12-08-2017 02:00 AM - edited 03-01-2019 03:09 PM
Hello. I've set up classic IPoE routed subscriber service policy:
aaa group server radius rg_radiusbsd
 server-private 10.50.50.2 auth-port 1812 acct-port 1813 key blahblah
!
aaa authentication login default local
aaa authentication ppp IPOE group rg_radiusbsd
aaa authorization console
aaa authorization exec default local
aaa authorization network IPOE group rg_radiusbsd
aaa authorization configuration IPOE group rg_radiusbsd
aaa authorization subscriber-service default local group rg_radiusbsd
aaa authorization subscriber-service IPOE local group rg_radiusbsd
aaa accounting delay-start all
aaa accounting delay-start extended-delay 2
aaa accounting update periodic 1
aaa accounting include auth-profile framed-ip-address
aaa accounting include auth-profile framed-ipv6-prefix
aaa accounting include auth-profile delegated-ipv6-prefix
aaa accounting network default start-stop group rg_radiusbsd
aaa accounting network IPOE start-stop group rg_radiusbsd
!
aaa server radius dynamic-author
 client 10.50.50.2 server-key 0 blahblah
 port 1645
 auth-type any
 ignore session-key
!
aaa session-id common
aaa policy interface-config allow-subinterface
!
subscriber service session-accounting
subscriber templating
subscriber accounting ssg
subscriber accounting send-encoded-name
!
redirect server-group IPOE_HTTP
 server ip xxxx port 80
!
redirect server-group IPOE_DNS
 server ip xxxx port 53
!
redirect server-group IPOE_HTTP_ipv6
 server ip xxx port 5600
!
redirect server-group IPOE_DNS_ipv6
 server ip xxx port 53
!
class-map type traffic match-any CM_T_IPOE_REDIRECT_DNS6
 match access-group input name CM_T_IPOE_REDIRECT_DNS6
!
class-map type traffic match-any CM_T_IPOE_REDIRECT_WWW6
 match access-group input name CM_T_IPOE_REDIRECT_WWW6
!
class-map type traffic match-any CM_T_NULL
 match access-group input name CM_T_NULL
 match access-group output name CM_T_NULL
!
class-map type traffic match-any CM_ANY6
 match access-group input name CM_T_ANY6
 match access-group output name CM_T_ANY6
!
class-map type traffic match-any CM_ANY
 match access-group input name CM_T_ANY
 match access-group output name CM_T_ANY
!
class-map type traffic match-any CM_T_IPOE_PASS
 match access-group input name CM_T_IPOE_PASS
 match access-group output name CM_T_IPOE_PASS
!
class-map type traffic match-any CM_T_IPOE_REDIRECT_WWW
 match access-group input name CM_T_IPOE_REDIRECT_WWW
!
class-map type traffic match-any CM_T_IPOE_REDIRECT_DNS
 match access-group input name CM_T_IPOE_REDIRECT_DNS
!
class-map type traffic match-any CM_T_IPOE_PASS_IPv6
 match access-group input name CM_T_IPOE_PASS_IPv6
 match access-group output name CM_T_IPOE_PASS_IPv6
!
class-map type control match-all CM_C_IPOE_RTIMEOUT_REAUTH
 match timer IPOE_RTIMEOUT_REAUTH
 match authen-status unauthenticated
!
class-map type control match-all CM_C_IPOE_REJECT_REAUTH
 match timer IPOE_REJECT_REAUTH
 match authen-status unauthenticated
!
policy-map type service Block10
 10 class type traffic CM_T_NULL
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service Redirect100
 100 class type traffic CM_T_IPOE_PASS
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service Redirect110
 110 class type traffic CM_T_IPOE_PASS_IPv6
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service Redirect400
 400 class type traffic CM_T_IPOE_REDIRECT_WWW6
  redirect to group IPOE_HTTP_ipv6
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service Redirect410
 410 class type traffic CM_T_IPOE_REDIRECT_DNS6
  redirect to group IPOE_DNS_ipv6
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service Redirect500
 500 class type traffic CM_T_IPOE_REDIRECT_WWW
  redirect to group IPOE_HTTP
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service Redirect510
 510 class type traffic CM_T_IPOE_REDIRECT_DNS
  redirect to group IPOE_DNS
 !
 class type traffic default in-out
  drop
 !
!
policy-map type control IPOE_routed
 class type control CM_C_IPOE_RTIMEOUT_REAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control CM_C_IPOE_REJECT_REAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event session-start
  10 authorize aaa list IPOE password ciscoo identifier source-ip-address
  20 set-timer IPOE_REJECT_REAUTH 1
  30 service-policy type service aaa list IPOE name Redirect100
  35 service-policy type service aaa list IPOE name Redirect110
  38 service-policy type service aaa list IPOE name Redirect400
  39 service-policy type service aaa list IPOE name Redirect410
  40 service-policy type service aaa list IPOE name Redirect500
  50 service-policy type service aaa list IPOE name Redirect510
 !
 class type control always event service-stop
  1 service-policy type service unapply identifier service-name
 !
 class type control always event session-restart
  10 authorize aaa list IPOE password ciscoo identifier source-ip-address
  20 set-timer IPOE_REJECT_REAUTH 1
  30 service-policy type service aaa list IPOE name Redirect100
  35 service-policy type service aaa list IPOE name Redirect110
  38 service-policy type service aaa list IPOE name Redirect400
  39 service-policy type service aaa list IPOE name Redirect410
  40 service-policy type service aaa list IPOE name Redirect500
  50 service-policy type service aaa list IPOE name Redirect510
 !
 class type control always event radius-timeout
  1 set-timer IPOE_RTIMEOUT_REAUTH 1
  10 service-policy type service aaa list IPOE name Redirect100
  15 service-policy type service aaa list IPOE name Redirect110
  20 service-policy type service aaa list IPOE name Redirect500
  30 service-policy type service aaa list IPOE name Redirect510
  38 service-policy type service aaa list IPOE name Redirect400
  39 service-policy type service aaa list IPOE name Redirect410
 !
!
interface GigabitEthernet0/0/1
 description test link
 ip address ....
 negotiation auto
 service-policy type control IPOE_routed
 ip subscriber routed
  initiator unclassified ip-address
 !
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 8 include-in-access-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf
!
ip access-list ... all defined
!
When the session is created, a list of services is applied:
(19) Sent Access-Accept Id 71 from 10.50.50.2:1812 to 10.50.50.1:1645 length 0
(19) Cisco-AVPair = "accounting-list=IPOE"
(19) Acct-Interim-Interval = 60
(19) Cisco-Account-Info += "NBlock10"
(19) Cisco-Account-Info += "NRedirect100"
(19) Cisco-Account-Info += "NRedirect110"
(19) Cisco-Account-Info += "NRedirect400"
(19) Cisco-Account-Info += "NRedirect410"
(19) Cisco-Account-Info += "NRedirect500"
(19) Cisco-Account-Info += "NRedirect510"
(19) Cisco-Account-Info += "QU;10000;D;10000"
(19) Cisco-Account-Info += "Sx.x.x.x"
(19) Idle-Timeout = 3600
(19) Finished request
Everything works fine, except there are no Cisco-Account-Info fields in accounting messages:
(21) Received Accounting-Request Id 127 from 10.50.50.1:1646 to 10.50.50.2:1813 length 373
(21) Acct-Session-Id = "0001A61E"
(21) Framed-IP-Address = x.x.x.x
(21) Framed-Protocol = PPP
(21) User-Name = "x.x.x.x"
(21) Cisco-AVPair = "connect-progress=Call Up"
(21) Cisco-Control-Info = "I0;40"
(21) Cisco-Control-Info = "O0;0"
(21) Acct-Session-Time = 65
(21) Acct-Input-Octets = 0
(21) Acct-Output-Octets = 40
(21) Acct-Input-Packets = 0
(21) Acct-Output-Packets = 1
(21) Acct-Authentic = Local
(21) Acct-Status-Type = Interim-Update
(21) NAS-Port-Type = Virtual
(21) NAS-Port = 0
(21) NAS-Port-Id = "0/0/1/0"
(21) Service-Type = Framed-User
(21) NAS-IP-Address = 10.50.50.1
(21) Event-Timestamp = "Dec 8 2017 12:53:47 MSK"
(21) Acct-Delay-Time = 0
I've got almost the same setup on another ASR 1002-X, with the same IOS tree, just a bit older service release, and it sends along a list of all services the subscriber has and a list of active services, all in one common session accounting request. I really need that info in case of RADIUS failover - the backup RADIUS won't know which services are currently on in the session and what actions are allowed.
Am I missing something?
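A small check for the symptom described in this post, as an added example that is not part of the original thread: it parses RADIUS server debug output in the format shown above and lists the accounting requests that carry no Cisco-Account-Info. The sample log is constructed, the function names are hypothetical, and the "N" service prefix in accounting is assumed to match the one in the Access-Accept.

```python
import re

# Constructed sample modelled on the debug output in the post (not captured traffic).
SAMPLE_LOG = """\
(19) Sent Access-Accept Id 71 from 10.50.50.2:1812 to 10.50.50.1:1645 length 0
(19)   Cisco-Account-Info += "NBlock10"
(19)   Cisco-Account-Info += "NRedirect100"
(19)   Cisco-Account-Info += "QU;10000;D;10000"
(21) Received Accounting-Request Id 127 from 10.50.50.1:1646 to 10.50.50.2:1813 length 373
(21)   Acct-Session-Id = "0001A61E"
(22) Received Accounting-Request Id 128 from 10.50.50.1:1646 to 10.50.50.2:1813 length 401
(22)   Acct-Session-Id = "0001A61F"
(22)   Cisco-Account-Info = "NRedirect100"
"""

HEADER = re.compile(r"^\((\d+)\)\s+(?:Sent|Received) (\S+) Id \d+")
ATTR = re.compile(r"^\((\d+)\)\s+([\w-]+) \+?= (.*)$")

def parse_packets(log):
    """Group debug lines by request number into {'type', 'attrs'} records."""
    packets = {}
    for line in log.splitlines():
        if m := HEADER.match(line):
            packets[m.group(1)] = {"type": m.group(2), "attrs": []}
        elif (m := ATTR.match(line)) and m.group(1) in packets:
            packets[m.group(1)]["attrs"].append((m.group(2), m.group(3).strip('"')))
    return packets

def values(packet, name):
    return [v for n, v in packet["attrs"] if n == name]

def granted_services(packets):
    """Service names ('N' prefix) pushed to the NAS in Access-Accept packets."""
    return [v[1:] for p in packets.values() if p["type"] == "Access-Accept"
            for v in values(p, "Cisco-Account-Info") if v.startswith("N")]

def accounting_without_services(packets):
    """Acct-Session-Ids whose Accounting-Request carries no Cisco-Account-Info."""
    return [values(p, "Acct-Session-Id")[0] for p in packets.values()
            if p["type"] == "Accounting-Request"
            and values(p, "Acct-Session-Id")
            and not values(p, "Cisco-Account-Info")]

if __name__ == "__main__":
    pkts = parse_packets(SAMPLE_LOG)
    print("granted:", granted_services(pkts))
    print("accounting without service info:", accounting_without_services(pkts))
```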
08-09-2018 03:39 PM - edited 08-09-2018 03:46 PM
Hello
This is just for reference and may help someone else.
Could I suggest you change the accounting list that came in the Access-Accept from AAA and update the name in this line:
aaa accounting network IPOE start-stop group rg_radiusbsd
The requested attribute is with accounting on "service accounting"; the shared accounting logs are from "session accounting".
BR
AbdelGalil
08-09-2018 11:50 PM
I have worked out that situation using cookie attributes, which in fact were a more elegant way to determine if the session's config is up to date.