
ISG Redirect

ahmadrahem1798
Level 1

Hello Dears,

I am trying to redirect Layer 4 traffic on a Cisco ASR 1004 router by using the Cisco AVpair attribute. The problem is that when I receive the AV pair attribute from the RADIUS server, I can't connect as a PPPoE user. We are using FreeRADIUS.

Here is the configuration.

Building configuration...

Current configuration : 4332 bytes
!
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname asr3
!
boot-start-marker
boot system bootflash:asr1000rp2-adventerprise.03.14.00.S.155-1.S-std.bin
boot-end-marker
!
aqm-register-fnf
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 4 XXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
aaa user profile 144
!
aaa authentication login default local
aaa authentication enable default enable line
aaa authentication ppp default group radius local
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting update periodic 3
aaa accounting network default
 action-type start-stop
 group radius
!
!
!
!
!
aaa server radius dynamic-author
 server-key XXXXX
 auth-type any
!
aaa session-id common
!
!
!
!
!
!
!
!
!


no ip domain lookup

!
!
!
!
!
!
!
!
!
!
subscriber templating
virtual-profile virtual-template 1
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
spanning-tree extend system-id
!

!
redundancy
 mode none
redirect server-group REDIRECT_NOPAY
 server ip 192.168.255.34 port 80
!
!
!
cdp run
!
ip ftp source-interface GigabitEthernet0
ip tftp source-interface GigabitEthernet0
class-map type traffic match-any CLASS-TO-REDIRECT
 match access-group output 197
 match access-group input 197
!
!

policy-map type service LOCAL_L4R
 ip access-group 197 in
 ip access-group 197 out
 1 class type traffic CLASS-TO-REDIRECT
  redirect to group REDIRECT_NOPAY
 !
 class type traffic default in-out
  drop
!
!
!

!
!
!
!
!
!
!
bba-group pppoe global
 virtual-template 1
 vendor-tag circuit-id service
 vendor-tag remote-id service
!
!
interface Loopback1
 ip address 10.0.0.1 255.255.255.255
!
interface TenGigabitEthernet1/0/0
 no ip address
 cdp enable
 hold-queue 240000 in
!
interface TenGigabitEthernet1/0/0.7
 encapsulation dot1Q 7
 ip address 192.168.90.10 255.255.255.252
!
interface TenGigabitEthernet1/0/0.9
 encapsulation dot1Q 9
 pppoe enable group global
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 negotiation auto
!
interface Virtual-Template1
 ip unnumbered Loopback1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip tcp adjust-mss 1420
 no peer default ip address
 ppp authentication pap chap
 ppp ipcp dns 8.8.8.8
!
ip local pool vip 10.64.144.0 10.64.147.254
ip forward-protocol nd
!
no ip http server
ip route 0.0.0.0 0.0.0.0 192.168.90.9

!

!
access-list 197 permit tcp any any eq www
access-list 197 permit tcp any eq www any
access-list 197 permit tcp any any eq 443
access-list 197 permit tcp any eq 443 any
access-list 197 deny ip any any
!
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 44 extend-with-addr
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 30 original-called-number
radius-server attribute 31 mac format unformatted
radius-server attribute 31 remote-id
radius-server attribute nas-port-id include remote-id plus vendor-class-id plus circuit-id
radius-server timeout 3
radius-server accounting system host-config
radius-server vsa send cisco-nas-port
!
radius server radius
 address ipv4 192.168.3.10 auth-port 1812 acct-port 1813
 key XXXX
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 5
 timeout login response 300

!
!
end

If I disable the AV pair attribute from the RADIUS server, the PPPoE user will connect.

*Jan 20 01:49:57.093: RADIUS/ENCODE(00000049):Orig. component type = PPPoE
*Jan 20 01:49:57.093: RADIUS: DSL line rate attributes successfully added
*Jan 20 01:49:57.093: RADIUS(00000049): Config NAS IP: 0.0.0.0
*Jan 20 01:49:57.093: RADIUS(00000049): Config NAS IPv6: ::
*Jan 20 01:49:57.093: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
*Jan 20 01:49:57.093: RADIUS/ENCODE(00000049): acct_session_id: 63
*Jan 20 01:49:57.093: RADIUS(00000049): sending
*Jan 20 01:49:57.093: RADIUS/ENCODE: Best Local IP-Address 192.168.90.10 for Radius-Server 192.168.3.10
*Jan 20 01:49:57.093: RADIUS(00000049): Send Access-Request to 192.168.3.10:1812 id 1645/29, len 158
*Jan 20 01:49:57.093: RADIUS: authenticator D6 69 E1 3F F0 8F 79 3C - 9D 61 E9 B6 EC B1 24 21
*Jan 20 01:49:57.093: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Jan 20 01:49:57.093: RADIUS: User-Name [1] 7 "rafal"
*Jan 20 01:49:57.093: RADIUS: User-Password [2] 18 *
*Jan 20 01:49:57.093: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jan 20 01:49:57.093: RADIUS: Vendor, Cisco [26] 15
*Jan 20 01:49:57.093: RADIUS: cisco-nas-port [2] 9 "1/0/0/9"
*Jan 20 01:49:57.093: RADIUS: NAS-Port [5] 6 0
*Jan 20 01:49:57.093: RADIUS: NAS-Port-Id [87] 9 "1/0/0/9"
*Jan 20 01:49:57.093: RADIUS: Vendor, Cisco [26] 41
*Jan 20 01:49:57.093: RADIUS: Cisco AVpair [1] 35 "client-mac-address=000c.29e1.1d5c"
*Jan 20 01:49:57.093: RADIUS: Service-Type [6] 6 Framed [2]
*Jan 20 01:49:57.093: RADIUS: NAS-IP-Address [4] 6 192.168.90.10
*Jan 20 01:49:57.093: RADIUS: Acct-Session-Id [44] 18 "C0A85A0A0000003F"
*Jan 20 01:49:57.093: RADIUS(00000049): Sending a IPv4 Radius Packet
*Jan 20 01:49:57.093: RADIUS(00000049): Started 3 sec timeout
*Jan 20 01:49:57.254: RADIUS: Received from id 1645/29 192.168.3.10:1812, Access-Accept, len 122
*Jan 20 01:49:57.254: RADIUS: authenticator 8D 3F 7E 2A 10 F2 01 99 - ED 2F 8E 65 D8 87 D9 4F
*Jan 20 01:49:57.254: RADIUS: Session-Timeout [27] 6 126838689
*Jan 20 01:49:57.254: RADIUS: Service-Type [6] 6 Framed [2]
*Jan 20 01:49:57.254: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Jan 20 01:49:57.254: RADIUS: Framed-IP-Pool [88] 5 "vip"
*Jan 20 01:49:57.254: RADIUS: Vendor, Cisco [26] 79
*Jan 20 01:49:57.254: RADIUS: Cisco AVpair [1] 73 "ip:l4redirect=redirect to group REDIRECT_NOPAY duration 30 frequency 10"
*Jan 20 01:49:57.254: RADIUS(00000049): Received from id 1645/29
*Jan 20 01:49:57.259: RADIUS: Removing all radius source-int. pointing to Virtual-Access2.1

Can anyone help?

Thanks


Dan Lukes
VIP Alumni

Feedback forum is dedicated to other topics (see description for details). Moved to WAN, Routing and switching.