
Configuring ISG subscriber accounting

Good day.

I am asking for your help with configuring ISG on an ASR 1002X.

I need to configure accounting for subscriber sessions and send it to the RADIUS server together with the user identifier.

Maybe someone has experience setting up a configuration like this...

Thank you in advance for your help.

 

 

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname WAG_ASR1002X
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
aaa new-model
!
!
aaa group server radius SERVER_GROUP1
server name RAD1
!
aaa authentication login IP_AUTHEN_LIST group SERVER_GROUP1
aaa authorization network default group SERVER_GROUP1 local 
aaa authorization network AUTHOR_LIST group SERVER_GROUP1 local 
aaa authorization subscriber-service default local group SERVER_GROUP1 
aaa accounting include auth-profile framed-ip-address
aaa accounting network IP_SESSION start-stop group SERVER_GROUP1
aaa accounting system default start-stop group radius
!
aaa nas port extended
aaa server radius sesm
client 10.245.1.6 key 
message-authenticator ignore
!
!
!
!
aaa session-id common
clock calendar-valid
!
!

no ip dhcp use vrf connected
ip dhcp excluded-address 172.28.0.254
!
ip dhcp pool WIFI_users
network 172.28.0.0 255.255.255.0
default-router 172.28.0.254 
dns-server 8.8.8.8 
!
!
!
subscriber feature prepaid IP_SESSION
threshold time 0 seconds
threshold volume 0 bytes
method-list author default
method-list accounting IP_SESSION

!
subscriber service session-accounting
subscriber templating
subscriber authorization enable
subscriber accounting ssg
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
mode none
redirect server-group ISG_GROUP
server ip 10.245.1.6 port 80
!
!
!
!
ip tftp source-interface GigabitEthernet0

class-map type traffic match-any ISG_OPENGARDEN
match access-group output name ACL_OUT_OPENGARDEN
match access-group input name ACL_IN_OPENGARDEN
!
class-map type traffic match-any L4REDIRECT
match access-group input name ACL_IN_L4REDIRECT
!
class-map type control match-all IP_UNAUTH_COND
match timer IP_UNAUTH_TIMER 
match authen-status unauthenticated 
!
policy-map type service L4REDIRECT_SERVICE
10 class type traffic L4REDIRECT
 redirect to group ISG_GROUP
!
class type traffic default input
 drop
!
!
policy-map type service OPENGARDEN_SERVICE
20 class type traffic ISG_OPENGARDEN
!
!
policy-map type service PBHK_SERVICE
ip portbundle
!


policy-map type control TAL
class type control IP_UNAUTH_COND event timed-policy-expiry
 10 service disconnect
!
class type control always event session-start
 20 service-policy type service name L4REDIRECT_SERVICE
 25 service-policy type service name OPENGARDEN_SERVICE
 30 set-timer IP_UNAUTH_TIMER 10
!
class type control always event account-logon
 10 authenticate aaa list IP_AUTHEN_LIST 
 20 service-policy type service unapply name L4REDIRECT_SERVICE
 30 service-policy type service unapply name L4REDIRECT_SERVICE
!
!         
!
! 
!

!
interface GigabitEthernet0/0/1.3901
encapsulation dot1Q 3901
ip address 172.28.0.254 255.255.255.0
service-policy type control TAL
ip subscriber routed
 initiator unclassified ip-address
!
!
ip access-list extended ACL_1_ACCESS_TO_WIX_IN
permit ip any host 10.245.4.6
permit ip any host 8.8.8.8
permit ip any host 10.245.1.6
deny   icmp any any echo
permit icmp any any
deny   ip any any
ip access-list extended ACL_1_ACCESS_TO_WIX_OUT
permit ip any any
ip access-list extended ACL_1_REDIRECT_PORTAL_IN
permit tcp any any eq www
permit tcp any any eq 3128
permit tcp any any eq 443
deny   icmp any any echo
permit icmp any any
ip access-list extended ACL_1_REDIRECT_PORTAL_OUT
permit ip any any
ip access-list extended ACL_IN_L4REDIRECT
permit tcp any any eq www
permit tcp any any eq 443
ip access-list extended ACL_IN_OPENGARDEN
permit ip any host 8.8.8.8
permit ip host 8.8.8.8 any
ip access-list extended ACL_IN_SERVICE_INTERNET
permit ip any any
ip access-list extended ACL_OUT_OPENGARDEN
permit ip host 8.8.8.8 any
permit ip any host 8.8.8.8
ip access-list extended ACL_OUT_SERVICE_INTERNET
permit ip any any
ip access-list extended test
permit ip any any log-input
!
ip radius source-interface GigabitEthernet0/0/1.3721 
!
!
!
radius-server attribute 44 include-in-access-req all
radius-server attribute 188 format non-standard
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req 
radius-server attribute 32 include-in-accounting-req 
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 25 access-request include
radius-server attribute nas-port format d
radius-server attribute 61 extended
radius-server attribute 31 mac format ietf 
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria tries 3
radius-server host 10.245.1.6 auth-port 1812 acct-port 1813 key 
radius-server retransmit 5
radius-server timeout 10
radius-server deadtime 15
radius-server directed-request
radius-server domain-stripping
radius-server key 
!
radius server RAD1
address ipv4 10.245.0.10 auth-port 1822 acct-port 1823


You need to add something like this to the RADIUS reply profile:

subscriber:accounting-list = "IP_SESSION"

I can't vouch for the exact syntax; it can be written in different ways.

Then check that it has been applied to the subscriber's session:

sh subscriber session identifier source-ip-address 1.1.1.1 255.255.255.255

and that these lines have appeared:

Accounting:
Class-id Dir Packets Bytes Source
0 In 24937 2692239 Peruser
1 Out 31274 34787648 Peruser

And then catch the accounting on the RADIUS server it gets sent to.
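An added example, not part of the original posts and not Cisco or RADIUS-server code: Python that encodes the accounting-list reply attribute suggested above as a Cisco-AVPair and, on the receiving side, decodes an Accounting-Request to confirm that it carries the subscriber identity. Assumptions: the attribute is spelled `subscriber:accounting-list=IP_SESSION` and sent as a Cisco-AVPair (vendor 9, subtype 1); the user name, address and session id are constructed sample values; the Request Authenticator is not verified against the shared secret here.

```python
import socket
import struct

CISCO, VSA, AVPAIR = 9, 26, 1  # Cisco enterprise number, Vendor-Specific, Cisco-AVPair
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}  # Acct-Status-Type values

def attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def encode_avpair(text):
    """Wrap a Cisco-AVPair string in a Vendor-Specific attribute (type 26)."""
    return attr(VSA, struct.pack("!I", CISCO) + attr(AVPAIR, text.encode("ascii")))

def parse_attributes(blob):
    """Split a RADIUS attribute area into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return out

def cisco_avpairs(attrs):
    """Return the Cisco-AVPair strings found in Vendor-Specific attributes."""
    pairs = []
    for atype, value in attrs:
        if atype == VSA and len(value) > 6 and value[:4] == struct.pack("!I", CISCO):
            pairs += [v.decode("ascii") for t, v in parse_attributes(value[4:]) if t == AVPAIR]
    return pairs

def accounting_summary(packet):
    """Decode an Accounting-Request (code 4) into the fields that identify the subscriber."""
    if len(packet) < 20 or packet[0] != 4 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    a = dict(parse_attributes(packet[20:]))  # attributes follow the 20-byte header
    return {
        "user": a[1].decode("utf-8", "replace") if 1 in a else None,           # User-Name
        "ip": socket.inet_ntoa(a[8]) if len(a.get(8, b"")) == 4 else None,     # Framed-IP-Address
        "status": STATUS.get(struct.unpack("!I", a[40])[0]) if len(a.get(40, b"")) == 4 else None,
        "session": a[44].decode("ascii", "replace") if 44 in a else None,      # Acct-Session-Id
    }

# Constructed sample data (not captured from the network described in the thread).
ACCEPT_ATTRS = encode_avpair("subscriber:accounting-list=IP_SESSION")
BODY = (attr(40, struct.pack("!I", 1)) + attr(1, b"user1")
        + attr(8, socket.inet_aton("172.28.0.10")) + attr(44, b"0000002A"))
ACCT_START = struct.pack("!BBH", 4, 7, 20 + len(BODY)) + bytes(16) + BODY
```

A `user` of `None` in the summary means the Accounting-Request arrived without a User-Name, which is the case the original question is trying to avoid.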


Good day!

Colleagues, please help; for the second week I can't figure out what I'm doing wrong. I have tried settings from various articles. The client gets an IP via DHCP, but the ASR does not send any requests to LANBilling.

Equipment: Cisco ASR1001 Version 15.3(3)S4 + LANBilling (which is also the RADIUS and the DHCP server)

Here is my config:

 

aaa authentication login default local
aaa authentication login CONS none
aaa authentication login ISG-AUTH-1 group ISG-RADIUS
aaa authentication enable default enable
aaa authorization network default group ISG-RADIUS 
aaa authorization network ISG-AUTH-1 group ISG-RADIUS 
aaa authorization subscriber-service default local 
aaa authorization subscriber-service ISG-AUTH-1 group ISG-RADIUS 
aaa authorization console
aaa accounting network ISG-AUTH-1 start-stop group ISG-RADIUS
aaa accounting delay-start
aaa accounting jitter maximum 0
aaa accounting update periodic 1

!
!
!
aaa server radius dynamic-author
 client 91.109.224.23 server-key 
 client 91.109.224.25 server-key 
 port 1777
 auth-type any
 ignore session-key
 ignore server-key
!
!
radius-server attribute 44 extend-with-addr
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req 
radius-server attribute nas-port format d
radius-server attribute 31 mac format ietf 
radius-server dead-criteria time 120 tries 3
radius-server host 91.109.224.23 auth-port 1852 acct-port 1853
radius-server retry method reorder
radius-server retransmit 5
radius-server deadtime 3
radius-server key 7 XXXXXXXXXXXXXXXXX
radius-server vsa send cisco-nas-port
!
aaa group server radius ISG-RADIUS
 server 91.109.224.23 auth-port 1852 acct-port 1853
 server 91.109.224.25 auth-port 1852 acct-port 1853
 ip radius source-interface Port-channel10.10


access-list 197 permit tcp any any eq www
access-list 197 permit tcp any eq www any
access-list 197 deny   ip any any
access-list 198 permit udp any any eq domain
access-list 198 permit udp any eq domain any
access-list 198 permit tcp any host 91.109.224.25 eq www
access-list 198 permit tcp any host 91.109.224.25 eq 443
access-list 198 permit tcp any host 91.109.224.7 eq www
access-list 198 permit tcp any host 91.109.224.7 eq 443
access-list 198 permit tcp any host 192.168.77.20 eq www
access-list 198 permit icmp any any
access-list 198 deny   ip any any


interface Port-channel10.97
 description IPoE_ISG_FIXA
 encapsulation dot1Q 97
 vrf forwarding ipoe
 ip address 10.97.1.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 service-policy type control ISG-CUSTOMERS-POLICY
 ip subscriber routed
  initiator unclassified ip-address


policy-map type control ISG-CUSTOMERS-POLICY
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event session-start
  10 authorize aaa list ISG-AUTH-1 identifier source-ip-address
  20 set-timer UNAUTH-TIMER 3
  30 service-policy type service name SERVICE-TRUSTED
  40 service-policy type service name LOCAL_L4R
 !
 class type control always event radius-timeout
  1 service-policy type service name SERVICE-TRUSTED
  2 service-policy type service name LOCAL_L4R
 !
 class type control always event session-restart
  10 authorize aaa list ISG-AUTH-1 identifier source-ip-address
  20 set-timer UNAUTH-TIMER 3
  30 service-policy type service name SERVICE-TRUSTED
  40 service-policy type service name LOCAL-L4R
 !
 class type control always event account-logoff
  1 service disconnect delay 5

 

 

Thank you for your help!

 
