assume my user’s username is “mehdi”

user “mehdi” is a member of group “13”

i want to activate service “L4REDIRECT” for user “mehdi” so user “mehdi” will be redirected to web portal to pay the invoice

my web portal is 2.2.2.2 port 80 , dns will be work normally

Cisco 7206 VXR:

Cisco:

 

aaa new-model
!
!
aaa authentication ppp hydra group radius
aaa authorization network hydra group radius
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network hydra
action-type start-stop
group radius
!
!
!
!
!
aaa server radius dynamic-author
client x.x.x.x server-key testing123
auth-type any
ignore session-key
ignore server-key
!
aaa session-id unique
clock timezone IRI 3 30
clock summer-time IRI recurring
!
!
!
!
!
!
no ip domain lookup
ip domain name test.com
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
!
mpls label protocol ldp
multilink bundle-name authenticated
vpdn enable
bba-group pppoe global
virtual-template 1
vendor-tag remote-id service
sessions max limit 30000
sessions per-vlan limit 30000
sessions auto cleanup
!
!
interface GigabitEthernet0/1
ip address x.x.x.x 255.255.255.192
ip nat outside
media-type rj45
speed auto
duplex auto
negotiation auto
pppoe enable group global
no cdp enable
!
interface Virtual-Template1
mtu 1460
ip unnumbered GigabitEthernet0/1
ip nat inside
ip tcp adjust-mss 1320
no logging event link-status
peer default ip address pool DefaultPool
ppp encrypt mppe auto
ppp authentication pap hydra
ppp authorization hydra
ppp accounting hydra
ppp timeout idle 3200
!
ip local pool DefaultPool 10.0.0.1 10.0.0.254
ip local pool FAILED-POOL 20.20.20.1 20.20.20.254
ip nat pool p1 x.x.x.x x.x.x.x netmask 255.255.255.252
ip nat inside source list 10 interface GigabitEthernet0/1 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip access-list extended L4REDIRECT
permit ip any any
ip access-list extended LOCAL
permit ip any 172.31.31.0 0.0.0.255
permit ip 172.31.31.0 0.0.0.255 any
deny   ip any any
ip access-list extended all
permit ip any any
ip radius source-interface GigabitEthernet0/1
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit 20.20.20.0 0.0.0.255
access-list 197 deny   tcp any host 2.2.2.2 eq www
access-list 197 permit tcp any any eq www
access-list 197 deny   udp any any eq domain
access-list 197 permit ip any any
no cdp run
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 8 include-in-access-req
radius-server host x.x.x.x auth-port 1812 acct-port 1813
radius-server source-ports extended
radius-server timeout 10
radius-server unique-ident 15
radius-server key testing123
radius-server vsa send accounting
radius-server vsa send authentication

 

Freeradius:

 

select * from radcheck;

id |  username  |       attribute       | op |                              value
—--+------------+-----------------------+----+------------------------------------------------------------------
12 | L4REDIRECT      | Cleartext-Password | := | cisco
15 | mehdi           | Cleartext-Password | := | 123

 


select * from radreply;

id |  username  |       attribute       | op |                              value
—--+------------+-----------------------+----+------------------------------------------------------------------
143 | mehdi        | Cisco-AVPair          | += | subscriber:accounting-list=hydra | Cisco-ISG
144 | mehdi        | Acct-Interim-Interval | =  | 60                               | Cisco-ISG
145 | mehdi        | Cisco-Account-Info    | += | AL4REDIRECT                      | Cisco-ISG
154 | mehdi        | Cisco-AVpair          | += | ip:addr-pool=FAILED-POOL         | Cisco-ISG
63 | L4REDIRECT | Cisco-AVPair          | += | ip:l4redirect=redirect list 197 to ip 2.2.2.2 port 80
51 | L4REDIRECT | Acct-Interim-Interval | =  | 60
52 | L4REDIRECT | Cisco-AVPair          | += | subscriber:accounting-list=hydra
55 | L4REDIRECT | Cisco-AVPair          | += | ip:traffic-class=output default drop
56 | L4REDIRECT | Cisco-AVPair          | += | ip:traffic-class=input default drop
58 | L4REDIRECT | Cisco-Service-Info    | += | QU;2097152;D;2097152
57 | L4REDIRECT | Cisco-Service-Info    | := | L4REDIRECT
54 | L4REDIRECT | Cisco-AVPair          | += | ip:traffic-class=input access-group name L4REDIRECT priority 15
53 | L4REDIRECT | Cisco-AVPair          | += | ip:traffic-class=output access-group name L4REDIRECT priority 15

