Control Policy Events - Cisco ASR 9000 Series Configuration Manual

Activating Control Policy

Control Policy Events

Control policy on BNG supports the events listed here. These events need to be defined while creating a
policy-map using the task
• Session-Start—This event is used by the PPPoE and DHCP access protocols to create a subscriber in
• Session-Activate—Some access protocols require a two-stage session bring-up; for example, with PPPoE
• Service-Stop—CoA is responsible for generating this event. The BNG operator configures the activate
• Authentication-No-Response—If configured, this event is triggered when there is no response from the
• Authorization-No-Response—If configured, this event is triggered when there is no response from the
• Authentication-Failure—If configured and if the RADIUS server returns an authentication failure, then
• Authorization-Failure—The authorization failure event indicates a RADIUS server rejection for the
• Timed-Policy-Expiry—If configured, this event is triggered as a result of a policy set-timer action that
• Account-Logon—If configured, this event provides an override behavior to the default account-logon
• Account-Logoff—If configured, this event provides an override behavior for the default account-logoff
OL-28375-03
Configuring a Policy-Map, on page
the policy plane. The operator may configure the AAA actions and activate dynamic templates, suitable
for subscriber.
subscribers, the PPPoE Access protocol calls the Session-Start event for first sign of life (FSOL), followed
by Session-Activate during PPP negotiation and authentication. The operator configures the AAA actions
and activates the dynamic templates as suitable for the subscriber.
or deactivate actions, to put the subscriber in a default state when a service is stopped.
AAA server(s) for an authentication request. This event allows the network access server (NAS) operators
to define how the failure should be handled. If the authentication-no-response event is not configured,
then the authentication failure result is propagated to the access protocol for default handling.
AAA server(s) for an authorization request. This event allows the NAS operators to define how the
failure should be handled. If the authorization-no-response event is not configured, then the authorization
results are propagated to the access protocol for default handling, which causes the client who triggered
the authorization to disconnect the subscriber session.
the Policy Rule Engine returns an "Authentication-Success" to the client that originated the request, in
order to prevent it from disconnecting the subscriber. Furthermore, instead of depending on the client
to provide the necessary behavior, the actions within the configured Authentication-Failure event are
applied on the subscriber.
access request. If configured, the service provider overrides the default handling of the failure from the
client.
is configured and set on a subscriber session. This event allows NAS operators to define a timer for a
number of possible scenarios. The set timer indicates that certain subscriber state changes have taken
place. If sessions are not in the desired state, the NAS operators can disconnect or terminate the session
through a configured disconnect action, or impose a different user policy.
processing. The default behavior only triggers authentication with provided credentials. However, if
you override the default account-logon event, then you must explicitly configure the authentication
action, and any additional action you require.
processing. The default behavior of the account-logoff processing is to disconnect the subscriber. Being
able to override the default behavior is useful. Instead of disconnecting the subscriber, the service provider
can perform a re-authentication. The re-authentication is done through a new account-logon by enabling
HTTP Redirect feature on the subscriber.
Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Configuration Guide, Release
Control Policy Events
72.
4.3.x
71