Intelligent Services Gateway Configuration Guide, Cisco IOS Release 15.1S
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Configuring ISG Accounting
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Contents
Configuring ISG AccountingLast Updated: May 27, 2011
Intelligent Services Gateway (ISG) is a Cisco IOS software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. This module describes how to configure ISG accounting, including per-session accounting or per-flow accounting, broadcast accounting, and postpaid tariff switching. Finding Feature InformationYour software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required. Restrictions for ISG AccountingISG accounting supports only the RADIUS protocol. If authentication, authorization, and accounting (AAA) broadcast accounting is used in conjunction with periodic accounting, you cannot configure different accounting periods for different accounting groups. Postpaid billing and tariff switching are not supported on the Cisco 10000-PRE2. Information About ISG Accounting
Overview of ISG AccountingISG supports both per-session and per-flow accounting. Per-session accounting is the aggregate of all the flow traffic for a session. Per-session accounting can be enabled in a user profile or in a service profile or service policy map. Per-flow accounting, which accounts for a subset of session traffic as defined by a traffic class, is enabled in a service profile or service policy map. When per-flow accounting is configured, the Parent-Session-ID vendor-specific attribute (VSA) is included in accounting records so that per-session and per-flow accounting records can be correlated in the RADIUS server. When accounting is configured in a user profile, the service name attribute is not included in accounting records. Session accounting is enabled if the aaa accounting network default command is configured and a AAA method list is specified. (It is recommended that you use a named method list rather than the default method list.) Flow accounting is disabled by default and will take place only if a AAA method list is specified in the service profile or service policy map. ISG accounting sends Accounting-Start, interim, and Accounting-Stop records to the specified AAA method list. ISG Accounting Messages on ANCP PortsAccounting messages sent by ISG for sessions on an Access Node Control Protocol (ANCP) port contain the following AAA attributes: nas-tx-speed, nas-tx-speed-bps, nas-rx-speed, and nas-rx-speed-bps. ISG retrieves the values for these attributes from the Digital Subscriber Line Access Multiplexer (DSLAM) ANCP notification sent to ISG or from the Quality of Service (QoS) policy configured on the interface. When an ANCP port is in an UP state, the attribute values are taken from the DSLAM ANCP notification sent to ISG. If the ANCP port state changes to a DOWN state, the ANCP accounting messages will continue to contain the AAA attributes sent in the DSLAM notification. If the ANCP-port state has never been set to the UP state, ISG can retrieve the nas-tx-speed, nas-tx-speed-bps, nas-rx-speed, and nas-rx-speed-bps AAA attributes from the QoS policy on that interface. In order to retrieve the AAA attributes from the QoS policy, the policy must be configured prior to the configuration of the ANCP neighbor, otherwise ISG uses the previous values (if any) for the AAA attributes when a session is established. If the QoS policy values are changed, ISG continue to use the previous values until the ANCP neighbor is removed and reconfigured. ISG Accounting RecordsISG accounting uses the RADIUS protocol to facilitate interaction between ISG and an external RADIUS-based AAA or mediation server. ISG sends accounting records with the associated attributes to the AAA accounting method list when the following events occur: account logon, account logoff, service logon, and service logoff. The accounting server can be configured to interpret the records to generate bills for postpaid sessions. Account Logon and LogoffISG sends a RADIUS Accounting-Request record to the specified AAA method list when a subscriber logs onto or off of ISG. The Acct-Status-Type attribute included in the Accounting-Request record indicates if the record marks the start (commencement) of the subscriber session or the stop (termination) of the session. When the aaa accounting command is enabled with the system, default, start-stop, and groupkeywords, accounting records are sent to the AAA server. When a subscriber logs on, ISG sends an Accounting-Start record to the AAA server. When a subscriber logs off, ISG sends an Accounting-Stop record. Service Logon and LogoffISG sends a RADIUS Accounting-Start record to the AAA server when a service is activated for a subscriber, and it sends an Accounting-Stop record when a service is deactivated. The record contains a different accounting session ID from the accounting session ID of the parent session. The Acct-Status-Type attribute included in the Accounting-Request record indicates whether the record marks the start or the end of the service. The name of the service is included in accounting records for service logon and logoff. Accounting records may be sent for events other than account and service logon and logoff. See the "Configuring Accounting" chapter of the Cisco IOS Security Configuration Guide, Release 12.2, for more information. Interim ISG Accounting UpdatesISG supports interim (intermittent) RADIUS accounting updates, which work the same way as âwatchdogâ RADIUS accounting. Accounting updates are sent between