Building configuration...

Current configuration : 4657 bytes
!
! Last configuration change at 20:48:59 UTC Mon Jan 15 2007 by cisco
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname Cisco-BRAS
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 *********
!
aaa new-model
!
!
aaa group server radius hydra
 server 192.168.0.100 auth-port 1812 acct-port 1813
!
aaa authentication ppp hydra group hydra
aaa authorization prepaid hydra group hydra
aaa authorization network hydra group hydra
aaa authorization subscriber-service hydra local group hydra
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network hydra start-stop group hydra
!
aaa nas port extended
!
!
!
aaa server radius dynamic-author
 client 192.168.0.100 server-key cisco
 auth-type any
 ignore session-key
!
aaa session-id unique
!
!
!
!
!
!
ip domain name msadighian.com
ip cef
no ipv6 cef
!
subscriber feature prepaid HYDRA
 threshold time 0 seconds
 threshold volume 0 bytes
 interim-interval 1 minutes
 method-list author hydra
 method-list accounting hydra
 password cisco
!
subscriber authorization enable
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
!
!
!
!
!
!
!
!
username **** password 0 ****
username **** password 0 ****
redirect server-group BILLING
 server ip 87.234.11.2 port 80
!
!
!
!
!
!
ip ssh version 2
class-map type traffic match-any OPENGARDEN
 match access-group input name OPENGARDEN
 match access-group output name OPENGARDEN
!
class-map type traffic match-any L4-REDIRECT
 match access-group input name L4-REDIRECT
!
class-map type traffic match-any L4
!
class-map type traffic match-any INTERNAL
 match access-group input name INTERNAL
 match access-group output name INTERNAL
!
class-map type traffic match-any INTERNET
 match access-group input name INTERNET
 match access-group output name INTERNET
!
policy-map type service INTERNET__1024
 10 class type traffic INTERNET
  prepaid config HYDRA
  police input 1024000 1024000 1024000
  police output 1024000 1024000 1024000
 !
 class type traffic default in-out
  drop
!
!
policy-map type service INTERNAL__2048
 9 class type traffic INTERNAL
  prepaid config HYDRA
  police input 2048000 2048000 2048000
  police output 2048000 2048000 2048000
 !
 class type traffic default in-out
  drop
!
!
policy-map type service L4-REDIRECT__Unlimited
 99 class type traffic L4-REDIRECT
  redirect to group BILLING
 !
 class type traffic default in-out
  drop
!
!
policy-map type service OPENGARDEN__Unlimited
 100 class type traffic OPENGARDEN
 !
 class type traffic default in-out
  drop
!
!
!
!
policy-map type control ISG
 class type control always event session-start
  1 authenticate aaa list hydra
!
!
!
!
!
!
!
!
!
!
bba-group pppoe global
 virtual-template 1
 sessions auto cleanup
!
!
interface Loopback0
 no ip address
!
interface GigabitEthernet0/1
 description internet-side
 ip address 192.168.0.20 255.255.255.0
 media-type rj45
 speed auto
 duplex auto
 negotiation auto
!
interface FastEthernet0/2
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface GigabitEthernet0/2
 description user-side
 no ip address
 media-type rj45
 speed auto
 duplex auto
 negotiation auto
 pppoe enable group global
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 media-type rj45
 speed auto
 duplex auto
 negotiation auto
!
interface Virtual-Template1
 mtu 1460
 ip unnumbered GigabitEthernet0/1
 ip tcp adjust-mss 1320
 no logging event link-status
 peer default ip address pool DefaultPool
 ppp encrypt mppe auto
 ppp authentication chap pap hydra
 ppp authorization hydra
 ppp accounting hydra
 ppp ipcp dns 8.8.8.8
 service-policy type control ISG
!
ip local pool DefaultPool 10.0.0.1 10.0.0.254
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
ip access-list extended INTERNAL
 permit ip host 8.8.8.8 any
 permit ip any host 8.8.8.8
ip access-list extended INTERNET
 permit ip any any
ip access-list extended L4-REDIRECT
 deny tcp any host 87.234.11.2
 deny tcp host 87.234.11.2 any
 permit tcp any any eq www
ip access-list extended OPENGARDEN
 permit tcp any any eq www
 permit tcp any eq www any
 permit udp any any eq domain
 permit udp any eq domain any
!
ip radius source-interface GigabitEthernet0/1
!
!
radius-server host 192.168.0.100 auth-port 1812 acct-port 1813
radius-server key cisco
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 transport input all
line vty 5 15
 transport input all
!
!
end
Note:
1- Any traffic class other than INTERNET should have a higher priority than the INTERNET class. ISG evaluates a session's traffic classes in ascending sequence order, so a lower number means a higher priority; the INTERNET class is backed by "permit ip any any", so if it came first it would swallow the traffic the more specific classes are meant to handle. Example:
9 class type traffic INTERNAL
10 class type traffic INTERNET
INTERNAL has higher priority than INTERNET. In the configuration above the redirect and open-garden classes sit at 99 and 100, below INTERNET, so on a session that also has INTERNET__1024 active, HTTP is matched by INTERNET and is not redirected; the redirect to BILLING takes effect on sessions that carry only the L4-REDIRECT and OPENGARDEN services, as in the L4 redirect example.
2- policy-map type service INTERNET__1024: the name "INTERNET__1024" must be exactly the name the RADIUS server sends to the router in Cisco-Account-Info. The leading "A" is not part of the service name; it tells ISG to activate that service automatically when the session comes up. Example:
RADIUS:
Cisco-Account-Info += "AINTERNET__1024"
OR (older FreeRADIUS dictionaries use this name for the same attribute)
ssg-account-info += "AINTERNET__1024"
Router:
policy-map type service INTERNET__1024
 10 class type traffic INTERNET
  prepaid config HYDRA
  police input 1024000 1024000 1024000
  police output 1024000 1024000 1024000
 !
 class type traffic default in-out
  drop
3- The secrets in this sample are placeholders: the RADIUS key, the CoA server-key and the prepaid password are all the literal string "cisco", the local usernames are stored with "password 0" (cleartext), and the vty lines allow "transport input all" even though "ip ssh version 2" is configured. Replace the secrets, use "secret" instead of "password 0" for local users and restrict the vty lines to "transport input ssh" before putting this on a production BRAS.
L4 REDIRECT EXAMPLE:
RADIUS:
Sending Access-Accept of id 19 to 192.168.0.20 port 1645
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Idle-Timeout = 14400
        Cisco-AVPair = "subscriber:accounting-list=hydra"
        Cisco-Account-Info += "AL4-REDIRECT__Unlimited"
        Cisco-Account-Info += "AOPENGARDEN__Unlimited"
Router:
show redirect translations
Unlimited number of L4 Redirect allowed per session
Prot  Destination IP/Port     Server IP/Port
TCP   13.82.28.61 80          87.234.11.2 80
TCP   13.82.28.61 80          87.234.11.2 80
TCP   13.82.28.61 80          87.234.11.2 80
TCP   13.82.28.61 80          87.234.11.2 80
TCP   13.82.28.61 80          87.234.11.2 80
TCP   13.82.28.61 80          87.234.11.2 80
TCP   13.82.28.61 80          87.234.11.2 80
TCP   13.82.28.61 80          87.234.11.2 80
TCP   13.82.28.61 80          87.234.11.2 80
TCP   13.82.28.61 80          87.234.11.2 80
TCP   13.82.28.61 80          87.234.11.2 80
TCP   134.0.216.147 80        87.234.11.2 80
TCP   13.82.28.61 80          87.234.11.2 80
TCP   13.82.28.61 80          87.234.11.2 80
TCP   13.82.28.61 80          87.234.11.2 80
TCP   13.82.28.61 80          87.234.11.2 80
TCP   13.82.28.61 80          87.234.11.2 80
TCP   13.82.28.61 80          87.234.11.2 80
TCP   13.82.28.61 80          87.234.11.2 80
TCP   13.82.28.61 80          87.234.11.2 80
TCP   13.82.28.61 80          87.234.11.2 80
TCP   13.82.28.61 80          87.234.11.2 80
TCP   13.82.28.61 80          87.234.11.2 80
Total Number of Translations: 23
Highest number of L4 Redirect: 23 by session with source IP 10.0.0.2
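As an added example (not part of the original post or the author's setup), the script below applies notes 1 and 2 and the L4 redirect example to plain text: it parses the "policy-map type service" names and class sequence numbers out of a config excerpt, pulls the Cisco-Account-Info values out of FreeRADIUS debug output in the style of the Access-Accept above, reports every auto-activated service that has no policy-map of that exact name, lists the traffic classes in the order ISG evaluates them, and builds the RFC 2865 Vendor-Specific bytes that carry Cisco-Account-Info on the wire (Cisco vendor ID 9, vendor-type 250 as in the FreeRADIUS dictionary.cisco, the attribute older dictionaries name ssg-account-info; check those numbers against your own dictionary). The config and Access-Accept inputs are constructed excerpts, and the misspelled AINTERNET_1024 line is planted so that the mismatch check has something to catch.

```python
"""Cross-check ISG service policy-maps against a RADIUS Access-Accept."""
import re
import struct

CISCO_VENDOR_ID = 9        # IANA enterprise number in Cisco VSAs
CISCO_ACCOUNT_INFO = 250   # vendor-type of Cisco-Account-Info (ssg-account-info)
CISCO_AVPAIR = 1           # vendor-type of Cisco-AVPair

# Constructed excerpt of the running-config above (not read from a device).
RUNNING_CONFIG = """\
policy-map type service INTERNET__1024
 10 class type traffic INTERNET
  prepaid config HYDRA
  police input 1024000 1024000 1024000
  police output 1024000 1024000 1024000
 !
 class type traffic default in-out
  drop
!
policy-map type service INTERNAL__2048
 9 class type traffic INTERNAL
  prepaid config HYDRA
!
policy-map type service L4-REDIRECT__Unlimited
 99 class type traffic L4-REDIRECT
  redirect to group BILLING
!
policy-map type service OPENGARDEN__Unlimited
 100 class type traffic OPENGARDEN
!
"""

# Constructed FreeRADIUS debug lines; the last one has a single underscore on
# purpose, so that unknown_services() has a mismatch to report.
ACCESS_ACCEPT = """\
Sending Access-Accept of id 19 to 192.168.0.20 port 1645
        Service-Type = Framed-User
        Cisco-AVPair = "subscriber:accounting-list=hydra"
        Cisco-Account-Info += "AL4-REDIRECT__Unlimited"
        Cisco-Account-Info += "AOPENGARDEN__Unlimited"
        Cisco-Account-Info += "AINTERNET_1024"
"""


def parse_service_policies(config):
    """Return {policy_name: {traffic_class: sequence}} from IOS config text."""
    policies, current = {}, None
    for line in config.splitlines():
        head = re.match(r"policy-map type service (\S+)", line)
        if head:
            current = policies.setdefault(head.group(1), {})
            continue
        if not line.startswith(" "):
            current = None          # a column-0 line ends the policy-map block
            continue
        cls = re.match(r"\s+(\d+) class type traffic (\S+)", line)
        if cls and current is not None:
            current[cls.group(2)] = int(cls.group(1))
    return policies


def parse_activated_services(accept):
    """Names RADIUS auto-activates: Cisco-Account-Info values carrying the 'A' prefix."""
    values = re.findall(r'(?:Cisco|ssg)-[Aa]ccount-[Ii]nfo\s*\+?=\s*"([^"]*)"', accept)
    return [v[1:] for v in values if v.startswith("A")]


def unknown_services(config, accept):
    """Activated names with no 'policy-map type service' of that exact name (note 2)."""
    known = set(parse_service_policies(config))
    return [name for name in parse_activated_services(accept) if name not in known]


def classification_order(config):
    """Traffic classes in the order ISG tries them: lowest sequence number first (note 1)."""
    seq = {}
    for classes in parse_service_policies(config).values():
        seq.update(classes)
    return sorted(seq, key=seq.get)


def encode_cisco_vsa(vendor_type, value):
    """RFC 2865 Vendor-Specific (type 26) wrapping one Cisco vendor attribute."""
    data = value.encode()
    inner = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    return struct.pack("!BBI", 26, 6 + len(inner), CISCO_VENDOR_ID) + inner


def decode_cisco_vsa(raw):
    """Inverse of encode_cisco_vsa; returns (vendor_type, value) or raises ValueError."""
    attr_type, length, vendor = struct.unpack("!BBI", raw[:6])
    if attr_type != 26 or vendor != CISCO_VENDOR_ID or length != len(raw):
        raise ValueError("not a single Cisco VSA")
    vendor_type, vendor_len = struct.unpack("!BB", raw[6:8])
    if vendor_len != length - 6:
        raise ValueError("bad vendor-length")
    return vendor_type, raw[8:length].decode()


if __name__ == "__main__":
    print("evaluation order:", classification_order(RUNNING_CONFIG))
    print("unknown services:", unknown_services(RUNNING_CONFIG, ACCESS_ACCEPT))
    print("VSA bytes:", encode_cisco_vsa(CISCO_ACCOUNT_INFO, "AINTERNET__1024").hex())
```

Run it against your own "show running-config" and the radiusd -X output for a test subscriber; an entry under "unknown services" is a service ISG will silently fail to install, which on this setup shows up as a subscriber who authenticates but gets no bandwidth policy or no redirect.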
By: Mehdi Sadighian
Contact: mehdi.sadighian@hotmail.com, Telegram: http://t.me/mehdi_sadighian
TAG: Cisco ISG, ISG prepaid, Cisco BRAS ISG Prepaid, 7206, 7200, ASR, ASR1002, ASR 1000