cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
19409
Views
5
Helpful
117
Comments
xthuijs
Cisco Employee
Cisco Employee

 

Introduction

This document provides an overview of Vendor Specific attributes that can be used in the ASR9000 BNG solution. They can either be used as part of the Access Accept Radius message or COA requests to change the behavior of the session.

Vendor Specific Attributes

 

1. RADIUS Attributes for pQoS

 

ASR9000_BNG_Attributes.jpg

sub: indicates AVPair targets MQC policy on a subscriber session
<class-list>: identifies class to be added/removed or modified in the MQC policy
Multiple classes may be specified to modify classification in a nested (child) MQC policy
<qos-action-list>: policy actions to be added/overwritten in targeted class in MQC policy (see table below)
 
Supported QoS features:
•Shaping rate and percentage
•Policing rate and percentage
•Marking (CoS, DSCP, IP Prec)
•Queueing (minBW, BW remaining, priority, WRED, queue-limit)

 

 

QOS FeatureAction format in Radius attribute
Shaping

shape(<rate-in-kbps>)

shape-rpct(<rate-in-pct>)

Policing

police-rpct(<conform-rate-in-pct>,<conform-burst-in-us>,<exceed-rate-in-pct>,<exceed-burst-in-us>,    <conform-action>,<exceed-action>,    <violate-action>)

police(<conform-rate-in-kbps>,<conform-burst-in-kBytes>,<exceed-rate-in-kbps>,<exceed-burst-in-kbytes>,   <conform-action>,<exceed-action>,   <violate-action>)

Marking

set-cos(<cos-val>)

set-ip-dscp(<dscp-val>)

set-ip-prec(<precedence>)

Queuing

pri-level(<priority-level>)

bw-rpct(<pct>)

bw-rratio(<ratio>)

bw-abs(<bw-in-kbps>)

bw-pct(<bw-in-pct>)

queue-limit(<qlimit-in-packets>)

queue-limit-us(<qlimit-in-us>)

random-detect-dscp(<dscp>)

random-detect-prec(<precedence>)

 

 

Example

AVPair:“ip:qos-policy-out=add-class(sub,(class-default, VIDEO_CM), set-ip-dscp(af41), bw-abs(256))

 

 

2. VSA's for Account operations (services and logon/off)

 

 

PrimitiveRadius AVP
Account Logon

authentication cpe12 CoA cisco123

attribute 44 “<string>”                               <<< Accounting Session ID

vsa cisco generic 1 string "subscriber:command=account-logon"

Account Logoff

attribute 44 “<string>”                               <<< Accounting Session ID

vsa cisco generic 1 string "subscriber:command=account-logoff"

Account update

(used to change a profile)

attribute 44 “<string>”                               <<< Accounting Session ID

vsa cisco generic 1 string "subscriber:command=account-update”

<radius attributes to set/update>

Service Activate

attribute 44 “<string>”                               <<< Accounting Session ID

vsa cisco generic 1 string "subscriber:sa=<service-name>”

Service De-Activate

attribute 44 “<string>”                               <<< Accounting Session ID

vsa cisco generic 1 string "subscriber:sd=<service-name>”

 

 

All these operations from the first column, report an event to the control policy.

 

RP/0/RSP0/CPU0:A9K-BNG(config-pmap)#event ?

  account-logoff              Account logoff event

  account-logon               Account logon event

  authentication-failure      Authentication failure event

  authentication-no-response  Authentication no response event

  authorization-failure       Authorization failure event

  authorization-no-response   Authorization no response event

  exception                   Exception event

  service-start               Service start event

  service-stop                Service stop event

  session-activate            Session activate event

  session-start               Session start event

  session-stop                Session stop event

  timer-expiry                Timer expiry event

 

Note

Accounting session ID is the preferred session identifier. You can also use the framed-ip-address to key on the subscriber and the vrf (if applicable)

(IPv4 only):

 

Attribute 8: Framed-IP-Address

 

and starting 4.2.1:

 

Attribute 8: Framed-IP-Address + AVPair: ip:vrf-id=<vrf name>

 

Template comparison to radius attribute

 

 

 

Operation

Dynamic Template cmd

RADIUS Attribute

 

Service Activation

Service Activation

N/A

26

9,1

subscriber:sa=<service-name>

 

Network Forwarding

IP addess source intf

ipv4 unnumbered <interface>

26

9,1

ipv4:ipv4-unnumbered=<interface>

PPP framed address

N/A

8

 

framed-ip-address=<IPv4   address>

PPP Address Pool

ppp ipcp peer-address pool <addr pool >

26

9,1

ipv4:addr-pool=<addr pool name>

PPP framed pool

N/A

88

 

framed-pool=<addr pool name>

PPP framed route

N/A

22

 

framed-route=<subnet><mask>

VRF

vrf <vrf name>

26

9,1

subscriber:vrf-id=<vrf name>

V4 DNS

ppp ipcp dns <pprimary dns ip> <secondary dns ip>

26

9.1

ip:primary-dns=<primary dns ip>

Ip:secondary-dns=<secondary dns ip>

DHCP classname

N/A

26

9,1

subscriber:classname=<dhcp-class-name>

 

 

Traffic Accounting

Accounting

accounting aaa list <method list> type session

26

9,1

subscriber:accounting-list=<method list>

Interim Interval

accounting aaa list <method list> type session periodic-interval <minutes>

85

 

Acct-Interim-Interval   <minutes>

Dual Stack Accnt Start Delay

accounting aaa list <method list> type session dual-stack-delay <secs>

  

subscriber:dual-stack-delay=<sec>

 

Session Administration

keepalives

keepalive <sec>

26

9,1

subscriber:keepalive=interval<sec>

NOT SUPPORTED/Implemented

Absolute Timeout

ppp timeout absolute <sec>

27

n/a

session-timeout=<sec>

Idle Timeout

timeout idle <sec>

28

n/a

idle-timeout=<sec>

 

 

Traffic conditioning

HQoS(with SPI)

service-policy input <in_mqc_name> shared-policy-instance <spi-name>

service-policy output <out_mqc_name> shared-policy-instance <spi-name>

26

9,1

subscriber:sub-qos-policy-in=<in_mqc_name> [shared-policy-instance   <spi-name> ]

subscriber:sub-qos-policy-out=<out_mqc_name> [shared-policy-instance   <spi-name>]

pQoS

N/A

26

9,1

subscriber:qos-policy-in=add-class(target policy (class-list) qos-actions-list)

subscriber:qos-policy-in=remove-class(target policy (class-list))

subscriber:qos-policy-out=add-class(target policy (class-list) qos-actions-list)

subscriber:qos-policy-out=remove-class(target policy  (class-list))

Subscriber ACLs/ABF

ipv4 access-group <in_acl_name> in

Ipv4 access-group <out_acl_name> out

ipv6 access-group <in_v6acl_name> in

ipv6 access-group <out_v6acl_name> out

26

9,1

ipv4:inacl=<in_acl_name>

ipv4:outacl=<out_acl_name>

ipv6:ipv6_inacl=<in_v6acl_name>

ipv6:ipv6_outacl=<out_v6acl_name>

HTTP-R

service-policy type pbr <HTTR policy   name>

26

9,1

subscriber:sub-pbr-policy-in=<HTTR policy name>

 

 

IPv6 Attributes

 

Attribute

Defined By

Received In

IPv6 Client

Address Assignment

Dynamic Template   equivalent config

Framed-Interface-Id (96)

RFC3162

Access-Accept

PPPoE

Any

ppp ipv6cp peer-interface-id <64bit #>

Framed-IPv6-Prefix (97)

RFC3162

Access-Accept

PPPoE

SLAAC

N.A.

Framed-IPv6-Route (99)

RFC3162

Access-Accept CoA

Any

Any

N.A.

Framed-IPv6-Pool (100)

RFC3162

Access-Accept

PPPoE

SLAAC

ipv6 nd   framed-prefix-pool <name>

Framed-ipv6-Address   (*)

draft-ietf-radext-ipv6-access-06

Access-Accept

PPPoE, IPoE

DHCP6 (Local   Server)

N.A.

Stateful-IPv6-Address-Pool(*)

draft-ietf-radext-ipv6-access-06

Access-Accept

PPPoE, IPoE

DHCP6 (Local   Server)

dhcpv6   address-pool <name>

Delegated-IPv6-Prefix-Pool   (*)

draft-ietf-radext-ipv6-access-06

Access-Accept

PPPoE, IPoE

DHCP6 (Local   Server)

dhcpv6   delegated-prefix-pool <name>

DNS-Server-IPv6-Address   (*)

draft-ietf-radext-ipv6-access-06

Access-Accept

PPPoE, IPoE

DHCP6 (Local   Server)

To be   configured in DHCPv6 server profile

Delegated-IPv6-Prefix

RFC4818

Access-Accept

PPPoE, IPoE

DHCP6 (Local   Server)

N.A.

 

NOTE

IETF has not yet allocated numeric values for newly defined attributes in

draft-ietf-radext-ipv6-access-*

Following Cisco VSAs have been temporarily defined to close such gap

Framed-ipv6-Address

“ipv6:addrv6=<ipv6 address>”

Stateful-IPv6-Address-Pool

“ipv6:stateful-ipv6-address-pool=<name>”

Delegated-IPv6-Prefix-Pool

“ipv6:delegated-ipv6-pool=<name>”

DNS-Server-IPv6-Address

“ipv6:ipv6-dns-servers-addr=<ipv6   address>”

 

Radius Accounting bytes and packets

 

the following accounting attributes pertaining to packet accounting for the ASR9000 solution, also specific to IPv6

 

Attribute

Defined By

Description

Acct-Input-Octets     (42)

RFC2866

Session input total   byte count

Acct-Input-Packets    (47)

RFC2866

Session input total   packet count

Acct-Output-Octets    (43) 

RFC2866

Session output   total byte count

Acct-Output-Packets (48)

RFC2866

Session output   total packet count

Cisco VSA   (26,9,1): acct-input-octets-ipv4

Cisco

Session input IPv4   byte count

Cisco VSA   (26,9,1): acct-input-packets-ipv4

Cisco

Session input IPv4   packet count

Cisco VSA   (26,9,1): acct-output-octets-ipv4

Cisco

Session output IPv4   byte count

Cisco VSA   (26,9,1): acct-output-packets-ipv4

Cisco

Session output IPv4   packet count

Cisco VSA   (26,9,1): acct-input-octets-ipv6

Cisco

Session input IPv6   byte count

Cisco VSA   (26,9,1): acct-input-packets-ipv6

Cisco

Session input IPv6   packet count

Cisco VSA   (26,9,1): acct-output-octets-ipv6

Cisco

Session output IPv6   byte count

Cisco VSA   (26,9,1): acct-output-packets-ipv6

Cisco

Session output IPv6   packet count

Cisco VSA   (26,9,1): connect-progress

Cisco

Indicates   Session set up connection progress

3.

 


Dynamic Route insertion

 

RADIUS attribute example  for different type of framed-route:

 

PPPoE V6 route

Framed-IPv6-Route = "45:1:1:1:2:3:4:5/128 :: 4 tag 5”

 

PPPoE v4 route

Framed-Route = "45.1.6.0 255.255.255.0 0.0.0.0 6 tag 7”

 

IPoE v4 route

Framed-Route = "vrf vpn1 45.1.4.0/24 vrf vpn1 0.0.0.0 4 tag 5”

 

4. Route destribution (please don't!)

 

router bgp 100

address-family ipv4 unicast

  redistribute subscriber <route-policy>

 

Xander Thuijs CCIE#6775

Principal Engineer, ASR9000

Comments
xthuijs
Cisco Employee
Cisco Employee

hi dimitris, yeah it is sort of "native" to the ip session and control policy handling.

when you handle an event session-start for dhcp type sessions and if one of the actions is to do an aaa authorize.... in that event handler, before the dhcp discover is proxied FIRST an authorize/radius request is done. if there is no access accept, the discover is dropped.

if there is an accept, the return attributes such as fip, gateway, class etc are used when the dhcp discover is proxied and responded with an offer to the dhcp server.

cheers!

xander

Thanks a lot!

You were very helpful as always :)

puddingtech
Beginner
Beginner

posted wrong spot

puddingtech
Beginner
Beginner

xander, 

Question we're using IPoE DHCP-Triggered with a DHCP Proxy setup, but for some reason if a customer needs a static ip, we try to send a framed-ip-address in radius to bypass the dhcp proxy ip and give them a specific ip.... 

But they still just get the DHCP ip... i actually opened an SR 680576098  for it but the recommendation to drop the interface from the dhcp ipv4 config just resulted in no subscriber session activity at all.

Chris

xthuijs
Cisco Employee
Cisco Employee

ah chris, I think you missed to provide the subnetmask possibly. when providing the framed ip, dhcp sessions also want a subnetmask and possibly (duh ;) a default gateway also.

so you'd want to mimick a profile like this:

<MAC-ADDRESS>    Cleartext-Password :="cisco"
                                       Framed-IP-Address+=7.2.5.5,
                                       Framed-IP-netmask+=255.255.255.248,
                                       Session-timeout += 9000,
                                       Idle-timeout += 9000

and then add a ipv4:default-gateway=bla.bla.bla.bla

too.

cheers!

xander

puddingtech
Beginner
Beginner

LOL ya i know i have it exactly like that sorry i wasn't clearer i'm sending address and netmask and the avpair with the ipv4:ipv4-default-gateway, but still it gets the same ip from dhcp on a renew, even if i let the lease expire with pc off and turn it back on for a fully clean session, it gets the ip from dhcp 

xthuijs
Cisco Employee
Cisco Employee

oh ok, so on renew this goes wack, that is a bug obviously, as the proxy should have figured out what to do. this has been a bit of an iffy area pre XR 524. So the release in question matters here quite a bit.

If you are on 524 or 533, than possibly collect a show tech dhcp ipv4 and show tech subscriber and may be best to follow up with a tac case to see what needs to be addressed in order to mitigate this situation.

(am on paternity leave at the moment, so may not be able to provide continued support this week)

cheers!

xander

puddingtech
Beginner
Beginner

5.3.3 ya i have a tac case open with them, but apparently DHCP proxy can't do framed-ip-address override only the internal dhcp server can according to them. I don't recall seeing that anywere before :S

EDIT: yep apparently this appears to be the issue, when i switched from proxy to internet serer, tada right away it worked...

Why isn't it working with proxy that just seems like a pretty substantial oversight, is their any way to get it working the other way?

I think DHCP server mode is going to be an issue, because we wanted to use geo-redundancy, and according to the manual 5.3 doesn't support dhcp-server mode with geo redundancy for BNG.... so basically i either give up ability to static assign IP's or give up ability to have geo-redundancy support.

xthuijs
Cisco Employee
Cisco Employee

ah yeah forgot to mention you want to use a local dhcp server, so that the server piece can communicate with the client piece and leverage the addr from radius, especially at renew time.

alternatively, many dhcp servers that are external can do some static addr assignment based on vendor id or soemthing similar.

what you could do is download the vendor class from radius, that wil get inserted in the proxy request to the dhcp server so the dhcp server can use that vendor class for the addr assignment and you can do a static assignment based on that.

nice thing is, it is centralized, by dhcp server, only thing needed is vendor class assignment as opposed to framed ip assigmnet.

cheers

xander

puddingtech
Beginner
Beginner

well the issue is we want to be able to set a customer to a static ip if they want one otherwise get a standard basic ip from dhcp, internal DHCP server does that for us i've tested it and its working fine, but like i said that leaves us in a bind since according to docs geored wont work?

Using an external dhcp stops the framed-ip from working and that's how our oss works, and most external dhcp's don't like picking up fixed assignments from sql without hackery, so trying to avoid that, the idea is to stick to radius assignment for qos + ip + auth.

xthuijs
Cisco Employee
Cisco Employee

hi chris,

the static assignment while using a dhcp server requires some tricking right.

in fact, you dont even need a dhcp server for assigning a static address. if the server is external, it is hard to "ack/confirm" a particular lease as the lease is really constructed from the radius attributes.

