- Read Me First
- Overview of ISG
- Configuring ISG Control Policies
- Configuring ISG Access for PPP Sessions
- Configuring ISG Access for IP Subscriber Sessions
- Configuring ISG IPv6 Support
- Configuring MQC Support for IP Sessions
- Configuring ISG Port-Bundle Host Key
- Configuring ISG as a RADIUS Proxy
- Configuring ISG as a RADIUS Proxy in Passthrough Mode
- ISG RADIUS Proxy Support for Mobile Users—Hotspot Roaming and Accounting Start Filtering
- Walk-By User Support in ISG
- ISG L2 Subscriber Roaming
- Configuring RADIUS-Based Policing
- Overview for Framed Route
- ISG Dynamic VLAN Interface Provisioning
- Ambiguous VLAN Support for IP sessions over ISG
- Configuring ISG Policies for Automatic Subscriber Logon
- Configuring DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon
- Enabling ISG to Interact with External Policy Servers
- Configuring ISG Subscriber Services
- Configuring ISG Network Forwarding Policies
- Configuring ISG Accounting
- Configuring ISG Support for Prepaid Billing
- Configuring ISG Policies for Session Maintenance
- Redirecting Subscriber Traffic Using ISG Layer 4 Redirect
- Configuring Layer 4 Redirect Logging
- Configuring ISG Policies for Regulating Network Access
- Configuring ISG Integration with SCE
- Service Gateway Interface
- ISG MIB
- ISG SSO and ISSU
- ISG Debuggability
- Troubleshooting ISG with Session Monitoring and Distributed Conditional Debugging
- Configuring ISG Troubleshooting Enhancements
- Gx Diameter Support for ISG sessions
- DHCPv6 Support for ISG
- Finding Feature Information
- Prerequisites for ISG Accounting
- Restrictions for ISG Accounting
- Information About ISG Accounting
- How to Configure ISG Accounting
- Configuration Examples for ISG Accounting
- Example: Enabling ISG per-Flow Accounting
- Example: Enabling ISG per-Service Accounting
- Example: Enabling a per-User Accounting List
- Example: Enabling ISG per-Service Accounting in a Service Policy Map
- Example: Configuring Postpaid Tariff Switching
- Example: Enabling Periodic Session Update
- Examples: Verifying ISG Accounting and Postpaid Tariff Switching
- Example: Troubleshooting ISG Accounting
- Additional References
- Feature Information for ISG Accounting
Configuring ISG Accounting
The Intelligent Services Gateway (ISG) is a Cisco software feature set that provides a structured framework to edge devices that can deliver flexible and scalable services to subscribers. This module describes how to configure ISG accounting, including per-session accounting or per-flow accounting, broadcast accounting, and postpaid tariff switching.
- Finding Feature Information
- Prerequisites for ISG Accounting
- Restrictions for ISG Accounting
- Information About ISG Accounting
- How to Configure ISG Accounting
- Configuration Examples for ISG Accounting
- Additional References
- Feature Information for ISG Accounting
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for ISG Accounting
Configure the authentication, authorization, and accounting (AAA) method list using the aaa accounting command before configuring Intelligent Services Gateway (ISG) accounting. ISG sends accounting records to the AAA method list specified in the user profile, service profile, or service policy map. For more information about the AAA commands, see the Cisco IOS Security Command Reference: Commands A to C .
AAA servers must be configured to support ISG accounting.
Restrictions for ISG Accounting
Information About ISG Accounting
- Overview of ISG Accounting
- ISG Accounting Records
- Interim ISG Accounting Updates
- Broadcast Accounting
- ISG Postpaid Tariff Switching
- Subscriber Accounting Accuracy
- HA Support for ISG Accounting
Overview of ISG Accounting
Intelligent Services Gateway (ISG) supports per-session, per-service, or per-flow accounting. Per-session accounting is the aggregate of all the flow traffic for a session and it can be enabled in a user profile.
Per-flow accounting, which accounts for a subset of session traffic as defined by a traffic class, is enabled in a service profile or service policy map. When per-flow accounting is configured, the Parent-Session-ID vendor-specific attribute (VSA) is included in accounting records so that per-session and per-flow accounting records can be correlated in the RADIUS server.
Within a subscriber session, per-service accounting enables RADIUS to track services when they become active and when they stop. Per-service accounting is the aggregate of all flow traffic for the duration of the service. Using this feature, the device includes all activated services for the session in a single accounting start message. Per-service accounting can be enabled in a service profile or service policy map. When per-service accounting is configured, the service name and Parent-Session-ID attributes are included in accounting records.
 Note | When accounting is configured in a user profile, the service name attribute is not included in accounting records. |
Session accounting is enabled if the aaa accounting network default command is configured and a authentication, authorization, and accounting (AAA) method list is specified. We recommend that you use a named method list rather than the default method list. Flow accounting is disabled by default and will take place only if a AAA method list is specified in the service profile or a service policy map. ISG accounting sends Accounting-Start, interim, and Accounting-Stop records to the specified AAA method list.
