
 ignore server-key
!
aaa session-id common
no ip source-route
!
no ip domain lookup
ip address-pool local
ip dhcp excluded-address 192.168.200.1
!
ip dhcp pool WiFi_DHCP_POOL1
 network 192.168.200.0 255.255.255.0
 dns-server 192.168.1.1
 default-router 192.168.200.1
 lease 0 0 30
 class DHCP-WiFi-CL
!
ip dhcp class DHCP-WiFi-CL
!
subscriber service coa-rfc-compliant
subscriber service session-accounting
subscriber authorization enable
multilink bundle-name authenticated
!
username root privilege 15 password 0 rootpass
!
redundancy
 mode none
redirect server-group CP-PORTAL
 server ip 192.168.100.123 port 80
!
no ip tftp source-interface GigabitEthernet0
class-map type traffic match-any REDIRECT-MAP
 match access-group input name REDIRECT-ACL-UP
!
class-map type traffic match-any OPENGARDEN-MAP
 match access-group input name OPENGARDEN-ACL-UP
 match access-group output name OPENGARDEN-ACL-DW
!
class-map type control match-all INIT-SESSION
 match timer INIT-SESSION-TIMER
 match authen-status unauthenticated
!
policy-map type service REDIRECT-SERV
 class type traffic REDIRECT-MAP
  redirect to ip 192.168.100.123 port 80
 !
 class type traffic default input
  drop
 !
!
policy-map type service OPENGARDEN-SERV
 class type traffic OPENGARDEN-MAP
  police input 1000000
  police output 3000000
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service PBHK-SERV
 ip portbundle
!
policy-map type control WIFI-POL-1
 class type control INIT-SESSION event timed-policy-expiry
  10 service disconnect
 !
 class type control always event session-start
  10 service-policy type service name PBHK-SERV
  20 service-policy type service name REDIRECT-SERV
  30 service-policy type service name OPENGARDEN-SERV
  40 set-timer INIT-SESSION-TIMER 5
 !
 class type control always event account-logon
  10 authenticate aaa list RAD-ALL
 !
 class type control always event service-start
  10 service-policy type service unapply name PBHK-SERV
  20 service-policy type service unapply name REDIRECT-SERV
  30 service-policy type service unapply name OPENGARDEN-SERV
  40 service-policy type service identifier service-name
 !
 class type control always event account-logoff
  10 service disconnect delay 5
 !
 class type control always event service-stop
  10 service-policy type service unapply identifier service-name
  20 service-policy type service name PBHK-SERV
  30 service-policy type service name REDIRECT-SERV
  40 service-policy type service name OPENGARDEN-SERV
 !
!
interface Loopback1
 ip address 192.168.255.1 255.255.255.255
!
interface GigabitEthernet1
 description "Internet_Interface"
 ip address 192.168.1.28 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 description "AP_Interface"
 ip address 192.168.200.1 255.255.255.0
 negotiation auto
 service-policy type control WIFI-POL-1
 ip subscriber routed
  initiator unclassified ip-address
  initiator dhcp
!
interface GigabitEthernet3
 description "Radius-Portal_Interface"
 ip address 192.168.100.131 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.168.50.130 255.255.255.0
 negotiation auto
!
virtual-service csr_mgmt
 activate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip access-list extended OPENGARDEN-ACL-DW
 permit ip host 192.168.100.123 any
 permit udp any eq domain any
ip access-list extended OPENGARDEN-ACL-UP
 permit udp any any eq domain
 permit tcp any host 192.168.100.123
ip access-list extended REDIRECT-ACL-UP
 deny   ip any host 192.168.100.123
 permit tcp any any eq www
 permit tcp any any eq 8080
 permit tcp any any eq 443
!
ip portbundle
 match access-list 101
 source Loopback1
!
access-list 101 permit tcp any host 192.168.100.123
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 31 send nas-port-detail mac-only
radius-server attribute 31 remote-id
radius-server host 192.168.100.123 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 5
radius-server timeout 10
radius-server key cisco
!
control-plane
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0
 exec-timeout 30 0
 transport input telnet
line vty 1
 exec-timeout 30 0
 length 0
 transport input telnet
line vty 2 4
 exec-timeout 30 0
 transport input telnet
!
onep
!
end
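The post tests CoA with radclient against the dynamic-author listener on port 3799 with shared key "cisco", and the reply below asks how a portal identifies the session when it generates CoA. The following Python is an added example, not code from the poster or from Cisco: it encodes an RFC 5176 CoA-Request the way a portal or radclient would, computes and verifies the Request Authenticator (which is what the router checks with its server-key), and verifies the CoA-ACK/NAK authenticator that comes back. The session is identified with Acct-Session-Id (attribute 44) and Framed-IP-Address (attribute 8), both of which the posted config sends in Access-Requests; the session-id and IP values are constructed, the shared secret is the one in the posted config, and the Cisco-AVPair command string is an assumption taken from general ISG CoA usage rather than from this thread.

```python
"""RFC 5176 CoA-Request encoder and authenticator checks (added example)."""
import hashlib
import hmac
import struct

# Packet codes from RFC 5176
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Standard RADIUS attribute types used to identify a subscriber session
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31     # the posted config sends this as mac-only
ATTR_ACCT_SESSION_ID = 44        # the posted config includes this in Access-Requests

CISCO_VENDOR_ID = 9     # IANA enterprise number for Cisco
CISCO_AVPAIR = 1        # vendor-type of the Cisco-AVPair attribute


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def framed_ip(address: str) -> bytes:
    """Framed-IP-Address carries the dotted quad as 4 raw octets."""
    return attr(ATTR_FRAMED_IP_ADDRESS, bytes(int(o) for o in address.split(".")))


def cisco_avpair(text: str) -> bytes:
    """Wrap a Cisco-AVPair string in a Vendor-Specific attribute (vendor id 9, type 1)."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def parse_attributes(data: bytes) -> list:
    """Split an attribute section into (type, value) pairs; rejects malformed TLVs."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return out


def build_coa_request(secret: bytes, identifier: int, attributes: bytes) -> bytes:
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier & 0xFF, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def verify_coa_request(secret: bytes, packet: bytes) -> bool:
    """NAS side: recompute the Request Authenticator with the locally configured secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_coa_response(secret: bytes, code: int, request: bytes, attributes: bytes = b"") -> bytes:
    """NAS side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attributes))
    authenticator = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + authenticator + attributes


def verify_coa_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """Client side: accept a CoA-ACK/NAK only if the secret binds it to our request."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if code not in (COA_ACK, COA_NAK) or identifier != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def example_request(secret: bytes = b"cisco") -> bytes:
    """Constructed sample request; the AVPair command is an assumed ISG command string."""
    attributes = (attr(ATTR_ACCT_SESSION_ID, b"00000001")        # constructed session id
                  + framed_ip("192.168.200.10")                    # constructed, inside the posted DHCP pool
                  + cisco_avpair("subscriber:command=account-logon"))
    return build_coa_request(secret, 7, attributes)


if __name__ == "__main__":
    req = example_request()
    ack = build_coa_response(b"cisco", COA_ACK, req)
    print("request authenticator ok:", verify_coa_request(b"cisco", req))
    print("ack authenticator ok:", verify_coa_response(b"cisco", req, ack))
```

To send the request for real you would write `example_request()` to a UDP socket aimed at the router's port 3799 and pass the reply to `verify_coa_response`; `verify_coa_request` is the check the router performs before acting on the packet, which is why a wrong or mismatched shared secret shows up as a silently dropped CoA rather than a NAK.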

1 Reply

dhruv.ranparia1
Level 1

Hello,

Did you use an external portal? And how do you identify the session and generate CoA? I am stuck at generating CoA from the portal with the PBHK identifier.

Can you help me get the session information to generate CoA?