IPv6 RADIUS Accounting

Somehow I got involved in an IPv6 RADIUS accounting discussion. This is what I found to work in Cisco IOS release 15.2(4)S:

  • It helps if you configure "aaa accounting delay-start all" to ensure the accounting Start record always includes the addresses assigned to the end-user (or CPE);
  • The IPv6 prefix assigned to the virtual access interface is reported in the Framed-IPv6-Prefix RADIUS attribute regardless of whether it was specified by the RADIUS server or allocated from a local pool specified with an interface configuration command or the Framed-IPv6-Pool RADIUS attribute. You can thus rely on this attribute to track IPv6 prefixes assigned to individual users;
  • After you configure "aaa accounting include auth-profile delegated-ipv6-prefix", the router includes the value of the Delegated-IPv6-Prefix attribute sent by the RADIUS server in the Access-Accept response in every accounting request. The attribute is included regardless of whether the prefix has actually been delegated to the customer (which happens only after the CPE router sends DHCP IA_PD REQUEST);
  • If you use any other prefix delegation method (DHCP relay or local IPv6 pool), the delegated prefix is not included in the RADIUS accounting packets. You have to use DHCP server logging to track those prefixes;
  • I could not figure out what the "aaa accounting send counters ipv6" command does. Hints appreciated.
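
To track prefixes per user from the accounting stream as described above, a collector has to decode the two prefix attributes. The following is an added example, not code from the original post or from Cisco: it assumes the attribute layouts of RFC 3162 (Framed-IPv6-Prefix, type 97) and RFC 4818 (Delegated-IPv6-Prefix, type 123), uses a constructed sample packet with documentation prefixes, and does not verify the Request Authenticator.

```python
import ipaddress
import struct

# Attribute types: Framed-IPv6-Prefix (RFC 3162), Delegated-IPv6-Prefix (RFC 4818)
PREFIX_ATTRS = {97: "Framed-IPv6-Prefix", 123: "Delegated-IPv6-Prefix"}

def decode_prefix(value):
    """Decode a prefix value: reserved octet, prefix length, 0..16 prefix octets."""
    if not 2 <= len(value) <= 18:
        raise ValueError("bad IPv6 prefix attribute length")
    plen = value[1]
    if plen > 128:
        raise ValueError("prefix length > 128")
    raw = value[2:].ljust(16, b"\x00")  # senders may omit trailing zero octets
    return ipaddress.IPv6Network((raw, plen), strict=False)

def parse_attributes(packet):
    """Yield (type, value) for every attribute, rejecting malformed lengths."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS packet length")
    pos = 20  # skip code, identifier, length and the 16-octet authenticator
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield packet[pos], packet[pos + 2:pos + alen]
        pos += alen

def user_prefixes(packet):
    """Return (User-Name, {attribute name: [prefixes]}) for an Accounting-Request."""
    if packet[:1] != b"\x04":  # code 4 = Accounting-Request
        raise ValueError("not an Accounting-Request")
    user, found = None, {}
    for atype, value in parse_attributes(packet):
        if atype == 1:  # User-Name
            user = value.decode("utf-8", "replace")
        elif atype in PREFIX_ATTRS:
            found.setdefault(PREFIX_ATTRS[atype], []).append(str(decode_prefix(value)))
    return user, found

def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def sample_packet():
    """Constructed Accounting-Request: zeroed authenticator, made-up user and prefixes."""
    body = (_attr(1, b"cpe1@example.net")
            + _attr(97, bytes([0, 64]) + bytes.fromhex("20010db800010001"))
            + _attr(123, bytes([0, 56]) + bytes.fromhex("20010db8aa0000")))
    return struct.pack("!BBH", 4, 1, 20 + len(body)) + bytes(16) + body
```

Keep the two attributes separate in whatever store you build from this: as noted above, Delegated-IPv6-Prefix appears in accounting records whether or not the CPE ever requested the prefix.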

3 comments:

  1. This post is actually surprisingly useful, just getting to grips with IPv6 at the moment and there's some good stuff here

  2. Ivan,

    "aaa accounting send counters ipv6" gives you ipv6 bytes/packets in acct records.

    Regarding "aaa accounting include auth-profile delegated-ipv6-prefix", I'm using accounting under the ipv6 dhcp pool config (which uses locally defined pools for the delegated prefixes or gets them from the RADIUS).

    Regarding "aaa accounting delay-start all", have a look at CSCua18679, because you might be missing the IPv4 address. Since the bug fix introduces just an extra delay, I'm hoping for an actual fix in the PPP code.

  3. You might also want to add "ipv6 dhcp binding track ppp" in order to have your dhcp bindings cleared with ppp teardown.


Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.