DHCPv6 Prefix Delegation with RADIUS Works in IOS Release 15.1
A while ago I described the pre-standard way Cisco IOS used to get delegated IPv6 prefixes from a RADIUS server. Cisco’s documentation always claimed that Cisco IOS implements RFC 4818, but you simply couldn’t get it to work in IOS releases 12.4T or 15.0M. In December I wrote about the progress Cisco is making on the DHCPv6 front and a reader commented that IOS 15.1S does support RFC 4818. You know I absolutely had to test that claim ... and it’s true!
This is the configuration you can use on the PE-router:
```
aaa authorization configuration IA_PD group radius
!
ipv6 dhcp pool PPP-Radius
 prefix-delegation aaa method-list IA_PD lifetime 7200 300
 dns-server FEC0::CCCC:4
 domain-name example.com
!
interface Virtual-Template10
 mtu 1480
 no ip address
 ipv6 enable
 ipv6 nd other-config-flag
 no ipv6 nd ra suppress
 ipv6 dhcp server PPP-Radius
```
And this is the FreeRADIUS user definition:
```
Site-A  Cleartext-Password := "Site-A"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IPv6-Prefix = "fec0:1:2400:1::/64",
    Delegated-IPv6-Prefix = "fec0:1:2400:1100::/56"
```
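Every Delegated-IPv6-Prefix in the users file becomes routed customer address space, so a malformed or overlapping entry sends one site's traffic to another. The following audit is an added example, not part of the original post or of FreeRADIUS; the function names are hypothetical, Site-A is the entry shown above, and Site-B and Site-C are constructed to trigger findings.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample in FreeRADIUS "users" file syntax. Site-A is the entry
# from the article; Site-B and Site-C are invented to trigger findings.
SAMPLE_USERS = '''
Site-A Cleartext-Password := "Site-A"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IPv6-Prefix = "fec0:1:2400:1::/64",
    Delegated-IPv6-Prefix = "fec0:1:2400:1100::/56"

Site-B Cleartext-Password := "Site-B"
    Framed-IPv6-Prefix = "fec0:1:2400:2::/64",
    Delegated-IPv6-Prefix = "fec0:1:2400:1180::/57"

Site-C Cleartext-Password := "Site-C"
    Framed-IPv6-Prefix = "fec0:1:2400:3::/64",
    Delegated-IPv6-Prefix = "fec0:1:2400:1201::/56"
'''

ATTR = re.compile(r'^\s+(Framed|Delegated)-IPv6-Prefix\s*:?=\s*"([^"]+)"')

def parse_users(text):
    """Return (user, attribute, prefix_string) for every IPv6 prefix reply item."""
    items, user = [], None
    for line in text.splitlines():
        if line and not line[0].isspace() and not line.startswith('#'):
            user = line.split()[0]          # unindented line starts a new entry
        elif user and (m := ATTR.match(line)):
            items.append((user, m.group(1), m.group(2)))
    return items

def audit(text):
    """Flag malformed prefixes and any two prefixes that overlap."""
    findings, nets = [], []
    for user, kind, raw in parse_users(text):
        try:  # strict=True rejects prefixes with bits set beyond the mask
            nets.append((user, kind, ipaddress.IPv6Network(raw, strict=True)))
        except ValueError:
            findings.append(f"{user}: {kind} prefix {raw} has host bits set or is invalid")
    for (u1, k1, n1), (u2, k2, n2) in combinations(nets, 2):
        if n1.overlaps(n2):
            findings.append(f"{u1} {k1} {n1} overlaps {u2} {k2} {n2}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_USERS)))
```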
Cisco IOS release 15.1(3)S that I used in the tests also supports a fallback mechanism:
- The value of the Delegated-IPv6-Prefix from the RADIUS reply is saved in a per-interface DHCPv6 block;
- When the PPPoE client uses DHCPv6 to get a delegated prefix, the PE-router checks the pre-populated DHCPv6 reply associated with the incoming interface. If the delegated prefix is already in there, it returns the reply without querying the RADIUS server;
- If the delegated IPv6 prefix is not yet available, the PE-router uses the pre-standard method and sends another RADIUS request for the *user*-dhcpv6 username.
According to Cisco’s documentation, you get the same functionality (RFC 4818 support) in IOS XE release 3S.
More information
You’ll get more IPv6 access network design and configuration guidelines in the Building Large IPv6 Service Provider Networks webinar.
debug radius authentication
debug ipv6 nd (this one is not really good)
We would like to set up in our RADIUS a /48 pool that we delegate into /56. Is it possible?
If not, how can I set up such a pool directly on the Cisco router?