>Try using a RADIUS server group. For example,
>
>aaa group server radius group1
> server 1.1.1.1 auth-port 1645 acct-port 1646
> server 2.2.2.2 auth-port 1645 acct-port 1646
>
>aaa accounting connection h323 start-stop group group1
>
>or, at the same time, for accounting:
>
>aaa group server radius group1
> server 1.1.1.1 auth-port 1645 acct-port 1646
>aaa group server radius group2
> server 2.2.2.2 auth-port 1645 acct-port 1646
>aaa accounting connection h323 start-stop broadcast group group1 group group2
Good afternoon. I tried both methods,
but authentication only ever succeeds if the "account" exists on the FIRST server;
if I connect with an "account" from the SECOND server, it does not succeed.
|
|
# first server
aaa group server radius freeradius
server 172.22.3.151 auth-port 1812 acct-port 1813
!
# second server
aaa group server radius freeradius_1
server 172.22.3.158 auth-port 1812 acct-port 1813
|
|
if I swap
|
aaa authentication ppp method1 group freeradius group freeradius_1
|
radius-server host 172.22.3.151 auth-port 1812 acct-port 1813 timeout 3 retransmit 10 key test15
radius-server host 172.22.3.158 auth-port 1812 acct-port 1813 timeout 3 retransmit 10 key testing15
|
for
|
aaa authentication ppp method1 group freeradius_1 group freeradius
|
radius-server host 172.22.3.158 auth-port 1812 acct-port 1813 timeout 3 retransmit 10 key testing15
radius-server host 172.22.3.151 auth-port 1812 acct-port 1813 timeout 3 retransmit 10 key test15
then the SECOND server's "account" authenticates, but the FIRST server's "account" does not.
After some experimenting, I came to the conclusion that my Cisco cannot authenticate against two RADIUS servers,
whereas the accounting packets are received by both servers.
Here is the config of the Cisco AS5300:
5300#sh runn
Building configuration...
Current configuration : 3053 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
no service dhcp
!
hostname 5300
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$EXAD$w/PXGfFqqIXO8O5cCaeL2/
enable password testkey
!
spe 1/0 2/9
firmware location mica-modem-pw.2.9.2.0.bin
!
!
resource-pool disable
!
modem-pool Pool1
pool-range 1-30
called-number 541531 max-conn 30
!
aaa new-model
!
!
aaa group server radius freeradius
server 172.22.3.151 auth-port 1812 acct-port 1813
!
aaa group server radius freeradius_1
server 172.22.3.158 auth-port 1812 acct-port 1813
!
aaa authentication ppp method1 group freeradius group freeradius_1
aaa accounting update periodic 1
aaa accounting network method1 start-stop broadcast group freeradius group freeradius_1
aaa accounting connection method1 start-stop broadcast group freeradius group freeradius_1
aaa session-id common
ip subnet-zero
ip name-server x.x.x.150
!
!
isdn switch-type primary-net5
!
!
!
!
!
!
!
!
!
!
username cisco password 0 ciscopassword
!
!
controller E1 0
framing NO-CRC4
clock source line primary
pri-group timeslots 1-31
!
controller E1 1
shutdown
clock source line secondary 1
!
controller E1 2
shutdown
clock source line secondary 2
!
controller E1 3
shutdown
clock source line secondary 3
!
controller E1 4
shutdown
clock source line secondary 4
!
controller E1 5
shutdown
clock source line secondary 5
!
controller E1 6
shutdown
clock source line secondary 6
!
controller E1 7
shutdown
clock source line secondary 7
!
!
interface Ethernet0
ip address 172.22.3.152 255.255.255.224
!
interface Serial0
no ip address
shutdown
clock rate 2015232
no fair-queue
!
interface Serial1
no ip address
shutdown
clock rate 2015232
no fair-queue
!
interface Serial2
no ip address
shutdown
clock rate 2015232
no fair-queue
!
interface Serial3
no ip address
shutdown
clock rate 2015232
no fair-queue
!
interface Serial0:15
no ip address
isdn switch-type primary-net5
isdn incoming-voice modem
no cdp enable
!
interface FastEthernet0
ip address x.x.x.x 255.255.255.x
duplex auto
speed auto
no cdp enable
!
interface Group-Async1
ip unnumbered FastEthernet0
encapsulation ppp
async mode interactive
peer default ip address pool dialup
ppp authentication chap ms-chap method1
ppp authorization method1
ppp accounting method1
group-range 1 30
!
ip local pool dialup x.x.x.32 x.x.x.63
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.17
ip route 172.22.0.0 255.255.0.0 172.22.2.2
no ip http server
!
!
ip radius source-interface Ethernet0
dialer-list 1 protocol ip permit
!
!
radius-server host 172.22.3.151 auth-port 1812 acct-port 1813 timeout 3 retransmit 10 key test15
radius-server host 172.22.3.158 auth-port 1812 acct-port 1813 timeout 3 retransmit 10 key testing15
!
!
!
!
line con 0
logging synchronous
line 1 30
modem InOut
modem autoconfigure type mica
transport input all
autoselect ppp
line 31 240
line aux 0
line vty 0 4
password testkey
!
scheduler interval 1000
end
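The behaviour reported above follows from how an IOS AAA method list is walked: the list moves on to the next `group` only when the current one returns an error (no server in the group answered within `timeout` x `retransmit`); an Access-Reject is a definitive answer and ends the attempt, so a user that exists only on the second FreeRADIUS host is rejected by the first and never reaches the second. The `broadcast` keyword on the accounting lists has no such fall-through rule and sends every record to every group, which is why both servers see accounting. The following Python model is an added illustration written for this page, not code from the post or from Cisco; the server addresses, group names and the two constructed user databases (`alice` on 172.22.3.151, `bob` on 172.22.3.158) are assumptions chosen to mirror the configuration above.

```python
"""Model of how a Cisco IOS AAA method list walks its RADIUS server groups.

Constructed illustration, not code from the forum post. It assumes the
documented IOS rule: a method list moves to the next method only when the
current one returns an ERROR (no server in the group responded); an
Access-Accept or Access-Reject is a final result and stops the walk.
Accounting lists with the `broadcast` keyword send to every group.
"""
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    ERROR = "no response"


@dataclass
class RadiusServer:
    """One RADIUS host with its own user database (two separate FreeRADIUS boxes)."""
    addr: str
    users: dict                      # username -> password (constructed sample data)
    reachable: bool = True
    acct_log: list = field(default_factory=list)

    def access_request(self, user, password):
        if not self.reachable:
            return Result.ERROR      # retransmits exhausted: IOS records an ERROR
        if self.users.get(user) == password:
            return Result.ACCEPT
        return Result.REJECT         # unknown user or bad password is a definitive answer

    def accounting_request(self, record):
        if not self.reachable:
            return False
        self.acct_log.append(record)
        return True


@dataclass
class ServerGroup:
    """`aaa group server radius <name>` with its member hosts."""
    name: str
    servers: list

    def authenticate(self, user, password):
        # Inside a group IOS tries hosts in order and fails over only on no-response.
        for srv in self.servers:
            r = srv.access_request(user, password)
            if r is not Result.ERROR:
                return r
        return Result.ERROR


def authenticate_ppp(method_list, user, password):
    """`aaa authentication ppp <name> group A group B`: fall through on ERROR only.

    Returns (result, name of the group that produced the final answer).
    """
    for group in method_list:
        r = group.authenticate(user, password)
        if r is not Result.ERROR:
            return r, group.name
    return Result.ERROR, None


def account_broadcast(method_list, record):
    """`aaa accounting ... start-stop broadcast group A group B`: every group gets the record."""
    delivered = []
    for group in method_list:
        if any(srv.accounting_request(record) for srv in group.servers):
            delivered.append(group.name)
    return delivered


def build_lab():
    """Two hosts, each knowing a different user, grouped as in the AS5300 config (assumed data)."""
    s1 = RadiusServer("172.22.3.151", {"alice": "pw1"})
    s2 = RadiusServer("172.22.3.158", {"bob": "pw2"})
    return s1, s2, ServerGroup("freeradius", [s1]), ServerGroup("freeradius_1", [s2])


if __name__ == "__main__":
    s1, s2, g1, g2 = build_lab()
    for user, pw in (("alice", "pw1"), ("bob", "pw2")):
        print(user, authenticate_ppp([g1, g2], user, pw))
    s1.reachable = False
    print("bob with first server down:", authenticate_ppp([g1, g2], "bob", "pw2"))
    print("accounting delivered to:", account_broadcast([g1, g2], {"user": "alice"}))
```

Running it reproduces the symptom: with `group freeradius group freeradius_1`, `alice` is accepted by the first group and `bob` is rejected by it without the second group ever being consulted; only when the first host stops answering does `bob` get through via `freeradius_1`. Two groups in one authentication method list therefore give redundancy, not a union of user databases. To let users from both hosts log in, both servers must answer for every user (replicate the user store, or have one FreeRADIUS front end proxy the requests it cannot answer locally to the other), while the broadcast accounting lists can stay as they are.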