ISG Accounting Messages on ANCP Ports
When an ANCP port is in an up state, the attribute values are taken from the DSLAM ANCP notification sent to ISG. If the ANCP port state changes to a down state, the ANCP accounting messages will continue to contain the AAA attributes sent in the DSLAM notification.
If the ANCP port state has never been set to up, ISG can retrieve the nas-tx-speed, nas-tx-speed-bps, nas-rx-speed, and nas-rx-speed-bps AAA attributes from the QoS policy on that interface.
To retrieve the AAA attributes from the QoS policy, the policy must be configured before the configuration of the ANCP neighbor; otherwise, ISG uses the previous values (if any) for the AAA attributes when a session is established.
If the QoS policy values are changed, ISG continues to use the previous values until the ANCP neighbor is removed and reconfigured.
Service Activation and Deactivation Configuration on RADIUS
You can configure Cisco VSA 250 and VSA 252 in the service profile on RADIUS to dynamically activate and deactivate services. RADIUS uses VSA 250 in Access-Accept and VSA 252 in Change of Authorization (CoA) messages. These VSAs have the following syntax:
252 0b "service(parameter1=value,parameter2=value,...)" 250 "service(parameter1=value,parameter1=value,...)"
When deactivating a service, RADIUS sends the same information in VSA 252 that was used for service activation, except that service deactivation uses 0c parameters in the VSA instead of the 0b parameter used for service activation. VSA 252 has the following syntax for service deactivation:
252 0xC "service(parameter1=value,parameter2=value,...)"
ISG Accounting Records
Intelligent Services Gateway (ISG) accounting uses the RADIUS protocol to facilitate interaction between ISG and an external RADIUS-based authentication, authorization, and accounting (AAA) server or a mediation server. ISG sends accounting records with the associated attributes to the AAA accounting method list when the following events occur—account logon, account logoff, service logon, and service logoff. The accounting server can be configured to interpret the accounting records to generate bills for postpaid sessions.
Account Logon and Logoff
ISG sends a RADIUS Accounting-Request record to the specified AAA method list when a subscriber logs on to or out off ISG. The Acct-Status-Type attribute included in the Accounting-Request record indicates if the record marks the start (commencement) of the subscriber session or the stop (termination) of the session.
When the aaa accounting command is enabled with the system, default, start-stop, and group keywords, accounting records are sent to the AAA server. When a subscriber logs on, ISG sends an Accounting-Start record to the AAA server. When a subscriber logs off, ISG sends an Accounting-Stop record to the AAA server.
Service Logon and Logoff
ISG sends a RADIUS Accounting-Start record to the AAA server when a service is activated for a subscriber, and it sends an Accounting-Stop record when a service is deactivated. The record contains an accounting session ID that is different from the accounting session ID of the parent session.
The Acct-Status-Type attribute included in the Accounting-Request record indicates whether the record marks the start or the end of the service. The name of the service is included in accounting records for service logon and logoff.
Accounting records may be sent for events other than account and service logon and logoff. See the Securing User Services Configuration Guide Library for more information.
Interim ISG Accounting Updates
Intelligent Services Gateway (ISG) supports interim (intermittent) RADIUS accounting updates that work the same way as “watchdog” RADIUS accounting. Accounting updates are sent between the time that ISG sends Accounting-Start and Accounting-Stop records.
ISG supports two types of interim accounting—accounting updates for new information (such as a new IP address) and periodic accounting, in which accounting records are sent at a configurable interval.
Interim accounting can be enabled or disabled globally for new information. Periodic accounting can be enabled for specific contexts, such as globally, in user profiles, and in services.
Broadcast Accounting
Intelligent Services Gateway (ISG) supports authentication, authorization, and accounting (AAA) broadcast accounting, which is the ability to send user accounting records to multiple RADIUS servers. AAA broadcast accounting provides service providers with geographical redundancy for RADIUS servers and provides accounting records to partners in wholesale models. For information about configuring AAA broadcast accounting, see the “Configuring Accounting” chapter in the Cisco Authentication, Authorization, and Accounting Configuration Guide.
ISG Postpaid Tariff Switching
The Intelligent Services Gateway (ISG) Postpaid Tariff Switching feature allows changes in tariffs during the lifetime of a connection. This feature applies to time-based or volume-based postpaid sessions in which the tariff changes at certain times of the day.
Typically, a service provider would use postpaid tariff switching to offer different tariffs to a subscriber while the subscriber is still connected. For example, changing a subscriber to a less expensive tariff during off-peak hours.
To handle tariff switches for postpaid connections, accounting packets log the usage information during the various tariff-switch intervals. The service profile contains a weekly tariff-switch plan detailing the times of day during which tariff changes occur. ISG monitors the usage at every tariff-switch point and records this information in interim accounting records. The billing server monitors all the interim accounting updates and obtains the information about the traffic sent at each tariff rate.
