Cisco PPPoE not disconnecting user after data limit

promise kumalo · ‎02-18-2016

Good day all

I am trying to configure PPPoE on a Cisco 2911 router Using an external Radius server (Ubuntu freeRadius). My configs are as below for the Cisco part.

######################################################################################################

aaa new-model

aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting send stop-record authentication failure
aaa accounting send stop-record always
aaa accounting delay-start
aaa accounting update periodic 2
aaa accounting include auth-profile framed-ip-address
aaa accounting network default start-stop group radius
aaa accounting resource default stop-failure group radius

bba-group pppoe global
virtual-template 1
!
interface Loopback0
description IP for Unnumbered Tunnel Interfaces
ip address x.x.x.x 255.255.255.255

nterface GigabitEthernet0/2
no ip address
duplex auto
speed auto
pppoe enable group global
end

radius server PPPOE
address ipv4 x.x.x.x auth-port 1812 acct-port 1813
key xxxx

#########################################################################################################

Users are able to connect using PPPoE, but the challenge is that when they reach their data limit they are not being disconnected. When one reaches their data limit they still continue to browse. It is only when they disconnect and they try to reconnect when they are denied access because they have reached their data limits.

Below are Radius debug messages

#################################################################################################

Debug when a user connects for the 1st time

*Feb 19 07:13:03.612: RADIUS/ENCODE(00000959):Orig. component type = PPPoE
*Feb 19 07:13:03.612: RADIUS: AAA Unsupported Attr: interface [221] 7 997127868
*Feb 19 07:13:03.612: RADIUS: AAA Unsupported Attr: client-mac-address[44] 14 997127920
*Feb 19 07:13:03.612: RADIUS(00000959): Config NAS IP: 0.0.0.0
*Feb 19 07:13:03.612: RADIUS(00000959): Config NAS IPv6: ::
*Feb 19 07:13:03.612: RADIUS/ENCODE(00000959): acct_session_id: 38
*Feb 19 07:13:03.612: RADIUS(00000959): sending
*Feb 19 07:13:03.612: RADIUS/ENCODE: Best Local IP-Address x.x.x.x for Radius-Server x.x.x.x
*Feb 19 07:13:03.612: RADIUS(00000959): Sending a IPv4 Radius Packet
*Feb 19 07:13:03.612: RADIUS(00000959): Send Access-Request to x.x.x.x:1812 id 1645/19,len 87
*Feb 19 07:13:03.612: RADIUS: authenticator 06 F8 77 32 6E 34 FB 50 - 1F 1E 5F 7F 15 97 90 4B
*Feb 19 07:13:03.612: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Feb 19 07:13:03.612: RADIUS: User-Name [1] 9 "test555"
*Feb 19 07:13:03.612: RADIUS: CHAP-Password [3] 19 *
*Feb 19 07:13:03.612: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Feb 19 07:13:03.612: RADIUS: NAS-Port [5] 6 0
*Feb 19 07:13:03.612: RADIUS: NAS-Port-Id [87] 9 "0/0/2/0"
*Feb 19 07:13:03.612: RADIUS: Service-Type [6] 6 Framed [2]
*Feb 19 07:13:03.612: RADIUS: NAS-IP-Address [4] 6 x.x.x.x
*Feb 19 07:13:03.612: RADIUS(00000959): Started 5 sec timeout
*Feb 19 07:13:03.616: RADIUS: Received from id 1645/19 x.x.x.x:1812, Access-Accept, len 62
*Feb 19 07:13:03.616: RADIUS: authenticator EC 9A DF 78 32 AC F2 97 - C7 F3 EC 26 AF DE 3D FB
*Feb 19 07:13:03.616: RADIUS: Session-Timeout [27] 6 43199980
*Feb 19 07:13:03.616: RADIUS: Vendor, Unknown [26] 12
*Feb 19 07:13:03.616: RADIUS: NAS-Port [5] 6
*Feb 19 07:13:03.616: RADIUS: 00 00 20 00 [ ]
*Feb 19 07:13:03.616: RADIUS: Vendor, Unknown [26] 12
*Feb 19 07:13:03.616: RADIUS: CHAP-Password [3] 6
*Feb 19 07:13:03.616: RADIUS: 00 A0 00 00
*Feb 19 07:13:03.616: RADIUS: Vendor, Unknown [26] 12
*Feb 19 07:13:03.616: RADIUS: NAS-IP-Address [4] 6
*Feb 19 07:13:03.616: RADIUS: 00 00 20 00 [ ]
*Feb 19 07:13:03.616: RADIUS(00000959): Received from id 1645/19
*Feb 19 07:13:03.644: RADIUS/ENCODE(00000959):Orig. component type = PPPoE
*Feb 19 07:13:03.644: RADIUS(00000959): Config NAS IP: 0.0.0.0
*Feb 19 07:13:03.644: RADIUS(00000959): Config NAS IPv6: ::
*Feb 19 07:13:03.644: RADIUS(00000959): sending
*Feb 19 07:13:03.644: RADIUS/ENCODE: Best Local IP-Address x.x.x.x for Radius-Server x.x.x.x
*Feb 19 07:13:03.644: RADIUS(00000959): Sending a IPv4 Radius Packet
*Feb 19 07:13:03.644: RADIUS(00000959): Send Accounting-Request to x.x.x.x:1813 id 1646/88,len 102
*Feb 19 07:13:03.644: RADIUS: authenticator 8D DD 92 D0 F9 28 94 EB - 49 F9 D4 32 86 05 DF 34
*Feb 19 07:13:03.644: RADIUS: Acct-Session-Id [44] 10 "00000026"
*Feb 19 07:13:03.644: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Feb 19 07:13:03.644: RADIUS: Framed-IP-Address [8] 6 41.57.66.13
*Feb 19 07:13:03.644: RADIUS: User-Name [1] 9 "test555"
*Feb 19 07:13:03.644: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
*Feb 19 07:13:03.644: RADIUS: Acct-Status-Type [40] 6 Start [1]
*Feb 19 07:13:03.644: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Feb 19 07:13:03.644: RADIUS: NAS-Port [5] 6 0
*Feb 19 07:13:03.644: RADIUS: NAS-Port-Id [87] 9 "0/0/2/0"
*Feb 19 07:13:03.644: RADIUS: Service-Type [6] 6 Framed [2]
*Feb 19 07:13:03.644: RADIUS: NAS-IP-Address [4] 6 x.x.x.x
*Feb 19 07:13:03.644: RADIUS: Acct-Delay-Time [41] 6 0
*Feb 19 07:13:03.644: RADIUS(00000959): Started 5 sec timeout
*Feb 19 07:13:03.648: RADIUS: Received from id 1646/88 x.x.x.x:1813, Accounting-response, len 20
*Feb 19 07:13:03.648: RADIUS: authenticator 57 BA 73 A1 B5 7D A9 8F - 0D 68 51 2F 64 A1 75 C7

