ASR9000/XR: BNG VSA's (vendor specific attributes) and Services - Page 7

xthuijs · ‎08-15-2013

Introduction
Vendor Specific Attributes
- RADIUS Attributes for pQoS
  - Example
- VSA's for Account operations (services and logon/off)
  - Note
Template comparison to radius attribute
IPv6 Attributes
- - NOTE
Radius Accounting bytes and packets
Dynamic Route insertion
- Route destribution (please don't!)
Related Information

Introduction

This document provides an overview of Vendor Specific attributes that can be used in the ASR9000 BNG solution. They can either be used as part of the Access Accept Radius message or COA requests to change the behavior of the session.

Vendor Specific Attributes

Back to top

1. RADIUS Attributes for pQoS

sub: indicates AVPair targets MQC policy on a subscriber session

<class-list>: identifies class to be added/removed or modified in the MQC policy

Multiple classes may be specified to modify classification in a nested (child) MQC policy

<qos-action-list>: policy actions to be added/overwritten in targeted class in MQC policy (see table below)

Supported QoS features:

•Shaping rate and percentage

•Policing rate and percentage

•Marking (CoS, DSCP, IP Prec)

•Queueing (minBW, BW remaining, priority, WRED, queue-limit)

QOS Feature	Action format in Radius attribute
Shaping	shape(<rate-in-kbps>)
Shaping	shape-rpct(<rate-in-pct>)
Policing	police-rpct(<conform-rate-in-pct>,<conform-burst-in-us>,<exceed-rate-in-pct>,<exceed-burst-in-us>, <conform-action>,<exceed-action>, <violate-action>)
Policing	police(<conform-rate-in-kbps>,<conform-burst-in-kBytes>,<exceed-rate-in-kbps>,<exceed-burst-in-kbytes>, <conform-action>,<exceed-action>, <violate-action>)
Marking	set-cos(<cos-val>)
	set-ip-dscp(<dscp-val>)
	set-ip-prec(<precedence>)
Queuing	pri-level(<priority-level>)
	bw-rpct(<pct>) bw-rratio(<ratio>) bw-abs(<bw-in-kbps>) bw-pct(<bw-in-pct>)
	queue-limit(<qlimit-in-packets>) queue-limit-us(<qlimit-in-us>)
	random-detect-dscp(<dscp>)
	random-detect-prec(<precedence>)

Example

AVPair:“ip:qos-policy-out=add-class(sub,(class-default, VIDEO_CM), set-ip-dscp(af41), bw-abs(256))

Back to top

2. VSA's for Account operations (services and logon/off)

Primitive	Radius AVP
Account Logon	authentication cpe12 CoA cisco123 attribute 44 “<string>” <<< Accounting Session ID vsa cisco generic 1 string "subscriber:command=account-logon"
Account Logoff	attribute 44 “<string>” <<< Accounting Session ID vsa cisco generic 1 string "subscriber:command=account-logoff"
Account update (used to change a profile)	attribute 44 “<string>” <<< Accounting Session ID vsa cisco generic 1 string "subscriber:command=account-update” <radius attributes to set/update>
Service Activate	attribute 44 “<string>” <<< Accounting Session ID vsa cisco generic 1 string "subscriber:sa=<service-name>”
Service De-Activate	attribute 44 “<string>” <<< Accounting Session ID vsa cisco generic 1 string "subscriber:sd=<service-name>”

All these operations from the first column, report an event to the control policy.

RP/0/RSP0/CPU0:A9K-BNG(config-pmap)#event ?

account-logoff Account logoff event

account-logon Account logon event

authentication-failure Authentication failure event

authentication-no-response Authentication no response event

authorization-failure Authorization failure event

authorization-no-response Authorization no response event

exception Exception event

service-start Service start event

service-stop Service stop event

session-activate Session activate event

session-start Session start event

session-stop Session stop event

timer-expiry Timer expiry event

Note

Accounting session ID is the preferred session identifier. You can also use the framed-ip-address to key on the subscriber and the vrf (if applicable)

(IPv4 only):

Attribute 8: Framed-IP-Address

and starting 4.2.1:

