Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1682
Views
0
Helpful
2
Replies

No Cisco-Accoint-Info in accounting update on ASR 1000

Utair Corporation
Level 3
Level 3

‎12-08-2017 02:00 AM - edited ‎03-01-2019 03:09 PM

Hello. I've set up classic IPoE routed subscriber service policy:

aaa group server radius rg_radiusbsd
 server-private 10.50.50.2 auth-port 1812 acct-port 1813 key blahblah
!
aaa authentication login default local
aaa authentication ppp IPOE group rg_radiusbsd
aaa authorization console
aaa authorization exec default local 
aaa authorization network IPOE group rg_radiusbsd 
aaa authorization configuration IPOE group rg_radiusbsd 
aaa authorization subscriber-service default local group rg_radiusbsd 
aaa authorization subscriber-service IPOE local group rg_radiusbsd 
aaa accounting delay-start all
aaa accounting delay-start extended-delay 2
aaa accounting update periodic 1
aaa accounting include auth-profile framed-ip-address
aaa accounting include auth-profile framed-ipv6-prefix
aaa accounting include auth-profile delegated-ipv6-prefix
aaa accounting network default start-stop group rg_radiusbsd
aaa accounting network IPOE start-stop group rg_radiusbsd
!
aaa server radius dynamic-author
 client 10.50.50.2 server-key 0 blahblah
 port 1645
 auth-type any
 ignore session-key
!
aaa session-id common
aaa policy interface-config allow-subinterface
!
subscriber service session-accounting
subscriber templating
subscriber accounting ssg
subscriber accounting send-encoded-name
!
redirect server-group IPOE_HTTP
 server ip xxxx port 80
!
redirect server-group IPOE_DNS
 server ip xxxx port 53
!
redirect server-group IPOE_HTTP_ipv6
 server ip xxx port 5600
!
redirect server-group IPOE_DNS_ipv6
 server ip xxx port 53
!
class-map type traffic match-any CM_T_IPOE_REDIRECT_DNS6
 match access-group input name CM_T_IPOE_REDIRECT_DNS6
!
class-map type traffic match-any CM_T_IPOE_REDIRECT_WWW6
 match access-group input name CM_T_IPOE_REDIRECT_WWW6
!
class-map type traffic match-any CM_T_NULL
 match access-group input name CM_T_NULL
 match access-group output name CM_T_NULL
!
class-map type traffic match-any CM_ANY6
 match access-group input name CM_T_ANY6
 match access-group output name CM_T_ANY6
!
class-map type traffic match-any CM_ANY
 match access-group input name CM_T_ANY
 match access-group output name CM_T_ANY
!
class-map type traffic match-any CM_T_IPOE_PASS
 match access-group input name CM_T_IPOE_PASS
 match access-group output name CM_T_IPOE_PASS
!
class-map type traffic match-any CM_T_IPOE_REDIRECT_WWW
 match access-group input name CM_T_IPOE_REDIRECT_WWW
!
class-map type traffic match-any CM_T_IPOE_REDIRECT_DNS
 match access-group input name CM_T_IPOE_REDIRECT_DNS
!
class-map type traffic match-any CM_T_IPOE_PASS_IPv6
 match access-group input name CM_T_IPOE_PASS_IPv6
 match access-group output name CM_T_IPOE_PASS_IPv6
!
class-map type control match-all CM_C_IPOE_RTIMEOUT_REAUTH
 match timer IPOE_RTIMEOUT_REAUTH 
 match authen-status unauthenticated 
!
class-map type control match-all CM_C_IPOE_REJECT_REAUTH
 match timer IPOE_REJECT_REAUTH 
 match authen-status unauthenticated 
!
policy-map type service Block10
 10 class type traffic CM_T_NULL
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service Redirect100
 100 class type traffic CM_T_IPOE_PASS
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service Redirect110
 110 class type traffic CM_T_IPOE_PASS_IPv6
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service Redirect400
 400 class type traffic CM_T_IPOE_REDIRECT_WWW6
  redirect to group IPOE_HTTP_ipv6
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service Redirect410
 410 class type traffic CM_T_IPOE_REDIRECT_DNS6
  redirect to group IPOE_DNS_ipv6
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service Redirect500
 500 class type traffic CM_T_IPOE_REDIRECT_WWW
  redirect to group IPOE_HTTP
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service Redirect510
 510 class type traffic CM_T_IPOE_REDIRECT_DNS
  redirect to group IPOE_DNS
 !
 class type traffic default in-out
  drop
 !
!
policy-map type control IPOE_routed
 class type control CM_C_IPOE_RTIMEOUT_REAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control CM_C_IPOE_REJECT_REAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event session-start
  10 authorize aaa list IPOE password ciscoo identifier source-ip-address 
  20 set-timer IPOE_REJECT_REAUTH 1
  30 service-policy type service aaa list IPOE name Redirect100
  35 service-policy type service aaa list IPOE name Redirect110
  38 service-policy type service aaa list IPOE name Redirect400
  39 service-policy type service aaa list IPOE name Redirect410
  40 service-policy type service aaa list IPOE name Redirect500
  50 service-policy type service aaa list IPOE name Redirect510
 !
 class type control always event service-stop
  1 service-policy type service unapply identifier service-name
 !
 class type control always event session-restart
  10 authorize aaa list IPOE password ciscoo identifier source-ip-address 
  20 set-timer IPOE_REJECT_REAUTH 1
  30 service-policy type service aaa list IPOE name Redirect100
  35 service-policy type service aaa list IPOE name Redirect110
  38 service-policy type service aaa list IPOE name Redirect400
  39 service-policy type service aaa list IPOE name Redirect410
  40 service-policy type service aaa list IPOE name Redirect500
  50 service-policy type service aaa list IPOE name Redirect510
 !
 class type control always event radius-timeout
  1 set-timer IPOE_RTIMEOUT_REAUTH 1
  10 service-policy type service aaa list IPOE name Redirect100
  15 service-policy type service aaa list IPOE name Redirect110
  20 service-policy type service aaa list IPOE name Redirect500
  30 service-policy type service aaa list IPOE name Redirect510
  38 service-policy type service aaa list IPOE name Redirect400
  39 service-policy type service aaa list IPOE name Redirect410
 !
!
interface GigabitEthernet0/0/1
 description test link
 ip address ....
 negotiation auto
 service-policy type control IPOE_routed
 ip subscriber routed
  initiator unclassified ip-address
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 8 include-in-access-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf 
!
ip access-list ... all defined
!