Note | Tariff switching is not required for time-based billing services. Because the billing server knows the service logon and logoff time stamps, it can calculate the various tariffs that apply during that time. |
Subscriber Accounting Accuracy
The Subscriber Accounting Accuracy feature guarantees that the I/O packet/byte statistics in the Accounting-Stop record are accurate to within one second.
Subscriber accounting data is sent to authentication, authorization, and accounting (AAA) servers during the following events:
Use the subscriber accounting accuracy milliseconds command to set the value for the Subscriber Accounting Accuracy feature.
HA Support for ISG Accounting
The accounting start and stop records that Intelligent Services Gateway (ISG) sends to an external RADIUS accounting server contains cumulative counters associated with subscriber sessions. ISG can also send interim accounting records containing the latest time and volume statistics at periodic intervals during a session’s lifetime. This information is correlated by a third-party billing software to generate billing records for the subscriber.
The ISG stateful switchover (SSO) and In Service Software Upgrade (ISSU) feature adds high availability (HA) support to the ISG session, service, and flow accounting. This HA support includes a periodic session update feature that enables ISG to retain cumulative accounting counters associated with the subscriber sessions after an SSO or ISSU event. Configuring this feature prevents the new active processor from restarting the accounting counters from zero after an SSO event. You can also specify that the first record sent after an SSO event is an interim accounting record for sessions, services, and flows that survive the switchover.
For information about configuring HA on the ISG device, see the High Availability Configuration Guide.
How to Configure ISG Accounting
- Enabling ISG per-Session Accounting
- Enabling ISG per-Flow Accounting
- Enabling ISG per-Service Accounting
- Configuring ISG Postpaid Tariff Switching
- Verifying ISG Accounting and Postpaid Tariff Switching
- Enabling Periodic Session Update
- Verifying Periodic Session Update
- Troubleshooting ISG Accounting
Enabling ISG per-Session Accounting
Per-session accounting can be configured in the user profile of a authentication, authorization, and accounting (AAA) server.
This task contains the following sections:
- Enabling ISG per-Session Accounting in a User Profile on a AAA Server
- Enabling a per-User Accounting List
Enabling ISG per-Session Accounting in a User Profile on a AAA Server
Use the attributes given in this procedure to enable per-session accounting in a user profile on an authentication, authorization, and accounting (AAA) server.
Note | You must configure a service for an accounting list before enabling a per-session accounting in a user profile. A per-session accounting list cannot be applied on a session in Intelligent Services Gateway (ISG) if a service is not configured; that is, you must have a dummy service configured under the accounting list when there is no service configured. |
1. Cisco-Attribute-Value pair (AVpair)=“accounting-list=accounting-mlist-name”
2. IETF RADIUS attribute Acct-Interim-Interval (attribute 85)
DETAILED STEPS
Enabling a per-User Accounting List
Perform this task to enable a dummy service on an accounting list. A dummy service is a string that is used to get an authorization from a server for a user profile when no service is configured.
1. userxxx2@cisco.com Cleartext-Password := “cisco111”
2. Cisco-Account-Info += “ADUMMYSERVICE”,
DETAILED STEPS
Enabling ISG per-Flow Accounting
Intelligent Services Gateway (ISG) per-flow accounting can be configured in the following configuration sources:
This procedure contains the following sections:
- Enabling ISG per-Flow Accounting in a Service Profile on the AAA Server
- Enabling ISG per-Flow Accounting in a Service Policy Map
Enabling ISG per-Flow Accounting in a Service Profile on the AAA Server
Perform this task to configure a per-flow accounting in a service profile on the authentication, authorization, and accounting (AAA) server.
This task assumes that you have defined IP access lists for specifying the traffic.
1. Cisco-AVpair=“ip:traffic-class={in | out} access-group [acl-number | name acl-name] [priority n]”
2. Cisco-AVpair=“accounting-list=accounting-mlist-name”
3. IETF RADIUS attribute Acct-Interim-Interval (attribute 85)
DETAILED STEPS
Enabling ISG per-Flow Accounting in a Service Policy Map
Perform this task to enable accounting in a local service policy map for the device for a specific flow.
This task assumes that you have defined a traffic class map and associated IP access lists. See the module “Configuring ISG Subscriber Services” for more information about configuring traffic classes.
1.
enable
2.
configure
terminal
3.
policy-map
type
service
policy-map-name
4.
class
type
traffic
class-map-name
5.
accounting
aaa
list
AAA-method-list
6.
