Cisco ISG Integration with AAA & Policy Server

Bhavesh Patel
Level 1

Hi,

We are integrating Cisco ISG (IOS XE, ASR1001) with an AAA and Policy Server. We have the specific service provider requirements below.

1. TAL - Transparent Automatic Login for a range of IPs or a pool of IPs - how do we add such an identifier in the Policy/Control Maps as an attribute handshake with AAA?

2. Different QoS enforcement for a single user based on day and night time. What logic should be used?

Note: The Subscribers are from wired network and DHCP controlled.

Please help. Thanks in advance.

Bhavesh

3 Replies

vishallumbhani
Level 1
Dear Bhavesh,
Try this; it is a working and tested policy for TAL with ISG on an ASR 1001.
QoS will work with the RADIUS request and will be applied to online users with different plans.


class-map type traffic match-any PPPOE
 match access-group output name PPPOE-out
 match access-group input name PPPOE-in
!
class-map type control match-any TAL
 match source-ip-address 30.30.30.0 255.255.255.0 
!
class-map type control match-all IP_UNAUTH_COND
 match timer IP_UNAUTH_TIMER 
 match authen-status unauthenticated 
!
class-map type control match-all PPPOE-CON
 match media ether 
 match authen-status unauthenticated 
 match protocol ppp 
!
policy-map type control PPPOE-USR
 class type control always event timed-policy-expiry
  10 service disconnect
 !
 class type control always event account-logoff
  10 service disconnect delay 2
 !
 class type control always event quota-depleted
  10 set-param drop-traffic TRUE
 !
 class type control always event session-start
  10 authenticate aaa list PPP-USR 
 !
 class type control always event service-start
  20 service-policy type service identifier service-name
 !
 class type control always event service-stop
  1 service-policy type service unapply identifier service-name
 !
!
policy-map type control TAL_IP_POLICY_RULE
 class type control IP_UNAUTH_COND event timed-policy-expiry
  10 service disconnect
 !
 class type control TAL event account-logoff
  10 service disconnect delay 5
 !
 class type control TAL event session-start
  30 authorize aaa list AAA-STATIC password cisco identifier source-ip-address
  50 set-timer IP_UNAUTH_TIMER 5
 !
 class type control TAL event session-restart
  30 authorize aaa list AAA-STATIC password cisco identifier source-ip-address
  50 set-timer IP_UNAUTH_TIMER 5
 !
 class type control TAL event quota-depleted
  10 set-param drop-traffic TRUE
 !
 class type control TAL event service-start
  10 service-policy type service identifier service-name
 !
!
bba-group pppoe global
 virtual-template 1
!
!
interface GigabitEthernet0/0/0
 ip address 10.10.10.2 255.255.255.0
 no ip proxy-arp
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address 30.30.30.1 255.255.255.0
 negotiation auto
 pppoe enable group global
 service-policy type control TAL_IP_POLICY_RULE
 ip subscriber routed
  initiator unclassified ip-address
!
interface GigabitEthernet0/0/2
 ip address 172.16.1.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/2/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/2/1
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/2/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/2/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
 !
interface Virtual-Template1
 ip dhcp relay information trusted
 ip unnumbered GigabitEthernet0/0/1
 ip helper-address 10.10.10.1
 timeout absolute 43200 0
 peer default ip address dhcp
 ppp mtu adaptive
 ppp authentication pap
 ppp authorization PPP-USR
 service-policy type control PPPOE-USR
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
ip access-list extended DROP-in
 deny   ip any any
ip access-list extended DROP-out
 deny   ip any any
ip access-list extended PPPOE-in
 permit ip any any
ip access-list extended PPPOE-out
 permit ip any any

vishal lumbhani

mavespig
Level 3

Hi Bhavesh,

For IP subnet sessions you need to be sure that the RADIUS server adds a Framed-IP-Netmask attribute in the Access-Accept.

ISG will match the netmask attribute against the subscriber's IP, and if it matches it will add that traffic to the single subnet subscriber session.

There is no special config required for TAL; just use the source IP as the identifier.

You can also refer to this page:

http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_acess_sub_sessns.html#wp1054603

Regarding the QoS, one approach would be to add timed ACLs directly in the MQC policy-map. You would have a single QoS policy with different classes, each matching a different time of day.

Another alternative is to implement the logic in your policy server and push a new service with CoA at a specific time of day.

Marco
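The two points Marco makes (the Access-Accept must carry Framed-IP-Netmask for a subnet subscriber, and the day/night decision can live in the policy server and be pushed with CoA) are easy to get subtly wrong on the server side, so here is a small policy-server-side model of both. This is an added example, not code from the thread or from Cisco: it checks which source IPs ISG would classify into a subnet session from the RADIUS attributes returned, and it picks the service to push based on a night window that wraps midnight. The service names `QOS-NIGHT` and `QOS-DAY`, the session ID, and the sample Access-Accept are constructed placeholders; the CoA attribute spelling is from my reading of the ISG CoA documentation and should be verified against your IOS XE release.

```python
# Added example (not from the original post): policy-server-side model of
# (a) ISG subnet (TAL) session classification from RADIUS attributes and
# (b) day/night QoS service selection for a CoA push.
import ipaddress
from datetime import time

# Constructed sample Access-Accept for a subscriber in the 30.30.30.0/24 pool
# used by the posted class-map. Framed-IP-Netmask is what turns a single-host
# session into a subnet session on ISG.
SAMPLE_ACCESS_ACCEPT = {
    "Framed-IP-Address": "30.30.30.25",
    "Framed-IP-Netmask": "255.255.255.0",
}


def session_prefix(attrs):
    """Return the IPv4 network the Access-Accept authorizes.

    Without Framed-IP-Netmask ISG creates a single-host (/32) session, so the
    netmask defaults to 255.255.255.255 here to mirror that behaviour.
    """
    addr = attrs["Framed-IP-Address"]
    mask = attrs.get("Framed-IP-Netmask", "255.255.255.255")
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def belongs_to_session(attrs, source_ip):
    """True if traffic from source_ip lands in the session described by attrs."""
    return ipaddress.IPv4Address(source_ip) in session_prefix(attrs)


# Night window (assumed values): 22:00 to 06:00, which wraps midnight.
NIGHT_START = time(22, 0)
NIGHT_END = time(6, 0)


def in_window(now, start, end):
    """Half-open [start, end) window; handles a window that wraps past midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def qos_service_for(now, night_service="QOS-NIGHT", day_service="QOS-DAY"):
    """Pick the ISG service name to push for the given wall-clock time (names are placeholders)."""
    return night_service if in_window(now, NIGHT_START, NIGHT_END) else day_service


def coa_request(session_id, service):
    """Build the attribute set for a CoA that activates `service` on an existing session.

    Attribute spelling follows Cisco ISG CoA service activation as I recall it
    (subscriber:command / subscriber:service-name); verify for your release.
    """
    return {
        "Acct-Session-Id": session_id,
        "Cisco-AVPair": [
            "subscriber:command=activate-service",
            f"subscriber:service-name={service}",
        ],
    }


if __name__ == "__main__":
    print(session_prefix(SAMPLE_ACCESS_ACCEPT))
    print(belongs_to_session(SAMPLE_ACCESS_ACCEPT, "30.30.30.77"))
    print(coa_request("example-session-id", qos_service_for(time(23, 30))))
```

The third assertion worth keeping in mind is the failure mode Marco describes: with Framed-IP-Address alone (no netmask), only the one host matches and every other address in the range is treated as a new, unauthenticated session. Note also that the posted config authorizes TAL sessions with a fixed password on the `authorize aaa list` line; the policy server should key its decision on the source IP identifier and the prefix it returns, not on that password.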

I am looking for help on the same issue with slightly different requirements and would appreciate any help.

1. Customers are connecting using PPPoE

2. Prepaid customers will be sent to a third-party AAA server.

3. Postpaid customers will be sent to our own AAA server for normal billing.

A sample configuration or just an explanation of the process involved would be very much appreciated. I got an idea from the configuration above, but I am not sure how TAL fits in with a PPPoE session. Does this mean there would be two authentications, one for the PPPoE session and one for TAL?

Thanks