the times that ISG sends Accounting-Start and Accounting-Stop records. ISG supports two types of interim accounting: accounting updates for new information (such as a new IP address) and periodic accounting, in which accounting records are sent at a configurable interval. Interim accounting for new information can be enabled or disabled globally. Periodic accounting can be enabled for specific contexts, such as globally, in user profiles, and in services. Broadcast ISG AccountingISG supports AAA broadcast accounting, which is the ability to send user accounting records to multiple RADIUS servers. AAA broadcast accounting provides service providers with geographical redundancy for RADIUS servers, and provides accounting records to partners in wholesale models. For information about configuring AAA broadcast accounting, see the "Configuring Accounting" chapter in the âAuthentication, Authorization, and Accountingâ part of the Cisco IOS Security Configuration Guide. ISG Postpaid Tariff SwitchingISG postpaid tariff switching allows changes in tariffs during the lifetime of a connection. This feature applies to time-based or volume-based postpaid sessions in which the tariff changes at certain times of the day. Typically, a service provider would use postpaid tariff switching to offer different tariffs to a subscriber while the subscriber is still connected; for example, changing a subscriber to a less expensive tariff during off-peak hours. To handle tariff switches for postpaid connections, the accounting packets log the usage information during the various tariff-switch intervals. The service profile contains a weekly tariff-switch plan detailing the times of day at which tariff changes occur. ISG monitors the usage at every tariff-switch point and records this information in interim accounting records. The billing server monitors all interim accounting updates and obtains the information about the traffic sent at each tariff rate. How to Configure ISG Accounting
Enabling ISG Per-Session AccountingPer-session accounting can be configured in the following configuration sources: This procedure contains the following sections:
PrerequisitesISG sends accounting records to the authentication, authorization, and accounting (AAA) method list specified in the user profile, service profile, or service policy map. The tasks in this section assume that you have configured a AAA method list by using the aaa accounting command. See the Cisco IOS Security Command Reference for more information. AAA servers must be configured to support ISG accounting. Enabling Per-Session Accounting in a User Profile on a AAA ServerUse the attributes in this procedure to enable per-session accounting in a user profile on a AAA server. When accounting is configured in the user profile instead of the service profile, the Service Name attribute does not appear in the accounting. DETAILED STEPS Enabling Per-Session Accounting in a Service Profile on a AAA ServerUse the attributes in this procedure to enable per-session accounting in a service profile on a AAA server. Note that for per-session accounting the traffic class attribute should not be included in the service profile. DETAILED STEPS Enabling Per-Session Accounting in a Service Policy Map on the RouterTo configure per-session accounting in a service policy map on the router, you must configure an empty traffic class map (a traffic class map that does not specify an access list) and enable accounting within the empty traffic class in a service policy map. Perform this task to enable per-session accounting in a service policy map. DETAILED STEPS Enabling ISG Per-Flow AccountingISG per-flow accounting can be configured in the following configuration sources: This procedure contains the following sections:
PrerequisitesISG sends accounting records to the authentication, authorization, and accounting (AAA) method list specified in the user profile, service profile, or service policy map. The tasks in this section assume that you have configured a AAA method list by using the aaa accounting command. See the Cisco IOS Security Command Reference for more information. AAA servers must be configured to support ISG accounting. Enabling Per-Flow Accounting in a Service Profile on the AAA Server
SUMMARY STEPS
DETAILED STEPS Enabling Per-Flow Accounting in a Service Policy Map on the RouterBefore You Begin
SUMMARY STEPS
This task assumes that you have defined a traffic class map and associated IP access lists. See the module "Configuring ISG Subscriber Services" for more information about configuring traffic classes. DETAILED STEPS
Configuring ISG Postpaid Tariff SwitchingISG postpaid tariff switching can be configured in the service profile on a AAA server. If you include a traffic class in the service profile, postpaid tariff switching will apply to the specified flow. If you do not configure a traffic class, postpaid tariff switching will apply to the session. Perform this task to configure per-session or per-flow postpaid tariff switching. Before You Begin
SUMMARY STEPS
ISG per-session or per-flow accounting must be configured in order for postpaid tariff switching to work. DETAILED STEPS
Verifying ISG Accounting and Postpaid Tariff Switching
Examplesshow subscriber session Output When ISG Accounting Is Applied to a FlowIn the following example, ISG accounting is configured in a service profile that specifies a traffic class, which means that accounting will be performed on the flow and not the parent session. In this example, 157 is the unique ID of the traffic class.