############################################################################################################

Debug for periodic update messages between Radius server and Cisco Router

*Feb 19 07:15:10.876: RADIUS/ENCODE(00000959):Orig. component type = PPPoE
*Feb 19 07:15:10.876: RADIUS(00000959): Config NAS IP: 0.0.0.0
*Feb 19 07:15:10.876: RADIUS(00000959): Config NAS IPv6: ::
*Feb 19 07:15:10.876: RADIUS(00000959): sending
*Feb 19 07:15:10.876: RADIUS/ENCODE: Best Local IP-Address x.x.x.x for Radius-Server x.x.x.x
*Feb 19 07:15:10.876: RADIUS(00000959): Sending a IPv4 Radius Packet
*Feb 19 07:15:10.876: RADIUS(00000959): Send Accounting-Request to x.x.x.x:1813 id 1646/89,len 132
*Feb 19 07:15:10.876: RADIUS: authenticator 34 6D 17 ED 32 7D 6C 13 - 57 92 AF 05 88 BC 22 A2
*Feb 19 07:15:10.876: RADIUS: Acct-Session-Id [44] 10 "00000026"
*Feb 19 07:15:10.876: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Feb 19 07:15:10.876: RADIUS: Framed-IP-Address [8] 6 41.57.66.13
*Feb 19 07:15:10.876: RADIUS: User-Name [1] 9 "test555"
*Feb 19 07:15:10.876: RADIUS: Acct-Session-Time [46] 6 127
*Feb 19 07:15:10.876: RADIUS: Acct-Input-Octets [42] 6 3534834
*Feb 19 07:15:10.876: RADIUS: Acct-Output-Octets [43] 6 112034765
*Feb 19 07:15:10.876: RADIUS: Acct-Input-Packets [47] 6 45109
*Feb 19 07:15:10.876: RADIUS: Acct-Output-Packets [48] 6 82415
*Feb 19 07:15:10.876: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
*Feb 19 07:15:10.876: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
*Feb 19 07:15:10.876: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Feb 19 07:15:10.876: RADIUS: NAS-Port [5] 6 0
*Feb 19 07:15:10.876: RADIUS: NAS-Port-Id [87] 9 "0/0/2/0"
*Feb 19 07:15:10.876: RADIUS: Service-Type [6] 6 Framed [2]
*Feb 19 07:15:10.876: RADIUS: NAS-IP-Address [4] 6 x.x.x.x
*Feb 19 07:15:10.876: RADIUS: Acct-Delay-Time [41] 6 0
*Feb 19 07:15:10.876: RADIUS(00000959): Started 5 sec timeout
*Feb 19 07:15:10.880: RADIUS: Received from id 1646/89 x.x.x.x:1813, Accounting-response, len 20
*Feb 19 07:15:10.880: RADIUS: authenticator B6 09 97 06 4E 47 14 C8 - 54 0E 48 FC EE 7D A9 22

##########################################################################################################

Bebug for user disconnecting( This is user initiating the disconnect rather than the server initiating the disconnect.)

