infery Posted September 5, 2014

Happy Friday. This is the second day I have been struggling with a problem and I cannot solve it. I have a Cisco ASR 1002 BRAS with ISG; everything is configured and working except, of course, CoA. Here is the ISG config:

aaa new-model
!
!
aaa group server radius ISG-RADIUS
 server name LANBILLING
!
aaa authentication login ISG-AUTH-1 group ISG-RADIUS
aaa authorization network ISG-AUTH-1 group ISG-RADIUS
aaa authorization subscriber-service default local group ISG-RADIUS
!
!
!
!
aaa server radius dynamic-author
 client 3.3.3.10 server-key KEY
 port 3799
 ignore session-key
 ignore server-key
!
aaa session-id common
class-map type traffic match-any CLASS-PERMITED-DEST
 match access-group input name PERMITED-DEST
 match access-group output name PERMITED-DEST
!
class-map type traffic match-any CLASS-REDIRECTOR
 match access-group input name ACL-FOR-REDIRECT
 match access-group output name ACL-FOR-REDIRECT
!
class-map type traffic match-any CLASS-BILLING-DOWN
 match access-group input name ACL-BILLING-DOWN
 match access-group output name ACL-BILLING-DOWN
!
class-map type control match-all ISG-IP-UNAUTH
 match authen-status unauthenticated
 match timer UNAUTH-TIMER
!
class-map type control match-any SUBSCRIBER-NETWORKS
 match source-ip-address 100.67.0.0 255.255.255.0
!
policy-map type service REDIRECT-SERVICE
 1 class type traffic CLASS-REDIRECTOR
  redirect to group GROUP-REDIRECT
 !
 class type traffic default input
  drop
 !
!
policy-map type service SERVICE-PERMITED-DEST
 1 class type traffic CLASS-PERMITED-DEST
  police input 1000000000
  police output 1000000000
 !
 class type traffic default input
  drop
 !
!
policy-map type service SERVICE-BILLING-DOWN
 class type traffic CLASS-BILLING-DOWN
  police input 20000000
  police output 20000000
 !
 class type traffic default input
  drop
 !
!
policy-map type service PBHK
 ip portbundle
!
policy-map type control ISG-CUSTOMER-POLICY
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control SUBSCRIBER-NETWORKS event session-start
  10 authorize aaa list ISG-AUTH-1 password 100.67.0.61 identifier source-ip-address
 !
 class type control SUBSCRIBER-NETWORKS event access-reject
  5 set-timer UNAUTH-TIMER 3
  10 service-policy type service name SERVICE-PERMITED-DEST
  20 service-policy type service name REDIRECT-SERVICE
 !
 class type control SUBSCRIBER-NETWORKS event radius-timeout
  10 service-policy type service name SERVICE-BILLING-DOWN
 !
!

bras#show subscriber session detailed
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: IPv4, UID: 24, State: authen, Identity: 100.67.0.61
IPv4 Address: 100.67.0.61
Session Up-time: 02:36:14, Last Changed: 02:36:14
Switch-ID: 4189

Policy information:
  Context 4384BC08: Handle 6900003C
  AAA_id 00000024: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    timeout              0   86400 (0x15180)
    service-type         0   5 [Outbound]
    addr                 0   100.67.0.61
    netmask              0   255.255.255.255
    ssg-account-info     0   "QU;30720000;576000;1152000;D;30720000;576000;1152000"
  Downloaded User profile, including services:
    timeout              0   86400 (0x15180)
    service-type         0   5 [Outbound]
    addr                 0   100.67.0.61
    netmask              0   255.255.255.255
    ssg-account-info     0   "QU;30720000;576000;1152000;D;30720000;576000;1152000"
  Config history for session (recent to oldest):
    Access-type: IP Client: SM
     Policy event: Service Selection Request
      Profile name: 100.67.0.61, 2 references
        timeout              0   86400 (0x15180)
        service-type         0   5 [Outbound]
        addr                 0   100.67.0.61
        netmask              0   255.255.255.255
        ssg-account-info     0   "QU;30720000;576000;1152000;D;30720000;576000;1152000"
  Rules, actions and conditions executed:
    subscriber condition-map match-any SUBSCRIBER-NETWORKS
      match identifier source-ip-address 100.67.0.0 255.255.255.0 [TRUE]
    subscriber rule-map ISG-CUSTOMER-POLICY
      condition SUBSCRIBER-NETWORKS event session-start
        10 authorize aaa list ISG-AUTH-1 identifier source-ip-address

Classifiers:
Class-id    Dir   Packets    Bytes       Pri.  Definition
0           In    53755      34902113    0     Match Any
1           Out   70173      59548994    0     Match Any

Template Id : 11

Features:

Absolute Timeout:
Class-id   Timeout Value   Time Remaining   Source
0          86400           21:23:45         Peruser

Policing:
Class-id   Dir   Avg. Rate   Normal Burst   Excess Burst   Source
0          In    30720000    576000         1152000        Peruser
1          Out   30720000    576000         1152000        Peruser

Configuration Sources:
Type  Active Time  AAA Service ID  Name
USR   02:36:14     -               Peruser
INT   02:36:14     -               GigabitEthernet0/0/1

I send any CoA request with radclient and get a NAK:

echo User-Name="100.67.0.61",Acct-Session-Id=24,Cisco-Account-Info="S100.67.0.61",cisco-ssg-service-info="QU;1000;D;1000"| radclient -x 3.3.3.4:3799 coa KEY

I have tried every way I could just to get at least an ACK. The connection type is IPoE. Please advise where to dig.