ASR9K BNG radius and COA deployment guide


This is a 200-page document; only the table of contents is listed here. Download the attachment for the full content in detail.

Executive summary 5
Acknowledgement 6
Chapter 1, ASR9K’s RADIUS overview 7
BNG relationship with RADIUS SERVER 7
BNG RADIUS configuration task 10
RADIUS attributes 11
ASR9K BNG supported RADIUS attributes 11
Cisco AVPair overview 11
key explanations for Cisco AVPair for ASR9K BNG 14
Chapter 2, how RADIUS/CoA attribute work on a session 17
AAA attribute and RADIUS attribute 18
show downloaded RADIUS attribute 19
debug command to display radius attributes 21
debug command to display internal AAA attributes 22
SADB - Subscriber Attribute Database 27
SUBDB - Subscriber Database and session config handling 28
session config from multiple sources including radius server 28
Example of multi-source session config 30
Chapter 3, Authentication and Authorization 36
Terminology and fact 36
Authentication 36
PPPoE PTA session 37
Web-logon for both PPPoE and IPoE session 37
Authorization 37
Transparent Auto-logon 37
LAC authorization using domain name 37
Service authorization 40
Authenticated and authorised state 42
Chapter 4, Attributes in Access-Request - report session information 45
Manipulation of attributes - the principle 45
IPoE session access-request 45
PPPoE session access-request 48
Customising the attribute in access-request 51
NAS-Port-Type 51
AAA Attribute Format 54
Username 56
NAS-Port-ID 61
Called-Station-Id and Calling-Station-Id 62
NAS-Port 65
Cisco-AVPair remote-id-tag, circuit-id-tag and dhcpv6-interface-id 66
DHCPv4 session 66
DHCPv6 session 66
PPPoE session 67
Chapter 5, Attributes in Access-Accept - configure a session 68
convention 68
attributes usage in detail 69
No. 1 v4 unnumbered 69
No. 2 V4 pool for PPP 69
No. 3 V4 address for PPPoE PTA session 70
No. 4 V4 netmask for PPPoE PTA session 71
No. 5 V4 DNS server for PPP PTA 72
No. 6 IPv4 MTU for PPPoE PTA session 73
No. 8 v4 pool for DHCP 82
No. 9 - V4 address for DHCP session 84
No. 10 - V4 netmask for DHCP session 87
No. 12 - IPv4 MTU for DHCP triggered session 97
No. 13 - vrf-id 98
No. 14 - V4 ACL 99
No. 15 - QoS policy-map 100
No. 16 - Parameter QoS (P-QoS) 101
No. 17 - session accounting list 105
No. 18 - session accounting interim interval 106
No. 19 - session accounting dual stack delay 107
No. 20 - service accounting list 108
No. 21 - Session-Timeout 109
No. 22 - idle Timeout threshold and direction 110
No. 23 - lawful intercept 111
No. 24 - v4 uRPF 112
No. 25 - ipv4-ICMP-unreachable 115
No. 26 - double dip 117
No. 27 - enable HTTP redirect 118
No. 28 - DHCPv4 session limit 119
No. 29 - DHCPv4 class 120
No. 30 - class (IETF attribute 25) 125
No. 31 - echo-string (Cisco AVpair) 127
No. 32 - v6 enable 128
No. 33 - V6 prefix for PPPoE PTA session using SLAAC 130
No. 34 - V6 framed-interface-id for PPPoE PTA session using SLAAC 135
No. 35 - V6 framed-ipv6-pool for PPPoE PTA session using SLAAC 138
No. 37 - Framed-ipv6-address for DHCPv6 for both PPPoE and IPoE 142
No. 38 - Stateful-IPv6-Address-Pool for DHCPv6 for both PPPoE and IPoE 144
No. 39 - Delegated-IPv6-prefix-Pool for DHCPv6 for both PPPoE and IPoE 146
No. 40 - V6 DNS server for DHCPv6 for both PPPoE and IPoE 148
No. 41 - DHCPv6 class 149
No. 42 - v6 ACL 150
No. 43 - ipv6-unreachable 151
No. 44 - IPv6 uRPF 152
No. 45 - service-activate 155
No. 46 - service-deactivate 160
No. 47 - L2TP LAC/VPDN related attributes 161
Chapter 6, CoA and PoD 169
CoA/PoD overview 169
restrictions of the ASR9K CoA/PoD implementation 170
key components in a CoA message 170
Session key (mandatory) 170
CoA command (mandatory with some exceptions) 171
RADIUS attributes (optional) 172
session-BNG address mapping 173
PoD (DM) and different session keys 173
Example of a failed PoD 173
Example of PoD using acct-session-id as session key 176
Example of PoD using framed-ip-address as session key 179
Example of PoD using framed-ip-address plus AVPair vrf-id as session key 182
Example of PoD using username as session key 185
Account-logoff 189
Example of basic CoA account-logoff 189
Example of CoA account-logoff with explicit actions in control policy 194
Account-logon 196
Example of TAL + CoA account-logon 197
Account-update 209
Example of CoA account-update for interface session 210
Service-Activate 223
Example of Service-Activate failed to override the existing user-profile 224
Example of a successful Service-Activate 227
Service-Deactivate 231
Example of a successful Service-Deactivate 231

Comments
Beginner

Hi @xthuijs & @Zhichun Jiang

I was just working on this and we are facing an issue with PPPoE accounting: we are unable to enable it from the device directly, only through a RADIUS attribute.

Also, when enabled, it doesn't send the attribute "framed-ip-address" in the accounting "Start"; it is only available in "Interim-Update" or "Stop". Can we do anything to solve this and include it in Start accounting?

Also, about part 2 of this doc, which focuses on accounting: is it available somewhere we can access it?

Cisco Employee
hi there!
you need to configure aaa accounting delay-start for that.
this is because the accounting start record is sent while IPCP is not completed, hence we don't know the FIP yet.
xander
Beginner

Hello Xander,

We are testing an AAA solution to communicate with our BNG ASR9k version 6.2.3, and it sends the following RFC 6911 attributes for a dual-stack user, and the NAS does not understand them:

DNS-Server-IPv6-Address (169)

Delegated-IPv6-Prefix-Pool (171)

In the debug radius output, on the Access-Accept from RADIUS the debug says:

RADIUS: AAA Unsupported Attr: negotiated-route [169] 18

RADIUS: AAA Unsupported Attr: route [171] 18

I have the following configuration in the dynamic template: dhcpv6 delegated-prefix-pool <name>

and in the dhcp ipv6 process. The user gets the IPv6 from the delegated pool, but in the show subs session filter username <usern> detail internal the attribute list is not filled with the above attributes.

Based on the PDF the above are supported, but I cannot verify it. The relevant Cisco AV-pairs are working.
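The two debug lines above report each attribute's on-the-wire length, which is worth reading closely: a RADIUS attribute is Type (1 byte), Length (1 byte, covering the header) and Value, so "[169] 18" is exactly a 16-byte IPv6 address, consistent with RFC 6911's DNS-Server-IPv6-Address, and "[171] 18" is a 16-character pool name. The same Type/Length/Value framing carries the Cisco-AVPair strings that Chapter 5 of the guide relies on, wrapped in Vendor-Specific (26) with Cisco's vendor ID 9 and sub-type 1. The following Python codec is an added example, not code from the guide or from the posters: it encodes and decodes those attributes and reports the lengths a BNG debug would print. Attribute numbers and names come from RFC 2865, RFC 2866, RFC 3162 and RFC 6911; the sample values (the MAC-style username, addresses and pool name) are constructed for the example.

```python
"""Minimal RADIUS attribute codec: IETF attributes, the RFC 6911 IPv6
attributes (168-172) and the Cisco-AVPair vendor-specific attribute.
Added example; the sample session values below are constructed."""
import ipaddress
import struct

# Attribute dictionary used by this example: code -> (name, value type).
ATTRS = {
    1: ("User-Name", "string"),
    8: ("Framed-IP-Address", "ipv4"),
    25: ("Class", "octets"),
    26: ("Vendor-Specific", "vsa"),
    44: ("Acct-Session-Id", "string"),
    168: ("Framed-IPv6-Address", "ipv6"),
    169: ("DNS-Server-IPv6-Address", "ipv6"),
    171: ("Delegated-IPv6-Prefix-Pool", "string"),
    172: ("Stateful-IPv6-Address-Pool", "string"),
}
CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco
CISCO_AVPAIR_SUBTYPE = 1   # Cisco-AVPair vendor sub-attribute


def _pack_value(kind, value):
    """Serialise one attribute value according to its dictionary type."""
    if kind == "string":
        return value.encode("utf-8")
    if kind == "octets":
        return bytes(value)
    if kind == "ipv4":
        return ipaddress.IPv4Address(value).packed   # 4 bytes
    if kind == "ipv6":
        return ipaddress.IPv6Address(value).packed   # 16 bytes
    raise ValueError(f"cannot pack type {kind!r} directly")


def encode_attr(code, value):
    """Encode one IETF attribute as Type(1) Length(1) Value; Length includes the header."""
    _, kind = ATTRS[code]
    body = _pack_value(kind, value)
    if not 1 <= len(body) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return bytes([code, len(body) + 2]) + body


def encode_cisco_avpair(text):
    """Encode a Cisco-AVPair string (e.g. 'primary-dns=8.8.8.8') inside Vendor-Specific (26)."""
    payload = text.encode("utf-8")
    sub = bytes([CISCO_AVPAIR_SUBTYPE, len(payload) + 2]) + payload
    return bytes([26, 6 + len(sub)]) + struct.pack("!I", CISCO_VENDOR_ID) + sub


def _unpack_value(kind, raw):
    if kind == "string":
        return raw.decode("utf-8", errors="replace")
    if kind == "ipv4":
        return str(ipaddress.IPv4Address(raw))
    if kind == "ipv6":
        return str(ipaddress.IPv6Address(raw))
    return raw


def decode_attrs(blob):
    """Walk an attribute list and return (name, wire_length, value) tuples.

    wire_length is the Length field including the 2-byte header, i.e. the
    number a BNG prints in a debug line such as 'Unsupported Attr: ... [169] 18'.
    Malformed input (truncated header, length running past the buffer) raises.
    """
    out, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        code, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError(f"bad length {length} for attribute {code}")
        raw = blob[pos + 2:pos + length]
        name, kind = ATTRS.get(code, (f"Unknown-{code}", "octets"))
        if kind == "vsa":
            vendor = struct.unpack("!I", raw[:4])[0]
            sub_type, sub_len = raw[4], raw[5]
            sub_val = raw[6:4 + sub_len]
            if vendor == CISCO_VENDOR_ID and sub_type == CISCO_AVPAIR_SUBTYPE:
                out.append(("Cisco-AVPair", length, sub_val.decode("utf-8", errors="replace")))
            else:
                out.append((f"VSA-{vendor}-{sub_type}", length, sub_val))
        else:
            out.append((name, length, _unpack_value(kind, raw)))
        pos += length
    return out


def is_well_formed(blob):
    """True when every attribute in blob has a consistent Length field."""
    try:
        decode_attrs(blob)
        return True
    except ValueError:
        return False


def sample_access_accept_attrs():
    """Constructed attribute list for a dual-stack IPoE session (example data only)."""
    return b"".join([
        encode_attr(1, "0011.2233.4455"),          # MAC address used as User-Name
        encode_attr(8, "100.64.10.7"),             # Framed-IP-Address
        encode_attr(169, "2001:db8::53"),          # DNS-Server-IPv6-Address -> length 18
        encode_attr(171, "v6-pd-pool-00001"),      # 16-char pool name -> length 18
        encode_cisco_avpair("primary-dns=8.8.8.8"),
    ])


if __name__ == "__main__":
    for name, length, value in decode_attrs(sample_access_accept_attrs()):
        print(f"{name} [{length}] {value}")
```

Run it and each decoded line mirrors the BNG's "name [length] value" style; the 169 and 171 entries come out with length 18, matching the debug above. The decoder also rejects a Length field that overruns the buffer, which is the check any RADIUS parser on the server side needs before trusting the Value bytes.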

 

Hi, Zhichun and Xander:

I have a deployment where my customer wants me to use IPoE sessions so that they can account for them via AAA accounting. So, no authen/autho takes place. I have both working except for one little detail: it looks like the accounting records (when there's no authentication or authorization) do not send the username attribute. The customer wants us to send the MAC address as the username in the accounting.

This is something well documented when you actually authorize, but is this possible when you only do session accounting? If yes, can you please provide an example?

I'd really appreciate it.

Thank you!

c.

Hello Xander and Zhichun,

I've run into a problem regarding the DNS attribute via RADIUS in BNG IPoE sessions.

The problem is that when RADIUS assigns the attribute Cisco-AVPair += "primary-dns=8.8.8.8" to an IPoE session triggered by DHCP, it can be seen in the session's attribute list, but the BNG doesn't translate this attribute into the DHCP offer packet. According to the document above:

"radius attribute for v4 DNS for DHCP triggered IPoE session has not been supported yet as of 5.2.0, in other words, you can download the DNS attribute from radius server, but BNG will not translate it to DHCP options in the offer message to the client."

Yesterday I tested it on version 6.4.2, but it is still the same.

Do you have any information on whether it is planned to deploy this feature in later releases, or is there any other solution to assign a DNS server's IP address on a per-subscriber basis?

Thank you very much.

Beginner

Hi!

I'm testing RADIUS-based Lawful Intercept.

What IP address is used as the source for packets sent to the MD? Can I bind it to a specific loopback IP address?

Thanks!