Radius DEBUG:

 

 

rad_recv: Access-Request packet from host x.x.x.x port 21647, id=97, length=143
Framed-Protocol = PPP
User-Name = "mehdi"
User-Password = "123"
NAS-Port-Type = Virtual
NAS-Port = 0
NAS-Port-Id = "0/0/1/0"
Cisco-AVPair = "client-mac-address=0026.1805.8749"
Service-Type = Framed-User
NAS-IP-Address = x.x.x.x
Acct-Session-Id = "0F00000000000399"

 

Sending Access-Accept of id 97 to x.x.x.x port 21647
Acct-Interim-Interval = 60
Cisco-Account-Info = "AL4REDIRECT"
Service-Type = Framed-User
Framed-Protocol = PPP
Idle-Timeout = 14400
Cisco-AVPair += "subscriber:accounting-list=hydra"
Cisco-AVPair += "ip:addr-pool=FAILED-POOL"

 

rad_recv: Access-Request packet from host x.x.x.x port 21647, id=98, length=142
User-Password = "cisco"
User-Name = "L4REDIRECT"
NAS-Port-Type = Virtual
NAS-Port = 0
NAS-Port-Id = "0/0/1/0"
Cisco-AVPair = "client-mac-address=0026.1805.8749"
Service-Type = Outbound-User
NAS-IP-Address = x.x.x.x
Acct-Session-Id = "0F00000000000399"


Sending Access-Accept of id 98 to x.x.x.x port 21647
Acct-Interim-Interval = 60
Cisco-Service-Info += "L4REDIRECT"
Cisco-Service-Info += "QU;2097152;D;2097152"
Cisco-AVPair += "subscriber:accounting-list=hydra"
Cisco-AVPair += "ip:traffic-class=output access-group name L4REDIRECT priority 15"
Cisco-AVPair += "ip:traffic-class=input access-group name L4REDIRECT priority 15"
Cisco-AVPair += "ip:traffic-class=output default drop"
Cisco-AVPair += "ip:traffic-class=input default drop"
Cisco-AVPair += "ip:l4redirect=redirect list 197 to ip 2.2.2.2 port 80"

 

Cisco ASR:

hostname ASR1002
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
aaa new-model
!
!
aaa authentication ppp hydra group radius
aaa authorization network hydra group radius
aaa authorization subscriber-service default local group radius
aaa authorization subscriber-service hydra local
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network hydra
action-type start-stop
group radius
!
!
aaa nas port extended
!
!
!
aaa server radius dynamic-author
client x.x.x.x server-key testing123
auth-type any
ignore session-key
ignore server-key
!
aaa session-id common
aaa policy interface-config allow-subinterface
clock timezone IRI 3 30
clock summer-time IRI recurring
!
!
!
no ip domain lookup
ip domain name test.com
ip name-server 8.8.8.8
ip multicast-routing distributed
ip accounting-threshold 200000
!
!
!
!
!
subscriber authorization enable
!
mpls label protocol ldp
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username x.x.x.x privilege 15 password 0 x.x.x.x
!
redundancy
mode none
!
!
!
ip tftp source-interface GigabitEthernet0
ip tftp blocksize 8192
ip ssh version 2
!
!
!
!
!
!
!
!
!
!
!
!
bba-group pppoe global
virtual-template 1
sessions max limit 64000
sessions per-vc limit 64000
sessions per-mac limit 64000
sessions per-vlan limit 64000 inner 64000
sessions auto cleanup
!
!
interface Loopback1
ip address x.x.x.x 255.255.255.255
ip nat outside
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/0/0.121
encapsulation dot1Q 121
pppoe enable group global
!
interface GigabitEthernet0/0/0.2009
encapsulation dot1Q 2009
ip address x.x.x.x 255.255.255.252
ip nat outside
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface TenGigabitEthernet0/1/0
no ip address
shutdown
!
interface TenGigabitEthernet0/2/0
no ip address
shutdown
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Virtual-Template1
mtu 1460
ip unnumbered GigabitEthernet0/0/0.2009
no ip unreachables
no ip proxy-arp
ip nat inside
ip flow ingress
ip flow egress
ip tcp adjust-mss 1320
no logging event link-status
peer default ip address pool DefaultPool
keepalive 60
ppp authentication pap hydra
ppp authorization hydra
ppp accounting hydra
ppp ipcp dns 8.8.8.8
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip local pool DefaultPool 10.0.0.1 10.0.0.254
ip nat pool p1 x.x.x.x x.x.x.x netmask 255.255.255.252
ip nat outside source list 10 interface Loopback1 overload
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip access-list extended L4REDIRECT
deny   tcp any host 2.2.2.2 eq www
deny   tcp host 2.2.2.2 any eq www
deny   udp any any eq domain
permit tcp any any eq www
deny   ip any any

