an-denis Posted January 20, 2010

Dear gurus, I am turning to you for help... I am setting up the PPPoE service on an ASR1002, fw asr1000rp1-advipservices.02.03.02.122-33.XNC2

I have two questions:
1. I don't understand what is wrong: the box does not send periodic accounting updates. Start and stop packets do arrive.
2. How do I make it send the RADIUS server an attribute containing the circuit-id?

Below are pieces of the config:

aaa new-model
!
!
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting nested
aaa accounting update periodic 2
aaa accounting network default start-stop group radius
!
!
!
!
!
aaa session-id common
.....
bba-group pppoe global
 virtual-template 2
 vendor-tag circuit-id service
 sessions per-mac limit 1
 sessions auto cleanup
!
.....
interface GigabitEthernet0/1/1
 no ip address
 media-type rj45
 negotiation auto
 pppoe enable group global
!
...
interface Virtual-Template2
 mtu 1492
 ip unnumbered GigabitEthernet0/1/0
 ip access-group 121 in
 ip access-group 112 out
 ip verify unicast source reachable-via rx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 no logging event link-status
 no peer default ip address
 ppp authentication ms-chap-v2
!
......
radius-server attribute 31 mac format ietf
radius-server attribute nas-port-id include circuit-id
radius-server configure-nas
radius-server host 172.10.1.1 auth-port 1812 acct-port 1813
radius-server timeout 30
radius-server key secret
radius-server authorization default Framed-Protocol ppp
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication

alks Posted January 21, 2010

On the first question:
- install the new IOS asr1000rp1-advipservicesk9.02.05.00.122-33.XNE.bin
- remove aaa accounting delay-start
- and accounting will start flowing (Cisco currently has a hidden bug like this)

On the second: look at which RADIUS attributes the ASR is able to send.

Edited January 21, 2010 by alks

an-denis (Author) Posted January 21, 2010

> On the first question:
> - install the new IOS asr1000rp1-advipservicesk9.02.05.00.122-33.XNE.bin
> - remove aaa accounting delay-start
> - and accounting will start flowing (Cisco currently has a hidden bug like this)
>
> On the second: look at which RADIUS attributes the ASR is able to send.

Thank you for the answer.

I tried removing aaa accounting delay-start on the old IOS: accounting did not start flowing. However, our billing system, NetUP, cannot rate traffic without this line, because we assign IP addresses to sessions dynamically... so we will either have to wait for miracles from the new IOS, or keep billing from Netflow rather than accounting...

On the second: apparently it cannot send attribute 87, in which the NAS-Port-Id with the Circuit-Id is carried - http://www.cisco.com/en/US/docs/ios/ios_xe...de_Chapter.html

Although in the debug I do see the data I need: circuit-id-tag=00:A0:D1:66:AC:50::172.2.0.79::12

Jan 15 16:03:31.977: PPPoE: PADI Line-Id Tag type: 1, value: 00:A0:D1:66:AC:50::172.2.0.79::12
Jan 15 16:03:31.977: PPPoE 0: O PADO Stripped PPPoE Vendor Tag
Jan 15 16:03:31.979: [0]PPPoE: Session Circuit-id VSF Tag is 00:A0:D1:66:AC:50::172.2.0.79::12
Jan 15 16:03:31.979: PPPoE: PADR Line-Id Tag type: 1, value: 00:A0:D1:66:AC:50::172.2.0.79::12
Jan 15 16:03:31.980: PPPoE 1775: O PADS Stripped PPPoE Vendor Tag
Jan 15 16:03:32.024: RADIUS/ENCODE(000064CF):Orig. component type = PPoE
Jan 15 16:03:32.024: RADIUS(000064CF): Config NAS IP: 0.0.0.0
Jan 15 16:03:32.024: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
Jan 15 16:03:32.024: RADIUS/ENCODE(000064CF): acct_session_id: 26183
Jan 15 16:03:32.024: RADIUS(000064CF): Config NAS IP: 0.0.0.0
Jan 15 16:03:32.024: RADIUS(000064CF): sending
Jan 15 16:03:32.024: RADIUS/ENCODE: Best Local IP-Address 172.10.1.10 for Radius-Server 172.10.1.1
Jan 15 16:03:32.024: RADIUS(000064CF): Send Access-Request to 172.10.1.1:1812 id 1645/210, len 369
Jan 15 16:03:32.024: RADIUS: authenticator AF 88 C1 CE 7D 25 A2 33 - 2E 1D A5 F8 CF 32 0B E1
Jan 15 16:03:32.024: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jan 15 16:03:32.025: RADIUS: User-Name [1] 10 "keeper20"
Jan 15 16:03:32.025: RADIUS: Vendor, Microsoft [26] 24
Jan 15 16:03:32.025: RADIUS: MS-CHAP-Challenge [11] 18
Jan 15 16:03:32.025: RADIUS: AF 88 C1 CE 7D 25 A2 33 2E 1D A5 F8 CF 32 0B E1 [ }?3.2]
Jan 15 16:03:32.025: RADIUS: Vendor, Microsoft [26] 58
Jan 15 16:03:32.025: RADIUS: MS-CHAP-V2-Response[25] 52 *
Jan 15 16:03:32.025: RADIUS: Calling-Station-Id [31] 42 ":00-a0-d1-66-ac-50"
Jan 15 16:03:32.025: RADIUS: NAS-Port-Type [61] 6 PPPoEoVLAN [33]
Jan 15 16:03:32.025: RADIUS: NAS-Port [5] 6 0
Jan 15 16:03:32.025: RADIUS: NAS-Port-Id [87] 35 "00:A0:D1:66:AC:50::172.2.0.79::12"
Jan 15 16:03:32.025: RADIUS: Vendor, Cisco [26] 41
Jan 15 16:03:32.025: RADIUS: Cisco AVpair [1] 35 "client-mac-address=00a0.d166.ac50"
Jan 15 16:03:32.025: RADIUS: Vendor, Cisco [26] 56
Jan 15 16:03:32.025: RADIUS: Cisco AVpair [1] 50 "circuit-id-tag=00:A0:D1:66:AC:50::172.2.0.79::12"
Jan 15 16:03:32.025: RADIUS: Service-Type [6] 6 Framed [2]
Jan 15 16:03:32.025: RADIUS: NAS-IP-Address [4] 6 172.10.1.10
Jan 15 16:03:32.025: RADIUS: Acct-Session-Id [44] 18 "AC0A010A00006647"
Jan 15 16:03:32.025: RADIUS: Nas-Identifier [32] 29 "172.010.001.010=172.10.1.10"
Jan 15 16:03:32.025: RADIUS: Event-Timestamp [55] 6 1263571412
Jan 15 16:03:32.026: RADIUS: Received from id 1645/210 172.10.1.1:1812, Access-Accept, len 215
Jan 15 16:03:32.026: RADIUS: authenticator F6 32 DC 2C 96 84 66 31 - 64 58 5E CB 0D BE E6 DE
Jan 15 16:03:32.026: RADIUS: Service-Type [6] 6 Framed [2]
Jan 15 16:03:32.026: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jan 15 16:03:32.026: RADIUS: Framed-IP-Address [8] 6 109.94.2.2
Jan 15 16:03:32.026: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.255
Jan 15 16:03:32.026: RADIUS: Session-Timeout [27] 6 86400
Jan 15 16:03:32.026: RADIUS: Acct-Interim-Interva[85] 6 61
Jan 15 16:03:32.026: RADIUS: Vendor, Microsoft [26] 12
Jan 15 16:03:32.026: RADIUS: MS-MPPE-Enc-Policy [7] 6
Jan 15 16:03:32.026: RADIUS: 00 00 00 01
Jan 15 16:03:32.026: RADIUS: Vendor, Microsoft [26] 12
Jan 15 16:03:32.026: RADIUS: MS-MPPE-Enc-Type [8] 6
Jan 15 16:03:32.026: RADIUS: 00 00 00 06
Jan 15 16:03:32.026: RADIUS: Vendor, Microsoft [26] 42
Jan 15 16:03:32.026: RADIUS: MS-MPPE-Send-Key [16] 36 *
Jan 15 16:03:32.026: RADIUS: Vendor, Microsoft [26] 42
Jan 15 16:03:32.027: RADIUS: MS-MPPE-Recv-Key [17] 36 *
Jan 15 16:03:32.027: RADIUS: Vendor, Microsoft [26] 51
Jan 15 16:03:32.027: RADIUS: MS-CHAP-V2-Success [26] 45 ".S=16686BA02E0804E66D2759BAD281DB33A83709E9"
Jan 15 16:03:32.027: RADIUS(000064CF): Received from id 1645/210
Jan 15 16:03:32.054: RADIUS/ENCODE(000064CF):Orig. component type = PPoE
Jan 15 16:03:32.054: RADIUS(000064CF): Config NAS IP: 0.0.0.0
Jan 15 16:03:32.054: RADIUS(000064CF): Config NAS IP: 0.0.0.0
Jan 15 16:03:32.054: RADIUS(000064CF): sending
Jan 15 16:03:32.055: RADIUS/ENCODE: Best Local IP-Address 172.10.1.10 for Radius-Server 172.10.1.1
Jan 15 16:03:32.055: RADIUS(000064CF): Send Accounting-Request to 172.10.1.1:1813 id 1646/43, len 346
Jan 15 16:03:32.055: RADIUS: authenticator B8 E0 2E 54 2B 67 95 1A - 20 A4 8F D0 E7 62 77 C3
Jan 15 16:03:32.055: RADIUS: Acct-Session-Id [44] 18 "AC0A010A00006647"
Jan 15 16:03:32.055: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jan 15 16:03:32.055: RADIUS: Framed-IP-Address [8] 6 109.94.2.2
Jan 15 16:03:32.055: RADIUS: User-Name [1] 10 "keeper20"
Jan 15 16:03:32.055: RADIUS: Vendor, Cisco [26] 35
Jan 15 16:03:32.055: RADIUS: Cisco AVpair [1] 29 "connect-progress=LAN Ses Up"
Jan 15 16:03:32.055: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
Jan 15 16:03:32.055: RADIUS: Acct-Status-Type [40] 6 Start [1]
Jan 15 16:03:32.055: RADIUS: Calling-Station-Id [31] 42 "::00-a0-d1-66-ac-50"
Jan 15 16:03:32.055: RADIUS: NAS-Port-Type [61] 6 PPPoEoVLAN [33]
Jan 15 16:03:32.055: RADIUS: NAS-Port [5] 6 0
Jan 15 16:03:32.055: RADIUS: NAS-Port-Id [87] 35 "00:A0:D1:66:AC:50::172.2.0.79::12"
Jan 15 16:03:32.055: RADIUS: Vendor, Cisco [26] 41
Jan 15 16:03:32.055: RADIUS: Cisco AVpair [1] 35 "client-mac-address=00a0.d166.ac50"
Jan 15 16:03:32.055: RADIUS: Vendor, Cisco [26] 56
Jan 15 16:03:32.055: RADIUS: Cisco AVpair [1] 50 "circuit-id-tag=00:A0:D1:66:AC:50::172.2.0.79::12"
Jan 15 16:03:32.055: RADIUS: Service-Type [6] 6 Framed [2]
Jan 15 16:03:32.055: RADIUS: NAS-IP-Address [4] 6 172.10.1.10
Jan 15 16:03:32.056: RADIUS: Event-Timestamp [55] 6 1263571412
Jan 15 16:03:32.056: RADIUS: Nas-Identifier [32] 29 "172.010.001.010=172.10.1.10"
Jan 15 16:03:32.056: RADIUS: Acct-Delay-Time [41] 6 0
Jan 15 16:03:32.057: RADIUS: Received from id 1646/43 172.10.1.1:1813, Accounting-response, len 20
Jan 15 16:03:32.057: RADIUS: authenticator AC 66 D5 F7 4D AE 98 CC - 14 9C 31 13 8C 11 6E 01
no debug radius

Edited January 21, 2010 by an-denis

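Both questions in this thread can be checked from the debug radius output in the post above. The Python below is an added example, not code from any poster or from Cisco: it groups the decoded attribute lines by packet and reports, per Acct-Session-Id, which Acct-Status-Type codes were sent and whether NAS-Port-Id [87] carries the circuit-id. It assumes one login per capture and the standard RADIUS type numbers 40, 44, 85 and 87; the function names are hypothetical.

```python
import re

# Excerpt of the `debug radius` output quoted in the post above.
SAMPLE = """\
Jan 15 16:03:32.026: RADIUS: Received from id 1645/210 172.10.1.1:1812, Access-Accept, len 215
Jan 15 16:03:32.026: RADIUS: Acct-Interim-Interva[85] 6 61
Jan 15 16:03:32.055: RADIUS(000064CF): Send Accounting-Request to 172.10.1.1:1813 id 1646/43, len 346
Jan 15 16:03:32.055: RADIUS: Acct-Session-Id [44] 18 "AC0A010A00006647"
Jan 15 16:03:32.055: RADIUS: Acct-Status-Type [40] 6 Start [1]
Jan 15 16:03:32.055: RADIUS: NAS-Port-Id [87] 35 "00:A0:D1:66:AC:50::172.2.0.79::12"
Jan 15 16:03:32.055: RADIUS: Vendor, Cisco [26] 56
Jan 15 16:03:32.055: RADIUS: Cisco AVpair [1] 50 "circuit-id-tag=00:A0:D1:66:AC:50::172.2.0.79::12"
"""

HDR = re.compile(r"RADIUS(?:\(\w+\))?: (?:Send ([\w-]+) to|Received from id \S+ \S+, ([\w-]+), len)")
ATTR = re.compile(r"RADIUS:\s+(.+?)\s*\[(\d+)\]\s+\d+\s*(.*?)(?:\s*\[(\d+)\])?\s*$")

def parse_packets(text):
    """Group decoded attribute lines under the packet header that precedes them."""
    packets, in_vsa = [], False
    for line in text.splitlines():
        h = HDR.search(line)
        if h:
            packets.append({"code": h[1] or h[2], "attrs": {}, "enum": {}, "avpairs": {}})
            in_vsa = False
            continue
        a = ATTR.search(line)
        if not a or not packets:
            continue
        name, num, value, enum = a[1], int(a[2]), a[3].strip('"'), a[4]
        if name.startswith("Vendor,"):
            in_vsa = True                  # the next attribute line is the VSA payload
        elif in_vsa:
            key, sep, val = value.partition("=")
            packets[-1]["avpairs"][key if sep else name] = val if sep else value
            in_vsa = False
        else:
            packets[-1]["attrs"][num] = value   # keyed by type number: debug truncates names
            packets[-1]["enum"][num] = int(enum) if enum else None
    return packets

def session_report(packets):
    """Per Acct-Session-Id (44): status codes seen, interim interval, circuit-id placement."""
    # Assumption: one login per capture, so the first Acct-Interim-Interval (85) applies.
    interval = next((int(p["attrs"][85]) for p in packets if 85 in p["attrs"]), None)
    report = {}
    for p in [q for q in packets if q["code"] == "Accounting-Request"]:
        r = report.setdefault(p["attrs"].get(44), {"status": set(), "interval": interval})
        r["status"].add(p["enum"].get(40))
        cid = p["avpairs"].get("circuit-id-tag")
        r["circuit_id_in_87"] = cid is not None and p["attrs"].get(87) == cid
        # Status 3 is Interim-Update; absence only counts if the capture outlasts the interval.
        r["interim_seen"] = 3 in r["status"]
    return report
```

On this excerpt the report for session AC0A010A00006647 shows status {1} (Start only), interval 61 and circuit_id_in_87 True.
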
alks Posted January 21, 2010

Pardon, do you have ISG there or plain PPPoE?

accounting aaa list -- is also missing

an-denis (Author) Posted January 21, 2010

> Pardon, do you have ISG there or plain PPPoE?
>
> accounting aaa list -- is also missing

Plain PPPoE.

Could this be it?

sh aaa attributes
AAA ATTRIBUTE LIST:
Type=1 Name=disc-cause-ext Format=Enum
Type=2 Name=Acct-Status-Type Format=Enum
Type=3 Name=Tunnel-Packets-Lost Format=Ulong
Type=4 Name=acl Format=Ulong
Type=5 Name=auth-services Format=Enum
Type=6 Name=auto-logon-service Format=String
Type=7 Name=azn-tag Format=String
Type=8 Name=addr Format=IPv4 Address
Type=9 Name=svc-assigned-ipv4-address Format=IPv4 Address
Type=10 Name=addrv6 Format=String
Type=11 Name=addr-pool Format=String
Type=12 Name=subscriber-route Format=String
Type=13 Name=asyncmap Format=Ulong
Type=14 Name=Authentic Format=Enum
Type=15 Name=autocmd Format=String
Type=16 Name=autocmd_ipprompt Format=String
Type=17 Name=authen-status Format=Enum
Type=18 Name=authen-type Format=Enum
Type=19 Name=authen-method Format=Enum
Type=20 Name=authen-strength Format=Enum
Type=21 Name=callback-dialstring Format=String
Type=22 Name=callback-line Format=Ulong
Type=23 Name=nocallback-verify Format=Ulong
Type=24 Name=callback-rotary Format=Ulong
Type=25 Name=call-drops Format=Ulong
Type=26 Name=call_type Format=String
Type=27 Name=force-local-chap Format=Boolean
Type=28 Name=call-origin-endpt Format=String
Type=29 Name=call-origin-endpt-type Format=Enum
Type=30 Name=challenge Format=Binary
Type=31 Name=id Format=Ulong
Type=32 Name=response Format=Binary
Type=33 Name=nas-connect-info Format=String
Type=34 Name=user-data Format=Binary
Type=35 Name=server-data Format=Binary
Type=36 Name=clid Format=String
Type=37 Name=clid-mac-addr Format=Binary
Type=38 Name=formatted-clid Format=String
Type=39 Name=circuit-id-tag Format=String
Type=40 Name=remote-id-tag Format=String
Type=41 Name=vendor-class-id-tag Format=String
Type=42 Name=caller-type-of-number Format=String
Type=43 Name=session-limit Format=Ulong
Type=44 Name=client-mac-address Format=String
Type=45 Name=protocolVersion Format=String
Type=46 Name=peerMode Format=Enum
Type=47 Name=keepalivePeriod Format=Ulong
Type=48 Name=informOwnerOnPull Format=Enum
Type=49 Name=acct-flows Format=Ulong
Type=50 Name=acct-flows-duration Format=Ulong
Type=51 Name=actual-data-rate-upstream Format=Ulong
Type=52 Name=actual-data-rate-downstream Format=Ulong
Type=53 Name=minimum-data-rate-upstream Format=Ulong
Type=54 Name=minimum-data-rate-downstream Format=Ulong
Type=55 Name=attainable-data-rate-upstream Format=Ulong
Type=56 Name=attainable-data-rate-downstrea Format=Ulong
Type=57 Name=maximum-data-rate-upstream Format=Ulong
Type=58 Name=maximum-data-rate-downstream Format=Ulong
Type=59 Name=minimum-data-rate-upstream-low Format=Ulong
Type=60 Name=minimum-data-rate-downstream-l Format=Ulong
Type=61 Name=maximum-interleaving-delay-ups Format=Ulong
Type=62 Name=maximum-interleaving-delay-dow Format=Ulong
Type=63 Name=actual-interleaving-delay-upst Format=Ulong
Type=64 Name=actual-interleaving-delay-down Format=Ulong
Type=65 Name=interworking-functionality-tag Format=Boolean
Type=66 Name=reporting-reason Format=Ulong
Type=67 Name=cmd Format=String
Type=68 Name=cmd-arg Format=String
Type=69 Name=connect-progress Format=Enum
Type=70 Name=connect-rx-speed Format=Ulong
Type=71 Name=connect-tx-speed Format=Ulong
Type=72 Name=nas-rx-speed Format=Ulong
Type=73 Name=data-service Format=Ulong
Type=74 Name=dial-number Format=String
Type=75 Name=dnis Format=String
Type=76 Name=dns-servers Format=String
Type=77 Name=auto-update Format=String
Type=78 Name=primary-dns Format=IPv4 Address
Type=79 Name=secondary-dns Format=IPv4 Address
Type=80 Name=EAP-Message Format=String
Type=81 Name=assign-client-dns Format=Ulong
Type=82 Name=email_server_ack_flag Format=String
Type=83 Name=event Format=String
Type=84 Name=reason Format=String
Type=85 Name=fax_account_id_origin Format=String
Type=86 Name=fax_auth_status Format=String
Type=87 Name=fax_connect_speed Format=String
Type=88 Name=fax_coverpage_flag Format=Boolean
Type=89 Name=fax_dsn_address Format=IPv4 Address
Type=90 Name=fax_dsn_flag Format=Boolean
Type=91 Name=fax_mdn_address Format=String
Type=92 Name=fax_mdn_flag Format=String
Type=93 Name=fax_msg_id Format=String
Type=94 Name=fax_modem_time Format=String
Type=95 Name=fax_pages Format=String
Type=96 Name=abort_cause Format=String
Type=97 Name=email_server_address Format=String
Type=98 Name=fax_process_abort_flag Format=Boolean
Type=99 Name=fax_recipient_count Format=Ulong
Type=100 Name=filter-cache-refresh Format=Enum
Type=101 Name=filter-cache-time Format=Ulong
Type=102 Name=filter-required Format=Enum
Type=103 Name=Framed-Protocol Format=Enum
Type=104 Name=Framed-MTU Format=Ulong
Type=105 Name=force-56 Format=Boolean
Type=106 Name=gateway_id Format=String
Type=107 Name=h323-billing-model Format=String
Type=108 Name=h323-call-origin Format=String
Type=109 Name=h323-call-type Format=String
Type=110 Name=h323-conf-id Format=String
Type=111 Name=h323-connect-time Format=String
Type=112 Name=h323-credit-amount Format=String
Type=113 Name=h323-credit-time Format=String
Type=114 Name=h323-currency Format=String
Type=115 Name=h323-disconnect-cause Format=String
Type=116 Name=h323-disconnect-time Format=String
Type=117 Name=h323-gw-id Format=String
Type=118 Name=h323-incoming-conf-id Format=String
Type=119 Name=h323-ivr-in Format=String
Type=120 Name=h323-ivr-out Format=String
Type=121 Name=h323-preferred-lang Format=String
Type=122 Name=h323-prompt-id Format=String
Type=123 Name=h323-redirect-ip-address Format=String
Type=124 Name=h323-redirect-number Format=String
Type=125 Name=h323-remote-address Format=String
Type=126 Name=h323-remote-id Format=String
Type=127 Name=h323-return-code Format=String
Type=128 Name=h323-setup-time Format=String
Type=129 Name=h323-time-and-day Format=String
Type=130 Name=h323-voice-quality Format=String
Type=131 Name=subscriber Format=String
Type=132 Name=release-source Format=Enum
Type=133 Name=idletime Format=Ulong
Type=134 Name=call-inacl Format=String
Type=135 Name=inacl Format=String
Type=136 Name=input-giga-words Form ....

sirmax Posted January 21, 2010

For PPTP I have this:

interface Virtual-Template1
 ip unnumbered Loopback0
 ...
 ppp authentication pap ms-chap-v2 RADIUS
 ppp accounting RADIUS
aaa accounting network RADIUS start-stop group RADIUS-SERVER
aaa group server radius RADIUS-SERVER
 server 192.168.1.1 auth-port 1812 acct-port 1813
 ip radius source-interface FastEthernet0/0
 attribute nas-port format e UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
 deadtime 10

an-denis (Author) Posted January 21, 2010

> For PPTP I have this:
>
> interface Virtual-Template1
>  ip unnumbered Loopback0
>  ...
>  ppp authentication pap ms-chap-v2 RADIUS
>  ppp accounting RADIUS
> aaa accounting network RADIUS start-stop group RADIUS-SERVER
> aaa group server radius RADIUS-SERVER
>  server 192.168.1.1 auth-port 1812 acct-port 1813
>  ip radius source-interface FastEthernet0/0
>  attribute nas-port format e UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
>  deadtime 10

On the 7201 Ciscos both accounting and PPTP work, but on the ASR not yet...

Essentially I have the same thing configured: it does not complain about the line ppp accounting ..., but it does not show it in sh run int virtual-template 2 either.

Through Feature Navigator I found out that my IOS does not have the "AAA Interim Accounting" feature at all, which is responsible for periodic accounting: "This feature can be used to enable the network access server to send periodic accounting records about a subscriber's session at a predefined interval. Interim accounting records can use Radius or Tacacs+ protocol for transmitting the accounting records."

In short, I am waiting for a fresh IOS from Cisco, fortunately they promised one (we have a service contract); I will report back with the results.

darkagent Posted January 21, 2010

> Through Feature Navigator I found out that my IOS does not have the "AAA Interim Accounting" feature at all, which is responsible for periodic accounting: "This feature can be used to enable the network access server to send periodic accounting records about a subscriber's session at a predefined interval. Interim accounting records can use Radius or Tacacs+ protocol for transmitting the accounting records."

I didn't quite understand the part about periodic accounting. On the ASR I tried both L2TP and PPPoE: with L2TP accounting works normally, all as it should, but with PPPoE there really is only start/stop, without periodic updates. For now we run only L2TP on the ASR.

Stranix1979 Posted February 10, 2010

> On the first question:
> - install the new IOS asr1000rp1-advipservicesk9.02.05.00.122-33.XNE.bin
> - remove aaa accounting delay-start
> - and accounting will start flowing (Cisco currently has a hidden bug like this)
>
> On the second: look at which RADIUS attributes the ASR is able to send.

Ah, I wish I had that IOS... would you share it? :)