VSA attributes from the RADIUS server don't work

On RADIUS:
cisco-avpair:=ip:addr-pool=102

On Cisco:
interface Virtual-Template1
ip unnumbered Loopback0
ip nat inside
ip virtual-reassembly
peer default ip address pool PPPoE1
ppp authentication pap chap x-AUTH
!
access-list 102 permit icmp any host 81.x.xxx.xxx echo
access-list 102 permit icmp any host 81.x.xxx.xxx echo-reply
access-list 102 deny icmp any any
Help me figure this out! I just can't understand what the problem is. Maybe the IOS isn't the right one (124-23), or I've configured the Cisco 7301 wrong.
Maybe NAT is interfering, or it just won't work with interface Loopback0.
I connect with the Windows VPN client. Ping works.
If I attach ACL 102 to interface Virtual-Template1, it pings according to the rules, as it should, but from RADIUS it won't. I've tried different attributes.

interface Virtual-Template1
ip unnumbered Loopback0
ip nat inside
ip virtual-reassembly
peer default ip address pool PPPoE1
ppp authentication pap chap x-AUTH

ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255

radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication

Here is debug radius:
Jul 13 13:21:54.926: RADIUS/ENCODE(000001EF):Orig. component type = VPDN
Jul 13 13:21:54.926: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
Jul 13 13:21:54.926: RADIUS/ENCODE(000001EF): acct_session_id: 690
Jul 13 13:21:54.926: RADIUS(000001EF): sending
Jul 13 13:21:54.926: RADIUS(000001EF): Send Access-Request to 10.141.1.1:1812 id 1645/45, len 151
Jul 13 13:21:54.926: RADIUS: authenticator 3A 18 8A 84 2A 11 98 52 - 63 C7 10 BD 11 8B 41 3D
Jul 13 13:21:54.926: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jul 13 13:21:54.926: RADIUS: User-Name [1] 8 "180174"
Jul 13 13:21:54.926: RADIUS: CHAP-Password [3] 19 *
Jul 13 13:21:54.926: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jul 13 13:21:54.926: RADIUS: Vendor, Cisco [26] 23
Jul 13 13:21:54.926: RADIUS: cisco-nas-port [2] 17 "Uniq-Sess-ID330"
Jul 13 13:21:54.926: RADIUS: NAS-Port [5] 6 330
Jul 13 13:21:54.926: RADIUS: NAS-Port-Id [87] 17 "Uniq-Sess-ID330"
Jul 13 13:21:54.926: RADIUS: Service-Type [6] 6 Framed [2]
Jul 13 13:21:54.926: RADIUS: NAS-IP-Address [4] 6 10.141.1.249
Jul 13 13:21:54.926: RADIUS: Acct-Session-Id [44] 18 "0A8D01F9000002B2"
Jul 13 13:21:54.926: RADIUS: Nas-Identifier [32] 10 "ciscoISG"
Jul 13 13:21:54.926: RADIUS: Event-Timestamp [55] 6 1247491314
Jul 13 13:21:54.938: RADIUS: Received from id 1645/45 10.141.1.1:1812, Access-Accept, len 56
Jul 13 13:21:54.938: RADIUS: authenticator 06 9B 0C 10 BC 90 FA 4C - 71 69 F4 FA 3B A9 96 22
Jul 13 13:21:54.938: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jul 13 13:21:54.938: RADIUS: Framed-Compression [13] 6 VJ TCP/IP Header Compressi[1]
Jul 13 13:21:54.938: RADIUS: Vendor, Cisco [26] 24
Jul 13 13:21:54.938: RADIUS: Cisco AVpair [1] 18 "ip:addr-pool=102"
Jul 13 13:21:54.938: RADIUS(000001EF): Received from id 1645/45
Jul 13 13:21:54.946: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to up
Jul 13 13:21:54.946: RADIUS/ENCODE(000001EF):Orig. component type = VPDN
Jul 13 13:21:54.946: RADIUS(000001EF): sending
Jul 13 13:21:54.946: RADIUS(000001EF): Send Accounting-Request to 10.141.1.1:1813 id 1646/160, len 219
Jul 13 13:21:54.946: RADIUS: authenticator 8C 30 75 ED 2E E6 0C F9 - 19 7B BA 1B 50 C0 4D FD
Jul 13 13:21:54.946: RADIUS: Acct-Session-Id [44] 18 "0A8D01F9000002B2"
Jul 13 13:21:54.946: RADIUS: Tunnel-Medium-Type [65] 6 00:IPv4 [1]
Jul 13 13:21:54.946: RADIUS: Tunnel-Server-Endpoi[67] 14 "10.141.1.249"
Jul 13 13:21:54.946: RADIUS: Tunnel-Client-Endpoi[66] 14 "10.141.1.140"
Jul 13 13:21:54.946: RADIUS: Tunnel-Assignment-Id[82] 3 "1"
Jul 13 13:21:54.946: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jul 13 13:21:54.946: RADIUS: User-Name [1] 8 "180174"
