Cisco class push L4redirect:
Assume my user's username is "mehdi".
User "mehdi" is a member of group "13".
I want to activate the service "L4REDIRECT" for user "mehdi", so that "mehdi" is redirected to the web portal to pay the invoice.
My web portal is 2.2.2.2 port 80; DNS should keep working normally.
Cisco 7206 VXR configuration:
aaa new-model
!
aaa authentication ppp hydra group radius
aaa authorization network hydra group radius
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network hydra
 action-type start-stop
 group radius
!
aaa server radius dynamic-author
 client x.x.x.x server-key testing123
 auth-type any
 ignore session-key
 ignore server-key
!
aaa session-id unique
clock timezone IRI 3 30
clock summer-time IRI recurring
!
no ip domain lookup
ip domain name test.com
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
mpls label protocol ldp
multilink bundle-name authenticated
vpdn enable
bba-group pppoe global
 virtual-template 1
 vendor-tag remote-id service
 sessions max limit 30000
 sessions per-vlan limit 30000
 sessions auto cleanup
!
interface GigabitEthernet0/1
 ip address x.x.x.x 255.255.255.192
 ip nat outside
 media-type rj45
 speed auto
 duplex auto
 negotiation auto
 pppoe enable group global
 no cdp enable
!
interface Virtual-Template1
 mtu 1460
 ip unnumbered GigabitEthernet0/1
 ip nat inside
 ip tcp adjust-mss 1320
 no logging event link-status
 peer default ip address pool DefaultPool
 ppp encrypt mppe auto
 ppp authentication pap hydra
 ppp authorization hydra
 ppp accounting hydra
 ppp timeout idle 3200
!
ip local pool DefaultPool 10.0.0.1 10.0.0.254
ip local pool FAILED-POOL 20.20.20.1 20.20.20.254
ip nat pool p1 x.x.x.x x.x.x.x netmask 255.255.255.252
ip nat inside source list 10 interface GigabitEthernet0/1 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip access-list extended L4REDIRECT
 permit ip any any
ip access-list extended LOCAL
 permit ip any 172.31.31.0 0.0.0.255
 permit ip 172.31.31.0 0.0.0.255 any
 deny ip any any
ip access-list extended all
 permit ip any any
ip radius source-interface GigabitEthernet0/1
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit 20.20.20.0 0.0.0.255
access-list 197 deny tcp any host 2.2.2.2 eq www
access-list 197 permit tcp any any eq www
access-list 197 deny udp any any eq domain
access-list 197 permit ip any any
no cdp run
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 8 include-in-access-req
radius-server host x.x.x.x auth-port 1812 acct-port 1813
radius-server source-ports extended
radius-server timeout 10
radius-server unique-ident 15
radius-server key testing123
radius-server vsa send accounting
radius-server vsa send authentication
FreeRADIUS (SQL tables):
select * from radcheck;
 id | username   | attribute          | op | value
----+------------+--------------------+----+-------
 12 | L4REDIRECT | Cleartext-Password | := | cisco
 15 | mehdi      | Cleartext-Password | := | 123

select * from radreply;
 id  | username   | attribute             | op | value
-----+------------+-----------------------+----+------------------------------------------------------------------
 143 | mehdi      | Cisco-AVPair          | += | subscriber:accounting-list=hydra | Cisco-ISG
 144 | mehdi      | Acct-Interim-Interval | =  | 60 | Cisco-ISG
 145 | mehdi      | Cisco-Account-Info    | += | AL4REDIRECT | Cisco-ISG
 154 | mehdi      | Cisco-AVpair          | += | ip:addr-pool=FAILED-POOL | Cisco-ISG
  63 | L4REDIRECT | Cisco-AVPair          | += | ip:l4redirect=redirect list 197 to ip 2.2.2.2 port 80
  51 | L4REDIRECT | Acct-Interim-Interval | =  | 60
  52 | L4REDIRECT | Cisco-AVPair          | += | subscriber:accounting-list=hydra
  55 | L4REDIRECT | Cisco-AVPair          | += | ip:traffic-class=output default drop
  56 | L4REDIRECT | Cisco-AVPair          | += | ip:traffic-class=input default drop
  58 | L4REDIRECT | Cisco-Service-Info    | += | QU;2097152;D;2097152
  57 | L4REDIRECT | Cisco-Service-Info    | := | L4REDIRECT
  54 | L4REDIRECT | Cisco-AVPair          | += | ip:traffic-class=input access-group name L4REDIRECT priority 15
  53 | L4REDIRECT | Cisco-AVPair          | += | ip:traffic-class=output access-group name L4REDIRECT priority 15
RADIUS debug:
rad_recv: Access-Request packet from host x.x.x.x port 21647, id=97, length=143
    Framed-Protocol = PPP
    User-Name = "mehdi"
    User-Password = "123"
    NAS-Port-Type = Virtual
    NAS-Port = 0
    NAS-Port-Id = "0/0/1/0"
    Cisco-AVPair = "client-mac-address=0026.1805.8749"
    Service-Type = Framed-User
    NAS-IP-Address = x.x.x.x
    Acct-Session-Id = "0F00000000000399"
Sending Access-Accept of id 97 to x.x.x.x port 21647
    Acct-Interim-Interval = 60
    Cisco-Account-Info = "AL4REDIRECT"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Idle-Timeout = 14400
    Cisco-AVPair += "subscriber:accounting-list=hydra"
    Cisco-AVPair += "ip:addr-pool=FAILED-POOL"
rad_recv: Access-Request packet from host x.x.x.x port 21647, id=98, length=142
    User-Password = "cisco"
    User-Name = "L4REDIRECT"
    NAS-Port-Type = Virtual
    NAS-Port = 0
    NAS-Port-Id = "0/0/1/0"
    Cisco-AVPair = "client-mac-address=0026.1805.8749"
    Service-Type = Outbound-User
    NAS-IP-Address = x.x.x.x
    Acct-Session-Id = "0F00000000000399"
Sending Access-Accept of id 98 to x.x.x.x port 21647
    Acct-Interim-Interval = 60
    Cisco-Service-Info += "L4REDIRECT"
    Cisco-Service-Info += "QU;2097152;D;2097152"
    Cisco-AVPair += "subscriber:accounting-list=hydra"
    Cisco-AVPair += "ip:traffic-class=output access-group name L4REDIRECT priority 15"
    Cisco-AVPair += "ip:traffic-class=input access-group name L4REDIRECT priority 15"
    Cisco-AVPair += "ip:traffic-class=output default drop"
    Cisco-AVPair += "ip:traffic-class=input default drop"
    Cisco-AVPair += "ip:l4redirect=redirect list 197 to ip 2.2.2.2 port 80"
Cisco ASR configuration:
hostname ASR1002
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
aaa new-model
!
aaa authentication ppp hydra group radius
aaa authorization network hydra group radius
aaa authorization subscriber-service default local group radius
aaa authorization subscriber-service hydra local
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network hydra
 action-type start-stop
 group radius
!
aaa nas port extended
!
aaa server radius dynamic-author
 client x.x.x.x server-key testing123
 auth-type any
 ignore session-key
 ignore server-key
!
aaa session-id common
aaa policy interface-config allow-subinterface
clock timezone IRI 3 30
clock summer-time IRI recurring
!
no ip domain lookup
ip domain name test.com
ip name-server 8.8.8.8
ip multicast-routing distributed
ip accounting-threshold 200000
!
subscriber authorization enable
!
mpls label protocol ldp
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
!
username x.x.x.x privilege 15 password 0 x.x.x.x
!
redundancy
 mode none
!
ip tftp source-interface GigabitEthernet0
ip tftp blocksize 8192
ip ssh version 2
!
bba-group pppoe global
 virtual-template 1
 sessions max limit 64000
 sessions per-vc limit 64000
 sessions per-mac limit 64000
 sessions per-vlan limit 64000 inner 64000
 sessions auto cleanup
!
interface Loopback1
 ip address x.x.x.x 255.255.255.255
 ip nat outside
!
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/0.121
 encapsulation dot1Q 121
 pppoe enable group global
!
interface GigabitEthernet0/0/0.2009
 encapsulation dot1Q 2009
 ip address x.x.x.x 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/0/1
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface TenGigabitEthernet0/1/0
 no ip address
 shutdown
!
interface TenGigabitEthernet0/2/0
 no ip address
 shutdown
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Virtual-Template1
 mtu 1460
 ip unnumbered GigabitEthernet0/0/0.2009
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip flow ingress
 ip flow egress
 ip tcp adjust-mss 1320
 no logging event link-status
 peer default ip address pool DefaultPool
 keepalive 60
 ppp authentication pap hydra
 ppp authorization hydra
 ppp accounting hydra
 ppp ipcp dns 8.8.8.8
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip local pool DefaultPool 10.0.0.1 10.0.0.254
ip nat pool p1 x.x.x.x x.x.x.x netmask 255.255.255.252
ip nat outside source list 10 interface Loopback1 overload
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip access-list extended L4REDIRECT
 deny tcp any host 2.2.2.2 eq www
 deny tcp host 2.2.2.2 any eq www
 deny udp any any eq domain
 permit tcp any any eq www
 deny ip any any
ip access-list extended all
 permit ip any any
!
ip radius source-interface Loopback1
access-list 10 permit 10.0.0.0 0.0.0.255
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf lower-case
radius-server host x.x.x.x auth-port 1812 acct-port 1813
radius-server source-ports extended
radius-server retransmit 2
radius-server timeout 3
radius-server unique-ident 22
radius-server key testing123
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
line con 0
 privilege level 15
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 password x.x.x.x
 login authentication local
 transport input ssh
line vty 5 15
 privilege level 15
 password x.x.x.x
 login authentication local
 transport input ssh
!
end
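Before pushing a redirect policy it helps to check what the ACLs actually select. The following Python is an added example (not part of the original configurations) that evaluates the 7206's access-list 197 and the ASR's named L4REDIRECT ACL with Cisco first-match semantics over a few constructed subscriber flows; the web-server address 198.51.100.10 and the source ports are made-up sample values.

```python
import ipaddress

PORT_NAMES = {"www": 80, "domain": 53}  # port keywords used in the ACLs above

def _endpoint(t, i):
    """Parse '<any | host A | A wildcard> [eq port]' at t[i] -> (network, port|None, next index)."""
    if t[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif t[i] == "host":
        net, i = ipaddress.ip_network(t[i + 1]), i + 2
    else:  # Cisco wildcard mask: ipaddress accepts a hostmask in place of a netmask
        net, i = ipaddress.ip_network((t[i], t[i + 1]), strict=False), i + 2
    if i < len(t) and t[i] == "eq":
        return net, PORT_NAMES.get(t[i + 1], int(t[i + 1]) if t[i + 1].isdigit() else None), i + 2
    return net, None, i

def parse_ace(line):
    """'permit|deny <proto> <src> [eq p] <dst> [eq p]' -> (permit, proto, src, sport, dst, dport)."""
    t = line.split()
    src, sport, i = _endpoint(t, 2)
    dst, dport, _ = _endpoint(t, i)
    return t[0] == "permit", t[1], src, sport, dst, dport

def matches(acl_lines, flow):
    """First-match evaluation with the implicit deny; flow = (proto, src, sport, dst, dport)."""
    proto, src, sport, dst, dport = flow
    for line in acl_lines:
        permit, aproto, asrc, asport, adst, adport = parse_ace(line)
        if (aproto in ("ip", proto) and ipaddress.ip_address(src) in asrc
                and ipaddress.ip_address(dst) in adst
                and asport in (None, sport) and adport in (None, dport)):
            return permit
    return False

# The redirect list (7206, access-list 197) and the traffic-class ACL (ASR, L4REDIRECT)
REDIRECT_LIST_197 = ["deny tcp any host 2.2.2.2 eq www", "permit tcp any any eq www",
                     "deny udp any any eq domain", "permit ip any any"]
ASR_L4REDIRECT = ["deny tcp any host 2.2.2.2 eq www", "deny tcp host 2.2.2.2 any eq www",
                  "deny udp any any eq domain", "permit tcp any any eq www", "deny ip any any"]

# Constructed sample flows from a subscriber address in DefaultPool
FLOWS = {"portal": ("tcp", "10.0.0.7", 40001, "2.2.2.2", 80),
         "web": ("tcp", "10.0.0.7", 40002, "198.51.100.10", 80),
         "dns": ("udp", "10.0.0.7", 40003, "8.8.8.8", 53),
         "https": ("tcp", "10.0.0.7", 40004, "198.51.100.10", 443)}

def redirected(acl_lines, flows=FLOWS):
    """Which sample flows hit a permit entry (i.e. get redirected / placed in the class)."""
    return {name: matches(acl_lines, f) for name, f in flows.items()}
```

The results differ on the HTTPS flow: list 197 ends in "permit ip any any", so it matches that flow too, while the ASR's class ends in "deny ip any any" and leaves non-HTTP traffic to the service's "default drop" rule.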
FreeRADIUS (SQL tables):
select * from radgroupreply;
 id  | groupname | attribute             | op | value
-----+-----------+-----------------------+----+----------------------------------
 219 | 18        | Idle-Timeout          | =  | 14400
 220 | 18        | Framed-Protocol       | =  | PPP
 221 | 18        | Service-Type          | =  | Framed-User
 226 | 18        | Cisco-AVPair          | += | subscriber:accounting-list=hydra
 227 | 18        | Acct-Interim-Interval | =  | 60
 228 | 18        | Cisco-Account-Info    | += | AL4REDIRECT
 232 | 18        | Cisco-Account-Info    | += | AISG_p8_all_2M_2M

select * from radreply;
 id  | username         | attribute             | op | value
-----+------------------+-----------------------+----+------------------------------------------------------------------
  90 | mehdi            | Framed-IP-Address     | =  | 10.0.0.1
  82 | L4REDIRECT       | Acct-Interim-Interval | =  | 60
  87 | L4REDIRECT       | Cisco-AVPair          | += | ip:traffic-class=input default drop
  86 | L4REDIRECT       | Cisco-AVPair          | += | ip:traffic-class=output default drop
  83 | L4REDIRECT       | Cisco-AVPair          | += | subscriber:accounting-list=hydra
  89 | L4REDIRECT       | Cisco-Service-Info    | += | QU;2097152;D;2097152
  85 | L4REDIRECT       | Cisco-AVPair          | += | ip:traffic-class=input access-group name L4REDIRECT priority 15
  84 | L4REDIRECT       | Cisco-AVPair          | += | ip:traffic-class=output access-group name L4REDIRECT priority 15
  88 | L4REDIRECT       | Cisco-Service-Info    | := | IL4REDIRECT
  96 | L4REDIRECT       | Cisco-AVPair          | += | ip:l4redirect=redirect to ip 2.2.2.2 port 80
  97 | ISG_p8_all_2M_2M | Acct-Interim-Interval | =  | 60
  98 | ISG_p8_all_2M_2M | Cisco-AVPair          | += | subscriber:accounting-list=hydra
  99 | ISG_p8_all_2M_2M | Cisco-AVPair          | += | ip:traffic-class=output access-group name all priority 15
 100 | ISG_p8_all_2M_2M | Cisco-AVPair          | += | ip:traffic-class=input access-group name all priority 15
 101 | ISG_p8_all_2M_2M | Cisco-AVPair          | += | ip:traffic-class=output default drop
 102 | ISG_p8_all_2M_2M | Cisco-AVPair          | += | ip:traffic-class=input default drop
 103 | ISG_p8_all_2M_2M | Cisco-Service-Info    | := | IISG_p8_all_2M_2M
 104 | ISG_p8_all_2M_2M | Cisco-Service-Info    | += | QU;2097152;D;2097152
RADIUS debug:
rad_recv: Access-Request packet from host x.x.x.x port 21666, id=85, length=205
    Framed-Protocol = PPP
    User-Name = "mehdi"
    User-Password = "x.x.x.x"
    NAS-Port-Type = Virtual
    Cisco-NAS-Port = "0/0/0/121"
    NAS-Port = 0
    NAS-Port-Id = "0/0/0/121"
    Cisco-AVPair = "client-mac-address=e48d.8c44.26d0"
    Service-Type = Framed-User
    NAS-IP-Address = x.x.x.x
    Acct-Session-Id = "160000000000417B"
    NAS-Identifier = "ASR"
Sending Access-Accept of id 85 to x.x.x.x port 21666
    Service-Type = Framed-User
    Acct-Interim-Interval = 60
    Idle-Timeout = 14400
    Framed-Protocol = PPP
    Framed-IP-Address = 10.0.0.1
    Cisco-Account-Info += "AL4REDIRECT"
    Cisco-Account-Info += "AISG_p8_all_2M_2M"
    Cisco-AVPair = "subscriber:accounting-list=hydra"
rad_recv: Access-Request packet from host x.x.x.x port 21666, id=86, length=210
    User-Password = "cisco"
    User-Name = "ISG_p8_all_2M_2M"
    NAS-Port-Type = Virtual
    Cisco-NAS-Port = "0/0/0/121"
    NAS-Port = 0
    NAS-Port-Id = "0/0/0/121"
    Cisco-AVPair = "client-mac-address=e48d.8c44.26d0"
    Service-Type = Outbound-User
    NAS-IP-Address = x.x.x.x
    Acct-Session-Id = "160000000000417B"
    NAS-Identifier = "ASR"
Sending Access-Accept of id 86 to x.x.x.x port 21666
    Cisco-Service-Info += "IISG_p8_all_2M_2M"
    Cisco-Service-Info += "QU;2097152;D;2097152"
    Acct-Interim-Interval = 60
    Cisco-AVPair += "subscriber:accounting-list=hydra"
    Cisco-AVPair += "ip:traffic-class=output access-group name all priority 15"
    Cisco-AVPair += "ip:traffic-class=input access-group name all priority 15"
    Cisco-AVPair += "ip:traffic-class=output default drop"
    Cisco-AVPair += "ip:traffic-class=input default drop"
rad_recv: Access-Request packet from host x.x.x.x port 21666, id=87, length=204
    User-Password = "cisco"
    User-Name = "L4REDIRECT"
    NAS-Port-Type = Virtual
    Cisco-NAS-Port = "0/0/0/121"
    NAS-Port = 0
    NAS-Port-Id = "0/0/0/121"
    Cisco-AVPair = "client-mac-address=e48d.8c44.26d0"
    Service-Type = Outbound-User
    NAS-IP-Address = x.x.x.x
    Acct-Session-Id = "160000000000417B"
    NAS-Identifier = "ASR"
Sending Access-Accept of id 87 to x.x.x.x port 21666
    Cisco-Service-Info += "IL4REDIRECT"
    Cisco-Service-Info += "QU;2097152;D;2097152"
    Acct-Interim-Interval = 60
    Cisco-AVPair += "subscriber:accounting-list=hydra"
    Cisco-AVPair += "ip:traffic-class=output access-group name L4REDIRECT priority 15"
    Cisco-AVPair += "ip:traffic-class=input access-group name L4REDIRECT priority 15"
    Cisco-AVPair += "ip:traffic-class=output default drop"
    Cisco-AVPair += "ip:traffic-class=input default drop"
    Cisco-AVPair += "ip:l4redirect=redirect to ip 2.2.2.2 port 80"
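Both debug traces (7206 and ASR) show the same two-step pattern: the subscriber's Access-Accept carries Cisco-Account-Info values prefixed with "A", and the NAS then requests each named service with Service-Type = Outbound-User and the service password before applying the returned VSAs. The Python below is an added example, not code from the original page or from FreeRADIUS, that replays that walk and decodes the VSAs; its service profiles are constructed from the ASR's radreply rows above.

```python
import re

# Service profiles, constructed from the ASR's radreply rows, keyed by the service User-Name
SERVICE_PROFILES = {
    "L4REDIRECT": [
        ("Cisco-Service-Info", "IL4REDIRECT"),
        ("Cisco-Service-Info", "QU;2097152;D;2097152"),
        ("Cisco-AVPair", "ip:traffic-class=input access-group name L4REDIRECT priority 15"),
        ("Cisco-AVPair", "ip:traffic-class=input default drop"),
        ("Cisco-AVPair", "ip:l4redirect=redirect to ip 2.2.2.2 port 80"),
    ],
    "ISG_p8_all_2M_2M": [
        ("Cisco-Service-Info", "IISG_p8_all_2M_2M"),
        ("Cisco-Service-Info", "QU;2097152;D;2097152"),
        ("Cisco-AVPair", "ip:traffic-class=input access-group name all priority 15"),
    ],
}

# The subscriber's Access-Accept (id=85 in the debug); the "A" prefix means auto-activate
USER_ACCEPT = [("Framed-IP-Address", "10.0.0.1"),
               ("Cisco-Account-Info", "AL4REDIRECT"),
               ("Cisco-Account-Info", "AISG_p8_all_2M_2M")]

def auto_services(accept):
    """Service names ISG will download: Cisco-Account-Info values prefixed with 'A'."""
    return [v[1:] for a, v in accept if a == "Cisco-Account-Info" and v.startswith("A")]

def service_request(name):
    """The per-service Access-Request ISG sends next (ids 86 and 87 in the debug)."""
    return {"User-Name": name, "User-Password": "cisco", "Service-Type": "Outbound-User"}

def parse_service(avps):
    """Decode a service profile's VSAs into a policy dict."""
    pol = {"classes": [], "redirect": None, "rate": None}
    for attr, val in avps:
        if attr == "Cisco-Service-Info" and val.startswith("QU;"):
            _, up, _, down = val.split(";")   # QU;<upstream bps>;D;<downstream bps>
            pol["rate"] = (int(up), int(down))
        elif attr == "Cisco-AVPair" and val.startswith("ip:traffic-class="):
            direction, rule = val[len("ip:traffic-class="):].split(" ", 1)
            pol["classes"].append((direction, rule))   # e.g. ("input", "default drop")
        elif attr == "Cisco-AVPair" and val.startswith("ip:l4redirect="):
            m = re.fullmatch(r"ip:l4redirect=redirect(?: list (\S+))? to ip (\S+) port (\d+)", val)
            pol["redirect"] = {"list": m[1], "ip": m[2], "port": int(m[3])}
    return pol

def activate(accept, profiles=SERVICE_PROFILES):
    """Replay the exchange: user accept -> one service request each -> decoded policies."""
    return {req["User-Name"]: parse_service(profiles[req["User-Name"]])
            for req in map(service_request, auto_services(accept))}
```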
By: Mehdi Sadighian
Contact: mehdi.sadighian@hotmail.com, Telegram: http://t.me/mehdi_sadighian
Tags: cisco, asr, asr1k, asr 1000, asr1002, asr1002x, 7206, 7206vxr, 7200, freeradius, ISG, L4redirect, L4 redirect, class push