end
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable
Example: Device> enable |
Enables privileged EXEC mode. |
| Step 2 |
configure
terminal
Example: Device# configure terminal |
Enters global configuration mode. |
| Step 3 |
policy-map
type
service
policy-map-name
Example: Device(config)# policy-map type service service1 |
Creates or defines a service policy map, which is used to define an Intelligent Services Gateway (ISG) service and enters service policy-map configuration mode. |
| Step 4 |
class
type
traffic
class-map-name
Example: Device(config-service-policymap)# class type traffic firstclass |
Associates a previously configured traffic class with the policy map and enters control policy-map traffic class configuration. |
| Step 5 |
accounting
aaa
list
AAA-method-list
Example: Device(config-control-policymap-class-traffic)# accounting aaa list list1 |
Enables accounting and specifies the authentication, authorization, and accounting (AAA) method list to which accounting updates will be sent. |
| Step 6 |
end
Example: Device(config-control-policymap-class-traffic)# end |
Returns to privileged EXEC mode. |
Enabling ISG per-Service Accounting
Per-service accounting can be configured in the following configuration sources:
This procedure contains the following sections:
- Enabling per-Service Accounting on ISG
- Enabling per-Service Accounting in a Service Profile on a AAA Server
- Enabling per-Service Accounting in a Service Policy Map
Enabling per-Service Accounting on ISG
1.
enable
2.
configure
terminal
3.
subscriber service multiple-accept
4.
subscriber service session-accounting
5.
end
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable
Example: Device> enable |
|
| Step 2 |
configure
terminal
Example: Device# configure terminal |
Enters global configuration mode. |
| Step 3 |
subscriber service multiple-accept
Example: Device(config)# subscriber service multiple-accept |
Enables multiple services in a single Access-Accept message. |
| Step 4 |
subscriber service session-accounting
Example: Device(config)# subscriber service session-accounting |
Enables subscriber services accounting. |
| Step 5 |
end
Example: Device(config)# end |
Returns to privileged EXEC mode. |
Enabling per-Service Accounting in a Service Profile on a AAA Server
Use the attributes in this procedure to enable per-service accounting in a service profile on a authentication, authorization, and accounting (AAA) server. Note that for per-service accounting, the traffic class attribute should not be included in the service profile.
1. Cisco-AVpair=“accounting-list=accounting_mlist_name”
2. IETF RADIUS attribute Acct-Interim-Interval (attribute 85)
DETAILED STEPS
| Step 1 | Cisco-AVpair=“accounting-list=accounting_mlist_name”
Adds the Accounting attribute to the service profile. This attribute enables accounting and specifies the AAA method list to which accounting updates will be sent. |
| Step 2 | IETF RADIUS attribute Acct-Interim-Interval (attribute 85)
(Optional) Adds the Acct-Interim-Interval (attribute 85) to the service profile. This attribute specifies the number of seconds between interim updates. |
Enabling per-Service Accounting in a Service Policy Map
To configure a per-service accounting in a service policy map on the device, you must configure an empty traffic class map (a traffic class map that does not specify an access list) and enable accounting within the empty traffic class in the service policy map.
1.
enable
2.
configure terminal
3.
class-map type traffic match-any
class-map-name
4.
exit
5.
policy-map type service
policy-map-name
6.
class type traffic
class-map-name
7.
accounting aaa list
AAA-method-list
8.
end
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable
Example: Device> enable |
Enables privileged EXEC mode. |
| Step 2 |
configure terminal
Example: Device# configure terminal |
Enters global configuration mode. |
| Step 3 |
class-map type traffic match-any
class-map-name
Example: Device(config)# class-map type traffic match-any empty_class |
Creates or modifies a traffic class map, which is used for matching packets to a specified ISG traffic class, and enters traffic class-map configuration mode. |
| Step 4 |
exit
Example: Device(config-traffic-classmap)# exit |
Exits traffic class-map configuration mode. |
| Step 5 |
policy-map type service
policy-map-name
Example: Device(config)# policy-map type service polmap1 |
Creates or defines a service policy map, which is used to define an ISG service, and enters service policy-map configuration mode. |
| Step 6 |
class type traffic
class-map-name
Example: Device(config-service-policymap)# class type traffic empty_class |
Associates a traffic class map with the service policy map and enters service policy-map traffic class configuration mode. |
| Step 7 |
accounting aaa list
AAA-method-list
Example: Device(config-service-policymap-class-traffic)# accounting aaa list list1 |
Enables accounting and specifies the authentication, authorization, and accounting (AAA) method list to which accounting updates will be sent. |
| Step 8 |
end
Example: Device(config-service-policymap-class-traffic)# end |
Returns to privileged EXEC mode. |
Configuring ISG Postpaid Tariff Switching
ISG postpaid tariff switching can be configured in the service profile on a authentication, authorization, and accounting (AAA) server.
If you include a traffic class in the service profile, postpaid tariff switching will apply to the specified flow. If you do not configure a traffic class, postpaid tariff switching will apply to the session. Perform this task to configure per-session or per-flow postpaid tariff switching.
Intelligent Services Gateway (ISG) per-session or per-flow accounting must be configured for postpaid tariff switching to work.
