01-27-2016 02:40 AM - edited 03-01-2019 02:58 PM
Hi,
I found problem about redirect web on ASR1002 . I want to pppoe client redirect web ( lock billing ). Now if client can access web via ip address ,such as 8.8.8.8 it working . but if access via domain name (google.com) not working. My Configuration is below.
AAA
Cisco-AVpair += ip:l4redirect=redirect to group WIFI-PORTAL
BRAS
aaa group server radius Broadband
server xxx auth-port 1645 acct-port 0
server xxx auth-port 0 acct-port 1646
!
aaa authentication login userauthen local
aaa authentication ppp PPPOE group Broadband
aaa authorization network PPPOE group Broadband
aaa authorization network groupauthor local
aaa authorization subscriber-service default local group Broadband
aaa accounting delay-start
aaa accounting network PPPOE
action-type start-stop
group Broadband
!
aaa accounting connection PPPOE
action-type start-stop
group Broadband
!
aaa accounting system default start-stop group pppoe
ip name-server xxx
ip name-server xxx
redirect server-group WIFI-PORTAL
server ip xxx port 80
class-map type traffic match-any LK
match access-group input 180
!
policy-map type service PBHK
ip portbundle
!
policy-map type service LK_REDIRECT
service local
class type traffic LK
redirect to group WIFI-PORTAL
ip local pool pass_authen xxxx yyyy
ip local pool bad_authen xxxx yyyy
access-list 180 deny ip any host web portal
access-list 180 permit tcp any any eq domain
access-list 180 permit udp any any eq domain
access-list 180 permit tcp any any eq www
access-list 180 permit tcp any any eq 8080
access-list 180 permit tcp any any eq 443
access-list 180 permit udp any any eq 443
access-list 180 deny ip any any
Test_Bras#sh redirect translations
Source IP/port Destination IP/port Server IP/port Prot
10.10.0.101 22760 8.8.8.8 53 xxx.56.141 53 UDP
10.10.0.101 32771 8.8.8.8 53 xxx.56.141 53 UDP
10.10.0.101 52380 8.8.8.8 80 xxx.56.1411 80 TCP
10.10.0.101 52381 8.8.8.8 80 xxx.56.141 80 TCP
10.10.0.101 52382 8.8.8.8 80 xxx.56.141 80 TCP
10.10.0.101 52383 8.8.8.8 80 xxx.56.141 80 TCP
10.10.0.101 52384 8.8.8.8 80 xxx.56.141 80 TCP
10.10.0.101 52410 xxxxxx.237.21 80 xxx.56.141 80 TCP
10.10.0.101 52411 xxxxxx.237.21 80 xxx.56.141 80 TCP
10.10.0.101 57248 8.8.4.4 53 xxx.56.141 53 UDP
Total Number of Translations: 10
01-27-2016 05:11 AM
Hi,
Looking at the snippet of the config provided I would say the issue is most likely caused by the fact that you are matching DNS traffic in the ACL used in the redirect service. That means, DNS traffic will be redirected to group WIFI-PORTAL which points to "server ip xxx port 80". Unless that server is able to reply to DNS requests on that port, most likely the DNS query is failing, hence you are not able to resolve the domain name.
Regards.
01-28-2016 12:30 AM
Thank you Mr.Manuel Rodriguez
I want to know about command "Cisco-AVpair += ip:l4redirect=redirect to group WIFI-PORTAL"
on Radius Server . It correct, Right?. and Where to applies policy-map ?
I found problem ACL not active.
01-28-2016 03:12 AM
Hi,
L4 redirect feature must be applied using a traffic class service.
According to the config provided, service 'LK_REDIRECT' is a traffic class service (using input traffic class 'LK' which matches ACL 180) which is also applying redirect feature ('redirect to group WIFI-PORTAL').
I want to know about command "Cisco-AVpair += ip:l4redirect=redirect to group WIFI-PORTAL"on Radius Server . It correct, Right?. and Where to applies policy-map ?
That VSA is used to apply L4 redirect feature. It should be used in a radius profile used for service definition (in case services are defined in radius and not locally in ISG config).
I found problem ACL not active.
I do not understand this? Could you please provide details on what do you mean by this?
Regards.