ip access-list extended all
permit ip any any
!
ip radius source-interface Loopback1
access-list 10 permit 10.0.0.0 0.0.0.255
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf lower-case
radius-server host x.x.x.x auth-port 1812 acct-port 1813
radius-server source-ports extended
radius-server retransmit 2
radius-server timeout 3
radius-server unique-ident 22
radius-server key testing123
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
!
!
control-plane
!
!
!
!
!
line con 0
privilege level 15
stopbits 1
line aux 0
stopbits 1
line vty 0 4
privilege level 15
password x.x.x.x
login authentication local
transport input ssh
line vty 5 15
privilege level 15
password x.x.x.x
login authentication local
transport input ssh
!
!
end

 

radius :

 

select * from radgroupreply;
id  | groupname |       attribute       | op |                                                   value
-----+-----------+-----------------------+----+-----------------------------------------------------------------------------------------------------------+-----------------------------
219 | 18        | Idle-Timeout          | =  | 14400
220 | 18        | Framed-Protocol       | =  | PPP
221 | 18        | Service-Type          | =  | Framed-User
226 | 18        | Cisco-AVPair          | += | subscriber:accounting-list=hydra
227 | 18        | Acct-Interim-Interval | =  | 60
228 | 18        | Cisco-Account-Info    | += | AL4REDIRECT
232 | 18        | Cisco-Account-Info    | += | AISG_p8_all_2M_2M

 

 

select * from  radreply;
id  |     username     |       attribute       | op |                              value
-----+------------------+-----------------------+----+------------------------------------------------------------------
90 | mehdi            | Framed-IP-Address     | =  | 10.0.0.1
82 | L4REDIRECT       | Acct-Interim-Interval | =  | 60
87 | L4REDIRECT       | Cisco-AVPair          | += | ip:traffic-class=input default drop
86 | L4REDIRECT       | Cisco-AVPair          | += | ip:traffic-class=output default drop
83 | L4REDIRECT       | Cisco-AVPair          | += | subscriber:accounting-list=hydra
89 | L4REDIRECT       | Cisco-Service-Info    | += | QU;2097152;D;2097152
85 | L4REDIRECT       | Cisco-AVPair          | += | ip:traffic-class=input access-group name L4REDIRECT priority 15
84 | L4REDIRECT       | Cisco-AVPair          | += | ip:traffic-class=output access-group name L4REDIRECT priority 15
88 | L4REDIRECT       | Cisco-Service-Info    | := | IL4REDIRECT
96 | L4REDIRECT       | Cisco-AVPair          | += | ip:l4redirect=redirect to ip 2.2.2.2 port 80
97 | ISG_p8_all_2M_2M | Acct-Interim-Interval | =  | 60
98 | ISG_p8_all_2M_2M | Cisco-AVPair          | += | subscriber:accounting-list=hydra
99 | ISG_p8_all_2M_2M | Cisco-AVPair          | += | ip:traffic-class=output access-group name all priority 15
100 | ISG_p8_all_2M_2M | Cisco-AVPair          | += | ip:traffic-class=input access-group name all priority 15
101 | ISG_p8_all_2M_2M | Cisco-AVPair          | += | ip:traffic-class=output default drop
102 | ISG_p8_all_2M_2M | Cisco-AVPair          | += | ip:traffic-class=input default drop
103 | ISG_p8_all_2M_2M | Cisco-Service-Info    | := | IISG_p8_all_2M_2M
104 | ISG_p8_all_2M_2M | Cisco-Service-Info    | += | QU;2097152;D;2097152