*Feb 19 07:16:38.444: RADIUS/ENCODE(00000959):Orig. component type = PPPoE
*Feb 19 07:16:38.444: RADIUS(00000959): Config NAS IP: 0.0.0.0
*Feb 19 07:16:38.444: RADIUS(00000959): Config NAS IPv6: ::
*Feb 19 07:16:38.444: RADIUS(00000959): sending
*Feb 19 07:16:38.448: RADIUS/ENCODE: Best Local IP-Address x.x.x.x for Radius-Server x.x.x.x
*Feb 19 07:16:38.448: RADIUS(00000959): Sending a IPv4 Radius Packet
*Feb 19 07:16:38.448: RADIUS(00000959): Send Accounting-Request to x.x.x.x:1813 id 1646/90,len 138
*Feb 19 07:16:38.448: RADIUS: authenticator A5 B5 D8 60 8F B7 8D 29 - 1E 1F 73 B3 20 49 59 C5
*Feb 19 07:16:38.448: RADIUS: Acct-Session-Id [44] 10 "00000026"
*Feb 19 07:16:38.448: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Feb 19 07:16:38.448: RADIUS: Framed-IP-Address [8] 6 41.57.66.13
*Feb 19 07:16:38.448: RADIUS: User-Name [1] 9 "test555"
*Feb 19 07:16:38.448: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
*Feb 19 07:16:38.448: RADIUS: Acct-Session-Time [46] 6 215
*Feb 19 07:16:38.448: RADIUS: Acct-Input-Octets [42] 6 5377397
*Feb 19 07:16:38.448: RADIUS: Acct-Output-Octets [43] 6 172771892
*Feb 19 07:16:38.448: RADIUS: Acct-Input-Packets [47] 6 69622
*Feb 19 07:16:38.448: RADIUS: Acct-Output-Packets [48] 6 126750
*Feb 19 07:16:38.448: RADIUS: Acct-Terminate-Cause[49] 6 user-request [1]
*Feb 19 07:16:38.448: RADIUS: Acct-Status-Type [40] 6 Stop [2]
*Feb 19 07:16:38.448: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Feb 19 07:16:38.448: RADIUS: NAS-Port [5] 6 0
*Feb 19 07:16:38.448: RADIUS: NAS-Port-Id [87] 9 "0/0/2/0"
*Feb 19 07:16:38.448: RADIUS: Service-Type [6] 6 Framed [2]
*Feb 19 07:16:38.448: RADIUS: NAS-IP-Address [4] 6 x.x.x.x
*Feb 19 07:16:38.448: RADIUS: Acct-Delay-Time [41] 6 0
*Feb 19 07:16:38.448: RADIUS(00000959): Started 5 sec timeout
*Feb 19 07:16:38.448: RADIUS: Received from id 1646/90 x.x.x.x:1813, Accounting-response, len 20
*Feb 19 07:16:38.448: RADIUS: authenticator 6F 49 F9 AA ED 3D 4B 22 - E0 85 57 B4 B3 A0 50 5B
*Feb 19 07:16:38.484: RADIUS: Removing all radius source-int. pointing to Virtual-Access1.1

#############################################################################################################

debug when user tried to connect, but is told you have reached your data limit.

