...
Без форматирования |
---|
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
bridge 10
description "users"
security-zone users
ip firewall disable
ip address 192.168.132.1/22
ip helper-address 100.123.0.2
protected-ports local
enable
exit
interface gigabitethernet 1/0/1.3500
description "UpLink"
security-zone untrusted
ip address 172.31.240.3/29
exit
interface gigabitethernet 1/0/1.2300
description "mgmt"
security-zone trusted
ip firewall disable
ip address 100.123.0.176/24
exit
interface gigabitethernet 1/0/1.2336
bridge-group 10
exit
interface gigabitethernet 1/0/1.2337
bridge-group 10
exit
ip dhcp-relay
ip route 0.0.0.0/0 172.31.240.1
ip telnet server
ip ssh server |
...
2) Настраиваем взаимодействие с RADIUS-сервером. Ключ `testing123` в примере — демонстрационный: на реальном оборудовании задайте для `radius-server host` и `das-server` уникальный стойкий общий секрет; в сохранённой конфигурации ESR он отображается в зашифрованном виде (`key ascii-text encrypted ...`, см. итоговый листинг ниже).
Предупреждение |
---|
Если используется резервирование SoftWLC и сервис Eltex-PCRF работает в кластере, в конфигурации ESR необходимо настроить взаимодействие с каждым инстансом сервиса по его реальному адресу (отдельный `radius-server host` на каждый инстанс) и указать оба инстанса в настройке `aaa radius-profile`. Использовать VRRP-адрес для взаимодействия с RADIUS/CoA нельзя!
|
Без форматирования |
---|
object-group network SoftWLC ip address-range 100.123.0.2 exit radius-server timeout 10 radius-server retransmit 5 radius-server host 100.123.0.2 key ascii-text testing123 timeout 11 priority 20 source-address 100.123.0.176 auth-port 31812 acct-port 31813 retransmit 10 dead-interval 10 exit aaa radius-profile PCRF radius-server host 100.123.0.2 exit das-server COA key ascii-text testing123 port 3799 clients object-group SoftWLC exit aaa das-profile COA das-server COA exit |
...
4.1) Далее включаем BRAS (`service-subscriber-control`) на клиентском интерфейсе; настройки bridge 10 при этом примут следующий вид:
Без форматирования |
---|
object-group network bras_users ip address-range 192.168.132.2-192.168.135.254 exit bridge 10 description "users" security-zone users ip firewall disable ip address 192.168.132.1/22 ip helper-address 100.123.0.2 service-subscriber-control object-group bras_users location data10 protected-ports local enable exit |
Примечание |
---|
Обратите внимание на настройку «service-subscriber-control object-group bras_users»: авторизацию будут проходить только пользователи с адресами из диапазона, заданного в группе bras_users (192.168.132.2–192.168.135.254). Это нужно, чтобы трафик с адреса самого bridge 10 (192.168.132.1) и широковещательный трафик подсети (192.168.135.255) проходили беспрепятственно, не попадая под контроль подписчиков. Вместо неё можно использовать настройку «service-subscriber-control any», которая заблокирует прохождение любого трафика до прохождения авторизации. |
...
Без форматирования |
---|
object-group service dhcp_server
port-range 67
exit
object-group service dhcp_client
port-range 68
exit
object-group service dns
port-range 53
exit
object-group service redirect
port-range 3128-3131
exit
object-group network users
ip prefix 192.168.132.0/22
exit
object-group network SoftWLC
ip address-range 100.123.0.2
exit
object-group network bras_users
ip address-range 192.168.132.2-192.168.135.254
exit
radius-server timeout 10
radius-server retransmit 5
radius-server host 100.123.0.2
key ascii-text testing123
timeout 11
priority 20
source-address 100.123.0.176
auth-port 31812
acct-port 31813
retransmit 10
dead-interval 10
exit
aaa radius-profile PCRF
radius-server host 100.123.0.2
exit
das-server COA
key ascii-text encrypted 88B11079B9014FAAF7B9
port 3799
clients object-group SoftWLC
exit
aaa das-profile COA
das-server COA
exit
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
ip access-list extended WELCOME
rule 1
action permit
match protocol tcp
match destination-port 443
enable
exit
rule 2
action permit
match protocol tcp
match destination-port 8443
enable
exit
rule 3
action permit
match protocol tcp
match destination-port 80
enable
exit
rule 4
action permit
match protocol tcp
match destination-port 8080
enable
exit
exit
ip access-list extended INTERNET
rule 1
action permit
enable
exit
exit
ip access-list extended unauthUSER
rule 1
action permit
match protocol udp
match source-port 68
match destination-port 67
enable
exit
rule 2
action permit
match protocol udp
match destination-port 53
enable
exit
exit
subscriber-control filters-server-url http://100.123.0.2:7070/filters/file
subscriber-control
aaa das-profile COA
aaa sessions-radius-profile PCRF
aaa services-radius-profile PCRF
nas-ip-address 100.123.0.176
session mac-authentication
bypass-traffic-acl unauthUSER
default-service
class-map unauthUSER
filter-name remote gosuslugi
filter-action permit
default-action redirect http://100.123.0.2:8080/eltex_portal/
exit
enable
exit
snmp-server
snmp-server system-shutdown
snmp-server community "private1" rw
snmp-server community "public11" ro
snmp-server host 100.123.0.2
source-address 100.123.0.176
exit
bridge 10
description "users"
security-zone users
ip address 192.168.132.1/22
ip helper-address 100.123.0.2
service-subscriber-control object-group bras_users
location data10
protected-ports local
enable
exit
interface gigabitethernet 1/0/1.3500
description "UpLink"
security-zone untrusted
ip address 172.31.240.3/29
exit
interface gigabitethernet 1/0/1.2300
description "mgmt"
security-zone trusted
ip address 100.123.0.176/24
exit
interface gigabitethernet 1/0/1.2336
bridge-group 10
exit
interface gigabitethernet 1/0/1.2337
bridge-group 10
exit
security zone-pair users untrusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted self
rule 1
action permit
enable
exit
exit
security zone-pair trusted users
rule 1
action permit
enable
exit
exit
security zone-pair users self
rule 1
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 2
action permit
match protocol tcp
match destination-port redirect
enable
exit
exit
security zone-pair users trusted
rule 1
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 2
action permit
match protocol udp
match destination-port dns
enable
exit
exit
nat source
pool nat_addr
ip address-range 172.31.240.3
exit
ruleset nat_source
to zone untrusted
rule 1
match source-address users
action source-nat pool nat_addr
enable
exit
exit
exit
ip dhcp-relay
ip route 0.0.0.0/0 172.31.240.1
ip telnet server
ip ssh server
clock timezone gmt +7
ntp enable
ntp server 100.123.0.2
exit |
...