1. Cisco-AVpair = “PPWhh:mm:ss:d”
2. Cisco-AVpair = “ip:traffic-class={in | out} access-group [acl-number | name acl-name ] [priority n ]”
DETAILED STEPS
| Step 1 | Cisco-AVpair = “PPWhh:mm:ss:d”
Adds the postpaid VSA to the service profile. This attribute specifies the weekly tariff-switch points for postpaid tariff switching. The syntax description is as follows: hh :mm:ss:d—Weekly tariff-switch time. |
| Step 2 | Cisco-AVpair = “ip:traffic-class={in | out} access-group [acl-number
| name
acl-name ] [priority
n ]”
Adds the ISG traffic class attribute to the service profile. This attribute specifies input and output traffic to which the service will apply. Both an input and output traffic classifier can be added to a service profile. |
What to Do Next
You may want to configure a method of activating the service policy map or service profile. For example, control policies can be used to activate services. For more information about methods of service activation, see the “Configuring ISG Subscriber Services” module.
Verifying ISG Accounting and Postpaid Tariff Switching
To verify and troubleshoot Intelligent Services Gateway (ISG) accounting and postpaid tariff switching, use any of the following commands in privileged EXEC mode. You can use these commands in any order.
1.
show
subscriber
session
2.
show
aaa
sessions
3.
show
aaa
user
{all |
unique
id}
4.
show
sss
session
[all]
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
show
subscriber
session
Example: Device# show subscriber session |
Displays ISG subscriber session information. |
| Step 2 |
show
aaa
sessions
Example: Device# show aaa sessions |
Displays authentication, authorization, and accounting (AAA) subscriber session information. |
| Step 3 |
show
aaa
user
{all |
unique
id}
Example: Device# show aaa user all |
Displays AAA subscriber information for all users or a specified user. |
| Step 4 |
show
sss
session
[all]
Example: Device# show sss session |
Displays Subscriber Service Switch (SSS) session status. |
Enabling Periodic Session Update
Perform this task to enable Intelligent Services Gateway (ISG) to periodically synchronize the dynamic accounting statistics (counters) for subscriber sessions on the standby processor, to suppress accounting on and accounting off messages during a switchover, or to send the interim accounting record first after a switchover.
1.
enable
2.
configure terminal
3.
subscriber redundancy dynamic periodic-update interval
minutes
4.
aaa accounting redundancy suppress system-records
5.
aaa accounting redundancy best-effort-reuse send-interim
6.
end
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable
Example: Device> enable |
Enables privileged EXEC mode. |
| Step 2 |
configure terminal
Example: Device# configure terminal |
Enters global configuration mode. |
| Step 3 |
subscriber redundancy dynamic periodic-update interval
minutes
Example: Device(config)# subscriber redundancy dynamic periodic-update interval 30 |
Enables periodic update of accounting statistics for subscriber sessions. |
| Step 4 | aaa accounting redundancy suppress system-records
Example: Device(config)# aaa accounting redundancy suppress system-records |
Suppresses accounting on and accounting off messages during a switchover. |
| Step 5 | aaa accounting redundancy best-effort-reuse send-interim
Example: Device(config)# aaa accounting redundancy best-effort-reuse send-interim |
Sends the interim accounting record first after a switchover for session and service accounting. |
| Step 6 |
end
Example: Device(config)# end |
Returns to privileged EXEC mode. |
Verifying Periodic Session Update
To verify and troubleshoot the configuration of the periodic session update on the ISG device, use any of the following commands in privileged EXEC mode. You can use these commands in any order.
Command |
Purpose |
|---|---|
|
show ccm clients |
Displays information about cluster control manager (CCM) clients in HA dual RP systems. |
|
show ccm queues |
Displays CCM queue statistics for HA dual RP systems. |
|
show ccm sessions |
Displays information about CCM sessions in HA dual RP systems. |
Troubleshooting ISG Accounting
Use the commands in this task to monitor and troubleshoot Intelligent Services Gateway (ISG) accounting. All these commands are optional and can be entered in any order.
1.
enable
2.
debug aaa accounting
3.
debug radius brief
4.
debug subscriber feature name
accounting
event
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable
Example: Device> enable |
|
| Step 2 | debug aaa accounting
Example: Device# debug aaa accounting
|
Displays information about authentication, authorization, and accounting (AAA) TACACS+ authentication. |
| Step 3 | debug radius brief
Example: Device# debug radius brief
|
Enables debugging of the RADIUS configuration. |
| Step 4 | debug subscriber feature name
accounting
event
Example: Device# debug subscriber feature name accounting event
|
Displays diagnostic information about the installation and removal of ISG features on ISG subscriber sessions. |
Configuration Examples for ISG Accounting
- Example: Enabling ISG per-Flow Accounting
- Example: Enabling ISG per-Service Accounting
- Example: Enabling a per-User Accounting List
- Example: Enabling ISG per-Service Accounting in a Service Policy Map
- Example: Configuring Postpaid Tariff Switching
- Example: Enabling Periodic Session Update
- Examples: Verifying ISG Accounting and Postpaid Tariff Switching
- Example: Troubleshooting ISG Accounting
Example: Enabling ISG per-Flow Accounting
Example: Enabling ISG per-Flow Accounting in a Service Profile on the AAA Server
The following example shows Intelligent Services Gateway (ISG) per-flow accounting configured in a remote service profile for a service called “video1”:
video1 Password = "cisco" Cisco-AVpair = "traffic-class=input access-group 101 priority 20", Cisco-AVpair = "traffic-class=output access-group 112 priority 20", Cisco-Avpair = "accounting-list=remote-local", Service-Info = "QU;8000", Service-Info = "QD;64000"
Example: Enabling ISG per-Flow Accounting in a Service Policy Map
The following example shows ISG per-flow accounting configured in a service policy map for a service called “video1”:
class-map type traffic match-any video1 match access-group output 101 match access-group input 100 ! policy-map type service video1 class type traffic video1 accounting aaa list mlist1
Example: Enabling ISG per-Service Accounting
The following configuration example allows multiple services in a single Access-Accept message and enables session accounting for services. The example also shows how to enable RADIUS to authorize the subscriber to access services.
