
ISG IPv4 l2-connected RADIUS timeout event issue

Alberto Romano
Level 1

Hi all,
I'm trying to implement the Cisco ISG framework for the aggregation of IPoE sessions from many FTTCab customers.
When a client starts up, the ISG intercepts the DHCP Discover message and asks RADIUS for authorization; if it's OK, RADIUS returns to the ISG a DHCP class for the assignment of an IP address. Otherwise, the service is denied. All works well.

Now I'm trying to implement a sort of redirection to a web portal in the event of a RADIUS timeout, so as to inform customers of the ongoing trouble. Obviously, I need to first assign an IP address to the client and then redirect the traffic to the portal. This is my problem... I can't find how to achieve this. My configuration follows.

aaa group server radius ISG_SRV
 server name ISG_RAD_SRV1
 ip radius source-interface GigabitEthernet2
 attribute nas-port format d
!
aaa authentication login IPOE_SUB group ISG_SRV
aaa authorization network IPOE_SUB local group ISG_SRV
aaa accounting network IPOE_SUB start-stop group ISG_SRV
!
ip dhcp excluded-address 192.168.105.1 192.168.105.30
!
ip dhcp pool DHCP_RELAY01
 relay source 192.168.222.0 255.255.254.0
 class RELAY_IPOE
  relay target 10.0.0.101 giaddr 192.168.222.1
!
ip dhcp pool DHCP_RELAY02
 relay source 192.168.232.0 255.255.248.0
 class RELAY_VOIP
  relay target 10.0.0.101 giaddr 192.168.232.1
!
ip dhcp pool DHCP_RELAY03
 relay source 172.16.185.0 255.255.255.0
 class RELAY_RAGANET
  relay target 10.0.0.101 giaddr 172.16.185.1
!
ip dhcp pool DHCP_RELAY04
 relay source 172.25.134.0 255.255.255.0
 class RELAY_BUSINESS
  relay target 10.0.0.101 giaddr 172.25.134.1
!
ip dhcp pool DHCP_L4R
 network 192.168.105.0 255.255.255.0
 default-router 192.168.105.1
 dns-server 8.8.8.8 8.8.4.4
 lease 0 0 30
 class L4R-CLASS
!
!
ip dhcp class RELAY_IPOE
!
ip dhcp class RELAY_VOIP
!
ip dhcp class RELAY_RAGANET
!
ip dhcp class RELAY_BUSINESS
!
ip dhcp class L4R-CLASS
!
redirect server-group GROUP-TO-RDT
 server ip 10.0.0.102 port 80
!
class-map type traffic match-any CLASS-TO-REDIRECT
 match access-group input name ACL-RDT-TRAFFIC
 match access-group output name ACL-RDT-TRAFFIC
!
class-map type control match-all IPOE_UNAUTH
 match authen-status unauthenticated
 match timer UNAUTH_TIMER
!
policy-map type service PM-DHCP-L4R
 classname L4R-CLASS
!
policy-map type service PM-RDT-SVC
 5 class type traffic CLASS-TO-REDIRECT
  redirect to group GROUP-TO-RDT
 !
 class type traffic default input
  drop
 !
!
policy-map type control PM_IPOE
 class type control IPOE_UNAUTH event timed-policy-expiry
  5 service disconnect
 !
 class type control always event session-start
  5 authorize aaa list IPOE_SUB password ciscopwd identifier nas-port
  10 set-timer UNAUTH_TIMER 3
 !
 class type control always event access-reject
  5 service deny
 !
 class type control always event session-restart
  5 authorize aaa list IPOE_SUB password ciscopwd identifier nas-port
  10 set-timer UNAUTH_TIMER 3
 !
 class type control always event radius-timeout
  10 service-policy type service name PM-DHCP-L4R
  20 service-policy type service name PM-RDT-SVC
 !
!
interface GigabitEthernet1.105
 description IPOE SUBSCRIBERS SESS_AGGR
 encapsulation dot1Q 105 second-dot1q 1001-2000
 ip dhcp relay information option-insert
 ip dhcp relay information policy-action replace
 ip address 172.16.185.1 255.255.255.0 secondary
 ip address 172.25.134.1 255.255.255.0 secondary
 ip address 192.168.232.1 255.255.248.0 secondary
 ip address 192.168.105.1 255.255.255.0 secondary
 ip address 192.168.222.1 255.255.254.0
 service-policy type control PM_IPOE
 ip subscriber l2-connected
  initiator dhcp class-aware
!
interface GigabitEthernet2
 description to ISP SERVER FARM
 ip dhcp relay information trusted
 ip address 10.0.0.1 255.255.255.0
 negotiation auto
!
ip access-list extended ACL-RDT-TRAFFIC
 permit tcp any any eq www
 permit tcp any eq www any
 permit tcp any any eq 443
 permit tcp any eq 443 any
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 6 on-for-login-auth
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute nas-port format d
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria tries 3
radius-server retransmit 5
radius-server deadtime 15
!
radius server ISG_RAD_SRV1
 address ipv4 10.0.0.100 auth-port 1812 acct-port 1813
 timeout 3
 retransmit 5
 key isg.cisco
!
end

I've tried debugging with the commands "debug subscriber event", "debug subscriber aaa authorization event", "debug subscriber policy event" and so on... the problem seems to be related to client authorization, but I don't understand where I'm wrong.
Hope someone can help me.

Best regards
Alberto
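As an added example that is not part of the original post, a small Python lint over a constructed, trimmed copy of the policy-map fragment above: it splits the config into column-0 blocks and reports any `class type control ... event` that ends up outside a policy-map (a common paste error, where a stray `!` closes PM_IPOE before the radius-timeout class) and any `service-policy type service name` reference to a map that is not defined. The helper names `parse_sections` and `lint_isg` are mine; the policy names come from the post.

```python
# Added example (not from the original post): a structural lint for the ISG
# control-policy fragment. IOS config is indentation-based, so a stray column-0
# "!" closes the policy-map and any class pasted after it lands outside the map.
import re
SAMPLE = """\
policy-map type service PM-DHCP-L4R
 classname L4R-CLASS
!
policy-map type service PM-RDT-SVC
 5 class type traffic CLASS-TO-REDIRECT
!
policy-map type control PM_IPOE
 class type control always event session-start
 !
!
 class type control always event radius-timeout
  10 service-policy type service name PM-DHCP-L4R
  20 service-policy type service name PM-RDT-SVC
 !
!
"""  # constructed sample, trimmed from the posted config

def parse_sections(text):
    # Split into top-level (column-0) blocks as (header, [indented lines]).
    sections, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or (stripped == "!" and line.startswith(" ")):
            continue                          # blank, or indented "!" ending a sub-block
        if line == "!":
            current = None                    # column-0 "!" closes the top-level block
        elif line.startswith(" "):
            if current is None:               # indented line with no open block: orphan
                sections.append(current := (None, []))
            current[1].append(stripped)
        else:
            sections.append(current := (line, []))
    return sections

def lint_isg(text):
    # Flag event classes outside any policy-map and references to undefined service maps.
    findings, sections = [], parse_sections(text)
    service_maps = {h.split()[-1] for h, _ in sections
                    if h and h.startswith("policy-map type service")}
    for header, body in sections:
        for ln in body:
            if header is None and ln.startswith("class type control"):
                findings.append(f"orphan class outside any policy-map: {ln}")
            m = re.match(r"\d+ service-policy type service name (\S+)", ln)
            if m and m.group(1) not in service_maps:
                findings.append(f"unknown service policy {m.group(1)}")
    return findings
```

Running `lint_isg(SAMPLE)` reports the radius-timeout class as orphaned; removing the stray `!` before it yields no findings.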

1 Reply

Alberto Romano
Level 1

More than one hundred views without an idea... :-(

So let's try changing the perspective. We have a lot of l2-connected FTTCab customers. When all systems work fine, at client startup the ISG intercepts the DHCP Discover and asks RADIUS; if the authorization is OK, RADIUS returns in the Access-Accept message a DHCP classname for the address assignment, otherwise (Access-Reject) the session will be disconnected.

Now suppose the RADIUS server is down or unreachable... the client starts up and sends a DHCP Discover, the ISG intercepts the request and asks RADIUS, but no response is received. This triggers the ISG "radius-timeout" event (confirmed from the show policy-map control command, too). So, now, what can we do to assign an IP address to the customer and ensure internet access anyway???

My idea is to use a service policy map, activated by a control policy, to assign a DHCP classname to the customer. But this doesn't work, and I don't understand why. So any idea is welcome.

Thanks all in advance.
