Интеграция заключается в следующих шагах:
# Настройка сервисов / политик / профилей на оборудовании
# Настройка скрипта event_inc.sh на Ideco ACP для пересылки нужных команд
# Создание и настройка RADIUS-атрибутов в тарифах для пользователей
h2. Внимание\!
Все предоставленные примеры не обязательно являются рабочими, использовать их для настройки своего оборудования без понимания принципа действия не рекомендуется.
Примеры предоставлены исключительно для понимания принципов работы Ideco ACP со сторонним оборудованием. Обратите внимание: в примерах используются учебные значения секретов (общий секрет RADIUS/CoA 1234, пароль cisco в политике ISG). CoA/Disconnect-запросы идут по UDP и защищены только общим секретом, поэтому перед применением замените эти значения на уникальные сильные и ограничьте на NAS приём CoA/Disconnect-запросов адресом сервера Ideco ACP.
h2. Настройка оборудования (Cisco 7204 с модулем ISG)
{code}
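! --- Traffic classes (ACLs 101/103/104/130 are defined outside this listing) ---
class-map type traffic match-any Redir_to_web
match access-group input 101
!
class-map type traffic match-any to_Portal
match access-group input 103
!
class-map type traffic match-any Redirect_DNS
match access-group input 104
!
! Control class: a session that is still unauthenticated when timer 5Min expires
class-map type control match-all USER_DROP
match authen-status unauthenticated
match timer 5Min
!
class-map match-all NOT_SHAPE_TRF
match access-group 130
!
! --- Services applied to sessions via CoA (cisco-avpair subscriber:service-name=...) ---
policy-map type service NOMONEY
class type traffic Redir_to_web
redirect to group REDIRECT
!
policy-map type service L4REDIRECT_to_DNS
class type traffic Redirect_DNS
redirect to group REDIRECT_DNS
!
! Captive portal: only to_Portal traffic is redirected, all other input traffic is dropped
policy-map type service L4REDIRECT-ATT
class type traffic to_Portal
redirect to group REDIRECT
class type traffic default input
drop
!
! Rate services; the 512IN/512OUT policers are not shown in this listing
policy-map type service 512k_DEF
service-policy input 512IN
service-policy output 512OUT
!
policy-map type service DEF1000
service-policy input IN1000
service-policy output OUT1000
!
policy-map type service DEF1500
service-policy input IN1500
service-policy output OUT1500
!
! Fixed: this service referenced itself (DEF2000) instead of the IN2000/OUT2000
! policers defined below, unlike DEF1000/DEF1500.
policy-map type service DEF2000
service-policy input IN2000
service-policy output OUT2000
!
! --- Control policy ---
policy-map type control RULEISG
! An unauthenticated session is disconnected when the 5Min timer (started at session-start) expires
class type control USER_DROP event timed-policy-expiry
1 service disconnect
class type control always event quota-depleted
1 set-param drop-traffic FALSE
class type control always event session-start
! "cisco" is the password the ISG uses in the authorization request for the
! IP-identified session; it must match the RADIUS server side. Do not keep the
! default/example value in production.
1 authorize aaa list ISG password cisco identifier source-ip-address
2 service-policy type service name L4REDIRECT_to_DNS
3 service-policy type service name L4REDIRECT-ATT
4 set-timer 5Min 5
class type control always event credit-exhausted
1 service-policy type service name NOMONEY
class type control always event service-failed
1 service-policy type service name 512k_DEF
2 log-session-state
class type control always event service-stop
1 service-policy type service unapply identifier service-name
2 service-policy type service name 512k_DEF
!
! --- QoS policers referenced by the DEFxxxx services ---
! bc/be are 1.5 s and 3 s worth of traffic at cir (cir/8 bytes per second)
policy-map IN2000
class NOT_SHAPE_TRF
police cir 2000000 bc 375000 be 750000 conform-action transmit exceed-action drop violate-action drop
!
policy-map OUT2000
class NOT_SHAPE_TRF
police cir 2000000 bc 375000 be 750000 conform-action transmit exceed-action drop violate-action drop
!
policy-map IN1500
class NOT_SHAPE_TRF
police cir 1500000 bc 281250 be 562500 conform-action transmit exceed-action drop violate-action drop
!
policy-map OUT1500
class NOT_SHAPE_TRF
police cir 1500000 bc 281250 be 562500 conform-action transmit exceed-action drop violate-action drop
!
policy-map IN1000
class NOT_SHAPE_TRF
police cir 1000000 bc 187500 be 375000 conform-action transmit exceed-action drop violate-action drop
!
policy-map OUT1000
class NOT_SHAPE_TRF
police cir 1000000 bc 187500 be 375000 conform-action transmit exceed-action drop violate-action drop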
{code}
h2. Примеры команд для event_inc.sh
h3. Команды для диагностики сервисов и профилей на Cisco (нужны только для первоначальной настройки).
\#TODO: использовать секрет NAS (nas_passwd, в скрипте — $radius_secret) вместо статического значения 1234 в примерах ниже.
{code}
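# Diagnostic CoA queries against the ISG (initial setup only).
# The shared secret comes from $radius_secret (the NAS secret known to Ideco ACP)
# instead of the static 1234 used before; the ISG must be configured with the
# same secret for its dynamic-authorization client.
# NOTE: the secret is passed on the command line and is visible in `ps` on the
# ACP host; FreeRADIUS radclient can read it from a file (-S) instead.
# -x prints the request/response packets (subscriber IP and attributes) to stdout.
#
# service-status-query: PREPAID_INT2200 is not among the services in the
# listing above - replace it with the service you want to query.
echo "User-Name=\"$ip_addr\",cisco-avpair=\"subscriber:command=service-status-query\",\
cisco-avpair+=\"subscriber:service-name=PREPAID_INT2200\",\
Cisco-Account-Info=\"S$ip_addr\"" | radclient -x "$nas_ip:1700" coa "$radius_secret"
# profile-status-query: show the profile of the session identified by S<ip>
echo "User-Name=\"$ip_addr\",Cisco-Account-Info=\"S$ip_addr\",\
cisco-avpair=\"subscriber:command=profile-status-query\"" | \
radclient -x "$nas_ip:1700" coa "$radius_secret"
# account-profile-status-query
echo "User-Name=\"$ip_addr\",Cisco-Account-Info=\"S$ip_addr\",\
cisco-avpair=\"subscriber:command=account-profile-status-query\"" | \
radclient -x "$nas_ip:1700" coa "$radius_secret"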
{code}
h3. Смена скорости с помощью смены сервиса
{code}
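# Activate a service on the session identified by S<ip> via CoA.
# Secret taken from $radius_secret instead of the static 1234; expansions quoted.
# NOTE: NOMONEY is the redirect service applied on credit-exhausted in the listing
# above, not a rate service; for a speed change use one of DEF1000/DEF1500/DEF2000.
echo "User-Name=\"$ip\",Cisco-Account-Info=\"S$ip\",cisco-avpair+=\"subscriber:service-name=NOMONEY\",\
cisco-avpair+=\"subscriber:command=activate-service\"" | radclient -x "$nas_ip:1700" coa "$radius_secret"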
{code}
h3. Редирект с помощью смены сервиса
{code}
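# Put the session identified by S<ip> behind the captive portal by activating
# the L4REDIRECT-ATT service (only to_Portal traffic passes, the rest is dropped).
# Secret taken from $radius_secret instead of the static 1234; expansions quoted.
echo "User-Name=\"$ip\",Cisco-Account-Info=\"S$ip\",cisco-avpair+=\"subscriber:service-name=L4REDIRECT-ATT\",\
cisco-avpair+=\"subscriber:command=activate-service\"" | radclient -x "$nas_ip:1700" coa "$radius_secret"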
{code}
h3. Пример event_inc.sh
{code}
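# event_inc.sh - Ideco ACP event hook that turns billing events into RADIUS
# CoA / Disconnect requests for the Cisco ISG.
#
# Invoked by the ACP as:  event_inc.sh SENDER EVENT key=value [key=value ...]
#   SENDER - origin of the event
#   EVENT  - event name (balance_negative, balance_positive, login, logout,
#            period_closed, user_data_changed, rate_set, ...)
#   key=value pairs become shell variables ($ip_addr, $ip, $login, $ceil_in, ...).
# $nas_ip and $radius_secret are not defined in this file; they must be provided
# by the ACP environment or as key=value pairs. LOG and sendsms are helpers
# supplied by the hook environment, not defined here.
#
# Watchdog: TERM after 30 s, KILL after 50 s, so a hung radclient cannot pile up
# hook processes.
/usr/bin/selfkiller -30:TERM -50:KILL & disown -a
LOG_LEVEL=ALL
SENDER=$1; shift
EVENT=$1; shift
DATA="$*"

# Import key=value pairs as shell variables.
# The previous version used eval, so a value containing a single quote (or a
# crafted key) could execute arbitrary commands on the ACP host whenever event
# data is user-influenced (e.g. a login). printf -v assigns without evaluating,
# and keys are restricted to identifier characters. Pairs are space-separated,
# so the unquoted expansion of DATA is intentional.
# shellcheck disable=SC2086
for VAR in $DATA; do
  [[ "$VAR" == *=* ]] || continue
  key=${VAR%%=*}
  val=${VAR#*=}
  if [[ "$key" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
    printf -v "$key" '%s' "$val"
  else
    LOG INFO "ignoring malformed event parameter: $VAR"
  fi
done
LOG INFO "$SENDER $EVENT $DATA"

# send_radius CMD ATTRS
#   CMD   - radclient request type: "coa" or "disconnect"
#   ATTRS - RADIUS attribute string for the request
# Sends one request to the ISG on the CoA port and logs a failure; radclient's
# exit status used to be ignored, so a rejected request went unnoticed.
# NOTE: the secret is passed on the command line (visible in ps); FreeRADIUS
# radclient can read it from a file with -S instead.
send_radius() {
  local cmd=$1 attrs=$2
  printf '%s\n' "$attrs" | radclient -x "$nas_ip:1700" "$cmd" "$radius_secret" \
    || LOG INFO "radclient $cmd to $nas_ip failed: $attrs"
}

case "$EVENT" in
  "balance_negative")
    LOG INFO "event type: $EVENT $DATA"
    # Re-apply the captive-portal service: deactivate first (presumably so an
    # already-active instance does not make the activation fail), then activate.
    send_radius coa "User-Name=\"$ip_addr\",Cisco-Account-Info=\"S$ip_addr\",cisco-avpair+=\"subscriber:service-name=L4REDIRECT-ATT\",cisco-avpair+=\"subscriber:command=deactivate-service\""
    send_radius coa "User-Name=\"$ip_addr\",Cisco-Account-Info=\"S$ip_addr\",cisco-avpair+=\"subscriber:service-name=L4REDIRECT-ATT\",cisco-avpair+=\"subscriber:command=activate-service\""
    ;;
  "balance_positive")
    LOG INFO "event type: $EVENT $DATA"
    # Message text is URL-encoded as expected by sendsms.
    sendsms "ГородТелеком%20доступ%20разрешен"
    ;;
  "login")
    LOG INFO "event type: $EVENT $DATA"
    # account-logon for the session identified by S<ip>; Idle-Timeout in seconds.
    send_radius coa "User-Name=\"$login\",cisco-avpair=\"subscriber:command=account-logon\",Cisco-Account-Info=\"S$ip\",Idle-Timeout=200"
    ;;
  "logout")
    LOG INFO "event type: $EVENT $DATA"
    # A Disconnect-Request ends the session; sending account-logoff via CoA
    # (the earlier variant) was wrong. The earlier line was also missing its
    # closing quote, so the pipe to radclient never ran.
    send_radius disconnect "User-Name=\"$login\",Cisco-Account-Info=\"S$ip\""
    ;;
  period_closed | user_data_changed)
    LOG INFO "event type: $EVENT $DATA"
    ;;
  "rate_set")
    LOG INFO "event type: $EVENT $DATA"
    # DEF${ceil_in} must be a service defined on the ISG (DEF1000/DEF1500/DEF2000
    # in the listing above). Both requests now use $ip_addr; the earlier version
    # mixed $ip_addr with $IP_ADDR (not set anywhere visible) and was missing
    # the closing quotes.
    # NOTE(review): this deactivates and re-activates the *new* service; a
    # previously active DEFxxxx service is not removed here - confirm whether the
    # ISG's service-stop handling in RULEISG covers that.
    send_radius coa "User-Name=\"$ip_addr\",Cisco-Account-Info=\"S$ip_addr\",cisco-avpair+=\"subscriber:service-name=DEF${ceil_in}\",cisco-avpair+=\"subscriber:command=deactivate-service\""
    send_radius coa "User-Name=\"$ip_addr\",Cisco-Account-Info=\"S$ip_addr\",cisco-avpair+=\"subscriber:service-name=DEF${ceil_in}\",cisco-avpair+=\"subscriber:command=activate-service\""
    ;;
  *)
    :
    ;;
esac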
{code}
# Настройка сервисов / политик / профилей на оборудовании
# Настройка скрипта event_inc.sh на Ideco ACP для пересылки нужных команд
# Создание и настройка RADIUS-атрибутов в тарифах для пользователей
h2. Внимание\!
Все предоставленные примеры не обязательно являются рабочими, использовать их для настройки своего оборудования без понимания принципа действия не рекомендуется.
Примеры предоставлены исключительно для понимания принципов работы Ideco ACP со сторонним оборудованием. Обратите внимание: в примерах используются учебные значения секретов (общий секрет RADIUS/CoA 1234, пароль cisco в политике ISG). CoA/Disconnect-запросы идут по UDP и защищены только общим секретом, поэтому перед применением замените эти значения на уникальные сильные и ограничьте на NAS приём CoA/Disconnect-запросов адресом сервера Ideco ACP.
h2. Настройка оборудования (Cisco 7204 с модулем ISG)
{code}
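! --- Traffic classes (ACLs 101/103/104/130 are defined outside this listing) ---
class-map type traffic match-any Redir_to_web
match access-group input 101
!
class-map type traffic match-any to_Portal
match access-group input 103
!
class-map type traffic match-any Redirect_DNS
match access-group input 104
!
! Control class: a session that is still unauthenticated when timer 5Min expires
class-map type control match-all USER_DROP
match authen-status unauthenticated
match timer 5Min
!
class-map match-all NOT_SHAPE_TRF
match access-group 130
!
! --- Services applied to sessions via CoA (cisco-avpair subscriber:service-name=...) ---
policy-map type service NOMONEY
class type traffic Redir_to_web
redirect to group REDIRECT
!
policy-map type service L4REDIRECT_to_DNS
class type traffic Redirect_DNS
redirect to group REDIRECT_DNS
!
! Captive portal: only to_Portal traffic is redirected, all other input traffic is dropped
policy-map type service L4REDIRECT-ATT
class type traffic to_Portal
redirect to group REDIRECT
class type traffic default input
drop
!
! Rate services; the 512IN/512OUT policers are not shown in this listing
policy-map type service 512k_DEF
service-policy input 512IN
service-policy output 512OUT
!
policy-map type service DEF1000
service-policy input IN1000
service-policy output OUT1000
!
policy-map type service DEF1500
service-policy input IN1500
service-policy output OUT1500
!
! Fixed: this service referenced itself (DEF2000) instead of the IN2000/OUT2000
! policers defined below, unlike DEF1000/DEF1500.
policy-map type service DEF2000
service-policy input IN2000
service-policy output OUT2000
!
! --- Control policy ---
policy-map type control RULEISG
! An unauthenticated session is disconnected when the 5Min timer (started at session-start) expires
class type control USER_DROP event timed-policy-expiry
1 service disconnect
class type control always event quota-depleted
1 set-param drop-traffic FALSE
class type control always event session-start
! "cisco" is the password the ISG uses in the authorization request for the
! IP-identified session; it must match the RADIUS server side. Do not keep the
! default/example value in production.
1 authorize aaa list ISG password cisco identifier source-ip-address
2 service-policy type service name L4REDIRECT_to_DNS
3 service-policy type service name L4REDIRECT-ATT
4 set-timer 5Min 5
class type control always event credit-exhausted
1 service-policy type service name NOMONEY
class type control always event service-failed
1 service-policy type service name 512k_DEF
2 log-session-state
class type control always event service-stop
1 service-policy type service unapply identifier service-name
2 service-policy type service name 512k_DEF
!
! --- QoS policers referenced by the DEFxxxx services ---
! bc/be are 1.5 s and 3 s worth of traffic at cir (cir/8 bytes per second)
policy-map IN2000
class NOT_SHAPE_TRF
police cir 2000000 bc 375000 be 750000 conform-action transmit exceed-action drop violate-action drop
!
policy-map OUT2000
class NOT_SHAPE_TRF
police cir 2000000 bc 375000 be 750000 conform-action transmit exceed-action drop violate-action drop
!
policy-map IN1500
class NOT_SHAPE_TRF
police cir 1500000 bc 281250 be 562500 conform-action transmit exceed-action drop violate-action drop
!
policy-map OUT1500
class NOT_SHAPE_TRF
police cir 1500000 bc 281250 be 562500 conform-action transmit exceed-action drop violate-action drop
!
policy-map IN1000
class NOT_SHAPE_TRF
police cir 1000000 bc 187500 be 375000 conform-action transmit exceed-action drop violate-action drop
!
policy-map OUT1000
class NOT_SHAPE_TRF
police cir 1000000 bc 187500 be 375000 conform-action transmit exceed-action drop violate-action drop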
{code}
h2. Примеры команд для event_inc.sh
h3. Команды для диагностики сервисов и профилей на Cisco (нужны только для первоначальной настройки).
\#TODO: использовать секрет NAS (nas_passwd, в скрипте — $radius_secret) вместо статического значения 1234 в примерах ниже.
{code}
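# Diagnostic CoA queries against the ISG (initial setup only).
# The shared secret comes from $radius_secret (the NAS secret known to Ideco ACP)
# instead of the static 1234 used before; the ISG must be configured with the
# same secret for its dynamic-authorization client.
# NOTE: the secret is passed on the command line and is visible in `ps` on the
# ACP host; FreeRADIUS radclient can read it from a file (-S) instead.
# -x prints the request/response packets (subscriber IP and attributes) to stdout.
#
# service-status-query: PREPAID_INT2200 is not among the services in the
# listing above - replace it with the service you want to query.
echo "User-Name=\"$ip_addr\",cisco-avpair=\"subscriber:command=service-status-query\",\
cisco-avpair+=\"subscriber:service-name=PREPAID_INT2200\",\
Cisco-Account-Info=\"S$ip_addr\"" | radclient -x "$nas_ip:1700" coa "$radius_secret"
# profile-status-query: show the profile of the session identified by S<ip>
echo "User-Name=\"$ip_addr\",Cisco-Account-Info=\"S$ip_addr\",\
cisco-avpair=\"subscriber:command=profile-status-query\"" | \
radclient -x "$nas_ip:1700" coa "$radius_secret"
# account-profile-status-query
echo "User-Name=\"$ip_addr\",Cisco-Account-Info=\"S$ip_addr\",\
cisco-avpair=\"subscriber:command=account-profile-status-query\"" | \
radclient -x "$nas_ip:1700" coa "$radius_secret"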
{code}
h3. Смена скорости с помощью смены сервиса
{code}
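# Activate a service on the session identified by S<ip> via CoA.
# Secret taken from $radius_secret instead of the static 1234; expansions quoted.
# NOTE: NOMONEY is the redirect service applied on credit-exhausted in the listing
# above, not a rate service; for a speed change use one of DEF1000/DEF1500/DEF2000.
echo "User-Name=\"$ip\",Cisco-Account-Info=\"S$ip\",cisco-avpair+=\"subscriber:service-name=NOMONEY\",\
cisco-avpair+=\"subscriber:command=activate-service\"" | radclient -x "$nas_ip:1700" coa "$radius_secret"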
{code}
h3. Редирект с помощью смены сервиса
{code}
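# Put the session identified by S<ip> behind the captive portal by activating
# the L4REDIRECT-ATT service (only to_Portal traffic passes, the rest is dropped).
# Secret taken from $radius_secret instead of the static 1234; expansions quoted.
echo "User-Name=\"$ip\",Cisco-Account-Info=\"S$ip\",cisco-avpair+=\"subscriber:service-name=L4REDIRECT-ATT\",\
cisco-avpair+=\"subscriber:command=activate-service\"" | radclient -x "$nas_ip:1700" coa "$radius_secret"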
{code}
h3. Пример event_inc.sh
{code}
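# event_inc.sh - Ideco ACP event hook that turns billing events into RADIUS
# CoA / Disconnect requests for the Cisco ISG.
#
# Invoked by the ACP as:  event_inc.sh SENDER EVENT key=value [key=value ...]
#   SENDER - origin of the event
#   EVENT  - event name (balance_negative, balance_positive, login, logout,
#            period_closed, user_data_changed, rate_set, ...)
#   key=value pairs become shell variables ($ip_addr, $ip, $login, $ceil_in, ...).
# $nas_ip and $radius_secret are not defined in this file; they must be provided
# by the ACP environment or as key=value pairs. LOG and sendsms are helpers
# supplied by the hook environment, not defined here.
#
# Watchdog: TERM after 30 s, KILL after 50 s, so a hung radclient cannot pile up
# hook processes.
/usr/bin/selfkiller -30:TERM -50:KILL & disown -a
LOG_LEVEL=ALL
SENDER=$1; shift
EVENT=$1; shift
DATA="$*"

# Import key=value pairs as shell variables.
# The previous version used eval, so a value containing a single quote (or a
# crafted key) could execute arbitrary commands on the ACP host whenever event
# data is user-influenced (e.g. a login). printf -v assigns without evaluating,
# and keys are restricted to identifier characters. Pairs are space-separated,
# so the unquoted expansion of DATA is intentional.
# shellcheck disable=SC2086
for VAR in $DATA; do
  [[ "$VAR" == *=* ]] || continue
  key=${VAR%%=*}
  val=${VAR#*=}
  if [[ "$key" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
    printf -v "$key" '%s' "$val"
  else
    LOG INFO "ignoring malformed event parameter: $VAR"
  fi
done
LOG INFO "$SENDER $EVENT $DATA"

# send_radius CMD ATTRS
#   CMD   - radclient request type: "coa" or "disconnect"
#   ATTRS - RADIUS attribute string for the request
# Sends one request to the ISG on the CoA port and logs a failure; radclient's
# exit status used to be ignored, so a rejected request went unnoticed.
# NOTE: the secret is passed on the command line (visible in ps); FreeRADIUS
# radclient can read it from a file with -S instead.
send_radius() {
  local cmd=$1 attrs=$2
  printf '%s\n' "$attrs" | radclient -x "$nas_ip:1700" "$cmd" "$radius_secret" \
    || LOG INFO "radclient $cmd to $nas_ip failed: $attrs"
}

case "$EVENT" in
  "balance_negative")
    LOG INFO "event type: $EVENT $DATA"
    # Re-apply the captive-portal service: deactivate first (presumably so an
    # already-active instance does not make the activation fail), then activate.
    send_radius coa "User-Name=\"$ip_addr\",Cisco-Account-Info=\"S$ip_addr\",cisco-avpair+=\"subscriber:service-name=L4REDIRECT-ATT\",cisco-avpair+=\"subscriber:command=deactivate-service\""
    send_radius coa "User-Name=\"$ip_addr\",Cisco-Account-Info=\"S$ip_addr\",cisco-avpair+=\"subscriber:service-name=L4REDIRECT-ATT\",cisco-avpair+=\"subscriber:command=activate-service\""
    ;;
  "balance_positive")
    LOG INFO "event type: $EVENT $DATA"
    # Message text is URL-encoded as expected by sendsms.
    sendsms "ГородТелеком%20доступ%20разрешен"
    ;;
  "login")
    LOG INFO "event type: $EVENT $DATA"
    # account-logon for the session identified by S<ip>; Idle-Timeout in seconds.
    send_radius coa "User-Name=\"$login\",cisco-avpair=\"subscriber:command=account-logon\",Cisco-Account-Info=\"S$ip\",Idle-Timeout=200"
    ;;
  "logout")
    LOG INFO "event type: $EVENT $DATA"
    # A Disconnect-Request ends the session; sending account-logoff via CoA
    # (the earlier variant) was wrong. The earlier line was also missing its
    # closing quote, so the pipe to radclient never ran.
    send_radius disconnect "User-Name=\"$login\",Cisco-Account-Info=\"S$ip\""
    ;;
  period_closed | user_data_changed)
    LOG INFO "event type: $EVENT $DATA"
    ;;
  "rate_set")
    LOG INFO "event type: $EVENT $DATA"
    # DEF${ceil_in} must be a service defined on the ISG (DEF1000/DEF1500/DEF2000
    # in the listing above). Both requests now use $ip_addr; the earlier version
    # mixed $ip_addr with $IP_ADDR (not set anywhere visible) and was missing
    # the closing quotes.
    # NOTE(review): this deactivates and re-activates the *new* service; a
    # previously active DEFxxxx service is not removed here - confirm whether the
    # ISG's service-stop handling in RULEISG covers that.
    send_radius coa "User-Name=\"$ip_addr\",Cisco-Account-Info=\"S$ip_addr\",cisco-avpair+=\"subscriber:service-name=DEF${ceil_in}\",cisco-avpair+=\"subscriber:command=deactivate-service\""
    send_radius coa "User-Name=\"$ip_addr\",Cisco-Account-Info=\"S$ip_addr\",cisco-avpair+=\"subscriber:service-name=DEF${ceil_in}\",cisco-avpair+=\"subscriber:command=activate-service\""
    ;;
  *)
    :
    ;;
esac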
{code}