Hi guys, I got this simple topology on IOS 15.2 for 7200 routers:
And I have configured PPPoE on these devices. Here are my configs:
aaa authentication ppp PPPoE_AUTHE local
username 2221111 password 0 123
username 2221122 password 0 123
ip local pool PPPoE_POOL 184.108.40.206 220.127.116.11
ip address 18.104.22.168 255.255.255.0
peer default ip address pool PPPoE_POOL
ppp authentication chap PPPoE_AUTHE
bba-group pppoe PPPoE_GROUP
no ip address
pppoe enable group PPPoE_GROUP
ip address negotiated
dialer pool 1
ppp chap hostname 2221111
ppp chap password 0 123
no ip address
pppoe-client dial-pool-number 1
ISG#show pppoe session
2 sessions in LOCALLY_TERMINATED (PTA) State
2 sessions total
Uniq ID PPPoE RemMAC Port VT VA State
SID LocMAC VA-st Type
369 369 ca00.2754.0008 Fa0/0 1 Vi1.1 PTA
370 370 ca01.2754.0008 Fa0/0 1 Vi1.2 PTA
1- Authenticate customers via local database (local AAA)
For PPPoE sessions, this is done at PPP level on the VTemplate interface. You are already doing this using list
2- If customers got authenticated, I want R1 & R2 to be authorized (via local AAA) to access R4 with speed of 128Kbps and 256 Kbps respectively (QoS rate-limiting)
You can use a service with MQC on it. Check: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/configuration/xe-3s/isg-xe-3s-book/isg-mqc-ip-sess.html
You can also apply the QoS policy using per-user QoS. Check: http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/sbsbpssq.html#wp1050969
3- And for accounting (using local AAA), I want the credit for R1 & R2 get finished when their only sent traffic reached 10MB.
I'm afraid this is not possible. The only way to track quota consumption in ISG is using the pre-paid feature. This feature takes care of reporting the quota to an external server, and that server is responsible for providing further quota and maintaining the total quota information for the subscriber. ISG only reports the consumption (based on accounting packets) and takes actions based on the quota information provided by the server. It is not possible to use this feature without an external server. Check http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/configuration/xe-3s/isg-xe-3s-book/isg-prepaid-bill.html
Many thanks for your reply and sorry for the delay.
Based on your answer and also some other research, for the last 3 months I have been working (programming) on that accounting system you mentioned, and finally it turned out to be a full AAA server. Now I feel very comfortable with all its concepts and depending attributes and other stuff.
Today, after 3 months, I just came back to the same point :D
I built the AAA server, but I can't match it with ISG. I wrote the details in this link:
Would you please take a look at it? Many thanks again.
Sorry for the delay. I read your thread and it seems the issue is with the service authorization. You are expecting to see an authorization request sent from ISG to RADIUS to download the service profile, but you don't see it. Correct?
If so, I would suggest adding a subscriber-service authorization statement to your AAA config. Something like:
aaa authorization subscriber-service default group radius
aaa authorization subscriber-service PPPoE_AUTHO group radius
This way, ISG should send authorization requests to RADIUS to download the service profile.
Hope this helps.
Also, there seems to be a mismatch in your subscriber profile regarding the QoS policy. In the ISG you have defined:
However, in the RADIUS response you are sending a VSA with:
The names of the policies are not matching. This is why you see the log:
%SGPM-3-POLICY_RULE_SERVICE_CONFIG_ERROR: Service () is configured incorrectly, service_failed event will be thrown
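The policy-name mismatch described in the last reply can be caught before a session fails by comparing the names the RADIUS server sends against the policy-maps defined on the router. The script below is an added example, not part of the original thread: the config excerpt, the policy names and the RADIUS replies are constructed, and it assumes the QoS policy is pushed with the `ip:sub-qos-policy-in` / `ip:sub-qos-policy-out` Cisco-AVPair attributes and that names are compared case-sensitively.

```python
import re

# Constructed sample inputs (not from the thread): an IOS config excerpt and
# the Cisco-AVPair values a RADIUS server returns for two subscribers.
SAMPLE_CONFIG = """\
policy-map RATE_128K
 class class-default
  police 128000
policy-map RATE_256K
 class class-default
  police 256000
policy-map type control PPPoE_RULE
"""
SAMPLE_REPLIES = {
    "2221111": ["ip:sub-qos-policy-in=RATE_128K", "ip:sub-qos-policy-out=RATE_128K"],
    "2221122": ["ip:sub-qos-policy-in=Rate_256k", "ip:addr-pool=PPPoE_POOL"],
}

# Assumption: QoS is pushed with the per-user sub-qos-policy-in/out AV pairs.
QOS_AVPAIR = re.compile(r"^ip:sub-qos-policy-(in|out)=(\S+)$")
# Only plain MQC policy-maps count; "policy-map type control ..." is skipped.
POLICY_MAP = re.compile(r"^policy-map\s+(?!type\s)(\S+)\s*$", re.MULTILINE)


def configured_policies(config_text):
    """Return the set of QoS policy-map names defined in the config."""
    return set(POLICY_MAP.findall(config_text))


def find_mismatches(config_text, replies):
    """Return (user, direction, name, hint) for every AV pair whose policy
    name has no exact match on the router; hint is a case-insensitive match."""
    defined = configured_policies(config_text)
    by_lower = {name.lower(): name for name in defined}
    problems = []
    for user, avpairs in sorted(replies.items()):
        for av in avpairs:
            m = QOS_AVPAIR.match(av.strip())
            if not m or m.group(2) in defined:
                continue
            hint = by_lower.get(m.group(2).lower())
            problems.append((user, m.group(1), m.group(2), hint))
    return problems


if __name__ == "__main__":
    for user, direction, name, hint in find_mismatches(SAMPLE_CONFIG, SAMPLE_REPLIES):
        note = f" (did you mean {hint}?)" if hint else ""
        print(f"{user}: {direction}bound policy '{name}' not on router{note}")
```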