How to Redirect and send subscriber name to URL

Hi Community,

I have a RADIUS config that accepts any connection to avoid attaching a PPPoE session. How do I configure the redirect URL to "http://xxxx.com/Response.aspx?username=%U" when a subscriber uses an expired username? I need to send the username to the aspx page (username=%U) and get HTTP.

Thank you.

19 Replies

xthuijs (Cisco Employee)

yeah that doesn't exist today...

But you have the subscriber IP, so what you could do is, on the portal, send a CoA session query towards the BNG selecting on that IP address to see who owns it. The CoA response will spit out a full record of the subscriber with all the details that it knows, including the username, MAC, etc.

would that work?

cheers

xander

Hi Xander,

Thank you for the answer. I hope it will be supported shortly.

Hi all,

We solved a similar problem using the ABF feature.

ABF merely provides an ability to "redirect" the packet to a next hop that is not defined by the routing table. It doesn't change the packet contents in the routing headers, for that matter.

Another option, PBR, allows you to set the packet headers to different values, like the destination IP. This is useful as it overcomes a limitation of ABF whereby the next hop might follow the routing table and not force it in the direction where you want it to go. Setting the new destination IP via PBR allows for "natural" routing through the network to the changed destination, in case you want to redirect a DNS request to a different server.

HTTP redirect, as implemented for subscribers, allows you to intercept the HTTP request and provide a "template" redirect to the browser. This works quite nicely, but doesn't interact with secure/HTTPS too nicely. It has the ability to send the subscriber's original URL in the request as per CSCug63470.

Retaining the MAC or IP is currently not there, but can be added if needed.

However, you can also use a CoA session query: see the source IP of the packet, query on that via CoA towards the BNG, and get the subscriber parameters like that?

cheers!

xander

Hi.

"HTTP redirect, as implemented for subscribers allows you to intercept the HTTP request and provide a "template" redirect to the browser, this works quite nicely"

Yes, but in this case do we keep the original client request? Please share the example settings, if it is not difficult.

Xander, I need help: what's the quickest way to retrieve the services on a client session?

Now I use telnet; I tried the API/XML, but the speed is the same.

The original URL request is preserved in XR 5.3.0 via a POST variable in the URL string sent to the redirect server. This is implemented via CSCug63470.

To see all services on a session, you want to look at CSCuc45110, which is in 5.3.1.

Examples (CoA session query first, then an HTTP redirect with URL preservation):

Bring up the subscriber with basic templates and authentication, apply a service template as part of a policy-map event, and query the session using CoA session query with different identifiers.

RP/0/RSP0/CPU0:520-UIT-BNG#sh subscriber session all detail internal
Interface: Bundle-Ether4.1.pppoe4
Circuit ID: Unknown
Remote ID: Unknown
Type: PPPoE:PTA
IPv4 State: Up, Mon Oct 27 11:11:54 2014
IPv4 Address: 10.0.0.5, VRF: default
IPv4 Up helpers: 0x00000020 {PPP}
IPv4 Up requestors: 0x00000020 {PPP}
IPv6 State: Down, Mon Oct 27 11:11:54 2014
Mac Address: 0000.6404.0102
Account-Session Id: 00000006
Nas-Port: Unknown
User name: user1@domain.com
Formatted User name: unknown
Client User name: unknown
Outer VLAN ID: 1
Subscriber Label: 0x00000043
Created: Mon Oct 27 11:11:52 2014
State: Activated
Authentication: authenticated
Authorization: unauthorized
Ifhandle: 0x000007a0
Session History ID: 1
Access-interface: Bundle-Ether4.1
SRG Flags: 0x00000000
Policy Executed:
  event Session-Start match-all [at Mon Oct 27 11:11:52 2014]
    class type control subscriber PTA_CLASS0 do-all [Succeeded]
      1 activate dynamic-template PPP_PTA_TEMPLATE [cerr: No error][aaa: Success]
  event Session-Activate match-all [at Mon Oct 27 11:11:52 2014]
    class type control subscriber class-default do-until-failure [Succeeded]
      2 authenticate aaa list default [cerr: No error][aaa: Success]
      3 activate dynamic-template S3 [cerr: No error][aaa: Success]
Session Accounting:
  Acct-Session-Id: 00000006
  Method-list: default
  Accounting started: Mon Oct 27 11:11:54 2014
  Interim accounting: On, interval 20 mins
  Last successful update: Mon Oct 27 14:31:55 2014
  Next update in: 00:16:57 (dhms)
  Last update sent: Mon Oct 27 14:31:55 2014
  Updates sent: 10
  Updates accepted: 10
  Updates rejected: 0
  Update send failures: 0
Service Accounting:
  S3
    Acct-Session-Id: 00000007
    Method-list: default
    Accounting started: Mon Oct 27 11:11:54 2014
    Interim accounting: On, interval 20 mins
    Last successful update: Mon Oct 27 14:31:55 2014
    Next update in: 00:16:57 (dhms)
    Last update sent: Mon Oct 27 14:31:55 2014
    Updates sent: 10
    Updates accepted: 10
    Updates rejected: 0
    Update send failures: 0
Last COA request received: unavailable
User Profile received from AAA:
  Attribute List: 0x1000eee4
  1: service-type len= 4 value= Framed
  2: ipv6-route len= 9 value= ::/0 :: 1
Services:
  Name : PPP_PTA_TEMPLATE
  Service-ID : 0x4000002
  Type : Template
  Status : Applied
  -------------------------
  Name : S3
  Service-ID : 0x4000005
  Type : Template
  Status : Applied
  -------------------------
[Last IPv6 down]
  Disconnect Reason: PPP NCP FSM finished
  Disconnect Cause: AAA_DISC_CAUSE_DEFAULT (0)
  Abort Cause: AAA_AV_ABORT_CAUSE_PPP_NO_NCP (30)
  Terminate Cause: AAA_AV_TERMINATE_CAUSE_USER_ERROR (17)
  Disconnect called by: ppp_ma
[Event History]
  Oct 27 11:11:54.240 SUBDB produce done [many]
  Oct 27 11:11:54.240 IPv6 Down
  Oct 27 11:11:54.240 IPv4 Up

query using acct sess id:
==================
Received response ID 214, code 44, length = 196
        Cisco-AVPair = "service-name=PPP_PTA_TEMPLATE"
        Cisco-AVPair = "service-name=S3"
        Service-Type = Framed-User
        Framed-IPv6-Route = "::/0 :: 1"
        Cisco-AVPair = "client-mac-address=0000.6404.0102"
        Acct-Session-Id = "00000006"
        NAS-Port-Id = "0/0/4/1"
        Cisco-NAS-Port = "0/0/4/1"
        User-Name = "user1@domain.com"
        Framed-IP-Address = 10.0.0.5

configuration:

policy-map type pbr PBR_POLICY
 class type traffic OPEN-GARDEN 
  transmit
 !
 class type traffic HTTP-REDIRECT-TO 
  http-redirect http://www.newsite.org
 !
 class type traffic class-default 
  drop
 !
 end-policy-map

DEBUGS:
LC/0/0/CPU0:Oct  6 16:13:01.032 : pbr_ea[286]: PBR HTTPR (rsi_tbl:0xe0000000)(40.1.1.1)ClassID(1): Redirected TCP SYN.
LC/0/0/CPU0:Oct  6 16:13:01.034 : pbr_ea[286]: PBR HTTPR (rsi_tbl:0xe0000000)(40.1.1.1)ClassID(1): Dropping ACK with no payload.
LC/0/0/CPU0:Oct  6 16:13:01.035 : pbr_ea[286]: PBR HTTPR (rsi_tbl:0xe0000000)(40.1.1.1)ClassID(1): Received HTTP ver:1.1, URL:/page1, redirect to:http://www.newsite.org
LC/0/0/CPU0:Oct  6 16:13:01.035 : pbr_ea[286]: PBR HTTPR (rsi_tbl:0xe0000000)(40.1.1.1)ClassID(1): HTTP header content: (Host: testmenow.com^M User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:32.0) Gecko/20100101 Firefox/32.0^M Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8^M Accept-Language: en-US,en;q=0.5^M Accept-Encoding: gzip, deflate^M Connection: keep-alive^M ^M )
LC/0/0/CPU0:Oct  6 16:13:01.035 : pbr_ea[286]: PBR HTTPR (rsi_tbl:0xe0000000)(40.1.1.1)ClassID(1): Host locator perserved (testmenow.com)
LC/0/0/CPU0:Oct  6 16:13:01.035 : pbr_ea[286]: PBR HTTPR (rsi_tbl:0xe0000000)(40.1.1.1)ClassID(1): Redirected HTTP request
LC/0/0/CPU0:Oct  6 16:13:01.037 : pbr_ea[286]: PBR HTTPR (rsi_tbl:0xe0000000)(40.1.1.1)ClassID(1): Redirected TCP FIN.
LC/0/0/CPU0:Oct  6 16:13:01.039 : pbr_ea[286]: PBR HTTPR (rsi_tbl:0xe0000000)(40.1.1.1)ClassID(1): Dropping ACK with no payload.

NEW URL DISPLAYED IN USERS BROWSER:
http://www.newsite.org/?url=testmenow.com/page1

Thank you very much! Could you give the command/request? Example:

echo -e "Acct-Session-Id=\""000202f7"\", cisco-avpair=\""subscriber:command=session-query"\"" |

but I get:

Error-Cause = Invalid-Request
Reply-Message = "Invalid iEdge command in CoA attribute list"

Make sure you have at least 531 for this functionality; the avpair for that is:

Cisco-avpair += 'subscriber:command=account-status-query'

xander

Hello Xander.

Is it possible for the HTTP portal to get the "Acct-Session-Id" with the help of "account-status-query" if the portal knows the source IP address of the subscriber?

Once the BNG redirects a subscriber to the portal, how can the portal understand who this user is? According to CSCuc45110 it should be fixed, but there is still no information about "command=account-status-query" usage in the 5.3.x guide

(http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r5-3/bng/configuration/guide/b-bng-cg53xasr9k/b-bng-cg53xasr9k_appendix_01010.html#concept_95D2BD0C7E7D4354892C91613D25A8AD). There are only three possible commands:

command=account-logon
command=account-logoff
command=account-update

hi petr,

yes, that should be possible with a CoA session query operation.

session query is implemented in XR 5.3.1.

here is an example:

Received response ID 205, code 44, length = 196
        Cisco-AVPair = "service-name=PPP_PTA_TEMPLATE"
        Cisco-AVPair = "service-name=S3"
        Service-Type = Framed-User
        Framed-IPv6-Route = "::/0 :: 1"
        Cisco-AVPair = "client-mac-address=0000.6404.0102"
        Acct-Session-Id = "00000001"
        NAS-Port-Id = "0/0/4/1"
        Cisco-NAS-Port = "0/0/4/1"
        User-Name = "user1@domain.com"
        Framed-IP-Address = 10.0.0.2

COA request profile:
Framed-IP-Address = 10.0.0.2, << subscriber key
Cisco-avpair = 'subscriber:command=account-status-query' << subscriber coa command
xander
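The session query shown above (and in the earlier example) as an added Python example; this is not code from the thread or from any Cisco software. It builds the CoA-Request keyed on Framed-IP-Address with the subscriber:command=account-status-query Cisco-AVPair, then verifies the response authenticator and parses a CoA-ACK (code 44) shaped like the one quoted. The shared secret, the BNG stand-in and the sample values are constructed placeholders.

```python
import hashlib, ipaddress, struct

# Constructed placeholders for the example; not the thread's real deployment values.
SECRET = b"coa-secret-placeholder"
COA_REQUEST, COA_ACK = 43, 44                        # RFC 5176 packet codes
USER_NAME, FRAMED_IP, VSA, ACCT_SESSION_ID = 1, 8, 26, 44
CISCO_VENDOR_ID = 9                                  # Cisco-AVPair is vendor type 1 under enterprise 9

def avp(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def cisco_avpair(text):
    sub = struct.pack("!BB", 1, 2 + len(text)) + text.encode()
    return avp(VSA, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def build_session_query(ident, framed_ip, secret=SECRET):
    # CoA-Request keyed on Framed-IP-Address, carrying the account-status-query command.
    attrs = avp(FRAMED_IP, ipaddress.IPv4Address(framed_ip).packed)
    attrs += cisco_avpair("subscriber:command=account-status-query")
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret).
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs, auth

def parse_response(pkt, request_auth, secret=SECRET):
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret); verify it
    # before trusting anything, so a spoofed reply cannot hand the portal a username.
    code, _, length = struct.unpack("!BBH", pkt[:4])
    attrs = pkt[20:length]
    if hashlib.md5(pkt[:4] + request_auth + attrs + secret).digest() != pkt[4:20]:
        raise ValueError("bad response authenticator")
    out, pos = {"code": code}, 0
    while pos + 2 <= len(attrs):
        t, l = attrs[pos], attrs[pos + 1]
        if l < 2: raise ValueError("malformed attribute")
        v = attrs[pos + 2:pos + l]
        if t == USER_NAME: out["User-Name"] = v.decode()
        elif t == ACCT_SESSION_ID: out["Acct-Session-Id"] = v.decode()
        elif t == FRAMED_IP: out["Framed-IP-Address"] = str(ipaddress.IPv4Address(v))
        elif t == VSA and len(v) > 6 and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID:
            out.setdefault("Cisco-AVPair", []).append(v[6:4 + v[5]].decode())
        pos += l
    return out

def fake_bng_reply(request, secret=SECRET):
    # Constructed stand-in for the BNG: a CoA-ACK shaped like the one quoted in the thread.
    attrs = avp(USER_NAME, b"user1@domain.com") + avp(ACCT_SESSION_ID, b"00000001")
    attrs += avp(FRAMED_IP, ipaddress.IPv4Address("10.0.0.2").packed)
    attrs += cisco_avpair("client-mac-address=0000.6404.0102")
    header = struct.pack("!BBH", COA_ACK, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs
```

In a real deployment the request goes over UDP to the BNG's CoA port and the reply is fed to parse_response with the same request authenticator; a VRF subscriber would additionally need the vrf-id avpair mentioned later in the thread.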

Thanks.  

Super!

One more question. Can I use a vrf-id in addition to the subscriber key if the HTTP portal resides in a different VRF, or if there are identical subscriber IP addresses in different VRFs? I can get the vrf-id as a result of checking the HTTP request from the BNG.

Petr

hey petr, yeah, if you provide framed-ip-address we by default look up the user in the global routing table. If the user is in a VRF, then both the vrf-id avpair and the framed-ip-address need to be provided to look up the user.

just a thought: since a user cannot do a vrf transfer (unlike IOS), it may be better to put an ACL on the user to restrict any access outside the portal, but keep the portal in the same vrf as the user would normally be.

That way if the user succeeds the account logon from the portal, you only need to remove the ACL and redirect to provide the user normal access.

cheers

xander

Hey Xander.

Thanks for remark.

But my case is slightly different.

1) We have a Parental Control service on the ISG platform where users come to the box in the global table but then (after logon) are moved to a separate VRF.

2) For IPoE users (WiFi) we use a separate VRF from the beginning of the session.

And my idea was to use one portal for all sorts of users and to use a specially constructed http-redirect to the portal, "http-redirect 200:http://1.2.3.4/bgn_source_ip/subs_vrf/script.pl", where bng_source_ip is the IP address of the new BNG (A9K) and subs_vrf is the source VRF for the user.

After parsing the HTTP GET request, the portal is able to know the source VRF and the IP address of the BNG, and can get the account session id for further use.

But I wonder now if it is possible to move users that came in the global VRF to another VRF at the logon stage? (As you said, a user cannot do a VRF transfer on the A9K.)

Regards,

Petr

hi petr! yeah, that is the thing: the VRF can't be changed once the user is brought up. To change the VRF, like config, the address needs to be removed (and reconfigured), and this will close IPCP or release the binding.

You could possibly put the portal in a "leaky" VRF and import the routes from both subscriber groups/pools. This way there is connectivity from either VRF towards the portal. This method would work if you don't have overlapping IPs between the 2 VRFs/services, and you could use the source IP (which doesn't need to be embedded in the URL, btw, since we can look at the received IP header on the portal) to look up the VRF based on some "static mapping"?

cheers!

xander