How ISG works?

salarciscodx
Level 1

Hi guys, I got this simple topology on IOS 15.2 for 7200 routers:

And I have configured PPPoE on these devices. Here are my configs:

ISG:

aaa new-model
aaa authentication ppp PPPoE_AUTHE local
!
username 2221111 password 0 123
username 2221122 password 0 123
!
ip local pool PPPoE_POOL 20.1.1.1 20.1.255.255
!
interface Virtual-Template1
 ip address 20.1.1.1 255.255.255.0
 peer default ip address pool PPPoE_POOL
 ppp authentication chap PPPoE_AUTHE
!
bba-group pppoe PPPoE_GROUP
 virtual-template 1
!
interface FastEthernet0/0
 no ip address
 pppoe enable group PPPoE_GROUP
!
 
R1 & R2:
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp chap hostname 2221111
 ppp chap password 0 123
!
interface FastEthernet0/0
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 1
!

Everything works perfectly and I got this output on ISG:
ISG#show pppoe session
     2 sessions in LOCALLY_TERMINATED (PTA) State
     2 sessions total

Uniq ID  PPPoE  RemMAC          Port                    VT  VA         State
           SID  LocMAC                                      VA-st      Type
    369    369  ca00.2754.0008  Fa0/0                    1  Vi1.1      PTA
                ca03.1014.0008                              UP
    370    370  ca01.2754.0008  Fa0/0                    1  Vi1.2      PTA
                ca03.1014.0008                              UP
 
Now, I wanna run ISG on the ISG Router :D
I looked for documentation and couldn't find anything except Cisco documents! They seemed pretty vague to me! I mean, I just saw some short examples about policy-map control/class-map control/service ... When I tried to implement them on my network I just got stuck in the first phase (authentication via local AAA). I know that real ISG implementations definitely require separate AAA servers (like RADIUS), but for the sake of learning, I want some simple documents and examples for ISG (especially implementations on PPPoE).
Also, would someone please implement an ISG on my simple topology which does the following stuff:

1- Authenticate customers via local database (local AAA)
2- if customers got authenticated, I want R1 & R2 to be authorized (via local AAA) to access R4 with speed of 128Kbps and 256 Kbps respectively (QoS rate-limiting)
3- And for accounting (using local AAA), I want the credit for R1 & R2 get finished when their only sent traffic reached 10MB.
 
I just wanna see the steps, I don't know where to begin
Many thanks in advance.

Manuel Rodriguez
Cisco Employee

Hi,

 

1- Authenticate customers via local database (local AAA)

For PPPoE sessions, this is done at PPP level on the VTemplate interface. You are already doing this using list PPPoE_AUTHE
2- if customers got authenticated, I want R1 & R2 to be authorized (via local AAA) to access R4 with speed of 128Kbps and 256 Kbps respectively (QoS rate-limiting)

You can use a service with MQC on it. Check: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/configuration/xe-3s/isg-xe-3s-book/isg-mqc-ip-sess.html

You can also apply the QoS policy using per-user QoS. Check: http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/sbsbpssq.html#wp1050969


3- And for accounting (using local AAA), I want the credit for R1 & R2 get finished when their only sent traffic reached 10MB.

I'm afraid this is not possible. The only way to track quota consumption in ISG is using the pre-paid feature. This feature takes care of reporting the quota to an external server, and that server is responsible for providing further quota and maintaining the total quota information for the subscriber. ISG only reports the consumption (based on accounting packets) and takes actions based on the quota information provided by the server. It is not possible to use this feature without an external server. Check http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/configuration/xe-3s/isg-xe-3s-book/isg-prepaid-bill.html

 

Regards

Hi, 

Many thanks for your reply and sorry for the delay.

Based on your answer and also some other research, for the last 3 months, I have been working (programming) on that accounting system you said and finally it turned out to be a full AAA server. Now I feel very comfortable with all its concepts and depending attributes and other stuff.

Today, after 3 months, I just came back to the same point :D

I built the AAA server, but I can't match it with ISG. I wrote the details in this link:

http://www.networking-forum.com/viewtopic.php?f=33&t=46957

Would you please take a look at it?  Many thanks again. 

Hi,

Sorry for the delay. I read your thread and it seems the issue is with the service authorization. You are expecting to see authorization request sent from ISG to radius to download the service profile but you don't see it. Correct?

If so, I would suggest adding a subscriber-service authorization statement to your AAA config. Something like:

aaa authorization subscriber-service default group radius

aaa authorization subscriber-service PPPoE_AUTHO group radius

This way, ISG should send authorization requests to radius to download service profile.

Hope this helps.

Regards.

Hi,

Also, there seems to be a mismatch in your subscriber profile regarding the QoS policy. In the ISG you have defined:

policy-map P_IN_INTER_128K

policy-map P_OUT_INTER_128K

However, in the radius response you are sending VSA with:

Cisco-Policy-Up=IN_INTER_128K

Cisco-Policy-Down=OUT_INTER_128K

The names of the policies are not matching. This is why you see the log: "%SGPM-3-POLICY_RULE_SERVICE_CONFIG_ERROR: Service () is configured incorrectly, service_failed event will be thrown"

Regards
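
The name check described in the last reply, as an added example that is not part of the original thread: it compares the policy names a RADIUS profile returns in Cisco-Policy-Up / Cisco-Policy-Down against the policy-map names defined on the ISG. The sample config and reply are constructed from the names quoted above; the function names, the `PPPOE_RULE` control policy and the `Attribute=Value` input format are assumptions.

```python
import re

# Constructed sample: policy-map names are the ones quoted in the reply above;
# the class/police lines and PPPOE_RULE are illustrative only.
ISG_CONFIG = """\
policy-map P_IN_INTER_128K
 class class-default
  police 128000
policy-map P_OUT_INTER_128K
 class class-default
  police 128000
policy-map type control PPPOE_RULE
 class type control always event session-start
"""

# Constructed sample: the two VSAs as quoted in the reply above.
RADIUS_REPLY = """\
Cisco-Policy-Up=IN_INTER_128K
Cisco-Policy-Down=OUT_INTER_128K
"""

POLICY_ATTRS = ("Cisco-Policy-Up", "Cisco-Policy-Down")

def defined_policy_maps(config):
    # Untyped "policy-map NAME" lines only; typed maps such as
    # "policy-map type control" are skipped (assumption: the VSAs name QoS maps).
    return set(re.findall(r"^policy-map\s+(?!type\s)(\S+)", config, re.M))

def referenced_policies(reply):
    refs = {}
    for line in reply.splitlines():
        attr, sep, value = line.partition("=")
        if sep and attr.strip() in POLICY_ATTRS:
            refs[attr.strip()] = value.strip()
    return refs

def find_mismatches(config, reply):
    defined = defined_policy_maps(config)
    problems = []
    for attr, name in referenced_policies(reply).items():
        if name not in defined:
            # Offer defined names that differ only by a prefix/suffix.
            near = sorted(d for d in defined if name in d or d in name)
            problems.append((attr, name, near))
    return problems

if __name__ == "__main__":
    for attr, name, near in find_mismatches(ISG_CONFIG, RADIUS_REPLY):
        print(f"{attr}={name}: no such policy-map on ISG; similar: {near}")
```
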
