CoA to ISG always returns NAK. I want to change ssg-account-info on IPoE sessions

Happy Friday. This is the second day I have been fighting this problem and I can't solve it. There is a Cisco ASR 1002 BRAS with ISG; everything is configured and working, except, of course, CoA.

Here is the ISG config

 

aaa new-model
!
!
aaa group server radius ISG-RADIUS
server name LANBILLING
!
aaa authentication login ISG-AUTH-1 group ISG-RADIUS
aaa authorization network ISG-AUTH-1 group ISG-RADIUS 
aaa authorization subscriber-service default local group ISG-RADIUS 
!
!
!
!
aaa server radius dynamic-author
client 3.3.3.10 server-key KEY
port 3799
ignore session-key
ignore server-key
!         
aaa session-id common

class-map type traffic match-any CLASS-PERMITED-DEST
match access-group input name PERMITED-DEST
match access-group output name PERMITED-DEST
!
class-map type traffic match-any CLASS-REDIRECTOR
match access-group input name ACL-FOR-REDIRECT
match access-group output name ACL-FOR-REDIRECT
!
class-map type traffic match-any CLASS-BILLING-DOWN
match access-group input name ACL-BILLING-DOWN
match access-group output name ACL-BILLING-DOWN
!
class-map type control match-all ISG-IP-UNAUTH
match authen-status unauthenticated 
match timer UNAUTH-TIMER 
!         
class-map type control match-any SUBSCRIBER-NETWORKS
match source-ip-address 100.67.0.0 255.255.255.0 
!
policy-map type service REDIRECT-SERVICE
1 class type traffic CLASS-REDIRECTOR
 redirect to group GROUP-REDIRECT
!
class type traffic default input
 drop
!
!
policy-map type service SERVICE-PERMITED-DEST
1 class type traffic CLASS-PERMITED-DEST
 police input 1000000000
 police output 1000000000
!
class type traffic default input
 drop
!
!
policy-map type service SERVICE-BILLING-DOWN
class type traffic CLASS-BILLING-DOWN
 police input 20000000
 police output 20000000
!
class type traffic default input
 drop
!
!
policy-map type service PBHK
ip portbundle
!
policy-map type control ISG-CUSTOMER-POLICY
class type control ISG-IP-UNAUTH event timed-policy-expiry
 1 service disconnect
!
class type control SUBSCRIBER-NETWORKS event session-start
 10 authorize aaa list ISG-AUTH-1 password 100.67.0.61 identifier source-ip-address
!
class type control SUBSCRIBER-NETWORKS event access-reject
 5 set-timer UNAUTH-TIMER 3
 10 service-policy type service name SERVICE-PERMITED-DEST
 20 service-policy type service name REDIRECT-SERVICE
!
class type control SUBSCRIBER-NETWORKS event radius-timeout
 10 service-policy type service name SERVICE-BILLING-DOWN
!
!

bras#show subscriber session detailed
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: IPv4, UID: 24, State: authen, Identity: 100.67.0.61
IPv4 Address: 100.67.0.61 
Session Up-time: 02:36:14, Last Changed: 02:36:14
Switch-ID: 4189

Policy information:
 Context 4384BC08: Handle 6900003C
 AAA_id 00000024: Flow_handle 0
 Authentication status: authen
 Downloaded User profile, excluding services:
   timeout              0   86400 (0x15180)
   service-type         0   5 [Outbound]
   addr                 0   100.67.0.61
   netmask              0   255.255.255.255
   ssg-account-info     0   "QU;30720000;576000;1152000;D;30720000;576000;1152000"
 Downloaded User profile, including services:
   timeout              0   86400 (0x15180)
   service-type         0   5 [Outbound]
   addr                 0   100.67.0.61
   netmask              0   255.255.255.255
   ssg-account-info     0   "QU;30720000;576000;1152000;D;30720000;576000;1152000"
 Config history for session (recent to oldest):
   Access-type: IP Client: SM
    Policy event: Service Selection Request
     Profile name: 100.67.0.61, 2 references 
       timeout              0   86400 (0x15180)
       service-type         0   5 [Outbound]
       addr                 0   100.67.0.61
       netmask              0   255.255.255.255
       ssg-account-info     0   "QU;30720000;576000;1152000;D;30720000;576000;1152000"
 Rules, actions and conditions executed:
       subscriber condition-map match-any SUBSCRIBER-NETWORKS
         match identifier source-ip-address 100.67.0.0 255.255.255.0 [TRUE]
   subscriber rule-map ISG-CUSTOMER-POLICY
     condition SUBSCRIBER-NETWORKS event session-start
       10 authorize aaa list ISG-AUTH-1 identifier source-ip-address

Classifiers:
Class-id    Dir   Packets    Bytes                  Pri.  Definition
0           In    53755      34902113               0    Match Any
1           Out   70173      59548994               0    Match Any

Template Id : 11

Features:

Absolute Timeout:
Class-id   Timeout Value    Time Remaining       Source
0          86400            21:23:45             Peruser

Policing:
Class-id   Dir  Avg. Rate   Normal Burst  Excess Burst Source
0          In   30720000    576000        1152000      Peruser
1          Out  30720000    576000        1152000      Peruser

Configuration Sources:
Type  Active Time  AAA Service ID  Name
USR   02:36:14     -               Peruser
INT   02:36:14     -               GigabitEthernet0/0/1

 

I send any CoA request with radclient and get a NAK

echo User-Name="100.67.0.61",Acct-Session-Id=24,Cisco-Account-Info="S100.67.0.61",cisco-ssg-service-info="QU;1000;D;1000"| radclient -x 3.3.3.4:3799 coa KEY

I have tried everything I could think of just to get at least an ACK. The connection type is IPoE. Please advise where to dig.
