DHCPv6-RADIUS integration: the Cisco way

Yesterday I described how the IPv6 architects split the functionality of IPCP into three different protocols (IPCPv6, RA and DHCPv6). While the split undoubtedly makes sense from the academic perspective, the service providers offering PPP-based services (including DSL and retrograde uses of PPP-over-FTTH) went berserk. They were already using RADIUS to authenticate PPP users ... and were not thrilled by the idea that they should deploy DHCPv6 servers just to make the protocol stack look nicer.

As expected, Cisco’s first response was a royal kludge: let’s trigger the first RADIUS request when the PAP/CHAP packet arrives and set interface IPv6 parameters from the RADIUS response attributes ... and then when the DHCPv6 request arrives, let’s do another RADIUS request, this time with a different username to get the IPv6 prefix that should be delegated to the CPE. Oh, and by the way, we don’t really support the IPv6 DNS-related RADIUS attributes yet, so if you want to pass IPv6 DNS server address to the CPE, just configure local DHCPv6 pools on the BRAS routers (did we mention you need them anyway to support DHCPv6-RADIUS integration?).

Update 2012-01-19: Cisco IOS release 15.1S and IOS XE release 3S support RFC 4818.

More information

Various methods a service provider can use to handle DHCPv6 prefix delegation are described in my Building IPv6 Service Provider Core webinar (buy the recording or register for an online session); you’ll also get tested router configurations that you can use in your IPv6 deployment. If you’re an enterprise engineer running a decently large network, you’ll probably find the webinar useful despite its title.

The webinar is also available as part of the yearly subscription package.

4 comments:

  1. Aha, wish you'd posted this a few weeks ago back when I was trying to set this up! I just finished a v6 deployment for a DSL ISP and thoroughly enjoyed the nice disconnect between the v6 RADIUS attributes and real life. There are ways around the problem of the second username with the -dhcpv6 suffix though, it just requires some experimentation. I've finally got mine working the way I want, which is fully dynamic local to the NAS, with RADIUS driven static PDs without the second username. The trick is to disable the nd framed-ipv6-prefix on the virtual template, and number the customer WAN interface with a peer default statement pointing to a dhcpv6 pool. Then you can deliver the ipv6 prefix out of radius from the original user account and not have to duplicate.

    Fun times!

  2. Ivan Pepelnjak, 05 March 2011, 16:31

    Great trick. Thank you! Works nicely 15.0M. It seems 12.2SRE has a bug - it advertises framed-ipv6-prefix in RA and DHCPv6 IA_PD reply (totally confusing the CPE).

    Replies
    1. Do you know if this is recorded anywhere? or is now fixed?

  3. Oh balls, what a mess. I have an extensive list of v6 RADIUS attributes and av-pairs that my LNS either handles incorrectly, or rejects, or accepts then ignores haha. It's been an interesting discovery process, one I'll no doubt repeat over many IOS versions in the years to come.. loving this post series btw.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.