01-28-2016 06:34 AM
Hi,
Now I configured command Cisco-AVpair += ip:l4redirect=redirect to group WIFI-PORTAL on radius and traffic class service however can't redirect web portal via domain name . My configured (radius+ISG) is correct right?
01-28-2016 06:41 AM
Hi,
Now I configured command Cisco-AVpair += ip:l4redirect=redirect to group WIFI-PORTAL on radius and traffic class service however can't redirect web portal via domain name . My configured (radius+ISG) is correct right?
I do not understand the question. What do you mean by:
My configured (radius+ISG) is correct right?
What is the status of the session when you look at 'show subscriber session uid X detail' for a session which should be redirected? Is the redirect feature installed in the session?
Can you still redirect when you use IP address instead of domain name? If yes, did you review the ACL used for L4 redirection traffic class?
Regards.
01-28-2016 07:15 PM
Hi
The following is output from the show redirect translations command .
redirect when use IP address only.
Test_Bras#sh redirect translations
Source IP/port Destination IP/port Server IP/port Prot
192.168.1.33 49166 203.146.237.21 80 203.146.56.141 80 TCP
192.168.1.33 49167 8.8.8.8 80 203.146.56.141 80 TCP
192.168.1.33 49168 8.8.8.8 80 203.146.56.141 80 TCP
203.172.99.254 32774 203.146.237.237 53 203.146.56.141 80 UDP
Total Number of Translations: 4
Test_Bras#sh sss ses uid 268
Unique Session ID: 268
Identifier: testcas177_36@adsl.cslox.com
SIP subscriber access type(s): PPPoE/PPP
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 00:01:00, Last Changed: 00:01:00
Interface: Virtual-Access2.1
Policy information:
Authentication status: authen
Session inbound features:
Feature: Layer 4 Redirect
Rule Cfg Definition
#1 USR Redirect to group WIFI-PORTAL
Session outbound features:
Feature: PPP Idle Timeout
Timeout value is 4200000
Idle time is 00:00:20
Non-datapath features:
Feature: IP Config
Peer IP Address: 0.0.0.0 (F/F)
Address Pool: pass_authen (F)
Unnumbered Intf: [None]
Feature: Session Timeout
Timeout value is 36000 seconds
Time remaining is 09:58:59
Configuration sources associated with this session:
Interface: Virtual-Template1, Active Time = 00:01:00
Test_Bras#
02-01-2016 12:34 AM
Hi,
I'm afraid that doesn't really clarify what I asked:
======== From previous post ====================
I do not understand the question. What do you mean by:
My configured (radius+ISG) is correct right?
What is the status of the session when you look at 'show subscriber session uid X detail' for a session which should be redirected? Is the redirect feature installed in the session?
Can you still redirect when you use IP address instead of domain name? If yes, did you review the ACL used for L4 redirection traffic class?
Regards.
02-02-2016 09:16 PM
Hi.
Now I can't use domain name redirect.
I think policy-map don't apply with redirect group.
Tell me my mistake Please.
redirect server-group REDIRECT_NOPAY
server ip 203.146.56.141 port 80
class-map type traffic match-any RDR_CLASS
match access-group input name ACL_RDR_IN
match access-group output name ACL_RDR_IN
policy-map type service RDR-SRV
100 class type traffic RDR_CLASS
redirect to group REDIRECT_NOPAY
ip access-list extended ACL_RDR_IN
deny ip any host ip dns
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8080
permit ip any any
02-09-2016 01:00 AM
Hi,
I'm sorry but I do not understand the question.
What do you mean by "Now I can't use domain name redirect."? Do you mean redirection doesn't work when you try to access portal using URL? I see you deny traffic to DNS on the ACL for L4R. However, is there another service to allow that traffic? What do you see if you use wireshark in your client when DNS is trying to resolve? Do you see response?
Also, as I asked before, what is the status of the session when you look at 'show subscriber session uid X detail' for a session which should be redirected?
06-28-2018 09:33 PM
Struggled with this for ages this is what finally worked for me.
This is on an ASR1006
Cisco IOS XE Software, Version 03.16.07b.S - Extended Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.5(3)S7b, RELEASE SOFTWARE (fc1)
For the aaa method used for authorization for subscriber-service, I set it to local :-
aaa authorization subscriber-service LAB local
ip access-list extended RED-DNS
permit udp any any eq domain
class-map type traffic match-any RED-DNS
match access-group input name RED-DNS
!