Attribute 8: Framed-IP-Address + AVPair: ip:vrf-id=<vrf name>

Template comparison to radius attribute

Operation	Dynamic Template cmd	RADIUS Attribute
Service Activation
Service Activation	N/A	26	9,1	subscriber:sa=<service-name>
Network Forwarding
IP addess source intf	ipv4 unnumbered <interface>	26	9,1	ipv4:ipv4-unnumbered=<interface>
PPP framed address	N/A	8		framed-ip-address=<IPv4 address>
PPP Address Pool	ppp ipcp peer-address pool <addr pool >	26	9,1	ipv4:addr-pool=<addr pool name>
PPP framed pool	N/A	88		framed-pool=<addr pool name>
PPP framed route	N/A	22		framed-route=<subnet><mask>
VRF	vrf <vrf name>	26	9,1	subscriber:vrf-id=<vrf name>
V4 DNS	ppp ipcp dns <pprimary dns ip> <secondary dns ip>	26	9.1	ip:primary-dns=<primary dns ip> Ip:secondary-dns=<secondary dns ip>
DHCP classname	N/A	26	9,1	subscriber:classname=<dhcp-class-name>

Traffic Accounting
Accounting	accounting aaa list <method list> type session	26	9,1	subscriber:accounting-list=<method list>
Interim Interval	accounting aaa list <method list> type session periodic-interval <minutes>	85		Acct-Interim-Interval <minutes>
Dual Stack Accnt Start Delay	accounting aaa list <method list> type session dual-stack-delay <secs>			subscriber:dual-stack-delay=<sec>
Session Administration
keepalives	keepalive <sec>	26	9,1	subscriber:keepalive=interval<sec> NOT SUPPORTED/Implemented
Absolute Timeout	ppp timeout absolute <sec>	27	n/a	session-timeout=<sec>
Idle Timeout	timeout idle <sec>	28	n/a	idle-timeout=<sec>

Traffic conditioning
HQoS(with SPI)	service-policy input <in_mqc_name> shared-policy-instance <spi-name> service-policy output <out_mqc_name> shared-policy-instance <spi-name>	26	9,1	subscriber:sub-qos-policy-in=<in_mqc_name> [shared-policy-instance <spi-name> ] subscriber:sub-qos-policy-out=<out_mqc_name> [shared-policy-instance <spi-name>]
pQoS	N/A	26	9,1	subscriber:qos-policy-in=add-class(target policy (class-list) qos-actions-list) subscriber:qos-policy-in=remove-class(target policy (class-list)) subscriber:qos-policy-out=add-class(target policy (class-list) qos-actions-list) subscriber:qos-policy-out=remove-class(target policy (class-list))
Subscriber ACLs/ABF	ipv4 access-group <in_acl_name> in Ipv4 access-group <out_acl_name> out ipv6 access-group <in_v6acl_name> in ipv6 access-group <out_v6acl_name> out	26	9,1	ipv4:inacl=<in_acl_name> ipv4:outacl=<out_acl_name> ipv6:ipv6_inacl=<in_v6acl_name> ipv6:ipv6_outacl=<out_v6acl_name>
HTTP-R	service-policy type pbr <HTTR policy name>	26	9,1	subscriber:sub-pbr-policy-in=<HTTR policy name>

IPv6 Attributes

Attribute	Defined By	Received In	IPv6 Client	Address Assignment	Dynamic Template equivalent config
Framed-Interface-Id (96)	RFC3162	Access-Accept	PPPoE	Any	ppp ipv6cp peer-interface-id <64bit #>
Framed-IPv6-Prefix (97)	RFC3162	Access-Accept	PPPoE	SLAAC	N.A.
Framed-IPv6-Route (99)	RFC3162	Access-Accept CoA	Any	Any	N.A.
Framed-IPv6-Pool (100)	RFC3162	Access-Accept	PPPoE	SLAAC	ipv6 nd framed-prefix-pool <name>
Framed-ipv6-Address (*)	draft-ietf-radext-ipv6-access-06	Access-Accept	PPPoE, IPoE	DHCP6 (Local Server)	N.A.
Stateful-IPv6-Address-Pool(*)	draft-ietf-radext-ipv6-access-06	Access-Accept	PPPoE, IPoE	DHCP6 (Local Server)	dhcpv6 address-pool <name>
Delegated-IPv6-Prefix-Pool (*)	draft-ietf-radext-ipv6-access-06	Access-Accept	PPPoE, IPoE	DHCP6 (Local Server)	dhcpv6 delegated-prefix-pool <name>
DNS-Server-IPv6-Address (*)	draft-ietf-radext-ipv6-access-06	Access-Accept	PPPoE, IPoE	DHCP6 (Local Server)	To be configured in DHCPv6 server profile
Delegated-IPv6-Prefix	RFC4818	Access-Accept	PPPoE, IPoE	DHCP6 (Local Server)	N.A.

