Integration consists of the following steps:
- Configuring services / policies / profiles on the equipment
- Configuring the event_inc.sh script on Ideco ACP to forward the required commands
- Creating and configuring RADIUS attributes in the users' tariffs
Warning!
The examples provided are not guaranteed to work; using them to configure your own equipment without understanding how they work is not recommended.
They are provided solely to illustrate how Ideco ACP works with third-party equipment.
Equipment configuration (Cisco 7204 with the ISG module)
```
class-map type traffic match-any Redir_to_web
 match access-group input 101
!
class-map type traffic match-any to_Portal
 match access-group input 103
!
class-map type traffic match-any Redirect_DNS
 match access-group input 104
!
class-map type control match-all USER_DROP
 match authen-status unauthenticated
 match timer 5Min
!
class-map match-all NOT_SHAPE_TRF
 match access-group 130
policy-map type service NOMONEY
 class type traffic Redir_to_web
  redirect to group REDIRECT
 !
policy-map type service L4REDIRECT_to_DNS
 class type traffic Redirect_DNS
  redirect to group REDIRECT_DNS
 !
policy-map type service L4REDIRECT-ATT
 class type traffic to_Portal
  redirect to group REDIRECT
 class type traffic default input
  drop
 !
policy-map type service 512k_DEF
 service-policy input 512IN
 service-policy output 512OUT
!
policy-map type control RULEISG
 class type control USER_DROP event timed-policy-expiry
  1 service disconnect
 class type control always event quota-depleted
  1 set-param drop-traffic FALSE
 class type control always event session-start
  1 authorize aaa list ISG password cisco identifier source-ip-address
  2 service-policy type service name L4REDIRECT_to_DNS
  3 service-policy type service name L4REDIRECT-ATT
  4 set-timer 5Min 5
 class type control always event credit-exhausted
  1 service-policy type service name NOMONEY
 class type control always event service-failed
  1 service-policy type service name 512k_DEF
  2 log-session-state
 class type control always event service-stop
  1 service-policy type service unapply identifier service-name
  2 service-policy type service name 512k_DEF
!
policy-map 2000kOUT
 class NOT_SHAPE_TRF
  police cir 2000000 bc 375000 be 750000 conform-action transmit exceed-action drop violate-action drop
policy-map 2200kIN
 class NOT_SHAPE_TRF
  police cir 2200000 bc 412500 be 825000 conform-action transmit exceed-action drop violate-action drop
policy-map 300kOUT
 class NOT_SHAPE_TRF
  police cir 300000 bc 56250 be 112500 conform-action transmit exceed-action drop violate-action drop
policy-map 8000kIN
 class NOT_SHAPE_TRF
  police cir 8000000 bc 1500000 be 3000000 conform-action transmit exceed-action drop violate-action drop
policy-map 1000kOUT
 class NOT_SHAPE_TRF
  police cir 1000000 bc 187500 be 375000 conform-action transmit exceed-action drop violate-action drop
policy-map 500kIN
 class NOT_SHAPE_TRF
  police cir 500000 bc 93750 be 187500 conform-action transmit exceed-action drop violate-action drop
policy-map 1100kIN
 class NOT_SHAPE_TRF
  police cir 1100000 bc 206250 be 412500 conform-action transmit exceed-action drop violate-action drop
policy-map 3000kOUT
 class NOT_SHAPE_TRF
  police cir 3000000 bc 562500 be 1125000 conform-action transmit exceed-action drop violate-action drop
policy-map 8000kOUT
 class NOT_SHAPE_TRF
  police cir 8000000 bc 1500000 be 3000000 conform-action transmit exceed-action drop violate-action drop
policy-map 1024IN
 class class-default
  police cir 1024000 bc 192000 be 384000 conform-action transmit exceed-action drop violate-action drop
policy-map 600kOUT
 class NOT_SHAPE_TRF
  police cir 600000 bc 112500 be 225000 conform-action transmit exceed-action drop violate-action drop
policy-map 3000kIN
 class NOT_SHAPE_TRF
  police cir 3000000 bc 562500 be 1125000 conform-action transmit exceed-action drop violate-action drop
policy-map 50kIN
 class NOT_SHAPE_TRF
  police cir 50000 bc 9375 be 18750 conform-action transmit exceed-action drop violate-action drop
policy-map 512OUT
 class class-default
  police cir 512000 bc 96000 be 192000 conform-action transmit exceed-action drop violate-action drop
policy-map 2000kIN
 class NOT_SHAPE_TRF
  police cir 2000000 bc 375000 be 750000 conform-action transmit exceed-action drop violate-action drop
policy-map 4000kIN
 class NOT_SHAPE_TRF
  police cir 4000000 bc 750000 be 1500000 conform-action transmit exceed-action drop violate-action drop
policy-map 300kIN
 class NOT_SHAPE_TRF
  police cir 300000 bc 56250 be 112500 conform-action transmit exceed-action drop violate-action drop
policy-map 256IN
 class class-default
  police cir 256000 bc 48000 be 96000 conform-action transmit exceed-action drop violate-action drop
policy-map 256OUT
 class class-default
  police cir 256000 bc 48000 be 96000 conform-action transmit exceed-action drop violate-action drop
policy-map 1500kIN
 class NOT_SHAPE_TRF
  police cir 1500000 bc 281250 be 562500 conform-action transmit exceed-action drop violate-action drop
policy-map 1024OUT
 class class-default
  police cir 1024000 bc 192000 be 384000 conform-action transmit exceed-action drop violate-action drop
policy-map 600kIN
 class NOT_SHAPE_TRF
  police cir 600000 bc 112500 be 225000 conform-action transmit exceed-action drop violate-action drop
policy-map 1100kOUT
 class NOT_SHAPE_TRF
  police cir 1100000 bc 206250 be 412500 conform-action transmit exceed-action drop violate-action drop
policy-map 512IN
 class class-default
  police cir 512000 bc 96000 be 192000 conform-action transmit exceed-action drop violate-action drop
policy-map 1000kIN
 class NOT_SHAPE_TRF
  police cir 1000000 bc 187500 be 375000 conform-action transmit exceed-action drop violate-action drop
policy-map 2500kOUT
 class NOT_SHAPE_TRF
  police cir 2500000 bc 468750 be 937500 conform-action transmit exceed-action drop violate-action drop
policy-map 50kOUT
 class NOT_SHAPE_TRF
  police cir 50000 bc 9375 be 18750 conform-action transmit exceed-action drop violate-action drop
policy-map 2200kOUT
 class NOT_SHAPE_TRF
  police cir 2200000 bc 412500 be 825000 conform-action transmit exceed-action drop violate-action drop
policy-map 150kOUT
 class NOT_SHAPE_TRF
  police cir 150000 bc 28125 be 56250 conform-action transmit exceed-action drop violate-action drop
policy-map 2500kIN
 class NOT_SHAPE_TRF
  police cir 2500000 bc 468750 be 937500 conform-action transmit exceed-action drop violate-action drop
policy-map 500kOUT
 class NOT_SHAPE_TRF
  police cir 500000 bc 93750 be 187500 conform-action transmit exceed-action drop violate-action drop
policy-map 4000kOUT
 class NOT_SHAPE_TRF
  police cir 4000000 bc 750000 be 1500000 conform-action transmit exceed-action drop violate-action drop
policy-map 150kIN
 class NOT_SHAPE_TRF
  police cir 150000 bc 28125 be 56250 conform-action transmit exceed-action drop violate-action drop
policy-map 1500kOUT
 class NOT_SHAPE_TRF
  police cir 1500000 bc 281250 be 562500 conform-action transmit exceed-action drop violate-action drop
```
Example commands for event_inc.sh
Commands for diagnosing services and profiles on the Cisco (needed only during initial setup).

```
#TODO nas_passwd instead of a static value
# repaidReauthReason 9, 253 Control-Info QR1
echo "User-Name=\"$ip_addr\",cisco-avpair=\"subscriber:command=service-status-query\",cisco-avpair+=\"subscriber:service-name=PREPAID_INT2200\",Cisco-Account-Info=\"S$ip_addr\"" | radclient -x $nas_ip:1700 coa 1234
echo "User-Name=\"$ip_addr\",Cisco-Account-Info=\"S$ip_addr\",cisco-avpair=\"subscriber:command=profile-status-query\"" | radclient -x $nas_ip:1700 coa 1234
echo "User-Name=\"$ip_addr\",Cisco-Account-Info=\"S$ip_addr\",cisco-avpair=\"subscriber:command=account-profile-status-query\"" | radclient -x $nas_ip:1700 coa 1234
```
Changing the speed by switching the service

```
echo "User-Name=\"$ip\",Cisco-Account-Info=\"S$ip\",cisco-avpair+=\"subscriber:service-name=NOMONEY\",cisco-avpair+=\"subscriber:command=activate-service\"" | radclient -x $nas_ip:1700 coa 1234
```

Redirect by switching the service

```
echo "User-Name=\"$ip\",Cisco-Account-Info=\"S$ip\",cisco-avpair+=\"subscriber:service-name=L4REDIRECT-ATT\",cisco-avpair+=\"subscriber:command=activate-service\"" | radclient -x $nas_ip:1700 coa 1234
```
Example event_inc.sh

```
/usr/bin/selfkiller -30:TERM -50:KILL &
disown -a
LOG_LEVEL=ALL
SENDER=$1; shift
EVENT=$1; shift
DATA=$@
for VAR in $DATA; do
    # Accept only name=value pairs whose name is a plain identifier, and assign
    # without eval so that quotes in the value cannot run as shell code.
    [[ "$VAR" =~ ^[A-Za-z_][A-Za-z0-9_]*= ]] && printf -v "${VAR%%=*}" '%s' "${VAR#*=}"
done
LOG INFO "$SENDER $EVENT $DATA"
case "$EVENT" in
"balance_negative")
    LOG INFO "event type: $EVENT $DATA"
    echo "User-Name=\"$ip_addr\",Cisco-Account-Info=\"S$ip_addr\",cisco-avpair+=\"subscriber:service-name=L4REDIRECT-ATT\",cisco-avpair+=\"subscriber:command=deactivate-service\"" | radclient -x "$nas_ip:1700" coa "$radius_secret"
    echo "User-Name=\"$ip_addr\",Cisco-Account-Info=\"S$ip_addr\",cisco-avpair+=\"subscriber:service-name=L4REDIRECT-ATT\",cisco-avpair+=\"subscriber:command=activate-service\"" | radclient -x "$nas_ip:1700" coa "$radius_secret"
    ;;
"balance_positive")
    LOG INFO "event type: $EVENT $DATA"
    sendsms "ГородТелеком%20доступ%20разрешен"
    ;;
"login")
    LOG INFO "event type: $EVENT $DATA"
    echo "User-Name=\"$login\",cisco-avpair=\"subscriber:command=account-logon\",Cisco-Account-Info=\"S$ip\",Idle-Timeout=200" | radclient -x "$nas_ip:1700" coa "$radius_secret"
    ;;
"logout")
    LOG INFO "event type: $EVENT $DATA"
    # wrong
    # echo "User-Name=\"$login\",cisco-avpair=\"subscriber:command=account-logoff\",Cisco-Account-Info=\"S$ip\",Idle-Timeout=200" | radclient -x $nas_ip:1700 coa $radius_secret
    # correct
    echo "User-Name=\"$login\",Cisco-Account-Info=\"S$ip\"" | radclient -x "$nas_ip:1700" disconnect "$radius_secret"
    ;;
"period_closed")
    LOG INFO "event type: $EVENT $DATA"
    ;;
"user_data_changed")
    LOG INFO "event type: $EVENT $DATA"
    ;;
"rate_set")
    echo "User-Name=\"$ip_addr\",Cisco-Account-Info=\"S$ip_addr\",cisco-avpair+=\"subscriber:service-name=${ceil_in}k_def\",cisco-avpair+=\"subscriber:command=deactivate-service\"" | radclient -x "$nas_ip:1700" coa "$radius_secret"
    echo "User-Name=\"$ip_addr\",Cisco-Account-Info=\"S$ip_addr\",cisco-avpair+=\"subscriber:service-name=${ceil_in}k_def\",cisco-avpair+=\"subscriber:command=activate-service\"" | radclient -x "$nas_ip:1700" coa "$radius_secret"
    ;;
*)
    :
    ;;
esac
```
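The script above places event fields such as `$ip_addr` and `${ceil_in}` directly into the attribute string piped to radclient, so a field containing a quote or comma would change the CoA request. As an added example (not part of the original page or of Ideco ACP), the POSIX shell functions below take only the expected fields and validate them before the string is built; the function names are hypothetical, and the `k_def` suffix follows the `rate_set` branch above.

```shell
#!/bin/sh
# Added example: validate event fields before building CoA attributes.

# parse_event KEY=VALUE...: keep only the fields used below. Unknown keys
# (PATH, IFS, ...) are ignored and nothing goes through eval.
parse_event() {
    ip_addr=; ceil_in=
    for pair in "$@"; do
        case $pair in
            ip_addr=*) ip_addr=${pair#*=} ;;
            ceil_in=*) ceil_in=${pair#*=} ;;
        esac
    done
}

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0..255.
is_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# rate_service CEIL_IN: digits-only rate -> service name as in the rate_set branch.
rate_service() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    printf '%sk_def\n' "$1"
}

# coa_attrs IP SERVICE COMMAND: print the attribute list, or return 1 if a
# field contains anything that could add or change attributes.
coa_attrs() {
    is_ipv4 "$1" || return 1
    case $2 in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    case $3 in activate-service|deactivate-service) ;; *) return 1 ;; esac
    printf 'User-Name="%s",Cisco-Account-Info="S%s",cisco-avpair+="subscriber:service-name=%s",cisco-avpair+="subscriber:command=%s"\n' \
        "$1" "$1" "$2" "$3"
}

# Usage in event_inc.sh (radclient call as on the page):
#   svc=$(rate_service "$ceil_in") && attrs=$(coa_attrs "$ip_addr" "$svc" activate-service) &&
#       printf '%s\n' "$attrs" | radclient -x "$nas_ip:1700" coa "$radius_secret"
```

Because the request is sent only when every check succeeds, a malformed event results in no CoA packet rather than a modified one.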