subscriber service multiple-accept subscriber service session-accounting subscriber authorization enable
Example: Enabling a per-User Accounting List
The following example shows a dummy service configured for an Intelligent Services Gateway (ISG) per-session accounting list configured on an authentication, authorization, and accounting (AAA) server:
userxxx2@cisco.com Cleartext-Password := "cisco111"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 192.168.17.17,
Cisco-Account-Info += "ADUMMYSERVICE",
DUMMYSERVICE Cleartext-Password := "cisco"
Cisco-AVPair+= "accounting-list=testacct",
Example: Enabling ISG per-Service Accounting in a Service Policy Map
The following example shows how to configure per-service accounting in a service policy map on the Intelligent Services Gateway (ISG) device:
class-map type traffic match-any classmap1 ! policy-map type service polmap1 class type traffic classmap1 accounting aaa list mlist1
Example: Configuring Postpaid Tariff Switching
The following example shows the configuration of a postpaid tariff switch each day of the week at midnight:
Cisco-AVpair = "PPW00:00:00:127"
The following example shows the configuration of a postpaid tariff switch Monday through Friday at 8:00 p.m.:
Cisco-AVpair = "PPW20:00:00:31"
The following example shows the configuration of a postpaid tariff switch Monday through Friday at 6:00 a.m.:
Cisco-AVpair = "PPW06:00:00:31"
Example: Enabling Periodic Session Update
subscriber redundancy dynamic periodic-update interval 30 ! aaa accounting redundancy suppress system-records aaa accounting redundancy best-effort-reuse send-interim
Examples: Verifying ISG Accounting and Postpaid Tariff Switching
This section contains examples of output for the “Verifying ISG Accounting and Postpaid Tariff Switching” task.
show subscriber session Output When ISG Accounting Is Applied to a Flow
In the following example, Intelligent Services Gateway (ISG) accounting is configured in a service profile that specifies a traffic class, which means that accounting will be performed on the flow and not the parent session. In this example, 157 is the unique ID of the traffic class.
Device# show subscriber session uid 157 detailed Subscriber session handle: E5000092, state: connected, service: Ltm Internal Unique Session ID: 157 Identifier: SIP subscriber access type(s): Traffic-Class Root SIP Handle: 2B000011, PID: 76 Current SIP options: Req Fwding/Req Fwded Session Up-time: 3 minutes, 45 seconds, Last Changed: 3 minutes, 45 seconds AAA unique ID: 0 Switch handle: F300015F Session inbound features: Feature: Service accounting Service: video1 Method List: remote-local Outbound direction: Packets = 84, Bytes = 33600
Feature: Policing
Upstream Params:
Average rate = 8000, Normal burst = 1500, Excess burst = 3000
Config level = Service
Session outbound features:
Feature: Service accounting
Service: video1
Method List: remote-local
Outbound direction:
Packets = 84, Bytes = 33600
Feature: Policing
Dnstream Params:
Average rate = 64000, Normal burst = 12000, Excess burst = 24000
Config level = Service
Configuration sources associated with this session:
Service: video1, Active Time = 3 minutes, 46 seconds
show subscriber session Output When ISG Accounting Is Applied to a Session
The following is sample output from the show subscriber session command for a session rather than a flow:
Device# show subscriber session uid 730 detailed
Subscriber session handle: 3800009A, state: connected, service: Local Term
Unique Session ID: 730
Identifier: igq2acct
SIP subscriber access type(s): IP-Interface/Account-Logon-CH
Root SIP Handle: A600000E, PID: 75
Child SIP Handle: F9000018, PID: 73
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 3 minutes, 57 seconds, Last Changed: 2 minutes, 59 seconds
AAA unique ID: 81
Switch handle: 890003A0
Interface: ATM6/0.1
Policy information:
Authentication status: authen
Config downloaded for session policy:
From Access-Type: Account-Logon-CH, Client: SM, Event: Got More Keys
Profile name: apply-config-only, 2 references
ssg-account-info "SAfoo"
Rules, actions and conditions executed:
subscriber rule-map rule1
condition always event any-event
action 1 authenticate
Session inbound features:
Feature: Session accounting
Method List: foo
Outbound direction:
Packets = 10, Bytes = 1000
Session outbound features:
Feature: Session accounting
Method List: foo
Outbound direction:
Packets = 10, Bytes = 1000
Configuration sources associated with this session:
Interface: ATM6/0.1, Active Time = 3 minutes, 58 seconds
The following is sample output from the show aaa sessions command:
Device# show aaa sessions Total sessions since last reload: 141 Session Id: 167 Unique Id: 151 User Name: *not available* IP Address: 192.168.0.1 Idle Time: 0 CT Call Handle: 0
Output for a Specific User
The following is sample output from the show aaa user command:
Device# show aaa user
Unique id 151 is currently in use.
