Cisco IOS Software Releases 12.2 T


DHCP Accounting


The DHCP Accounting feature introduces authentication, authorization, and accounting (AAA) and RADIUS support for Dynamic Host Configuration Protocol (DHCP) configuration. The introduction of AAA and RADIUS support improves public wireless LAN (PWLAN) security by sending secure START and STOP accounting messages. The configuration of this feature adds a layer of security that allows DHCP lease assignment and termination to be triggered for the appropriate RADIUS START and STOP accounting records so that the session state is properly maintained by upstream devices, such as a Service Selection Gateway (SSG). The additional security provided by this feature can help to prevent unauthorized clients or hackers from gaining illegal entry to the network by spoofing authorized DHCP leases.

Feature Specifications for the DHCP Accounting Feature

Release      Modification
12.2(15)T    This feature was introduced.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for DHCP Accounting

Restrictions for DHCP Accounting

Information About DHCP Accounting

How to Configure DHCP Accounting

Configuration Examples for DHCP Accounting

Additional References

Command Reference

Prerequisites for DHCP Accounting

Your network should be configured to run DHCP. You will also need to complete the following tasks before you can configure this feature:

Identify an external FTP, TFTP, or remote copy protocol (rcp) server that you will use to store the DHCP bindings database.

Configure the pool of IP addresses that you will enable the DHCP server to assign and the IP addresses that you will exclude.

Configure an SSG for client authentication.

Configure AAA and RADIUS on a server within the PWLAN prior to the configuration of DHCP accounting START and STOP messages.

Restrictions for DHCP Accounting

The following restrictions apply to the DHCP Accounting feature:

This feature can be configured only for DHCP network pools in which bindings are created automatically and destroyed upon lease termination or when the client sends a DHCP RELEASE message.

DHCP bindings are destroyed when the commands clear ip dhcp binding or no service dhcp are entered, which also triggers an accounting STOP message. You should exercise caution when entering these commands if a pool is configured with DHCP accounting, because these commands will clear active leases.

Information About DHCP Accounting

To configure this feature, you must understand the following concepts:

DHCP Operation in Public Wireless LANs

Security Vulnerabilities in Public Wireless LANs

DHCP Accounting Operation

DHCP Secured IP Address Assignment and DHCP Accounting

DHCP Operation in Public Wireless LANs

The configuration of DHCP in a public wireless LAN (PWLAN) simplifies the configuration of wireless clients and reduces the overhead necessary to maintain the network. DHCP clients are leased IP addresses by the DHCP server and then authenticated by the Service Selection Gateway (SSG), which allows the clients to access network services. The DHCP server and client exchange DHCP messages for IP address assignments. When a DHCP server assigns an IP address to a client, a DHCP binding is created. The IP address is leased to the client until the client explicitly releases the IP address and disconnects from the network. If the client disconnects without releasing the address, the server terminates the lease after the lease time is over. In either case, the DHCP server removes the binding and the IP address is returned to the pool.

Security Vulnerabilities in Public Wireless LANs

If the DHCP lease is not explicitly terminated by the client, the SSG will terminate the lease only when the ping-idle timer expires. This type of termination typically occurs in a PWLAN when an authenticated client moves out of range of the access point. This type of disconnection can expose a security vulnerability during the period of time it takes for the ping-idle timer to expire. By design, DHCP will maintain this lease for the configured lease time. However, DHCP ARP table entries are dynamic and DHCP alone does not have the capability to secure the transmission and storage of the DHCP binding or verify the integrity of the information that is sent from the client. This exposes the PWLAN to the following security risks:

An unauthorized client or hacker can gain unauthorized access to the network.

The authorized client will be billed for cost-based services that the unauthorized client uses.

A hacker can exploit this vulnerability by snooping for leases that have been dropped by the client but have not expired in the DHCP database. Once the hacker detects the unexpired lease, he or she can quickly reconfigure a laptop to use the unexpired lease. Because DHCP ARP entries are dynamic, a hacker can take control of the unexpired lease and access the network, posing as the authenticated client.

DHCP Accounting Operation

The DHCP Accounting feature counteracts this security vulnerability by introducing authentication, authorization, and accounting (AAA) and Remote Authentication Dial-In User Service (RADIUS) security features for Dynamic Host Configuration Protocol (DHCP) support. RADIUS provides the accounting capability for the transmission of secure START and STOP accounting messages.

When the DHCP Accounting feature is configured, an accounting START message is generated and sent to the SSG when the authorized client is assigned an IP address by the DHCP server, and an accounting STOP message is generated and sent to the SSG when the client explicitly terminates the DHCP lease or when the DHCP server terminates the lease. The SSG authenticates the client and then uses the START and STOP accounting messages to control DHCP lease assignment and termination. The SSG will not maintain or terminate a DHCP lease unless a START or STOP accounting message is received.

The DHCP Accounting feature introduces the accounting DHCP pool configuration command. The accounting command is used to enable DHCP accounting. DHCP accounting is configured on a per-client or per-lease basis. Separate DHCP accounting processes can be configured on a per-pool basis. AAA and RADIUS are enabled prior to the configuration of the DHCP Accounting feature but can also be enabled in an existing DHCP network to upgrade the security of active preexisting leases.