Router# show subscriber session detailed uid 157
Subscriber session handle: E5000092, state: connected, service: Ltm Internal
Unique Session ID: 157
Identifier:
SIP subscriber access type(s): Traffic-Class
Root SIP Handle: 2B000011, PID: 76
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 3 minutes, 45 seconds, Last Changed: 3 minutes, 45 seconds
AAA unique ID: 0
Switch handle: F300015F
Session inbound features:
Feature: Service accounting
Service: video1
Method List: remote-local
Outbound direction:
Packets = 84, Bytes = 33600 Feature: Policing Upstream Params: Average rate = 8000, Normal burst = 1500, Excess burst = 3000 Config level = Service Session outbound features: Feature: Service accounting Service: video1 Method List: remote-local Outbound direction: Packets = 84, Bytes = 33600 Feature: Policing Dnstream Params: Average rate = 64000, Normal burst = 12000, Excess burst = 24000 Config level = Service Configuration sources associated with this session: Service: video1, Active Time = 3 minutes, 46 seconds show subscriber session Output When ISG Accounting Is Applied to a SessionThe following example shows sample output from the show subscriber session command for a session rather than a flow:
Router# show subscriber session detailed uid 730
Subscriber session handle: 3800009A, state: connected, service: Local Term
Unique Session ID: 730
Identifier: igq2acct
SIP subscriber access type(s): IP-Interface/Account-Logon-CH
Root SIP Handle: A600000E, PID: 75
Child SIP Handle: F9000018, PID: 73
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 3 minutes, 57 seconds, Last Changed: 2 minutes, 59 seconds
AAA unique ID: 81
Switch handle: 890003A0
Interface: ATM6/0.1
Policy information:
Authentication status: authen
Config downloaded for session policy:
From Access-Type: Account-Logon-CH, Client: SM, Event: Got More Keys
Profile name: apply-config-only, 2 references
ssg-account-info "SAfoo"
Rules, actions and conditions executed:
subscriber rule-map rule1
condition always event any-event
action 1 authenticate
Session inbound features:
Feature: Session accounting
Method List: foo
Outbound direction:
Packets = 10, Bytes = 1000
Session outbound features:
Feature: Session accounting
Method List: foo
Outbound direction:
Packets = 10, Bytes = 1000
Configuration sources associated with this session:
Interface: ATM6/0.1, Active Time = 3 minutes, 58 seconds This example shows the output from the show aaa sessions command:
Router# show aaa sessions
Total sessions since last reload: 141
Session Id: 167
Unique Id: 151
User Name: *not available*
IP Address: 192.168.0.1
Idle Time: 0
CT Call Handle: 0
