10-05-2009 09:40 AM - edited 03-01-2019 02:14 PM
Hello!
I'm trying to trigger accounting notifications from an ISG Router to a Radius Server.
Whenever an IP session is created or deleted, accounting notifications should be sent to the RADIUS server. The problem is that the AAA accounting messages are not being sent to the server.
The following configuration is applied:
aaa new-model
aaa accounting network ISG start-stop group radius
aaa session-id common
!
ip dhcp pool test
network 172.16.1.0 255.255.255.0
!
!
!
!
subscriber feature accounting send ssg-compatible-vsas
call rsvp-sync
no scripting tcl init
no scripting tcl encdir
!
class-map type traffic match-any account
!
policy-map type service ACC
class type traffic account
accounting aaa list ISG
!
interface GigabitEthernet0/1
ip address 172.16.1.1 255.255.255.0
media-type rj45
speed auto
duplex auto
negotiation auto
ip subscriber l2-connected
initiator dhcp
!
radius-server host 192.168.12.190 auth-port 1645 acct-port 1646 key cisco
radius-server vsa send accounting
!
The AAA debug output is the following:
2d18h: AAA/ACCT/HC(00000038): Register IEDGE_IP_SIP/C900002A 846Mbit/s, poll every 30.3000s
2d18h: AAA/ACCT/HC(00000038): Update IEDGE_IP_SIP/C900002A
2d18h: AAA/ACCT/HC(00000038): IEDGE_IP_SIP/C900002A [init-sess] (rx/tx) base 0/0 pre 0/0 call 0/0
2d18h: AAA/ACCT/HC(00000038): IEDGE_IP_SIP/C900002A [init-sess] (rx/tx) adjusted, pre 0/0 call 0/0
2d18h: AAA/ACCT/EVENT/(00000038): CALL START
2d18h: Getting session id for NET(00000038) : db=64EC2680
2d18h: AAA/ACCT(00000000): add node, session 46
2d18h: AAA/ACCT/NET(00000038): add, count 1
2d18h: AAA/ACCT/EVENT/(00000038): IPCP_PASS
2d18h: AAA/ACCT/NET(00000038): Method list not found
Has anybody had a similar experience? Why is "Method list not found" appearing in the debug message?
10-14-2009 09:32 PM
You have not defined the method list ISG:
aaa group server radius ISG
server 192.168.12.190 auth-port 1645 acct-port 1646...
(assuming you want to use that radius server for accounting)
07-23-2013 01:59 AM
Hey there!
I have a problem with accounting. ISG doesn't send accounting start-stop messages to the RADIUS server.
Here is the config file.
Cisco IOS Software, 7200 Software (C7200P-ADVENTERPRISEK9-M), Version 12.2(33)SRE2, RELEASE SOFTWARE (fc1)
The RADIUS group that I use is ISG-Radius, on VLANs 202-204.
Here is what shows up in the debug output:
2d16h: AAA/ACCT/EVENT/(00000C3D): ATTR REPLACE
2d16h: AAA/ACCT(00000C3D): Accounting response status = FAILURE
2d16h: AAA/ACCT(00000C3D): Send NEWINFO accounting notification to EM successfully
2d16h: AAA/ACCT/HC(00000C3D): Update Iedge IP SIP/FB000B25
2d16h: AAA/ACCT/HC(00000C3D): no intf info, Iedge IP SIP/FB000B25
2d16h: AAA/ACCT/HC(00000C3D): no HC Iedge IP SIP/FB000B25
2d16h: AAA/ACCT/HC(00000C3D): Update Iedge IP SIP/FB000B25
2d16h: AAA/ACCT/HC(00000C3D): no intf info, Iedge IP SIP/FB000B25
2d16h: AAA/ACCT/HC(00000C3D): no HC Iedge IP SIP/FB000B25
2d16h: AAA/ACCT/EVENT/(00000C3D): CALL STOP
2d16h: AAA/ACCT/CALL STOP(00000C3D): Sending stop requests
2d16h: AAA/ACCT(00000C3D): Send all stops
2d16h: AAA/ACCT/NET(00000C3D): STOP
bras#show
2d16h: AAA/ACCT/NET(00000C3D): Method list not found
2d16h: AAA/ACCT(00000C3D): del node, session 3132
2d16h: AAA/ACCT/NET(00000C3D): free_rec, count 0
2d16h: /AAA/ACCTNET(00000C3D) reccnt 0, csr TRUE, osr 0
2d16h: AAA/ACCT/NET(00000C3D): Last rec in db, intf not enqueued
bras#show
2d16h: AAA/BIND(00000C3E): Bind i/f
2d16h: AAA/ACCT/HC(00000C3E): Register Iedge IP SIP/4C000B26 64 bit counter support not configured
2d16h: AAA/ACCT/HC(00000C3E): Update Iedge IP SIP/4C000B26
2d16h: AAA/ACCT/HC(00000C3E): no intf info, Iedge IP SIP/4C000B26
2d16h: AAA/ACCT/HC(00000C3E): no HC Iedge IP SIP/4C000B26
2d16h: AAA/ACCT/EVENT/(00000C3E): CALL START
2d16h: Getting session id for NET(00000C3E) : db=75D1C08
2d16h: AAA/ACCT(00000000): add node, session 3133
2d16h: AAA/ACCT/NET(00000C3E): add, count 1
2d16h: AAA/BIND(00000C3E): Bind i/f GigabitEthernet0/1.203
2d16h: AAA/ACCT/EVENT/(00000C3E): IPCP_PASS
2d16h: AAA/ACCT/NET(00000C3E): Method list not found
bras#show
2d16h: Getting session id for NET(00000C3E) : db=75D1C08
Using 13489 out of 2095096 bytes
!
! Last configuration change at 07:42:10 UTC Tue Jul 23 2013 by qrg7t
! NVRAM config last updated at 07:42:10 UTC Tue Jul 23 2013 by qrg7t
!
version 12.2
service nagle
service timestamps debug uptime
service timestamps log datetime msec
service password-encryption
!
hostname bras
!
boot-start-marker
boot system flash c7200p-adventerprisek9-mz.122-33.SRE2.bin
boot system flash disk0:c7200p-adventerprisek9-mz.122-33.SRE2.bin
boot-end-marker
!
security passwords min-length 1
logging snmp-authfail
logging buffered 128000
logging console informational
enable password 7 1421173948102F33
!
aaa new-model
!
!
aaa group server radius IPoE-RADIUS
server 10.95.11.5 auth-port 1816 acct-port 1817
ip radius source-interface GigabitEthernet0/1.11
!
aaa group server radius DHCP
server 10.95.11.5 auth-port 1818 acct-port 1819
ip radius source-interface GigabitEthernet0/1.11
!
aaa group server radius ISG-RADIUS
server 10.95.11.5 auth-port 1812 acct-port 1813
ip radius source-interface GigabitEthernet0/1.11
!
aaa authentication login default group tacacs+ local
aaa authentication login console enable none
aaa authentication login CONS none
aaa authentication login DHCP_test group DHCP
aaa authentication login DHCP-82 group IPoE-RADIUS
aaa authentication login ISG-AUTH-1 group ISG-RADIUS
aaa authentication enable default none
aaa authentication ppp PPPoE_ISG group PPPoE_ISG
aaa authorization exec default group tacacs+ local
aaa authorization exec DHCP_test group DHCP if-authenticated
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network PPPoE_ISG group PPPoE_ISG
aaa authorization network DHCP-82 group IPoE-RADIUS
aaa authorization network ISG-AUTH-1 group ISG-RADIUS
aaa authorization subscriber-service default group ISG-RADIUS
aaa accounting delay-start all
aaa accounting jitter maximum 0
aaa accounting update periodic 1
aaa accounting commands 1 tac_acc
action-type start-stop
group tacacs+
!
aaa accounting commands 15 tac_acc
action-type start-stop
group tacacs+
!
aaa accounting network PPPoE_ISG
action-type start-stop
group PPPoE_ISG
!
aaa accounting network IPoE-RADIUS
action-type start-stop
group IPoE-RADIUS
!
aaa accounting network ISG-AUTH-1
action-type start-stop
group ISG-RADIUS
!
aaa accounting network DHCP-82
action-type start-stop
group IPoE-RADIUS
!
aaa accounting connection tac_acc
action-type start-stop
group tacacs+
!
aaa accounting resource tac_acc
action-type start-stop-failure
group tacacs+
!
!
!
!
!
!
aaa session-id common
rlogin trusted-remoteuser-source local
rlogin trusted-localuser-source local
ip source-route
ip address-pool dhcp-pool
ip cef
!
!
ip dhcp relay information policy keep
no ip dhcp relay information check
ip dhcp relay information trust-all
ip dhcp excluded-address 10.100.100.1
ip dhcp excluded-address 10.100.100.0
ip dhcp excluded-address 10.100.100.255
ip dhcp excluded-address 10.100.100.2
ip dhcp excluded-address 10.101.0.1
ip dhcp excluded-address 10.201.0.1
ip dhcp excluded-address 10.202.0.1
!
ip dhcp pool WI-FI
network 10.100.0.0 255.255.0.0
default-router 10.100.100.1
dns-server 185.11.60.11
domain-name vertex-com.ru
lease 30
!
ip dhcp pool LAN
network 10.201.0.0 255.255.0.0
domain-name vertex-com.ru
default-router 10.201.0.1
lease 2
!
ip dhcp pool PPPoE
network 10.101.0.0 255.255.0.0
default-router 10.101.0.1
dns-server 185.11.60.11
domain-name vertex-com.ru
lease 3
!
!
ip domain name vetex-com.ru
ip subscriber list my-list
!
no ipv6 cef
!
subscriber feature prepaid TEST
threshold time 0 seconds
threshold volume 950 Kbytes
interim-interval 30 minutes
method-list author ISG-AUTH-1
method-list accounting ISG-AUTH-1
password cisco
subscriber feature prepaid PREPAID
threshold time 0 seconds
threshold volume 950 Kbytes
interim-interval 30 minutes
method-list author PPPoE_ISG
method-list accounting PPPoE_ISG
password cisco
!
redirect server-group REDIRECT_NOPAY
server ip 10.95.11.5 port 80
server ip 10.20.1.1 port 80
!
multilink bundle-name authenticated
!
!
!
ip ftp source-interface GigabitEthernet0/1.11
ip ftp username admin
ip ftp password 7 070E25414707
ip ssh authentication-retries 2
ip ssh source-interface Loopback100
ip ssh version 2
no ip rcmd domain-lookup
ip rcmd rsh-enable
ip rcmd remote-host rshbilling 10.95.11.5 rshbilling enable
ip rcmd remote-host root 10.95.11.5 root enable
class-map type control match-all IPoE-UNAUTH
match timer UNAUTH-TIMER
match authen-status unauthenticated
!
class-map type control match-all ISG-IP-UNAUTH
match timer UNAUTH-TIMER
match authen-status unauthenticated
!
policy-map type control DOMAIN_BASED_ACCESS
class type control always event session-start
10 authenticate aaa list PPPoE_ISG
20 service local
!
!
policy-map type control IPOE_subs_control
class type control always event session-start
10 authorize aaa list ISG-AUTH-1 password ISG identifier source-ip-address
20 set-timer UNAUTH-TIMER 1
!
class type control always event quota-depleted
1 set-param drop-traffic FALSE
!
class type control always event account-logon
10 authenticate aaa list ISG-RADIUS
!
!
policy-map type control IPoE-Radius-Subscriber
class type control IPoE-UNAUTH event timed-policy-expiry
1 service disconnect
!
class type control always event quota-depleted
1 set-param drop-traffic FALSE
!
class type control always event session-start
10 authorize aaa list DHCP-82 password ISG identifier mac-address
20 set-timer UNAUTH-TIMER 1
30 service-policy type service name SVC_WORLD
!
!
!
!
!
!
!
bba-group pppoe global
virtual-template 2
sessions max limit 8000
ac name PPPoE
sessions per-mac limit 2
sessions per-vlan limit 1000
!
!
interface Loopback0
description ==For_PPPoE==
ip address 10.101.0.1 255.255.0.0
!
interface Loopback3
description ==For_LAN==
ip address 10.201.0.1 255.255.0.0
!
interface Loopback4
description ==For_IP+MAC==
no ip address
!
!
interface FastEthernet0/0
description --- -M- | MGMT Backup
ip address 10.95.10.2 255.255.255.224
speed auto
duplex auto
vlan-id dot1q 10
exit-vlan-config
!
!
interface GigabitEthernet0/0
description --- -X- | border@ge-1/0/9
ip address 10.95.0.2 255.255.255.252
no ip proxy-arp
media-type sfp
speed 1000
duplex auto
negotiation auto
!
!
interface GigabitEthernet0/1
description --- -X- | sw01@gi1/0/1
no ip address
media-type rj45
speed auto
duplex auto
negotiation auto
!
interface GigabitEthernet0/1.11
description --- -M- | MGMT
encapsulation dot1Q 11
ip address 10.95.11.2 255.255.255.224
no ip unreachables
no ip proxy-arp
ip nat inside
!
interface GigabitEthernet0/1.97
description ===MGMT_secondary===
encapsulation dot1Q 97
ip address 172.31.4.6 255.255.252.0
no ip unreachables
no ip proxy-arp
ip nat inside
!
interface GigabitEthernet0/1.200
description --- -CI | WiFi CUSTOMERS NAT | INTERNET
encapsulation dot1Q 200
no ip unreachables
no ip proxy-arp
ip nat inside
!
interface GigabitEthernet0/1.201
encapsulation dot1Q 201
ip unnumbered Loopback3
no ip unreachables
pppoe enable group global
no cdp enable
!
interface GigabitEthernet0/1.202
encapsulation dot1Q 202
ip address 10.202.0.1 255.255.0.0
no ip unreachables
no ip proxy-arp
service-policy type control IPOE_subs_control
ip subscriber routed
initiator unclassified ip-address
!
interface GigabitEthernet0/1.203
encapsulation dot1Q 203
ip address 10.203.0.1 255.255.0.0
no ip unreachables
no ip proxy-arp
service-policy type control IPOE_subs_control
ip subscriber routed
initiator unclassified ip-address
!
interface GigabitEthernet0/1.204
encapsulation dot1Q 204
ip address 10.204.0.1 255.255.0.0
no ip unreachables
no ip proxy-arp
service-policy type control IPOE_subs_control
ip subscriber routed
initiator unclassified ip-address
!
interface GigabitEthernet0/1.205
encapsulation dot1Q 205
ip address 10.205.0.1 255.255.0.0
ip helper-address 10.95.11.5
no ip unreachables
no ip proxy-arp
service-policy type control IPoE-Radius-Subscriber
ip subscriber l2-connected
initiator unclassified mac-address
!
interface GigabitEthernet0/1.206
encapsulation dot1Q 206
ip address 10.206.0.1 255.255.0.0
no ip unreachables
no ip proxy-arp
ip nat inside
!
interface GigabitEthernet0/2
no ip address
no ip proxy-arp
speed 1000
duplex auto
negotiation auto
!
interface GigabitEthernet0/2.12
encapsulation dot1Q 12
ip address 10.95.0.6 255.255.255.252
no ip unreachables
no ip proxy-arp
!
interface GigabitEthernet0/2.203
!
interface GigabitEthernet0/2.205
encapsulation dot1Q 205
!
interface GigabitEthernet0/3
no ip address
speed auto
duplex auto
negotiation auto
!
interface GigabitEthernet0/3.200
encapsulation dot1Q 200
no ip unreachables
no ip proxy-arp
ip nat inside
!
interface GigabitEthernet0/3.201
encapsulation dot1Q 201
no ip unreachables
no ip proxy-arp
ip nat inside
!
interface GigabitEthernet0/3.202
encapsulation dot1Q 202
no ip unreachables
no ip proxy-arp
ip nat inside
!
interface GigabitEthernet0/3.203
encapsulation dot1Q 203
no ip unreachables
no ip proxy-arp
ip nat inside
!
interface GigabitEthernet0/3.204
encapsulation dot1Q 204
no ip unreachables
no ip proxy-arp
ip nat inside
!
interface GigabitEthernet0/3.205
encapsulation dot1Q 205
no ip unreachables
no ip proxy-arp
ip nat inside
!
interface Virtual-Template1
no ip address
no ip proxy-arp
ip verify unicast source reachable-via rx
ip nat inside
ip flow ingress
ip tcp adjust-mss 1452
no logging event link-status
no peer default ip address
no snmp trap link-status
keepalive 30
ppp mtu adaptive
ppp authentication chap pap ms-chap PPPoE_ISG
ppp authorization PPPoE_ISG
ppp accounting PPPoE_ISG
ppp ipcp dns 213.176.224.101
ppp ipcp mask 255.255.255.255
ppp ipcp address request ignore
no clns route-cache
service-policy type control DOMAIN_BASED_ACCESS
!
interface Virtual-Template2
description ==For_PPPoE==
ip unnumbered Loopback0
ip flow ingress
peer default ip address dhcp-pool PPPoE
ppp authentication chap pap ms-chap callin PPPoE_ISG
ppp authorization PPPoE_ISG
ppp accounting PPPoE_ISG
ppp ipcp dns 213.176.224.101
ppp ipcp mask 255.255.255.255
service-policy type control DOMAIN_BASED_ACCESS
!
ip nat pool BILL-TMP 185.11.61.2 185.11.61.2 prefix-length 24
ip nat pool CUSTOMERS 185.11.61.3 185.11.61.5 prefix-length 24 type rotary
ip nat inside source list 5 pool CUSTOMERS overload
ip nat inside source list 22 pool BILL-TMP overload
ip nat inside source static tcp 10.95.11.5 80 185.11.61.2 80 extendable
ip nat inside source static tcp 10.95.11.5 22 185.11.61.2 1022 extendable
!
!
ip http server
ip http authentication aaa login-authentication default
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.95.0.5
!
ip access-list extended local-in
permit ip 10.100.0.0 0.2.255.255 any
!
logging history debugging
logging alarm informational
logging trap debugging
logging facility local5
logging 10.95.11.4
access-list 5 remark === Customers ===
access-list 5 permit 10.100.0.0 0.0.255.255
access-list 22 permit 10.95.11.0 0.0.0.255
access-list 77 remark --- SNMP ---
access-list 77 permit 10.95.11.4
access-list 77 permit 185.11.60.11
!
snmp-server community 5EIUmXDO RO 77
!
tacacs-server host 10.95.11.4 key 7 113D11041427190821207D
tacacs-server directed-request
radius-server attribute 44 include-in-access-req
radius-server attribute 44 extend-with-addr
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 25 access-request include
radius-server attribute 31 mac format unformatted
radius-server attribute 31 send nas-port-detail mac-only
radius-server host 10.95.11.5 auth-port 1812 acct-port 1813 key 7 10480518111B1B013A112D
radius-server host 10.95.11.5 auth-port 1814 acct-port 1815 key 7 10480518111B1B013A112D
radius-server host 10.95.11.5 auth-port 1816 acct-port 1817 key 7 10480518111B1B013A112D
radius-server host 10.95.11.5 auth-port 1818 acct-port 1819 key 7 10480518111B1B013A112D
radius-server key 7 110F1504031E0206323F2C
radius-server vsa send accounting
!
control-plane
!
privilege exec level 15 access-template
privilege exec level 15 clear access-template
privilege exec level 1 clear
!
line con 0
logging synchronous
login authentication console
terminal-type mon
history size 256
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
timeout login response 10
privilege level 15
logging synchronous
history size 256
transport input telnet ssh
transport output telnet ssh
line vty 5 15
exec-timeout 120 0
timeout login response 10
privilege level 15
logging synchronous
history size 256
transport input telnet ssh
transport output telnet ssh
!
ntp clock-period 17180244
ntp master 15
ntp server 10.95.11.4
end
08-02-2013 07:25 AM
Hi Rizvan,
I'm not sure if you are still facing this problem. If so, can you collect:
- debug subscriber policy all
- debug radius
- debug aaa accounting
Then initiate the session. Probably those will let us see what's happening.
Regards
06-10-2014 09:46 AM
Hi,
I'm having the same issue. Were you able to fix it?
06-11-2014 12:44 AM
Hi,
The person who asked this question never provided the debugs so I'm not sure if it was fixed or how.
If you share your configuration and the same debugs I asked before, I can take a look.
Regards
07-01-2014 08:51 AM
In order to solve the issue, the following steps were done:
- Save startup-config on flash.
- Erase startup config.
- Reload the router.
- Configure the router line by line (copy backup to run wasn't tried).
Regards
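Added example, not part of any post in this thread and not Cisco tooling: a Python check that cross-references accounting method-list names in an IOS configuration, flagging lists that are referenced but never defined with `aaa accounting network`, and lists whose `group` names no defined server group. The sample configuration is constructed from lines that appear in the two configurations posted above. The reference patterns cover only the commands seen on this page, and the check does not establish what caused "Method list not found" in either poster's case.

```python
import re

BUILTIN_GROUPS = {"radius", "tacacs+"}  # server groups that need no definition
SERVER_GROUP = re.compile(r"aaa group server (?:radius|tacacs\+) (\S+)")
DEFINITION = re.compile(r"aaa accounting network (\S+)(.*)")
# Commands on this page that point at an accounting method list by name.
REFERENCE = re.compile(
    r"(?:accounting aaa list|ppp accounting|method-list accounting) (\S+)")
GROUP_USE = re.compile(r"\bgroup (\S+)")

# Constructed sample, assembled from lines in the posted configurations.
SAMPLE = """\
aaa group server radius ISG-RADIUS
server 10.95.11.5 auth-port 1812 acct-port 1813
!
aaa accounting network PPPoE_ISG
action-type start-stop
group PPPoE_ISG
!
aaa accounting network ISG-AUTH-1
action-type start-stop
group ISG-RADIUS
!
policy-map type service ACC
class type traffic account
accounting aaa list ISG
!
interface Virtual-Template2
ppp accounting PPPoE_ISG
"""

def audit(config):
    """Return (referenced-but-undefined lists, {list: undefined groups})."""
    defined, groups, referenced = {}, set(), set()
    current = None  # accounting list whose sub-commands are being read
    for line in (raw.strip() for raw in config.splitlines()):
        if m := DEFINITION.match(line):
            current = m.group(1)
            # One-line form: "aaa accounting network X start-stop group radius"
            defined.setdefault(current, set()).update(GROUP_USE.findall(m.group(2)))
        elif current and line.startswith(("group ", "action-type ")):
            # Block form: sub-commands follow the definition line
            defined[current].update(GROUP_USE.findall(line))
        else:
            current = None
            if m := SERVER_GROUP.match(line):
                groups.add(m.group(1))
            elif m := REFERENCE.match(line):
                referenced.add(m.group(1))
    missing_lists = sorted(referenced - set(defined))
    missing_groups = {name: sorted(used - groups - BUILTIN_GROUPS)
                      for name, used in defined.items()
                      if used - groups - BUILTIN_GROUPS}
    return missing_lists, missing_groups

if __name__ == "__main__":
    print(audit(SAMPLE))
```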