When session create, a list of services is applied:

 

(19) Sent Access-Accept Id 71 from 10.50.50.2:1812 to 10.50.50.1:1645 length 0
(19)   Cisco-AVPair = "accounting-list=IPOE"
(19)   Acct-Interim-Interval = 60
(19)   Cisco-Account-Info += "NBlock10"
(19)   Cisco-Account-Info += "NRedirect100"
(19)   Cisco-Account-Info += "NRedirect110"
(19)   Cisco-Account-Info += "NRedirect400"
(19)   Cisco-Account-Info += "NRedirect410"
(19)   Cisco-Account-Info += "NRedirect500"
(19)   Cisco-Account-Info += "NRedirect510"
(19)   Cisco-Account-Info += "QU;10000;D;10000"
(19)   Cisco-Account-Info += "Sx.x.x.x"
(19)   Idle-Timeout = 3600
(19) Finished request

Every works fine, except there is no Cisco-Account-Info fields in accounting messages:

 

(21) Received Accounting-Request Id 127 from 10.50.50.1:1646 to 10.50.50.2:1813 length 373
(21)   Acct-Session-Id = "0001A61E"
(21)   Framed-IP-Address = x.x.x.x
(21)   Framed-Protocol = PPP
(21)   User-Name = "x.x.x.x"
(21)   Cisco-AVPair = "connect-progress=Call Up"
(21)   Cisco-Control-Info = "I0;40"
(21)   Cisco-Control-Info = "O0;0"
(21)   Acct-Session-Time = 65
(21)   Acct-Input-Octets = 0
(21)   Acct-Output-Octets = 40
(21)   Acct-Input-Packets = 0
(21)   Acct-Output-Packets = 1
(21)   Acct-Authentic = Local
(21)   Acct-Status-Type = Interim-Update
(21)   NAS-Port-Type = Virtual
(21)   NAS-Port = 0
(21)   NAS-Port-Id = "0/0/1/0"
(21)   Service-Type = Framed-User
(21)   NAS-IP-Address = 10.50.50.1
(21)   Event-Timestamp = "Dec  8 2017 12:53:47 MSK"
(21)   Acct-Delay-Time = 0

I've got almost the same setup on another ASR 1002-X, with same IOS tree, just a bit older service release, and it sends along a list af all services subscriber has and a list of serices active, all in one common session accounting request. I really need that info in case radius failover - backup radius won't know which services are curently on on session and what actions are allowed.

Am i missing something?

Labels:
0 Helpful
2 Replies 2

aelganzo
Cisco Employee
Cisco Employee

‎08-09-2018 03:39 PM - edited ‎08-09-2018 03:46 PM

Hello

 ## this just for reference may help someone else 

Could i suggest you change the Accounting list came in access accept from AAA and update the name in this lines

 

aaa accounting network IPOE start-stop group rg_radiusbsd

the requested attribute is with accounting on "service accounting" , the shared accounting logs is from "Session accounting"

 

BR

AbdelGalil 

0 Helpful

Utair Corporation
Level 3
Level 3
In response to aelganzo

‎08-09-2018 11:50 PM

I have worked out that situation using cookies attributes, which in fact were more elegant way to determine if session's config is up to date.

0 Helpful
Customers Also Viewed These Support Documents