!
policy-map type service RED-DNS
class type traffic RED-DNS
redirect to ip 8.8.8.8 port 53
!
!
policy-map type control RED-DNS
class type control always event session-start
1 service-policy type service name RED-DNS
!
class type control always event account-logon
1 service-policy type service name RED-DNS
!
!
!
Activate via Radius Access-Accept
radius av-pair sent :-
Cisco-Account-Info = "ARED-DNS"
Note the A infront of policy name
defined in dictionary as :-
VENDORATTR 9 Cisco-Account-Info 250 string
Activate via Radius CoA
radclient -f coa-user5 x.x.x.x:3799 coa XXXXXXX
coa-user5
=============================================================
Packet-Type=43
Packet-Dst-Port=3799
Acct-Session-Id="00201135"
User-Name="user5@rs1.com"
cisco-avpair="subscriber:command=activate-service"
cisco-avpair="subscriber:service-name=RED-DNS"
=============================================================
and on BNG
show subscriber session username user5@rs1.com detailed
Type: PPPoE, UID: 1715, State: authen, Identity: user5@rs1.com
IPv4 Address: 105.209.112.34
Session Up-time: 00:00:34, Last Changed: 00:00:34
Interface: Virtual-Access2.1
Switch-ID: 1061294
Policy information:
Context 7F177DBE80F0: HanVENDORATTR 9 Cisco-Account-Info 250 stringdle 7E000898
AAA_id 0029B668: Flow_handle 0
Authentication status: authen
Downloaded User profile, excluding services:
service-type 0 2 [Framed]
Framed-Protocol 0 1 [PPP]
ssg-account-info 0 "ARED-DNS"
ip-unnumbered 0 "Loopback0"
addr-pool 0 "poolgpon"
Downloaded User profile, including services:
service-type 0 2 [Framed]
Framed-Protocol 0 1 [PPP]
ssg-account-info 0 "ARED-DNS"
ip-unnumbered 0 "Loopback0"
addr-pool 0 "poolgpon"
username 0 "RED-DNS"
traffic-class 0 "input access-group name RED-DNS"
l4redirect 0 "redirect to ip 8.8.8.8 port 53"
Config history for session (recent to oldest):
Access-type: Web-service-logon Client: SM
Policy event: Process Config Connecting (Service)
Profile name: RED-DNS, 3 references
password 0 <hidden>
username 0 "RED-DNS"
traffic-class 0 "input access-group name RED-DNS"
l4redirect 0 "redirect to ip 8.8.8.8 port 53"
Access-type: PPP Client: SM
Policy event: Process Config Connecting
Profile name: user5@rs1.com, 2 references
service-type 0 2 [Framed]
Framed-Protocol 0 1 [PPP]
ssg-account-info 0 "ARED-DNS"
ip-unnumbered 0 "Loopback0"
addr-pool 0 "poolgpon"
Active services associated with session:
name "RED-DNS"
Rules, actions and conditions executed:
subscriber rule-map default-internal-rule
condition always event service-start
1 service-policy type service identifier service-name
Classifiers:
Class-id Dir Packets Bytes Pri. Definition
0 In 206 16682 0 Match Any
1 Out 44 7861 0 Match Any
4 In 10 641 0 Match ACL RED-DNS
Features:
IP Config:
M=Mandatory, T=Tag, Mp=Mandatory pool
Flags Peer IP Address Pool Name Interface
0.0.0.0 poolgpon Lo0
:: [None] [None]
L4 VENDORATTR 9 Cisco-Account-Info 250 stringRedirect:
Class-id Rule cfg Definition Source
4 #1 SVC to ip 8.8.8.8 port 53 RED-DNS
Configuration Sources:
Type Active Time AAA Service ID Name
SVC 00:00:35 - RED-DNS
USR 00:00:35 - Peruser
INT 00:00:35 - Virtual-Template5
RB-BNG-2.ZA# show redirect translations
Prot Destination IP/Port Server IP/Port
UDP 192.168.7.7 53 8.8.8.8 53
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide