This document provides an overview of the Vendor-Specific Attributes (VSAs) that can be used in the ASR9000 BNG solution. They can be carried either in the RADIUS Access-Accept message or in CoA (Change of Authorization) requests to change the behavior of an existing session.
police-rpct(<conform-rate-in-pct>,<conform-burst-in-us>,<exceed-rate-in-pct>,<exceed-burst-in-us>, <conform-action>,<exceed-action>, <violate-action>)
police(<conform-rate-in-kbps>,<conform-burst-in-kBytes>,<exceed-rate-in-kbps>,<exceed-burst-in-kbytes>, <conform-action>,<exceed-action>, <violate-action>)
authentication cpe12 CoA cisco123
attribute 44 "<string>"   <<< Acct-Session-Id (Accounting Session ID)
vsa cisco generic 1 string "subscriber:command=account-logon"
vsa cisco generic 1 string "subscriber:command=account-logoff"
vsa cisco generic 1 string "subscriber:command=account-update"   (used to change a profile; followed by the attributes to apply)
<radius attributes to set/update>
vsa cisco generic 1 string "subscriber:sa=<service-name>"   (service activate)
vsa cisco generic 1 string "subscriber:sd=<service-name>"   (service deactivate)
All of these operations report an event to the subscriber control policy. The events a control policy can match on are:
account-logoff Account logoff event
account-logon Account logon event
authentication-failure Authentication failure event
authentication-no-response Authentication no response event
authorization-failure Authorization failure event
authorization-no-response Authorization no response event
exception Exception event
service-start Service start event
service-stop Service stop event
session-activate Session activate event
session-start Session start event
session-stop Session stop event
timer-expiry Timer expiry event
The Acct-Session-Id (attribute 44) is the preferred session identifier for CoA. You can also key on the subscriber's Framed-IP-Address and, if the session is in a VRF, the VRF name:
Attribute 8: Framed-IP-Address
and starting with IOS XR 4.2.1:
Attribute 8: Framed-IP-Address + AVPair: ip:vrf-id=<vrf name>
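The CoA exchange described above, as an added example (not code from this page or from Cisco): it encodes the Acct-Session-Id (attribute 44) and Cisco-AVPair VSAs (attribute 26, vendor 9, vendor type 1) into a CoA-Request, computes the RFC 5176 Request Authenticator, and validates the CoA-ACK/NAK that comes back. The session ID, AVPair values and host are made-up; the cisco123 key is the page's own example key. Keep in mind that a CoA request is protected only by that shared secret (an MD5 hash, not a MAC) and by the client address configured on the BNG, so use a long random key and restrict the dynamic-author client list to the RADIUS/OSS hosts that are allowed to change sessions.

```python
"""RADIUS CoA-Request (RFC 5176) carrying the Cisco-AVPair VSAs listed above.
Added example, not Cisco code.  The session ID, AVPair values and the
shared secret used here are made-up test data; a real Acct-Session-Id comes
from the Accounting-Request of the session you want to change."""
import hashlib
import hmac
import socket
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ACCT_SESSION_ID = 44      # RADIUS attribute 44
VENDOR_SPECIFIC = 26      # RADIUS attribute 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1          # Cisco vendor type 1 ("vsa cisco generic 1")
COA_PORT = 3799           # RFC 5176 default port


def avp(attr_type, value):
    """Type-Length-Value; Length includes the 2-byte header (RFC 2865)."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific(26) / Vendor-Id 9 / vendor type 1 / text."""
    inner = avp(CISCO_AVPAIR, text.encode("ascii"))
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa_request(identifier, acct_session_id, avpairs, secret):
    """CoA-Request keyed on Acct-Session-Id.  Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret);
    that hash is the only thing binding the packet to the shared secret."""
    attrs = avp(ACCT_SESSION_ID, acct_session_id.encode("ascii"))
    attrs += b"".join(cisco_avpair(a) for a in avpairs)
    header = struct.pack("!BBH", COA_REQUEST, identifier & 0xFF, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def build_coa_response(code, request, secret, attrs=b""):
    """The NAS side (CoA-ACK/NAK).  Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret).
    Included so the exchange can be exercised offline."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def check_response(response, request, secret):
    """Validate a reply against the request it answers and return its code
    (44 = CoA-ACK, 45 = CoA-NAK).  Raises on a forged or mismatched reply."""
    if len(response) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        raise ValueError("length or identifier mismatch")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or spoofed reply")
    if code not in (COA_ACK, COA_NAK):
        raise ValueError("unexpected code %d" % code)
    return code


def parse_attributes(attrs):
    """[(type, value)]; a VSA's value becomes (vendor_id, vendor_type, data)."""
    out, pos = [], 0
    while pos < len(attrs):
        length = attrs[pos + 1] if pos + 1 < len(attrs) else 0
        if length < 2 or pos + length > len(attrs):   # reject overruns
            raise ValueError("malformed attribute length")
        attr_type, value = attrs[pos], attrs[pos + 2:pos + length]
        if attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            out.append((attr_type, (vendor_id, vtype, value[6:4 + vlen])))
        else:
            out.append((attr_type, value))
        pos += length
    return out


def send_coa(packet, nas_host, secret, timeout=3.0):
    """Send to the BNG's dynamic-author port and validate the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (nas_host, COA_PORT))
        data, _ = sock.recvfrom(4096)
    return check_response(data, packet, secret)


if __name__ == "__main__":
    secret = b"cisco123"                      # the example CoA key from the page
    pkt = build_coa_request(1, "0000A1B2",
                            ["subscriber:command=account-update",
                             "subscriber:sa=PREMIUM_QOS"], secret)
    print(pkt.hex())
    print(parse_attributes(pkt[20:]))
    ack = build_coa_response(COA_ACK, pkt, secret)   # stand in for the NAS
    print("reply code:", check_response(ack, pkt, secret))
```

To push the change for real, call send_coa(pkt, "<bng-address>", secret); a CoA-NAK (45) means the BNG rejected the request, typically because the session key did not match or the service/attribute is unknown, and the Error-Cause attribute in the reply says which.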
Dynamic Template cmd
IP address source interface
ipv4 unnumbered <interface>
PPP framed address
PPP Address Pool
ppp ipcp peer-address pool <addr pool >
ipv4:addr-pool=<addr pool name>
PPP framed pool
framed-pool=<addr pool name>
PPP framed route
vrf <vrf name>
ppp ipcp dns <primary dns ip> <secondary dns ip>
ip:primary-dns=<primary dns ip>
ip:secondary-dns=<secondary dns ip>
accounting aaa list <method list> type session
accounting aaa list <method list> type session periodic-interval <minutes>
Dual-stack accounting start delay
accounting aaa list <method list> type session dual-stack-delay <secs>
ppp timeout absolute <sec>
timeout idle <sec>
service-policy input <in_mqc_name> shared-policy-instance <spi-name>
service-policy output <out_mqc_name> shared-policy-instance <spi-name>
subscriber:sub-qos-policy-in=<in_mqc_name> [shared-policy-instance <spi-name> ]
subscriber:sub-qos-policy-out=<out_mqc_name> [shared-policy-instance <spi-name>]
subscriber:qos-policy-in=add-class(target policy (class-list) qos-actions-list)
subscriber:qos-policy-in=remove-class(target policy (class-list))
subscriber:qos-policy-out=add-class(target policy (class-list) qos-actions-list)
subscriber:qos-policy-out=remove-class(target policy (class-list))
ipv4 access-group <in_acl_name> in
ipv4 access-group <out_acl_name> out
ipv6 access-group <in_v6acl_name> in
ipv6 access-group <out_v6acl_name> out
service-policy type pbr <http-redirect pbr policy name>
subscriber:sub-pbr-policy-in=<http-redirect pbr policy name>
Dynamic Template equivalent config
ppp ipv6cp peer-interface-id <64bit #>
ipv6 nd framed-prefix-pool <name>
DHCP6 (Local Server)
dhcpv6 address-pool <name>
dhcpv6 delegated-prefix-pool <name>
To be configured in DHCPv6 server profile
The following accounting attributes pertain to packet accounting in the ASR9000 BNG solution; the last group is specific to IPv4 and IPv6. The per-session totals are carried in the standard RADIUS accounting attributes:
Acct-Input-Octets (42): Session input total byte count
Acct-Input-Packets (47): Session input total packet count
Acct-Output-Octets (43): Session output total byte count
Acct-Output-Packets (48): Session output total packet count
Cisco VSA (26,9,1): acct-input-octets-ipv4
Session input IPv4 byte count
Cisco VSA (26,9,1): acct-input-packets-ipv4
Session input IPv4 packet count
Cisco VSA (26,9,1): acct-output-octets-ipv4
Session output IPv4 byte count
Cisco VSA (26,9,1): acct-output-packets-ipv4
Session output IPv4 packet count
Cisco VSA (26,9,1): acct-input-octets-ipv6
Session input IPv6 byte count
Cisco VSA (26,9,1): acct-input-packets-ipv6
Session input IPv6 packet count
Cisco VSA (26,9,1): acct-output-octets-ipv6
Session output IPv6 byte count
Cisco VSA (26,9,1): acct-output-packets-ipv6
Session output IPv6 packet count
Cisco VSA (26,9,1): connect-progress
Indicates Session set up connection progress
RADIUS attribute examples for the different types of framed route:
PPPoE v6 route
Framed-IPv6-Route = "45:1:1:1:2:3:4:5/128 :: 4 tag 5"
PPPoE v4 route
Framed-Route = "22.214.171.124 255.255.255.0 0.0.0.0 6 tag 7"
IPoE v4 route
Framed-Route = "vrf vpn1 126.96.36.199/24 vrf vpn1 0.0.0.0 4 tag 5"
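An added example (not from the page or from Cisco) that parses the three Framed-Route / Framed-IPv6-Route strings above and sanity-checks them before they become subscriber routes, which matters because the BGP configuration that follows redistributes those routes: a bad or malicious RADIUS entry can then announce an arbitrary prefix. The grammar `[vrf <name>] <prefix>[ <dotted mask>] [vrf <name>] <next-hop> [<metric>] [tag <n>]` is inferred from the page's three examples, and the "allowed pools" policy in route_is_acceptable() is an assumed operator check, not a BNG feature.

```python
"""Parse and sanity-check Framed-Route / Framed-IPv6-Route strings.
Added example, not Cisco code.  The grammar is inferred from the three
examples on this page; the pool-based acceptance policy is a made-up
operator rule, and the addresses in __main__ are the page's own samples."""
import ipaddress


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def parse_framed_route(text):
    """Return {prefix, prefix_vrf, next_hop, next_hop_vrf, metric, tag}.
    Raises ValueError on anything that does not fit the grammar."""
    tokens = text.strip().strip('"').split()
    route = {"prefix_vrf": None, "next_hop_vrf": None, "metric": None, "tag": None}
    i = 0
    if tokens[:1] == ["vrf"]:                  # VRF that scopes the destination prefix
        if len(tokens) < 2:
            raise ValueError("vrf without a name")
        route["prefix_vrf"], i = tokens[1], 2
    if i >= len(tokens):
        raise ValueError("missing prefix")
    prefix = tokens[i]
    i += 1
    if "/" not in prefix and i < len(tokens) and _is_ipv4(tokens[i]):
        prefix = prefix + "/" + tokens[i]      # IPv4 "address mask" form
        i += 1
    route["prefix"] = ipaddress.ip_network(prefix, strict=False)
    if i + 1 < len(tokens) and tokens[i] == "vrf":   # VRF of the next hop
        route["next_hop_vrf"], i = tokens[i + 1], i + 2
    if i >= len(tokens):
        raise ValueError("missing next hop")
    route["next_hop"] = ipaddress.ip_address(tokens[i])
    i += 1
    if i < len(tokens) and tokens[i] != "tag":
        route["metric"] = int(tokens[i])
        i += 1
    if i < len(tokens):
        if tokens[i] != "tag" or i + 1 >= len(tokens):
            raise ValueError("unexpected token %r" % tokens[i])
        route["tag"] = int(tokens[i + 1])
        i += 2
    if i != len(tokens):
        raise ValueError("trailing tokens: %s" % " ".join(tokens[i:]))
    if route["prefix"].version != route["next_hop"].version:
        raise ValueError("prefix and next hop address families differ")
    return route


def route_is_acceptable(route, allowed_pools):
    """Assumed operator policy: accept a RADIUS-supplied route only if it is
    not a default route, lies inside one of the subscriber pools, and its
    next hop is the session itself (0.0.0.0 / ::) or an address in those
    pools.  Anything else would let one RADIUS entry (or a compromised AAA
    server) steer traffic for arbitrary prefixes once 'redistribute
    subscriber' feeds the route into BGP."""
    prefix, next_hop = route["prefix"], route["next_hop"]
    if prefix.prefixlen == 0:
        return False
    pools = [p for p in (ipaddress.ip_network(a) for a in allowed_pools)
             if p.version == prefix.version]
    if not any(prefix.subnet_of(p) for p in pools):
        return False
    if next_hop.is_unspecified:
        return True
    return any(next_hop in p for p in pools)


if __name__ == "__main__":
    for s in ('45:1:1:1:2:3:4:5/128 :: 4 tag 5',
              '22.214.171.124 255.255.255.0 0.0.0.0 6 tag 7',
              'vrf vpn1 126.96.36.199/24 vrf vpn1 0.0.0.0 4 tag 5'):
        r = parse_framed_route(s)
        print(s, "->", {k: str(v) for k, v in r.items()})
        print("  accepted with pools 22.214.0.0/16, 45::/16:",
              route_is_acceptable(r, ["22.214.0.0/16", "45::/16"]))
```

Run the check on the AAA server side, when a Framed-Route is written into a subscriber's profile, rather than on the BNG: by the time the attribute arrives in an Access-Accept the router will install whatever it is given.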
router bgp 100
address-family ipv4 unicast
redistribute subscriber <route-policy>
Xander Thuijs CCIE#6775
Principal Engineer, ASR9000
Hi Dimitris, yeah, it is sort of "native" to the IP session and control-policy handling.
When you handle a session-start event for DHCP-type sessions, and one of the actions is to do an AAA authorize, then in that event handler, before the DHCP discover is proxied, an authorize/RADIUS request is done FIRST. If there is no Access-Accept, the discover is dropped.
If there is an accept, the returned attributes such as FIP, gateway, class etc. are used when the DHCP discover is proxied and responded to with an offer to the DHCP server.
Thanks a lot!
You were very helpful as always :)
posted wrong spot
Question: we're using IPoE DHCP-triggered with a DHCP proxy setup, but for some reason if a customer needs a static IP, we try to send a Framed-IP-Address in RADIUS to bypass the DHCP proxy IP and give them a specific IP...
But they still just get the DHCP IP. I actually opened an SR 680576098 for it, but the recommendation to drop the interface from the dhcp ipv4 config just resulted in no subscriber session activity at all.
Ah Chris, I think you possibly missed providing the subnet mask. When providing the framed IP, DHCP sessions also want a subnet mask and possibly (duh ;) a default gateway as well.
So you'd want to mimic a profile like this:
<MAC-ADDRESS> Cleartext-Password := "cisco"
    Session-Timeout += 9000,
    Idle-Timeout += 9000
and then add an ipv4:default-gateway=bla.bla.bla.bla
LOL, ya, I know, I have it exactly like that. Sorry I wasn't clearer: I'm sending address and netmask and the AVPair with the ipv4:ipv4-default-gateway, but it still gets the same IP from DHCP on a renew. Even if I let the lease expire with the PC off and turn it back on for a fully clean session, it gets the IP from DHCP.
Oh ok, so on renew this goes whack; that is a bug obviously, as the proxy should have figured out what to do. This has been a bit of an iffy area pre XR 5.2.4, so the release in question matters here quite a bit.
If you are on 5.2.4 or 5.3.3, then possibly collect a show tech dhcp ipv4 and show tech subscriber, and it may be best to follow up with a TAC case to see what needs to be addressed in order to mitigate this situation.
(I am on paternity leave at the moment, so I may not be able to provide continued support this week.)
5.3.3. Ya, I have a TAC case open with them, but apparently DHCP proxy can't do Framed-IP-Address override, only the internal DHCP server can, according to them. I don't recall seeing that anywhere before :S
EDIT: yep, apparently this is the issue; when I switched from proxy to internal server, tada, right away it worked...
Why isn't it working with proxy? That just seems like a pretty substantial oversight. Is there any way to get it working the other way?
I think DHCP server mode is going to be an issue, because we wanted to use geo-redundancy, and according to the manual 5.3 doesn't support dhcp-server mode with geo-redundancy for BNG... so basically I either give up the ability to statically assign IPs or give up the ability to have geo-redundancy support.
Ah yeah, forgot to mention: you want to use a local DHCP server, so that the server piece can communicate with the client piece and leverage the address from RADIUS, especially at renew time.
Alternatively, many external DHCP servers can do some static address assignment based on vendor ID or something similar.
What you could do is download the vendor class from RADIUS; that will get inserted in the proxy request to the DHCP server, so the DHCP server can use that vendor class for the address assignment and you can do a static assignment based on that.
The nice thing is, it is centralized by the DHCP server; the only thing needed is vendor class assignment as opposed to framed IP assignment.
Well, the issue is we want to be able to set a customer to a static IP if they want one, and otherwise get a standard basic IP from DHCP. The internal DHCP server does that for us; I've tested it and it's working fine, but like I said that leaves us in a bind since according to the docs geored won't work?
Using an external DHCP stops the framed IP from working, and that's how our OSS works, and most external DHCPs don't like picking up fixed assignments from SQL without hackery, so I'm trying to avoid that. The idea is to stick to RADIUS assignment for QoS + IP + auth.
The static assignment while using a DHCP server requires some tricking, right.
In fact, you don't even need a DHCP server for assigning a static address. If the server is external, it is hard to "ack/confirm" a particular lease, as the lease is really constructed from the RADIUS attributes.
One option could be that if you have a limited set of static subs, and you know their QinQ combos, you could make a local DHCP server profile for those subinterfaces that require that static assignment.
For instance, say your range is outer VLAN 100, inner any.
Then you define one access interface with ambiguous dot1q 100 second any.
This ambiguous subinterface points to an external DHCP via proxy in the dhcp ipv4 config.
Then a (few) specific ones such as
encap dot1q 100 second 20
and assign that subinterface in the dhcp config to the local DHCP server for static assignment from RADIUS.
Is it possible to remove a previously applied ACL from the subscriber interface via CoA? For example, I need to remove the input ACL from:
RP/0/RSP0/CPU0:BNG#show access-lists ipv4 interface Bundle-Ether100.100.ip71
Input  ACL (common): N/A  (interface): PERM_ALL
Output ACL: N/A
not do anything.
Hi Max, ah yeah, no, sorry, that is not possible. The trick I used in that example is to replace a restrictive ACL with a permit ip any any ACL, so there is an ACL applied, but it just allows everything.
I would like to apply a PBR policy for my customers who are in debt. So at the start of the connection I would like to apply a service-policy type pbr to the customer so that they are redirected to a web portal which will provide a payment method.
So for testing purposes, I'm doing something like:
policy-map type pbr policyREDIRECIONAMENTO
 class type traffic classREDIRECIONAMENTO
 class type traffic class-default
x.x.x.x is the network I would like him to be granted access to; everything else should be blocked.
ipv4 access-list aclREDIRECIONAMENTO
 10 permit ipv4 x.x.x.x 0.255.255.255 any
class-map type traffic match-all classREDIRECIONAMENTO
 match access-group ipv4 aclREDIRECIONAMENTO
and I applied
service-policy type pbr policyREDIRECIONAMENTO
to my dynamic-template type ppp for testing purposes.
When I connect using these rules and I open a website, I get a 302 Found, but it stops there.
After I get this working, I'm looking to apply the PBR service to my customer from RADIUS using:
Cisco-AVPair = subscriber:sa=policyREDIRECIONAMENTO
Would it work fine?
In my config I also have an ACL for the open garden where I have allowed 80, 443, 53 and also ICMP for testing purposes. Please note that the dynamic template is type service. I have prepared it for our customer but I have not tested it yet. I have a very similar pmap for IPoE and it's working fine. In my pmap every sub that has not paid the bill, which means that the account is disabled, will be redirected to a website with a notification.
You can also use CoA to push the service if you want.
ipv4 access-list OpenGarden_ACL
 5 permit icmp any host 188.8.131.52
 3 permit tcp any host XX eq www
 14 permit tcp any host XX eq 443
 15 permit udp any any eq domain

class-map type traffic match-any HTTPRDRT_CM
 match access-group ipv4 HTTPRDRT_ACL
 end-class-map

ipv4 access-list HTTPRDRT_ACL
 3 permit tcp any any eq www syn
 4 permit tcp any any eq www ack
 5 permit tcp any any eq www
 6 permit tcp any any eq 443

class-map type traffic match-any OpenGarden_CM
 match access-group ipv4 OpenGarden_ACL
 end-class-map

policy-map type pbr OpenGarden_Redirect
 class type traffic OpenGarden_CM
  transmit
 !
 class type traffic HTTPRDRT_CM
  http-redirect http://www.xy.com
 !
 class type traffic class-default
  drop
 !
 end-policy-map

dynamic-template
 type service OpenGarden_Redirect_TPL
  service-policy type pbr OpenGarden_Redirect

policy-map type control subscriber BNG_HSI_REDIRECT
 event session-start match-all
  class type control subscriber MATCH_PPP_HSI do-until-failure
   1 activate dynamic-template BNG_HSI_TEMPLATE
  !
 !
 event session-activate match-all
  class type control subscriber MATCH_PPP_HSI do-until-failure
   1 authenticate aaa list default
  !
 !
 event authentication-failure match-all
  class type control subscriber MATCH_PPP_HSI do-until-failure
   5 activate dynamic-template OpenGarden_Redirect_TPL
   10 set-timer UNAUTH_TMR 20
  !
 !
 event timer-expiry match-first
  class type control subscriber UNAUTH_TMR_CM do-until-failure
   10 disconnect
  !
 !
 end-policy-map
!