BNG配置步骤

ASR9000BNG配置方法©2010Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidentialPresentation_ID2StructuredConfigurationModelI.ConfigureNorthboundinterfacesAAAPortal/PolicyServerCoAII.ConfigureTemplates,UserandServiceProfilesIII.ConfigureSubscriberAccessConfiguresessiontypeandinitiatorCreateandapplythecontrolpolicyOtherdeploymentspecificcfgsIV.ConfigureSubscriberAuthenticationV.DynamicManagementofDynamicTemplatescontrolpolicyGlobalOnBoxOutOfBoxinterfaceI.II.III.IV.III.SomeglobalconfigurationalsorequiredII.IV.V.IV.©2010Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidentialPresentation_ID3StructuredConfigurationModelI.ConfigureNorthboundinterfacesAAAPortal/PolicyServerCoAII.ConfigureTemplates,UserandServiceProfilesIII.ConfigureSubscriberAccessConfiguresessiontypeandinitiatorCreateandapplythecontrolpolicyOtherdeploymentspecificcfgsIV.ConfigureSubscriberAuthenticationV.DynamicManagementofDynamicTemplatescontrolpolicyGlobalOnBoxOutOfBoxinterfaceI.II.III.IV.III.SomeglobalconfigurationalsorequiredII.IV.V.IV.©2010Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidentialPresentation_ID4I.ConfigureNorthboundInterfacesa.AAA–BasicRADIUSConnectivityaaagroupserverradiusSERVER_GRPserver192.168.110.10auth-port1812acct-port1813!interfaceLoopback0ipv4address192.168.2.2255.255.255.255!radiussource-interfaceLoopback0radius-serverhost192.168.110.10auth-port1812acct-port1813keyaaacisco192.168.110.10DefinetheRADIUSserverandservergroupLo0=192.168.2.2©2010Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidentialPresentation_ID5I.ConfigureNorthboundInterfacesb.AAA–RADIUSAttributesinrecordscustomizationradius-serverattributelistATTR_LISTattributeattr-listattributevendor-specific…!aaagroupserver{authentication|authorization|accounting}{reply|request}{accept|reject}ATTR_LIST!192.168.110.10Lo0=192.168.2.2DefinesalistofattributesAssociatesattributelistfilterstoRADIUSrecordssent/receivedaspecificservergroup©2010Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidentialPresentation_ID6I.ConfigureNorthboundInterfacesb.AAA–RADIUSAttributescustomization(NASPortID)aaaattributeformatNAS-PORT-IDcircuit-idplusremote-id!aaaradiusattributenas-port-idformatNAS-PORT-ID192.168.110.10Lo0=192.168.2.2DefinesNAS-PORT-IDformatAssociatesNAS-PORT-IDformattoRADIUSattribute(Attr87)©2010Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidentialPresentation_ID7I.ConfigureNorthboundInterfacesc.AAA–RADIUSAttributescustomization(NASPort)aaaradiusattributenas-portformateformat[type0-44]192.168.110.10Lo0=192.168.2.2DefinesNAS-PORTformat(Attr5)“Type”keywordallowsfordifferentformatsfordifferentaccessintfFormat(32bits):enteredasastringofletters:Zero:0One:1Slot:SAdapter:APort:P(Outer)VLANId:VSession-Id:UInnerVLANID:QEx“SSSSAAPPPPPVVVVVVVVVVVVVVVVVVVVV”TypeETHERNET15PPPOEOE32PPPOEOVLAN33PPPOEOQINQ34VIRTUAL_PPPOEOE35VIRTUAL_PPPOEOVLAN36VIRTUAL_PPPOEOQINQ37IPOEOE39IPOEOVLAN40IPOEOQINQ41VIRTUAL_IPOEOE42VIRTUAL_IPOEOVLAN43VIRTUAL_IPOEOQINQ44©2010Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidentialPresentation_ID8I.ConfigureNorthboundInterfacesd.Portal/PolicyServer—BasicCoaConnectivityaaaserverradiusdynamic-authorclient192.168.110.10vrfdefaultserver-keyciscoauth-type[any|all]port(1700)192.168.110.10clientdevicesendingCoArequestsandsharedpasswordwithBNGUDPPortforRADIUSCoAmessages(default:1700)MatchalloranyofsessionlookupkeysinCoArequest©2010Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidentialPresentation_ID9StructuredConfigurationModelI.ConfigureNorthboundinterfacesAAAPortal/PolicyServerCoAII.ConfigureDynamicTemplates,UserandServiceProfilesIII.ConfigureSubscriberAccessConfiguresessiontypeandinitiatorCreateandapplythecontrolpolicyOtherdeploymentspecificcfgsIV.ConfigureSubscriberAuthenticationV.DynamicManagementofDynamicTemplatescontrolpolicyGlobalOnBoxOutOfBoxinterfaceI.II.III.IV.III.SomeglobalconfigurationalsorequiredII.IV.V.IV.©2010Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidentialPresentation_ID10II.ConfigureTemplates,UserandServiceProfilesa.UserProfilesUserProfilesincludesubscriberspecificattributesthatshouldbeactivatedonthesessionRADIUSAccess-requestUsername:john.smithPassword:passwordRADIUSAccess-acceptFeatures/Servicesassociatedw/John’suserprofile12JohnSmithUser-Name:“john.smith”User-Password:“******”Attr28:idle-timeout=600AVPair:“subscriber:accounting-list=SESS_ACCNT_LIST”Attributescanbemodified,butnotunappliedfromsession©2010Ciscoand/oritsaffiliates.Allrightsreserved.CiscoConfidentialPresentation_ID11II.ConfigureTemplates,UserandServiceProfilesSpecifyTemplateDefinitionLocationaaaauthorizationsubscriberTPL_MLgroupsrvgroupDynamic-templatelocationspecifiedatactivationincontrolpolicy10activatedynamic-templatetemplatename[aaalistTPL_ML]Ifamethod-listisnotspecified,localconfigurationisusedPasswordfortemplatedownloadfromexternalAAAserverdefaultsto“cisco”RADIUSAccess-requestUsername:Premiun_HSIPassword:ciscoRADIUSAccess-acceptattributesassociatedw/serviceprofile2•PREMIUM_HSIserviceshouldbeactivatedonth