11-29-2013 12:47 PM
Hi
I attached my full configuration used on a CSR1000V to do AAA with an external RADIUS server and an external captive portal using CoA. The architecture is also attached.
Here is my inspiration link and scenario:
http://www.cisco.com/en/US/docs/ios/12_2sb/isg/coa/guide/isgcoa4.html
My CoA works well: for testing I used radclient, and it changes the subscriber session from unauth to authenticated.
My issue is that the redirect to the captive portal is not working, and I don't know why.
show subscriber policy all looks good as well.
Can you please help me with my config?
Here are parts from my config also:
aaa new-model
!
!
aaa group server radius RAD-SRV-GRP
server 192.168.100.123 auth-port 1812 acct-port 1813
ip radius source-interface Loopback1
!
aaa authentication login RAD-ALL group RAD-SRV-GRP
aaa authorization network RAD-ALL group RAD-SRV-GRP
aaa authorization subscriber-service default local group RAD-SRV-GRP
aaa accounting network RAD-ALL
action-type start-stop
group RAD-SRV-GRP
!
!
!
!
!
aaa server radius dynamic-author
client 192.168.100.123
server-key cisco
port 3799
auth-type all
ignore session-key
ignore server-key
!
aaa session-id common
ip dhcp excluded-address 192.168.200.1
!
ip dhcp pool WiFi_DHCP_POOL1
network 192.168.200.0 255.255.255.0
dns-server 192.168.1.1
default-router 192.168.200.1
lease 0 0 30
class DHCP-WiFi-CL
!
!
ip dhcp class DHCP-WiFi-CL
subscriber service coa-rfc-compliant
subscriber service session-accounting
subscriber authorization enable
class-map type traffic match-any REDIRECT-MAP
match access-group input name REDIRECT-ACL-UP
!
class-map type traffic match-any INTERNET-MAP
match access-group input name INTERNET-ACL-UP
match access-group output name INTERNET-ACL-DW
!
class-map type traffic match-any OPENGARDEN-MAP
match access-group input name OPENGARDEN-ACL-UP
match access-group output name OPENGARDEN-ACL-DW
!
class-map type control match-all INIT-SESSION
match timer INIT-SESSION-TIMER
match authen-status unauthenticated
!
policy-map type service REDIRECT-SERV
class type traffic REDIRECT-MAP
redirect to ip 192.168.100.123 port 80
!
class type traffic default input
drop
!
!
policy-map type service OPENGARDEN-SERV
class type traffic OPENGARDEN-MAP
police input 1000000
police output 3000000
!
class type traffic default in-out
drop
!
!
policy-map type service INTERNET-SERV
class type traffic INTERNET-MAP
timeout idle 300
timeout absolute 3600
police input 5000000
police output 10000000
!
class type traffic default in-out
drop
!
!
policy-map type service PBHK-SERV
ip portbundle
!
policy-map type control WIFI-POL-1
class type control INIT-SESSION event timed-policy-expiry
10 service disconnect
!
class type control always event session-start
10 service-policy type service name PBHK-SERV
20 collect identifier mac-address
30 authorize aaa list RAD-ALL identifier mac-address
40 service-policy type service name REDIRECT-SERV
50 service-policy type service name OPENGARDEN-SERV
60 set-timer INIT-SESSION-TIMER 5
!
class type control always event account-logon
10 authenticate aaa list RAD-ALL
!
class type control always event service-start
10 service-policy type service unapply name PBHK-SERV
20 service-policy type service unapply name REDIRECT-SERV
30 service-policy type service unapply name OPENGARDEN-SERV
40 service-policy type service identifier service-name
!
class type control always event account-logoff
10 service disconnect delay 5
!
class type control always event service-stop
10 service-policy type service unapply identifier service-name
20 service-policy type service name PBHK-SERV
30 service-policy type service name REDIRECT-SERV
40 service-policy type service name OPENGARDEN-SERV
!
!
!
!
!
!
interface Loopback1
ip address 192.168.255.1 255.255.255.255
!
interface GigabitEthernet1
description "Internet_Interface"
ip address 192.168.1.28 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
description "AP_Interface"
ip address 192.168.200.1 255.255.255.0
negotiation auto
service-policy type control WIFI-POL-1
ip subscriber routed
initiator unclassified ip-address
initiator dhcp
!
interface GigabitEthernet3
description "Radius-Portal_Interface"
ip address 192.168.100.131 255.255.255.0
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 192.168.50.130 255.255.255.0
negotiation auto
!
!
virtual-service csr_mgmt
activate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip access-list extended INTERNET-ACL-DW
permit ip any 192.168.200.0 0.0.0.255
ip access-list extended INTERNET-ACL-UP
permit ip any 192.168.200.0 0.0.0.255
ip access-list extended OPENGARDEN-ACL-DW
permit ip host 192.168.100.123 any
permit udp any eq domain any
ip access-list extended OPENGARDEN-ACL-UP
permit udp any any eq domain
permit tcp any host 192.168.100.123
ip access-list extended REDIRECT-ACL-UP
deny ip any host 192.168.100.123
permit tcp any any eq www
permit tcp any any eq 8080
permit tcp any any eq 443
!
!
ip portbundle
match access-list 101
source Loopback1
!
access-list 101 permit tcp any host 192.168.100.123
!
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 31 send nas-port-detail mac-only
radius-server attribute 31 remote-id
radius-server host 192.168.100.123 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 5
radius-server timeout 10
radius-server key cisco
!
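An added example, not part of the original post and not Cisco tooling: a small Python audit of the CoA listener (`aaa server radius dynamic-author`) and RADIUS shared-secret settings in a configuration like the one posted above. The finding names and the 16-character threshold (taken from RFC 2865's stated preference for secrets of at least 16 octets) are choices made for this example; the sample input is copied from the post, with its lost indentation left as it is.

```python
import re

MIN_SECRET_LEN = 16  # RFC 2865 section 3 prefers shared secrets of >= 16 octets

# Sub-commands of the dynamic-author block. They are used to find the end of
# the block when a paste has lost its indentation, as the one above has.
DYN_AUTHOR_SUBCMDS = ("client", "server-key", "port", "auth-type", "ignore", "domain")

# Sample input: lines copied from the configuration posted above.
SAMPLE_CONFIG = """\
aaa server radius dynamic-author
client 192.168.100.123
server-key cisco
port 3799
auth-type all
ignore session-key
ignore server-key
!
aaa session-id common
radius-server host 192.168.100.123 auth-port 1812 acct-port 1813 key cisco
radius-server key cisco
"""


def dynamic_author_block(config):
    """Return the sub-command lines of the CoA listener block (may be empty)."""
    block, inside = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "aaa server radius dynamic-author":
            inside = True
            continue
        if inside:
            if line.startswith(DYN_AUTHOR_SUBCMDS):
                block.append(line)
            else:
                break  # "!" or the next top-level command ends the block
    return block


def parse_secret(tokens):
    """Split '[0|6|7] <secret>' into (encoding_type, secret); type 0 is cleartext."""
    if len(tokens) >= 2 and tokens[0] in ("0", "6", "7"):
        return tokens[0], tokens[1]
    return "0", (tokens[0] if tokens else "")


def check_secret(where, tokens, findings):
    """Report cleartext secrets and, for those, secrets shorter than the threshold."""
    enc, secret = parse_secret(tokens)
    if enc != "0":
        return  # encoded (type 6/7) secrets cannot be length-checked here
    findings.append(("CLEARTEXT_SECRET", f"{where}: secret is stored in cleartext"))
    if len(secret) < MIN_SECRET_LEN:
        findings.append(("SHORT_SECRET",
                         f"{where}: secret is {len(secret)} characters, "
                         f"below {MIN_SECRET_LEN}"))


def audit_coa(config):
    """Return (coa_clients, findings); findings are (code, message) tuples."""
    clients, findings = [], []
    for line in dynamic_author_block(config):
        words = line.split()
        if words[0] == "ignore" and len(words) > 1:
            if words[1] == "server-key":
                findings.append(("IGNORE_SERVER_KEY",
                                 "dynamic-author: the CoA shared secret (server-key) is ignored"))
            elif words[1] == "session-key":
                findings.append(("IGNORE_SESSION_KEY",
                                 "dynamic-author: the session key is ignored"))
        elif words[0] == "server-key":
            check_secret("dynamic-author server-key", words[1:], findings)
        elif words[0] == "client" and len(words) > 1:
            clients.append(words[1])
            if "server-key" in words:  # per-client secret on the client line
                idx = words.index("server-key")
                check_secret(f"client {words[1]} server-key", words[idx + 1:], findings)
    # Global and per-host RADIUS secrets.
    for raw in config.splitlines():
        m = re.match(r"\s*radius-server (?:host \S+ .*?\bkey|key) (.+)$", raw)
        if m:
            check_secret("radius-server key", m.group(1).split(), findings)
    return clients, findings


if __name__ == "__main__":
    coa_clients, results = audit_coa(SAMPLE_CONFIG)
    print("CoA clients allowed to send requests:", ", ".join(coa_clients) or "none")
    for code, message in results:
        print(f"[{code}] {message}")
```

The CoA client list is returned alongside the findings because the set of hosts allowed to send CoA requests matters most when the key checks are relaxed.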
12-07-2013 02:44 AM
Hi Luke,
According to your configuration, and as I remember,
the problem may be in your redirect command, as follows.
You configured redirect as:
!
policy-map type service REDIRECT-SERV
class type traffic REDIRECT-MAP
redirect to ip 192.168.100.123 port 80
!
I suggest replacing
redirect to ip 192.168.100.123 port 80
with
redirect to group REDIRECT_SERVER_NAME
And in global configuration, add:
redirect server-group REDIRECT_SERVER_NAME
server ip 192.168.100.123
Please try it and tell us.
Also, tell me: do you know the function of the following commands, and why do you use them,
as you didn't call them?
!
class-map type control match-all INIT-SESSION
match timer INIT-SESSION-TIMER
match authen-status unauthenticated
!
BR
AbdelGalil
12-09-2013 12:54 PM
Hi AbdelGalil
I changed and used server group for redirect. Same thing.
class-map type control match-all INIT-SESSION
match timer INIT-SESSION-TIMER
match authen-status unauthenticated
is used for the captive portal, to set the timer for unauthenticated users. Anyway, I removed this, but the behaviour is the same.
This is the new full config
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service internal
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname CISCO-CSR1000v
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 ................
!
aaa new-model
!
!
aaa group server radius RAD-SRV-GROUP
server 192.168.100.123 auth-port 1812 acct-port 1813
ip radius source-interface Loopback1
!
aaa authentication login default none
aaa authentication login RAD-ALL group RAD-SRV-GROUP
aaa authorization network RAD-ALL group RAD-SRV-GROUP
aaa authorization subscriber-service default local group RAD-SRV-GROUP
aaa accounting delay-start
aaa accounting update periodic 5
aaa accounting network RAD-ALL
action-type start-stop
group RAD-SRV-GROUP
!
!
!
!
!
aaa server radius dynamic-author
client 192.168.100.123
server-key cisco
port 3799
auth-type all
ignore session-key
ignore server-key
!
aaa session-id common
no ip source-route
!
!
!
!
!
!
!
!
!
ip name-server 192.168.1.1
ip address-pool local
ip dhcp excluded-address 192.168.200.1
!
ip dhcp pool WiFi_DHCP_POOL1
network 192.168.200.0 255.255.255.0
dns-server 192.168.1.1
default-router 192.168.200.1
lease 0 0 30
class UNAUTH-DHCP
!
!
ip dhcp class UNAUTH-DHCP
!
!
!
!
!
!
!
!
!
subscriber service coa-rfc-compliant
subscriber authorization enable
service-policy type control WIFI-POL-1
multilink bundle-name authenticated
!
!
!
username root privilege 15 password 0 1 xxxxxxxxxx
!
redundancy
mode none
redirect server-group PORTAL-PAGE
server ip 192.168.2.123 port 80
!
!
!
!
ip tftp source-interface GigabitEthernet0
class-map type traffic match-any REDIRECT-MAP
match access-group output 197
match access-group input 197
!
class-map type traffic match-any OPENGARDEN-MAP
match access-group output 195
match access-group input 195
!
class-map type control match-all INIT-SESSION
match timer INIT-SESSION-TIMER
match authen-status unauthenticated
!
policy-map type service REDIRECT-SERV
ip access-group 197 in
ip access-group 197 out
1 class type traffic REDIRECT-MAP
redirect to group PORTAL-PAGE
!
class type traffic default input
drop
!
!
policy-map type service OPENGARDEN-SERV
class type traffic OPENGARDEN-MAP
police input 96000 1000 1500
police output 96000 1000 1500
!
class type traffic default in-out
drop
!
!
policy-map type service PBHK-SERV
service local
ip portbundle
!
policy-map type control WIFI-POL-1
class type control INIT-SESSION event timed-policy-expiry
10 service disconnect
!
class type control always event session-start
2 service-policy type service name PBHK-SERV
5 collect identifier mac-address
10 authorize aaa list RAD-ALL password cisco identifier mac-address
20 set-timer INIT-SESSION-TIMER 10
30 service-policy type service name REDIRECT-SERV
40 service-policy type service name OPENGARDEN-SERV
!
class type control always event account-logon
2 service-policy type service unapply name PBHK-SERV
10 authenticate aaa list RAD-ALL
20 service-policy type service unapply name REDIRECT-SERV
30 service-policy type service unapply name OPENGARDEN-SERV
!
class type control always event service-start
2 service-policy type service unapply name PBHK-SERV
10 service-policy type service unapply name REDIRECT-SERV
20 service-policy type service unapply name OPENGARDEN-SERV
30 service-policy type service identifier service-name
!
class type control always event account-logoff
10 service disconnect delay 5
!
class type control always event service-stop
1 service-policy type service unapply identifier service-name
10 service-policy type service unapply identifier service-name
12 service-policy type service unapply name PBHK-SERV
20 service-policy type service name REDIRECT-SERV
30 service-policy type service name OPENGARDEN-SERV
!
!
!
!
!
!
interface Loopback1
ip address 192.168.255.1 255.255.255.255
!
interface GigabitEthernet1
description "Internet_Interface"
ip address 192.168.1.253 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
description "AP_Interface"
ip address 192.168.200.1 255.255.255.0
negotiation auto
service-policy type control WIFI-POL-1
ip subscriber l2-connected
initiator unclassified mac-address
initiator dhcp
!
interface GigabitEthernet3
description "Radius-Portal_Interface"
ip address 192.168.100.131 255.255.255.0
negotiation auto
!
interface GigabitEthernet4
ip address 192.168.2.100 255.255.255.0
ip portbundle outside
negotiation auto
!
interface GigabitEthernet0
description "PORTAL"
vrf forwarding Mgmt-intf
ip address 192.168.50.130 255.255.255.0
negotiation auto
!
!
virtual-service csr_mgmt
activate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
ip portbundle
length 5
match access-list 101
source Loopback1
!
logging trap debugging
access-list 101 permit ip any any
access-list 195 permit ip any any
access-list 196 permit ip any any
access-list 197 permit tcp any any eq www
access-list 197 permit tcp any eq www any
access-list 197 deny ip any any
!
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 44 extend-with-addr
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 31 mac format unformatted
radius-server attribute 31 send nas-port-detail mac-only
radius-server attribute 31 remote-id
radius-server host 192.168.100.123 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 5
radius-server timeout 10
radius-server key cisco
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0
exec-timeout 30 0
transport input telnet
line vty 1
exec-timeout 30 0
length 0
transport input telnet
line vty 2 4
exec-timeout 30 0
transport input telnet
!
onep
!
end
LOG attached.
*Dec 6 20:56:56.917: SSS AAA AUTHOR [uid:172]: Root SIP DHCP
*Dec 6 20:56:56.917: SSS AAA AUTHOR [uid:172]: Enable IP parsing
*Dec 6 20:56:56.917: SSS AAA AUTHOR [uid:172]: Enable DHCP parsing
*Dec 6 20:56:56.917: SSS AAA AUTHOR [uid:172]: Enable IP-Interface parsing
*Dec 6 20:56:56.917: SSS PM [uid:172][7FAF8F61AAA8]: ACTIVE HANDLE[0]: Snapshot captured in Active context
*Dec 6 20:56:56.917: SSS PM [uid:172][7FAF8F61AAA8]: ACTIVE HANDLE[0]: Active context created
*Dec 6 20:56:56.917: SSS AAA AUTHOR [uid:172]: Event
*Dec 6 20:56:56.917: SSS AAA AUTHOR [uid:172]: Active key set to Apply-Service
*Dec 6 20:56:56.917: SSS AAA AUTHOR [uid:172]: Authorizing key OPENGARDEN-SERV
*Dec 6 20:56:56.917: SSS AAA AUTHOR [uid:172]: Set authorization profile type to service
*Dec 6 20:56:56.917: SSS AAA AUTHOR [uid:172]: AAA request sent for key OPENGARDEN-SERV
*Dec 6 20:56:56.917: SSS PM [uid:172][7FAF8F61AAA8]: RULE[1]: Downloading service "OPENGARDEN-SERV"
*Dec 6 20:56:56.917: SSS PM [uid:172][7FAF8F61AAA8]: RULE[2]: Continue
*Dec 6 20:56:56.917: SSS AAA AUTHOR [uid:172]: Received an AAA pass
Initial attr password 0
Initial attr username 0 "OPENGARDEN-SERV"
Initial attr traffic-class 0 "output access-group 195"
Initial attr traffic-class 0 "input access-group 195"
Initial attr ssg-service-info 0 "QU;96000;1000;1500;D;96000;1000;1500"
Initial attr traffic-class 0 "input default drop"
Initial attr traffic-class 0 "output default drop"
*Dec 6 20:56:56.917: SSS AAA AUTHOR [uid:172]: Could not parse AAA interim interval
*Dec 6 20:56:56.917: SSS PM: PARAMETERIZED-QoS: QOS parameters
*Dec 6 20:56:56.917: SSS PM [uid:172][7FAF8F61AAA8]: RULE: VRF Parsing routine:
password 0
username 0 "OPENGARDEN-SERV"
traffic-class 0 "output access-group 195"
traffic-class 0 "input access-group 195"
ssg-service-info 0 "QU;96000;1000;1500;D;96000;1000;1500"
traffic-class 0 "input default drop"
traffic-class 0 "output default drop"
*Dec 6 20:56:56.917: SSS PM: VPDN is not enabled
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: Set class ids: 484.485
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: Feature
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: SIP Root parser not installed
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: SIP IP-Interface parser not installed
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: SIP IP[2672EF0] parsed as Ignore
*Dec 6 20:56:56.918: IPSUB: Invalid magic 0xFADEDEAF in IP session 0x7FAF3761C8E8
*Dec 6 20:56:56.918: IPSUB-VRFSET: Entered allocate feature info
*Dec 6 20:56:56.918: IPSUB-VRFSET: Allocated sg vrfset info 0x7FAF37CB1160
*Dec 6 20:56:56.918: IPSUB-VRFSET: Freeing the sg vrfset info 0x7FAF37CB1160
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: SIP IP[2687F00] parsed as Ignore
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: SIP DHCP[2672EF0] parsed as Ignore
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: Event
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: No service authorization info found
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: Active Handle present - FE000189
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Attr list is NULL, apply config handle [0] not reset
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: ACTIVE HANDLE[0]: Snapshot reverted from Active context to policy context
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: Freeing Active Handle; SSS Policy Context Handle = 8500030F
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: ACTIVE HANDLE[989]: Released active handle
*Dec 6 20:56:56.918: SSS PM [7FAF8F619C68]: Create context 7FAF8F619C68
*Dec 6 20:56:56.918: SSS PM: PROFILE-DB: is profile "OPENGARDEN-SERV" in DB
*Dec 6 20:56:56.918: SSS PM: PROFILE-DB: Computed hash value = 1769598160
*Dec 6 20:56:56.918: SSS PM: PROFILE-DB: No, add new list
*Dec 6 20:56:56.918: SSS PM: PROFILE-DB: create "OPENGARDEN-SERV"
*Dec 6 20:56:56.918: SSS PM: PROFILE-DB: create "OPENGARDEN-SERV"/7FAF37CB32A8 hdl F1000358 ref 1
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: downloaded first version
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: SVM download for "OPENGARDEN-SERV" ok
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: [8500030F]: client download ok
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: [SVM-to-client-msg:8500030F] locked 0->1
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: [AAA-Download:7FAF37E758E8] unlocked 1->0
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: Event
*Dec 6 20:56:56.918: SSS AAA AUTHOR [uid:172]: Cancel request
*Dec 6 20:56:56.918: SSS PM [7FAF8F619C68]: Destroy context 7FAF8F619C68
*Dec 6 20:56:56.918: SSS PM: [PARAMETERIZED-QoS]: In removed_from_rbpl_ctx_temp_hold for policy handle[84000315
*Dec 6 20:56:56.918: SSS PM: [PARAMETERIZED-QoS]: No rabapol context created yet for handle [84000315], nothing to return
*Dec 6 20:56:56.918: CH-UTILS: Invalid command handle
*Dec 6 20:56:56.918: SSS PM [7FAF8F619C68]: PROFILE: destroy all config
*Dec 6 20:56:56.918: SSS PM [7FAF8F619C68]: SSS PM: destroy all user profile info from policy context
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: SVM service download success
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: download completed for "OPENGARDEN-SERV" version 1
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: alloc feature info
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: [SVM-Feature-Info:7FAF373D5C80] locked 0->1
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: has Policy info
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: [PM-Info:7FAF8F64DB40] locked 0->1
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: has Policy info
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: PROFILE: store profile "OPENGARDEN-SERV"
*Dec 6 20:56:56.918: SSS PM: PROFILE-DB: incremented ref "OPENGARDEN-SERV"/7FAF37CB32A8 hdl F1000358 ref 2
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: PROFILE: create 7FAF8F65A260, ref 1
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: populated client
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: [PM-Download:8500030F] unlocked 1->0
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: [SVM-to-client-msg:8500030F] unlocked 1->0
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE: VRF/Classname Check: session logging off or not VRF/Classname dependent
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Handling Author Not Found Event
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Feature info: 7FAF373D5CC0 Type: Service Config
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: : Config level: Service Profile
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: : IDB type: Sub-if or not required
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: : 16 bytes:
SSS PM [uid:172][7FAF8F61AAA8]: : Data: 000000 00 00 A3 00 01 46 00 00 .....f..
SSS PM [uid:172][7FAF8F61AAA8]: : Data: 000008 00 00 A7 00 03 10 00 00 ........
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Feature info: 7FAF373D5CA0 Type: Service Config
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: : Config level: Service Profile
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: : IDB type: Sub-if or not required
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: : 16 bytes:
SSS PM [uid:172][7FAF8F61AAA8]: : Data: 000000 00 00 94 00 01 47 00 00 .....g..
SSS PM [uid:172][7FAF8F61AAA8]: : Data: 000008 00 00 31 00 03 12 00 00 ..1.....
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Feature info: 7FAF373D5C80 Type: Service Config
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: : Config level: Service Profile
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: : IDB type: Sub-if or not required
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: : 16 bytes:
SSS PM [uid:172][7FAF8F61AAA8]: : Data: 000000 00 00 D2 00 01 48 00 00 .....h..
SSS PM [uid:172][7FAF8F61AAA8]: : Data: 000008 00 00 69 00 03 14 00 00 ..i.....
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Service starting
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: SERVICE [OPENGARDEN-SERV]: Parent 7FAF8F61AAA8 (same as session)
*Dec 6 20:56:56.918: SVM [D2000148/OPENGARDEN-SERV]: [PM-Service:7FAF37CB5378] locked 0->1
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Client block is NULL in get client block with handle 8500030F
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: SERVICE [OPENGARDEN-SERV]: Start-pending request: Ok
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Event
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Handling Next Authorization Check
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE[0]: Continue
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE[0]: WIFI-POL-1/always event session-start/40 service-policy type service name OPENGARDEN-SERV
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Client block is NULL in get client block with handle 8500030F
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE[0]: No more actions to run
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE[1]: Continue
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE[1]: WIFI-POL-1/always event session-start/40 service-policy type service name OPENGARDEN-SERV
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: State: check-auth-needed to initial-req
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE[1]: Using previously offered directive Local Terminate
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE[2]: Continue
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE[2]: WIFI-POL-1/always event session-start/40 service-policy type service name OPENGARDEN-SERV
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Client block is NULL in get client block with handle 8500030F
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Event
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Handling Service Direction
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Policy reply - Local Terminate
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Plumbing proposed by default, not FSP
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Policy reply - Local Terminate
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Plumbing proposed by default, not FSP
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: Policy reply - Local Terminate
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Looking for a rule for event session-service-found
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Intf CloneSrc Gi2: service-rule any: WIFI-POL-1
*Dec 6 20:56:56.918: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Evaluate "WIFI-POL-1" for session-service-found
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/INIT-SESSION event timed-policy-expiry"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event session-start"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event account-logon"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event service-start"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event account-logoff"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event service-stop"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: No match for "WIFI-POL-1"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Intf AccessIE Gi2: service-rule any: WIFI-POL-1
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Evaluate "WIFI-POL-1" for session-service-found
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/INIT-SESSION event timed-policy-expiry"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event session-start"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event account-logon"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event service-start"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event account-logoff"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event service-stop"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: No match for "WIFI-POL-1"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Intf InputI/f Gi2: service-rule any: WIFI-POL-1
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Evaluate "WIFI-POL-1" for session-service-found
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/INIT-SESSION event timed-policy-expiry"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event session-start"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event account-logon"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event service-start"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event account-logoff"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event service-stop"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: No match for "WIFI-POL-1"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Glob: service-rule any: WIFI-POL-1
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Evaluate "WIFI-POL-1" for session-service-found
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/INIT-SESSION event timed-policy-expiry"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event session-start"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event account-logon"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event service-start"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event account-logoff"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: Wrong type "WIFI-POL-1/always event service-stop"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: RULE: No match for "WIFI-POL-1"
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: Plumbing proposed by default, not FSP
*Dec 6 20:56:56.919: SSS PM [uid:172][7FAF8F61AAA8]: Policy reply - Local Terminate
*Dec 6 20:56:56.919: SSS MGR [uid:172]: Event policy-start-service, state changed from authorizing to connecting-service
*Dec 6 20:56:56.919: SSS MGR [uid:172]: Event policy-or-mgr-need-more-keys, state changed from connecting-service to sm-needs-more-keys
*Dec 6 20:56:58.923: IPSUB_DP: [Gi2:I:PROC:000c.2986.2791] Packet classified, results = 0x40
*Dec 6 20:56:58.923: IPSUB_DP: [Gi2:I:PROC:000c.2986.2791] Rx driver allowing IP routing
*Dec 6 20:56:58.923: Session found in sip common DB for mac 000c.2986.2791
*Dec 6 20:56:58.923: Session found in sip common DB for mac 000c.2986.2791
*Dec 6 20:56:58.923: IPSUB: IPSUB: Sent self message 0
*Dec 6 20:56:58.924: SSS MGR [uid:172]: Event client-got-more-keys, state changed from sm-needs-more-keys to connecting-service
*Dec 6 20:56:58.924: SSS MGR [uid:172]: Event service-connected, state changed from connecting-service to provisioning-client
*Dec 6 20:56:58.924: SSS MGR [uid:172]: Event client-updated, state changed from provisioning-client to installing-config
*Dec 6 20:56:58.924: SVM [A3000146/PBHK-SERV]: [FM-Bind:05000116] locked 0->1
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: SERVICE [PBHK-SERV]: Bind notify: Ok
*Dec 6 20:56:58.924: SVM [94000147/REDIRECT-SERV]: [FM-Bind:05000116] locked 0->1
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: SERVICE [REDIRECT-SERV]: Bind notify: Ok
*Dec 6 20:56:58.924: SVM [D2000148/OPENGARDEN-SERV]: [FM-Bind:05000116] locked 0->1
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: SERVICE [OPENGARDEN-SERV]: Bind notify: Ok
*Dec 6 20:56:58.924: SVM [A3000146/PBHK-SERV]: [SVM-Feature-Info:7FAF373D5CC0] unlocked 1->0
*Dec 6 20:56:58.924: SVM [94000147/REDIRECT-SERV]: [SVM-Feature-Info:7FAF373D5CA0] unlocked 1->0
*Dec 6 20:56:58.924: SVM [D2000148/OPENGARDEN-SERV]: [SVM-Feature-Info:7FAF373D5C80] unlocked 1->0
*Dec 6 20:56:58.924: SSS MGR [uid:172]: Event feature-success, state changed from installing-config to connected
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Username key not found in set domain key API
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Username key not found in set domain key API
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Client block is NULL in get client block with handle 8500030F
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Client block is NULL in get client block with handle 8500030F
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Updated key list:
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Protocol-Type = 4 (IP Access Protocol)
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Media-Type = 2 (IP)
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: SHDB-Handle = 0 (00000000)
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Input Interface = "GigabitEthernet2"
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: IP-Address = 192.168.200.37 (C0A8C825)
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: IP-Address-VRF = IP 192.168.200.37:0
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: source-ip-address = 7FAF37B3AF28
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Mac-Address = 000c.2986.2791
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Sign-Of-Life = 2 (00000002)
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Final = 1 (YES)
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: IP-Session-Handle = 3053453370 (B600003A)
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Access-Type = 15 (IP)
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Remote-id = "020a0000c0a8c80100000000"
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Vendor-Class-id = "MSFT 5.0"
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Converted-Session = 0 (NO)
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Authen-Status = 1 (Unauthenticated)
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Nasport = PPPoEoE: slot 0 adapter 0 port 0 IP 0.0.0.0 VPI 0 VCI 0 VLAN 0
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Session-Handle = 83886358 (05000116)
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: SM Policy invoke - Apply Config Success
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Access type IP: final key
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Apply config handle is INVALID;
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Per-user merge to the parent is not possible, thus ignored
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Child and parent context are same
*Dec 6 20:56:58.924: SSS PM: [PARAMETERIZED-QoS]: No rabapol context created yet for handle [8500030F], returning compatible
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Event
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: Handling Apply Config; SUCCESS
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: session start done
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: SERVICE [OPENGARDEN-SERV]: Complete-Pending
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: service start
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: send event Service Assert
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: with service name "OPENGARDEN-SERV"
*Dec 6 20:56:58.924: SVM [D2000148/OPENGARDEN-SERV]: already downloaded; sharing
*Dec 6 20:56:58.924: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: assert authen status "unauthen"
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: send event Service Update
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: with service name "OPENGARDEN-SERV"
*Dec 6 20:56:58.925: SVM [D2000148/OPENGARDEN-SERV]: already downloaded; sharing
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: update service
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: send event Service Update
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: with service name "OPENGARDEN-SERV"
*Dec 6 20:56:58.925: SVM [D2000148/OPENGARDEN-SERV]: already downloaded; sharing
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: SERVICE [OPENGARDEN-SERV]: Started
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: SERVICE [REDIRECT-SERV]: Complete-Pending
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: service start
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: send event Service Assert
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: with service name "REDIRECT-SERV"
*Dec 6 20:56:58.925: SVM [94000147/REDIRECT-SERV]: already downloaded; sharing
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: assert authen status "unauthen"
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: send event Service Update
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: with service name "REDIRECT-SERV"
*Dec 6 20:56:58.925: SVM [94000147/REDIRECT-SERV]: already downloaded; sharing
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: update service
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: send event Service Update
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: with service name "REDIRECT-SERV"
*Dec 6 20:56:58.925: SVM [94000147/REDIRECT-SERV]: already downloaded; sharing
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: SERVICE [REDIRECT-SERV]: Started
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: SERVICE [PBHK-SERV]: Complete-Pending
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: service start
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: send event Service Assert
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: with service name "PBHK-SERV"
*Dec 6 20:56:58.925: SVM [A3000146/PBHK-SERV]: already downloaded; sharing
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: assert authen status "unauthen"
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: send event Service Update
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: with service name "PBHK-SERV"
*Dec 6 20:56:58.925: SVM [A3000146/PBHK-SERV]: already downloaded; sharing
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: update service
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: send event Service Update
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: IDMGR: with service name "PBHK-SERV"
*Dec 6 20:56:58.925: SVM [A3000146/PBHK-SERV]: already downloaded; sharing
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: SERVICE [PBHK-SERV]: Started
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: no callback for callback north
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: Client block is NULL in get client block with handle 8500030F
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: Null client block; Can't update RP
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: Client block is NULL in get client block with handle 8500030F
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: No pending events to process
*Dec 6 20:56:58.925: SSS PM [uid:172][7FAF8F61AAA8]: No pending eventst
*Dec 6 20:56:58.925: IPSUB-VRFSET: [uid:172] Entered allocate feature info
*Dec 6 20:56:58.925: IPSUB-VRFSET: [uid:172] Allocated sg vrfset info 0x7FAF37CB1160
*Dec 6 20:56:58.925: IPSUB-VRFSET: [uid:172] Applying SG VRFSET info
*Dec 6 20:56:58.925: IPSUB-VRFSET: [uid:172] Context not present, creating context
*Dec 6 20:56:58.925: IPSUB-VRFSET: [uid:172] Entered the sg vrfset context alloc
*Dec 6 20:56:58.925: IPSUB-VRFSET: [uid:172] Returning the sg vrfset context 0x7FAF37DFABE8
*Dec 6 20:56:58.925: IPSUB-VRFSET: [uid:172] Filling the context from vrfset_info
*Dec 6 20:56:58.925: IPSUB-VRFSET: [uid:172] SG VRFSET apply succeeded
*Dec 6 20:56:58.925: IPSUB-VRFSET: [uid:172] Freeing the sg vrfset info 0x7FAF37CB1160
*Dec 6 20:56:58.925: IPSUB-ROUTE: [uid:172] Checking whether routes to be inserted/removed: Context Present 0 context 0x0
*Dec 6 20:56:58.925: IPSUB-ROUTE: [uid:172] Context not present, creating context fixup reqd 1
*Dec 6 20:56:58.925: IPSUB-ROUTE: [uid:172] Entered the sg subrte context alloc
*Dec 6 20:56:58.925: IPSUB-ROUTE: [uid:172] Returning the sg subrte context 0x7FAF8F7CDED0
*Dec 6 20:56:58.925: IPSUB-ROUTE: [uid:172] Installed ARP entry [DFL]: 192.168.200.37
*Dec 6 20:56:58.926: IPSUB-ROUTE: [uid:172] Added Fib Prefix [DFL]: 192.168.200.37/255.255.255.255
*Dec 6 20:56:58.926: IPSUB-ROUTE: [uid:172] Route[DFL]: 192.168.200.37 idb 7FAF349BA7F8, Action: No Need to Add Route L2_con 1 msi 0
*Dec 6 20:56:58.926: IPSUB-ROUTE: [uid:172] Both IP addresses and VRF are same, no need to add route
*Dec 6 20:56:58.926: IPSUB_DP: [uid:0] Setup event for session (session hdl 0)
*Dec 6 20:56:58.926: IPSUB_DP: [uid:0] Insert new entry for mac 000c.2986.2791
*Dec 6 20:56:58.926: IPSUB_DP: [uid:172] Added upstream entry into the classifier
*Dec 6 20:56:58.926: IPSUB_DP: [uid:172] MAC = 000c.2986.2791
*Dec 6 20:56:58.926: IPSUB_DP: [uid:172] Added downstream entry into the classifier
*Dec 6 20:56:58.926: IPSUB_DP: [uid:172] VRF = DFL, IP = 192.168.200.37, MASK = 255.255.255.255
*Dec 6 20:56:58.926: IPSUB_DP: [uid:172] Session setup successful
*Dec 6 20:56:58.926: IPSUB_DP: [uid:172] Event setup-session, state changed from idle to established
*Dec 6 20:56:58.926: IPSUB_DP: [uid:172] Sent update msg to the control plane
*Dec 6 20:56:58.926: IPSUB_DP: [uid:172] Activate event for session
*Dec 6 20:56:58.926: IPSUB_DP: [uid:172] Event activate-session, state changed from established to connected
*Dec 6 20:56:58.926: Received Session UP event for mac 000c.2986.2791
*Dec 6 20:56:58.926: Session found in sip common DB for mac 000c.2986.2791
*Dec 6 20:56:58.926: Deleting mac 000c.2986.2791 from SIP common DB
*Dec 6 20:56:58.926: Deleted mac 000c.2986.2791 from SIP common DB
*Dec 6 20:56:59.005: IPSUB:
*Dec 6 20:56:59.005: arhrd 0x1 arpro 0x800 arhln 6 arpln 4 opcode 1 ipspro C0A8C825 iptpro C0A8C825
*Dec 6 20:56:59.005: IPSUB: ipshdw 000c.2986.2791 ipthdw 0000.0000.0000 is bcast 0 is zero add 1
*Dec 6 20:56:59.862: IPSUB:
*Dec 6 20:56:59.862: arhrd 0x1 arpro 0x800 arhln 6 arpln 4 opcode 1 ipspro C0A8C825 iptpro C0A8C825
*Dec 6 20:56:59.862: IPSUB: ipshdw 000c.2986.2791 ipthdw 0000.0000.0000 is bcast 0 is zero add 1
*Dec 6 20:57:00.862: IPSUB:
*Dec 6 20:57:00.862: arhrd 0x1 arpro 0x800 arhln 6 arpln 4 opcode 1 ipspro C0A8C825 iptpro C0A8C825
*Dec 6 20:57:00.862: IPSUB: ipshdw 000c.2986.2791 ipthdw 0000.0000.0000 is bcast 0 is zero add 1
*Dec 6 20:57:01.915: IPSUB:
12-09-2013 02:17 PM
Hello Luke,
I hope you are doing well.
Sorry, I forgot to request the full configuration.
I want you to check the following:
The port bundle should be the same between ISG and AAA
If you can ping the portal from the ISG.
And I found some conflict with the Cisco configuration guide.
The ACL is not configured in the redirect service but in the open garden:
policy-map type service REDIRECT-SERV
no ip access-group 197 in
no ip access-group 197 out
Reconfigure the open garden by adding the ACL:
policy-map type service OPENGARDEN-SERV
1 class type traffic ACL_TRAFFIC
end
conf t
class-map type traffic match-any ACL_TRAFFIC
match access-group output name ACL_TRAFFIC_OUT
match access-group input name ACL_TRAFFIC_IN
ip access-list extended ACL_TRAFFIC_OUT
permit ip any host 192.168.100.123
ip access-list extended ACL_TRAFFIC_IN
permit ip host 192.168.100.123 any
Ping the portal again.
Now it will work ISA.
Can you tell me why you are using MAC & IP as identifiers for the session?
interface GigabitEthernet2
description "AP_Interface"
ip address 192.168.200.1 255.255.255.0
negotiation auto
service-policy type control WIFI-POL-1
ip subscriber l2-connected
initiator unclassified mac-address
initiator dhcp
Best Regards
AbdelGalil Farid
12-10-2013 02:13 AM
Hi,
I am trying to see why users are not redirected to the portal... Ping to the portal works, all seems to be right.
Config changed but same issue with the redirect:
class-map type traffic match-any ACL_TRAFFIC
match access-group output name ACL_TRAFFIC_OUT
match access-group input name ACL_TRAFFIC_IN
!
class-map type traffic match-any OPENGARDEN-MAP
match access-group output 195
match access-group input 195
!
class-map type traffic match-any REDIRECT-MAP
match access-group output 197
match access-group input 197
!
class-map type control match-all INIT-SESSION
match timer INIT-SESSION-TIMER
match authen-status unauthenticated
!
policy-map type service REDIRECT-SERV
1 class type traffic ACL_TRAFFIC
redirect to group PORTAL-PAGE
!
class type traffic default input
drop
!
!
policy-map type service OPENGARDEN-SERV
class type traffic OPENGARDEN-MAP
police input 96000 1000 1500
police output 96000 1000 1500
!
class type traffic default in-out
drop
!
!
policy-map type service PBHK-SERV
service local
ip portbundle
!
policy-map type control WIFI-POL-1
class type control INIT-SESSION event timed-policy-expiry
10 service disconnect
!
class type control always event session-start
2 service-policy type service name PBHK-SERV
5 collect identifier mac-address
10 authorize aaa list CAR-ALL password cisco identifier mac-address
20 set-timer INIT-SESSION-TIMER 10
30 service-policy type service name REDIRECT-SERV
40 service-policy type service name OPENGARDEN-SERV
!
class type control always event account-logon
2 service-policy type service unapply name PBHK-SERV
10 authenticate aaa list CAR-ALL
20 service-policy type service unapply name REDIRECT-SERV
30 service-policy type service unapply name OPENGARDEN-SERV
!
class type control always event service-start
2 service-policy type service unapply name PBHK-SERV
10 service-policy type service unapply name REDIRECT-SERV
20 service-policy type service unapply name OPENGARDEN-SERV
30 service-policy type service identifier service-name
!
class type control always event account-logoff
10 service disconnect delay 5
!
class type control always event service-stop
1 service-policy type service unapply identifier service-name
10 service-policy type service unapply identifier service-name
12 service-policy type service unapply name PBHK-SERV
20 service-policy type service name REDIRECT-SERV
30 service-policy type service name OPENGARDEN-SERV
!
!
!
!
!
!
interface Loopback1
ip address 192.168.255.1 255.255.255.255
!
interface GigabitEthernet1
description "Internet_Interface"
ip address 192.168.1.253 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
description "AP_Interface"
ip address 192.168.200.1 255.255.255.0
ip portbundle outside
negotiation auto
service-policy type control WIFI-POL-1
ip subscriber l2-connected
initiator unclassified mac-address
initiator dhcp
!
interface GigabitEthernet3
description "Radius-Portal_Interface"
ip address 192.168.100.131 255.255.255.0
negotiation auto
!
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: DHCPv4, UID: 19, State: unauthen, Identity: 192.168.200.4
IPv4 Address: 192.168.200.4
Session Up-time: 00:02:28, Last Changed: 00:02:30
Switch-ID: 4148
Policy information:
Authentication status: unauthen
Active services associated with session:
name "OPENGARDEN-SERV", applied before account logon
name "REDIRECT-SERV", applied before account logon
name "PBHK-SERV", applied before account logon
Rules, actions and conditions executed:
subscriber rule-map WIFI-POL-1
condition always event session-start
2 service-policy type service name PBHK-SERV
5 collect identifier mac-address
10 authorize aaa list CAR-ALL identifier mac-address
20 set-timer INIT-SESSION-TIMER 10
30 service-policy type service name REDIRECT-SERV
40 service-policy type service name OPENGARDEN-SERV
Classifiers:
Class-id Dir Packets Bytes Pri. Definition
0 In 12 1152 0 Match Any
1 Out 0 0 0 Match Any
30 In 0 0 1 Match ACL ACL_TRAFFIC_IN
31 Out 0 0 1 Match ACL ACL_TRAFFIC_OUT
32 In 12 1152 0 Match ACL 195
33 Out 0 0 0 Match ACL 195
4294967294 In 0 0 - Drop
4294967295 Out 0 0 - Drop
Features:
L4 Redirect:
Class-id Rule cfg Definition Source
30 #1 SVC to group PORTAL-PAGE REDIRECT-SERV
Policing:
Class-id Dir Avg. Rate Normal Burst Excess Burst Source
32 In 96000 1000 1500 OPENGARDEN-SERV
33 Out 96000 1000 1500 OPENGARDEN-SERV
Portbundle Hostkey:
Class-id IP address Bundle Number Source
0 192.168.255.1 39 PBHK-SERV
Configuration Sources:
Type Active Time AAA Service ID Name
SVC 00:02:28 - REDIRECT-SERV
SVC 00:02:28 - OPENGARDEN-SERV
USR 00:02:28 - Peruser
SVC 00:02:28 - PBHK-SERV
INT 00:02:28 - GigabitEthernet2
Ping from win:
Pinging 192.168.100.123 with 32 bytes of data:
Reply from 192.168.100.123: bytes=32 time=1ms TTL=63
Reply from 192.168.100.123: bytes=32 time<1ms TTL=63
Reply from 192.168.100.123: bytes=32 time<1ms TTL=63
Reply from 192.168.100.123: bytes=32 time<1ms TTL=63
Ping from CISCO:
CISCO-CSR1000v#ping 192.168.100.123
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.123, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: DHCPv4, UID: 19, State: unauthen, Identity: 192.168.200.4
IPv4 Address: 192.168.200.4
Session Up-time: 00:05:57, Last Changed: 00:05:59
Switch-ID: 4148
Policy information:
Context 7F3800E968E8: Handle 4A00003D
AAA_id 00000026: Flow_handle 0
Authentication status: unauthen
Downloaded User profile, including services:
sss-service 0 6 [local-termination]
portbundle 0 "enable"
l4redirect 0 "redirect to group PORTAL-PAGE"
username 0 "OPENGARDEN-SERV"
traffic-class 0 "output access-group 195"
traffic-class 0 "input access-group 195"
ssg-service-info 0 "QU;96000;1000;1500;D;96000;1000;1500"
traffic-class 0 "input default drop"
traffic-class 0 "output default drop"
Config history for session (recent to oldest):
Access-type: DHCP Client: SM
Policy event: Service Selection Request (Service)
Profile name: OPENGARDEN-SERV, 3 references
password 0
username 0 "OPENGARDEN-SERV"
traffic-class 0 "output access-group 195"
traffic-class 0 "input access-group 195"
ssg-service-info 0 "QU;96000;1000;1500;D;96000;1000;1500"
traffic-class 0 "input default drop"
traffic-class 0 "output default drop"
Access-type: DHCP Client: SM
Policy event: Service Selection Request (Service)
Profile name: REDIRECT-SERV, 3 references
password 0
username 0 "REDIRECT-SERV"
traffic-class 0 "input default drop"
traffic-class 0 "output access-group name ACL_TRAFFIC_OUT priority 1"
traffic-class 0 "input access-group name ACL_TRAFFIC_IN priority 1"
l4redirect 0 "redirect to group PORTAL-PAGE"
Access-type: DHCP Client: SM
Policy event: Service Selection Request (Service)
Profile name: PBHK-SERV, 3 references
password 0
username 0 "PBHK-SERV"
sss-service 0 6 [local-termination]
portbundle 0 "enable"
Active services associated with session:
name "OPENGARDEN-SERV", applied before account logon
name "REDIRECT-SERV", applied before account logon
name "PBHK-SERV", applied before account logon
Rules, actions and conditions executed:
subscriber rule-map WIFI-POL-1
condition always event session-start
2 service-policy type service name PBHK-SERV
5 collect identifier mac-address
10 authorize aaa list CAR-ALL identifier mac-address
20 set-timer INIT-SESSION-TIMER 10
30 service-policy type service name REDIRECT-SERV
40 service-policy type service name OPENGARDEN-SERV
Classifiers:
Class-id Dir Packets Bytes Pri. Definition
0 In 12 1152 0 Match Any
1 Out 0 0 0 Match Any
30 In 0 0 1 Match ACL ACL_TRAFFIC_IN
31 Out 0 0 1 Match ACL ACL_TRAFFIC_OUT
32 In 12 1152 0 Match ACL 195
33 Out 0 0 0 Match ACL 195
4294967294 In 0 0 - Drop
4294967295 Out 0 0 - Drop
Features:
L4 Redirect:
Class-id Rule cfg Definition Source
30 #1 SVC to group PORTAL-PAGE REDIRECT-SERV
Policing:
Class-id Dir Avg. Rate Normal Burst Excess Burst Source
32 In 96000 1000 1500 OPENGARDEN-SERV
33 Out 96000 1000 1500 OPENGARDEN-SERV
Portbundle Hostkey:
Class-id IP address Bundle Number Source
0 192.168.255.1 39 PBHK-SERV
Configuration Sources:
Type Active Time AAA Service ID Name
SVC 00:05:57 - REDIRECT-SERV
SVC 00:05:57 - OPENGARDEN-SERV
USR 00:05:57 - Peruser
SVC 00:05:57 - PBHK-SERV
INT 00:05:57 - GigabitEthernet2
06-09-2014 08:48 PM
You are missing the ip portbundle outside command on your upstream interfaces pointing towards the captive portal.
This command (common configuration error) is required if you are using PBHK.
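Added example (not part of the original thread and not Cisco tooling): a small Python check for the placement error named in the answer above, run against a constructed excerpt of the configuration posted in this thread. It assumes the portal (192.168.100.123 in the thread) is directly connected and that the config is indented as in `show running-config`; `parse_blocks` and `audit_pbhk` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample: PBHK and interface lines from the config posted in this
# thread, re-indented the way `show running-config` prints them.
SAMPLE_CONFIG = """\
policy-map type service PBHK-SERV
 service local
 ip portbundle
!
interface Loopback1
 ip address 192.168.255.1 255.255.255.255
!
interface GigabitEthernet2
 ip address 192.168.200.1 255.255.255.0
 ip portbundle outside
 ip subscriber l2-connected
!
interface GigabitEthernet3
 ip address 192.168.100.131 255.255.255.0
"""

def parse_blocks(config):
    """Map each top-level line to the indented sub-commands beneath it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks

def audit_pbhk(config, portal_ip):
    """Return findings about where `ip portbundle outside` is configured."""
    blocks = parse_blocks(config)
    portal = ipaddress.ip_address(portal_ip)
    # PBHK is in use if any service policy-map carries `ip portbundle`.
    if not any(h.startswith("policy-map type service") and "ip portbundle" in b
               for h, b in blocks.items()):
        return []
    findings = []
    for header, body in blocks.items():
        if not header.startswith("interface "):
            continue
        name = header.split()[1]
        outside = "ip portbundle outside" in body
        # Assumption: the portal sits in a subnet connected to this interface.
        faces_portal = any(
            m and portal in ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            for m in (re.match(r"ip address (\S+) (\S+)$", l) for l in body))
        if faces_portal and not outside:
            findings.append(f"{name}: faces portal, lacks 'ip portbundle outside'")
        elif outside and not faces_portal:
            findings.append(f"{name}: has 'ip portbundle outside', not toward portal")
    return findings

if __name__ == "__main__":
    for finding in audit_pbhk(SAMPLE_CONFIG, "192.168.100.123"):
        print(finding)
```

If the portal is reached through a next hop rather than a connected subnet, the egress interface has to be identified from the routing table instead.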