Jump to content

Radius Accounting & Cisco ESR 10K

catalist
 Share

Recommended Posts

catalist

catalist

Posted
Posted (edited)

Доброго времени суток!

Взяли мы тут на тест железку ESR 10K PRE-2

Стоит задача терминировать PPPoE сессии.

Всё бы ничего, сессия создаётся и живёт, однако данный девайс не шлёт радиус серверу Accounting сессий, и как следствие эти сесси не видны в биллинге, подскажите пожалуйста знающие люди, как заставить слать аккаунтинг по активным сессиям PPPoE.

IOS c10k2-p11-mz.122-33.SB8a.bin

Конфиг

version 12.2
parser config cache interface
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service internal
service sequence-numbers
!
hostname ESR-10K-C-B
!
boot-start-marker
boot-end-marker
!
aaa new-model
aaa session-mib disconnect
!
!
aaa group server radius PPPoE
server-private xx.xx.xx.xx auth-port 1912 acct-port 1913
!
aaa authentication login default local
aaa authentication ppp PPPoE group PPPoE
aaa authorization exec default local
aaa authorization network PPPoE group PPPoE
aaa accounting delay-start all
aaa accounting delay-start
aaa accounting update newinfo periodic 1
aaa accounting connection PPPoE start-stop group PPPoE
!
aaa nas port extended
!
!
!
!
aaa session-id unique
clock timezone UTC 6
clock calendar-valid
facility-alarm core-temperature major 58
facility-alarm core-temperature minor 50
facility-alarm core-temperature critical 85
facility-alarm intake-temperature major 54
facility-alarm intake-temperature minor 45
facility-alarm intake-temperature critical 72
!
!
card 1/0 1gigethernet-1
card 2/0 1gigethernet-1
ip subnet-zero
no ip source-route
ip arp gratuitous none
no ip gratuitous-arps
ip icmp rate-limit unreachable 100
ip icmp rate-limit unreachable DF 100
ip tcp selective-ack
ip tcp timestamp
ip tcp path-mtu-discovery
ip vrf VOICE
!
ip flow-cache entries 524288
ip flow-cache timeout inactive 30
ip flow-cache timeout active 1
no ip bootp server
no ip dhcp use vrf connected
!
ip dhcp pool VOIP
  network 10.9.1.0 255.255.255.224
  dns-server 10.9.1.1
  default-router 10.9.1.1
  option 66 ascii "10.9.1.1"
  lease 20
!
!
login block-for 1 attempts 5 within 1
login on-failure log
!
!
multilink bundle-name authenticated
lacp system-priority 1
!
redundancy
mode sso
!
!
policy-map 2M-out
 class class-default
   shape 2048
policy-map 11M-in
 class class-default
   police 11264000 14080 14080 conform-action transmit exceed-action drop viola
te-action drop
policy-map 1M-in
 class class-default
   police 1024000 1280 1280 conform-action transmit exceed-action drop violate-
action drop
policy-map 4M-in
 class class-default
   police 4096000 5120 5120 conform-action transmit exceed-action drop violate-
action drop
policy-map 2M-in
 class class-default
   police 2048000 2560 2560 conform-action transmit exceed-action drop violate-
action drop
policy-map 12M-in
 class class-default
   police 12288000 15360 15360 conform-action transmit exceed-action drop viola
te-action drop
policy-map 8M-out
 class class-default
   shape 8192
policy-map 9M-in
 class class-default
   police 9216000 11520 11520 conform-action transmit exceed-action drop violat
e-action drop
policy-map 9M-out
 class class-default
   shape 9216
policy-map 7M-out
 class class-default
   shape 7168
policy-map 15M-in
 class class-default
   police 15360000 19200 19200 conform-action transmit exceed-action drop viola
te-action drop
policy-map 20M-out
 class class-default
   shape 20480
policy-map 8M-in
 class class-default
   police 8192000 10240 10240 conform-action transmit exceed-action drop violat
e-action drop
policy-map 10M-out
 class class-default
   shape 10240
policy-map 10M-in
 class class-default
   police 10240000 12800 12800 conform-action transmit exceed-action drop viola
te-action drop
policy-map 6M-in
 class class-default
   police 6144000 7680 7680 conform-action transmit exceed-action drop violate-
action drop
policy-map 11M-out
 class class-default
   shape 11264
policy-map 5M-in
 class class-default
   police 5120000 6400 6400 conform-action transmit exceed-action drop violate-
action drop
policy-map 15M-out
 class class-default
   shape 15360
policy-map 1M-out
 class class-default
   shape 1024
policy-map 12M-out
 class class-default
   shape 12288
policy-map 3M-out
 class class-default
   shape 3072
policy-map 3M-in
 class class-default
   police 3072000 3840 3840 conform-action transmit exceed-action drop violate-
action drop
policy-map 5M-out
 class class-default
   shape 5120
policy-map 7M-in
 class class-default
   police 7168000 8960 8960 conform-action transmit exceed-action drop violate-
action drop
policy-map 20M-in
 class class-default
   police 20480000 25600 25600 conform-action transmit exceed-action drop viola
te-action drop
policy-map 6M-out
 class class-default
   shape 6144
policy-map 4M-out
 class class-default
   shape 4096
!
buffers small permanent 15000
buffers middle permanent 12000
buffers big permanent 8000
!
!
bba-group pppoe global
ac name ESR-10K-CORE
!
bba-group pppoe PPPoE
virtual-template 1
sessions per-mac limit 1
sessions per-vlan limit 800
sessions per-mac throttle 6 60 240
sessions auto cleanup
!
!
interface Loopback0
description VOICE-PPPoE-UNNUMBER
ip vrf forwarding VOICE
ip address 10.9.254.254 255.255.255.0
!
interface FastEthernet0/0/0
no ip address
speed 100
full-duplex
hold-queue 4096 in
hold-queue 4096 out
!
interface GigabitEthernet1/0/0
description C6509-C-A-GIG9/7
no ip address
negotiation auto
hold-queue 4096 in
hold-queue 4096 out
!
interface GigabitEthernet1/0/0.1
description MANAGE
encapsulation dot1Q 1 native
ip address 10.10.0.40 255.255.0.0
!
interface GigabitEthernet1/0/0.6
description NGN
encapsulation dot1Q 6
ip vrf forwarding VOICE
ip address 10.9.1.4 255.255.255.240
!
interface GigabitEthernet2/0/0
description C6509-C-A-GIG9/8
no ip address
negotiation auto
hold-queue 4096 in
hold-queue 4096 out
!
interface GigabitEthernet2/0/0.10
description OFFICE-MANAGE-GATE
encapsulation dot1Q 10
ip vrf forwarding VOICE
ip address 10.9.2.1 255.255.255.248
pppoe enable group PPPoE
!
interface Virtual-Template1
mtu 1492
ip vrf forwarding VOICE
ip unnumbered Loopback0
ip flow ingress
no logging event link-status
peer default ip address pool PPPoE
keepalive 30
ppp max-bad-auth 3
ppp authentication pap PPPoE
ppp authorization PPPoE
ppp accounting PPPoE
ppp ipcp dns 10.9.1.1
ppp timeout retry 3
ppp timeout authentication 45
ppp timeout idle 36000
!
ip classless
ip flow-export source GigabitEthernet2/0/0.1
ip flow-export version 5
!
no ip http server
!
!
ip radius source-interface GigabitEthernet1/0/0.3
access-list 100 deny   udp any host 255.255.255.255
access-list 100 permit ip any any
radius-server attribute 44 include-in-access-req
radius-server attribute 44 extend-with-addr
radius-server attribute 188 format non-standard
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 25 access-request include
radius-server attribute nas-port format e SSSSAPPPVVVVVVVVVVVVVVVVVVVVVVVV type 33
radius-server attribute 61 extended
radius-server configure-nas
radius-server timeout 30
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
line con 0
history size 256
transport preferred none
escape-character 3
line aux 0
line vty 0 4
access-class ACCESS-VTY in
privilege level 15
transport input telnet
transport output telnet