The following examples show the output from the show aaa user command: Output for a Specific UserUnique id 151 is currently in use. Accounting: log=0x20C201 Events recorded : CALL START NET UP IPCP_PASS INTERIM START VPDN NET UP update method(s) : PERIODIC update interval = 60 Outstanding Stop Records : 0 Dynamic attribute list: 1A1CABE8 0 00000001 connect-progress(68) 4 Call Up 1A1CABF8 0 00000001 pre-session-time(294) 4 0(0) 1A1CAC08 0 00000001 nas-tx-speed(421) 4 423630024(194014C8) 1A1CAC18 0 00000001 nas-rx-speed(71) 4 139317740(84DD1EC) 1A1CAC28 0 00000001 elapsed_time(364) 4 46122(B42A) 1A1CAC50 0 00000001 bytes_in(135) 4 11434660(AE7AA4) 1A1CAC60 0 00000001 bytes_out(274) 4 0(0) 1A1CAC70 0 00000001 pre-bytes-in(290) 4 0(0) 1A1CAC80 0 00000001 pre-bytes-out(291) 4 0(0) 1A1CAC90 0 00000001 paks_in(136) 4 92215(16837) 1A1CADF0 0 00000001 paks_out(275) 4 0(0) 1A1CAE00 0 00000001 pre-paks-in(292) 4 0(0) 1A1CAE10 0 00000001 pre-paks-out(293) 4 0(0) No data for type EXEC No data for type CONN NET: Username=(n/a) Session Id=000000A7 Unique Id=00000097 Start Sent=1 Stop Only=N stop_has_been_sent=N Method List=189F046C : Name = CAR_mlist Attribute list: 1A1CADF0 0 00000001 session-id(361) 4 167(A7) 1A1CAE00 0 00000001 protocol(297) 4 ip 1A1CAE10 0 00000001 addr(8) 4 192.168.0.1 1A1CAE20 0 00000001 Framed-Protocol(101) 4 PPP 1A1CAE30 0 00000009 clid-mac-addr(37) 6 00 00 04 00 00 2A -------- No data for type CMD No data for type SYSTEM No data for type RM CALL No data for type RM VPDN No data for type AUTH PROXY No data for type 8 No data for type CALL No data for type VPDN-TUNNEL No data for type VPDN-TUNNEL-LINK No data for type 12 No data for type IPSEC-TUNNEL No data for type RESOURCE No data for type 15 Debg: No data available Radi: No data available Interface: TTY Num = -1 Stop Received = 0 Byte/Packet Counts till Call Start: Start Bytes In = 0 Start Bytes Out = 0 Start Paks In = 0 Start Paks Out = 0 Byte/Packet Counts till Service Up: Pre Bytes In = 0 Pre Bytes Out = 0 Pre Paks In = 0 Pre Paks Out = 0 Cumulative Byte/Packet Counts : Bytes In = 11434660 Bytes Out = 0 Paks In = 92215 Paks Out = 0 StartTime = 12:02:40 IST Oct 16 2007 AuthenTime = 12:02:40 IST Oct 16 2007 Component = IEDGE_ACCOUNTING Authen: service=NONE type=NONE method=RADIUS Kerb: No data available Meth: No data available Preauth: No Preauth data. General: Unique Id = 00000097 Session Id = 000000A7 Attribute List: 1A1CADF0 0 00000001 port-type(198) 4 PPPoE over VLAN 1A1CAE00 0 00000009 interface(194) 7 4/0/0/2 PerU: No data available Output for All Users
Router# show aaa user all
--------------------------------------------------
Unique id 151 is currently in use.
