Configuring the RADIUS agent to work with a Cisco 2811 router

This guide gives an example of configuring the RADIUS network agent (LBarcd) together with a Cisco 2811 router.

Below is an example Cisco 2811 configuration file:

aaa new-model
aaa authentication ppp default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius

bba-group pppoe global
 virtual-template 1
 sessions max limit 10
 sessions per-mac limit 1
 sessions auto cleanup

interface Loopback1
 ip address 10.10.10.10 255.255.255.255

interface FastEthernet0/0
 description --To local--
 ip address 192.168.11.241 255.255.254.0
 ip broadcast-address 192.168.11.255
 no ip redirects
 no ip unreachables
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 pppoe enable group global
 no cdp enable
 arp timeout 240

interface Virtual-Template1
 description LocalPPPoE
 mtu 1492
 ip unnumbered Loopback1
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly max-fragments 64 max-reassemblies 128
 no logging event link-status
 ppp authentication chap ms-chap callin
 ppp ipcp dns 192.168.11.1 8.8.8.8

ip radius source-interface FastEthernet0/0

radius-server attribute 44 include-in-access-req
radius-server attribute 44 extend-with-addr
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute nas-port format d
radius-server dead-criteria time 120
radius-server host 192.168.10.138 auth-port 1812 acct-port 1813 key 7 04490A0206345F5D0C1A17120653545C72
radius-server retransmit 5

radius-server timeout 10
radius-server deadtime 1
radius-server vsa send accounting
radius-server vsa send authentication

Figure 1 shows the RADIUS agent settings:

192.168.10.138:1812 – authentication/authorization port (the router's auth-port).

192.168.10.138:1813 – accounting port (the router's acct-port).

Figure 1: RADIUS agent settings

Next, add an access server (NAS) with IP address 192.168.11.241 and access key PASSword$, and add the networks used for dynamic address assignment (Fig. 2).

Figure 2: adding the access server and the dynamic address pools

In the RADIUS attribute dictionary, make the following setting: bind an additional RADIUS attribute, Cisco-AVPair, to the NAS server (Fig. 3).

Figure 3: Cisco-AVPair attribute in the RADIUS dictionary

Next, the attributes must be bound to the matching speed (Fig. 4 and Fig. 5).

Outgoing shaper:

Figure 4: outgoing shaper attribute

Incoming shaper:

Figure 5: incoming shaper attribute

RADIUS agent log at the moment of authentication:

20.06.2012 17:14:27 VERBOSE     0x454ee940      [PreProcessPacket:152]  >=>=>=>=>=>=>=> Auth Packet received from 192.168.11.241, size: 175 >=>=>=>=>=>=>=>
20.06.2012 17:14:27 VERBOSE     0x454ee940      [ParseBody:30]  Authenticator: 1717f4d1ded0df9ff5248deb738cd6d6
20.06.2012 17:14:27 VERBOSE     0x454ee940      [ParseBody:37]  Unknown VSA 1, vendor Cisco, value: "client-mac-address=0001.020a.1a3b"
20.06.2012 17:14:27 VERBOSE     0x454ee940      [ParseBody:37]  Attribute 'Framed-Protocol', value: "1"
20.06.2012 17:14:27 VERBOSE     0x454ee940      [ParseBody:37]  Attribute 'User-Name', value: "01021970"
20.06.2012 17:14:27 VERBOSE     0x454ee940      [ParseBody:37]  Attribute 'CHAP-Password', value: "01f891453767f4c948b627de2f8f4833ac"
20.06.2012 17:14:27 VERBOSE     0x454ee940      [ParseBody:37]  Attribute 'NAS-Port-Type', value: "5"
20.06.2012 17:14:27 VERBOSE     0x454ee940      [ParseBody:37]  Attribute 'NAS-Port', value: "0"
20.06.2012 17:14:27 VERBOSE     0x454ee940      [ParseBody:37]  Attribute 'NAS-Port-Id', value: "808398895"
20.06.2012 17:14:27 VERBOSE     0x454ee940      [ParseBody:37]  Attribute 'Service-Type', value: "2"
20.06.2012 17:14:27 VERBOSE     0x454ee940      [ParseBody:37]  Attribute 'NAS-IP-Address', value: "192.168.11.241"
20.06.2012 17:14:27 VERBOSE     0x454ee940      [ParseBody:37]  Attribute 'Acct-Session-Id', value: "0/0/0/0_C0A80BF100000019"
20.06.2012 17:14:27 VERBOSE     0x454ee940      [ParseBody:37]  Attribute 'NAS-Identifier', value: "R2811.netsol.local"
20.06.2012 17:14:27 DEBUG       0x454ee940      [RunAuthRequest:481]    check second [], [192.168.11.241]
20.06.2012 17:14:27 DEBUG       0x454ee940      [AuthenticateFromDB:429]        Start authenticate from database for login '01021970'
20.06.2012 17:14:27 DEBUG       0x454ee940      [do_sql_query:350]      SELECT v.vg_id, v.pass FROM vgroups v JOIN tarifs t ON t.tar_id=v.tar_id JOIN agreements a ON a.agrm_id=v.agrm_id WHERE v.archive=0 AND  v.template=0 AND v.id='1' AND v.login=BINARY('01021970')
20.06.2012 17:14:27 DEBUG       0x454ee940      [do_sql_query:350]      SELECT t.tar_id, t.dynamic_rent, t.traff_type FROM tarifs t JOIN vgroups v USING (tar_id) WHERE v.vg_id = '468'
20.06.2012 17:14:27 DEBUG       0x454ee940      [do_sql_query:350]      SELECT c.cat_idx, c.uuid, c.enabled, c.includes, c.above, u.cat_idx, l.c_limit_in, l.c_limit_out FROM categories c LEFT JOIN climits l ON l.vg_id = '468' AND c_date = GET_C_DATE( 0, NOW() ) AND l.tar_id = c.tar_id AND l.cat_idx = c.cat_idx LEFT JOIN custom_services u ON u.vg_id = '468' AND u.tar_id = '140' AND u.cat_idx = c.cat_idx WHERE c.tar_id = '140' AND c.archive = '0'
20.06.2012 17:14:27 DEBUG       0x454ee940      [AddService:227]        Service cat_idx=0 enabled=1 service= includes=1 above=0.000000 user_cat=<> lim_in=0 lim_out=0
20.06.2012 17:14:27 VERBOSE     0x454ee940      [AddService:240]        User vg_id = 468 spend traffic 0 of 1048576 (service 1162708544)
20.06.2012 17:14:27 DEBUG       0x454ee940      [AuthenticateFromDB:435]        Auth ISG ok
20.06.2012 17:14:27 DEBUG       0x454ee940      [do_sql_query:350]      SELECT v.blocked, v.login, v.pass, v.current_shape, t.type, t.act_block, t.tar_id, a.balance+a.credit, if(v.max_sessions > 1, v.max_sessions, 1) max_sessions FROM vgroups v JOIN tarifs t ON t.tar_id=v.tar_id JOIN agreements a ON a.agrm_id=v.agrm_id WHERE v.archive=0 AND v.template=0 AND v.vg_id='468'
20.06.2012 17:14:27 DEBUG       0x454ee940      [do_sql_query:350]      SELECT `ani_id` FROM `radblacklog` `r` LEFT JOIN `gr_staff` `g` ON `g`.`group_id`=`r`.`group_id` LEFT JOIN `vgroups` `v` ON `v`.`vg_id`=r.`vg_id` OR `v`.`tar_id`=`r`.`tar_id`WHERE `r`.`nas_id`='3' AND (`r`.`ani`='__empty__' OR `r`.`ani` IS NULL) AND (`r`.`vg_id`='468' OR `r`.`vg_id` IS NULL) AND (`g`.`vg_id`='468' OR `g`.`vg_id` IS NULL) AND (`v`.`tar_id`=`r`.`tar_id` OR `r`.`tar_id` IS NULL) LIMIT 1
20.06.2012 17:14:27 VERBOSE     0x454ee940      [CheckBlackList:659]    ANI '' (User '01021970') is clean
20.06.2012 17:14:27 VERBOSE     0x454ee940      [AuthenticateFromDB:544]        User '01021970' (vg_id = 468)
20.06.2012 17:14:27 VERBOSE     0x454ee940      [AuthenticateFromDB:590]        User: '01021970', Remulate mode, unlimited session timeout (864000)
20.06.2012 17:14:27 DEBUG       0x454ee940      [do_sql_query:350]      SELECT sess_ani, direction FROM sessionsradius WHERE vg_id=468
20.06.2012 17:14:27 DEBUG       0x454ee940      [do_sql_query:350]      SELECT t.segment, t.mask, m.record_id FROM staff t JOIN segments s ON t.segment_id = s.record_id LEFT JOIN mac_staff m ON m.record_id = t.record_id WHERE t.vg_id=468 AND s.guest=0 AND s.nas_id IN (-1,0,3) AND (m.mac = '' OR m.mac IS NULL) ORDER BY (m.mac IS NULL), t.segment = '0' DESC, s.nas_id DESC
20.06.2012 17:14:27 VERBOSE     0x454ee940      [GetClientIPAddr:1396]  Client IP/Netmask: 172.16.3.102/255.255.255.255, ANI: ""
20.06.2012 17:14:27 INFO        0x454ee940      [RunAuthRequest:674]    Access-Accept, <01021970> [468], Session-Id 0/0/0/0_C0A80BF100000019
20.06.2012 17:14:27 VERBOSE     0x454ee940      [RunAuthRequest:677]    =============== Output attributes dump: ===============
20.06.2012 17:14:27 VERBOSE     0x454ee940      [RunAuthRequest:741]    Attribute 'Session-Timeout', value: "864000"
20.06.2012 17:14:27 VERBOSE     0x454ee940      [RunAuthRequest:747]    Attribute 'Service-Type', value: "2"
20.06.2012 17:14:27 VERBOSE     0x454ee940      [RunAuthRequest:753]    Attribute 'Framed-Protocol', value: "1"
20.06.2012 17:14:27 VERBOSE     0x454ee940      [RunAuthRequest:762]    Attribute 'Framed-IP-Address', value: "172.16.3.102"
20.06.2012 17:14:27 VERBOSE     0x454ee940      [RunAuthRequest:764]    Attribute 'Framed-IP-Netmask', value: "255.255.255.255"
20.06.2012 17:14:27 VERBOSE     0x454ee940      [RunAuthRequest:770]    Attribute 'Class', value: "00000468"
20.06.2012 17:14:27 VERBOSE     0x454ee940      [RunAuthRequest:823]    Attribute 'Acct-Interim-Interval', value: "60"
20.06.2012 17:14:27 DEBUG       0x454ee940      [do_sql_query:350]      SELECT group_id FROM rnas r JOIN device_groups_members m USING (device_id) WHERE r.nas_id = 3
20.06.2012 17:14:27 DEBUG       0x454ee940      [do_sql_query:350]      SELECT `d`.`radius_type`, `d`.`vendor`, `d`.`tagged`, `d`.`name`, `d`.`value_type`, `a`.`tag`, `a`.`value` FROM `radius_attrs` `a` JOIN  `dictionary` `d` ON `a`.`attr_id` = `d`.`record_id` JOIN ((SELECT `a`.`record_id` FROM `radius_attrs` `a` WHERE `a`.`shape` = '8888' OR `a`.`vg_id` = '468') UNION (SELECT `a`.`record_id` FROM `radius_attrs`  `a` JOIN `gr_staff` `g` USING (`group_id`) WHERE `g`.`vg_id` = '468') UNION (SELECT `a`.`record_id` FROM `radius_attrs` `a` WHERE `a`.`tar_id` = '140' AND `a`.`cat_idx` IS NULL) UNION (SELECT record_id FROM  radius_attrs WHERE id = 2 AND ( (nas_id = 3) OR (nas_id IS NULL) ) AND group_id IS NULL AND vg_id IS NULL AND tar_id IS NULL AND cat_idx IS NULL AND shape IS NULL AND service IS NULL)) `t` ON `t`.`record_id ` = `a`.`record_id`WHERE `a`.`radius_code` = '2' AND `a`.`id` = '2' AND (`a`.`nas_id` = '3' OR (`a`.`nas_id` IS NULL))
20.06.2012 17:14:27 VERBOSE     0x454ee940      [AddAttrs:566]  Unknown VSA 1, vendor Cisco, value: "lcp:interface-config=rate-limit input 256000 48000 96000 conform-action transmit exceed-action drop"
20.06.2012 17:14:27 VERBOSE     0x454ee940      [AddAttrs:566]  Unknown VSA 1, vendor Cisco, value: "lcp:interface-config=rate-limit input 256000 48000 96000 conform-action transmit exceed-action drop"
20.06.2012 17:14:27 DEBUG       0x454ee940      [do_sql_query:350]      SELECT `d`.`radius_type`, `d`.`vendor`, `d`.`tagged`, `d`.`name`, `d`.`value_type`, `a`.`tag`, `a`.`value` FROM `radius_attrs` `a` JOIN  `dictionary` `d` ON `a`.`attr_id` = `d`.`record_id` JOIN categories c ON c.tar_id = '140' AND c.cat_idx = '0' AND c.uuid = a.service AND a.service_for_list = '1' WHERE `a`.`radius_code` = '2' AND `a`.`id` = '2' AND (`a`.`nas_id` = '3' OR `a`.`nas_id` IS NULL)
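The log above records one Access-Request from the router and the Access-Accept the agent built for it. The following is an added example, not code from the article or from LBarcd, that reproduces that exchange on the wire (RFC 2865): the NAS sends an Access-Request carrying a CHAP credential and a Cisco client-mac-address VSA, the agent verifies the CHAP response against the stored password and answers with an Access-Accept that carries Framed-IP-Address, Class, Acct-Interim-Interval and the lcp:interface-config Cisco-AVPair, signed with the shared secret; the NAS then checks the Response Authenticator before applying anything. The shared secret, the user password and the attribute values are constructed for the example; the page's own NAS key is not reused.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865) with a CHAP
credential and Cisco-AVPair VSAs, modelled on the log above. Every secret,
address and attribute value here is constructed for the example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 3, 4, 8
CLASS, VENDOR_SPECIFIC, SESSION_TIMEOUT, CHAP_CHALLENGE = 25, 26, 27, 60
ACCT_INTERIM_INTERVAL, VENDOR_CISCO, CISCO_AVPAIR = 85, 9, 1  # VSA 1 = cisco-avpair

SHARED_SECRET = b"example-nas-secret"        # constructed, not the page's key
USERS = {b"01021970": b"example-user-pw"}    # constructed login -> password

def attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def cisco_avpair(text):
    """Vendor-Specific (26): Vendor-Id 9, then Vendor-Type 1, Vendor-Length, text."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + inner)

def parse_packet(raw):
    """Return (code, id, authenticator, attrs); attrs are (type, value) tuples or
    ("VSA", vendor, vendor_type, value). Malformed lengths raise ValueError."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = raw[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6 and value[5] == len(value) - 4:
            attrs.append(("VSA", struct.unpack("!I", value[:4])[0], value[4], value[6:]))
        else:
            attrs.append((atype, value))
        pos += alen
    return code, ident, raw[4:20], attrs

def chap_response(chap_id, password, challenge):
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def nas_access_request(ident, username, password, chap_id=1):
    """Router side: a random Request Authenticator that also serves as CHAP challenge."""
    request_auth = os.urandom(16)
    body = b"".join([
        attr(USER_NAME, username),
        attr(CHAP_PASSWORD, bytes([chap_id]) + chap_response(chap_id, password, request_auth)),
        attr(NAS_IP_ADDRESS, bytes([192, 168, 11, 241])),
        cisco_avpair("client-mac-address=0001.020a.1a3b"),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def server_handle(raw, users=USERS, secret=SHARED_SECRET):
    """Agent side: verify the CHAP response, then reply with a signed Accept or Reject."""
    code, ident, req_auth, attrs = parse_packet(raw)
    plain = {a[0]: a[1] for a in attrs if a[0] != "VSA"}
    username, chap = plain.get(USER_NAME), plain.get(CHAP_PASSWORD, b"")
    challenge = plain.get(CHAP_CHALLENGE, req_auth)   # RFC 2865 section 5.3
    password = users.get(username)
    ok = (code == ACCESS_REQUEST and password is not None and len(chap) == 17
          and hmac.compare_digest(chap[1:], chap_response(chap[0], password, challenge)))
    reply = [] if not ok else [
        attr(SESSION_TIMEOUT, struct.pack("!I", 864000)),
        attr(FRAMED_IP_ADDRESS, bytes([172, 16, 3, 102])),
        attr(CLASS, b"00000468"),
        attr(ACCT_INTERIM_INTERVAL, struct.pack("!I", 60)),
        cisco_avpair("lcp:interface-config=rate-limit input 256000 48000 96000 "
                     "conform-action transmit exceed-action drop"),
    ]
    body = b"".join(reply)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body

def nas_verify_response(response, request, secret=SHARED_SECRET):
    """Router side: accept the reply only if its id matches our request and the
    Response Authenticator validates under the shared secret."""
    _, ident, resp_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return ident == request[1] and hmac.compare_digest(expected, resp_auth)

def accepted_avpairs(response):
    """Cisco-AVPair strings the router would apply to the session."""
    return [a[3].decode() for a in parse_packet(response)[3]
            if a[0] == "VSA" and a[1] == VENDOR_CISCO and a[2] == CISCO_AVPAIR]
```

Two things the code makes visible. First, only the reply is authenticated by the shared secret; an Access-Request without a Message-Authenticator attribute (RFC 2869) carries no integrity protection of its own, which is why the NAS-to-agent path is normally confined to a management network (the configuration above pins it with `ip radius source-interface FastEthernet0/0`). Second, the `key 7` string in the router configuration is Cisco's type-7 encoding of that same shared secret, which is obfuscation rather than encryption, so the running configuration has to be handled with the same care as the key itself.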

Once these settings are in place, the Cisco side applies a rate-limit on the session's virtual-access interface:

R2811#sh interface Virtual-Access3 rate-limit
Virtual-Access3
  Input
    matches: all traffic
      params:  256000 bps, 48000 limit, 96000 extended limit
      conformed 22 packets, 1696 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 292ms ago, current burst: 0 bytes
      last cleared 00:00:21 ago, conformed 0 bps, exceeded 0 bps

  Output
    matches: all traffic
      params:  256000 bps, 48000 limit, 96000 extended limit
      conformed 0 packets, 0 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 368338648ms ago, current burst: 0 bytes
      last cleared 00:00:21 ago, conformed 0 bps, exceeded 0 bps
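The shaper attributes bound to a speed (Fig. 4 and Fig. 5) and the rate-limit the router reports belong together, so here is an added example, not from the article or from LBarcd, that derives the rate-limit avpair for a given speed and checks a `show interface ... rate-limit` dump against it. The burst sizing rule in `rate_limit_avpair` (normal burst = 1.5 s of traffic at the rate, in bytes; extended burst = twice that) is an assumption taken from Cisco's usual CAR guidance; it reproduces the 256000/48000/96000 triple shown on this page. The show output embedded in the code is the one printed above.

```python
"""Derive the Cisco-AVPair rate-limit string for a tariff speed and verify it
against `show interface ... rate-limit` output. Added example; the burst
sizing below is an assumption (Cisco's usual CAR guidance, reproducing the
page's 256000/48000/96000 triple)."""
import re

def rate_limit_avpair(direction, bps):
    """lcp:interface-config=rate-limit <dir> <bps> <normal> <extended> ...
    normal burst = 1.5 s of traffic at <bps> in bytes, extended burst = 2 x normal."""
    if direction not in ("input", "output"):
        raise ValueError("direction must be 'input' or 'output'")
    if bps <= 0 or bps % 8000:
        raise ValueError("CAR rates are configured in multiples of 8000 bps")
    normal = bps // 8 * 3 // 2
    return (f"lcp:interface-config=rate-limit {direction} {bps} {normal} {2 * normal} "
            "conform-action transmit exceed-action drop")

# Output of `sh interface Virtual-Access3 rate-limit` as shown on the page.
SHOW_OUTPUT = """\
Virtual-Access3
  Input
    matches: all traffic
      params:  256000 bps, 48000 limit, 96000 extended limit
      conformed 22 packets, 1696 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 292ms ago, current burst: 0 bytes
      last cleared 00:00:21 ago, conformed 0 bps, exceeded 0 bps

  Output
    matches: all traffic
      params:  256000 bps, 48000 limit, 96000 extended limit
      conformed 0 packets, 0 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 368338648ms ago, current burst: 0 bytes
      last cleared 00:00:21 ago, conformed 0 bps, exceeded 0 bps
"""

PARAMS_RE = re.compile(r"params:\s+(\d+) bps, (\d+) limit, (\d+) extended limit")
COUNTER_RE = re.compile(r"(conformed|exceeded) (\d+) packets, (\d+) bytes; action: (\w+)")

def parse_rate_limit(show_output):
    """Map 'input'/'output' to the parameters and counters the router reports."""
    result, direction = {}, None
    for line in show_output.splitlines():
        text = line.strip()
        if text in ("Input", "Output"):
            direction = text.lower()
            result[direction] = {}
        elif direction and (m := PARAMS_RE.search(text)):
            result[direction].update(bps=int(m[1]), normal=int(m[2]), extended=int(m[3]))
        elif direction and (m := COUNTER_RE.search(text)):
            result[direction][m[1]] = {"packets": int(m[2]), "bytes": int(m[3]), "action": m[4]}
    return result

def check_shaper(show_output, expected_bps):
    """Compare what the router applied with what the tariff should have pushed.
    expected_bps = {"input": bps, "output": bps}; returns a list of mismatches,
    empty when the session carries exactly the expected rate-limit."""
    applied, problems = parse_rate_limit(show_output), []
    for direction, bps in expected_bps.items():
        got = applied.get(direction)
        if not got or "bps" not in got:
            problems.append(f"{direction}: no rate-limit applied")
            continue
        want = tuple(int(x) for x in rate_limit_avpair(direction, bps).split()[2:5])
        have = (got["bps"], got["normal"], got["extended"])
        if want != have:
            problems.append(f"{direction}: expected {want}, router has {have}")
        if got.get("exceeded", {}).get("action") != "drop":
            problems.append(f"{direction}: exceed action is not drop")
    return problems
```

`check_shaper` is the post-change check: run it against the dump for a freshly authenticated session with the speeds the tariff is supposed to grant, and an empty list confirms the attribute from the dictionary arrived intact and in both directions; a mismatch points at the dictionary entry, a missing direction at the attribute binding.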