Hello,

I am attempting to "COA Service-Logon" with Radclient and cisco av-pair attributes. I can perform other COA like tagged ACL or Named but so far not service-logon.

Local ACL "IN_ACL_NAMED_v4_2" is on my ISG gateway (Cisco ASR1k). Have this cmd which I understand allows radius to define the policy.

aaa authorization subscriber-service default group RADIUS_GROUP

Syntax I am using for Radclient/coa to existing session: (Have tried without Outbound-User as well)

Acct-Session-Id="000003EE"
Service-Type += Outbound-User
cisco-avpair="subscriber:command=activate-service"
cisco-avpair="subscriber:service-name=v4_POLICY"
cisco-avpair="ip:inacl=IN_ACL_NAMED_v4_2"

Am seeing the following on the gateway:

"COA: Message Authenticator missing or failed decode"

Could someone verify my syntax and give any suggestions? Do I need to actually define/configure "v4_POLICY" anywhere?

Jay

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Do I need to define the service that I am referencing "v4_POLICY" elsewhere in freeradius? For example in a .conf file?

Thanks,
Jay

-----Original Message-----
From: freeradius-users-bounces+jkuhne=[hidden email] [mailto:freeradius-users-bounces+jkuhne=[hidden email]] On Behalf Of Jay Kuhne (jkuhne)
Sent: Friday, October 08, 2010 5:53 AM
To: [hidden email]
Subject: RE: Service-Logon

Jay Kuhne (jkuhne) wrote:
> Do I need to define the service that I am referencing "v4_POLICY" elsewhere in freeradius?

  No. You're sending that to the NAS. The NAS interprets it.

  Alan DeKok.

Hi Alan,

Thanks for the reply. Does it need to be configured on the NAS or the NAS accepts Radius is telling it "this is the policy to use"?

For Cisco ASR1K IOS-XE NAS, I understand the following command is needed to tell NAS to accept RADIUS policy vs. looking local.

"aaa authorization subscriber-service default group RADIUS_GROUP"

Any other thoughts on what I might be doing incorrectly? At the moment I execute the following with "coa" being the filename for contents below:

ssh -x -l root erbu-freerad-10 /usr/local/bin/radclient -x -t 20 -n 30 -c 1 -p 30 -f /usr/local/etc/raddb/coa 5.28.6.10:1700 coa cisco

Acct-Session-Id="000003EE"
Service-Type += Outbound-User
cisco-avpair="subscriber:command=activate-service"
cisco-avpair="subscriber:service-name=ACL_NAMED_POLICY"
cisco-avpair="ip:inacl=IN_ACL_NAMED_v6_2"

Thanks again,
Jay

# NAS Config:
aaa new-model
!
!
aaa group server radius RADIUS_GROUP
 server-private 5.28.21.99 non-standard key cisco
 ip vrf forwarding Mgmt-intf
!
aaa authentication login default none
aaa authentication ppp default group RADIUS_GROUP
aaa authorization network default group RADIUS_GROUP
aaa authorization subscriber-service default group RADIUS_GROUP
!
!
!
!
aaa server radius dynamic-author
 client 5.28.21.99 vrf Mgmt-intf server-key cisco
 auth-type any
!

-----Original Message-----
From: freeradius-users-bounces+jkuhne=[hidden email] [mailto:freeradius-users-bounces+jkuhne=[hidden email]] On Behalf Of Alan DeKok
Sent: Saturday, October 09, 2010 2:52 AM
To: FreeRadius users mailing list
Subject: Re: Service-Logon

Jay Kuhne (jkuhne) wrote:
> Thanks for the reply. Does it need to be configured on the NAS or the
> NAS accepts Radius is telling it "this is the policy to use"

  See the NAS documentation for how the NAS behaves.

> Any other thoughts on what I might be doing incorrectly?

  No idea. The only goal in RADIUS is to get the "right" contents to the NAS. We document how to put things in the packet. The NAS documents what it needs in the packet.

  Alan DeKok.

Hi Alan,

Thank you, this helps. Will have another go at debugging from the NAS side. I'll post back once I get it working.

Jay

-----Original Message-----
From: freeradius-users-bounces+jkuhne=[hidden email] [mailto:freeradius-users-bounces+jkuhne=[hidden email]] On Behalf Of Alan DeKok
Sent: Saturday, October 09, 2010 7:51 AM
To: FreeRadius users mailing list
Subject: Re: Service-Logon

One step closer by reverse-engineering a TAC example... but still not quite working.

# "users" file - initial bring up

jkuhne1@asr_5_61 Cleartext-Password := "hello1"
        Service-Type += Framed-User,
        Framed-Protocol += PPP,
        Cisco-Account-Info += "NAMED_ACL_SERVICE",
        Framed-IPv6-Prefix += "0015:0000:0000:0000:0000:0000:0000:0000/64",
        cisco-avpair += "ipv6:inacl#1=permit ipv6 15::0/64 any",
        cisco-avpair += "ipv6:inacl#2=permit tcp 1::1/64 any eq 50001",
        Fall-Through = no

DEFAULT Prefix == "NAMED_ACL_SERVICE"
        Service-Type += Outbound-User,
        cisco-avpair += "ipv6:inacl=IN_ACL_NAMED_v6_2"

#Able to see it on NAS
asr05#sh aaa service-profiles
<etc...>
1000> Service Name: asr_5_61
1001> Service Name: NAMED_ACL_SERVICE

# attempting COA
User-Name += "jkuhne1@asr_5_61"
Acct-Session-Id="000003EE"
cisco-avpair += "subscriber:command=activate-service"
cisco-avpair += "subscriber:service-name=NAMED_ACL_SERVICE"

# Radius Debug:
Oct 11 14:11:37.838: COA: 5.28.21.99 request queued
Oct 11 14:11:37.838: RADIUS: authenticator 43 98 88 99 AE 20 8E CA - DE 91 37 88 E8 74 93 D8
Oct 11 14:11:37.838: RADIUS: User-Name [1] 18 "jkuhne1@asr_5_61"
Oct 11 14:11:37.838: RADIUS: Acct-Session-Id [44] 10 "000003EE"
Oct 11 14:11:37.838: RADIUS: Vendor, Cisco [26] 43
Oct 11 14:11:37.838: RADIUS: Cisco AVpair [1] 37 "subscriber:command=activate-service"
Oct 11 14:11:37.838: RADIUS: Vendor, Cisco [26] 49
Oct 11 14:11:37.838: RADIUS: Cisco AVpair [1] 43 "subscriber:service-name=NAMED_ACL_SERVICE"
Oct 11 14:11:37.838: COA: Message Authenticator missing or failed decode

I can do COA successfully for tagged or named ACLs defined directly, so overall feel it is a syntax issue. Any suggestions appreciated.

Jay

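The debug above lists User-Name, Acct-Session-Id and the two Cisco VSAs but no Message-Authenticator attribute (type 80), and the ISG rejects the request with "Message Authenticator missing or failed decode". The script below is an added example, not code from the thread or from FreeRADIUS: it encodes the same attributes (the attribute lengths it produces, 43 and 49 for the two VSAs with 37 and 43 for the inner cisco-avpairs, match the debug lines), signs a CoA-Request as RFC 5176 specifies (HMAC-MD5 Message-Authenticator computed with the Request Authenticator and the attribute value zeroed, then the MD5 Request Authenticator over the finished packet), and verifies it the way a NAS would. Building the packet once without the attribute and once with a wrong secret reproduces the two failure cases behind that single error message. The secret "cisco" and the session id are the values shown in the posted NAS config and debug; the identifier is arbitrary. With radclient itself, the usual way to get the attribute included is to put `Message-Authenticator = 0x00` in the attribute file, which radclient replaces with the computed HMAC.

```python
import hashlib
import hmac
import struct

# RADIUS constants (RFC 2865, RFC 2869, RFC 5176); vendor id 9 is Cisco.
COA_REQUEST = 43
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_SESSION_ID = 44
ATTR_MESSAGE_AUTHENTICATOR = 80
VENDOR_CISCO = 9
CISCO_AVPAIR = 1      # Cisco VSA sub-type for cisco-avpair
HEADER_LEN = 20       # Code(1) Identifier(1) Length(2) Authenticator(16)


def attr(attr_type, value):
    """Encode one Type-Length-Value attribute; Length counts the 2-byte header."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return bytes((attr_type, len(value) + 2)) + value


def cisco_avpair(text):
    """Encode a cisco-avpair as Vendor-Specific(26) -> vendor 9 -> sub-attribute 1."""
    inner = attr(CISCO_AVPAIR, text.encode("ascii"))
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + inner)


def build_coa_request(secret, identifier, attributes, with_message_authenticator=True):
    """Build a CoA-Request; with_message_authenticator=False mimics the unsigned packet in the debug."""
    body = b"".join(attributes)
    if with_message_authenticator:
        body += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zero placeholder, last attribute
    header = struct.pack("!BBH", COA_REQUEST, identifier, HEADER_LEN + len(body))
    if with_message_authenticator:
        # RFC 5176 s3.3: HMAC-MD5 over the packet with Request Authenticator and
        # Message-Authenticator value both treated as 16 zero octets.
        mac = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
        body = body[:-16] + mac
    # RFC 5176 s2.3: Request Authenticator = MD5(Code+ID+Length+16 zeros+attributes+secret).
    request_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + request_auth + body


def iter_attributes(body):
    """Walk an attribute area yielding (offset, type, value); reject malformed lengths."""
    offset = 0
    while offset + 2 <= len(body):
        attr_type, length = body[offset], body[offset + 1]
        if length < 2 or offset + length > len(body):
            raise ValueError("malformed attribute at offset %d" % offset)
        yield offset, attr_type, body[offset + 2:offset + length]
        offset += length
    if offset != len(body):
        raise ValueError("trailing bytes after last attribute")


def verify_coa_request(secret, packet):
    """Return (request_authenticator_ok, message_authenticator_ok) as a NAS would judge them.

    message_authenticator_ok is False both when the attribute is absent and when its HMAC
    fails, i.e. the two cases behind 'Message Authenticator missing or failed decode'.
    """
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet) or length < HEADER_LEN:
        raise ValueError("not a well-formed CoA-Request")
    header, request_auth, body = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    request_ok = hmac.compare_digest(request_auth, expected)
    message_ok = False
    for offset, attr_type, value in iter_attributes(body):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = body[:offset + 2] + bytes(16) + body[offset + 18:]
            calc = hmac.new(secret, header + bytes(16) + zeroed, hashlib.md5).digest()
            message_ok = hmac.compare_digest(value, calc)
            break
    return request_ok, message_ok


def decode_cisco_avpairs(packet):
    """Return the cisco-avpair strings carried in a packet (what the NAS will act on)."""
    pairs = []
    for _off, attr_type, value in iter_attributes(packet[HEADER_LEN:]):
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            if struct.unpack("!I", value[:4])[0] == VENDOR_CISCO:
                for _o, sub_type, sub_value in iter_attributes(value[4:]):
                    if sub_type == CISCO_AVPAIR:
                        pairs.append(sub_value.decode("ascii"))
    return pairs


# Attributes from the CoA attempt in the thread; the secret is the posted server-key.
SECRET = b"cisco"
COA_ATTRIBUTES = [
    attr(ATTR_USER_NAME, b"jkuhne1@asr_5_61"),
    attr(ATTR_ACCT_SESSION_ID, b"000003EE"),
    cisco_avpair("subscriber:command=activate-service"),
    cisco_avpair("subscriber:service-name=NAMED_ACL_SERVICE"),
]

if __name__ == "__main__":
    signed = build_coa_request(SECRET, 1, COA_ATTRIBUTES)
    print(decode_cisco_avpairs(signed))
    print("signed, right secret:", verify_coa_request(SECRET, signed))
    print("signed, wrong secret:", verify_coa_request(b"other", signed))
    print("no Message-Authenticator:", verify_coa_request(SECRET, build_coa_request(SECRET, 1, COA_ATTRIBUTES, False)))
```

The (request_ok, message_ok) pairs come out as (True, True), (False, False) and (True, False): a shared-secret mismatch between `aaa group server radius` / `dynamic-author` on the NAS and the secret given to radclient breaks both checks, while a packet that simply lacks the attribute still has a valid Request Authenticator and fails only the Message-Authenticator check.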
Hi Alan and all,

This is just a follow-up, here is the config which works for Service-Logon with Cisco AVP. The "A" vs "N" in front of the service name determines whether service is applied at bring-up (AutoLogon) or applied via COA afterwards.

tester1@asr_domain1 Cleartext-Password := "hello1"
        Service-Type += Framed-User,
        Framed-Protocol += PPP,
        Cisco-Account-Info += "ASERVICE_USR1",
        Cisco-Account-Info += "NSERVICE_USR1_NET",
        Framed-IPv6-Prefix += "0015:0000:0000:0000:0000:0000:0000:0000/64",
        Fall-Through = no

SERVICE_USR1 Cleartext-Password := "cisco"
        Service-Type += Outbound-User,
        cisco-avpair += "ipv6:inacl#1=permit ipv6 15::0/64 any",
        cisco-avpair += "ipv6:inacl#2=permit tcp 1::1/64 any eq 50001",
        cisco-avpair += "ipv6:inacl#3=permit tcp any 2001:0DB8:bb00:1::/64 eq 23",
        cisco-avpair += "ipv6:inacl#4=permit ipv6 any 2003:1:2::0/48",
        cisco-avpair += "ipv6:inacl#5=permit udp any eq 546 any eq 547",
        cisco-avpair += "ipv6:outacl#1=permit ipv6 any 15::0/64",
        cisco-avpair += "ipv6:outacl#2=permit tcp any 1::1/64 eq 50001",
        cisco-avpair += "ipv6:outacl#3=permit tcp 2001:0DB8:bb00:1::/64 any eq 23",
        cisco-avpair += "ipv6:outacl#4=permit ipv6 2003:1:2::0/48 any",
        cisco-avpair += "ipv6:outacl#5=permit udp any eq 546 any eq 547",

SERVICE_USR1_NET Cleartext-Password := "cisco"
        Service-Type += Outbound-User,
        cisco-avpair += "ipv6:inacl#1=permit ipv6 15::0/64 any",
        cisco-avpair += "ipv6:inacl#2=permit tcp 1::1/64 any eq 50002",

COA service activation is simply the following with Radclient

User-Name += "tester@asr_domain1"
Service-Type += Outbound-User
Acct-Session-Id="000003F5"
cisco-avpair += "subscriber:command=deactivate-service"
cisco-avpair += "subscriber:service-name=SERVICE_USR1_NET"

Cheers,
Jay

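In the working configuration above, every service the subscriber entry names in Cisco-Account-Info (after the leading "A" or "N") also exists as a users-file entry of its own, which is what `aaa authorization subscriber-service default group RADIUS_GROUP` lets the NAS fetch from FreeRADIUS. The checker below is an added example, not part of the thread or of FreeRADIUS: it parses the subset of the users-file syntax used in the thread (an entry name and check items at column 0, indented reply items one per line), lists which services each subscriber references and in which mode, and flags references that have no matching entry. The sample text is constructed from the posted entries, trimmed, with one deliberately dangling "NSERVICE_MISSING" reference added so the check has something to report; the parser ignores check items other than the entry name and treats only lines starting with "#" as comments, so the "#" inside quoted ACL values is preserved.

```python
import re

# Constructed sample: trimmed copy of the thread's working entries plus one dangling reference.
SAMPLE_USERS = '''\
# subscriber entry: A = applied at bring-up (AutoLogon), N = applied later via CoA
tester1@asr_domain1 Cleartext-Password := "hello1"
        Service-Type += Framed-User,
        Framed-Protocol += PPP,
        Cisco-Account-Info += "ASERVICE_USR1",
        Cisco-Account-Info += "NSERVICE_USR1_NET",
        Cisco-Account-Info += "NSERVICE_MISSING",
        Fall-Through = no

SERVICE_USR1 Cleartext-Password := "cisco"
        Service-Type += Outbound-User,
        cisco-avpair += "ipv6:inacl#1=permit ipv6 15::0/64 any",

SERVICE_USR1_NET Cleartext-Password := "cisco"
        Service-Type += Outbound-User,
        cisco-avpair += "ipv6:inacl#2=permit tcp 1::1/64 any eq 50002",
'''

# attribute, operator, then either a quoted value or a bare token, optional trailing comma
REPLY_ITEM = re.compile(r'^\s*([A-Za-z0-9_.-]+)\s*(:=|\+=|==|=)\s*(?:"([^"]*)"|([^\s,]+))\s*,?\s*$')

SERVICE_PREFIXES = {"A": "auto-logon", "N": "coa-activated"}


def parse_users(text):
    """Return {entry_name: [(attribute, operator, value), ...]} for the reply items of each entry.

    Simplifications (this is not FreeRADIUS's parser): check items after the name are ignored,
    only whole-line '#' comments are recognised, and continuation lines must be indented.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():                  # column 0: new entry, name is the first token
            name = raw.split(None, 1)[0]
            current = entries.setdefault(name, [])
            continue
        if current is None:
            raise ValueError("reply item before any entry: %r" % raw)
        m = REPLY_ITEM.match(raw)
        if not m:
            raise ValueError("cannot parse reply item: %r" % raw)
        attribute, operator, quoted, bare = m.groups()
        current.append((attribute, operator, quoted if quoted is not None else bare))
    return entries


def service_references(entries):
    """Yield (subscriber, service_name, mode) for each Cisco-Account-Info reply item."""
    for subscriber, items in entries.items():
        for attribute, _operator, value in items:
            if attribute.lower() == "cisco-account-info" and value[:1] in SERVICE_PREFIXES:
                yield subscriber, value[1:], SERVICE_PREFIXES[value[0]]


def dangling_services(entries):
    """Return references whose service name has no users-file entry of its own."""
    return [(s, name, mode) for s, name, mode in service_references(entries) if name not in entries]


def services_missing_outbound_type(entries):
    """Return referenced service entries that lack the Service-Type Outbound-User the posted config uses."""
    referenced = {name for _s, name, _m in service_references(entries) if name in entries}
    return sorted(name for name in referenced
                  if ("Service-Type", "+=", "Outbound-User") not in entries[name]
                  and ("Service-Type", ":=", "Outbound-User") not in entries[name])


if __name__ == "__main__":
    parsed = parse_users(SAMPLE_USERS)
    for ref in service_references(parsed):
        print("reference:", ref)
    print("dangling:", dangling_services(parsed))
    print("no Outbound-User:", services_missing_outbound_type(parsed))
```

Run against a real users file the same way (`parse_users(open(path).read())`); the dangling list is the first thing to look at when a CoA names a service and the NAS then reports nothing usable coming back from the service authorization.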
