
ASR9K BNG radius and COA deployment guide


This is a 200-page document; only the table of contents is listed here. Download the attachment for the full content.

Executive summary 5
Acknowledgement 6
Chapter 1, ASR9K’s RADIUS overview 7
BNG relationship with RADIUS SERVER 7
BNG RADIUS configuration task 10
RADIUS attributes 11
ASR9K BNG supported RADIUS attributes 11
Cisco AVPair overview 11
key explanations for Cisco AVPair for ASR9K BNG 14
Chapter 2, how RADIUS/CoA attribute work on a session 17
AAA attribute and RADIUS attribute 18
show downloaded RADIUS attribute 19
debug command to display radius attributes 21
debug command to display internal AAA attributes 22
SADB - Subscriber Attribute Database 27
SUBDB - Subscriber Database and session config handling 28
session config from multiple sources including radius server 28
Example of multi-source session config 30
Chapter 3, Authentication and Authorization 36
Terminology and fact 36
Authentication 36
PPPoE PTA session 37
Web-logon for both PPPoE and IPoE session 37
Authorization 37
Transparent Auto-logon 37
LAC authorization using domain name 37
Service authorization 40
Authenticated and authorised state 42
Chapter 4, Attributes in Access-Request - report session information 45
Manipulation of attributes - the principle 45
IPoE session access-request 45
PPPoE session access-request 48
Customising the attribute in access-request 51
NAS-Port-Type 51
AAA Attribute Format 54
Username 56
NAS-Port-ID 61
Called-Station-Id and Calling-Station-Id 62
NAS-Port 65
Cisco-AVPair remote-id-tag, circuit-id-tag and dhcpv6-interface-id 66
DHCPv4 session 66
DHCPv6 session 66
PPPoE session 67
Chapter 5, Attributes in Access-Accept - configure a session. 68
convention 68
attributes usage in detail 69
No. 1 v4 unnumbered 69
No. 2 V4 pool for PPP 69
No. 3 V4 address for PPPoE PTA session 70
No. 4 V4 netmask for PPPoE PTA session 71
No. 5 V4 DNS server for PPP PTA 72
No. 6 IPv4 MTU for PPPoE PTA session 73
No. 8 v4 pool for DHCP 82
No. 9 - V4 address for DHCP session 84
No. 10 - V4 netmask for DHCP session 87
No. 12 - IPv4 MTU for DHCP triggered session 97
No. 13 - vrf-id 98
No. 14 - V4 ACL 99
No. 15 - QoS policy-map 100
No. 16 - Parameter QoS (P-QoS) 101
No. 17 - session accounting list 105
No. 18 - session accounting interim interval 106
No. 19 - session accounting dual stack delay 107
No. 20 - service accounting list 108
No. 21 - Session-Timeout 109
No. 22 - idle Timeout threshold and direction 110
No. 23 - lawful intercept 111
No. 24 - v4 uRPF 112
No. 25 - ipv4-ICMP-unreachable 115
No. 26 - double dip 117
No. 27 - enable HTTP redirect 118
No. 28 - DHCPv4 session limit 119
No. 29 - DHCPv4 class 120
No. 30 - class (IETF attribute 25) 125
No. 31 - echo-string (Cisco AVpair) 127
No. 32 - v6 enable 128
No. 33 - V6 prefix for PPPoE PTA session using SLAAC 130
No. 34 - V6 framed-interface-id for PPPoE PTA session using SLAAC 135
No. 35 - V6 framed-ipv6-pool for PPPoE PTA session using SLAAC 138
No. 37 - Framed-ipv6-address for DHCPv6 for both PPPoE and IPoE 142
No. 38 - Stateful-IPv6-Address-Pool for DHCPv6 for both PPPoE and IPoE 144
No. 39 - Delegated-IPv6-prefix-Pool for DHCPv6 for both PPPoE and IPoE 146
No. 40 - V6 DNS server for DHCPv6 for both PPPoE and IPoE 148
No. 41 - DHCPv6 class 149
No. 42 - v6 ACL 150
No. 43 - ipv6-unreachable 151
No. 44 - IPv6 uRPF 152
No. 45 - service-activate 155
No. 46 - service-deactivate 160
No. 47 - L2TP LAC/VPDN related attributes 161
Chapter 6, CoA and PoD 169
CoA/PoD overview 169
restriction of ASR9K CoA/PoD implementation 170
key component in a CoA message 170
Session key (mandatory) 170
CoA command (mandatory with some exceptions) 171
RADIUS attributes (optional) 172
session-BNG address mapping 173
PoD (DM) and different session key 173
Example of a failed PoD 173
Example of PoD using acct-session-id as session key 176
Example of PoD using framed-ip-address as session key 179
Example of PoD using framed-ip-address plus AVPair vrf-id as session key 182
Example of PoD using username as session key 185
Account-logoff 189
Example of basic CoA account-logoff 189
Example of CoA account-logoff with explicit actions in control policy 194
Account-logon 196
Example of TAL + CoA account-logon 197
Account-update 209
Example of CoA account-update for interface session 210
Service-Activate 223
Example of Service-Activate failed to override the existing user-profile 224
Example of a successful Service-Activate 227
Service-Deactivate 231
Example of a successful Service-Deactivate 231

Comments
Cisco Employee

Excellent guide.

Many thanks for such a great share.

Cisco Employee

Hi Expert,

Small Query, Please help me.

What if I send 2 CoAs? The 1st CoA sets the idle timeout to 120. After 90 sec I'm sending a 2nd CoA with idle timeout 60.

What should happen? What is the expected behavior?

Regards,

Annamalai 

Cisco Employee

In the going releases that we have, the 2 requests are processed individually and sequentially.

I can't verify right now because my lab is undergoing power maintenance but it depends on whether the idle time of the session is reset upon idle-timeout application.

If the timer is NOT reset, then on the next validation cycle the session will expire because 90>60.

If the timer IS reset, then after the NEXT 60 seconds the session will get disconnected.

If you do show subscr ses fil id <id> detail you can see the idle time of the session and whether the sw resets the timer on application (I didn't think it did that, nor do I see it in the code resetting it on timer change, but I may be overlooking something).

xander

Cisco Employee

Thanks Xander, 

It seems the timer is not getting reset. But my question is: if the admin changes the CoA from 120 to 60, then the user should be disconnected 60 sec after the CoA 60 configuration.

One more question: what would be the impact if we reset the timer?

Could I get the RFC or other document where I can verify this?

Regards,

Annamalai

Cisco Employee

If the session is already idle for >60 seconds and the idle timer is not reset after the reconfig, then the next time the idle time is evaluated (now 60) the session will get disconnected.

There is no RFC that defines this, i.e. whether the idle timer needs to be reset on reconfiguration of it.

If you'd like to check: PPP RFC 1661 or RADIUS RFC 2685.

xander
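As an added illustration of the two idle-timer semantics Xander describes in his replies above (this is not code from the guide or from Cisco), the Python model below replays the poster's scenario under both assumptions. The once-per-second evaluation cycle, the Event type and the scenario timings are assumptions made for the model; it also lets user traffic reset the idle counter so that other timelines can be tried.

```python
"""Model of how a BNG idle timer behaves when a CoA reconfigures Idle-Timeout.

Added illustration for the thread above (not code from the guide or from
Cisco): it replays the poster's scenario (CoA sets 120 s, a second CoA sets
60 s after 90 s of idleness) under both semantics described in the replies:
the idle counter is kept across the reconfiguration, or it is reset to zero.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    t: int          # seconds since the session came up (assumed timeline)
    kind: str       # "coa" (new Idle-Timeout value) or "traffic" (user packet)
    value: int = 0  # Idle-Timeout in seconds for "coa" events

def idle_disconnect_time(events, horizon, reset_on_coa):
    """Return the second at which the idle timer disconnects the session,
    or None if it survives until `horizon`.

    The session is evaluated once per second (the "validation cycle", an
    assumption of this model). `last_activity` is the timestamp the idle
    counter is measured from; user traffic always moves it, a CoA moves it
    only when reset_on_coa is True.
    """
    timeout = None
    last_activity = 0
    by_time = {}
    for ev in events:
        by_time.setdefault(ev.t, []).append(ev)
    for now in range(horizon + 1):
        for ev in by_time.get(now, []):
            if ev.kind == "coa":
                timeout = ev.value
                if reset_on_coa:
                    last_activity = now
            elif ev.kind == "traffic":
                last_activity = now
        idle = now - last_activity
        if timeout is not None and idle >= timeout:
            return now
    return None

# Constructed scenario from the thread: first CoA at t=0 with 120 s,
# second CoA at t=90 with 60 s, no user traffic in between.
SCENARIO = [Event(0, "coa", 120), Event(90, "coa", 60)]

def thread_scenario():
    return {
        "timer_kept": idle_disconnect_time(SCENARIO, 300, reset_on_coa=False),
        "timer_reset": idle_disconnect_time(SCENARIO, 300, reset_on_coa=True),
    }

if __name__ == "__main__":
    print(thread_scenario())  # {'timer_kept': 90, 'timer_reset': 150}
```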

Community Member

great stuff!

very useful!

Beginner

Dear Xander,

Can you please suggest if there are any limitations, restrictions or performance impact for the asr9001 xr5.3.3/5.3.4 running ~8k RSP-based subscribers with dhcp FSOL in case all session attributes are provisioned via Radius and no dynamic-templates are present in the config of the bng.

IP/GW/MASK/VRF/LOOPBACK/IDLE-TIMEOUT/Parameterized QoS/SPAN/Redirect etc.

Thanks in advance

Tom

Cisco Employee

hey tom! 

8k rp based sessions is very well below the max scale of the 9001, so from that standpoint not a problem. I never tested/saw a deployment/configuration without an activation of a dynamic template, so I'm inclined to recommend activating some template with minimal configuration (that can be overridden by whatever you want to pass from radius, of course!).

cheer!

xander

Beginner

Hi Xander,

Thanks for a quick answer. One more question regarding on-the-fly configuration change: are there any caveats/restrictions to adding a secondary ip address to the subscribers' unnumbered loopback for the count growth while a lot of users are active on the bng? And the second case, when we need to add some more lines to the already attached dynamic-template?

Tom

Cisco Employee

Changes can be made, but will result in some background work (to reconfigure the existing sessions) and some may drop as a result of it.

so the changes can be done, but recommend to do that in a "down time" and restarting all sessions (or down all sessions first, make changes) and bring everything back up.

xander

Beginner

So adding more secondary IP addresses also touches existing sessions already bound to loopback? Thanks. 

Beginner

Extremely useful document!

Thanks

Cisco Employee

thank you for the comment Sergey!! :)

xander

Beginner

I hope this thread is still somehow active..

What happens when remote ID is inserted on a node before the BNG, and a Q-in-Q tag rewrite is taking place? Can remote ID still refer to the S-TAG & C-TAG before any rewrite, POP, or any manipulation in general?

TIA

/Sam