 

Radius DEBUG:

 

 

rad_recv: Access-Request packet from host x.x.x.x port 21666, id=85, length=205
Framed-Protocol = PPP
User-Name = "mehdi"
User-Password = "x.x.x.x"
NAS-Port-Type = Virtual
Cisco-NAS-Port = "0/0/0/121"
NAS-Port = 0
NAS-Port-Id = "0/0/0/121"
Cisco-AVPair = "client-mac-address=e48d.8c44.26d0"
Service-Type = Framed-User
NAS-IP-Address = x.x.x.x
Acct-Session-Id = "160000000000417B"
NAS-Identifier = "ASR"

Sending Access-Accept of id 85 to x.x.x.x port 21666
Service-Type = Framed-User
Acct-Interim-Interval = 60
Idle-Timeout = 14400
Framed-Protocol = PPP
Framed-IP-Address = 10.0.0.1
Cisco-Account-Info += "AL4REDIRECT"
Cisco-Account-Info += "AISG_p8_all_2M_2M"
Cisco-AVPair = "subscriber:accounting-list=hydra"

rad_recv: Access-Request packet from host x.x.x.x port 21666, id=86, length=210
User-Password = "cisco"
User-Name = "ISG_p8_all_2M_2M"
NAS-Port-Type = Virtual
Cisco-NAS-Port = "0/0/0/121"
NAS-Port = 0
NAS-Port-Id = "0/0/0/121"
Cisco-AVPair = "client-mac-address=e48d.8c44.26d0"
Service-Type = Outbound-User
NAS-IP-Address = x.x.x.x
Acct-Session-Id = "160000000000417B"
NAS-Identifier = "ASR"

Sending Access-Accept of id 86 to x.x.x.x port 21666
Cisco-Service-Info += "IISG_p8_all_2M_2M"
Cisco-Service-Info += "QU;2097152;D;2097152"
Acct-Interim-Interval = 60
Cisco-AVPair += "subscriber:accounting-list=hydra"
Cisco-AVPair += "ip:traffic-class=output access-group name all priority 15"
Cisco-AVPair += "ip:traffic-class=input access-group name all priority 15"
Cisco-AVPair += "ip:traffic-class=output default drop"
Cisco-AVPair += "ip:traffic-class=input default drop"

rad_recv: Access-Request packet from host x.x.x.x port 21666, id=87, length=204
User-Password = "cisco"
User-Name = "L4REDIRECT"
NAS-Port-Type = Virtual
Cisco-NAS-Port = "0/0/0/121"
NAS-Port = 0
NAS-Port-Id = "0/0/0/121"
Cisco-AVPair = "client-mac-address=e48d.8c44.26d0"
Service-Type = Outbound-User
NAS-IP-Address = x.x.x.x
Acct-Session-Id = "160000000000417B"
NAS-Identifier = "ASR"

Sending Access-Accept of id 87 to x.x.x.x port 21666
Cisco-Service-Info += "IL4REDIRECT"
Cisco-Service-Info += "QU;2097152;D;2097152"
Acct-Interim-Interval = 60
Cisco-AVPair += "subscriber:accounting-list=hydra"
Cisco-AVPair += "ip:traffic-class=output access-group name L4REDIRECT priority 15"
Cisco-AVPair += "ip:traffic-class=input access-group name L4REDIRECT priority 15"
Cisco-AVPair += "ip:traffic-class=output default drop"
Cisco-AVPair += "ip:traffic-class=input default drop"
Cisco-AVPair += "ip:l4redirect=redirect to ip 2.2.2.2 port 80"

 

By: Mehdi Sadighian
Contact: mehdi.sadighian@hotmail.com telegram:http://t.me/mehdi_sadighian
TAG: cisco,asr,asr1k,asr 1000,asr1002,asr1002x,7206,7206vxr,7200,freeradius ,ISG,L4redirect,L4 redirect