[GTER] BRAS - NE20

Juliano GigaNET juliano at giganet.net.py
Fri Mar 15 15:12:57 -03 2019


Good afternoon, everyone.

Could someone give me a hand with configuring an NE20e-s2f as a PPPoE concentrator? After a lot of struggle, I managed to get it connected to my RADIUS server. It already returns OK for the login and password, but the PPPoE session does not connect.

Looking at the logs on the NE20 (which are not very informative):


Are you sure to display some information? [Y/N]:y
-------------------------------------------------------------------
   User name          : 1
   Domain name        : giganet
   User MAC           : 6c3b-6bb9-645f
   User access type   : PPPoE
   User interface     : GigabitEthernet0/3/0.1
   User access PeVlan/CeVlan    : 1011/-
   User IP address    : -
   User ID            : 64
   User authen state  : Authened
   User acct state    : AcctIdle
   User author state  : AuthorIdle
   User login time    : 2019-03-15 23:11:48
   Online fail reason : The RADIUS server does not reply with Authentication ACK messages.


The configuration I applied on the NE20 is:


#==============================================================================================================

radius-server group giganet
  radius-server shared-key-cipher %^%#UeV}@$M3t6u)pNH{e'l"'RFJ4rRj1Z$L(X3Le'9=%^%#
  radius-server authentication 10.11.12.37 1812 weight 0
  radius-server accounting 10.11.12.37 1813 weight 0
  radius-server type plus11
  radius-server timeout 10
  undo radius-server user-name domain-included
  radius-server traffic-unit mbyte
  radius-attribute case-sensitive qos-profile-name


qos-profile DEDICADO-20M
  car cir 21000 pir 21000 cbs 2100000 pbs 2100000 green pass yellow pass red discard inbound
  car cir 21000 pir 21000 cbs 2100000 pbs 2100000 green pass yellow pass red discard outbound


ip pool pool1 bas local
  gateway 100.64.128.1 255.255.128.0
  section 0 100.64.128.2 100.64.255.254
  dns-server 8.8.8.8

aaa
   authentication-scheme radius
     authentication-mode local radius

   accounting-scheme radius
     accounting send-update

   domain giganet
     authentication-scheme radius
     accounting-scheme radius
     radius-server group giganet
     ip-pool pool1

interface Virtual-Template1
  ppp authentication-mode auto


interface GigabitEthernet0/3/0.1
  user-vlan 1011
  pppoe-server bind Virtual-Template 1
  bas
  #
   access-type layer2-subscriber default-domain authentication giganet
   access-ip-limit 5000 user-type ppp
  #
#

#==============================================================================================================


This is the output of freeradius -X, which shows that the login is OK.
(593) Received Access-Request Id 8 from 45.170.131.22:1812 to 10.11.12.37:1812 length 284
(593)   User-Name = "1"
(593)   CHAP-Password = 0x01d38655f99905bb12e0e9c81a34d21ce2
(593)   CHAP-Challenge = 0xa5b0f630d780f4e4c1c2bf0eaa340448
(593)   NAS-Port = 3146739
(593)   NAS-IP-Address = 45.170.131.22
(593)   Service-Type = Framed-User
(593)   Framed-Protocol = PPP
(593)   Calling-Station-Id = "6c:3b:6b:b9:64:5f"
(593)   NAS-Identifier = "BRAS-01"
(593)   NAS-Port-Type = Ethernet
(593)   NAS-Port-Id = "slot=0;subslot=3;port=0;vlanid=1011;"
(593)   Acct-Session-Id = "BRAS-01003001011000002703ae002000"
(593)   Connect-Info = "1000000000"
(593)   Huawei-Startup-Stamp = 1552614479
(593)   Huawei-IPHost-Addr = "255.255.255.255 6c:3b:6b:b9:64:5f"
(593)   Huawei-Connect-ID = 8192
(593)   Huawei-Domain-Name = "giganet"
(593)   Huawei-User-Mac = "6c:3b:6b:b9:64:5f"
(593) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(593)   authorize {
(593)     policy filter_username {
(593)       if (&User-Name) {
(593)       if (&User-Name)  -> TRUE
(593)       if (&User-Name)  {
(593)         if (&User-Name =~ / /) {
(593)         if (&User-Name =~ / /)  -> FALSE
(593)         if (&User-Name =~ /@[^@]*@/ ) {
(593)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(593)         if (&User-Name =~ /\.\./ ) {
(593)         if (&User-Name =~ /\.\./ )  -> FALSE
(593)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(593)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(593)         if (&User-Name =~ /\.$/)  {
(593)         if (&User-Name =~ /\.$/)   -> FALSE
(593)         if (&User-Name =~ /@\./)  {
(593)         if (&User-Name =~ /@\./)   -> FALSE
(593)       } # if (&User-Name)  = notfound
(593)     } # policy filter_username = notfound
(593)     [preprocess] = ok
(593) chap:   &control:Auth-Type := CHAP
(593)     [chap] = ok
(593)     [mschap] = noop
(593) eap: No EAP-Message, not doing EAP
(593)     [eap] = noop
(593) sql: EXPAND %{User-Name}
(593) sql:    --> 1
(593) sql: SQL-User-Name set to '1'
rlm_sql (sql): Closing connection (592): Hit idle_timeout, was idle for 67 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (588): Hit idle_timeout, was idle for 67 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Reserved connection (590)
(593) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(593) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1' ORDER BY id
(593) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1' ORDER BY id
(593) sql: User found in radcheck table
(593) sql: Conditional check items matched, merging assignment check items
(593) sql:   Cleartext-Password := "wifi"
(593) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(593) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '1' ORDER BY id
(593) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '1' ORDER BY id
(593) sql: User found in radreply table, merging reply items
(593) sql:   Huawei-Qos-Profile-Name := "DEDICADO-20M"
(593) sql:   Framed-IP-Address := 45.170.130.200
(593) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(593) sql:    --> SELECT groupname FROM radusergroup WHERE username = '1' ORDER BY priority
(593) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '1' ORDER BY priority
(593) sql: User not found in any groups
rlm_sql (sql): Released connection (590)
Need 2 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (595), 1 of 24 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'c1giganet' on Localhost via UNIX socket, server version 5.7.23-0ubuntu0.16.04.1, protocol version 10
(593)     [sql] = ok
(593)     [expiration] = noop
(593)     [logintime] = noop
(593) pap: WARNING: Auth-Type already set.  Not setting to PAP
(593)     [pap] = noop
(593)   } # authorize = ok
(593) Found Auth-Type = CHAP
(593) # Executing group from file /etc/freeradius/sites-enabled/default
(593)   Auth-Type CHAP {
(593) chap: Comparing with "known good" Cleartext-Password
(593) chap: CHAP user "1" authenticated successfully
(593)     [chap] = ok
(593)   } # Auth-Type CHAP = ok
(593) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(593)   post-auth {
(593)     update {
(593)       No attributes updated
(593)     } # update = noop
(593) sql: EXPAND .query
(593) sql:    --> .query
(593) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (593)
(593) sql: EXPAND %{User-Name}
(593) sql:    --> 1
(593) sql: SQL-User-Name set to '1'
(593) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(593) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '1', '0x01d38655f99905bb12e0e9c81a34d21ce2', 'Access-Accept', '2019-03-15 15:08:51')
(593) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '1', '0x01d38655f99905bb12e0e9c81a34d21ce2', 'Access-Accept', '2019-03-15 15:08:51')
(593) sql: SQL query returned: success
(593) sql: 1 record(s) updated
rlm_sql (sql): Released connection (593)
(593)     [sql] = ok
(593)     policy remove_reply_message_if_eap {
(593)       if (&reply:EAP-Message && &reply:Reply-Message) {
(593)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(593)       else {
(593)         [noop] = noop
(593)       } # else = noop
(593)     } # policy remove_reply_message_if_eap = noop
(593)   } # post-auth = ok
(593) Login OK: [1/<CHAP-Password>] (from client ne20 port 3146739 cli 6c:3b:6b:b9:64:5f)
(593) Sent Access-Accept Id 8 from 10.11.12.37:1812 to 45.170.131.22:1812 length 0
(593)   Huawei-Qos-Profile-Name = "DEDICADO-20M"
(593)   Framed-IP-Address = 45.170.130.200
(593) Finished request



I appreciate any help.
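
Added example, not part of the original post: a Python sketch of the two MD5 checks from RFC 2865 that take part in the exchange above. The server's CHAP comparison does not involve the RADIUS shared secret, while the NAS verifies the Response Authenticator of the Access-Accept with it, so a server-side "Login OK" says nothing about whether the NAS will accept the reply. The secrets, challenge, password and request authenticator are constructed values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code (RFC 2865)

def chap_response(ident: bytes, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: 1-byte CHAP ident + MD5(ident | password | challenge)."""
    return ident + hashlib.md5(ident + password + challenge).digest()

def server_chap_ok(chap_password: bytes, challenge: bytes, cleartext: bytes) -> bool:
    """The server's CHAP comparison; the shared secret is not an input."""
    expected = chap_response(chap_password[:1], cleartext, challenge)
    return hmac.compare_digest(expected, chap_password)

def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """MD5(Code | ID | Length | Request Authenticator | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_accept(ident, attrs, request_auth, secret) -> bytes:
    """Server side: encode an Access-Accept signed with the server's secret."""
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs

def nas_accepts(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: a reply whose authenticator does not verify is discarded."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])

def demo():
    # All values below are constructed for illustration.
    challenge = bytes(range(16))
    request_auth = bytes(range(16, 32))
    chap_pw = chap_response(b"\x01", b"example-password", challenge)
    # Framed-IP-Address (type 8, length 6) carrying the address from the log above.
    attrs = bytes([8, 6, 45, 170, 130, 200])
    reply = build_accept(8, attrs, request_auth, b"server-secret")
    return (
        server_chap_ok(chap_pw, challenge, b"example-password"),  # server: CHAP passes
        nas_accepts(reply, request_auth, b"server-secret"),       # same secret: accepted
        nas_accepts(reply, request_auth, b"nas-secret"),          # different secret: dropped
    )

if __name__ == "__main__":
    print(demo())  # (True, True, False)
```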





