ISG PPPoE

[ShyLion]

Приветствую.

Осваиваю ISG (ASR 1002X, 3.10.03S).

 

Меня интересуют в общем-то тривиальные вещи.

Клиенты PPPoE (пока)

 

радиус:

 

user1   Cleartext-Password := "user1"
       Cisco-Account-Info += "AANY",
       Cisco-Control-Info += "QV1000000",

ANY     Cleartext-Password := "cisco", Service-Type == Outbound-User
       Cisco-AVPair += "ip:traffic-class=in access-group name CM_T_ANY",
       Cisco-AVPair += "ip:traffic-class=in default drop",
       Cisco-AVPair += "ip:traffic-class=out access-group name CM_T_ANY",
       Cisco-AVPair += "ip:traffic-class=out default drop",
       Cisco-AVPair += "prepaid-config=PREPAID",

 

на циске:

 

aaa authentication ppp FREERADIUS group freeradius
aaa authorization network FREERADIUS group freeradius
aaa authorization subscriber-service FREERADIUS local group freeradius
aaa accounting network FREERADIUS start-stop group freeradius
!
aaa group server radius freeradius
server-private 10.0.6.10 auth-port 1812 acct-port 1813 key 7 142417081E013E
!
subscriber feature prepaid PREPAID
threshold time 0 seconds
threshold volume 1 Kbytes
interim-interval 1 minutes
method-list author FREERADIUS
method-list accounting FREERADIUS
password cisco
!

 

Юзверь авторизуется, сервис циска запрашивает, траффик ходит, но за обновлением квоты киса на радиус не ходит и ничего не отклчает, траффик клиентом потребляется без ограничения.

Что я делаю не так?

 

asr-1002x-01#show subscriber session  username user1 detailed
Type: PPPoE, UID: 200, State: authen, Identity: user1
IPv4 Address: 192.168.128.127
IPv6 Address: 2A01:8960:4::
Session Up-time: 00:22:11, Last Changed: 00:22:11
Interface: Virtual-Access2.1
Switch-ID: 4677

Policy information:
 Context 7FBB6473CB60: Handle A80009BE
 AAA_id 00001B1F: Flow_handle 0
 Authentication status: authen
 Downloaded User profile, excluding services:
   Framed-Protocol      0   1 [PPP]
   service-type         0   2 [Framed]
   ssg-account-info     0   "AANY"
   ssg-control-info     0   "QV1000000"
   ssg-account-info     0   "QU;10240000;D;10240000"
   prefix               0   00 40 2A 01 89 60 00 04 00 00 00 00 00 00 00 00 00 00
   Interface-Id         0   00 00 00 00 00 00 00 01
   route                0   "2a01:8960:5::/56"
   delegated-prefix     0   00 38 2A 01 89 60 00 05 00 00 00 00 00 00 00 00 00 00
 Downloaded User profile, including services:
   Framed-Protocol      0   1 [PPP]
   service-type         0   2 [Framed]
   ssg-account-info     0   "AANY"
   ssg-control-info     0   "QV1000000"
   ssg-account-info     0   "QU;10240000;D;10240000"
   prefix               0   00 40 2A 01 89 60 00 04 00 00 00 00 00 00 00 00 00 00
   Interface-Id         0   00 00 00 00 00 00 00 01
   route                0   "2a01:8960:5::/56"
   delegated-prefix     0   00 38 2A 01 89 60 00 05 00 00 00 00 00 00 00 00 00 00
 Config history for session (recent to oldest):
   Access-type: Web-service-logon Client: SM
    Policy event: Apply Config Success (Unapplied) (Service)
     Profile name: ANY, 3 references
       traffic-class        0   "in access-group name CM_T_ANY"
       traffic-class        0   "in default drop"
       traffic-class        0   "out access-group name CM_T_ANY"
       traffic-class        0   "out default drop"
   Access-type: Web-service-logon Client: SM
    Policy event: Process Config Connecting (Service)
     Profile name: ANY, 3 references
       traffic-class        0   "in access-group name CM_T_ANY"
       traffic-class        0   "in default drop"
       traffic-class        0   "out access-group name CM_T_ANY"
       traffic-class        0   "out default drop"
   Access-type: PPP Client: SM
    Policy event: Process Config Connecting
     Profile name: apply-config-only, 2 references
       Framed-Protocol      0   1 [PPP]
       service-type         0   2 [Framed]
       ssg-account-info     0   "AANY"
       ssg-control-info     0   "QV1000000"
       ssg-account-info     0   "QU;10240000;D;10240000"
       prefix               0   00 40 2A 01 89 60 00 04 00 00 00 00 00 00 00 00 00 00
       Interface-Id         0   00 00 00 00 00 00 00 01
       route                0   "2a01:8960:5::/56"
       delegated-prefix     0   00 38 2A 01 89 60 00 05 00 00 00 00 00 00 00 00 00 00
 Rules, actions and conditions executed:
   subscriber rule-map default-internal-rule
     condition always event service-start
       1 service-policy type service identifier service-name
   subscriber rule-map default-internal-rule
     condition always event service-stop
       1 service-policy type service unapply identifier service-name

Classifiers:
Class-id    Dir   Packets    Bytes                  Pri.  Definition
0           In    229275     13175066               0    Match Any
1           Out   714381     1038574772             0    Match Any

Features:

Static Routes:
Class-id  Configuration Status           Source
0          This feature is enabled       Peruser

Policing:
Class-id   Dir  Avg. Rate   Normal Burst  Excess Burst Source
0          In   10240000    1920000       3840000      Peruser
1          Out  10240000    1920000       3840000      Peruser

DHCPv6 PD from AAA:
Class-id  Configuration Status           Source
0          This feature is enabled       Peruser

Configuration Sources:
Type  Active Time  AAA Service ID  Name
USR   00:22:11     -               Peruser
INT   00:22:11     -               Virtual-Template2

[ShyLion]

В ходе дебага и экспериментов выяснилось, что если добавить в профиль пользователя Framed-IP-Address, препейд начинает работать, запрашивать квоты с радиуса.

Правда теперь столкнулся с тем, что если квота кончилась, то:

1. подключеный сервис пропадает из сессии и киса перестает запрашивать квоту. Соответственно чтобы его возобновить нужно предпринять какое-то действие.

2. несмотря на то, что перейд сервис отваливается, пользователь продолжает получать доступ, словно никаких сервисов навешано не было.

[ShyLion]

пункт №2 я победил, добавив к профилю учетки еще сервисы редиректа на личный кабинет.