Accounting problems

Hello. Can you tell me what the problem might be?

The session stays up on the BRAS (Cisco 7201) even after the cable has been pulled. An acct-update keeps being sent to billing, so the session is always considered active. Please help, maybe someone has run into this problem.

BRAS config

Building configuration...

Current configuration : 15383 bytes
!
! Last configuration change at 16:20:35 MSK Tue Feb 25 2014 by irihorn
! NVRAM config last updated at 12:10:01 MSK Fri Feb 21 2014 by rizvan
!
version 12.2
service nagle
service timestamps debug uptime
service timestamps log datetime msec
service password-encryption
!
hostname bras
!
boot-start-marker
boot system flash c7200p-adventerprisek9-mz.122-33.SRE2.bin
boot system flash disk0:c7200p-adventerprisek9-mz.122-33.SRE2.bin
boot-end-marker
!
security passwords min-length 1
logging snmp-authfail
logging buffered 128000
logging console informational
enable secret 5 $1$NdnT$tl9jkSpfpIefS/MyhDsev.
enable password 7 1421173948102F33
!
aaa new-model
!
!

!

aaa group server radius OPT82
server 10.95.11.5 auth-port 1816 acct-port 1817
ip radius source-interface GigabitEthernet0.1/11

!

!
aaa authentication login default group tacacs+ local
aaa authentication login console enable none
aaa authentication login CONS none
aaa authentication login OPT82 group OPT82
aaa authentication enable default none
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network OPT82 group OPT82
aaa accounting delay-start all
aaa accounting jitter maximum 0
aaa accounting update periodic 10
aaa accounting commands 1 tac_acc
action-type start-stop
group tacacs+
!
aaa accounting commands 15 tac_acc
action-type start-stop
group tacacs+
!
aaa accounting network PPPoE_ISG
action-type start-stop
group PPPoE_ISG
!
aaa accounting network REDIR-AUTH
action-type start-stop
group REDIR
!
aaa accounting network ISG-AUTH-1
action-type start-stop
group ISG-RADIUS
!
aaa accounting network OPT82
action-type start-stop
group OPT82
!
aaa accounting network ISG-RADIUS
action-type start-stop
group ISG-RADIUS
!
aaa accounting network REDIR
action-type start-stop
group REDIR
!
aaa accounting connection tac_acc
action-type start-stop
group tacacs+
!
aaa accounting resource tac_acc
action-type start-stop-failure
group tacacs+
!
!
!
!
!
aaa server radius dynamic-author
client 10.95.11.5 server-key 7 XXXXXXX
auth-type any
!
aaa session-id common
clock timezone MSK 4
rlogin trusted-remoteuser-source local
rlogin trusted-localuser-source local
ip source-route
ip address-pool dhcp-pool
ip cef
!
!
ip dhcp relay information option
ip dhcp relay information policy keep
no ip dhcp relay information check
ip dhcp relay information trust-all
ip dhcp excluded-address 10.101.0.1
ip dhcp excluded-address 10.201.0.1
ip dhcp excluded-address 10.202.0.1
!
ip dhcp pool PPPoE
  network 10.101.0.0 255.255.0.0
  default-router 10.101.0.1
  dns-server 
  domain-name vertex-com.ru
  lease 3
!
ip dhcp pool OPT82
  update arp
  relay source 10.205.0.0 255.255.0.0
  relay destination 10.95.11.5
!
!
no ip domain lookup
ip domain name vetex-com.ru
ip name-server 
no ipv6 cef
!
subscriber feature prepaid REDIR
threshold time 0 seconds
threshold volume 950 Kbytes
interim-interval 30 minutes
method-list author REDIR-AUTH
method-list accounting REDIR-AUTH
password cisco
subscriber feature prepaid TEST
threshold time 0 seconds
threshold volume 950 Kbytes
interim-interval 30 minutes
method-list author ISG-AUTH-1
method-list accounting ISG-AUTH-1
password cisco
subscriber feature prepaid PREPAID
threshold time 0 seconds
threshold volume 950 Kbytes
interim-interval 30 minutes
method-list author PPPoE_ISG
method-list accounting PPPoE_ISG
password cisco
subscriber feature prepaid OPT82
threshold time 0 seconds
threshold volume 950 Kbytes
interim-interval 30 minutes
method-list author OPT82
method-list accounting OPT82
password cisco
!
multilink bundle-name authenticated
!
!

!
!
ip ssh authentication-retries 2
ip ssh source-interface Loopback100
ip ssh version 2
class-map type traffic match-any CLASS-TRUSTED
match access-group output 198
match access-group input 198
!
class-map type control match-all ISG-IP-UNAUTH
match authen-status unauthenticated
match timer UNAUTH-TIMER
!
policy-map type service SERVICE-TRUSTED
1 class type traffic CLASS-TRUSTED
 police input 64000 8000 16000
 police output 64000 8000 16000
!
!
policy-map type control DOMAIN_BASED_ACCESS
class type control always event session-start
 10 authenticate aaa list PPPoE_ISG
 20 service local
!
!
policy-map type control OPT82_subs_control
class type control ISG-IP-UNAUTH event timed-policy-expiry
 1 service disconnect
!
class type control always event session-start
 10 authorize aaa list OPT82 password OPT82 identifier auto-detect
 20 set-timer UNAUTH-TIMER 1
 30 service-policy type service name DENY-ALL
!
class type control always event quota-depleted
 1 set-param drop-traffic FALSE
!
class type control always event account-logon
 10 authenticate aaa list OPT82
!
class type control always event session-restart
 10 authorize aaa list OPT82 identifier auto-detect
!
!
policy-map type control IPOE_subs_control
class type control ISG-IP-UNAUTH event timed-policy-expiry
 1 service disconnect
!
class type control always event session-start
 10 authorize aaa list ISG-AUTH-1 password ISG identifier source-ip-address
 20 set-timer UNAUTH-TIMER 1
 30 service-policy type service name DENY-ALL
!
class type control always event quota-depleted
 2 set-param drop-traffic FALSE
!
class type control always event account-logon
 10 authenticate aaa list ISG-RADIUS
!
!
policy-map type control REDIR
class type control ISG-IP-UNAUTH event timed-policy-expiry
 1 service disconnect
!
class type control always event session-start
 10 authorize aaa list REDIR-AUTH password ISG identifier source-ip-address
 20 set-timer UNAUTH-TIMER 1
 30 service-policy type service name DENY-ALL
!
class type control always event quota-depleted
 2 set-param drop-traffic FALSE
!
class type control always event account-logon
 10 authenticate aaa list REDIR-AUTH
!
!
!
!
!
!
!
bba-group pppoe global
virtual-template 2
sessions max limit 8000
ac name PPPoE
sessions per-mac limit 2
sessions per-vlan limit 1000
!
!
interface Loopback0
description For | PPPoe
ip address 10.101.0.1 255.255.0.0
!
interface Loopback3
description For | LAN
ip address 10.201.0.1 255.255.0.0
!

!
!
interface GigabitEthernet0/0
description --- -X- | border@ge-1/0/9
ip address 10.95.0.2 255.255.255.252
no ip proxy-arp
media-type sfp
speed 1000
duplex auto
negotiation auto
!

interface GigabitEthernet0/1
description --- -X- | sw01@gi1/0/1
no ip address
media-type rj45
speed auto
duplex auto
negotiation auto
!
interface GigabitEthernet0/1.11
description --- -M- | MGMT
encapsulation dot1Q 11
ip address 10.95.11.2 255.255.255.224
no ip unreachables
no ip proxy-arp
ip nat inside
!
interface GigabitEthernet0/1.16
description BRAS-IPTV
encapsulation dot1Q 16
ip address 10.95.0.22 255.255.255.252
ip access-group 199 in
no ip unreachables
no ip proxy-arp
service-policy type control IPOE_subs_control
ip subscriber routed
 initiator unclassified ip-address
!
interface GigabitEthernet0/1.97
description MGMT | Secondary
encapsulation dot1Q 97
ip address 172.31.4.6 255.255.252.0
ip access-group 197 in
no ip unreachables
no ip proxy-arp
ip nat inside
!

!
interface GigabitEthernet0/1.205
description IPoE-opt82
encapsulation dot1Q 205
ip dhcp relay information trusted
ip address 10.205.0.1 255.255.0.0
ip access-group 199 in
ip helper-address 10.95.11.5
no ip unreachables
no ip proxy-arp
service-policy type control OPT82_subs_control
ip subscriber routed
 initiator dhcp
!

!
interface GigabitEthernet0/2
no ip address
no ip proxy-arp
speed 1000
duplex auto
negotiation auto
!
interface GigabitEthernet0/2.12
encapsulation dot1Q 12
ip address 10.95.0.6 255.255.255.252
no ip unreachables
no ip proxy-arp
!
interface GigabitEthernet0/3
no ip address
speed auto
duplex auto
negotiation auto
!
interface Virtual-Template2
description ==For_PPPoE==
ip unnumbered Loopback0
ip access-group 199 in
no ip proxy-arp
peer default ip address dhcp-pool PPPoE
ppp authentication chap pap ms-chap callin PPPoE_ISG
ppp authorization PPPoE_ISG
ppp accounting PPPoE_ISG
ppp ipcp dns XXXXXXXXXX
ppp ipcp mask 255.255.255.255
service-policy type control DOMAIN_BASED_ACCESS
!
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.95.0.5
!
ip radius source-interface GigabitEthernet0/1.11
logging history debugging
logging alarm informational
logging trap debugging
logging facility local5
logging 10.95.11.4
access-list 101 deny   ip XXXXXXXXX 0.0.0.31
access-list 101 deny   ip 10.0.0.0 0.0.0.255 10.95.0.0 0.0.0.31
access-list 197 permit ip any any
access-list 198 permit ip any any
access-list 198 permit tcp any any
access-list 199 deny   ip 192.168.0.0 0.0.255.255 any
access-list 199 deny   tcp any host XXXXXXX eq 22
access-list 199 deny   tcp any host XXXXXXXX eq telnet
access-list 199 deny   tcp any host XXXXXXXXXX eq ftp
access-list 199 deny   icmp any host XXXXXXXXX echo
access-list 199 deny   tcp any XXXXXXX 0.0.0.127 eq 22
access-list 199 deny   tcp any XXXXXXXXXX  0.0.0.127 eq telnet
access-list 199 deny   tcp any XXXXXXXXX  0.0.0.127 eq ftp
access-list 199 deny   icmp any XXXXXXXXX 0.0.0.127 echo
access-list 199 deny   icmp any 10.0.0.0 0.255.255.255 echo
access-list 199 deny   tcp any 10.0.0.0 0.255.255.255 eq 22
access-list 199 deny   tcp any 10.0.0.0 0.255.255.255 eq telnet
access-list 199 deny   tcp any 10.0.0.0 0.255.255.255 eq ftp
access-list 199 permit ip any any
!

!
tacacs-server host 10.95.11.4 key 7 113D11041427190821207D
tacacs-server directed-request
radius-server attribute 44 include-in-access-req
radius-server attribute 44 extend-with-addr
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 25 access-request include
radius-server attribute 31 mac format unformatted
radius-server attribute 31 send nas-port-detail mac-only
radius-server host 10.95.11.5 auth-port 1812 acct-port 1813 key 7 XXXXX
radius-server host 10.95.11.5 auth-port 1814 acct-port 1815 key 7 XXXXX
radius-server host 10.95.11.5 auth-port 1816 acct-port 1817 key 7 XXXXX
radius-server host 10.95.11.5 auth-port 1818 acct-port 1819 key 7 XXXXX
radius-server key 7 XXXXX
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
privilege exec level 15 access-template
privilege exec level 15 clear access-template
privilege exec level 1 clear
!
line con 0
logging synchronous
login authentication console
terminal-type mon
history size 256
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
timeout login response 10
privilege level 15
logging synchronous
history size 256
transport input telnet ssh
transport output telnet ssh
line vty 5 15
exec-timeout 120 0
timeout login response 10
privilege level 15
logging synchronous
history size 256
transport input telnet ssh
transport output telnet ssh
!
end

Edited by irihorn95


Maybe this will help:

add keepalive 15 to the virtual template

add sessions auto cleanup to the pppoe group


> Maybe this will help:
>
> add keepalive 15 to the virtual template
>
> add sessions auto cleanup to the pppoe group

The problem is that our virtual-template is for PPPoE, and the problems are with IPoE. The interface towards the clients is gi0/1.205.
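
A billing-side check for the symptom described in this thread, added here as an example and not posted by any participant: it flags sessions whose Interim-Update records stop showing counter growth. The record layout (dicts keyed by standard RADIUS attribute names), the `STALE_AFTER` threshold and the sample records are assumptions; it also assumes the NAS reports frozen counters for a dead session.

```python
from collections import defaultdict

# Assumption: 3 unchanged updates = 30 minutes at "aaa accounting update periodic 10".
STALE_AFTER = 3

def total_octets(rec):
    """Combine the 32-bit octet counters with their Gigawords extensions (RFC 2869)."""
    inp = (rec.get("Acct-Input-Gigawords", 0) << 32) | rec.get("Acct-Input-Octets", 0)
    out = (rec.get("Acct-Output-Gigawords", 0) << 32) | rec.get("Acct-Output-Octets", 0)
    return inp, out

def find_stale_sessions(records, stale_after=STALE_AFTER):
    """Return session ids with >= stale_after consecutive unchanged interim updates.

    `records` must be in chronological order. A Stop record clears the session.
    """
    last = {}                      # session id -> counters from the previous record
    unchanged = defaultdict(int)   # session id -> consecutive unchanged updates
    for rec in records:
        sid = rec["Acct-Session-Id"]
        status = rec["Acct-Status-Type"]
        if status == "Stop":
            last.pop(sid, None)
            unchanged.pop(sid, None)
            continue
        counters = total_octets(rec)
        if status == "Interim-Update" and last.get(sid) == counters:
            unchanged[sid] += 1
        else:
            unchanged[sid] = 0     # Start record or real traffic resets the streak
        last[sid] = counters
    return sorted(sid for sid, n in unchanged.items() if n >= stale_after)

def rec(sid, status, inp=0, out=0):
    """Build one constructed accounting record for the sample below."""
    return {"Acct-Session-Id": sid, "Acct-Status-Type": status,
            "Acct-Input-Octets": inp, "Acct-Output-Octets": out}

# Constructed sample: 0000A1 freezes after its first update, 0000B2 keeps moving.
SAMPLE = [
    rec("0000A1", "Start"), rec("0000B2", "Start"),
    rec("0000A1", "Interim-Update", 5000, 9000), rec("0000B2", "Interim-Update", 100, 200),
    rec("0000A1", "Interim-Update", 5000, 9000), rec("0000B2", "Interim-Update", 300, 800),
    rec("0000A1", "Interim-Update", 5000, 9000), rec("0000B2", "Interim-Update", 300, 800),
    rec("0000A1", "Interim-Update", 5000, 9000), rec("0000B2", "Interim-Update", 900, 1500),
]

if __name__ == "__main__":
    print(find_stale_sessions(SAMPLE))
```

A flagged session is only a candidate: an idle but connected subscriber produces the same pattern, so the result is a list to verify against the BRAS, not a list to close automatically.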