Jul 13 13:21:54.946: RADIUS: Vendor, Cisco [26] 32
Jul 13 13:21:54.946: RADIUS: Cisco AVpair [1] 26 "connect-progress=Call Up"
Jul 13 13:21:54.946: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
Jul 13 13:21:54.946: RADIUS: Acct-Status-Type [40] 6 Start [1]
Jul 13 13:21:54.946: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jul 13 13:21:54.946: RADIUS: Vendor, Cisco [26] 23
Jul 13 13:21:54.946: RADIUS: cisco-nas-port [2] 17 "Uniq-Sess-ID330"
Jul 13 13:21:54.946: RADIUS: NAS-Port [5] 6 330
Jul 13 13:21:54.946: RADIUS: NAS-Port-Id [87] 17 "Uniq-Sess-ID330"
Jul 13 13:21:54.946: RADIUS: Service-Type [6] 6 Framed [2]
Jul 13 13:21:54.946: RADIUS: NAS-IP-Address [4] 6 10.141.1.249
Jul 13 13:21:54.946: RADIUS: Event-Timestamp [55] 6 1247491314
Jul 13 13:21:54.946: RADIUS: Nas-Identifier [32] 10 "ciscoISG"
Jul 13 13:21:54.946: RADIUS: Acct-Delay-Time [41] 6 0
Jul 13 13:21:54.950: RADIUS/ENCODE(000001EF):Orig. component type = VPDN
Jul 13 13:21:54.950: RADIUS(000001EF): sending
Jul 13 13:21:54.950: RADIUS(000001EF): Send Accounting-Request to 10.141.1.1:1813 id 1646/161, len 258
Jul 13 13:21:54.950: RADIUS: authenticator 88 57 3D 11 B2 BD 04 F9 - 00 06 8A C9 58 11 24 74
Jul 13 13:21:54.950: RADIUS: Acct-Session-Id [44] 18 "0A8D01F9000002B2"
Jul 13 13:21:54.950: RADIUS: Tunnel-Medium-Type [65] 6 00:IPv4 [1]
Jul 13 13:21:54.950: RADIUS: Tunnel-Server-Endpoi[67] 14 "10.141.1.249"
Jul 13 13:21:54.950: RADIUS: Tunnel-Client-Endpoi[66] 14 "10.141.1.140"
Jul 13 13:21:54.950: RADIUS: Tunnel-Assignment-Id[82] 3 "1"
Jul 13 13:21:54.950: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jul 13 13:21:54.950: RADIUS: Framed-IP-Address [8] 6 192.168.1.2
Jul 13 13:21:54.950: RADIUS: User-Name [1] 8 "180174"
Jul 13 13:21:54.950: RADIUS: Vendor, Cisco [26] 35
Jul 13 13:21:54.950: RADIUS: Cisco AVpair [1] 29 "connect-progress=LAN Ses Up"
Jul 13 13:21:54.950: RADIUS: Acct-Session-Time [46] 6 0
Jul 13 13:21:54.950: RADIUS: Acct-Input-Octets [42] 6 106
Jul 13 13:21:54.950: RADIUS: Acct-Output-Octets [43] 6 108
Jul 13 13:21:54.950: RADIUS: Acct-Input-Packets [47] 6 5
Jul 13 13:21:54.950: RADIUS: Acct-Output-Packets [48] 6 6
Jul 13 13:21:54.950: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
Jul 13 13:21:54.950: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
Jul 13 13:21:54.950: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jul 13 13:21:54.950: RADIUS: Vendor, Cisco [26] 23
Jul 13 13:21:54.950: RADIUS: cisco-nas-port [2] 17 "Uniq-Sess-ID330"
Jul 13 13:21:54.950: RADIUS: NAS-Port [5] 6 330
Jul 13 13:21:54.950: RADIUS: NAS-Port-Id [87] 17 "Uniq-Sess-ID330"
Jul 13 13:21:54.950: RADIUS: Service-Type [6] 6 Framed [2]
Jul 13 13:21:54.950: RADIUS: NAS-IP-Address [4] 6 10.141.1.249
Jul 13 13:21:54.950: RADIUS: Event-Timestamp [55] 6 1247491314
Jul 13 13:21:54.950: RADIUS: Nas-Identifier [32] 10 "ciscoISG"
Jul 13 13:21:54.950: RADIUS: Acct-Delay-Time [41] 6 0
Jul 13 13:21:54.958: RADIUS: Received from id 1646/160 10.141.1.1:1813, Accounting-response, len 20
Jul 13 13:21:54.958: RADIUS: authenticator 74 A2 86 B3 15 DF 41 95 - A2 97 3A F8 D9 46 10 BA
Jul 13 13:21:54.970: RADIUS: Received from id 1646/161 10.141.1.1:1813, Accounting-response, len 20
Jul 13 13:21:54.970: RADIUS: authenticator 9A 6F 4C 8E E3 3A 4E 3A - 7E 14 33 26 F6 7F 24 2B
Jul 13 13:21:55.946: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to up
>[overquoting removed]
>interface Virtual-Template1
> ip unnumbered Loopback0
> ip nat inside
> ip virtual-reassembly
> peer default ip address pool PPPoE1
> ppp authentication pap chap x-AUTH
>!
>access-list 102 permit icmp any host 81.x.xxx.xxx echo
>access-list 102 permit icmp any host 81.x.xxx.xxx echo-reply
>access-list 102 deny icmp any any