One option could be that if you have a limited set of static subs, and you know their qiq combo's, you could make a local dhcp server profile for those subinterfaces that require that static assignment.

for instance, say your range is outer vlan 100, inner any.

then you define one access interface with ambigious dot1q 100 second any.

this amb sub interface points to an external dhcp via proxy in dhcp ipv4 config.

then, a (few) specific ones such as

encap dot1q 100 second 20

and assign that subinterface in the dhcp config to the local dhcp server for static assignment from radius.

cheers!

xander

Max Antonenko
Beginner
Beginner

Hi Xander,

Is it possible to remove previously applied ACL to the subscriber interface via CoA? For an example need to remove inacl from:

RP/0/RSP0/CPU0:BNG#show access-lists ipv4 interface Bundle-Ether100.100.ip71
Input ACL (common): N/A (interface): PERM_ALL
Output ACL: N/A

Request 

Cisco-AVPair="inacl="

not do anything.

xthuijs
Cisco Employee
Cisco Employee

hi max, ah yeah, no sorry that is not possible, the trick I used in that example is to replace a restrictive ACL with a permit ip any any ACL, so there is an ACL applied, but it just allows everything.

xander

wilsonribeiro
Beginner
Beginner

Hello,

I would like to apply a PBR for my customers which are in debt. So at the start of connection I would like to apply a service-policy type pbr to customer to be redirected to a web portal which it will provide a payment method.

So for testing purposes, I'm doing something like:

policy-map type pbr policyREDIRECIONAMENTO

class type traffic classREDIRECIONAMENTO

  http-redirect http://sac.portal.org

!

class type traffic class-default

!

end-policy-map

!

x.x.x.x are the network I would like him to be granted, everything else should be blocked.

 

ipv4 access-list aclREDIRECIONAMENTO

10 permit ipv4 x.x.x.x 0.255.255.255 any

!

class-map type traffic match-all classREDIRECIONAMENTO

match access-group ipv4 aclREDIRECIONAMENTO

end-class-map

!

I've applied 

  service-policy type pbr policyREDIRECIONAMENTO

to my dynamic template type ppp for testing purposes.

When I connect using these rules and I open a website, I got a 302 found. But it stops there.

I'm looking after I get this working to apply the service pbr for my customer from Radius using:

Cisco-AVPair = subscriber:sa=policyREDIRECIONAMENTO

Would it work fine?

smailmilak
Enthusiast
Enthusiast

Hi,

in my config I have also a ACL for open garden where I have allowed 80, 443, 53 and also icmp for testing purposes. Please note that dyn tempalte is type service. I have prepared it for our customer but I have not tested it yet. I have a very similar pmap for IPoE and it's working fine. In my pmap every sub that has not payed the bill which means that the account is disabled will be redirected to a website with a notification. 

You can also use CoA to push the service if you want.


ipv4 access-list OpenGarden_ACL
5 permit icmp any host 8.8.8.8
13 permit tcp any host XX eq www
14 permit tcp any host XX eq 443
15 permit udp any any eq domain

class-map type traffic match-any HTTPRDRT_CM
match access-group ipv4 HTTPRDRT_ACL
end-class-map

ipv4 access-list HTTPRDRT_ACL
3 permit tcp any any eq www syn
4 permit tcp any any eq www ack
5 permit tcp any any eq www
6 permit tcp any any eq 443

class-map type traffic match-any OpenGarden_CM
match access-group ipv4 OpenGarden_ACL
end-class-map


policy-map type pbr OpenGarden_Redirect
class type traffic OpenGarden_CM
transmit
!
class type traffic HTTPRDRT_CM
http-redirect http://www.xy.com
!
class type traffic class-default
drop
!
end-policy-map

dynamic-template
type service OpenGarden_Redirect_TPL
service-policy type pbr OpenGarden_Redirect

////////////////////////////////////////////////////////////////

policy-map type control subscriber BNG_HSI_REDIRECT
event session-start match-all
class type control subscriber MATCH_PPP_HSI do-until-failure
1 activate dynamic-template BNG_HSI_TEMPLATE
!
!
event session-activate match-all
class type control subscriber MATCH_PPP_HSI do-until-failure
1 authenticate aaa list default
!
!
event authentication-failure match-all 
class type control subscriber MATCH_PPP_HSI do-until-failure
5 activate dynamic-template OpenGarden_Redirect_TPL
10 set-timer UNAUTH_TMR 20
!
!
event timer-expiry match-first
class type control subscriber UNAUTH_TMR_CM do-until-failure
10 disconnect
!
!
end-policy-map
!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Quick Links