Accounting:
log=0x20C201
Events recorded :
CALL START
NET UP
IPCP_PASS
INTERIM START
VPDN NET UP
update method(s) :
PERIODIC
update interval = 60
Outstanding Stop Records : 0
1A1CABE8 0 00000001 connect-progress(68) 4 Call Up
1A1CABF8 0 00000001 pre-session-time(294) 4 0(0)
1A1CAC08 0 00000001 nas-tx-speed(421) 4 423630024(194014C8)
1A1CAC18 0 00000001 nas-rx-speed(71) 4 139317740(84DD1EC)
1A1CAC28 0 00000001 elapsed_time(364) 4 46122(B42A)
1A1CAC50 0 00000001 bytes_in(135) 4 11434660(AE7AA4)
1A1CAC60 0 00000001 bytes_out(274) 4 0(0)
1A1CAC70 0 00000001 pre-bytes-in(290) 4 0(0)
1A1CAC80 0 00000001 pre-bytes-out(291) 4 0(0)
1A1CAC90 0 00000001 paks_in(136) 4 92215(16837)
1A1CADF0 0 00000001 paks_out(275) 4 0(0)
1A1CAE00 0 00000001 pre-paks-in(292) 4 0(0)
1A1CAE10 0 00000001 pre-paks-out(293) 4 0(0)
No data for type EXEC
No data for type CONN
NET: Username=(n/a)
Session Id=000000A7 Unique Id=00000097
Start Sent=1 Stop Only=N
stop_has_been_sent=N
Method List=189F046C : Name = CAR_mlist
Attribute list:
1A1CADF0 0 00000001 session-id(361) 4 167(A7)
1A1CAE00 0 00000001 protocol(297) 4 ip
1A1CAE10 0 00000001 addr(8) 4 192.168.0.1
1A1CAE20 0 00000001 Framed-Protocol(101) 4 PPP
1A1CAE30 0 00000009 clid-mac-addr(37) 6 00 00 04 00 00 2A
--------
No data for type CMD
No data for type SYSTEM
No data for type RM CALL
No data for type RM VPDN
No data for type AUTH PROXY
No data for type 8
No data for type CALL
No data for type VPDN-TUNNEL
No data for type VPDN-TUNNEL-LINK
No data for type 12
No data for type IPSEC-TUNNEL
No data for type RESOURCE
No data for type 15
Debg: No data available
Radi: No data available
Interface:
TTY Num = -1
Stop Received = 0
Byte/Packet Counts till Call Start:
Start Bytes In = 0 Start Bytes Out = 0
Start Paks In = 0 Start Paks Out = 0
Byte/Packet Counts till Service Up:
Pre Bytes In = 0 Pre Bytes Out = 0
Pre Paks In = 0 Pre Paks Out = 0
Cumulative Byte/Packet Counts :
Bytes In = 11434660 Bytes Out = 0
Paks In = 92215 Paks Out = 0
StartTime = 12:02:40 IST Oct 16 2007
AuthenTime = 12:02:40 IST Oct 16 2007
Component = IEDGE_ACCOUNTING
Authen: service=NONE type=NONE method=RADIUS
Kerb: No data available
Meth: No data available
Preauth: No Preauth data.
General:
Unique Id = 00000097
Session Id = 000000A7
Attribute List:
1A1CADF0 0 00000001 port-type(198) 4 PPPoE over VLAN
1A1CAE00 0 00000009 interface(194) 7 4/0/0/2
PerU: No data available
Output for All Users
Device# show aaa user all
--------------------------------------------------
Unique id 151 is currently in use.
