Monday, August 31, 2009

How to install SCABB snmp real time monitoring (SNMP RTM)

If you have installed SCABB (Service Control Application for Broadband) or read the SCA BB end user guide, you will be familiar with this topic. It is a tool for network admins to monitor their network using SNMP in real time. Following the Cisco guide, the SNMP tools we will use are MRTG (Multi Router Traffic Grapher) and RRDtool (Round Robin Database tool). MRTG collects the SNMP data from the SCE and generates HTML pages; RRDtool stores the data in a round-robin database and generates the graphs. In my lab environment I'm using my desktop with Windows XP, SCABB v3.1.6 and an SCE 2020.

How it works :

These are the components that will be used to install SNMP RTM:

1. MRTG-2.14.5 - download from mrtg.org
2. rrdtool-1.2.15 - download from rrdtool.org
3. ActivePerl 5.8 - search google.com and download
4. Apache2 - download from apache.org
5. sca_bb v3.1.6 - download from cisco.com
6. sca_bb utility - extracted from sca_bb v3.1.6
7. scabb_rtm_templates_v3.0.5A_b05 - download from cisco.com
8. FireDaemon - search google.com and download
9. Java (JRE) 1.4.2 - download from java.sun.com


- MRTG collects the SNMP data
- RRDtool stores the data
- ActivePerl runs MRTG
- Apache runs the web server and CGI
- SCABB v3.1.6 provides the SCABB utility
- the SCABB utility generates the MRTG cfg files
- the SCABB RTM templates are what the cfg files are generated from, together with the SCE configuration
- FireDaemon runs the scheduler
- Java is needed to run the SCABB utility


Getting started :

1. Install MRTG, Perl and RRDtool in C:\
2. Install the Apache web server in C:\Program Files
3. Install FireDaemon
4. Install Java
5. Extract SCABB v3.1.6, then extract the SCABB utility (bin & lib) to C:\
6. Extract the SCABB RTM templates to C:\bin\
7. Create the directory rtm-output in C:\bin\
8. Edit the rtmcmd.cfg file:


#The absolute path to the RRD tool's execution files folder
#Use '\\' or '/' as path separator
rrdtool_bin_dir=C:/rrdtool-1.2.15/rrdtool/Release

#The absolute path where RTM files will be placed.
#This path will be used by MRTG to create and update the RRD files
#Note: path must not contain white spaces!
rtm_dir=C:/PROGRA~1/APACHE~1/Apache2.2/htdocs

#The absolute path to the MRTG bin folder.
#This path will be used to create file crontab.txt
mrtg_bin_dir=C:/mrtg-2.14.5/bin

#The SCE's community string
snmpCommunityString=public

9. Open a command prompt and run this command: rtmcmd -S "ip_sce1;ipsce2" -U xxxxx -P xxxxx --pqb-sce=ip_sce1 --source-dir=/templates --dest-dir=/rtm-output -c ./rtmcmd.cfg

C:\bin\rtmcmd -S "ip_sce1;ipsce2" -U xxxxx -P xxxxx --pqb-sce=ip_sce1 --source-dir=/templates --dest-dir=/rtm-output -c ./rtmcmd.cfg
connecting to ip_sce1 ... done
retrieving service configuration from SCE ... done
disconnecting from device ... done
loading user configuration from file 'rtmcmd.cfg' ... done
processing templates from '\templates' to '\rtm-output' ... done
C:\bin>

10. Check the rtm-output directory:

C:\bin\rtm-output>dir
Volume in drive C has no label.
Volume Serial Number is C4C2-8BAA

Directory of C:\bin\rtm-output

08/31/2009 08:16 AM <DIR> .
08/31/2009 08:16 AM <DIR> ..
08/31/2009 10:30 AM 43 .htaccess
08/31/2009 10:30 AM 386 crontab-unix.txt
08/31/2009 10:30 AM 310 crontab-windows.txt
08/31/2009 08:16 AM <DIR> mrtg-cfg
08/31/2009 08:16 AM <DIR> sce_202.155.50.75
08/31/2009 08:16 AM <DIR> sce_202.155.50.77
08/31/2009 08:16 AM <DIR> static

11. Copy all files to C:\Program Files\Apache Software Foundation\Apache2.2\htdocs
12. Edit the Apache httpd configuration file and add these directives :


Options Indexes FollowSymLinks ExecCGI
AllowOverride Indexes
Order allow,deny
Allow from all


13. Test MRTG and the MRTG cfg file with this command :

C:\Perl\bin>perl.exe c:\mrtg-2.14.5\bin\mrtg "c:\Program Files\Apache Software Foundation\Apache2.2\htdocs\mrtg-cfg\ip_sce1_scabb_mrtg.cfg"

If no error appears, check the working directory: a lot of .rrd files will have been generated.

14. Open FireDaemon and add a new service definition :

Shortname : sce1
Executable : C:\Perl\bin\wperl.exe
Working Dir : C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\sce_ip_sce1
Parameters : C:\mrtg-2.14.5\bin\mrtg "C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\mrtg-cfg\ip_sce1_scabb_mrtg.cfg"

Start service sce1

Shortname : sce2
Executable : C:\Perl\bin\wperl.exe
Working Dir : C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\sce_ip_sce2
Parameters : C:\mrtg-2.14.5\bin\mrtg "C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\mrtg-cfg\ip_sce2_scabb_mrtg.cfg"

Start service sce2



15. Open a web browser and go to :

http://localhost/sce_ip_sce1/
http://localhost/sce_ip_sce2/

And finally you will see the following display in your browser :

Reference : http://www.cisco.com/en/US/products/ps61/products_user_guide_book09186a0080843872.html
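As an added example (not from the post or from Cisco's rtmcmd tool), a small Python checker for the rtmcmd.cfg format shown in step 8: it parses the key=value lines, checks the constraints the file's own comments state (absolute paths, '\\' or '/' as separator, no white space in rtm_dir), flags duplicate keys, and warns when snmpCommunityString is still a well-known default such as "public". The sample config is constructed from the values in the post.

```python
import re

# Constructed sample: the rtmcmd.cfg from the post above, with the same keys and values.
SAMPLE_RTMCMD_CFG = r"""
#The absolute path to the RRD tool's execution files folder
#Use '\\' or '/' as path separator
rrdtool_bin_dir=C:/rrdtool-1.2.15/rrdtool/Release

#The absolute path where RTM files will be placed.
#This path will be used by MRTG to create and update the RRD files
#Note: path must not contain white spaces!
rtm_dir=C:/PROGRA~1/APACHE~1/Apache2.2/htdocs

#The absolute path to the MRTG bin folder.
mrtg_bin_dir=C:/mrtg-2.14.5/bin

#The SCE's community string
snmpCommunityString=public
""".strip()

# The four keys the post's rtmcmd.cfg sets; the *_dir keys must be absolute paths.
REQUIRED_KEYS = ("rrdtool_bin_dir", "rtm_dir", "mrtg_bin_dir", "snmpCommunityString")
PATH_KEYS = ("rrdtool_bin_dir", "rtm_dir", "mrtg_bin_dir")
ABSOLUTE_RE = re.compile(r"^(?:[A-Za-z]:[\\/]|/)")   # C:/..., C:\..., or /...
LONE_BACKSLASH_RE = re.compile(r"(?<!\\)\\(?!\\)")   # a '\' that is not doubled
DEFAULT_COMMUNITIES = ("public", "private")          # well-known SNMP default communities


def parse_rtmcmd_cfg(text):
    """Parse key=value lines ('#' comments and blanks skipped); returns (settings, problems)."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            problems.append(f"line {lineno}: not a key=value line: {line!r}")
            continue
        key, value = key.strip(), value.strip()
        if key in settings:
            problems.append(f"line {lineno}: duplicate key {key} (earlier value {settings[key]!r})")
        settings[key] = value
    return settings, problems


def check_rtmcmd_cfg(text):
    """Return (settings, findings); an empty findings list means every check passed."""
    settings, findings = parse_rtmcmd_cfg(text)
    for key in REQUIRED_KEYS:
        if key not in settings:
            findings.append(f"missing required key {key}")
    for key in PATH_KEYS:
        value = settings.get(key)
        if value is None:
            continue
        if not ABSOLUTE_RE.match(value):
            findings.append(f"{key}: {value!r} is not an absolute path")
        if LONE_BACKSLASH_RE.search(value):
            findings.append(f"{key}: use '\\\\' or '/' as the path separator, not a single '\\'")
        if key == "rtm_dir" and re.search(r"\s", value):
            findings.append("rtm_dir must not contain white space (use the 8.3 short name, e.g. PROGRA~1)")
    if settings.get("snmpCommunityString") in DEFAULT_COMMUNITIES:
        findings.append("snmpCommunityString is a default community; configure a non-default "
                        "read-only community on the SCE and use it here")
    return settings, findings


if __name__ == "__main__":
    for finding in check_rtmcmd_cfg(SAMPLE_RTMCMD_CFG)[1]:
        print("WARN:", finding)
```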

Friday, August 14, 2009

Update protocol pack and signature using SCABB / SCE

Using the Cisco SCE we can manage traffic per application, based on the protocols supported by the SCE software. In my lab I use an SCE 2020 with software 3.1.6. My goal is to control or even block subscriber traffic to bandwidth-consuming applications such as peer-to-peer, Flash YouTube, Flash Yahoo, Google Video, HTTP download, etc.

First I applied the streaming service to the package and made some rules to control it, then I mapped the subscriber to that package using the SM. Somehow the rules were not working: the user could still access Google Video, Flash YouTube, etc. Then I checked the reporting in SCABB and the user traffic was classified as browsing. I suspected that the SCE could not detect those protocols as the Flash protocol defined in its service configuration. I checked the Cisco website and found that I had to upgrade the protocol pack of the existing software. This happens because protocols on the internet keep being updated, and the SCE must improve its capability to detect and classify new protocols and signatures. The newest protocol pack is SCA BB Protocol Pack #17; it resolves some caveats of the previous protocol pack, such as misclassified protocols (e.g. Yahoo login, Flash).

These are the newly updated protocols :
• Flash YouTube HD
• Flash YouTube Normal
• Yahoo General Login
• Sky Player - (Supported by 3.5.0 only)


And here is the guide :

1. Download the SPQI at cisco.com
2. Extract the SPQI file from the 3.1.6 Protocol Pack #17 ZIP package
3. Install the protocol pack using SCABB: right-click on the SCE in the Network Navigator menu
4. Extract the script.txt file from the 3.1.6 Protocol Pack #17 ZIP package and upload it to the SCE platform using FTP.

SCE2020#copy-passive ftp://user:pass@ip-address/script.txt script.txt

5. Open a CLI session on the SCE platform and navigate to the directory holding the uploaded script.txt. As the admin user, run the script with "script run script.txt".

SCE2020-2#>script run script.txt


configure
interface LineCard 0

lookup GT_LUT_HTTP_BASED_PROTOCOLS_UserAgents overwrite-key "Babelgum" value 23
lookup GT_LUT_HTTP_BASED_PROTOCOLS_UserAgents overwrite-key "babelgum" value 23
lookup GT_LUT_HTTP_BASED_PROTOCOLS_UserAgents overwrite-key "Deluge*" value 9
lookup GT_LUT_HTTP_BASED_PROTOCOLS_UserAgents overwrite-key "TVUPlayer*" value 24
lookup GT_LUT_HTTP_BASED_PROTOCOLS_UserAgents overwrite-key "PIPIPlayer" value 25
lookup GT_LUT_HTTP_BASED_PROTOCOLS_UserAgents overwrite-key "NateOn*" value 26
lookup GT_LUT_HTTP_BASED_PROTOCOLS_UserAgents overwrite-key "ed2k" value 6

lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "*:*.babelgum.com" value 7
lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "*:*.vuze.com" value 8
lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "*:channel2.tvunetworks.com" value 10
lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "co*:*.tvunetworks.com" value 10
lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "*:mb.tvunetworks.com" value 10
lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "*:pages.tvunetworks.com" value 10
lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "*:*mail.google.com" value 11
lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "*:*skype.com" value 12
lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "*:*joost.com" value 13
lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "*:*googlevideo.com" value 1

lookup GT_LUT_HTTP_BASED_PROTOCOLS_URL overwrite-key /videoplayback*:* value 2
lookup GT_LUT_HTTP_BASED_PROTOCOLS_URL overwrite-key *:*.hash value 7

lookup GT_LUT_DestPortBasedProtocolsPostMultipleSig overwrite-key "0.6.0.22:0xffffffff" value 16777216

lookup GT_LUT_HTTP_SPLIT_INITIATEE_BASED_PROTOCOLS_Server overwrite-key "AIM*:*" value 7

tunable GT_PL_USE_OLD_BEHAVIORAL_DOWNLOAD value false
tunable PL_AGING_RTMP value 3000
tunable GT_PL_SKYPE_TCP_PRECEDE_PKTS_PAT_MAX value 180

tunable GT_PL_BEHAVIORAL_DOWNLOAD_MIN_AVG_PACKET_SIZE value 700
tunable GT_PL_BEHAVIORAL_DOWNLOAD_MAX_VOLUME_RATIO value 25
tunable GT_PL_BEHAVIORAL_DOWNLOAD_PACKET_DEVIATION_HI_VOL_FACTOR value 50

tunable GT_PL_WINNYP_NUMBER_OF_CHECKED_PACKETS value 5
tunable GT_PL_WINNYP_MAXIMAL_ALLOWED_DIRECTION_CHANGES value 5

tunable GT_QQMaxPacketsInSameDir value 7

exit
exit

copy running-config-application startup-config-application
Writing general configuration file to temporary location...
Removing old application configuration file...
Renaming temporary application configuration file with the final file's name...

SCE2020-1#>
The screenshots show YouTube and Google Video successfully blocked.

YouTube :

Google Video :

This is only a sample showing how to block Google Video or YouTube; you can control any protocol as long as it is supported by the protocol pack.
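As an added example (not from the post or from Cisco), a Python parser for the script.txt syntax shown in step 5: it collects the lookup-table overwrite-key entries and tunables the script would write, reports any key the script sets twice with different values, and confirms the script ends by saving the application configuration, which is the review an operator wants before running a protocol pack on a production SCE. The sample script is a shortened copy of the one above.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the script.txt shown above (same syntax).
SAMPLE_SCRIPT = """
configure
interface LineCard 0
lookup GT_LUT_HTTP_BASED_PROTOCOLS_UserAgents overwrite-key "Babelgum" value 23
lookup GT_LUT_HTTP_BASED_PROTOCOLS_UserAgents overwrite-key "Deluge*" value 9
lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "*:*.babelgum.com" value 7
lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "*:*googlevideo.com" value 1
lookup GT_LUT_HTTP_BASED_PROTOCOLS_URL overwrite-key /videoplayback*:* value 2
tunable GT_PL_USE_OLD_BEHAVIORAL_DOWNLOAD value false
tunable PL_AGING_RTMP value 3000
exit
exit
copy running-config-application startup-config-application
"""

# Keys are either double-quoted ("Deluge*") or a bare token (/videoplayback*:*).
LOOKUP_RE = re.compile(r'^lookup\s+(\S+)\s+overwrite-key\s+(?:"([^"]*)"|(\S+))\s+value\s+(\S+)$')
TUNABLE_RE = re.compile(r"^tunable\s+(\S+)\s+value\s+(\S+)$")


def parse_pack_script(text):
    """Return the lookup entries and tunables the script writes, plus findings for
    keys the script sets to two different values (a later line silently wins)."""
    lookups = defaultdict(dict)   # table name -> {key: value}
    tunables = {}
    findings, other = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LOOKUP_RE.match(line)
        if m:
            table, value = m.group(1), m.group(4)
            key = m.group(2) if m.group(2) is not None else m.group(3)
            old = lookups[table].get(key)
            if old is not None and old != value:
                findings.append(f"line {lineno}: {table} key {key!r} set to {value} after {old}")
            lookups[table][key] = value
            continue
        m = TUNABLE_RE.match(line)
        if m:
            name, value = m.groups()
            old = tunables.get(name)
            if old is not None and old != value:
                findings.append(f"line {lineno}: tunable {name} set to {value} after {old}")
            tunables[name] = value
            continue
        other.append(line)   # configure / interface / exit / copy lines
    return {"lookups": dict(lookups), "tunables": tunables,
            "findings": findings, "other": other}


def summarize(parsed):
    """Per-table entry counts plus the number of tunables, for a quick change review."""
    summary = {table: len(entries) for table, entries in parsed["lookups"].items()}
    summary["tunables"] = len(parsed["tunables"])
    return summary


def persists_config(parsed):
    """True when the script copies the running application config to startup, as above."""
    return any(line.startswith("copy running-config-application") for line in parsed["other"])


if __name__ == "__main__":
    result = parse_pack_script(SAMPLE_SCRIPT)
    print(summarize(result), "saved:", persists_config(result))
    for finding in result["findings"]:
        print("CONFLICT:", finding)
```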

Tuesday, August 4, 2009

ISG - SCE Integration using SCMP

ISG (Intelligent Services Gateway) is a broadband aggregation router that delivers services from a service provider to broadband subscribers. Using ISG we can control and apply dynamic policy to the subscriber, such as a turbo button (upgrade or downgrade speed), parental control, subscriber self-control using a captive portal / redirect walled-garden service, and external policy control using CoA. A more advanced implementation is to run ISG in collaboration with the SCE as a DPI (deep packet inspection) service control. Using the SCE we can create different service levels for subscribers: we can control the subscriber traffic at the application layer (layer 7) or use its traffic shaping capabilities.

To integrate SCE and ISG we can use SCMP, which allows ISG and SCE to manage subscriber sessions and apply a particular service / profile to a subscriber dynamically, instead of using the Subscriber Manager (SM) with the SCABB application. An external portal / walled garden can send a CoA packet (CoA, RFC 3576) to the ISG to change the user's service. In the ISG policy we can define the package that will be sent to the SCE via CoA, including the GUID / user identity; when the SCE accepts the CoA, it assigns the package to this GUID.

I built a lab to implement this integration, using ISG and SCE 2020. Here is the diagram:

DIAGRAM :

ISG configuration :

ISGD2#
!
aaa attribute list coa
attribute type nas-ip-address 172.16.0.29
!
!
!
aaa server radius policy-device
key peditea
message-authenticator ignore
client 192.168.50.77 vrf vpn_internet key peditea
!


Verify the SCMP peer in the ISG:

ISGD2#sh subscriber policy peer all
EXTERNAL POLICY PEER Details:
=============================

Peer IP: 192.168.50.77
Conn ID: 11
Mode : PUSH
State : ACTIVE
Version: 2.0
Conn up time: 00:08:55
Conf keepalive: 100
Negotiated keepalive: 100
Time since last keepalive: 00:00:34
Inform owner on pull: TRUE
Total number of associated sessions: 1


CoA from ISG to SCE :

*Aug 4 06:16:27.582: RADIUS(00000000): Send CoA Request to 192.168.50.77:3799 id 1645/53, len 211
*Aug 4 06:16:27.582: RADIUS: authenticator C7 E2 B1 A2 F5 7B 13 65 - 98 05 83 9B A5 DF 5E CE
*Aug 4 06:16:27.582: RADIUS: Vendor, Cisco [26] 37
*Aug 4 06:16:27.582: RADIUS: Cisco AVpair [1] 31 "session-guid=CA9B591E0000003C"
*Aug 4 06:16:27.582: RADIUS: NAS-Port [5] 6 60000
*Aug 4 06:16:27.582: RADIUS: NAS-Port-Id [87] 21 "nas-port:0/0/0/86/0"
*Aug 4 06:16:27.582: RADIUS: Vendor, Cisco [26] 37
*Aug 4 06:16:27.582: RADIUS: Cisco AVpair [1] 31 "subscriber:command=updateSess"
*Aug 4 06:16:27.582: RADIUS: Vendor, Cisco [26] 32
*Aug 4 06:16:27.582: RADIUS: Cisco AVpair [1] 26 "subscriber:policy-name=6"
*Aug 4 06:16:27.582: RADIUS: Vendor, Cisco [26] 36
*Aug 4 06:16:27.582: RADIUS: Cisco AVpair [1] 30 "subscriber:service-monitor=1"
*Aug 4 06:16:27.582: RADIUS: NAS-IP-Address [4] 6 172.16.0.29
*Aug 4 06:16:27.582: RADIUS: User-Name [1] 10 "fadlytea"
*Aug 4 06:16:27.582: RADIUS: Framed-IP-Address [8] 6 172.16.94.2
*Aug 4 06:16:27.586: RADIUS: Received from id 1645/53 192.168.50.77:3799, CoA Ack Response, len 63
*Aug 4 06:16:27.586: RADIUS: authenticator B8 00 27 53 E2 DF 79 28 - 82 30 38 3F 76 A9 85 06
*Aug 4 06:16:27.586: RADIUS: NAS-IP-Address [4] 6 192.168.50.77
*Aug 4 06:16:27.586: RADIUS: Vendor, Cisco [26] 37
*Aug 4 06:16:27.586: RADIUS: Cisco AVpair [1] 31 "session-guid=CA9B591E0000003C"
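As an added example (not from the post or from Cisco IOS), a Python checker for the CoA exchange shown above: it parses the ISG debug lines into the request the ISG sent and the response the SCE returned, then verifies that the SCE answered with a CoA Ack carrying the same RADIUS id, the same peer and the same session-guid, which is the GUID the later "sh subscriber policy peer all detail" and "sh interface LineCard 0 subscriber name" outputs should show. The sample is a constructed copy of the debug output above.

```python
import re

# Constructed sample: the CoA request/Ack pair from the ISG debug output above,
# reproduced line by line in the same "debug radius" format.
SAMPLE_DEBUG = """\
*Aug 4 06:16:27.582: RADIUS(00000000): Send CoA Request to 192.168.50.77:3799 id 1645/53, len 211
*Aug 4 06:16:27.582: RADIUS: authenticator C7 E2 B1 A2 F5 7B 13 65 - 98 05 83 9B A5 DF 5E CE
*Aug 4 06:16:27.582: RADIUS: Vendor, Cisco [26] 37
*Aug 4 06:16:27.582: RADIUS: Cisco AVpair [1] 31 "session-guid=CA9B591E0000003C"
*Aug 4 06:16:27.582: RADIUS: NAS-Port [5] 6 60000
*Aug 4 06:16:27.582: RADIUS: NAS-Port-Id [87] 21 "nas-port:0/0/0/86/0"
*Aug 4 06:16:27.582: RADIUS: Vendor, Cisco [26] 37
*Aug 4 06:16:27.582: RADIUS: Cisco AVpair [1] 31 "subscriber:command=updateSess"
*Aug 4 06:16:27.582: RADIUS: Vendor, Cisco [26] 32
*Aug 4 06:16:27.582: RADIUS: Cisco AVpair [1] 26 "subscriber:policy-name=6"
*Aug 4 06:16:27.582: RADIUS: Vendor, Cisco [26] 36
*Aug 4 06:16:27.582: RADIUS: Cisco AVpair [1] 30 "subscriber:service-monitor=1"
*Aug 4 06:16:27.582: RADIUS: NAS-IP-Address [4] 6 172.16.0.29
*Aug 4 06:16:27.582: RADIUS: User-Name [1] 10 "fadlytea"
*Aug 4 06:16:27.582: RADIUS: Framed-IP-Address [8] 6 172.16.94.2
*Aug 4 06:16:27.586: RADIUS: Received from id 1645/53 192.168.50.77:3799, CoA Ack Response, len 63
*Aug 4 06:16:27.586: RADIUS: authenticator B8 00 27 53 E2 DF 79 28 - 82 30 38 3F 76 A9 85 06
*Aug 4 06:16:27.586: RADIUS: NAS-IP-Address [4] 6 192.168.50.77
*Aug 4 06:16:27.586: RADIUS: Vendor, Cisco [26] 37
*Aug 4 06:16:27.586: RADIUS: Cisco AVpair [1] 31 "session-guid=CA9B591E0000003C"
"""

SEND_RE = re.compile(r"Send CoA Request to (\S+):(\d+) id (\S+), len (\d+)")
RECV_RE = re.compile(r"Received from id (\S+) (\S+):(\d+), (CoA \w+ Response), len (\d+)")
AVPAIR_RE = re.compile(r'Cisco AVpair \[1\] \d+ "([^"]*)"')
ATTR_RE = re.compile(r"RADIUS: ([\w-]+) \[(\d+)\] (\d+) (.*)$")   # standard attributes


def parse_coa_exchange(debug_text):
    """Split the debug output into the CoA request and the response the peer returned.
    Each is a dict with peer, id, length, attrs (standard RADIUS) and avpairs (Cisco VSAs)."""
    request = response = current = None
    for line in debug_text.splitlines():
        m = SEND_RE.search(line)
        if m:
            request = {"peer": f"{m.group(1)}:{m.group(2)}", "id": m.group(3),
                       "length": int(m.group(4)), "attrs": {}, "avpairs": {}}
            current = request
            continue
        m = RECV_RE.search(line)
        if m:
            response = {"id": m.group(1), "peer": f"{m.group(2)}:{m.group(3)}",
                        "code": m.group(4), "length": int(m.group(5)),
                        "attrs": {}, "avpairs": {}}
            current = response
            continue
        if current is None:
            continue
        m = AVPAIR_RE.search(line)
        if m:
            key, _, value = m.group(1).partition("=")   # e.g. subscriber:policy-name=6
            current["avpairs"][key] = value
            continue
        m = ATTR_RE.search(line)
        if m:
            current["attrs"][m.group(1)] = m.group(4).strip().strip('"')
    return request, response


def verify_coa(request, response):
    """Return findings for an inconsistent exchange; an empty list means it looks right."""
    if request is None:
        return ["no CoA request found"]
    if response is None:
        return [f"no response found for CoA request id {request['id']}"]
    findings = []
    if response["code"] != "CoA Ack Response":
        findings.append(f"peer answered {response['code']}, not a CoA Ack")
    if response["id"] != request["id"]:
        findings.append(f"response id {response['id']} does not match request id {request['id']}")
    if response["peer"] != request["peer"]:
        findings.append(f"response came from {response['peer']}, request went to {request['peer']}")
    req_guid = request["avpairs"].get("session-guid")
    if req_guid is None:
        findings.append("request carries no session-guid")
    elif response["avpairs"].get("session-guid") != req_guid:
        findings.append("session-guid in the Ack differs from the one in the request")
    return findings


if __name__ == "__main__":
    req, resp = parse_coa_exchange(SAMPLE_DEBUG)
    print(req["avpairs"], verify_coa(req, resp) or "exchange consistent")
```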

Verify the user session GUID:

ISGD2#sh subscriber policy peer all detail
EXTERNAL POLICY PEER Details:
=============================

Peer IP: 192.168.50.77
Conn ID: 11
Mode : PUSH
State : ACTIVE
Version: 2.0
Conn up time: 00:08:57
Conf keepalive: 100
Negotiated keepalive: 100
Time since last keepalive: 00:00:36
Inform owner on pull: TRUE
Total number of associated sessions: 1
Associated session details:
CA9B591E0000003C

ISGD2#


Verify SCMP peer in the SCE :




SCE2020-2#sh scmp all
SCMP Connection 'isg-dev2' status:
172.16.0.29 auth-port 1645 acct-port 1646
Connection state: Connected
Peer protocol-version: 2.0
Keep-alive interval: 100 seconds
Force single SCE: Yes
Send session start: Yes
Time connected: 9 minutes, 18 seconds




Verify subscriber session GUID mapping package in SCE :

SCE2020-2#SH interface LineCard 0 subscriber name CA9B591E0000003C
Subscriber 'CA9B591E0000003C' manager: isg-dev2
Subscriber 'CA9B591E0000003C' properties:
downVlinkId=0
monitor=1
new_classification_policy=0
packageId=6
QpLimit[0..17]=0*17,8
QpSet[0..17]=0*17,1
upVlinkId=0
Subscriber 'CA9B591E0000003C' read-only properties:
concurrentAttacksNumber=0
PV_QP_QuotaSetCounter[0..17]=0*18
PV_QP_QuotaUsageCounter[0..17]=0*18
PV_REP_nonReportedSessionsInTUR=0
P_aggPeriodType=5
P_blockReportCounter=0
P_endOfAggPeriodTimestamp=0
P_firstTimeParty=TRUE
P_localEndOfAggPeriodTimestamp=0
P_MibSubCounters16[0..31][0..1]=0*64
P_MibSubCounters32[0..31][0..1]=0*64
P_newParty=TRUE
p_numOfRedirections=0
P_partyCurrentDownVLink=0
P_partyCurrentPackage=6
P_partyCurrentUpVLink=0
P_partyGoOnlineTime=0
P_partyMonth=0
P_serviceReportedBitMap=0
Subscriber 'CA9B591E0000003C' mappings:
IP 172.16.94.2 - Expiration (sec): Unlimited
Subscriber 'CA9B591E0000003C' has 0 active sessions.
Aging disabled
SCE2020-2#


Thursday, July 30, 2009

PPPOE and L2TP Multihop VPDN

There are many different technologies in broadband access networks, including DSL, cable, Ethernet, wireless, etc. PPPoE is commonly used with ADSL technology by ISPs. L2TP is one of the most used protocols in broadband networks; it is commonly used by operators or broadband access providers to extend their network to ISPs as a wholesale service.

I tried to work out the basic concept and configuration for implementing them. For the PC I'm using Windows XP as the PPPoE client, a Cisco 2600 as the LAC (vpn-server), a 7200 as the LNS (isg-dev2) and another 7200 as LNS-2 (isg2-jtpd) to terminate the PPP session from the PC.



The PC connects with PPPoE using a user in the domain @imm.com. vpn-server accepts the PPPoE request and forwards it over L2TP, based on the domain, to the LNS (ISG-DEV2). The LNS then forwards the PPP session with L2TP multihop to LNS-2, based on the multihop LAC hostname. LNS-2 terminates the PPP session and gives the user an IP address.




DIAGRAM :





CONFIGURATION :

1. pppoe :

VPN-SERVER#

!
vpdn-group pppoe
accept-dialin
protocol pppoe
virtual-template 15
lcp renegotiation always
!


2. VPDN Tunnel Switching :

VPN-SERVER#
!
vpdn search-order domain
!
vpdn-group 1
request-dialin
protocol l2tp
domain imm.com
initiate-to ip 11.0.0.1
local name lac
no source vpdn-template
l2tp tunnel password peditea
!

ISGDEV2#

vpdn-group multihop-in
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname lac
local name lns-multi
l2tp tunnel password 0 peditea

3. VPDN MULTIHOP (L2TP)

ISGDEV2#
!
vpdn multihop
vpdn search-order multihop-hostname
!
vpdn-group multihop
request-dialin
protocol l2tp
multihop hostname lac
initiate-to ip 192.168.89.6
local name lns-multi
l2tp tunnel password 0 peditea
!

ISG-JTPD#
!
vpdn-group 1
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname lns-multi
local name lns-server
l2tp tunnel password 0 peditea
!

VERIFYING :



VPN_SERVER#sh vpdn

L2TP Tunnel and Session Information Total tunnels 1 sessions 1

LocID RemID Remote Name State Remote Address Port Sessions VPDN Group
3402 65399 lns-multi est 11.0.0.1 1701 1 1

LocID RemID TunID Intf Username State Last Chg Uniq ID
964 33172 3402 SSS Circuit -imm@imm.com est 00:00:14 344


ISGDEV2#sh vpdn tunnel

L2TP Tunnel Information Total tunnels 2 sessions 2

LocTunID RemTunID Remote Name State Remote Address Sessn L2TP Class/
Count VPDN Group
30787 61466 lns-server est 192.168.89.6 1 multihop
65399 3402 lac est 11.0.0.2 1 multihop-in


ISG2-JTPD#sh vpdn


L2TP Tunnel and Session Information Total tunnels 1 sessions 1

LocID RemID Remote Name State Remote Address Port Sessions L2TP Class/
VPDN Group
61466 30787 lns-multi est 192.168.89.3 1701 1 1

LocID RemID TunID Username, Intf/ State Last Chg Uniq ID
Vcid, Circuit
8 10696 61466 -imm@imm.com, Vi3 est 00:01:03 491


Reference : http://www.cisco.com/en/US/docs/ios/bbdsl/configuration/guide/bba_understanding_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1049344

Wednesday, July 29, 2009

Point-to-Point Protocol over Ethernet - using windows & cisco

PPPoE is a network protocol for encapsulating PPP in an Ethernet network. It is one of the dial technologies, beside PPTP and L2TP. It is usually used in ADSL networks: the subscriber accesses the internet provider using their credentials (username and password). PPPoE works at layer 2, whereas PPTP works at layer 3.

What I want to show you is the basic configuration using Windows as the PPPoE client and a Cisco 2600 as the PPPoE server.

Here is the diagram :


1. Create Virtual-Template :

VPN_SERVER(config)# interface Virtual-Template1
VPN_SERVER(config-if)# ip unnumbered FastEthernet0/1.81
VPN_SERVER(config-if)# ip tcp adjust-mss 1460

2. Enable vpdn and making vpdn-group :


VPN_SERVER(config)# vpdn enable
VPN_SERVER(config)# vpdn-group pppoe
VPN_SERVER(config-vpdn)# accept-dialin
VPN_SERVER(config-vpdn-acc-in)# protocol pppoe
VPN_SERVER(config-vpdn-acc-in)# virtual-template 1
VPN_SERVER(config-vpdn-acc-in)# exit
VPN_SERVER(config-vpdn)# lcp renegotiation always

3. Configure authentication & ip address pool :

Enable AAA and method-list :

VPN_SERVER(config)# aaa new-model
VPN_SERVER(config)# aaa authentication ppp default local
VPN_SERVER(config)# aaa authorization network default local

Create Username :

VPN_SERVER(config)# username fadly password 0 cisco

Create Ip pool :

VPN_SERVER(config)# ip local pool vpn_sce 192.168.100.1 192.168.100.100

Enable ppp authentication and assign pool :

VPN_SERVER(config)# interface Virtual-Template1
VPN_SERVER(config-if)# peer default ip address pool vpn_sce
VPN_SERVER(config-if)# ppp authentication pap chap

4. Enable pppoe in interface :

VPN_SERVER(config)# interface FastEthernet0/0
VPN_SERVER(config-if)# ip address 172.16.0.11 255.255.128.0 secondary
VPN_SERVER(config-if)# pppoe enable

5. Create the PPPoE client and dial from Windows XP :

6. Verify the PPPoE session :

VPN_SERVER#sh user
    Line       User       Host(s)              Idle       Location
*  66 vty 0     fadly      idle                 00:00:00 172.16.0.134

  Interface    User               Mode         Idle     Peer Address
  Vi1.1        fadly              PPPoE        00:00:00 192.168.100.5

VPN_SERVER#


VPN_SERVER#sh vpdn

PPPoE Tunnel and Session Information Total tunnels 1 sessions 1

PPPoE Session Information
UID SID RemMAC OIntf Intf Session
LocMAC VASt state
278 841 0090.f55d.6dbc Fa0/0 Vi1.1 CNCT_PTA
000d.bd6c.3fc0 UP


VPN_SERVER#

VPN_SERVER#sh sss session
Current SSS Information: Total sessions 1

Uniq ID Type State Service Identifier Last Chg
278 PPPoE/PPP connected Local Term fadly 00:04:18


It is very straightforward :)



Tuesday, July 28, 2009

Basic PIX firewall configuration

This is the basic PIX firewall configuration and concept.

A firewall is a networking device that protects a private network from unauthorized internet users. It has the concept of an inside / private network and an outside / internet network, distinguished by assigning security levels. The outside has a security level of 0 and the inside has a security level of 100, meaning that traffic from a lower security level interface will not pass to a higher security level interface. We can modify the rules to make traffic flow from the outside interface to the inside interface.


Diagram :



Basic Configuration

1. Set the hostname :

pixfirewall# configure terminal
pixfirewall(config)#hostname pix-jtpd


2. Set the password :

Login password :
pix-jtpd(config)# password cisco

Enable password :
pix-jtpd(config)# enable password cisco

3. Verifying the security levels :

pix-jtpd# show nameif
Interface Name Security
Ethernet0 outside 0
Ethernet1 inside 100
pix-jtpd#

4. Set ip address :

interface Ethernet0
nameif outside
security-level 0
ip address 192.168.78.182 255.255.255.252
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.78.186 255.255.255.252

Verify interface ip address :

pix-jtpd# sh interface ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0 192.168.78.182 YES manual up up
Ethernet1 192.168.78.186 YES manual up up
pix-jtpd#

Ping back to back ip address :

pix-jtpd# ping 192.168.78.181
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.78.181, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
pix-jtpd# ping 192.168.78.185
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.78.185, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
pix-jtpd#

5. Configure default route

pix-jtpd(config)# route outside 0.0.0.0 0.0.0.0 192.168.78.181 1

pix-jtpd# show ip route
C 192.168.78.180 255.255.255.252 is directly connected, outside
C 192.168.78.184 255.255.255.252 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.78.181, outside
pix-jtpd#

6. Configuring NAT and define subscriber network :

a. Map an IP address to a name :
pix-jtpd(config)# name 192.168.32.0 subscriber

b. Set subscriber route :
route inside chat-subs 255.255.255.0 192.168.78.185 1

c. Setting nat :
inside network :
pix-jtpd(config)# nat (inside) 1 chat-subs 255.255.255.0
pix-jtpd(config)# nat (inside) 1 192.168.78.184 255.255.255.252

global network :
global (outside) 1 192.168.78.188 netmask 255.255.255.255

NOTE : must configure route from PE to global (outside)

d. Verify NAT is working :

pix-jtpd# sh xlate
94 in use, 3299 most used
PAT Global 192.168.78.188(1095) Local 192.168.32.30(2182)
PAT Global 192.168.78.188(1053) Local 192.168.32.30(59266)
PAT Global 192.168.78.188(1052) Local 192.168.32.30(65524)
PAT Global 192.168.78.188(1051) Local 192.168.32.30(50954)

7. Making Rule / Access-list

Setting ACL :

pix-jtpd(config)# access-list acl_grp extended permit icmp any any
pix-jtpd(config)# access-list acl_grp extended permit tcp any any
pix-jtpd(config)# access-list acl_grp extended permit ip any any

Apply to the interface :

pix-jtpd(config)# access-group acl_grp in interface outside
pix-jtpd(config)# access-group acl_grp in interface inside
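As an added example (not from the post or from Cisco), a small Python model of the decision the PIX makes for a new connection: when an access-group is bound inbound on the ingress interface, the ACL (first match, implicit deny) decides; otherwise the security-level rule from the introduction applies. Run on the page's config it shows that "permit ip any any" bound to the outside interface lets everything into the inside network, and a constructed ICMP-only ACL shows the difference. Only "any any" entries are modelled; stateful return traffic and NAT are out of scope.

```python
import re

# Constructed sample: the nameif / security-level / access-list / access-group lines
# from the post above, in one snippet.
SAMPLE_PIX_CONFIG = """
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.78.182 255.255.255.252
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.78.186 255.255.255.252
!
access-list acl_grp extended permit icmp any any
access-list acl_grp extended permit tcp any any
access-list acl_grp extended permit ip any any
access-group acl_grp in interface outside
access-group acl_grp in interface inside
"""

# Constructed alternative: only ICMP is allowed in from the outside; the inside keeps
# the implicit security-level rule because no ACL is bound to it.
RESTRICTED_PIX_CONFIG = SAMPLE_PIX_CONFIG.split("access-list")[0] + """\
access-list acl_out extended permit icmp any any
access-group acl_out in interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) any any$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse_pix(text):
    """Collect security levels per nameif, ACL entries per ACL name, and ACL bindings."""
    levels, acls, groups = {}, {}, {}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                       # a new interface block starts
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            levels[nameif] = int(line.split()[1])
        else:
            m = ACL_RE.match(line)
            if m:
                acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
                continue
            m = GROUP_RE.match(line)
            if m:
                groups[m.group(2)] = m.group(1)  # interface -> ACL bound inbound
    return {"levels": levels, "acls": acls, "groups": groups}


def flow_allowed(cfg, ingress, egress, proto):
    """True if a new connection entering `ingress` and leaving `egress` is permitted."""
    acl = cfg["groups"].get(ingress)
    if acl is None:
        # No ACL on the ingress interface: higher security level may reach lower, not vice versa.
        return cfg["levels"][ingress] > cfg["levels"][egress]
    for action, entry_proto in cfg["acls"].get(acl, []):
        if entry_proto == "ip" or entry_proto == proto:   # first matching entry decides
            return action == "permit"
    return False                                           # implicit deny at the end of the ACL


if __name__ == "__main__":
    for name, text in (("page config", SAMPLE_PIX_CONFIG), ("restricted", RESTRICTED_PIX_CONFIG)):
        cfg = parse_pix(text)
        print(name, "outside->inside tcp:", flow_allowed(cfg, "outside", "inside", "tcp"))
```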

Have a good try :D

Dhcp Fixed Address

Some hosts require a fixed IP address, such as web servers, printers, etc. A host that requires a fixed IP address needs to be mapped by its MAC address. This is a sample DHCP server configuration:

root@fadly-desktop:~# vi /etc/dhcp3/dhcpd.conf

host fadly {
hardware ethernet 00:90:F5:5D:6D:BC;
fixed-address 192.168.78.206;
}

subnet 192.168.78.204 netmask 255.255.255.252 {
option broadcast-address 192.168.78.207;
option routers 192.168.78.205;
option subnet-mask 255.255.255.252;
}

option domain-name 202.155.0.10;

Friday, July 17, 2009

Cisco - Linux Dhcp-relay setting

This is the configuration of a router as DHCP relay and Linux as the DHCP server.

Diagram :

1. Interface configuration :

!
interface GigabitEthernet0/0.11
description ### Test Internet ###
encapsulation dot1Q 11
ip dhcp relay information trusted
ip dhcp relay information option vpn-id none
ip vrf forwarding vpn_internet
ip address 192.168.78.201 255.255.255.252
ip helper-address 192.168.78.198
end

----------------------------------------------------------------------------------------------------------------------------------------

Config note :

ip dhcp relay information trusted

Usage Guidelines

By default, if the gateway address is set to all zeros in the DHCP packet and the relay information option is already present in the packet, the Cisco IOS DHCP relay agent will discard the packet. If the ip dhcp relay information trusted command is configured on an interface, the Cisco IOS DHCP relay agent will not discard the packet even if the gateway address is set to all zeros. Instead, the received DHCPDISCOVER or DHCPREQUEST messages will be forwarded to the addresses configured by the ip helper-address command as in normal DHCP relay operation.


ip dhcp relay information option vpn-id


To enable the system to insert VPN suboptions into the DHCP relay agent information option in forwarded BOOTREQUEST messages to a DHCP server and set the gateway address to the outgoing interface toward the DHCP server, use the ip dhcp relay information option vpn-id command in interface configuration mode. To remove the configuration, use the no form of this command.


Reference : http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_dhc2.html#wp1012293

2. Edit dhcp configuration :

root@desktop:# vi /etc/dhcp3/dhcpd.conf

ddns-update-style none;

default-lease-time 600;
max-lease-time 7200;

#authoritative;

log-facility local7;

option subnet-mask 255.255.255.252;
option broadcast-address 192.168.78.203;
option routers 192.168.78.201;

subnet 192.168.78.200 netmask 255.255.255.252 {
range 192.168.78.202;
}
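As an added example (not from either post or from the ISC dhcpd project), a Python checker for the dhcpd.conf fragments in this post and in the fixed-address post above: it parses host and subnet blocks, checks the MAC format, and verifies that each fixed-address and range lies inside a declared subnet without colliding with the network, broadcast or router addresses. The sample joins both posts' fragments into one constructed file, with the relay post's global options placed inside its subnet block; nested pool blocks are not handled.

```python
import ipaddress
import re

# Constructed sample: the host block from the fixed-address post and the subnets from
# both posts, combined into one dhcpd.conf.
SAMPLE_DHCPD_CONF = """
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;

host fadly {
  hardware ethernet 00:90:F5:5D:6D:BC;
  fixed-address 192.168.78.206;
}

subnet 192.168.78.204 netmask 255.255.255.252 {
  option broadcast-address 192.168.78.207;
  option routers 192.168.78.205;
  option subnet-mask 255.255.255.252;
}

subnet 192.168.78.200 netmask 255.255.255.252 {
  option routers 192.168.78.201;
  range 192.168.78.202;
}
"""

BLOCK_RE = re.compile(r"\b(host|subnet)\s+([^{]+?)\s*\{([^{}]*)\}", re.S)  # no nested blocks
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def _statements(body):
    """Yield (keyword, args) for each ';'-terminated statement in one block body."""
    for stmt in body.split(";"):
        words = stmt.split()
        if words:
            yield words[0], words[1:]


def parse_dhcpd_conf(text):
    """Return (hosts, subnets) with the fields the checks below need."""
    hosts, subnets = [], []
    for kind, header, body in BLOCK_RE.findall(text):
        if kind == "host":
            entry = {"name": header.strip(), "mac": None, "fixed": None}
            for kw, args in _statements(body):
                if kw == "hardware" and len(args) == 2:
                    entry["mac"] = args[1]
                elif kw == "fixed-address" and args:
                    entry["fixed"] = args[0]
            hosts.append(entry)
        else:
            net, _, mask = header.split()   # "192.168.78.204 netmask 255.255.255.252"
            entry = {"network": ipaddress.ip_network(f"{net}/{mask}", strict=False),
                     "routers": [], "broadcast": None, "ranges": []}
            for kw, args in _statements(body):
                if kw == "option" and args[:1] == ["routers"]:
                    entry["routers"] = [a.strip(",") for a in args[1:]]
                elif kw == "option" and args[:1] == ["broadcast-address"]:
                    entry["broadcast"] = args[1]
                elif kw == "range" and args:
                    entry["ranges"].append((args[0], args[-1]))   # single address or lo hi
            subnets.append(entry)
    return hosts, subnets


def _reserved(subnet):
    """Addresses a lease must never hand out: network, broadcast and the routers."""
    net = subnet["network"]
    reserved = {str(net.network_address), str(net.broadcast_address), *subnet["routers"]}
    if subnet["broadcast"]:
        reserved.add(subnet["broadcast"])
    return reserved


def check_dhcpd(hosts, subnets):
    """Return findings; an empty list means every host and subnet passed."""
    findings = []
    for sn in subnets:
        net = sn["network"]
        if sn["broadcast"] and ipaddress.ip_address(sn["broadcast"]) != net.broadcast_address:
            findings.append(f"subnet {net}: broadcast-address {sn['broadcast']} is not the subnet broadcast")
        for router in sn["routers"]:
            if ipaddress.ip_address(router) not in net:
                findings.append(f"subnet {net}: router {router} is outside the subnet")
        for lo, hi in sn["ranges"]:
            lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
            if lo_a not in net or hi_a not in net:
                findings.append(f"subnet {net}: range {lo}-{hi} is outside the subnet")
                continue
            for addr in _reserved(sn):
                if lo_a <= ipaddress.ip_address(addr) <= hi_a:
                    findings.append(f"subnet {net}: range {lo}-{hi} hands out reserved address {addr}")
    for h in hosts:
        if not h["mac"] or not MAC_RE.match(h["mac"]):
            findings.append(f"host {h['name']}: missing or malformed hardware ethernet address")
        if not h["fixed"]:
            findings.append(f"host {h['name']}: no fixed-address")
            continue
        addr = ipaddress.ip_address(h["fixed"])
        home = [sn for sn in subnets if addr in sn["network"]]
        if not home:
            findings.append(f"host {h['name']}: fixed-address {addr} is in no declared subnet")
        elif h["fixed"] in _reserved(home[0]):
            findings.append(f"host {h['name']}: fixed-address {addr} collides with a router/broadcast/network address")
    return findings
```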


3. Checking log :

Jul 15 18:17:22 -desktop dhcpd: DHCPDISCOVER from 00:0a:e4:36:03:a0 via 192.168.78.201
Jul 15 18:17:23 -desktop dhcpd: DHCPOFFER on 192.168.78.202 to 00:0a:e4:36:03:a0 (LENOVO-2EB43090) via 192.168.78.201
Jul 15 18:17:23 -desktop dhcpd: DHCPREQUEST for 192.168.78.202 (192.168.78.198) from 00:0a:e4:36:03:a0 (LENOVO-2EB43090) via 192.168.78.201
Jul 15 18:17:23 -desktop dhcpd: DHCPACK on 192.168.78.202 to 00:0a:e4:36:03:a0 (LENOVO-2EB43090) via 192.168.78.201
Jul 15 18:17:25 -desktop dhcpd: DHCPREQUEST for 192.168.78.202 from 00:0a:e4:36:03:a0 (LENOVO-2EB43090) via eth1
Jul 15 18:17:25 -desktop dhcpd: DHCPACK on 192.168.78.202 to 00:0a:e4:36:03:a0 (LENOVO-2EB43090) via eth1

Have a good try.. :)

Wednesday, July 15, 2009

Dynamips Dynagen Tutorial

(First) : Download Dynagen from http://dynagen.org

Go to the download menu; you will be redirected to http://sourceforge.net.
Go to Dynagen source / Linux and click dynagen-0.11.0.tar.gz.
Point your mouse at "use direct link", right-click, then copy the link location: http://downloads.sourceforge.net/sourceforge/dyna-gen/dynagen-0.11.0.tar.gz?use_mirror=nchc

Download from Linux terminal :
root@desktop:~# wget http://downloads.sourceforge.net/sourceforge/dyna-gen/dynagen-0.11.0.tar.gz?use_mirror=nchc


(Second) : Create directory & extract tarball

Create Directory : root@desktop:~# mkdir /home/dynamips
Move source file to dynamips folder : root@desktop:~# mv dynagen-0.11.0.tar.gz /home/dynamips
Extract tarball : root@desktop:~# tar zxvf dynagen-0.11.0.tar.gz
Go to folder : root@desktop:~# cd /home/dynamips/dynagen-0.11.0
Check README file :root@desktop:/home/dynamips/dynagen-0.11.0#more README.txt
----------------------------------------------------------------------------------------------------------------------------------------

This version of Dynagen requires at least version 0.2.8-RC1 of Dynamips

----------------------------------------------------------------------------------------------------------------------------------------

(Third) : Download the Dynamips version that matches the Dynagen requirement

Go to http://www.ipflow.utc.fr/blog/
Point your mouse at the link "0.2.8-RC2 binary for Linux x86 platforms", right-click and copy the link location:
http://www.ipflow.utc.fr/dynamips/dynamips-0.2.8-RC2-x86.bin

Download from Linux terminal :
root@desktop:/home/dynamips/dynagen-0.11.0# wget http://www.ipflow.utc.fr/dynamips/dynamips-0.2.8-RC2-x86.bin

Make the binary executable :
root@desktop:/home/dynamips/dynagen-0.11.0# chmod 777 dynamips-0.2.8-RC2-x86.bin


(Fourth) : Create Symlink (Symbolic link)
Go to folder : cd /usr/bin
symlink using alias for dynamips program : /usr/bin# ln -s /home/dynamips/dynagen-0.11.0/dynamips-0.2.8-RC2-x86.bin dynamips
symlink using alias for dynagen program : /usr/bin# ln -s /home/dynamips/dynagen-0.11.0/dynagen dynagen


(Fifth) : Download, extract & copy the IOS image
Download the IOS (I will not tell you how to get the IOS)
Extract the IOS image so the router boots up faster than from a zipped IOS
Create a directory to store the IOS :
root@desktop:/home/dynamips/dynagen-0.11.0# mkdir Images
navigate to folder : cd Images
copy IOS file : cp /home/C7200-K9.BIN C7200-K9.BIN

(Sixth) : Running Sample Lab
Go to sample labs .net file : root@desktop: cd /home/dynamips/dynagen-0.11.0/sample_labs/simple1#
Edit simple1.net : vi sample1.net
----------------------------------------------------------------------------------------------------------------------------------------
[localhost]

[[7200]]
# image = \Program Files\Dynamips\images\c7200-jk9o3s-mz.124-7a.image
# On Linux / Unix use forward slashes:
image = /home/dynamips/dynagen-0.11.0/Images/C7200-K9.BIN
npe = npe-400
ram = 160

[[ROUTER R1]]
s1/0 = R2 s1/0

[[router R2]]
# No need to specify an adapter here, it is taken care of
# by the interface specification under Router R1


# R1 s1/0 ----- R2 s1/0

----------------------------------------------------------------------------------------------------------------------------------------
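As an added example (not from the post or from the Dynagen project), a Python parser for the .net lab file shown above: it reads the hypervisor section, the model defaults ([[7200]]) and the router sections, builds the link list from lines such as "s1/0 = R2 s1/0", and checks that every link points at a defined router, that an interface is not wired to two different peers, and that each router can inherit an IOS image. The sample is a constructed copy of simple1.net.

```python
import re

# Constructed sample: the simple1.net lab file shown above (same content).
SAMPLE_NET = r"""
[localhost]

[[7200]]
# image = \Program Files\Dynamips\images\c7200-jk9o3s-mz.124-7a.image
# On Linux / Unix use forward slashes:
image = /home/dynamips/dynagen-0.11.0/Images/C7200-K9.BIN
npe = npe-400
ram = 160

[[ROUTER R1]]
s1/0 = R2 s1/0

[[router R2]]
# No need to specify an adapter here, it is taken care of
# by the interface specification under Router R1
"""

IFACE_RE = re.compile(r"^[a-z]+\d+(/\d+)*$", re.I)   # s1/0, f0/0, e1/2 ...


def parse_net(text):
    """Parse a Dynagen .net file into hypervisors, model defaults, routers and links."""
    topo = {"hypervisors": [], "models": {}, "routers": {}, "links": []}
    host = section = kind = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[[") and line.endswith("]]"):
            name = line[2:-2].strip()
            if name.lower().startswith("router "):
                kind, section = "router", name.split(None, 1)[1].strip()
                topo["routers"][section] = {"host": host, "settings": {}, "links": {}}
            else:
                kind, section = "model", name          # e.g. [[7200]] defaults
                topo["models"][name] = {}
            continue
        if line.startswith("[") and line.endswith("]"):
            host = line[1:-1].strip()                  # e.g. [localhost]
            topo["hypervisors"].append(host)
            kind = section = None
            continue
        key, sep, value = line.partition("=")
        if not sep or section is None:
            continue
        key, value = key.strip(), value.strip()
        if kind == "model":
            topo["models"][section][key] = value
        elif IFACE_RE.match(key):
            peer, _, peer_iface = value.partition(" ")   # "R2 s1/0" -> ("R2", "s1/0")
            topo["routers"][section]["links"][key] = (peer, peer_iface.strip())
        else:
            topo["routers"][section]["settings"][key] = value
    topo["links"] = _edges(topo["routers"])
    return topo


def _edges(routers):
    """Undirected link list; a link declared from both ends is counted once."""
    edges = set()
    for name, router in routers.items():
        for iface, (peer, peer_iface) in router["links"].items():
            a, b = sorted([(name, iface), (peer, peer_iface)])
            edges.add(a + b)
    return sorted(edges)


def check_topology(topo):
    """Return findings for dangling links, double-wired interfaces and routers without an image."""
    findings = []
    used = {}   # (router, iface) -> the far end it is wired to
    models = topo["models"]
    for name, router in topo["routers"].items():
        model = router["settings"].get("model")
        if model is None and len(models) == 1:
            model = next(iter(models))          # single defaults section applies to all
        if model is None or "image" not in models.get(model, {}):
            findings.append(f"{name}: no IOS image (no model defaults section with an image)")
        for iface, (peer, peer_iface) in router["links"].items():
            if peer not in topo["routers"]:
                findings.append(f"{name} {iface}: peer {peer!r} is not a defined router")
                continue
            if not IFACE_RE.match(peer_iface):
                findings.append(f"{name} {iface}: bad peer interface {peer_iface!r}")
                continue
            for end, far in (((name, iface), (peer, peer_iface)), ((peer, peer_iface), (name, iface))):
                if used.setdefault(end, far) != far:
                    findings.append(f"{end[0]} {end[1]} is wired to both {used[end][0]} {used[end][1]} "
                                    f"and {far[0]} {far[1]}")
    return findings
```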

(Seventh) : Run dynamips instance 7200 in background (&)

root@desktop:/home/dynamips/dynagen-0.11.0/sample_labs/simple1# dynamips -H 7200 &
[1] 7267
root@desktop:/home/dynamips/dynagen-0.11.0/sample_labs/simple1# Cisco Router Simulation Platform (version 0.2.8-RC2-x86)
Copyright (c) 2005-2007 Christophe Fillot.
Build date: Oct 2 2008 01:17:18

ILT: loaded table "mips64j" from cache.
ILT: loaded table "mips64e" from cache.
ILT: loaded table "ppc32j" from cache.
ILT: loaded table "ppc32e" from cache.
Hypervisor TCP control server started (port 7200).


(Eighth) : Run Dynagen simple1.net
root@desktop:/home/dynamips/dynagen-0.11.0/sample_labs/simple1#dynagen simple1.net

Dynagen management console for Dynamips and Pemuwrapper 0.11.0
Copyright (c) 2005-2007 Greg Anuzelli, contributions Pavel Skovajsa

=> list
Name Type State Server Console
R1 7200 running localhost:7200 2000
R2 7200 running localhost:7200 2001
=>

(Ninth) : Access / Telnet R1 & R2

----------------------------------------------------------------------------------------------------------------------------------------
root@desktop:~# telnet localhost 2000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connected to Dynamips VM "R1" (ID 0, type c7200) - Console port

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#int serial 1/0
R1(config-if)#no shutdown

----------------------------------------------------------------------------------------------------------------------------------------

root@desktop:~# telnet localhost 2001
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connected to Dynamips VM "R2" (ID 1, type c7200) - Console port

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#int serial 1/0
R2(config-if)#no shutdown

----------------------------------------------------------------------------------------------------------------------------------------

R1#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID
R2 Ser 1/0 15 R 7206VXR Ser 1/0

----------------------------------------------------------------------------------------------------------------------------------------

R2#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID
R1 Ser 1/0 158 R 7206VXR Ser 1/0

----------------------------------------------------------------------------------------------------------------------------------------
Set ip address :

R1(config)#int ser 1/0
R1(config-if)#ip add 10.1.0.1 255.255.255.0

R2(config)#int ser 1/0
R2(config-if)#ip add 10.1.0.2 255.255.255.0
R2(config-if)#

Ping : R1 to R2

R1#ping 10.1.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms

(Tenth) : Turn off the router, Stop dynagen and dynamips

Turn off the router :

=>
=> stop R1
C7200 'R1': stopping simulation.
100-VM 'R1' stopped
=> stop R2
100-VM 'R2' stopped
C7200 'R2': stopping simulation.
=>

Stop Dynagen simple1.net

Exit dynagen :
=> exit
Exiting...
Shutdown in progress...
Shutdown completed

Stop dynamips :

root@desktop:/home/dynamips/dynagen-0.11.0/sample_labs/simple1# ps -ax |grep dynamips
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
7267 pts/0 Sl 39:08 dynamips -H 7200
7699 pts/0 R+ 0:00 grep dynamips

root@desktop:/home/dynamips/dynagen-0.11.0/sample_labs/simple1# kill -9 7267


To reduce the CPU load on your PC, you have to set the idle-pc value. The idle-pc value depends on the IOS image; to obtain it, use these steps :

=> idlepc get R1
Please wait while gathering statistics...

Please wait while gathering statistics...
Done. Suggested idling PC:
0x608c5bc8 (count=48)
0x608c5bcc (count=35)
0x608463cc (count=59)
0x60847050 (count=71)
Restart the emulator with "--idle-pc=0x608c5bc8" (for example)
1: 0x608c5bc8 [48]
2: 0x608c5bcc [35]
* 3: 0x608463cc [59]
4: 0x60847050 [71]


Edit simple1.net : vi simple1.net


[localhost]

[[7200]]
# image = \Program Files\Dynamips\images\c7200-jk9o3s-mz.124-7a.image
# On Linux / Unix use forward slashes:
image = /home/dynamips/dynagen-0.11.0/Images/C7200-K9.BIN
npe = npe-400
ram = 160
idlepc = 0x608463cc

Save file

simple1#dynagen simple1.net

=> idlepc show R1
R1 has an idlepc value of: 0x608463cc
=> idlepc show R2
R2 has an idlepc value of: 0x608463cc
=>

Have a good try ;)

Here is a useful link from iementor to try dynamips and dynagen :
http://www.iementor.com/Introduction_to_Dynamips.pdf

Monday, April 13, 2009

Nas port equal to Zero (Nas-port = 0)

NAS-Port is one of the RADIUS attributes that can be used to identify a user, both on the router and on the RADIUS server.

I'm using IOS SB on a 7200 VXR router; it can be configured either to send the NAS-Port attribute or not. If you don't want to send it, configure the router like this :


Diagram :

PC ---- L3 ISG ----- INTERNET
           |---- PORTAL
           |---- RADIUS

-----------------------------------------------------------------------------------------------------------------

Configuration :

ISG-L4R(config)#aaa group server radius AAA
ISG-L4R(config-sg-radius)#attribute nas-port ?
format Set the format of the NAS-Port attribute
none Don't send nas-port attribute
ISG-L4R(config-sg-radius)#attribute nas-port none

The debug result will be like this :

(1). User login from Website :

006675: Apr 13 14:52:44 WIB: RADIUS: COA received from id 105 20.0.92.156:32775, CoA Request, len 93
006676: Apr 13 14:52:44 WIB: RADIUS/DECODE: VSA external len != internal + VSA hdr

(2). NAS-Port sending is disabled :

006677: Apr 13 14:52:44 WIB: RADIUS/ENCODE(00000D42):Orig. component type = IEDGE_IP_SIP
006678: Apr 13 14:52:44 WIB: RADIUS/ENCODE: NAS PORT sending disabled
006679: Apr 13 14:52:44 WIB: RADIUS(00000D42): Config NAS IP: 10.0.4.101
006680: Apr 13 14:52:44 WIB: RADIUS/ENCODE(00000D42): acct_session_id: 3447
006681: Apr 13 14:52:44 WIB: RADIUS(00000D42): Config NAS IP: 10.0.4.101

(3). Login Request to Radius :

006682: Apr 13 14:52:44 WIB: RADIUS(00000D42): sending
006683: Apr 13 14:52:44 WIB: RADIUS(00000D42): Send Access-Request to 10.0.100.29:1645 id 1645/150, len 109
006684: Apr 13 14:52:44 WIB: RADIUS: authenticator C0 6E 4D 8F 2E 5B 9B 17 - 89 90 06 DE 9F C4 CB B2
006685: Apr 13 14:52:44 WIB: RADIUS: Framed-IP-Address [8] 6 30.0.74.1
006686: Apr 13 14:52:44 WIB: RADIUS: User-Name [1] 11 "pedi128k"
006687: Apr 13 14:52:44 WIB: RADIUS: User-Password [2] 18 *
006688: Apr 13 14:52:44 WIB: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
006689: Apr 13 14:52:44 WIB: RADIUS: NAS-Port-Id [87] 11 "0/0/3/806"
006690: Apr 13 14:52:44 WIB: RADIUS: Service-Type [6] 6 Login [1]
006691: Apr 13 14:52:44 WIB: RADIUS: NAS-IP-Address [4] 6 10.0.4.101
006692: Apr 13 14:52:44 WIB: RADIUS: Acct-Session-Id [44] 10 "00000D77"
006693: Apr 13 14:52:44 WIB: RADIUS: Nas-Identifier [32] 9 "ISG-L4R"
006694: Apr 13 14:52:44 WIB: RADIUS: Event-Timestamp [55] 6 1239609164

(4). Received response from Radius :

006695: Apr 13 14:52:45 WIB: RADIUS: Received from id 1645/150 10.0.100.29:1645, Access-Accept, len 94
006696: Apr 13 14:52:45 WIB: RADIUS: authenticator 28 0C 18 47 8A E5 4E 9C - 45 7F B6 21 70 E0 A3 F0
006697: Apr 13 14:52:45 WIB: RADIUS: Class [25] 50
006698: Apr 13 14:52:45 WIB: RADIUS: 53 42 52 2D 43 4C 20 44 4E 3D 22 63 61 62 6C 65 [SBR-CL DN="pedi]
006699: Apr 13 14:52:45 WIB: RADIUS: 31 32 38 6B 22 20 41 54 3D 22 32 30 30 22 20 55 [128k" AT="200" U]
006700: Apr 13 14:52:45 WIB: RADIUS: 53 3D 22 22 20 53 49 3D 22 32 31 35 32 32 22 00 [ S="" SI="21522"]
006701: Apr 13 14:52:45 WIB: RADIUS: Vendor, Unknown [26] 12
006702: Apr 13 14:52:45 WIB: RADIUS: Unsupported [2] 6
006703: Apr 13 14:52:45 WIB: RADIUS: 00 00 00 01
006704: Apr 13 14:52:45 WIB: RADIUS: Session-Timeout [27] 6 86400
006705: Apr 13 14:52:45 WIB: RADIUS: Idle-Timeout [28] 6 300
006706: Apr 13 14:52:45 WIB: RADIUS(00000D42): Received from id 1645/150
006707: Apr 13 14:52:45 WIB: RADIUS/ENCODE(00000D42):Orig. component type = IEDGE_IP_SIP
006708: Apr 13 14:52:45 WIB: RADIUS: AAA Unsupported Attr: timeout [371] 4 86400
006709: Apr 13 14:52:45 WIB: RADIUS: AAA Unsupported Attr: idletime [123] 4 300

(5). Ack response to Portal :

006710: Apr 13 14:52:45 WIB: RADIUS(00000D42): sending
006711: Apr 13 14:52:45 WIB: RADIUS(00000D42): Send CoA Ack Response to 20.0.92.156:32775 id 105, len 70
006712: Apr 13 14:52:45 WIB: RADIUS: authenticator 55 36 45 5F 9E 23 1E 37 - 0E 07 E7 29 2B FD 0B 16
006713: Apr 13 14:52:45 WIB: RADIUS: Vendor, Cisco [26] 18
006714: Apr 13 14:52:45 WIB: RADIUS: ssg-command-code [252] 12
006715: Apr 13 14:52:45 WIB: RADIUS: 01 63 61 62 6C 65 31 32 38 6B [Account-Log-On pedi128k]
006716: Apr 13 14:52:45 WIB: RADIUS: Vendor, Cisco [26] 20
006717: Apr 13 14:52:45 WIB: RADIUS: ssg-account-info [250] 14 "S30.0.74.1"
006718: Apr 13 14:52:45 WIB: RADIUS: Session-Timeout [27] 6 86400
006719: Apr 13 14:52:45 WIB: RADIUS: Idle-Timeout [28] 6 300
006720: Apr 13 14:52:45 WIB: RADIUS/ENCODE(00000D42):Orig. component type = IEDGE_IP_SIP
006721: Apr 13 14:52:45 WIB: RADIUS/ENCODE: NAS PORT sending disabled
006722: Apr 13 14:52:45 WIB: RADIUS(00000D42): Config NAS IP: 10.0.4.101
006723: Apr 13 14:52:45 WIB: RADIUS(00000D42): Config NAS IP: 10.0.4.101

(6). Sending Accounting Request :

006724: Apr 13 14:52:45 WIB: RADIUS(00000D42): sending
006725: Apr 13 14:52:45 WIB: RADIUS(00000D42): Send Accounting-Request to 10.0.100.29:1646 id 1646/64, len 206
006726: Apr 13 14:52:45 WIB: RADIUS: authenticator D4 A8 64 DC B7 6B 89 1B - C9 D8 3B AF 45 53 03 0D
006727: Apr 13 14:52:45 WIB: RADIUS: Acct-Session-Id [44] 10 "00000D79"
006728: Apr 13 14:52:45 WIB: RADIUS: Framed-Protocol [7] 6 PPP [1]
006729: Apr 13 14:52:45 WIB: RADIUS: Vendor, Cisco [26] 13
006730: Apr 13 14:52:45 WIB: RADIUS: ssg-service-info [251] 7 "NINET"
006731: Apr 13 14:52:45 WIB: RADIUS: Vendor, Cisco [26] 34
006732: Apr 13 14:52:45 WIB: RADIUS: Cisco AVpair [1] 28 "parent-session-id=00000D77"
006733: Apr 13 14:52:45 WIB: RADIUS: User-Name [1] 11 "pedi128k"
006734: Apr 13 14:52:45 WIB: RADIUS: Acct-Status-Type [40] 6 Start [1]
006735: Apr 13 14:52:45 WIB: RADIUS: Framed-IP-Address [8] 6 30.0.74.1
006736: Apr 13 14:52:45 WIB: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
006737: Apr 13 14:52:45 WIB: RADIUS: NAS-Port-Id [87] 11 "0/0/3/806"
006738: Apr 13 14:52:45 WIB: RADIUS: Class [25] 50
006739: Apr 13 14:52:45 WIB: RADIUS: 53 42 52 2D 43 4C 20 44 4E 3D 22 63 61 62 6C 65 [SBR-CL DN="pedi]
006740: Apr 13 14:52:45 WIB: RADIUS: 31 32 38 6B 22 20 41 54 3D 22 32 30 30 22 20 55 [128k" AT="200" U]
006741: Apr 13 14:52:45 WIB: RADIUS: 53 3D 22 22 20 53 49 3D 22 32 31 35 32 32 22 00 [ S="" SI="21522"]
006742: Apr 13 14:52:45 WIB: RADIUS: Service-Type [6] 6 Framed [2]
006743: Apr 13 14:52:45 WIB: RADIUS: NAS-IP-Address [4] 6 10.0.4.101
006744: Apr 13 14:52:45 WIB: RADIUS: Event-Timestamp [55] 6 1239609165
006745: Apr 13 14:52:45 WIB: RADIUS: Nas-Identifier [32] 9 "ISG-L4R"
006746: Apr 13 14:52:45 WIB: RADIUS: Acct-Delay-Time [41] 6 0

(7). Received accounting response from Radius :

006747: Apr 13 14:52:45 WIB: RADIUS: Received from id 1646/64 10.0.100.29:1646, Accounting-response, len 20

In the debug output above you can see that no NAS-Port attribute is sent in either the user authentication or the accounting request, because NAS-Port sending has been disabled.

-----------------------------------------------------------------------------------------------------------------
In this topology I use the IP routed session scenario; in this scenario we can see that the router (ISG) sends a NAS-Port value equal to zero.

Here is the sample debug with NAS-Port equal to zero :

(1). Sending Authentication request to Radius :

001672: Apr 13 12:33:27 WIB: RADIUS(00000A4B): Send Access-Request to 10.0.100.29:1645 id 1645/60, len 116
001673: Apr 13 12:33:27 WIB: RADIUS: authenticator 0A 4D 6D A0 9A 89 A0 E8 - 2D 70 65 89 25 90 2F 3A
001674: Apr 13 12:33:27 WIB: RADIUS: Framed-IP-Address [8] 6 30.0.74.1
001675: Apr 13 12:33:27 WIB: RADIUS: User-Name [1] 12 "pedi1024k"
001676: Apr 13 12:33:27 WIB: RADIUS: User-Password [2] 18 *
001677: Apr 13 12:33:27 WIB: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
001678: Apr 13 12:33:27 WIB: RADIUS: NAS-Port [5] 6 0
001679: Apr 13 12:33:27 WIB: RADIUS: NAS-Port-Id [87] 11 "0/0/3/806"
001680: Apr 13 12:33:27 WIB: RADIUS: Service-Type [6] 6 Login [1]
001681: Apr 13 12:33:27 WIB: RADIUS: NAS-IP-Address [4] 6 10.0.4.101
001682: Apr 13 12:33:27 WIB: RADIUS: Acct-Session-Id [44] 10 "00000A4B"
001683: Apr 13 12:33:27 WIB: RADIUS: Nas-Identifier [32] 9 "ISG-L4R"
001684: Apr 13 12:33:27 WIB: RADIUS: Event-Timestamp [55] 6 1239600807

(2). Received Authentication Response from Radius :

001685: Apr 13 12:33:27 WIB: RADIUS: Received from id 1645/60 10.0.100.29:1645, Access-Accept, len 95
001686: Apr 13 12:33:27 WIB: RADIUS: authenticator 95 38 A5 67 3E 35 7A B2 - 50 AE 7B F8 2B 0B B3 64
001687: Apr 13 12:33:27 WIB: RADIUS: Class [25] 51
001688: Apr 13 12:33:27 WIB: RADIUS: 53 42 52 2D 43 4C 20 44 4E 3D 22 63 61 62 6C 65 [SBR-CL DN="pedi]
001689: Apr 13 12:33:27 WIB: RADIUS: 31 30 32 34 6B 22 20 41 54 3D 22 32 30 30 22 20 [1024k" AT="200" ]
001690: Apr 13 12:33:27 WIB: RADIUS: 55 53 3D 22 22 20 53 49 3D 22 32 31 34 38 32 22 [US="" SI="21482"]
001691: Apr 13 12:33:27 WIB: RADIUS: 00
001692: Apr 13 12:33:27 WIB: RADIUS: Vendor, Unknown [26] 12
001693: Apr 13 12:33:27 WIB: RADIUS: Unsupported [2] 6
001694: Apr 13 12:33:27 WIB: RADIUS: 00 00 00 01
001695: Apr 13 12:33:27 WIB: RADIUS: Session-Timeout [27] 6 86400
001696: Apr 13 12:33:27 WIB: RADIUS: Idle-Timeout [28] 6 300
001697: Apr 13 12:33:27 WIB: RADIUS(00000A4B): Received from id 1645/60
001698: Apr 13 12:33:27 WIB: RADIUS/ENCODE(00000A4B):Orig. component type = IEDGE_IP_SIP
001699: Apr 13 12:33:27 WIB: RADIUS: AAA Unsupported Attr: timeout [371] 4 86400
001700: Apr 13 12:33:27 WIB: RADIUS: AAA Unsupported Attr: idletime [123] 4 300

(3). Sending Ack response to portal :

001701: Apr 13 12:33:27 WIB: RADIUS(00000A4B): sending
001702: Apr 13 12:33:27 WIB: RADIUS(00000A4B): Send CoA Ack Response to 20.0.92.156:32775 id 44, len 71
001703: Apr 13 12:33:27 WIB: RADIUS: authenticator 67 B9 4E 33 4C D6 D9 B3 - 7B D4 95 75 6B AF F0 95
001704: Apr 13 12:33:27 WIB: RADIUS: Vendor, Cisco [26] 19
001705: Apr 13 12:33:27 WIB: RADIUS: ssg-command-code [252] 13
001706: Apr 13 12:33:27 WIB: RADIUS: 01 63 61 62 6C 65 31 30 32 34 6B [Account-Log-On cable1024k]
001707: Apr 13 12:33:27 WIB: RADIUS: Vendor, Cisco [26] 20
001708: Apr 13 12:33:27 WIB: RADIUS: ssg-account-info [250] 14 "S30.0.74.1"
001709: Apr 13 12:33:27 WIB: RADIUS: Session-Timeout [27] 6 86400
001710: Apr 13 12:33:27 WIB: RADIUS: Idle-Timeout [28] 6 300
001711: Apr 13 12:33:27 WIB: RADIUS/ENCODE(00000A4B):Orig. component type = IEDGE_IP_SIP
001712: Apr 13 12:33:27 WIB: RADIUS(00000A4B): Config NAS IP: 10.0.4.101
001713: Apr 13 12:33:27 WIB: RADIUS(00000A4B): Config NAS IP: 10.0.4.101


(4). Sending Accounting request to Radius :

001714: Apr 13 12:33:27 WIB: RADIUS(00000A4B): sending
001715: Apr 13 12:33:27 WIB: RADIUS(00000A4B): Send Accounting-Request to 10.0.100.29:1646 id 1646/11, len 214
001716: Apr 13 12:33:27 WIB: RADIUS: authenticator 2C 90 A8 7A 46 99 3C 70 - BE 6D F7 25 21 19 4F C9
001717: Apr 13 12:33:27 WIB: RADIUS: Acct-Session-Id [44] 10 "00000A4F"
001718: Apr 13 12:33:27 WIB: RADIUS: Framed-Protocol [7] 6 PPP [1]
001719: Apr 13 12:33:27 WIB: RADIUS: Vendor, Cisco [26] 13
001720: Apr 13 12:33:27 WIB: RADIUS: ssg-service-info [251] 7 "NINET"
001721: Apr 13 12:33:27 WIB: RADIUS: Vendor, Cisco [26] 34
001722: Apr 13 12:33:27 WIB: RADIUS: Cisco AVpair [1] 28 "parent-session-id=00000A4B"
001723: Apr 13 12:33:27 WIB: RADIUS: User-Name [1] 12 "pedi1024k"
001724: Apr 13 12:33:27 WIB: RADIUS: Acct-Status-Type [40] 6 Start [1]
001725: Apr 13 12:33:27 WIB: RADIUS: Framed-IP-Address [8] 6 30.0.74.1
001726: Apr 13 12:33:27 WIB: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
001727: Apr 13 12:33:27 WIB: RADIUS: NAS-Port [5] 6 0
001728: Apr 13 12:33:27 WIB: RADIUS: NAS-Port-Id [87] 11 "0/0/3/806"
001729: Apr 13 12:33:27 WIB: RADIUS: Class [25] 51
001730: Apr 13 12:33:27 WIB: RADIUS: 53 42 52 2D 43 4C 20 44 4E 3D 22 63 61 62 6C 65 [SBR-CL DN="pedi]
001731: Apr 13 12:33:27 WIB: RADIUS: 31 30 32 34 6B 22 20 41 54 3D 22 32 30 30 22 20 [1024k" AT="200" ]
001732: Apr 13 12:33:27 WIB: RADIUS: 55 53 3D 22 22 20 53 49 3D 22 32 31 34 38 32 22 [US="" SI="21482"]
001733: Apr 13 12:33:27 WIB: RADIUS: 00
001734: Apr 13 12:33:27 WIB: RADIUS: Service-Type [6] 6 Framed [2]
001735: Apr 13 12:33:27 WIB: RADIUS: NAS-IP-Address [4] 6 10.0.4.101
001736: Apr 13 12:33:27 WIB: RADIUS: Event-Timestamp [55] 6 1239600807
001737: Apr 13 12:33:27 WIB: RADIUS: Nas-Identifier [32] 9 "ISG-L4R"
001738: Apr 13 12:33:27 WIB: RADIUS: Acct-Delay-Time [41] 6 0


(5). Received Accounting Response from Radius :

001739: Apr 13 12:33:28 WIB: RADIUS: Received from id 1646/11 10.0.100.29:1646, Accounting-response, len 20

-----------------------------------------------------------------------------------------------------------------

If you want NAS-Port to carry a value other than zero, you can use extended NAS-Port support.

Configuration :

aaa group server radius AAA
server 10.0.100.29 auth-port 1645 acct-port 1646
ip radius source-interface GigabitEthernet0/3.806
attribute nas-port format e UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
deadtime 10

and the result will be like this :

(1). User login at portal :

007259: Apr 13 15:07:39 WIB: RADIUS: COA received from id 122 20.0.92.156:32775, CoA Request, len 95
007260: Apr 13 15:07:39 WIB: RADIUS/DECODE: VSA external len != internal + VSA hdr
007261: Apr 13 15:07:39 WIB: RADIUS/ENCODE(00000D81):Orig. component type = IEDGE_IP_SIP
007262: Apr 13 15:07:39 WIB: RADIUS: Format E value 0xDBD for character U with bitmask 0xFFFFFFFF
007263: Apr 13 15:07:39 WIB: RADIUS: Format E port 0xDBD with bit 32 processed
007264: Apr 13 15:07:39 WIB: RADIUS(00000D81): Config NAS IP: 10.0.4.101
007265: Apr 13 15:07:39 WIB: RADIUS/ENCODE(00000D81): acct_session_id: 3517
007266: Apr 13 15:07:39 WIB: RADIUS(00000D81): Config NAS IP: 10.0.4.101
007267: Apr 13 15:07:39 WIB: RADIUS(00000D81): sending

(2). Sending Authentication Request to Radius :

007268: Apr 13 15:07:39 WIB: RADIUS(00000D81): Send Access-Request to 10.0.100.29:1645 id 1645/158, len 116
007269: Apr 13 15:07:39 WIB: RADIUS: authenticator 89 50 7C 69 43 3C D1 EE - 65 30 C4 22 B1 6A 38 65
007270: Apr 13 15:07:39 WIB: RADIUS: Framed-IP-Address [8] 6 30.0.74.3
007271: Apr 13 15:07:39 WIB: RADIUS: User-Name [1] 12 "pedi1024k"
007272: Apr 13 15:07:39 WIB: RADIUS: User-Password [2] 18 *
007273: Apr 13 15:07:39 WIB: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
007274: Apr 13 15:07:39 WIB: RADIUS: NAS-Port [5] 6 3517
007275: Apr 13 15:07:39 WIB: RADIUS: NAS-Port-Id [87] 11 "0/0/3/806"
007276: Apr 13 15:07:39 WIB: RADIUS: Service-Type [6] 6 Login [1]
007277: Apr 13 15:07:39 WIB: RADIUS: NAS-IP-Address [4] 6 10.0.4.101
007278: Apr 13 15:07:39 WIB: RADIUS: Acct-Session-Id [44] 10 "00000DBD"
007279: Apr 13 15:07:39 WIB: RADIUS: Nas-Identifier [32] 9 "ISG-L4R"
007280: Apr 13 15:07:39 WIB: RADIUS: Event-Timestamp [55] 6 1239610059

(3). Received Response from Radius :

007281: Apr 13 15:07:39 WIB: RADIUS: Received from id 1645/158 10.0.100.29:1645, Access-Accept, len 95
007282: Apr 13 15:07:39 WIB: RADIUS: authenticator E3 22 CC 82 6E 49 F3 20 - 9C 20 5E CE 7D B9 EF 45
007283: Apr 13 15:07:39 WIB: RADIUS: Class [25] 51
007284: Apr 13 15:07:39 WIB: RADIUS: 53 42 52 2D 43 4C 20 44 4E 3D 22 63 61 62 6C 65 [SBR-CL DN="pedi]
007285: Apr 13 15:07:39 WIB: RADIUS: 31 30 32 34 6B 22 20 41 54 3D 22 32 30 30 22 20 [1024k" AT="200" ]
007286: Apr 13 15:07:39 WIB: RADIUS: 55 53 3D 22 22 20 53 49 3D 22 32 31 35 32 35 22 [US="" SI="21525"]
007287: Apr 13 15:07:39 WIB: RADIUS: 00
007288: Apr 13 15:07:39 WIB: RADIUS: Vendor, Unknown [26] 12
007289: Apr 13 15:07:39 WIB: RADIUS: Unsupported [2] 6
007290: Apr 13 15:07:39 WIB: RADIUS: 00 00 00 01
007291: Apr 13 15:07:39 WIB: RADIUS: Session-Timeout [27] 6 86400
007292: Apr 13 15:07:39 WIB: RADIUS: Idle-Timeout [28] 6 300
007293: Apr 13 15:07:39 WIB: RADIUS(00000D81): Received from id 1645/158
007294: Apr 13 15:07:39 WIB: RADIUS/ENCODE(00000D81):Orig. component type = IEDGE_IP_SIP
007295: Apr 13 15:07:39 WIB: RADIUS: AAA Unsupported Attr: timeout [371] 4 86400
007296: Apr 13 15:07:39 WIB: RADIUS: AAA Unsupported Attr: idletime [123] 4 300

(4). Sending Ack response to portal :

007297: Apr 13 15:07:39 WIB: RADIUS(00000D81): sending
007298: Apr 13 15:07:39 WIB: RADIUS(00000D81): Send CoA Ack Response to 20.0.92.156:32775 id 122, len 71
007299: Apr 13 15:07:39 WIB: RADIUS: authenticator D0 0B D7 83 04 4F 32 6A - 87 17 3C 62 0D 1E 25 64
007300: Apr 13 15:07:39 WIB: RADIUS: Vendor, Cisco [26] 19
007301: Apr 13 15:07:39 WIB: RADIUS: ssg-command-code [252] 13
007302: Apr 13 15:07:39 WIB: RADIUS: 01 63 61 62 6C 65 31 30 32 34 6B [Account-Log-On pedi1024k]
007303: Apr 13 15:07:39 WIB: RADIUS: Vendor, Cisco [26] 20
007304: Apr 13 15:07:39 WIB: RADIUS: ssg-account-info [250] 14 "S30.0.74.3"
007305: Apr 13 15:07:39 WIB: RADIUS: Session-Timeout [27] 6 86400
007306: Apr 13 15:07:39 WIB: RADIUS: Idle-Timeout [28] 6 300
007307: Apr 13 15:07:39 WIB: RADIUS/ENCODE(00000D81):Orig. component type = IEDGE_IP_SIP
007308: Apr 13 15:07:39 WIB: RADIUS: Format E value 0xDBD for character U with bitmask 0xFFFFFFFF
007309: Apr 13 15:07:39 WIB: RADIUS: Format E port 0xDBD with bit 32 processed
007310: Apr 13 15:07:39 WIB: RADIUS(00000D81): Config NAS IP: 10.0.4.101
007311: Apr 13 15:07:39 WIB: RADIUS(00000D81): Config NAS IP: 10.0.4.101
007312: Apr 13 15:07:39 WIB: RADIUS(00000D81): sending

(5). Sending Accounting Request to Radius :

007313: Apr 13 15:07:39 WIB: RADIUS(00000D81): Send Accounting-Request to 10.0.100.29:1646 id 1646/72, len 214
007314: Apr 13 15:07:39 WIB: RADIUS: authenticator 0B 51 C5 1E 61 E2 2F 15 - E2 8A 31 51 10 86 5E 63
007315: Apr 13 15:07:39 WIB: RADIUS: Acct-Session-Id [44] 10 "00000DBF"
007316: Apr 13 15:07:39 WIB: RADIUS: Framed-Protocol [7] 6 PPP [1]
007317: Apr 13 15:07:39 WIB: RADIUS: Vendor, Cisco [26] 13
007318: Apr 13 15:07:39 WIB: RADIUS: ssg-service-info [251] 7 "NINET"
007319: Apr 13 15:07:39 WIB: RADIUS: Vendor, Cisco [26] 34
007320: Apr 13 15:07:39 WIB: RADIUS: Cisco AVpair [1] 28 "parent-session-id=00000DBD"
007321: Apr 13 15:07:39 WIB: RADIUS: User-Name [1] 12 "pedi1024k"
007322: Apr 13 15:07:39 WIB: RADIUS: Acct-Status-Type [40] 6 Start [1]
007323: Apr 13 15:07:39 WIB: RADIUS: Framed-IP-Address [8] 6 30.0.74.3
007324: Apr 13 15:07:39 WIB: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
007325: Apr 13 15:07:39 WIB: RADIUS: NAS-Port [5] 6 3517
007326: Apr 13 15:07:39 WIB: RADIUS: NAS-Port-Id [87] 11 "0/0/3/806"
007327: Apr 13 15:07:39 WIB: RADIUS: Class [25] 51
007328: Apr 13 15:07:39 WIB: RADIUS: 53 42 52 2D 43 4C 20 44 4E 3D 22 63 61 62 6C 65 [SBR-CL DN="pedi]
007329: Apr 13 15:07:39 WIB: RADIUS: 31 30 32 34 6B 22 20 41 54 3D 22 32 30 30 22 20 [1024k" AT="200" ]
007330: Apr 13 15:07:39 WIB: RADIUS: 55 53 3D 22 22 20 53 49 3D 22 32 31 35 32 35 22 [US="" SI="21525"]
007331: Apr 13 15:07:39 WIB: RADIUS: 00
007332: Apr 13 15:07:39 WIB: RADIUS: Service-Type [6] 6 Framed [2]
007333: Apr 13 15:07:39 WIB: RADIUS: NAS-IP-Address [4] 6 10.0.4.101
007334: Apr 13 15:07:39 WIB: RADIUS: Event-Timestamp [55] 6 1239610059
007335: Apr 13 15:07:39 WIB: RADIUS: Nas-Identifier [32] 9 "ISG-L4R"
007336: Apr 13 15:07:39 WIB: RADIUS: Acct-Delay-Time [41] 6 0

(6). Received Accounting Response from Radius :

007337: Apr 13 15:07:39 WIB: RADIUS: Received from id 1646/72 10.0.100.29:1646, Accounting-response, len 20



The configuration above uses NAS-Port format 'e'. Unlike the fixed formats a to c, format e is customizable; it was developed because not all of the fixed formats are supported on the newer Cisco platforms.


What I'm using in the configuration for the NAS-Port format is the session ID, character "U" :

Radius-server attribute nas-port format character : U
Field : Session ID


The session ID value (hexadecimal) is converted to the NAS-Port value (decimal).

Here is the result :
007320: Apr 13 15:07:39 WIB: RADIUS: Cisco AVpair [1] 28 "parent-session-id=00000DBD"

0x00000DBD = 3517


You can find the details on this Cisco page :

http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/rd_naspt.html