<MACADDR> Cleartext-Password := <MACADDR>
# Имя пользователя
User-Name = <USER_NAME>,
# Максимальное время жизни сессии
Session-Timeout = <SECONDS>,
# Максимальное время жизни сесиии при бездействии пользователя
Idle-Timeout = <SECONDS>,
# Время на обновление статистики по сессии
Acct-Interim-Interval = <SECONDS>,
# Имя сервиса для сессии (A - сервис включен, N - сервис выключен)
Cisco-Account-Info = "{A|N}<SERVICE_NAME>"
<SERVICE_NAME> Cleartext-Password := <MACADDR>
# Соответствует имени class-map в настройках ESR
Cisco-AVPair = "subscriber:traffic-class=<CLASS_MAP>",
# Действие, которое применяет ESR к трафику (permit, deny, redirect)
Cisco-AVPair = "subscriber:filter-default-action=<ACTION>",
# Возможность прохождения IP потоков (enabled-uplink, enabled-downlink, enabled, disabled)
Cisco-AVPair = "subscriber:flow-status=<STATUS>"
В файл clients.conf нужно добавить подсеть, в которой находится ESR:
client ESR {
ipaddr = <SUBNET>
secret = <RADIUS_KEY>
}
radius-server host <IP_ADDRESS>
key ascii-text <RADIUS_KEY>
exit
aaa radius-profile bras_radius
radius-server host <IP_ADDRESS>
exit
das-server das
key ascii-text <RADIUS_KEY>
exit
aaa das-profile bras_das
das-server das
exit
ip access-list extended user_acl
rule 1
action permit
enable
exit
exit
subscriber-control
aaa das-profile bras_das
aaa sessions-radius-profile bras_radius
nas-ip-address <IP_ADDRESS>
session mac-authentication
default-service default-action redirect <URL>
exit
enable
exit
service-subscriber-control {object-group <NAME> | any}
location <L2LOCATION>
"00-00-00-33-96-3D" Cleartext-Password := "00-00-00-33-96-3D"
User-Name = "Bras_user",
Session-Timeout = 259200,
Idle-Timeout = 259200,
Cisco-AVPair += "subscriber:policer-rate-in=1000",
Cisco-AVPair += "subscriber:policer-rate-out=1000",
Cisco-AVPair += "subscriber:policer-burst-in=188",
Cisco-AVPair += "subscriber:policer-burst-out=188",
Cisco-Account-Info = "AINTERNET"
INTERNET Cleartext-Password := "INTERNET"
User-Name = "INTERNET",
Cisco-AVPair = "subscriber:traffic-class=INTERNET",
Cisco-AVPair += "subscriber:filter-default-action=permit"
configure
object-group url defaultserv
url http://eltex.nsk.ru
url http://ya.ru
url https://ya.ru
exit
radius-server host 192.168.16.54
key ascii-text encrypted 8CB5107EA7005AFF
source-address 192.168.16.140
exit
aaa radius-profile bras_radius
radius-server host 192.168.16.54
exit
aaa radius-profile bras_radius_servers
radius-server host 192.168.16.54
exit
das-server das
key ascii-text encrypted 8CB5107EA7005AFF
exit
aaa das-profile bras_das
das-server das
exit
vlan 10
exit
ip access-list extended BYPASS
rule 1
action permit
match protocol udp
match source-port 68
match destination-port 67
enable
exit
rule 2
action permit
match protocol udp
match destination-port 53
enable
exit
rule 3
exit
exit
ip access-list extended INTERNET
rule 1
action permit
enable
exit
exit
ip access-list extended WELCOME
rule 10
action permit
match protocol tcp
match destination-port 443
enable
exit
rule 20
action permit
match protocol tcp
match destination-port 8443
enable
exit
rule 30
action permit
match protocol tcp
match destination-port 80
enable
exit
rule 40
action permit
match protocol tcp
match destination-port 8080
enable
exit
exit
subscriber-control
aaa das-profile bras_das
aaa sessions-radius-profile bras_radius
aaa services-radius-profile bras_radius_servers
nas-ip-address 192.168.16.140
session mac-authentication
bypass-traffic-acl BYPASS
default-service
class-map BYPASS
filter-name local defaultserv
filter-action permit
default-action redirect http://192.168.16.54/eltex_portal
session-timeout 121
exit
enable
exit
bridge 10
vlan 10
ip firewall disable
ip address 10.10.0.1/16
ip helper-address 192.168.16.54
service-subscriber-control any
location USER
protected-ports
protected-ports exclude vlan
enable
exit
interface gigabitethernet 1/0/2
ip firewall disable
ip address 192.168.16.140/23
exit
interface gigabitethernet 1/0/3.10
bridge-group 10
ip firewall disable
exit
interface gigabitethernet 1/0/4
ip firewall disable
ip address 30.30.30.2/24
exit
interface tengigabitethernet 1/0/1
ip firewall disable
exit
interface tengigabitethernet 1/0/1.10
bridge-group 10
exit
interface tengigabitethernet 1/0/1.20
ip firewall disable
ip address 20.20.20.1/24
exit
interface tengigabitethernet 1/0/1.30
bridge-group 10
exit
interface tengigabitethernet 1/0/1.40
bridge-group 10
exit
nat source
ruleset factory
to interface gigabitethernet 1/0/2
rule 10
description "replace 'source ip' by outgoing interface ip address"
match source-address any
action source-nat interface
enable
exit
exit
ip route 0.0.0.0/0 192.168.16.145
ip telnet server
|