As far as I understand, you're trying to attach ACL 102 to the Virtual-Access via a VSA?
If so, you're passing the wrong attribute value...

"ip:inacl[#number]={standardACL | extendedACL}"—Upstream access control list (ACL). Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to upstream traffic coming from the subscriber.
"ip:outacl[#number]={standardACL | extendedACL}"—Downstream ACL. Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to downstream traffic going to the subscriber.
 * number—Identifies the access list. If a profile includes multiple inacl or outacl attributes, the attributes are downloaded and executed according to the order implied by number.
 * standardACL—A Cisco IOS standard ACL.
 * extendedACL—A Cisco IOS extended ACL.
>[overquoting removed]
>or an extended ACL to be applied to downstream traffic going
>to the subscriber.
>
> * number—Identifies the access list. If a profile
>includes multiple inacl or outacl attributes, the attributes are downloaded and
>executed according to the order implied by number.
>
> * standardACL—A Cisco IOS standard ACL.
>
> * extendedACL—A Cisco IOS extended ACL.

There's a typo there. Instead of:
On RADIUS: cisco-avpair:=ip:addr-pool=102
it should be
On RADIUS:
cisco-avpair+=ip:outacl#1=deny icmp any any
cisco-avpair+=ip:inacl#2=deny icmp any any
at least like this,
so that ping doesn't go anywhere.
But it still doesn't work. Here is debug radius:
Jul 13 16:13:26.177: %ENVM-4-RPSFAIL: Power Supply may have a failed channel
Jul 13 16:13:27.553: RADIUS: acct-timeout for E32F8D4 now 30, acct-jitter -1, acct-delay-time (at E32F9FD) now 29
Jul 13 16:13:27.553: RADIUS: no sg in radius-timers: ctx 0x651C6A34 sg 0x0000
Jul 13 16:13:27.553: RADIUS: Retransmit to (10.141.1.1:1812,1813) for id 1646/244
Jul 13 16:13:30.369: RADIUS/ENCODE(000001F9):Orig. component type = VPDN
Jul 13 16:13:30.369: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
Jul 13 16:13:30.369: RADIUS/ENCODE(000001F9): acct_session_id: 707
Jul 13 16:13:30.369: RADIUS(000001F9): sending
Jul 13 16:13:30.369: RADIUS(000001F9): Send Access-Request to 10.141.1.1:1812 id 1645/52, len 151
Jul 13 16:13:30.369: RADIUS: authenticator 30 E3 AA 90 EB 99 BC C2 - 63 C7 10 BD DA F8 45 B9
Jul 13 16:13:30.369: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jul 13 16:13:30.369: RADIUS: User-Name [1] 8 "180174"
Jul 13 16:13:30.369: RADIUS: CHAP-Password [3] 19 *
Jul 13 16:13:30.369: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jul 13 16:13:30.369: RADIUS: Vendor, Cisco [26] 23
Jul 13 16:13:30.369: RADIUS: cisco-nas-port [2] 17 "Uniq-Sess-ID337"
Jul 13 16:13:30.369: RADIUS: NAS-Port [5] 6 337
Jul 13 16:13:30.369: RADIUS: NAS-Port-Id [87] 17 "Uniq-Sess-ID337"
Jul 13 16:13:30.369: RADIUS: Service-Type [6] 6 Framed [2]
Jul 13 16:13:30.369: RADIUS: NAS-IP-Address [4] 6 10.141.1.249
