[c-nsp] Rate limiting via radius

Paul Stewart pstewart at nexicomgroup.net
Thu May 4 12:10:24 EDT 2006


Sorry to bump my own post...;)

I'm getting much "warmer" now... 

acs1-con-mb#sh interfaces vi988 rate-limit
Virtual-Access988
  Input
    matches: all traffic
      params:  128000 bps, 7500 limit, 7500 extended limit
      conformed 1402 packets, 123100 bytes; action: transmit
      exceeded 11 packets, 16566 bytes; action: drop
      last packet: 3560ms ago, current burst: 6988 bytes
      last cleared 00:00:32 ago, conformed 30000 bps, exceeded 4000 bps
  Output
    matches: all traffic
      params:  3000000 bps, 7500 limit, 7500 extended limit
      conformed 2353 packets, 3453865 bytes; action: transmit
      exceeded 59 packets, 88845 bytes; action: drop
      last packet: 3592ms ago, current burst: 0 bytes
      last cleared 00:00:32 ago, conformed 862000 bps, exceeded 22000 bps

This is working now with a test account... But we're not getting nearly
the speeds we should... Above we should see "roughly" 128kb/s connect
speed and running a local speed test we're only seeing about 38kb/s  -
same on output, it's roughly 2 meg

Thoughts?  Thanks again to everyone for your help...

Paul
 

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Thursday, May 04, 2006 11:57 AM
To: Oliver Boehmer (oboehmer)
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Rate limiting via radius

I ran a debug on the router for radius and I get this: 

May  4 11:50:12: RADIUS(00A7FEBF): Send Access-Request to xxx.xxx.xxx.xxx:1812 id 1645/211, len 178
May  4 11:50:12: RADIUS:  authenticator 30 E3 95 B0 E4 A3 8C DB - 67 67 5E F8 1D 54 7E 68
May  4 11:50:12: RADIUS:  Vendor, Cisco       [26]  41
May  4 11:50:12: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=0012.3f09.6417"
May  4 11:50:12: RADIUS:  Framed-Protocol     [7]   6   PPP  [1]
May  4 11:50:12: RADIUS:  User-Name           [1]   15  "xxxxxxxxxxxxxxx"
May  4 11:50:12: RADIUS:  User-Password       [2]   18  *
May  4 11:50:12: RADIUS:  NAS-Port-Type       [61]  6   Ethernet  [15]
May  4 11:50:12: RADIUS:  NAS-Port            [5]   6   33554447
May  4 11:50:12: RADIUS:  NAS-Port-Id         [87]  10  "0/0/2/15"
May  4 11:50:12: RADIUS:  Service-Type        [6]   6   Framed  [2]
May  4 11:50:12: RADIUS:  NAS-IP-Address      [4]   6   xxx.xxx.xxx.xxx
May  4 11:50:12: RADIUS:  Acct-Session-Id     [44]  19  "0/0/2/15_014ECBD2"
May  4 11:50:12: RADIUS:  Nas-Identifier      [32]  25  "acs1-con-mb.nexicom.net"
May  4 11:50:12: RADIUS: Received from id 1645/211 216.168.xxx.xxx:1812, Access-Accept, len 247
May  4 11:50:12: RADIUS:  authenticator 2C F0 71 D9 E2 FE AD 08 - 7F 6E F7 68 2B 9B A4 9A
May  4 11:50:12: RADIUS:  Service-Type        [6]   6   Framed  [2]
May  4 11:50:12: RADIUS:  Framed-Compression  [13]  6   VJ TCP/IP Header Compressi[1]
May  4 11:50:12: RADIUS:  Vendor, Cisco       [26]  107
May  4 11:50:12: RADIUS:   Cisco AVpair       [1]   101 "lcp:interface-config#1=rate-limit input 256000 7500 7500 conform-action transmit exceed-action drop"
May  4 11:50:12: RADIUS:  Vendor, Cisco       [26]  108
May  4 11:50:12: RADIUS:   Cisco AVpair       [1]   102 "lcp:interface-config#2=rate-limit output 512000 7500 7500 conform-action transmit exceed-action drop"
May  4 11:50:12: RADIUS(00A7FEBF): Received from id 1645/211
May  4 11:50:12: RADIUS/ENCODE(00A7D4DC):Orig. component type = VPDN
May  4 11:50:12: RADIUS(00A7D4DC): Config NAS IP: 216.168.xxx.xxx
May  4 11:50:12: RADIUS(00A7D4DC): Config NAS IP: 216.168.xxx.xxx
May  4 11:50:12: RADIUS: Received from id 1646/175 216.168.xxx.xxx:1813, Accounting-response, len 20

It looks like radius is sending the information forward....

How do I check specifically that "network authorization" is enabled?  I
believe it is, but want to clarify its function and command
structure.... As I do have:

aaa authorization network Nexicom group Nexicom

In the configuration??

Thanks :)

Paul


-----Original Message-----
From: Oliver Boehmer (oboehmer) [mailto:oboehmer at cisco.com]
Sent: Thursday, May 04, 2006 11:43 AM
To: Paul Stewart; Kristofer Sigurdsson
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Rate limiting via radius

do you have network authorization enabled? 

If you send "lcp:interface-config=rate-limit output access-group 101
64000 1 6000 32000 conform-action transmit exceed-action drop", you need
to define acl 101 on your router locally.

"debug radius authentication", "debug aaa authorization" and "debug aaa
per-user" should give you some hints on what is going on. 

	oli
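
Added example, not part of the original thread or anyone's posted code: a small Python check for the point raised above that a rate-limit pushed via "lcp:interface-config" with an access-group only works if that ACL is defined locally on the router. The function names, the third sample AVpair and the local ACL set are assumptions made for illustration; the first two AVpairs are the ones in the debug output.

```python
import re

# Forms seen in the thread: "lcp:interface-config#1=rate-limit input ..." and
# "lcp:interface-config=rate-limit output access-group 101 ...".
AVPAIR = re.compile(r"^lcp:interface-config(?:#(\d+))?=(.+)$")

def parse_rate_limit(avpair):
    """Parse one Cisco-AVPair string; return a dict, or None if it is not a rate-limit."""
    m = AVPAIR.match(" ".join(avpair.split()))  # also rejoins e-mail line wraps
    if not m:
        return None
    tok = m.group(2).split()
    if len(tok) < 2 or tok[0] != "rate-limit" or tok[1] not in ("input", "output"):
        return None
    rest, acl = tok[2:], None
    if rest[:1] == ["access-group"]:
        # Only the numbered-ACL form quoted in the thread is handled here.
        if len(rest) < 2 or not rest[1].isdigit():
            raise ValueError("unsupported access-group form: " + avpair)
        acl, rest = int(rest[1]), rest[2:]
    nums = []
    while rest and rest[0].isdigit():
        nums.append(int(rest.pop(0)))
    if len(nums) != 3:  # bps, normal burst, maximum burst
        raise ValueError("expected 3 numeric parameters: " + avpair)
    return {"seq": int(m.group(1)) if m.group(1) else None, "direction": tok[1],
            "acl": acl, "bps": nums[0], "burst_normal": nums[1],
            "burst_max": nums[2], "actions": " ".join(rest)}

def missing_acls(avpairs, local_acls):
    """ACL numbers the RADIUS profile references that the router does not define."""
    wanted = {rl["acl"] for rl in map(parse_rate_limit, avpairs)
              if rl and rl["acl"] is not None}
    return sorted(wanted - set(local_acls))

# First two strings are the AVpairs from the debug output in the thread; the
# third is constructed for this example, as is the empty local ACL set.
SAMPLE = [
    "lcp:interface-config#1=rate-limit input 256000 7500 7500 conform-action transmit exceed-action drop",
    "lcp:interface-config#2=rate-limit output 512000 7500 7500 conform-action transmit exceed-action drop",
    "lcp:interface-config#3=rate-limit output access-group 101 64000 8000 8000 conform-action transmit exceed-action drop",
]

if __name__ == "__main__":
    for av in SAMPLE:
        print(parse_rate_limit(av))
    print("ACLs to define locally:", missing_acls(SAMPLE, local_acls=set()))
```

In practice the local ACL set would be taken from the router's own configuration before the RADIUS profile is rolled out.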