Accounting:
log=0x20C201
Events recorded :
CALL START
NET UP
IPCP_PASS
INTERIM START
VPDN NET UP
update method(s) :
PERIODIC
update interval = 60
Outstanding Stop Records : 0
Dynamic attribute list:
1A1CABE8 0 00000001 connect-progress(68) 4 Call Up
1A1CABF8 0 00000001 pre-session-time(294) 4 0(0)
1A1CAC08 0 00000001 nas-tx-speed(421) 4 423630024(194014C8)
1A1CAC18 0 00000001 nas-rx-speed(71) 4 139317740(84DD1EC)
1A1CAC28 0 00000001 elapsed_time(364) 4 46122(B42A)
1A1CAC50 0 00000001 bytes_in(135) 4 11434660(AE7AA4)
1A1CAC60 0 00000001 bytes_out(274) 4 0(0)
1A1CAC70 0 00000001 pre-bytes-in(290) 4 0(0)
1A1CAC80 0 00000001 pre-bytes-out(291) 4 0(0)
1A1CAC90 0 00000001 paks_in(136) 4 92215(16837)
1A1CADF0 0 00000001 paks_out(275) 4 0(0)
1A1CAE00 0 00000001 pre-paks-in(292) 4 0(0)
1A1CAE10 0 00000001 pre-paks-out(293) 4 0(0)
No data for type EXEC
No data for type CONN
NET: Username=(n/a)
Session Id=000000A7 Unique Id=00000097
Start Sent=1 Stop Only=N
stop_has_been_sent=N
Method List=189F046C : Name = CAR_mlist
Attribute list:
1A1CADF0 0 00000001 session-id(361) 4 167(A7)
1A1CAE00 0 00000001 protocol(297) 4 ip
1A1CAE10 0 00000001 addr(8) 4 192.168.0.1
1A1CAE20 0 00000001 Framed-Protocol(101) 4 PPP
1A1CAE30 0 00000009 clid-mac-addr(37) 6 00 00 04 00 00 2A
--------
No data for type CMD
No data for type SYSTEM
No data for type RM CALL
No data for type RM VPDN
No data for type AUTH PROXY
No data for type 8
No data for type CALL
No data for type VPDN-TUNNEL
No data for type VPDN-TUNNEL-LINK
No data for type 12
No data for type IPSEC-TUNNEL
No data for type RESOURCE
No data for type 15
Debg: No data available
Radi: No data available
Interface:
TTY Num = -1
Stop Received = 0
Byte/Packet Counts till Call Start:
Start Bytes In = 0 Start Bytes Out = 0
Start Paks In = 0 Start Paks Out = 0
Byte/Packet Counts till Service Up:
Pre Bytes In = 0 Pre Bytes Out = 0
Pre Paks In = 0 Pre Paks Out = 0
Cumulative Byte/Packet Counts :
Bytes In = 11434660 Bytes Out = 0
Paks In = 92215 Paks Out = 0
StartTime = 12:02:40 IST Oct 16 2007
AuthenTime = 12:02:40 IST Oct 16 2007
Component = IEDGE_ACCOUNTING
Authen: service=NONE type=NONE method=RADIUS
Kerb: No data available
Meth: No data available
Preauth: No Preauth data.
General:
Unique Id = 00000097
Session Id = 000000A7
Attribute List:
1A1CADF0 0 00000001 port-type(198) 4 PPPoE over VLAN
1A1CAE00 0 00000009 interface(194) 7 4/0/0/2
PerU: No data available
Configuration Examples for ISG AccountingPer-Flow Accounting ExamplesPer-Flow Accounting Configured in a Local Service Policy MapThe following example shows per-flow accounting configured in a service policy map for a service called âvideo1â: class-map type traffic match-any video1 match access-group output 101 match access-group input 100 policy-map type service video1 class type traffic video1 accounting aaa list mlist1 Per-Flow Accounting Configured in a Service Profile on the AAA ServerThe following example shows per-flow accounting configured in a remote service profile for a service called âvideo1â: video1 Password = "cisco" Cisco-AVpair = "traffic-class=input access-group 101 priority 20", Cisco-AVpair = "traffic-class=output access-group 112 priority 20", Cisco-Avpair = "accounting-list=remote-local", Service-Info = "QU;8000", Service-Info = "QD;64000" ISG Postpaid Tariff Switching ExamplesThe following example shows the configuration of a postpaid tariff switch each day of the week at midnight: Cisco-AVpair = "PPW00:00:00:127" The following example shows the configuration of a postpaid tariff switch Monday through Friday at 8:00 p.m.: Cisco-AVpair = "PPW20:00:00:31" The following example shows the configuration of a postpaid tariff switch Monday through Friday at 6:00 a.m.: Cisco-AVpair = "PPW06:00:00:31" Additional ReferencesRelated Documents
MIBsTechnical Assistance
Feature Information for ISG AccountingThe following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||