Jul 13 16:13:30.369: RADIUS: Acct-Session-Id [44] 18 "0A8D01F9000002C3"
Jul 13 16:13:30.369: RADIUS: Nas-Identifier [32] 10 "ciscoISG"
Jul 13 16:13:30.369: RADIUS: Event-Timestamp [55] 6 1247501610
Jul 13 16:13:30.381: RADIUS: Received from id 1645/52 10.141.1.1:1812, Access-Accept, len 107
Jul 13 16:13:30.381: RADIUS: authenticator E0 7D F0 6A AB 76 22 3B - 6F E9 92 2B 22 A2 2B 2A
Jul 13 16:13:30.381: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jul 13 16:13:30.381: RADIUS: Framed-Compression [13] 6 VJ TCP/IP Header Compressi[1]
Jul 13 16:13:30.381: RADIUS: Vendor, Cisco [26] 37
Jul 13 16:13:30.381: RADIUS: Cisco AVpair [1] 31 "ip:inacl#2= deny icmp any any"
Jul 13 16:13:30.381: RADIUS: Vendor, Cisco [26] 38
Jul 13 16:13:30.381: RADIUS: Cisco AVpair [1] 32 "ip:outacl#1= deny icmp any any"
Jul 13 16:13:30.381: RADIUS(000001F9): Received from id 1645/52
Jul 13 16:13:30.401: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to up
Jul 13 16:13:30.401: RADIUS/ENCODE(000001F9):Orig. component type = VPDN
Jul 13 16:13:30.401: RADIUS(000001F9): sending
Jul 13 16:13:30.401: RADIUS(000001F9): Send Accounting-Request to 10.141.1.1:1813 id 1646/245, len 219
Jul 13 16:13:30.401: RADIUS: authenticator E2 0E 6E 23 25 0B 04 32 - 08 92 3A C8 7B 32 DD B6
Jul 13 16:13:30.401: RADIUS: Acct-Session-Id [44] 18 "0A8D01F9000002C3"
Jul 13 16:13:30.401: RADIUS: Tunnel-Medium-Type [65] 6 00:IPv4 [1]
Jul 13 16:13:30.401: RADIUS: Tunnel-Server-Endpoi[67] 14 "10.141.1.249"
Jul 13 16:13:30.401: RADIUS: Tunnel-Client-Endpoi[66] 14 "10.141.1.140"
Jul 13 16:13:30.401: RADIUS: Tunnel-Assignment-Id[82] 3 "1"
Jul 13 16:13:30.401: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jul 13 16:13:30.401: RADIUS: User-Name [1] 8 "180174"
Jul 13 16:13:30.401: RADIUS: Vendor, Cisco [26] 32
Jul 13 16:13:30.401: RADIUS: Cisco AVpair [1] 26 "connect-progress=Call Up"
Jul 13 16:13:30.401: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
Jul 13 16:13:30.401: RADIUS: Acct-Status-Type [40] 6 Start [1]
Jul 13 16:13:30.401: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jul 13 16:13:30.401: RADIUS: Vendor, Cisco [26] 23
Jul 13 16:13:30.401: RADIUS: cisco-nas-port [2] 17 "Uniq-Sess-ID337"
Jul 13 16:13:30.401: RADIUS: NAS-Port [5] 6 337
Jul 13 16:13:30.401: RADIUS: NAS-Port-Id [87] 17 "Uniq-Sess-ID337"
Jul 13 16:13:30.401: RADIUS: Service-Type [6] 6 Framed [2]
Jul 13 16:13:30.401: RADIUS: NAS-IP-Address [4] 6 10.141.1.249
Jul 13 16:13:30.401: RADIUS: Event-Timestamp [55] 6 1247501610
Jul 13 16:13:30.401: RADIUS: Nas-Identifier [32] 10 "ciscoISG"
Jul 13 16:13:30.401: RADIUS: Acct-Delay-Time [41] 6 0
Jul 13 16:13:30.405: RADIUS/ENCODE(000001F9):Orig. component type = VPDN
Jul 13 16:13:30.405: RADIUS(000001F9): sending
Jul 13 16:13:30.405: RADIUS(000001F9): Send Accounting-Request to 10.141.1.1:1813 id 1646/246, len 258
