
ASR1002 + PPPoE

Dear gurus, I'm turning to you for help...

I'm configuring the PPPoE service on an ASR1002, fw asr1000rp1-advipservices.02.03.02.122-33.XNC2

I have two questions:

1. I can't figure out what's wrong: the box doesn't send periodic accounting updates. The start and stop packets do arrive.

2. How do I make it send the RADIUS server an attribute containing the circuit-id?

Config excerpts are below:

aaa new-model
!
!
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting nested
aaa accounting update periodic 2
aaa accounting network default start-stop group radius
!
!
!
!
!
aaa session-id common

.....

bba-group pppoe global
 virtual-template 2
 vendor-tag circuit-id service
 sessions per-mac limit 1
 sessions auto cleanup
!
.....
interface GigabitEthernet0/1/1
 no ip address
 media-type rj45
 negotiation auto
 pppoe enable group global
!
...

interface Virtual-Template2
 mtu 1492
 ip unnumbered GigabitEthernet0/1/0
 ip access-group 121 in
 ip access-group 112 out
 ip verify unicast source reachable-via rx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 no logging event link-status
 no peer default ip address
 ppp authentication ms-chap-v2
!
......

radius-server attribute 31 mac format ietf
radius-server attribute nas-port-id include circuit-id
radius-server configure-nas
radius-server host 172.10.1.1 auth-port 1812 acct-port 1813
radius-server timeout 30
radius-server key secret
radius-server authorization default Framed-Protocol ppp
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication

Link to post

On the first question:

- install the new IOS asr1000rp1-advipservicesk9.02.05.00.122-33.XNE.bin

- remove aaa accounting delay-start, and accounting will start flowing (Cisco currently has this hidden bug)

On the second: check which RADIUS attributes the ASR is able to send

Edited by alks

Link to post

> On the first question:
>
> - install the new IOS asr1000rp1-advipservicesk9.02.05.00.122-33.XNE.bin
>
> - remove aaa accounting delay-start, and accounting will start flowing (Cisco currently has this hidden bug)
>
> On the second: check which RADIUS attributes the ASR is able to send

Thanks for the reply.

- I tried removing aaa accounting delay-start on the old IOS; accounting did not start flowing. However, our billing system, NetUP, cannot bill traffic without this line, because we assign IP addresses to sessions dynamically... so we will either have to wait for miracles from the new IOS or keep billing from Netflow rather than accounting...

On the second: apparently it cannot send attribute 87, which carries NAS-Port-Id with the Circuit-Id -

http://www.cisco.com/en/US/docs/ios/ios_xe...de_Chapter.html

Although in the debug I do see the data I need: circuit-id-tag=00:A0:D1:66:AC:50::172.2.0.79::12

Jan 15 16:03:31.977: PPPoE: PADI Line-Id Tag type: 1, value: 00:A0:D1:66:AC:50::172.2.0.79::12

Jan 15 16:03:31.977: PPPoE 0: O PADO Stripped PPPoE Vendor Tag

Jan 15 16:03:31.979: [0]PPPoE: Session Circuit-id VSF Tag is 00:A0:D1:66:AC:50::172.2.0.79::12

Jan 15 16:03:31.979: PPPoE: PADR Line-Id Tag type: 1, value: 00:A0:D1:66:AC:50::172.2.0.79::12

Jan 15 16:03:31.980: PPPoE 1775: O PADS Stripped PPPoE Vendor Tag

Jan 15 16:03:32.024: RADIUS/ENCODE(000064CF):Orig. component type = PPoE

Jan 15 16:03:32.024: RADIUS(000064CF): Config NAS IP: 0.0.0.0

Jan 15 16:03:32.024: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included

Jan 15 16:03:32.024: RADIUS/ENCODE(000064CF): acct_session_id: 26183

Jan 15 16:03:32.024: RADIUS(000064CF): Config NAS IP: 0.0.0.0

Jan 15 16:03:32.024: RADIUS(000064CF): sending

Jan 15 16:03:32.024: RADIUS/ENCODE: Best Local IP-Address 172.10.1.10 for Radius-Server 172.10.1.1

Jan 15 16:03:32.024: RADIUS(000064CF): Send Access-Request to 172.10.1.1:1812 id 1645/210, len 369

Jan 15 16:03:32.024: RADIUS: authenticator AF 88 C1 CE 7D 25 A2 33 - 2E 1D A5 F8 CF 32 0B E1

Jan 15 16:03:32.024: RADIUS: Framed-Protocol [7] 6 PPP [1]

Jan 15 16:03:32.025: RADIUS: User-Name [1] 10 "keeper20"

Jan 15 16:03:32.025: RADIUS: Vendor, Microsoft [26] 24

Jan 15 16:03:32.025: RADIUS: MS-CHAP-Challenge [11] 18

Jan 15 16:03:32.025: RADIUS: AF 88 C1 CE 7D 25 A2 33 2E 1D A5 F8 CF 32 0B E1 [ }?3.2]

Jan 15 16:03:32.025: RADIUS: Vendor, Microsoft [26] 58

Jan 15 16:03:32.025: RADIUS: MS-CHAP-V2-Response[25] 52 *

Jan 15 16:03:32.025: RADIUS: Calling-Station-Id [31] 42 ":00-a0-d1-66-ac-50"

Jan 15 16:03:32.025: RADIUS: NAS-Port-Type [61] 6 PPPoEoVLAN [33]

Jan 15 16:03:32.025: RADIUS: NAS-Port [5] 6 0

Jan 15 16:03:32.025: RADIUS: NAS-Port-Id [87] 35 "00:A0:D1:66:AC:50::172.2.0.79::12"

Jan 15 16:03:32.025: RADIUS: Vendor, Cisco [26] 41

Jan 15 16:03:32.025: RADIUS: Cisco AVpair [1] 35 "client-mac-address=00a0.d166.ac50"

Jan 15 16:03:32.025: RADIUS: Vendor, Cisco [26] 56

Jan 15 16:03:32.025: RADIUS: Cisco AVpair [1] 50 "circuit-id-tag=00:A0:D1:66:AC:50::172.2.0.79::12"

Jan 15 16:03:32.025: RADIUS: Service-Type [6] 6 Framed [2]

Jan 15 16:03:32.025: RADIUS: NAS-IP-Address [4] 6 172.10.1.10

Jan 15 16:03:32.025: RADIUS: Acct-Session-Id [44] 18 "AC0A010A00006647"

Jan 15 16:03:32.025: RADIUS: Nas-Identifier [32] 29 "172.010.001.010=172.10.1.10"

Jan 15 16:03:32.025: RADIUS: Event-Timestamp [55] 6 1263571412

Jan 15 16:03:32.026: RADIUS: Received from id 1645/210 172.10.1.1:1812, Access-Accept, len 215

Jan 15 16:03:32.026: RADIUS: authenticator F6 32 DC 2C 96 84 66 31 - 64 58 5E CB 0D BE E6 DE

Jan 15 16:03:32.026: RADIUS: Service-Type [6] 6 Framed [2]

Jan 15 16:03:32.026: RADIUS: Framed-Protocol [7] 6 PPP [1]

Jan 15 16:03:32.026: RADIUS: Framed-IP-Address [8] 6 109.94.2.2

Jan 15 16:03:32.026: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.255

Jan 15 16:03:32.026: RADIUS: Session-Timeout [27] 6 86400

Jan 15 16:03:32.026: RADIUS: Acct-Interim-Interva[85] 6 61

Jan 15 16:03:32.026: RADIUS: Vendor, Microsoft [26] 12

Jan 15 16:03:32.026: RADIUS: MS-MPPE-Enc-Policy [7] 6

Jan 15 16:03:32.026: RADIUS: 00 00 00 01

Jan 15 16:03:32.026: RADIUS: Vendor, Microsoft [26] 12

Jan 15 16:03:32.026: RADIUS: MS-MPPE-Enc-Type [8] 6

Jan 15 16:03:32.026: RADIUS: 00 00 00 06

Jan 15 16:03:32.026: RADIUS: Vendor, Microsoft [26] 42

Jan 15 16:03:32.026: RADIUS: MS-MPPE-Send-Key [16] 36 *

Jan 15 16:03:32.026: RADIUS: Vendor, Microsoft [26] 42

Jan 15 16:03:32.027: RADIUS: MS-MPPE-Recv-Key [17] 36 *

Jan 15 16:03:32.027: RADIUS: Vendor, Microsoft [26] 51

Jan 15 16:03:32.027: RADIUS: MS-CHAP-V2-Success [26] 45 ".S=16686BA02E0804E66D2759BAD281DB33A83709E9"

Jan 15 16:03:32.027: RADIUS(000064CF): Received from id 1645/210

Jan 15 16:03:32.054: RADIUS/ENCODE(000064CF):Orig. component type = PPoE

Jan 15 16:03:32.054: RADIUS(000064CF): Config NAS IP: 0.0.0.0

Jan 15 16:03:32.054: RADIUS(000064CF): Config NAS IP: 0.0.0.0

Jan 15 16:03:32.054: RADIUS(000064CF): sending

Jan 15 16:03:32.055: RADIUS/ENCODE: Best Local IP-Address 172.10.1.10 for Radius-Server 172.10.1.1

Jan 15 16:03:32.055: RADIUS(000064CF): Send Accounting-Request to 172.10.1.1:1813 id 1646/43, len 346

Jan 15 16:03:32.055: RADIUS: authenticator B8 E0 2E 54 2B 67 95 1A - 20 A4 8F D0 E7 62 77 C3

Jan 15 16:03:32.055: RADIUS: Acct-Session-Id [44] 18 "AC0A010A00006647"

Jan 15 16:03:32.055: RADIUS: Framed-Protocol [7] 6 PPP [1]

Jan 15 16:03:32.055: RADIUS: Framed-IP-Address [8] 6 109.94.2.2

Jan 15 16:03:32.055: RADIUS: User-Name [1] 10 "keeper20"

Jan 15 16:03:32.055: RADIUS: Vendor, Cisco [26] 35

Jan 15 16:03:32.055: RADIUS: Cisco AVpair [1] 29 "connect-progress=LAN Ses Up"

Jan 15 16:03:32.055: RADIUS: Acct-Authentic [45] 6 RADIUS [1]

Jan 15 16:03:32.055: RADIUS: Acct-Status-Type [40] 6 Start [1]

Jan 15 16:03:32.055: RADIUS: Calling-Station-Id [31] 42 "::00-a0-d1-66-ac-50"

Jan 15 16:03:32.055: RADIUS: NAS-Port-Type [61] 6 PPPoEoVLAN [33]

Jan 15 16:03:32.055: RADIUS: NAS-Port [5] 6 0

Jan 15 16:03:32.055: RADIUS: NAS-Port-Id [87] 35 "00:A0:D1:66:AC:50::172.2.0.79::12"

Jan 15 16:03:32.055: RADIUS: Vendor, Cisco [26] 41

Jan 15 16:03:32.055: RADIUS: Cisco AVpair [1] 35 "client-mac-address=00a0.d166.ac50"

Jan 15 16:03:32.055: RADIUS: Vendor, Cisco [26] 56

Jan 15 16:03:32.055: RADIUS: Cisco AVpair [1] 50 "circuit-id-tag=00:A0:D1:66:AC:50::172.2.0.79::12"

Jan 15 16:03:32.055: RADIUS: Service-Type [6] 6 Framed [2]

Jan 15 16:03:32.055: RADIUS: NAS-IP-Address [4] 6 172.10.1.10

Jan 15 16:03:32.056: RADIUS: Event-Timestamp [55] 6 1263571412

Jan 15 16:03:32.056: RADIUS: Nas-Identifier [32] 29 "172.010.001.010=172.10.1.10"

Jan 15 16:03:32.056: RADIUS: Acct-Delay-Time [41] 6 0

Jan 15 16:03:32.057: RADIUS: Received from id 1646/43 172.10.1.1:1813, Accounting-response, len 20

Jan 15 16:03:32.057: RADIUS: authenticator AC 66 D5 F7 4D AE 98 CC - 14 9C 31 13 8C 11 6E 01

no debug radius

Edited by an-denis

Link to post
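
Added example, not part of the original thread: the Access-Request in the debug output above carries the circuit-id both in NAS-Port-Id [87] and in a Cisco AVpair circuit-id-tag, and this Python code shows how a RADIUS-side policy hook could use it to tie a login to its access port. The request dictionary, the `expected` record and the `<MAC>::<access-node IP>::<port>` layout of the tag are assumptions inferred from the sample value.

```python
import re

# Constructed sample: attributes copied from the Access-Request debug above.
SAMPLE_REQUEST = {
    "User-Name": "keeper20",
    "Calling-Station-Id": ":00-a0-d1-66-ac-50",
    "NAS-Port-Id": "00:A0:D1:66:AC:50::172.2.0.79::12",
    "Cisco-AVPair": [
        "client-mac-address=00a0.d166.ac50",
        "circuit-id-tag=00:A0:D1:66:AC:50::172.2.0.79::12",
    ],
}

def norm_mac(value):
    """Reduce any MAC notation to 12 lowercase hex digits, else None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value or "").lower()
    return digits if len(digits) == 12 else None

def avpair(request, key):
    """Value of the first Cisco-AVPair 'key=value' entry, or None."""
    for pair in request.get("Cisco-AVPair", []):
        name, sep, value = pair.partition("=")
        if sep and name == key:
            return value
    return None

def circuit_id(request):
    """Prefer the circuit-id-tag AVpair, fall back to NAS-Port-Id [87]."""
    return avpair(request, "circuit-id-tag") or request.get("NAS-Port-Id")

def parse_circuit_id(raw):
    """Split the ASSUMED '<MAC>::<access-node IP>::<port>' layout."""
    parts = (raw or "").split("::")
    if len(parts) != 3 or norm_mac(parts[0]) is None or not parts[2].isdigit():
        return None
    return {"mac": norm_mac(parts[0]), "node": parts[1], "port": int(parts[2])}

def check_binding(request, expected):
    """Reasons to reject; empty list = match. `expected` is a hypothetical record."""
    cid = parse_circuit_id(circuit_id(request))
    if cid is None:
        return ["circuit-id missing or malformed"]
    problems = []
    # Both MAC attributes must be present and agree with the MAC in the tag.
    seen = {norm_mac(avpair(request, "client-mac-address")),
            norm_mac(request.get("Calling-Station-Id"))}
    if seen != {cid["mac"]}:
        problems.append("MAC in circuit-id differs from session MAC")
    if (cid["node"], cid["port"]) != (expected["node"], expected["port"]):
        problems.append("login came from an unexpected access port")
    return problems
```

The binding is only as strong as the access node that inserts the tag: it has to overwrite any circuit-id supplied by the subscriber's own equipment.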

Sorry, is that ISG you have there, or pure PPPoE?

accounting aaa list -- that is missing as well

Pure PPPoE.

Could this be it?

sh aaa attributes

 

AAA ATTRIBUTE LIST:

Type=1 Name=disc-cause-ext Format=Enum

Type=2 Name=Acct-Status-Type Format=Enum

Type=3 Name=Tunnel-Packets-Lost Format=Ulong

Type=4 Name=acl Format=Ulong

Type=5 Name=auth-services Format=Enum

Type=6 Name=auto-logon-service Format=String

Type=7 Name=azn-tag Format=String

Type=8 Name=addr Format=IPv4 Address

Type=9 Name=svc-assigned-ipv4-address Format=IPv4 Address

Type=10 Name=addrv6 Format=String

Type=11 Name=addr-pool Format=String

Type=12 Name=subscriber-route Format=String

Type=13 Name=asyncmap Format=Ulong

Type=14 Name=Authentic Format=Enum

Type=15 Name=autocmd Format=String

Type=16 Name=autocmd_ipprompt Format=String

Type=17 Name=authen-status Format=Enum

Type=18 Name=authen-type Format=Enum

Type=19 Name=authen-method Format=Enum

Type=20 Name=authen-strength Format=Enum

Type=21 Name=callback-dialstring Format=String

Type=22 Name=callback-line Format=Ulong

Type=23 Name=nocallback-verify Format=Ulong

Type=24 Name=callback-rotary Format=Ulong

Type=25 Name=call-drops Format=Ulong

Type=26 Name=call_type Format=String

Type=27 Name=force-local-chap Format=Boolean

Type=28 Name=call-origin-endpt Format=String

Type=29 Name=call-origin-endpt-type Format=Enum

Type=30 Name=challenge Format=Binary

Type=31 Name=id Format=Ulong

Type=32 Name=response Format=Binary

Type=33 Name=nas-connect-info Format=String

Type=34 Name=user-data Format=Binary

Type=35 Name=server-data Format=Binary

Type=36 Name=clid Format=String

Type=37 Name=clid-mac-addr Format=Binary

Type=38 Name=formatted-clid Format=String

Type=39 Name=circuit-id-tag Format=String

Type=40 Name=remote-id-tag Format=String

Type=41 Name=vendor-class-id-tag Format=String

Type=42 Name=caller-type-of-number Format=String

Type=43 Name=session-limit Format=Ulong

Type=44 Name=client-mac-address Format=String

Type=45 Name=protocolVersion Format=String

Type=46 Name=peerMode Format=Enum

Type=47 Name=keepalivePeriod Format=Ulong

Type=48 Name=informOwnerOnPull Format=Enum

Type=49 Name=acct-flows Format=Ulong

Type=50 Name=acct-flows-duration Format=Ulong

Type=51 Name=actual-data-rate-upstream Format=Ulong

Type=52 Name=actual-data-rate-downstream Format=Ulong

Type=53 Name=minimum-data-rate-upstream Format=Ulong

Type=54 Name=minimum-data-rate-downstream Format=Ulong

Type=55 Name=attainable-data-rate-upstream Format=Ulong

Type=56 Name=attainable-data-rate-downstrea Format=Ulong

Type=57 Name=maximum-data-rate-upstream Format=Ulong

Type=58 Name=maximum-data-rate-downstream Format=Ulong

Type=59 Name=minimum-data-rate-upstream-low Format=Ulong

Type=60 Name=minimum-data-rate-downstream-l Format=Ulong

Type=61 Name=maximum-interleaving-delay-ups Format=Ulong

Type=62 Name=maximum-interleaving-delay-dow Format=Ulong

Type=63 Name=actual-interleaving-delay-upst Format=Ulong

Type=64 Name=actual-interleaving-delay-down Format=Ulong

Type=65 Name=interworking-functionality-tag Format=Boolean

Type=66 Name=reporting-reason Format=Ulong

Type=67 Name=cmd Format=String

Type=68 Name=cmd-arg Format=String

Type=69 Name=connect-progress Format=Enum

Type=70 Name=connect-rx-speed Format=Ulong

Type=71 Name=connect-tx-speed Format=Ulong

Type=72 Name=nas-rx-speed Format=Ulong

Type=73 Name=data-service Format=Ulong

Type=74 Name=dial-number Format=String

Type=75 Name=dnis Format=String

Type=76 Name=dns-servers Format=String

Type=77 Name=auto-update Format=String

Type=78 Name=primary-dns Format=IPv4 Address

Type=79 Name=secondary-dns Format=IPv4 Address

Type=80 Name=EAP-Message Format=String

Type=81 Name=assign-client-dns Format=Ulong

Type=82 Name=email_server_ack_flag Format=String

Type=83 Name=event Format=String

Type=84 Name=reason Format=String

Type=85 Name=fax_account_id_origin Format=String

Type=86 Name=fax_auth_status Format=String

Type=87 Name=fax_connect_speed Format=String

Type=88 Name=fax_coverpage_flag Format=Boolean

Type=89 Name=fax_dsn_address Format=IPv4 Address

Type=90 Name=fax_dsn_flag Format=Boolean

Type=91 Name=fax_mdn_address Format=String

Type=92 Name=fax_mdn_flag Format=String

Type=93 Name=fax_msg_id Format=String

Type=94 Name=fax_modem_time Format=String

Type=95 Name=fax_pages Format=String

Type=96 Name=abort_cause Format=String

Type=97 Name=email_server_address Format=String

Type=98 Name=fax_process_abort_flag Format=Boolean

Type=99 Name=fax_recipient_count Format=Ulong

Type=100 Name=filter-cache-refresh Format=Enum

Type=101 Name=filter-cache-time Format=Ulong

Type=102 Name=filter-required Format=Enum

Type=103 Name=Framed-Protocol Format=Enum

Type=104 Name=Framed-MTU Format=Ulong

Type=105 Name=force-56 Format=Boolean

Type=106 Name=gateway_id Format=String

Type=107 Name=h323-billing-model Format=String

Type=108 Name=h323-call-origin Format=String

Type=109 Name=h323-call-type Format=String

Type=110 Name=h323-conf-id Format=String

Type=111 Name=h323-connect-time Format=String

Type=112 Name=h323-credit-amount Format=String

Type=113 Name=h323-credit-time Format=String

Type=114 Name=h323-currency Format=String

Type=115 Name=h323-disconnect-cause Format=String

Type=116 Name=h323-disconnect-time Format=String

Type=117 Name=h323-gw-id Format=String

Type=118 Name=h323-incoming-conf-id Format=String

Type=119 Name=h323-ivr-in Format=String

Type=120 Name=h323-ivr-out Format=String

Type=121 Name=h323-preferred-lang Format=String

Type=122 Name=h323-prompt-id Format=String

Type=123 Name=h323-redirect-ip-address Format=String

Type=124 Name=h323-redirect-number Format=String

Type=125 Name=h323-remote-address Format=String

Type=126 Name=h323-remote-id Format=String

Type=127 Name=h323-return-code Format=String

Type=128 Name=h323-setup-time Format=String

Type=129 Name=h323-time-and-day Format=String

Type=130 Name=h323-voice-quality Format=String

Type=131 Name=subscriber Format=String

Type=132 Name=release-source Format=Enum

Type=133 Name=idletime Format=Ulong

Type=134 Name=call-inacl Format=String

Type=135 Name=inacl Format=String

Type=136 Name=input-giga-words Form

....

 

 

Link to post

I have this for PPTP

 interface Virtual-Template1
ip unnumbered Loopback0
...
ppp authentication pap ms-chap-v2 RADIUS
ppp accounting RADIUS

aaa accounting network RADIUS start-stop group RADIUS-SERVER

 

aaa group server radius RADIUS-SERVER
server 192.168.1.1 auth-port 1812 acct-port 1813
ip radius source-interface FastEthernet0/0
attribute nas-port format e UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
deadtime 10

Link to post

> I have this for PPTP
>
>  interface Virtual-Template1
> ip unnumbered Loopback0
> ...
> ppp authentication pap ms-chap-v2 RADIUS
> ppp accounting RADIUS
>
> aaa accounting network RADIUS start-stop group RADIUS-SERVER
>
> aaa group server radius RADIUS-SERVER
> server 192.168.1.1 auth-port 1812 acct-port 1813
> ip radius source-interface FastEthernet0/0
> attribute nas-port format e UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
> deadtime 10

On the 7201 Ciscos both accounting and PPTP work, but on the ASR not yet...

Essentially I have the same thing configured: it doesn't complain about the ppp accounting ... line, but it doesn't show it in sh run int virtual-template 2 either.

Using Feature Navigator I found that my IOS doesn't have the "AAA Interim Accounting" feature at all, which is the one responsible for periodic accounting:

"This feature can be used to enable the network access server to send periodic accounting records about a subscriber's session at a predefined interval. Interim accounting records can use Radius or Tacacs+ protocol for transmitting the accounting records."

In short, I'm waiting for a fresh IOS from Cisco, since they promised one (we have a service contract); I'll report back with the results.

Link to post

> Using Feature Navigator I found that my IOS doesn't have the "AAA Interim Accounting" feature at all, which is the one responsible for periodic accounting:
>
> "This feature can be used to enable the network access server to send periodic accounting records about a subscriber's session at a predefined interval. Interim accounting records can use Radius or Tacacs+ protocol for transmitting the accounting records."

I didn't quite understand the part about periodic accounting.

On the ASR I tried both L2TP and PPPoE: with L2TP accounting works normally, everything as it should be, but with PPPoE it really is only start/stop, without periodic updates. For now we only run L2TP on the ASR.

Link to post
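
Added example, not part of the original thread: a RADIUS-server-side check for the symptom discussed here (Start and Stop arrive, interim updates never do), usable to verify a fix after an IOS upgrade. The record tuples and every Acct-Session-Id except the first are constructed; the 61-second interval is the Acct-Interim-Interval from the Access-Accept in the debug output.

```python
# Constructed accounting records: (unix time, Acct-Session-Id, Acct-Status-Type)
SAMPLE_RECORDS = [
    (1000, "AC0A010A00006647", "Start"),
    (1000, "AC0A010A00006648", "Start"),
    (1061, "AC0A010A00006648", "Interim-Update"),
    (1122, "AC0A010A00006648", "Interim-Update"),
    (1130, "AC0A010A00006649", "Start"),
    (1150, "AC0A010A00006649", "Stop"),
]


def silent_sessions(records, now, interval, grace=2):
    """Open sessions with no accounting record for more than grace*interval s.

    Returns sorted (session id, seconds silent, interim updates seen) tuples.
    Zero interim updates on a long-lived session is the PPPoE symptom from
    the thread; a non-zero count points at updates that stopped later.
    """
    state = {}  # session id -> [time of last record, interim updates seen]
    for ts, sid, status in sorted(records):
        if status == "Stop":
            state.pop(sid, None)          # session closed, nothing to watch
        elif status == "Start":
            state[sid] = [ts, 0]
        elif status == "Interim-Update":
            entry = state.setdefault(sid, [ts, 0])  # tolerate a lost Start
            entry[0] = ts
            entry[1] += 1
    limit = grace * interval
    return sorted((sid, now - last, interims)
                  for sid, (last, interims) in state.items()
                  if now - last > limit)
```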

> On the first question:
>
> - install the new IOS asr1000rp1-advipservicesk9.02.05.00.122-33.XNE.bin
>
> - remove aaa accounting delay-start, and accounting will start flowing (Cisco currently has this hidden bug)
>
> On the second: check which RADIUS attributes the ASR is able to send

Ah, I wish I had that IOS... would you share it? :)