NOTE

IETF has not yet allocated numeric values for newly defined attributes in

draft-ietf-radext-ipv6-access-*

Following Cisco VSAs have been temporarily defined to close such gap

Framed-ipv6-Address	“ipv6:addrv6=<ipv6 address>”
Stateful-IPv6-Address-Pool	“ipv6:stateful-ipv6-address-pool=<name>”
Delegated-IPv6-Prefix-Pool	“ipv6:delegated-ipv6-pool=<name>”
DNS-Server-IPv6-Address	“ipv6:ipv6-dns-servers-addr=<ipv6 address>”

Radius Accounting bytes and packets

the following accounting attributes pertaining to packet accounting for the ASR9000 solution, also specific to IPv6

Attribute	Defined By	Description
Acct-Input-Octets (42)	RFC2866	Session input total byte count
Acct-Input-Packets (47)	RFC2866	Session input total packet count
Acct-Output-Octets (43)	RFC2866	Session output total byte count
Acct-Output-Packets (48)	RFC2866	Session output total packet count
Cisco VSA (26,9,1): acct-input-octets-ipv4	Cisco	Session input IPv4 byte count
Cisco VSA (26,9,1): acct-input-packets-ipv4	Cisco	Session input IPv4 packet count
Cisco VSA (26,9,1): acct-output-octets-ipv4	Cisco	Session output IPv4 byte count
Cisco VSA (26,9,1): acct-output-packets-ipv4	Cisco	Session output IPv4 packet count
Cisco VSA (26,9,1): acct-input-octets-ipv6	Cisco	Session input IPv6 byte count
Cisco VSA (26,9,1): acct-input-packets-ipv6	Cisco	Session input IPv6 packet count
Cisco VSA (26,9,1): acct-output-octets-ipv6	Cisco	Session output IPv6 byte count
Cisco VSA (26,9,1): acct-output-packets-ipv6	Cisco	Session output IPv6 packet count
Cisco VSA (26,9,1): connect-progress	Cisco	Indicates Session set up connection progress

Back to top

3.

Dynamic Route insertion

RADIUS attribute example for different type of framed-route:

PPPoE V6 route

Framed-IPv6-Route = "45:1:1:1:2:3:4:5/128 :: 4 tag 5”

PPPoE v4 route

Framed-Route = "45.1.6.0 255.255.255.0 0.0.0.0 6 tag 7”

IPoE v4 route

Framed-Route = "vrf vpn1 45.1.4.0/24 vrf vpn1 0.0.0.0 4 tag 5”

Back to top

4. Route destribution (please don't!)

router bgp 100

address-family ipv4 unicast

redistribute subscriber <route-policy>

Related Information

Xander Thuijs CCIE#6775

Principal Engineer, ASR9000

Back to top

xthuijs · ‎07-07-2016

hi dimitris, yeah it is sort of "native" to the ip session and control policy handling.

when you handle an event session-start for dhcp type sessions and if one of the actions is to do an aaa authorize.... in that event handler, before the dhcp discover is proxied FIRST an authorize/radius request is done. if there is no access accept, the discover is dropped.

if there is an accept, the return attributes such as fip, gateway, class etc are used when the dhcp discover is proxied and responded with an offer to the dhcp server.

cheers!

xander

Dimitris Kotsilis · ‎07-07-2016

Thanks a lot!

You were very helpful as always :)

puddingtech · ‎07-14-2016

posted wrong spot

puddingtech · ‎07-14-2016

xander,

Question we're using IPoE DHCP-Triggered with a DHCP Proxy setup, but for some reason if a customer needs a static ip, we try to send a framed-ip-address in radius to bypass the dhcp proxy ip and give them a specific ip....