Вот лог общения радиус сервера с цыской

04-13/22:23:27  INFO [radiusListener-p-2-t-5] RadiusListenerWorker - REQUEST:
Packet type: Access-Request

Attributes:
 User-Name=хххх
 NAS-Identifier=ESR-10K-C-B
 NAS-Port-Id=2/0/0/10
 User-Password=уууууууу
 NAS-IP-Address=10.10.0.40
 NAS-Port=536870922
 Service-Type=2
 Framed-Protocol=1
 Connect-Info=VOICE
 Acct-Session-Id=0000000000000A35
 NAS-Port-Type=33
 cisco-avpair=client-mac-address=001e.5842.7958

04-13/22:23:27  INFO [radiusListener-p-2-t-5] RadiusListenerWorker - RESPONSE:
Packet type: Access-Accept
Attributes:
 Acct-Interim-Interval=60
 Service-Type=2
 Framed-Protocol=1
 Framed-IP-Address=10.9.3.47

Process time auth: 44

Всё после этого ничего от цыски не приходит на радиус.

 

ЗЫ: Вроде как на цысках (IOS 12.4) отсыл аккаунтинга включается коммандой gw-accounting aaa, однако на ESR (12.2) я такой комманды не нашёл.

Заранее спасибо.

Edited by catalist

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...
На сайте используются файлы cookie и сервисы аналитики для корректной работы форума и улучшения качества обслуживания. Продолжая использовать сайт, вы соглашаетесь с использованием файлов cookie и с Политикой конфиденциальности.