Accounting:
log=0x20C201
Events recorded :
CALL START
NET UP
IPCP_PASS
INTERIM START
VPDN NET UP
update method(s) :
PERIODIC
update interval = 60
Outstanding Stop Records : 0
Dynamic attribute list:
1A1CABE8 0 00000001 connect-progress(68) 4 Call Up
1A1CABF8 0 00000001 pre-session-time(294) 4 0(0)
1A1CAC08 0 00000001 nas-tx-speed(421) 4 423630024(194014C8)
1A1CAC18 0 00000001 nas-rx-speed(71) 4 139317740(84DD1EC)
1A1CAC28 0 00000001 elapsed_time(364) 4 46122(B42A)
1A1CAC50 0 00000001 bytes_in(135) 4 11434660(AE7AA4)
1A1CAC60 0 00000001 bytes_out(274) 4 0(0)
1A1CAC70 0 00000001 pre-bytes-in(290) 4 0(0)
1A1CAC80 0 00000001 pre-bytes-out(291) 4 0(0)
1A1CAC90 0 00000001 paks_in(136) 4 92215(16837)
1A1CADF0 0 00000001 paks_out(275) 4 0(0)
1A1CAE00 0 00000001 pre-paks-in(292) 4 0(0)
1A1CAE10 0 00000001 pre-paks-out(293) 4 0(0)
No data for type EXEC
No data for type CONN
NET: Username=(n/a)
Session Id=000000A7 Unique Id=00000097
Start Sent=1 Stop Only=N
stop_has_been_sent=N
Method List=189F046C : Name = CAR_mlist
Attribute list:
1A1CADF0 0 00000001 session-id(361) 4 167(A7)
1A1CAE00 0 00000001 protocol(297) 4 ip
1A1CAE10 0 00000001 addr(8) 4 192.168.0.1
1A1CAE20 0 00000001 Framed-Protocol(101) 4 PPP
1A1CAE30 0 00000009 clid-mac-addr(37) 6 00 00 04 00 00 2A
--------
No data for type CMD
No data for type SYSTEM
No data for type RM CALL
No data for type RM VPDN
No data for type AUTH PROXY
No data for type 8
No data for type CALL
No data for type VPDN-TUNNEL
No data for type VPDN-TUNNEL-LINK
No data for type 12
No data for type IPSEC-TUNNEL
No data for type RESOURCE
No data for type 15
Debg: No data available
Radi: No data available
Interface:
TTY Num = -1
Stop Received = 0
Byte/Packet Counts till Call Start:
Start Bytes In = 0 Start Bytes Out = 0
Start Paks In = 0 Start Paks Out = 0
Byte/Packet Counts till Service Up:
Pre Bytes In = 0 Pre Bytes Out = 0
Pre Paks In = 0 Pre Paks Out = 0
Cumulative Byte/Packet Counts :
Bytes In = 11434660 Bytes Out = 0
Paks In = 92215 Paks Out = 0
StartTime = 12:02:40 IST Oct 16 2007
AuthenTime = 12:02:40 IST Oct 16 2007
Component = IEDGE_ACCOUNTING
Authen: service=NONE type=NONE method=RADIUS
Kerb: No data available
Meth: No data available
Preauth: No Preauth data.
General:
Unique Id = 00000097
Session Id = 000000A7
Attribute List:
1A1CADF0 0 00000001 port-type(198) 4 PPPoE over VLAN
1A1CAE00 0 00000009 interface(194) 7 4/0/0/2
PerU: No data available
Example: Troubleshooting ISG Accounting
The following is sample output from the debug aaa accounting command:
Device# debug aaa accounting
16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:32: AAA/ACCT: Connect start, line 10, glare
16:49:47: AAA/ACCT: Connection acct stop:
task_id=70 service=exec port=10 protocol=telnet address=209.165.201.1 cmd=glare bytes_in=308 bytes_out=76 paks_in=45
Additional References
Related Documents
|
Related Topic |
Document Title |
|---|---|
|
Cisco IOS commands |
|
|
ISG commands |
|
|
AAA configuration tasks |
Authentication, Authorization, and Accounting Configuration Guide |
|
AAA commands |
Cisco IOS Security Command Reference: Commands A to C |
|
Configuring ISG subscriber services |
“Configuring ISG Subscriber Services” section in the Intelligent Services Gateway Configuration Guide |
|
HA commands |
|
|
HA configuration |
Cisco IOS XE High Availability Configuration Guide |
Technical Assistance
|
Description |
Link |
|---|---|
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for ISG Accounting
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
1 second accuracy—IPv6 session counters and ISGv6 services |
Cisco IOS XE Release 3.5S |
Support for PPP IPv6 and dual-stack sessions was added to the Subscriber Accounting Accuracy feature. |
|
ISG Accounting—Postpaid |
Cisco IOS XE Release 2.2 |
ISG accounting provides the means to bill for account or service usage. ISG sends accounting start and accounting stop records for sessions and services to an accounting server for postpaid billing. The accounting server interprets the records to generate bills. |
|
ISG Accounting—per-Service Accounting |
Cisco IOS XE Release 2.4 |
ISG accounting provides the means to bill for account or service usage. ISG accounting uses the RADIUS protocol to facilitate interaction between ISG and an external RADIUS-based AAA or mediation server. |
|
ISG Accounting—Tariff Switching |
Cisco IOS XE Release 2.2 |
ISG accounting provides the means to bill for account or service usage. Where billing rates change at fixed times and sessions are active across the boundary at which the rates change, ISG will provide accounting data to the billing server indicating the boundary. |
|
ISG Flow Control—SSO/ISSU |
Cisco IOS XE Release 3.5S |
HA support was added for ISG features including ISG accounting. |
Feedback