Chinaunix首页 | 论坛 | 博客
  • 博客访问: 19286845
  • 博文数量: 7460
  • 博客积分: 10434
  • 博客等级: 上将
  • 技术积分: 78178
  • 用 户 组: 普通用户
  • 注册时间: 2008-03-02 22:54
文章分类

全部博文(7460)

文章存档

2011年(1)

2009年(669)

2008年(6790)

分类: 系统运维

2008-05-20 20:47:38

CISCO 7401ASR,SSG+SESM,作WEB PORTAL,实现宽带用户web认证。
拓朴见附图:
user posted image border=0>
SESM配置成RADIUS模式,但利用第三方RADIUS,例中RADIUS利用merit 3.6B。
[page]
*********************************************************
7401中SSG配置:

version 12.3

aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
aaa session-id common
ip subnet-zero

ssg enable
ssg accounting interval 300
ssg default-network 192.168.3.10 255.255.255.255
ssg service-password servicecisco
ssg radius-helper auth-port 1812 acct-port 1812
ssg radius-helper key cisco
ssg maxservice 20
ssg auto-logoff icmp interval 30 packet 3 timeout 600
ssg bind service internet GigabitEthernet0/0
ssg bind service Internet GigabitEthernet0/0
ssg open-garden opengarden-dns
ssg qos police user
ssg qos police session
!
ssg port-map
destination range 8080 to 8080 ip 192.168.3.10
source ip Loopback0
!
ssg tcp-redirect
network-list LAN
network 10.0.0.0 255.255.255.0
!
port-list web
port 80
port 8080
port 443
!
server-group cap
server 192.168.3.10 8080
!
redirect port-list web to cap
redirect unauthorized-service destination network-list LAN to cap
!
server-group redirect
server 192.168.3.10 8090
!
redirect unauthenticated-user to redirect
!
redirect unauthorized-service to cap
redirect captivate initial default group cap duration 10
ssg service-search-order local remote
!
local-profile opengarden-dns
attribute 26 9 251 "D192.168.4.1"
attribute 26 9 251 "R192.168.4.1;255.255.255.255"
attribute 26 9 251 "Idns-server"
interface Loopback0
ip address 192.168.0.1 255.255.255.255
!
interface GigabitEthernet0/0
description TO 6501
ip address 192.168.254.1 255.255.255.252
ip ospf cost 10
duplex full
speed 1000
media-type gbic
no negotiation auto
ssg direction uplink
!
interface GigabitEthernet0/1
description TO L3-switch
ip address 192.168.254.5 255.255.255.252
ip ospf cost 10
duplex full
speed 100
media-type rj45
ssg direction downlink
!
ip radius source-interface Loopback0
radius-server host 192.168.4.10 auth-port 1812 acct-port 1813
radius-server timeout 30
radius-server deadtime 1
radius-server key 7 104D000A0618
radius-server vsa send accounting
radius-server vsa send authentication

**************************************************************
SESM安装记录:
SESM安装为命令行模式:
# ./sesm_sol.bin -console
InstallShield Wizard
...................................
...................................
...................................
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------

Welcome to the InstallShield Wizard for Cisco SESM 3.2(2)

The InstallShield Wizard will install Cisco SESM 3.2(2) on your computer.
To continue, choose Next.

Cisco Subscriber Edge Services Manager
Cisco Systems Inc.


Build: 3.2(2)
Java Home (bundled JRE): /_jvm
Java Version: 1.4.2

Press 1 for Next, 3 to Cancel or 4 to Redisplay [1]
-------------------------------------------------------------------------------


Select one of the evaluation options or the licensed option. A license number
is required for deploying SESM in a production environment. An evaluation
version requires no license number, has no expiry date and includes the same
functionality as a licensed product.

Is this an evaluation copy for RADIUS mode (y/n) [n] y

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]
-------------------------------------------------------------------------------

Please select the type of installation that you require.

[ ] 1 - Typical
The program will be installed with the suggested configuration.
Recommended for most users.

[X] 2 - Custom
The program will be installed with the features you choose. This is the
only option that allows installation of the Captive Portal application.

[ ] 3 - Demo
Install only those components necessary to run in Demo Mode and set the
default configuration to be Demo Mode.

To select an item enter its number, or 0 when you are finished: [0]


Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

-------------------------------------------------------------------------------
Select the features for "Cisco SESM 3.2(2)" you would like to install:

Cisco SESM 3.2(2)

To select/deselect a feature or to view its children, type its number:

1. [x] Web Applications
2. [x] RDP
3. [x] SPE
4. [x] CDAT Services and Subscriber Management
5. [x] Application Management
6. [x] Jetty
7. [ ] Captive Portal
8. [x] Tools
9. [ ] Web Services Gateway

Other options:

0. Continue installing

Enter command [0] 2


Select the features for "Cisco SESM 3.2(2)" you would like to install:

Cisco SESM 3.2(2)

To select/deselect a feature or to view its children, type its number:

1. [x] Web Applications
2. [ ] RDP
3. [x] SPE
4. [x] CDAT Services and Subscriber Management
5. [x] Application Management
6. [x] Jetty
7. [ ] Captive Portal
8. [x] Tools
9. [ ] Web Services Gateway