Feb 19 07:16:46.492: RADIUS/ENCODE(0000095A):Orig. component type = PPPoE
*Feb 19 07:16:46.492: RADIUS: AAA Unsupported Attr: interface [221] 7 997128140
*Feb 19 07:16:46.492: RADIUS: AAA Unsupported Attr: client-mac-address[44] 14 997128192
*Feb 19 07:16:46.492: RADIUS(0000095A): Config NAS IP: 0.0.0.0
*Feb 19 07:16:46.492: RADIUS(0000095A): Config NAS IPv6: ::
*Feb 19 07:16:46.492: RADIUS/ENCODE(0000095A): acct_session_id: 40
*Feb 19 07:16:46.492: RADIUS(0000095A): sending
*Feb 19 07:16:46.492: RADIUS/ENCODE: Best Local IP-Address x.x.x.x for Radius-Server x.x.x.x
*Feb 19 07:16:46.492: RADIUS(0000095A): Sending a IPv4 Radius Packet
*Feb 19 07:16:46.492: RADIUS(0000095A): Send Access-Request to x.x.x.x:1812 id 1645/20,len 87
*Feb 19 07:16:46.492: RADIUS: authenticator 4F 4B 0B E3 92 8F 21 AF - 1F 1E 5F 7F A0 9F 36 65
*Feb 19 07:16:46.492: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Feb 19 07:16:46.492: RADIUS: User-Name [1] 9 "test555"
*Feb 19 07:16:46.492: RADIUS: CHAP-Password [3] 19 *
*Feb 19 07:16:46.492: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Feb 19 07:16:46.492: RADIUS: NAS-Port [5] 6 0
*Feb 19 07:16:46.492: RADIUS: NAS-Port-Id [87] 9 "0/0/2/0"
*Feb 19 07:16:46.492: RADIUS: Service-Type [6] 6 Framed [2]
*Feb 19 07:16:46.492: RADIUS: NAS-IP-Address [4] 6 x.x.x.x
*Feb 19 07:16:46.492: RADIUS(0000095A): Started 5 sec timeout
*Feb 19 07:16:47.492: RADIUS: Received from id 1645/20 x.x.x.x:1812, Access-Reject, len 59
*Feb 19 07:16:47.492: RADIUS: authenticator 8B 34 AB 2F 5D 13 19 70 - 0F 46 DC 37 26 CE 28 F4
*Feb 19 07:16:47.492: RADIUS: Reply-Message [18] 39
*Feb 19 07:16:47.492: RADIUS: 59 6F 75 20 68 61 76 65 20 72 65 61 63 68 65 64 [You have reached]
*Feb 19 07:16:47.492: RADIUS: 20 79 6F 75 72 20 62 61 6E 64 77 69 64 74 68 20 [ your bandwidth ]
*Feb 19 07:16:47.492: RADIUS: 6C 69 6D 69 74 [ limit]
*Feb 19 07:16:47.492: RADIUS(0000095A): Received from id 1645/20
*Feb 19 07:16:47.492: RADIUS/DECODE: Reply-Message fragments, 37, total 37 bytes
*Feb 19 07:16:47.496: RADIUS/ENCODE(0000095A):Orig. component type = PPPoE
*Feb 19 07:16:47.496: RADIUS(0000095A): Config NAS IP: 0.0.0.0
*Feb 19 07:16:47.496: RADIUS(0000095A): Config NAS IPv6: ::
*Feb 19 07:16:47.496: RADIUS(0000095A): sending
*Feb 19 07:16:47.496: RADIUS/ENCODE: Best Local IP-Address x.x.x.x for Radius-Server x.x.x.x
*Feb 19 07:16:47.496: RADIUS(0000095A): Sending a IPv4 Radius Packet
*Feb 19 07:16:47.496: RADIUS(0000095A): Send Accounting-Request to x.x.x.x:1813 id 1646/91,len 126
*Feb 19 07:16:47.496: RADIUS: authenticator 54 D8 06 42 3C 17 38 BE - BE 0F 04 F4 03 79 BD D8
*Feb 19 07:16:47.496: RADIUS: Acct-Session-Id [44] 10 "00000028"
*Feb 19 07:16:47.496: RADIUS: User-Name [1] 9 "test555"
*Feb 19 07:16:47.496: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
*Feb 19 07:16:47.496: RADIUS: Acct-Session-Time [46] 6 0
*Feb 19 07:16:47.496: RADIUS: Acct-Input-Octets [42] 6 0
*Feb 19 07:16:47.496: RADIUS: Acct-Output-Octets [43] 6 0
*Feb 19 07:16:47.496: RADIUS: Acct-Input-Packets [47] 6 0
*Feb 19 07:16:47.496: RADIUS: Acct-Output-Packets [48] 6 0
*Feb 19 07:16:47.496: RADIUS: Acct-Terminate-Cause[49] 6 user-error [17]
*Feb 19 07:16:47.496: RADIUS: Acct-Status-Type [40] 6 Stop [2]
*Feb 19 07:16:47.496: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Feb 19 07:16:47.496: RADIUS: NAS-Port [5] 6 0
*Feb 19 07:16:47.496: RADIUS: NAS-Port-Id [87] 9 "0/0/2/0"
*Feb 19 07:16:47.496: RADIUS: Service-Type [6] 6 Framed [2]
*Feb 19 07:16:47.496: RADIUS: NAS-IP-Address [4] 6 x.x.x.x
*Feb 19 07:16:47.496: RADIUS: Acct-Delay-Time [41] 6 0
*Feb 19 07:16:47.496: RADIUS(0000095A): Started 5 sec timeout
*Feb 19 07:16:47.496: RADIUS: Received from id 1646/91 x.x.x.x:1813, Accounting-response, len 20
*Feb 19 07:16:47.496: RADIUS: authenticator E5 F5 44 F4 8E E2 85 40 - 3C 42 B2 CC B7 DD 84 CE

##############################################################################################################