
ISG ACCOUNTING

javiercastro

Hello!

I'm trying to trigger accounting notifications from an ISG Router to a Radius Server.

Whenever an IP session is created or deleted, accounting notifications should be sent to the RADIUS server. The problem is that the AAA accounting messages are not being sent to the server.

The following configuration is applied:

aaa new-model

aaa accounting network ISG start-stop group radius

aaa session-id common

!

ip dhcp pool test

network 172.16.1.0 255.255.255.0

!

!

!

!

subscriber feature accounting send ssg-compatible-vsas

call rsvp-sync

no scripting tcl init

no scripting tcl encdir

!

class-map type traffic match-any account

!

policy-map type service ACC

class type traffic account

accounting aaa list ISG

!

interface GigabitEthernet0/1

ip address 172.16.1.1 255.255.255.0

media-type rj45

speed auto

duplex auto

negotiation auto

ip subscriber l2-connected

initiator dhcp

!

radius-server host 192.168.12.190 auth-port 1645 acct-port 1646 key cisco

radius-server vsa send accounting

!

The AAA debug output is the following:

2d18h: AAA/ACCT/HC(00000038): Register IEDGE_IP_SIP/C900002A 846Mbit/s, poll every 30.3000s

2d18h: AAA/ACCT/HC(00000038): Update IEDGE_IP_SIP/C900002A

2d18h: AAA/ACCT/HC(00000038): IEDGE_IP_SIP/C900002A [init-sess] (rx/tx) base 0/0 pre 0/0 call 0/0

2d18h: AAA/ACCT/HC(00000038): IEDGE_IP_SIP/C900002A [init-sess] (rx/tx) adjusted, pre 0/0 call 0/0

2d18h: AAA/ACCT/EVENT/(00000038): CALL START

2d18h: Getting session id for NET(00000038) : db=64EC2680

2d18h: AAA/ACCT(00000000): add node, session 46

2d18h: AAA/ACCT/NET(00000038): add, count 1

2d18h: AAA/ACCT/EVENT/(00000038): IPCP_PASS

2d18h: AAA/ACCT/NET(00000038): Method list not found

Has anybody had a similar experience? Why is "Method list not found" appearing in the debug message?


chrmar

You have not defined the method list ISG:

aaa group server radius ISG

server 192.168.12.190 auth-port 1645 acct-port 1646...

(assuming you want to use that radius server for accounting)

Hey there!

I have a problem with accounting. ISG doesn't send accounting start-stop messages to the RADIUS server.

Here is the config file.

Cisco IOS Software, 7200 Software (C7200P-ADVENTERPRISEK9-M), Version 12.2(33)SRE2, RELEASE SOFTWARE (fc1)


Radius Group that I use, ISG-Radius, on the vlan 202-204



Here is what is pouring out in the debug:

2d16h: AAA/ACCT/EVENT/(00000C3D): ATTR REPLACE

2d16h: AAA/ACCT(00000C3D): Accounting response status = FAILURE

2d16h: AAA/ACCT(00000C3D): Send NEWINFO accounting notification to EM successfully

2d16h: AAA/ACCT/HC(00000C3D): Update Iedge IP SIP/FB000B25

2d16h: AAA/ACCT/HC(00000C3D): no intf info, Iedge IP SIP/FB000B25

2d16h: AAA/ACCT/HC(00000C3D): no HC Iedge IP SIP/FB000B25

2d16h: AAA/ACCT/HC(00000C3D): Update Iedge IP SIP/FB000B25

2d16h: AAA/ACCT/HC(00000C3D): no intf info, Iedge IP SIP/FB000B25

2d16h: AAA/ACCT/HC(00000C3D): no HC Iedge IP SIP/FB000B25

2d16h: AAA/ACCT/EVENT/(00000C3D): CALL STOP

2d16h: AAA/ACCT/CALL STOP(00000C3D): Sending stop requests

2d16h: AAA/ACCT(00000C3D): Send all stops

2d16h: AAA/ACCT/NET(00000C3D): STOP

bras#show

2d16h: AAA/ACCT/NET(00000C3D): Method list not found

2d16h: AAA/ACCT(00000C3D): del node, session 3132

2d16h: AAA/ACCT/NET(00000C3D): free_rec, count 0

2d16h: /AAA/ACCTNET(00000C3D) reccnt 0, csr TRUE, osr 0

2d16h: AAA/ACCT/NET(00000C3D): Last rec in db, intf not enqueued

bras#show

2d16h: AAA/BIND(00000C3E): Bind i/f

2d16h: AAA/ACCT/HC(00000C3E): Register Iedge IP SIP/4C000B26 64 bit counter support not configured

2d16h: AAA/ACCT/HC(00000C3E): Update Iedge IP SIP/4C000B26

2d16h: AAA/ACCT/HC(00000C3E): no intf info, Iedge IP SIP/4C000B26

2d16h: AAA/ACCT/HC(00000C3E): no HC Iedge IP SIP/4C000B26

2d16h: AAA/ACCT/EVENT/(00000C3E): CALL START

2d16h: Getting session id for NET(00000C3E) : db=75D1C08

2d16h: AAA/ACCT(00000000): add node, session 3133

2d16h: AAA/ACCT/NET(00000C3E): add, count 1

2d16h: AAA/BIND(00000C3E): Bind i/f GigabitEthernet0/1.203

2d16h: AAA/ACCT/EVENT/(00000C3E): IPCP_PASS

2d16h: AAA/ACCT/NET(00000C3E): Method list not found

bras#show

2d16h: Getting session id for NET(00000C3E) : db=75D1C08







Using 13489 out of 2095096 bytes

!

! Last configuration change at 07:42:10 UTC Tue Jul 23 2013 by qrg7t

! NVRAM config last updated at 07:42:10 UTC Tue Jul 23 2013 by qrg7t

!

version 12.2

service nagle

service timestamps debug uptime

service timestamps log datetime msec

service password-encryption

!

hostname bras

!

boot-start-marker

boot system flash c7200p-adventerprisek9-mz.122-33.SRE2.bin

boot system flash disk0:c7200p-adventerprisek9-mz.122-33.SRE2.bin

boot-end-marker

!

security passwords min-length 1

logging snmp-authfail

logging buffered 128000

logging console informational

enable password 7 1421173948102F33

!

aaa new-model

!

!

aaa group server radius IPoE-RADIUS

server 10.95.11.5 auth-port 1816 acct-port 1817

ip radius source-interface GigabitEthernet0/1.11

!

aaa group server radius DHCP

server 10.95.11.5 auth-port 1818 acct-port 1819

ip radius source-interface GigabitEthernet0/1.11

!

aaa group server radius ISG-RADIUS

server 10.95.11.5 auth-port 1812 acct-port 1813

ip radius source-interface GigabitEthernet0/1.11

!

aaa authentication login default group tacacs+ local

aaa authentication login console enable none

aaa authentication login CONS none

aaa authentication login DHCP_test group DHCP

aaa authentication login DHCP-82 group IPoE-RADIUS

aaa authentication login ISG-AUTH-1 group ISG-RADIUS

aaa authentication enable default none

aaa authentication ppp PPPoE_ISG group PPPoE_ISG

aaa authorization exec default group tacacs+ local

aaa authorization exec DHCP_test group DHCP if-authenticated

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

aaa authorization network PPPoE_ISG group PPPoE_ISG

aaa authorization network DHCP-82 group IPoE-RADIUS

aaa authorization network ISG-AUTH-1 group ISG-RADIUS

aaa authorization subscriber-service default group ISG-RADIUS

aaa accounting delay-start all

aaa accounting jitter maximum 0

aaa accounting update periodic 1

aaa accounting commands 1 tac_acc

action-type start-stop

group tacacs+

!

aaa accounting commands 15 tac_acc

action-type start-stop

group tacacs+

!

aaa accounting network PPPoE_ISG

action-type start-stop

group PPPoE_ISG

!

aaa accounting network IPoE-RADIUS

action-type start-stop

group IPoE-RADIUS

!

aaa accounting network ISG-AUTH-1

action-type start-stop

group ISG-RADIUS

!

aaa accounting network DHCP-82

action-type start-stop

group IPoE-RADIUS

!

aaa accounting connection tac_acc

action-type start-stop

group tacacs+

!

aaa accounting resource tac_acc

action-type start-stop-failure

group tacacs+

!

!

!

!

!

!

aaa session-id common

rlogin trusted-remoteuser-source local

rlogin trusted-localuser-source local

ip source-route

ip address-pool dhcp-pool

ip cef

!

!

ip dhcp relay information policy keep

no ip dhcp relay information check

ip dhcp relay information trust-all

ip dhcp excluded-address 10.100.100.1

ip dhcp excluded-address 10.100.100.0

ip dhcp excluded-address 10.100.100.255

ip dhcp excluded-address 10.100.100.2

ip dhcp excluded-address 10.101.0.1

ip dhcp excluded-address 10.201.0.1

ip dhcp excluded-address 10.202.0.1

!

ip dhcp pool WI-FI

network 10.100.0.0 255.255.0.0

default-router 10.100.100.1

dns-server 185.11.60.11

domain-name vertex-com.ru

lease 30

!

ip dhcp pool LAN

network 10.201.0.0 255.255.0.0

domain-name vertex-com.ru

default-router 10.201.0.1

lease 2

!

ip dhcp pool PPPoE

network 10.101.0.0 255.255.0.0

default-router 10.101.0.1

dns-server 185.11.60.11

domain-name vertex-com.ru

lease 3

!

!

ip domain name vetex-com.ru

ip subscriber list my-list

!

no ipv6 cef

!

subscriber feature prepaid TEST

threshold time 0 seconds

threshold volume 950 Kbytes

interim-interval 30 minutes

method-list author ISG-AUTH-1

method-list accounting ISG-AUTH-1

password cisco

subscriber feature prepaid PREPAID

threshold time 0 seconds

threshold volume 950 Kbytes

interim-interval 30 minutes

method-list author PPPoE_ISG

method-list accounting PPPoE_ISG

password cisco

!

redirect server-group REDIRECT_NOPAY

server ip 10.95.11.5 port 80

server ip 10.20.1.1 port 80

!

multilink bundle-name authenticated

!


!

!

ip ftp source-interface GigabitEthernet0/1.11

ip ftp username admin

ip ftp password 7 070E25414707

ip ssh authentication-retries 2

ip ssh source-interface Loopback100

ip ssh version 2

no ip rcmd domain-lookup

ip rcmd rsh-enable

ip rcmd remote-host rshbilling 10.95.11.5 rshbilling enable

ip rcmd remote-host root 10.95.11.5 root enable

class-map type control match-all IPoE-UNAUTH

match timer UNAUTH-TIMER

match authen-status unauthenticated

!

class-map type control match-all ISG-IP-UNAUTH

match timer UNAUTH-TIMER

match authen-status unauthenticated

!

policy-map type control DOMAIN_BASED_ACCESS

class type control always event session-start

10 authenticate aaa list PPPoE_ISG

20 service local

!

!

policy-map type control IPOE_subs_control

class type control always event session-start

10 authorize aaa list ISG-AUTH-1 password ISG identifier source-ip-address

20 set-timer UNAUTH-TIMER 1

!

class type control always event quota-depleted

1 set-param drop-traffic FALSE

!

class type control always event account-logon

10 authenticate aaa list ISG-RADIUS

!

!

policy-map type control IPoE-Radius-Subscriber

class type control IPoE-UNAUTH event timed-policy-expiry

1 service disconnect

!

class type control always event quota-depleted

1 set-param drop-traffic FALSE

!

class type control always event session-start

10 authorize aaa list DHCP-82 password ISG identifier mac-address

20 set-timer UNAUTH-TIMER 1

30 service-policy type service name SVC_WORLD

!

!

!

!

!

!

!

bba-group pppoe global

virtual-template 2

sessions max limit 8000

ac name PPPoE

sessions per-mac limit 2

sessions per-vlan limit 1000

!

!

interface Loopback0

description ==For_PPPoE==

ip address 10.101.0.1 255.255.0.0

!

interface Loopback3

description ==For_LAN==

ip address 10.201.0.1 255.255.0.0

!

interface Loopback4

description ==For_IP+MAC==

no ip address

!


!

interface FastEthernet0/0

description --- -M- | MGMT Backup

ip address 10.95.10.2 255.255.255.224

speed auto

duplex auto

vlan-id dot1q 10

exit-vlan-config

!

!

interface GigabitEthernet0/0

description --- -X- | border@ge-1/0/9

ip address 10.95.0.2 255.255.255.252

no ip proxy-arp

media-type sfp

speed 1000

duplex auto

negotiation auto

!


!

interface GigabitEthernet0/1

description --- -X- | sw01@gi1/0/1

no ip address

media-type rj45

speed auto

duplex auto

negotiation auto

!

interface GigabitEthernet0/1.11

description --- -M- | MGMT

encapsulation dot1Q 11

ip address 10.95.11.2 255.255.255.224

no ip unreachables

no ip proxy-arp

ip nat inside

!

interface GigabitEthernet0/1.97

description ===MGMT_secondary===

encapsulation dot1Q 97

ip address 172.31.4.6 255.255.252.0

no ip unreachables

no ip proxy-arp

ip nat inside

!

interface GigabitEthernet0/1.200

description --- -CI | WiFi CUSTOMERS NAT | INTERNET

encapsulation dot1Q 200

no ip unreachables

no ip proxy-arp

ip nat inside

!

interface GigabitEthernet0/1.201

encapsulation dot1Q 201

ip unnumbered Loopback3

no ip unreachables

pppoe enable group global

no cdp enable

!

interface GigabitEthernet0/1.202

encapsulation dot1Q 202

ip address 10.202.0.1 255.255.0.0

no ip unreachables

no ip proxy-arp

service-policy type control IPOE_subs_control

ip subscriber routed

initiator unclassified ip-address

!

interface GigabitEthernet0/1.203

encapsulation dot1Q 203

ip address 10.203.0.1 255.255.0.0

no ip unreachables

no ip proxy-arp

service-policy type control IPOE_subs_control

ip subscriber routed

initiator unclassified ip-address

!

interface GigabitEthernet0/1.204

encapsulation dot1Q 204

ip address 10.204.0.1 255.255.0.0

no ip unreachables

no ip proxy-arp

service-policy type control IPOE_subs_control

ip subscriber routed

initiator unclassified ip-address

!

interface GigabitEthernet0/1.205

encapsulation dot1Q 205

ip address 10.205.0.1 255.255.0.0

ip helper-address 10.95.11.5

no ip unreachables

no ip proxy-arp

service-policy type control IPoE-Radius-Subscriber

ip subscriber l2-connected

initiator unclassified mac-address

!

interface GigabitEthernet0/1.206

encapsulation dot1Q 206

ip address 10.206.0.1 255.255.0.0

no ip unreachables

no ip proxy-arp

ip nat inside

!

interface GigabitEthernet0/2

no ip address

no ip proxy-arp

speed 1000

duplex auto

negotiation auto

!

interface GigabitEthernet0/2.12

encapsulation dot1Q 12

ip address 10.95.0.6 255.255.255.252

no ip unreachables

no ip proxy-arp

!

interface GigabitEthernet0/2.203

!

interface GigabitEthernet0/2.205

encapsulation dot1Q 205

!

interface GigabitEthernet0/3

no ip address

speed auto

duplex auto

negotiation auto

!

interface GigabitEthernet0/3.200

encapsulation dot1Q 200

no ip unreachables

no ip proxy-arp

ip nat inside

!

interface GigabitEthernet0/3.201

encapsulation dot1Q 201

no ip unreachables

no ip proxy-arp

ip nat inside

!

interface GigabitEthernet0/3.202

encapsulation dot1Q 202

no ip unreachables

no ip proxy-arp

ip nat inside

!

interface GigabitEthernet0/3.203

encapsulation dot1Q 203

no ip unreachables

no ip proxy-arp

ip nat inside

!

interface GigabitEthernet0/3.204

encapsulation dot1Q 204

no ip unreachables

no ip proxy-arp

ip nat inside

!

interface GigabitEthernet0/3.205

encapsulation dot1Q 205

no ip unreachables

no ip proxy-arp

ip nat inside

!

interface Virtual-Template1

no ip address

no ip proxy-arp

ip verify unicast source reachable-via rx

ip nat inside

ip flow ingress

ip tcp adjust-mss 1452

no logging event link-status

no peer default ip address

no snmp trap link-status

keepalive 30

ppp mtu adaptive

ppp authentication chap pap ms-chap PPPoE_ISG

ppp authorization PPPoE_ISG

ppp accounting PPPoE_ISG

ppp ipcp dns 213.176.224.101

ppp ipcp mask 255.255.255.255

ppp ipcp address request ignore

no clns route-cache

service-policy type control DOMAIN_BASED_ACCESS

!

interface Virtual-Template2

description ==For_PPPoE==

ip unnumbered Loopback0

ip flow ingress

peer default ip address dhcp-pool PPPoE

ppp authentication chap pap ms-chap callin PPPoE_ISG

ppp authorization PPPoE_ISG

ppp accounting PPPoE_ISG

ppp ipcp dns 213.176.224.101

ppp ipcp mask 255.255.255.255

service-policy type control DOMAIN_BASED_ACCESS

!

ip nat pool BILL-TMP 185.11.61.2 185.11.61.2 prefix-length 24

ip nat pool CUSTOMERS 185.11.61.3 185.11.61.5 prefix-length 24 type rotary

ip nat inside source list 5 pool CUSTOMERS overload

ip nat inside source list 22 pool BILL-TMP overload

ip nat inside source static tcp 10.95.11.5 80 185.11.61.2 80 extendable

ip nat inside source static tcp 10.95.11.5 22 185.11.61.2 1022 extendable

!

!

ip http server

ip http authentication aaa login-authentication default

no ip http secure-server

ip route 0.0.0.0 0.0.0.0 10.95.0.5

!

ip access-list extended local-in

permit ip 10.100.0.0 0.2.255.255 any

!

logging history debugging

logging alarm informational

logging trap debugging

logging facility local5

logging 10.95.11.4

access-list 5 remark === Customers ===

access-list 5 permit 10.100.0.0 0.0.255.255

access-list 22 permit 10.95.11.0 0.0.0.255

access-list 77 remark --- SNMP ---

access-list 77 permit 10.95.11.4

access-list 77 permit 185.11.60.11

!

snmp-server community 5EIUmXDO RO 77

!

tacacs-server host 10.95.11.4 key 7 113D11041427190821207D

tacacs-server directed-request

radius-server attribute 44 include-in-access-req

radius-server attribute 44 extend-with-addr

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 32 include-in-access-req

radius-server attribute 32 include-in-accounting-req

radius-server attribute 55 include-in-acct-req

radius-server attribute 55 access-request include

radius-server attribute 25 access-request include

radius-server attribute 31 mac format unformatted

radius-server attribute 31 send nas-port-detail mac-only

radius-server host 10.95.11.5 auth-port 1812 acct-port 1813 key 7 10480518111B1B013A112D

radius-server host 10.95.11.5 auth-port 1814 acct-port 1815 key 7 10480518111B1B013A112D

radius-server host 10.95.11.5 auth-port 1816 acct-port 1817 key 7 10480518111B1B013A112D

radius-server host 10.95.11.5 auth-port 1818 acct-port 1819 key 7 10480518111B1B013A112D

radius-server key 7 110F1504031E0206323F2C

radius-server vsa send accounting

!

control-plane

!

privilege exec level 15 access-template

privilege exec level 15 clear access-template

privilege exec level 1 clear

!

line con 0

logging synchronous

login authentication console

terminal-type mon

history size 256

stopbits 1

line aux 0

stopbits 1

line vty 0 4

exec-timeout 0 0

timeout login response 10

privilege level 15

logging synchronous

history size 256

transport input telnet ssh

transport output telnet ssh

line vty 5 15

exec-timeout 120 0

timeout login response 10

privilege level 15

logging synchronous

history size 256

transport input telnet ssh

transport output telnet ssh

!

ntp clock-period 17180244

ntp master 15

ntp server 10.95.11.4

end
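
An added example, not part of any post in this thread: a Python check that cross-references the AAA method-list and server-group names an IOS configuration uses against the ones it defines, which is the first thing to rule out when `debug aaa accounting` prints "Method list not found". The sample is a constructed excerpt of lines from the configuration posted above; the name `audit_aaa` and the matching on AAA family only (ignoring the service keyword) are assumptions of this sketch, and a finding is a lead to verify on the router, not a confirmed cause.

```python
import re

BUILTIN_GROUPS = {"radius", "tacacs+"}
GROUP_DEF_RE = re.compile(r"^aaa group server (?:radius|tacacs\+) (\S+)")
LIST_DEF_RE = re.compile(
    r"^aaa (authentication|authorization|accounting) (?:login|enable|ppp|exec|network|"
    r"connection|resource|system|subscriber-service|commands \d+) (\S+)(.*)$")
# Assumption: a reference is matched on AAA family only, not on the service keyword.
REF_PATTERNS = [
    (re.compile(r"\bauthenticate aaa list (\S+)"), "authentication"),
    (re.compile(r"\bauthorize aaa list (\S+)"), "authorization"),
    (re.compile(r"\baccounting aaa list (\S+)"), "accounting"),
]
# Constructed sample: an excerpt of lines taken from the configuration posted above.
SAMPLE = """\
aaa group server radius ISG-RADIUS
aaa authorization network PPPoE_ISG group PPPoE_ISG
aaa authorization network ISG-AUTH-1 group ISG-RADIUS
aaa accounting network ISG-AUTH-1
 action-type start-stop
 group ISG-RADIUS
policy-map type control IPOE_subs_control
 class type control always event session-start
  10 authorize aaa list ISG-AUTH-1 password ISG identifier source-ip-address
 class type control always event account-logon
  10 authenticate aaa list ISG-RADIUS
"""

def audit_aaa(config_text):
    """Return findings for method lists and server groups used but never defined."""
    lists, groups = set(), set(BUILTIN_GROUPS)
    list_refs, group_refs, in_block = [], [], False
    for line in filter(None, map(str.strip, config_text.splitlines())):
        if (m := GROUP_DEF_RE.match(line)):
            groups.add(m.group(1))
        elif (m := LIST_DEF_RE.match(line)):
            lists.add((m.group(1), m.group(2)))
            group_refs += [(g, line) for g in re.findall(r"\bgroup (\S+)", m.group(3))]
            in_block = True  # block form: "action-type" / "group" sub-lines may follow
            continue
        elif in_block and line.split()[0] in ("group", "action-type"):
            if line.startswith("group "):
                group_refs.append((line.split()[1], line))
            continue
        else:
            for pattern, family in REF_PATTERNS:
                if (m := pattern.search(line)):
                    list_refs.append((family, m.group(1), line))
        in_block = False
    out = [f"no {fam} method list '{name}': {line}"
           for fam, name, line in list_refs if (fam, name) not in lists]
    out += [f"no server group '{grp}': {line}"
            for grp, line in group_refs if grp not in groups]
    return out
```

Run `audit_aaa()` over the full `show running-config` text; blank lines and `!` separators are tolerated, so a paste in the form shown in this thread works unchanged.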

Hi Rizvan,

I'm not sure if you are still facing this problem. If so, can you collect:

- debug subscriber policy all

- debug radius

- debug aaa accounting

Then initiate the session. Probably those will let us see what's happening.

Regards

Hi,

 

I'm having the same issue, were you able to fix it?

 

Hi,

 

The person who asked this question never provided the debugs so I'm not sure if it was fixed or how.

 

If you share your configuration and the same debugs I asked before, I can take a look.

 

Regards

In order to solve the issue, the following steps were done:

- Save startup-config on flash.

- Erase startup config.

- Reload the router.

- Configure the router line by line (copying the backup to running-config wasn't tried).

 

Regards
 