Other options:

0. Continue installing

Enter command [0] 3


Select the features for "Cisco SESM 3.2(2)" you would like to install:

Cisco SESM 3.2(2)

To select/deselect a feature or to view its children, type its number:

1. [x] Web Applications
2. [ ] RDP
3. [ ] SPE
4. [x] CDAT Services and Subscriber Management
5. [x] Application Management
6. [x] Jetty
7. [ ] Captive Portal
8. [x] Tools
9. [ ] Web Services Gateway

Other options:

0. Continue installing

Enter command [0] 4


Select the features for "Cisco SESM 3.2(2)" you would like to install:

Cisco SESM 3.2(2)

To select/deselect a feature or to view its children, type its number:

1. [x] Web Applications
2. [ ] RDP
3. [ ] SPE
4. [ ] CDAT Services and Subscriber Management
5. [x] Application Management
6. [x] Jetty
7. [ ] Captive Portal
8. [x] Tools
9. [ ] Web Services Gateway

Other options:

0. Continue installing

Enter command [0] 7


Select the features for "Cisco SESM 3.2(2)" you would like to install:

Cisco SESM 3.2(2)

To select/deselect a feature or to view its children, type its number:

1. [x] Web Applications
2. [ ] RDP
3. [ ] SPE
4. [ ] CDAT Services and Subscriber Management
5. [x] Application Management
6. [x] Jetty
7. [x] Captive Portal
8. [x] Tools
9. [ ] Web Services Gateway

Other options:

0. Continue installing

Enter command [0] 8


Select the features for "Cisco SESM 3.2(2)" you would like to install:

Cisco SESM 3.2(2)

To select/deselect a feature or to view its children, type its number:

1. [x] Web Applications
2. [ ] RDP
3. [ ] SPE
4. [ ] CDAT Services and Subscriber Management
5. [x] Application Management
6. [x] Jetty
7. [x] Captive Portal
8. [ ] Tools
9. [ ] Web Services Gateway

Other options:

0. Continue installing

Enter command [0]


Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------


Configuration and Deployment

This should be the IP address or hostname of the host on which the application
will run. Do not use localhost.
Web Application Host [sesm-webserver] 192.168.3.10

This should be the port number on which the web server will listen.
Web Application Port Number [8080]

Configure SESM for use with SSG. This option should be selected for RADIUS
mode.
SSG Deployment Option [True]

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

-------------------------------------------------------------------------------


Enter details about the SSG

The port number on which the SSG listens for Radius requests
Port Number [1812]

The shared secret needed to communicate with the SSG
Shared Secret [cisco]

Indicates the number of bits used for the port bundle/host key mechanism. A
value of zero indicates that the SSG does not use the port bundle/host key
mechanism, in which case the next panel will ask you for further details about
one SSG. Further SSGs can be configured manually following this installation by
editing .../'web app name'/config/'web app'.xml.
Port Bundle Size [0] 4

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

-------------------------------------------------------------------------------


AAA Server Details

This should be set to the IP address or host name of the primary AAA server
Primary IP [sesm-webserver] 192.168.4.10

This should be set to the port number of the primary AAA server
Primary Port [

1812]

This should be set to the IP address or host name of the secondary AAA server.
If there is only one AAA server this should be set to the same value as the
primary IP.
Secondary IP [sesm-webserver] 192.168.4.10

This should be set to the port number of the secondary AAA server. If there is
only one AAA server this should have the same value as the Primary Port.
Secondary Port [1812]

This should be set to the shared secret. This has to be the same on both
servers.
Shared Secret [cisco]

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

-------------------------------------------------------------------------------


Please enter the service and group passwords

This should be set to the password needed to access service attributes using
Radius
Service Password [servicecisco]

This should be set to the password needed to access service group attributes
using Radius
Service Group Password [groupcisco]

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

-------------------------------------------------------------------------------


Captive Portal Server Configuration

This should be the IP address or hostname of this server.
Captive Portal Host [sesm-webserver] 192.168.3.10

This is the number of the first port on which the captive portal web server
will listen. There will be several listeners for the different types of
redirection.
Captive Portal Port Number [8090]

The message portal server provides welcome or advertising pages. A message
portal is required for initial or advertising captivation.
Install Message Portal [True]

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

-------------------------------------------------------------------------------


Message Portal Server Configuration

This should be the port number on which the message portal web server will
listen.
Message Portal Port Number [8085]

If this is checked, then the subscriber is redirected to the originally
requested URL after having been presented the message page.
Redirect After Message Page [True]

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

-------------------------------------------------------------------------------


The Main Web Server Configuration.