But they still just get the DHCP ip... i actually opened an SR 680576098 for it but the recommendation to drop the interface from the dhcp ipv4 config just resulted in no subscriber session activity at all.

Chris

xthuijs · ‎07-14-2016

ah chris, I think you missed to provide the subnetmask possibly. when providing the framed ip, dhcp sessions also want a subnetmask and possibly (duh ;) a default gateway also.

so you'd want to mimick a profile like this:

<MAC-ADDRESS>    Cleartext-Password :="cisco"
                                       Framed-IP-Address+=7.2.5.5,
                                       Framed-IP-netmask+=255.255.255.248,
                                       Session-timeout += 9000,
                                       Idle-timeout += 9000

and then add a ipv4:default-gateway=bla.bla.bla.bla

too.

cheers!

xander

puddingtech · ‎07-14-2016

LOL ya i know i have it exactly like that sorry i wasn't clearer i'm sending address and netmask and the avpair with the ipv4:ipv4-default-gateway, but still it gets the same ip from dhcp on a renew, even if i let the lease expire with pc off and turn it back on for a fully clean session, it gets the ip from dhcp

xthuijs · ‎07-14-2016

oh ok, so on renew this goes wack, that is a bug obviously, as the proxy should have figured out what to do. this has been a bit of an iffy area pre XR 524. So the release in question matters here quite a bit.

If you are on 524 or 533, than possibly collect a show tech dhcp ipv4 and show tech subscriber and may be best to follow up with a tac case to see what needs to be addressed in order to mitigate this situation.

(am on paternity leave at the moment, so may not be able to provide continued support this week)

cheers!

xander

puddingtech · ‎07-14-2016

5.3.3 ya i have a tac case open with them, but apparently DHCP proxy can't do framed-ip-address override only the internal dhcp server can according to them. I don't recall seeing that anywere before :S

EDIT: yep apparently this appears to be the issue, when i switched from proxy to internet serer, tada right away it worked...

Why isn't it working with proxy that just seems like a pretty substantial oversight, is their any way to get it working the other way?

I think DHCP server mode is going to be an issue, because we wanted to use geo-redundancy, and according to the manual 5.3 doesn't support dhcp-server mode with geo redundancy for BNG.... so basically i either give up ability to static assign IP's or give up ability to have geo-redundancy support.

xthuijs · ‎07-14-2016

ah yeah forgot to mention you want to use a local dhcp server, so that the server piece can communicate with the client piece and leverage the addr from radius, especially at renew time.

alternatively, many dhcp servers that are external can do some static addr assignment based on vendor id or soemthing similar.

what you could do is download the vendor class from radius, that wil get inserted in the proxy request to the dhcp server so the dhcp server can use that vendor class for the addr assignment and you can do a static assignment based on that.

nice thing is, it is centralized, by dhcp server, only thing needed is vendor class assignment as opposed to framed ip assigmnet.

cheers

xander

puddingtech · ‎07-15-2016

well the issue is we want to be able to set a customer to a static ip if they want one otherwise get a standard basic ip from dhcp, internal DHCP server does that for us i've tested it and its working fine, but like i said that leaves us in a bind since according to docs geored wont work?

Using an external dhcp stops the framed-ip from working and that's how our oss works, and most external dhcp's don't like picking up fixed assignments from sql without hackery, so trying to avoid that, the idea is to stick to radius assignment for qos + ip + auth.

xthuijs · ‎07-16-2016

hi chris,

the static assignment while using a dhcp server requires some tricking right.

in fact, you dont even need a dhcp server for assigning a static address. if the server is external, it is hard to "ack/confirm" a particular lease as the lease is really constructed from the radius attributes.