Jul 13 16:13:30.405: RADIUS: authenticator 02 F2 18 CF 30 21 BA 76 - CB CF 68 9C 42 08 9E 1B
Jul 13 16:13:30.405: RADIUS: Acct-Session-Id [44] 18 "0A8D01F9000002C3"
Jul 13 16:13:30.405: RADIUS: Tunnel-Medium-Type [65] 6 00:IPv4 [1]
Jul 13 16:13:30.405: RADIUS: Tunnel-Server-Endpoi[67] 14 "10.141.1.249"
Jul 13 16:13:30.405: RADIUS: Tunnel-Client-Endpoi[66] 14 "10.141.1.140"
Jul 13 16:13:30.405: RADIUS: Tunnel-Assignment-Id[82] 3 "1"
Jul 13 16:13:30.405: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jul 13 16:13:30.405: RADIUS: Framed-IP-Address [8] 6 192.168.1.2
Jul 13 16:13:30.405: RADIUS: User-Name [1] 8 "180174"
Jul 13 16:13:30.405: RADIUS: Vendor, Cisco [26] 35
Jul 13 16:13:30.405: RADIUS: Cisco AVpair [1] 29 "connect-progress=LAN Ses Up"
Jul 13 16:13:30.405: RADIUS: Acct-Session-Time [46] 6 0
Jul 13 16:13:30.405: RADIUS: Acct-Input-Octets [42] 6 106
Jul 13 16:13:30.405: RADIUS: Acct-Output-Octets [43] 6 108
Jul 13 16:13:30.405: RADIUS: Acct-Input-Packets [47] 6 5
Jul 13 16:13:30.405: RADIUS: Acct-Output-Packets [48] 6 6
Jul 13 16:13:30.405: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
Jul 13 16:13:30.405: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
Jul 13 16:13:30.405: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jul 13 16:13:30.405: RADIUS: Vendor, Cisco [26] 23
Jul 13 16:13:30.405: RADIUS: cisco-nas-port [2] 17 "Uniq-Sess-ID337"
Jul 13 16:13:30.405: RADIUS: NAS-Port [5] 6 337
Jul 13 16:13:30.405: RADIUS: NAS-Port-Id [87] 17 "Uniq-Sess-ID337"
Jul 13 16:13:30.405: RADIUS: Service-Type [6] 6 Framed [2]
Jul 13 16:13:30.405: RADIUS: NAS-IP-Address [4] 6 10.141.1.249
Jul 13 16:13:30.405: RADIUS: Event-Timestamp [55] 6 1247501610
Jul 13 16:13:30.405: RADIUS: Nas-Identifier [32] 10 "ciscoISG"
Jul 13 16:13:30.405: RADIUS: Acct-Delay-Time [41] 6 0
Jul 13 16:13:30.413: RADIUS: Received from id 1646/245 10.141.1.1:1813, Accounting-response, len 20
Jul 13 16:13:30.413: RADIUS: authenticator 9A 8E 5A F2 3F 96 07 34 - F0 1E 3B BE DB 57 22 56
Jul 13 16:13:30.421: RADIUS: Received from id 1646/246 10.141.1.1:1813, Accounting-response, len 20
Jul 13 16:13:30.421: RADIUS: authenticator BB 1D 1E 31 D4 CC 3D 7F - 31 29 F4 9D 85 6F B1 B5
Jul 13 16:13:31.401: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to up
Jul 13 16:13:36.745: RADIUS: acct-timeout for E005434 now 175, acct-jitter 0, acct-delay-time (at E00555D) now 175
Jul 13 16:13:36.745: RADIUS: no sg in radius-timers: ctx 0x6527DDA4 sg 0x0000
Jul 13 16:13:36.745: RADIUS: No response from (10.141.1.1:1812,1813) for id 1646/243
Jul 13 16:13:36.745: RADIUS/DECODE: No response from radius-server; parse response; FAIL
Jul 13 16:13:36.745: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
VSA attributes from RADIUS don't work at all.
>VSA attributes from RADIUS don't work at all.