This should be the hostname or address of the server for a SESM web application
such as NWSP. This is required in conjunction with the captive portal
application to provide the content pages after the redirection for
unauthenticated users, unconnected services and error handling.
Host [192.168.3.10]

This should be the port number of the server for the SESM web application such
as NWSP.
Port [8080]

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

-------------------------------------------------------------------------------


Unauthenticated User Redirection

Unauthenticated user redirection redirects the subscriber to the login page of
the SESM web application such as NWSP.
Enable User Redirection [True]

Requests on this port are redirected to the URL for the unauthenticated user
redirect.
Port In [8090]

Hostname used in URL for the user redirect. This is typically that of the
server for the SESM web application such as NWSP.
URL Out: Host [192.168.3.10]

Port used in URL for the user redirect. This is typically that of the server
for the SESM web application such as NWSP.
URL Out: Port [8080]

URI used in URL for the user redirect. This is typically relevant to the SESM
web application such as NWSP.
URL Out: URI [/home]

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

-------------------------------------------------------------------------------


Initial Captivation

The initial captivation feature provides a welcome message page to the user.
Enable Initial Captivation [True]

Requests on this port are redirected to the URL for initial captivation.
Port In [8091]

Hostname used in URL for initial captivation. This is typically that of the
message portal.
URL Out: Host [192.168.3.10]

Port used in URL for initial captivation. This is typically that of the message
portal.
URL Out: Port [8085]

URI used in URL for initial captivation. This is typically relevant to the
message portal.
URL Out: URI [/initial]

The duration in seconds that the welcome message should be displayed.
Duration [15] 10

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

-------------------------------------------------------------------------------


Advertising Captivation

Advertising captivation provides an advertisement page to the user at regular
intervals.
Enable Advertising Captivation [True]

Requests on this port are redirected to the URL for advertising captivation.
Port In [8092]

Hostname used in URL for advertising captivation. This is typically that of the
message portal.
URL Out: Host [192.168.3.10]

Port used in URL for advertising captivation. This is typically that of the
message portal.
URL Out: Port [8085]

URI used in URL for advertising captivation. This is typically relevant to the
message portal.
URL Out: URI [/advertising]

The duration in seconds that the advertisement should be displayed.
Duration [10]

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

-------------------------------------------------------------------------------


Unconnected Service Redirection

Unconnected service redirection takes a subscriber to eg NWSP if they attempt
getting to an as yet unconnected service.
Enable Service Redirect [True]

Requests on this port are for the default service redirect. This happens when
an attempt to connect to a service whose address does not belong to the
destination network of any of the specific service redirects.
Default Service Redirect Port In [8093]

Requests on this port are for a specific service redirect. If there is no such
service redirect set up at the PoE, then the presence of this listener is not a
problem. Complete configuration flexibility is available if required.
First Service Redirect Port In [8094]

Requests on this port are for a specific service redirect.
Second Service Redirect Port In [8095]

Requests on this port are for a specific service redirect.
Third Service Redirect In [8096]

This URL is used for all service redirects. Individual URLs can be assigned for
specific service redirects in the configuration files, if necessary. The host &
port in this URL are typically those for NWSP.
URL Out []

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

-------------------------------------------------------------------------------


Details for Unconnected Service Redirection

If this is checked, then specific service names as given below are passed to eg
NWSP. This assumes that only one service is associated with each service
redirection. This service name is used by NWSP to attempt to connect to the
service. Having this box not checked is equivalent to having empty fields
below. In this case NWSP will instead display a general information page, such
as the status page.
Pass Service Names [True]

When the request is redirected to eg NWSP, this service name will be passed as
well.
First Service Redirect Service Name [service1] internet

When the request is redirected to eg NWSP, this service name is passed as well.
Second Service Redirect Service Name [service2]

When the request is redirected to eg NWSP, this service name is passed as well.
Third Service Redirect Service Name [service3]

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

-------------------------------------------------------------------------------


Application Management Web Server Configuration

This should be the port number on which the Application Management web server
will listen
Application Management Port Number [8082]

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

-------------------------------------------------------------------------------
Cisco SESM 3.2(2) will be installed in the following location:

C:Program Filesciscosesm_3.2.2

with the following features:

Web Applications
Application Management
Jetty
Captive Portal
Tools

for a total size:

98.3 MB

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]
***************************************************************

Merit 3.6B配置:
/usr/local/merit/raddb/lients的配置:
# RCSID: $Id: clients,v 1.1.1.1 1998/05/12 19:37:11 web Exp $
# Next entries for SESM
221.11.128.250 cisco type=RAD_RFC+ACCT_RFC

# Next entries Cisco NAS SSG (7401)
221.11.129.38 cisco type=Cisco:NAS

/usr/local/merit/raddb/users的配置:
###### SSG user profiles

cisco Password = "cisco"
Account-Info = "Ninternet"
#****************************************#
test Password = "test"
Account-Info = "Ninternet",
Account-Info = "H"


###### SSG service profiles

# SSG Internet Service profile.
internet Password = "servicecisco", Service-Type = Outbound
Service-Info = "Iinternet",
Service-Info = "R0.0.0.0;0.0.0.0",
Service-Info = "MC",
Service-Info = "TP"
********************************************************

附:SESM安装记录是将终端捕捉下来的文本,当然去掉了部分不必的文字。
如果你有过一次安装经验,就清楚是什么的了。
这个记录主要是说明SESM安装为RADIUS模式需要安装哪些模块,安装时配置哪些内容。
当然,安装好后也可以在相应的配置文档中修改。
详细全套官方SESM3.20文档见这里:

阅读(905) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~