|
|
This feature module describes the RADIUS Attribute 8 (Framed-IP-Address) in Access Requests feature. It includes information on the benefits of the new feature, supported platforms, and related documents.
This document includes the following sections:
The RADIUS Attribute 8 (Framed-IP-Address) in Access Requests feature makes it possible for a network access server (NAS) to provide the RADIUS server with a hint of the user IP address in advance of user authentication. An application can be run on the RADIUS server to use this hint and build a table (map) of user names and addresses. Using the mapping information, service applications can begin preparing user login information to have available upon successful user authentication.
As the NAS is setting up communication with the RADIUS server, the NAS assigns an IP address to the dial-in host from a pool of IP addresses configured at the specific interface. The NAS sends the IP address of the dial-in host to the RADIUS server as attribute 8. At that time, the NAS sends other user information, such as the user name, to the RADIUS server.
After the RADIUS server receives the user information from the NAS, it has two options:
The address returned by the RADIUS server is saved in memory on the NAS for the life of the session. If the NAS is configured for RADIUS accounting, the accounting start packet sent to the RADIUS server includes the same IP address as in attribute 8. All subsequent accounting packets, updates (if configured), and stop packets will also include the same IP address provided in attribute 8.
The RADIUS Attribute 8 (Framed-IP-Address) in Access Requests feature makes it possible to run applications on the RADIUS server that build mapping tables of users and IP addresses. The server can then use the mapping table information in other applications, such as preparing customized user login pages in advance of a successful user authentication with the RADIUS server.
This feature is supported on the following platforms:
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on Cisco Connection Online (CCO) at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
No new or modified RFCs are supported by this feature.
Sending RADIUS attribute 8 in the RADIUS access requests assumes that the login host has been configured to request its IP address from the NAS server. It also assumes that the login host has been configured to accept an IP address from the NAS.
The NAS must be configured with a pool of network addresses on the interface supporting the login hosts.
See the following section for the configuration task for the RADIUS Attribute 8 (IP-Framed-Address) in Access Requestsfeature: Configuring RADIUS Attribute 8 in Access Requests (required).
To send RADIUS attribute 8 in the access request, use the following global configuration command:
| Command | Purpose |
|---|---|
Router(config)# radius-server attribute 8 include-in-access-req | Sends RADIUS attribute 8 in access-request packets. |
To verify that RADIUS attribute 8 is being sent in access requests, use the following commands in privileged EXEC mode. Attribute 8 should be present in all ppp access requests.
| Command | Purpose |
|---|---|
Router# more system:running-config | Displays the contents of the current running configuration file. (Note that the more system:running-config command has replaced the show running-config command.) |
Router# debug radius | Displays information associated with RADIUS. The output of this command shows whether attribute 8 is being sent in access requests. |
The following example shows a NAS configuration that sends the IP address of the dial-in host to the RADIUS server in the RADIUS access request. The NAS is configured for RADIUS authentication, authorization, and accounting (AAA). A pool of IP addresses (async1-pool) has been configured and applied at interface Async1.
aaa new-model aaa authentication login default group radius aaa authentication ppp default group radius aaa authorization network default group radius aaa accounting network default start-stop group radius ! ip address-pool local ! interface Async1 peer default ip address pool async1-pool ! ip local pool async1-pool 209.165.200.225 209.165.200.229 ! radius-server host 172.31.71.146 auth-port 1645 acct-port 1646 radius-server retransmit 3 radius-server attribute 8 include-in-access-req radius-server key radhost
To send the IP address of a user to the RADIUS server in the access request, use the radius-server attribute 8 include in access-req global configuration command. To disable sending of the user IP address to the RADIUS server during authentication, use the no form of this command.
radius-server attribute 8 include in access-reqSyntax Description
This command has no arguments or keywords.
Defaults
This feature is disabled.
Command Modes
Global configuration mode
Command History
12.1(3)AA This command was introduced.
Release
Modification
Usage Guidelines
Using the radius-server attribute 8 include in access-req command makes it possible for a network access server (NAS) to provide the RADIUS server with a hint of the user IP address in advance of user authentication. An application can be run on the RADIUS server to use this hint and build a table (map) of user names and addresses. Using the mapping information, service applications can begin preparing user login information to have available upon successful user authentication.
When a network device dials in to a NAS that is configured for RADIUS authentication, the NAS begins the process of contacting the RADIUS server in preparation for user authentication. Typically, the IP address of the dial-in host is not communicated to the RADIUS server until after successful user authentication. Communicating the device IP address to the server in the RADIUS access request allows other applications to begin to take advantage of that information.
As the NAS is setting up communication with the RADIUS server, the NAS assigns an IP address to the dial-in host from a pool of IP addresses configured at the specific interface. The NAS sends the IP address of the dial-in host to the RADIUS server as attribute 8. At that time, the NAS sends other user information, such as the user name, to the RADIUS server.
After the RADIUS server receives the user information from the NAS, it has two options:
The address returned by the RADIUS server is saved in memory on the NAS for the life of the session. If the NAS is configured for RADIUS accounting, the accounting start packet sent to the RADIUS server includes the same IP address as in attribute 8. All subsequent accounting packets, updates (if configured), and stop packets will also include the same IP address as in attribute 8.
 |
NoteConfiguring the NAS to send the host IP address in the RADIUS access request assumes that the login host is configured to request an IP address from the NAS server. It also assumes that the login host is configured to accept an IP address from the NAS. In addition, the NAS must be configured with a pool of network addresses at the interface supporting the login hosts. |
Examples
The following example shows a NAS configuration that sends the IP address of the dial-in host to the RADIUS server in the RADIUS access request. The NAS is configured for RADIUS authentication, authorization, and accounting (AAA). A pool of IP addresses (async1-pool) has been configured and applied at interface Async1.
aaa new-model aaa authentication login default group radius aaa authentication ppp default group radius aaa authorization network default group radius aaa accounting network default start-stop group radius ! ip address-pool local ! interface Async1 peer default ip address pool async1-pool ! ip local pool async1-pool 209.165.200.225 209.165.200.229 ! radius-server host 172.31.71.146 auth-port 1645 acct-port 1646 radius-server retransmit 3 radius-server attribute 8 include-in-access-req radius-server key radhost
Posted: Mon Jul 24 10:35:33 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.