Read my post carefully... I quoted an excerpt from the manual there... The attribute specifies the ACL NUMBER, not the rules themselves.
>>VSA attributes from RADIUS don't work at all.
>
>Read my post carefully... I quoted an excerpt from the manual there... The attribute
>specifies the ACL NUMBER, not the rules themselves.

Actually no... I'm wrong. I read it carefully, and yes, you can pass the rules themselves...
And what does sh ip int the_virtual_access_that_gets_created say?
>>>VSA attributes from RADIUS don't work at all.
>>
>>Read my post carefully... I quoted an excerpt from the manual there... The attribute
>>specifies the ACL NUMBER, not the rules themselves.
>
>Actually no... I'm wrong. I read it carefully, and yes, you can pass the rules themselves...
>
>And what does sh ip int the_virtual_access_that_gets_created say?

ciscoISG#sh ip int Virtual-Access 3
Virtual-Access3 is up, line protocol is up
Interface is unnumbered. Using address of Loopback0 (192.168.1.1)
Broadcast address is 255.255.255.255
Peer address is 192.168.1.2
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP Feature Fast switching turbo vector
IP Feature CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain inside
BGP Policy Mapping is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
I've tried creating these rules every which way.
It's always the same.
And yet, if I write on the Virtual-Template1 interface itself
ip access-group 102 in
then everything works.
>>VSA attributes from RADIUS don't work at all.
>
>Read my post carefully... I quoted an excerpt from the manual there... The attribute
>specifies the ACL NUMBER, not the rules themselves.

cisco-avpair:=ip:inacl=102
this rule doesn't work, because it pings not only 81.x.xxx.xxx
access-list 102 permit icmp any host 81.x.xxx.xxx echo
access-list 102 permit icmp any host 81.x.xxx.xxx echo-reply
access-list 102 deny icmp any any
>[overquoting removed]
>>Read my post carefully... I quoted an excerpt from the manual there... The attribute
>>specifies the ACL NUMBER, not the rules themselves.
>
>cisco-avpair:=ip:inacl=102
>
>this rule doesn't work, because it pings not only 81.x.xxx.xxx
>
>access-list 102 permit icmp any host 81.x.xxx.xxx echo
>access-list 102 permit icmp any host 81.x.xxx.xxx echo-reply
>access-list 102 deny icmp any any

Did I write it correctly now?
I can provide a debug if needed.
The problem remains open.
>[overquoting removed]
>>
>>this rule doesn't work, because it pings not only 81.x.xxx.xxx
>>
>>access-list 102 permit icmp any host 81.x.xxx.xxx echo
>>access-list 102 permit icmp any host 81.x.xxx.xxx echo-reply
>>access-list 102 deny icmp any any
>
>Did I write it correctly now?
>I can provide a debug if needed.
>The problem remains open.

Maybe the rule isn't being applied because I have NAT, and there's a rule there?
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
or RADIUS is on the wrong interface:
ip radius source-interface GigabitEthernet0/0
!
interface GigabitEthernet0/0
description PPTP clients
ip address 10.141.1.249 255.255.255.0
no ip redirects
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
no negotiation auto
pppoe enable group global
no mop enabled
!
I don't know what to think anymore.
>[overquoting removed]
> ip nat inside
> ip virtual-reassembly
> duplex auto
> speed auto
> media-type rj45
> no negotiation auto
> pppoe enable group global
> no mop enabled
>!
>I don't know what to think anymore.

NAT definitely has nothing to do with it... Maybe the RADIUS server simply doesn't have the Cisco attribute dictionary?
>[overquoting removed]
>> speed auto
>> media-type rj45
>> no negotiation auto
>> pppoe enable group global
>> no mop enabled
>>!
>>I don't know what to think anymore.
>
>NAT definitely has nothing to do with it... Maybe the RADIUS server simply doesn't have the Cisco
>attribute dictionary?

There is an attribute dictionary, it's the dictionary table,
and it has the cisco-avpair attribute. Maybe I shouldn't be writing it into the radreply table: cisco-avpair:=ip:inacl=102
The question remains open:
Why doesn't RADIUS pass the VSA attributes, or why doesn't Cisco apply them?

HOORAY! HOORAY! HOORAY!
The attributes started being applied on interface Virtual-Template1
after adding ppp authorization X-AUTH there.