One option could be that if you have a limited set of static subs, and you know their qiq combo's, you could make a local dhcp server profile for those subinterfaces that require that static assignment.

for instance, say your range is outer vlan 100, inner any.

then you define one access interface with ambigious dot1q 100 second any.

this amb sub interface points to an external dhcp via proxy in dhcp ipv4 config.

then, a (few) specific ones such as

encap dot1q 100 second 20

and assign that subinterface in the dhcp config to the local dhcp server for static assignment from radius.

cheers!

xander

Max Antonenko · ‎09-19-2016

Hi Xander,

Is it possible to remove previously applied ACL to the subscriber interface via CoA? For an example need to remove inacl from:

RP/0/RSP0/CPU0:BNG#show access-lists ipv4 interface Bundle-Ether100.100.ip71
Input ACL (common): N/A (interface): PERM_ALL
Output ACL: N/A

Request

Cisco-AVPair="inacl="

not do anything.

xthuijs · ‎09-19-2016

hi max, ah yeah, no sorry that is not possible, the trick I used in that example is to replace a restrictive ACL with a permit ip any any ACL, so there is an ACL applied, but it just allows everything.

xander

wilsonribeiro · ‎11-11-2016

Hello,

I would like to apply a PBR for my customers which are in debt. So at the start of connection I would like to apply a service-policy type pbr to customer to be redirected to a web portal which it will provide a payment method.

So for testing purposes, I'm doing something like:

policy-map type pbr policyREDIRECIONAMENTO

class type traffic classREDIRECIONAMENTO

http-redirect http://sac.portal.org

!

class type traffic class-default

!

end-policy-map

!

x.x.x.x are the network I would like him to be granted, everything else should be blocked.

ipv4 access-list aclREDIRECIONAMENTO

10 permit ipv4 x.x.x.x 0.255.255.255 any

!

class-map type traffic match-all classREDIRECIONAMENTO

match access-group ipv4 aclREDIRECIONAMENTO

end-class-map

!

I've applied

service-policy type pbr policyREDIRECIONAMENTO

to my dynamic template type ppp for testing purposes.

When I connect using these rules and I open a website, I got a 302 found. But it stops there.

I'm looking after I get this working to apply the service pbr for my customer from Radius using:

Cisco-AVPair = subscriber:sa=policyREDIRECIONAMENTO

Would it work fine?

smailmilak · ‎11-11-2016

Hi,

in my config I have also a ACL for open garden where I have allowed 80, 443, 53 and also icmp for testing purposes. Please note that dyn tempalte is type service. I have prepared it for our customer but I have not tested it yet. I have a very similar pmap for IPoE and it's working fine. In my pmap every sub that has not payed the bill which means that the account is disabled will be redirected to a website with a notification.

You can also use CoA to push the service if you want.

ipv4 access-list OpenGarden_ACL
5 permit icmp any host 8.8.8.8
13 permit tcp any host XX eq www
14 permit tcp any host XX eq 443
15 permit udp any any eq domain

class-map type traffic match-any HTTPRDRT_CM
match access-group ipv4 HTTPRDRT_ACL
end-class-map

ipv4 access-list HTTPRDRT_ACL
3 permit tcp any any eq www syn
4 permit tcp any any eq www ack
5 permit tcp any any eq www
6 permit tcp any any eq 443

class-map type traffic match-any OpenGarden_CM
match access-group ipv4 OpenGarden_ACL
end-class-map

policy-map type pbr OpenGarden_Redirect
class type traffic OpenGarden_CM
transmit
!
class type traffic HTTPRDRT_CM
http-redirect http://www.xy.com
!
class type traffic class-default
drop
!
end-policy-map

dynamic-template
type service OpenGarden_Redirect_TPL
service-policy type pbr OpenGarden_Redirect

////////////////////////////////////////////////////////////////

policy-map type control subscriber BNG_HSI_REDIRECT
event session-start match-all
class type control subscriber MATCH_PPP_HSI do-until-failure
1 activate dynamic-template BNG_HSI_TEMPLATE
!
!
event session-activate match-all
class type control subscriber MATCH_PPP_HSI do-until-failure
1 authenticate aaa list default
!
!
event authentication-failure match-all
class type control subscriber MATCH_PPP_HSI do-until-failure
5 activate dynamic-template OpenGarden_Redirect_TPL
10 set-timer UNAUTH_TMR 20
!
!
event timer-expiry match-first
class type control subscriber UNAUTH_TMR_CM do-until-failure
10 disconnect
!
!
end-policy-map
!