DHCPv6-RADIUS integration: the Cisco way

Yesterday I described how the IPv6 architects split the functionality of IPCP into three different protocols (IPCPv6, RA and DHCPv6). While the split undoubtedly makes sense from the academic perspective, the service providers offering PPP-based services (including DSL and retrograde uses of PPP-over-FTTH) went berserk. They were already using RADIUS to authenticate PPP users ... and were not thrilled by the idea that they should deploy DHCPv6 servers just to make the protocol stack look nicer.

As expected, Cisco’s first response was a royal kludge: let’s trigger the first RADIUS request when the PAP/CHAP packet arrives and set interface IPv6 parameters from the RADIUS response attributes ... and then when the DHCPv6 request arrives, let’s do another RADIUS request, this time with a different username to get the IPv6 prefix that should be delegated to the CPE. Oh, and by the way, we don’t really support the IPv6 DNS-related RADIUS attributes yet, so if you want to pass IPv6 DNS server address to the CPE, just configure local DHCPv6 pools on the BRAS routers (did we mention you need them anyway to support DHCPv6-RADIUS integration?).

Update 2012-01-19: Cisco IOS release 15.1S and IOS XE release 3S support RFC 4818.

More information

Various methods a service provider can use to handle DHCPv6 prefix delegation are described in my Building IPv6 Service Provider Core webinar; you’ll also get tested router configurations that you can use in your IPv6 deployment. If you’re an enterprise engineers running a decently large network, you’ll probably find the webinar useful despite its title.

The webinar is also available as part of the yearly subscription package.

Recent posts in the same categories

4 comments:

  1. Chris Pollock 05 March 2011 01:44
    Aha, wish you'd posted this a few weeks ago back when I was trying to set this up! I just finished a v6 deployment for a DSL ISP and thorougly enjoyed the nice disconnect between the v6 RADIUS attributes and real life. There are ways around the problem of the second username with the -dhcpv6 suffix though, it just requires some experimentation. I've finally got mine working the way I want, which is fully dynamic local to the NAS, with RADIUS driven static PDs without the second username. The trick is to disable the nd framed-ipv 6-prefix on the virtual template, and number the customer WAN interface with a peer default statement pointing to a dhcpv6 pool. Then you can deliver the ipv6 prefix out of radius from the original user account and not have to duplicate.

    Fun times!
  2. Ivan Pepelnjak 05 March 2011 16:31
    Great trick. Thank you! Works nicely 15.0M. It seems 12.2SRE has a bug - it advertises framed-ipv6-prefix in RA and DHCPv6 IA_PD reply (totally confusing the CPE).
    Replies
    1. lochii 10 June 2012 12:55
      Do you know if this is recorded anywhere? or is now fixed?
  3. Chris Pollock 09 March 2011 11:13
    Oh balls, what a mess. I have an extensive list of v6 RADIUS attributes and av-pairs that my LNS either handles incorrectly, or rejects, or accepts then ignores haha. It's been an interesting discovery process, one I'll no doubt repeat over many IOS versions in the years to come.. loving this post series btw.
Add comment
Home
Sidebar