[GTER] BRAS - NE20
Juliano GigaNET
juliano at giganet.net.py
Fri Mar 15 15:12:57 -03 2019
Good afternoon, everyone.
Could someone give me a hand with the configuration of an NE20e-s2f
as a PPPoE concentrator? After a lot of struggling, I managed to connect
to my RADIUS server. It already returns OK for the login and password, but the PPPoE
does not connect.
Looking at the logs on the NE20 (which are not very informative):
Are you sure to display some information? [Y/N]:y
-------------------------------------------------------------------
User name : 1
Domain name : giganet
User MAC : 6c3b-6bb9-645f
User access type : PPPoE
User interface : GigabitEthernet0/3/0.1
User access PeVlan/CeVlan : 1011/-
User IP address : -
User ID : 64
User authen state : Authened
User acct state : AcctIdle
User author state : AuthorIdle
User login time : 2019-03-15 23:11:48
Online fail reason : The RADIUS server does not reply with
Authentication ACK messages.
The configuration I did on the NE20 is:
#==============================================================================================================
radius-server group giganet
radius-server shared-key-cipher %^%#UeV}@$M3t6u)pNH{e'l"'RFJ4rRj1Z$L(X3Le'9=%^%#
radius-server authentication 10.11.12.37 1812 weight 0
radius-server accounting 10.11.12.37 1813 weight 0
radius-server type plus11
radius-server timeout 10
undo radius-server user-name domain-included
radius-server traffic-unit mbyte
radius-attribute case-sensitive qos-profile-name
qos-profile DEDICADO-20M
car cir 21000 pir 21000 cbs 2100000 pbs 2100000 green pass yellow pass red discard inbound
car cir 21000 pir 21000 cbs 2100000 pbs 2100000 green pass yellow pass red discard outbound
ip pool pool1 bas local
gateway 100.64.128.1 255.255.128.0
section 0 100.64.128.2 100.64.255.254
dns-server 8.8.8.8
aaa
authentication-scheme radius
authentication-mode local radius
accounting-scheme radius
accounting send-update
domain giganet
authentication-scheme radius
accounting-scheme radius
radius-server group giganet
ip-pool pool1
interface Virtual-Template1
ppp authentication-mode auto
interface GigabitEthernet0/3/0.1
user-vlan 1011
pppoe-server bind Virtual-Template 1
bas
#
access-type layer2-subscriber default-domain authentication giganet
access-ip-limit 5000 user-type ppp
#
#
#==============================================================================================================
This is the output of freeradius -X, which shows that the login is OK.
(593) Received Access-Request Id 8 from 45.170.131.22:1812 to
10.11.12.37:1812 length 284
(593) User-Name = "1"
(593) CHAP-Password = 0x01d38655f99905bb12e0e9c81a34d21ce2
(593) CHAP-Challenge = 0xa5b0f630d780f4e4c1c2bf0eaa340448
(593) NAS-Port = 3146739
(593) NAS-IP-Address = 45.170.131.22
(593) Service-Type = Framed-User
(593) Framed-Protocol = PPP
(593) Calling-Station-Id = "6c:3b:6b:b9:64:5f"
(593) NAS-Identifier = "BRAS-01"
(593) NAS-Port-Type = Ethernet
(593) NAS-Port-Id = "slot=0;subslot=3;port=0;vlanid=1011;"
(593) Acct-Session-Id = "BRAS-01003001011000002703ae002000"
(593) Connect-Info = "1000000000"
(593) Huawei-Startup-Stamp = 1552614479
(593) Huawei-IPHost-Addr = "255.255.255.255 6c:3b:6b:b9:64:5f"
(593) Huawei-Connect-ID = 8192
(593) Huawei-Domain-Name = "giganet"
(593) Huawei-User-Mac = "6c:3b:6b:b9:64:5f"
(593) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(593) authorize {
(593) policy filter_username {
(593) if (&User-Name) {
(593) if (&User-Name) -> TRUE
(593) if (&User-Name) {
(593) if (&User-Name =~ / /) {
(593) if (&User-Name =~ / /) -> FALSE
(593) if (&User-Name =~ /@[^@]*@/ ) {
(593) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(593) if (&User-Name =~ /\.\./ ) {
(593) if (&User-Name =~ /\.\./ ) -> FALSE
(593) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(593) if ((&User-Name =~ /@/) && (&User-Name !~
/@(.+)\.(.+)$/)) -> FALSE
(593) if (&User-Name =~ /\.$/) {
(593) if (&User-Name =~ /\.$/) -> FALSE
(593) if (&User-Name =~ /@\./) {
(593) if (&User-Name =~ /@\./) -> FALSE
(593) } # if (&User-Name) = notfound
(593) } # policy filter_username = notfound
(593) [preprocess] = ok
(593) chap: &control:Auth-Type := CHAP
(593) [chap] = ok
(593) [mschap] = noop
(593) eap: No EAP-Message, not doing EAP
(593) [eap] = noop
(593) sql: EXPAND %{User-Name}
(593) sql: --> 1
(593) sql: SQL-User-Name set to '1'
rlm_sql (sql): Closing connection (592): Hit idle_timeout, was idle for
67 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (588): Hit idle_timeout, was idle for
67 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Reserved connection (590)
(593) sql: EXPAND SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(593) sql: --> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '1' ORDER BY id
(593) sql: Executing select query: SELECT id, username, attribute,
value, op FROM radcheck WHERE username = '1' ORDER BY id
(593) sql: User found in radcheck table
(593) sql: Conditional check items matched, merging assignment check items
(593) sql: Cleartext-Password := "wifi"
(593) sql: EXPAND SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(593) sql: --> SELECT id, username, attribute, value, op FROM
radreply WHERE username = '1' ORDER BY id
(593) sql: Executing select query: SELECT id, username, attribute,
value, op FROM radreply WHERE username = '1' ORDER BY id
(593) sql: User found in radreply table, merging reply items
(593) sql: Huawei-Qos-Profile-Name := "DEDICADO-20M"
(593) sql: Framed-IP-Address := 45.170.130.200
(593) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(593) sql: --> SELECT groupname FROM radusergroup WHERE username =
'1' ORDER BY priority
(593) sql: Executing select query: SELECT groupname FROM radusergroup
WHERE username = '1' ORDER BY priority
(593) sql: User not found in any groups
rlm_sql (sql): Released connection (590)
Need 2 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (595), 1 of 24 pending
slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'c1giganet' on Localhost via UNIX
socket, server version 5.7.23-0ubuntu0.16.04.1, protocol version 10
(593) [sql] = ok
(593) [expiration] = noop
(593) [logintime] = noop
(593) pap: WARNING: Auth-Type already set. Not setting to PAP
(593) [pap] = noop
(593) } # authorize = ok
(593) Found Auth-Type = CHAP
(593) # Executing group from file /etc/freeradius/sites-enabled/default
(593) Auth-Type CHAP {
(593) chap: Comparing with "known good" Cleartext-Password
(593) chap: CHAP user "1" authenticated successfully
(593) [chap] = ok
(593) } # Auth-Type CHAP = ok
(593) # Executing section post-auth from file
/etc/freeradius/sites-enabled/default
(593) post-auth {
(593) update {
(593) No attributes updated
(593) } # update = noop
(593) sql: EXPAND .query
(593) sql: --> .query
(593) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (593)
(593) sql: EXPAND %{User-Name}
(593) sql: --> 1
(593) sql: SQL-User-Name set to '1'
(593) sql: EXPAND INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( '%{SQL-User-Name}',
'%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(593) sql: --> INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( '1', '0x01d38655f99905bb12e0e9c81a34d21ce2',
'Access-Accept', '2019-03-15 15:08:51')
(593) sql: Executing query: INSERT INTO radpostauth (username, pass,
reply, authdate) VALUES ( '1', '0x01d38655f99905bb12e0e9c81a34d21ce2',
'Access-Accept', '2019-03-15 15:08:51')
(593) sql: SQL query returned: success
(593) sql: 1 record(s) updated
rlm_sql (sql): Released connection (593)
(593) [sql] = ok
(593) policy remove_reply_message_if_eap {
(593) if (&reply:EAP-Message && &reply:Reply-Message) {
(593) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(593) else {
(593) [noop] = noop
(593) } # else = noop
(593) } # policy remove_reply_message_if_eap = noop
(593) } # post-auth = ok
(593) Login OK: [1/<CHAP-Password>] (from client ne20 port 3146739 cli
6c:3b:6b:b9:64:5f)
(593) Sent Access-Accept Id 8 from 10.11.12.37:1812 to
45.170.131.22:1812 length 0
(593) Huawei-Qos-Profile-Name = "DEDICADO-20M"
(593) Framed-IP-Address = 45.170.130.200
(593) Finished request
I appreciate any help.
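
Added example (not part of the original post): a CHAP login is verified without the RADIUS shared secret, while the NAS checks the Response Authenticator of the Access-Accept with its own copy of the secret (RFC 2865) and silently drops a reply that fails, so "Login OK" on the server alone does not show that the two secrets agree. The sketch below reproduces both checks; every secret, password and packet byte in it is a constructed sample value, not a value from the post.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    """Build a reply as a RADIUS server does, signed with the server's secret."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def nas_accepts(reply, request_auth, secret):
    """Validation a NAS applies to a reply; False means it is silently dropped."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        return False
    attrs = reply[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])

def chap_ok(chap_password, chap_challenge, cleartext):
    """Server-side CHAP check (RFC 2865 s.5.3): the shared secret is not an input."""
    chap_id, digest = chap_password[:1], chap_password[1:]
    expected = hashlib.md5(chap_id + cleartext + chap_challenge).digest()
    return hmac.compare_digest(expected, digest)

# Constructed sample values (assumptions for illustration only).
REQUEST_AUTH = bytes(range(16))            # Request Authenticator from the NAS
CHALLENGE = bytes(range(16, 32))           # CHAP-Challenge
PASSWORD = b"example-password"
CHAP_PASSWORD = b"\x01" + hashlib.md5(b"\x01" + PASSWORD + CHALLENGE).digest()
ATTRS = bytes([8, 6, 192, 0, 2, 10])       # Framed-IP-Address = 192.0.2.10
SERVER_SECRET = b"secret-on-server"
NAS_SECRET = b"secret-on-nas"              # differs from the server's copy

REPLY = build_reply(ACCESS_ACCEPT, 8, ATTRS, REQUEST_AUTH, SERVER_SECRET)

if __name__ == "__main__":
    print("CHAP verifies on server:  ", chap_ok(CHAP_PASSWORD, CHALLENGE, PASSWORD))
    print("NAS accepts, same secret: ", nas_accepts(REPLY, REQUEST_AUTH, SERVER_SECRET))
    print("NAS accepts, other secret:", nas_accepts(REPLY, REQUEST_AUTH, NAS_SECRET))
```

A packet capture on the NAS side of the link shows whether the Access-Accept arrives at all, which separates a dropped-on-validation reply from one lost in routing or filtering.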