When the accounting command is configured, RADIUS will automatically send a secure START accounting message to the SSG when the DHCP server responds to the client with the DHCPACK message that contains the committed IP address and network configuration options. The lease is maintained until an explicit STOP accounting message is received. A STOP accounting message is sent only when the client explicitly disconnects from the network by sending a DHCPRELEASE message or by the SSG if the DHCP lease times out. When a STOP message is received, the DHCP binding is destroyed and the IP address is returned to the DHCP pool. If the client moves out of range of the PWLAN or the DHCP lease otherwise times out, the lease can be maintained only by the authorized client because the SSG will not validate acknowledgements that are not authenticated through the SSG.

When the DHCP Accounting feature is enabled, RADIUS accounting is configured automatically for new leases and DHCP bindings. However, existing active leases are not secured. These leases are still insecure until they are renewed. When the lease is renewed, it is treated as a new lease and will be secured automatically.


Note: DHCP bindings are also destroyed when the commands clear ip dhcp binding or no service dhcp are entered, which also triggers an accounting STOP message. This secure lease will be renewed automatically when this feature is enabled. However, active sessions will be interrupted.


DHCP Secured IP Address Assignment and DHCP Accounting

For an additional layer of security, the DHCP Accounting feature can be configured with the DHCP Secured IP Address Assignment feature. The DHCP Secured IP Address Assignment feature provides an additional layer of security by binding the MAC address of the client interface to the DHCP binding with the configuration of the update arp DHCP pool configuration command. This command secures the DHCP lease to the MAC address of the client interface and secures the ARP table entry. The secured ARP table entry can be deleted only by an explicit termination message from the DHCP client or by the DHCP server if the binding expires. The configuration of the update arp command does not interrupt service and is not visible to the DHCP client. The configuration of these two features greatly improves the security of DHCP operation and can be used to protect PWLANs by preventing unauthorized clients or hackers from gaining illegal entry to the network by spoofing authorized DHCP leases. For more information about the DHCP Secured IP Address Assignment feature, refer to the following document:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122t/122t15/ftdsiaa.htm

How to Configure DHCP Accounting

This section contains the following procedures for configuring DHCP Accounting:

Configuring AAA and RADIUS for DHCP Accounting

Configuring DHCP Accounting

Verifying DHCP Accounting

Configuring AAA and RADIUS for DHCP Accounting

Perform this task to configure AAA and RADIUS for DHCP accounting.

RADIUS provides the accounting capability for the transmission of secure START and STOP messages. AAA and RADIUS are enabled prior to the configuration of DHCP accounting but can also be enabled to secure an insecure DHCP network. The configuration steps in this section are required for configuring DHCP accounting in a new or existing network.

RADIUS Accounting Attributes

DHCP accounting introduces the attributes shown in Table 1. These attributes are processed directly by the RADIUS server when DHCP accounting is enabled. These attributes can be monitored in the output of the debug radius command. The output will show the status of the DHCP leases and specific configuration details about the client. The accounting keyword can be used with the debug radius command to filter the output and display only DHCP accounting messages.

Table 1 RADIUS Accounting Attributes

Attribute               Description
Calling-Station-ID      The output from this attribute displays the MAC address of the client.
Framed-IP-Address       The output from this attribute displays the IP address that is leased to the client.
Acct-Terminate-Cause    The output from this attribute displays the message "session-timeout" if a client does not explicitly disconnect.


SUMMARY STEPS

1. enable

2. configure terminal

3. aaa new-model

4. aaa group server radius group-name

5. server ip-address auth-port port-number acct-port port-number

6. exit

7. aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group group-name

8. aaa session-id {common | unique}

9. ip radius source-interface interface-type [vrf vrf-name]

10. radius-server host {hostname | ip-address}[auth-port port-number] [acct-port port-number]

11. radius-server retransmit number-of-retries

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables higher privilege levels, such as privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

aaa new-model

Example:

Router(config)# aaa new-model

Enables the AAA access control model.

DHCP accounting functions only in the access control model.

Note: TACACS and extended TACACS commands are not available after this command is configured and are not supported by DHCP accounting.

Step 4 

aaa group server radius group-name

Example:

Router(config)# aaa group server radius RGROUP-1

Creates a server group for AAA or TACACS+ services and enters server group configuration mode.

The server group is created in this step so that accounting services can be applied.

Step 5 

server ip-address auth-port port-number acct-port port-number

Example:

Router(config-sg-radius)# server 10.0.0.1 auth-port 1645 acct-port 1646

Specifies the servers that are members of the server group that was created in step 4.

You must open port numbers for authorization and accounting. 1645 is the default port number for authorization, and 1646 is the default port number for accounting. The range of port numbers that can be specified is from 0 to 65535.

The values entered for the auth-port port-number and acct-port port-number keywords and arguments must match the port numbers that will be configured in step 10.

Step 6 

exit

Example:

Router(config-sg-radius)# exit

Exits server group configuration mode and enters global configuration mode.

Step 7 

aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group group-name

Example:

Router(config)# aaa accounting network RADIUS-GROUP1 start-stop group RGROUP-1

Configures RADIUS accounting for the specified server group.

The RADIUS accounting server is specified in the first list-name argument (RADIUS-GROUP1), and the target server group is specified in the second group-name argument (RGROUP-1).

This command enables start and stop accounting for DHCP accounting. The start-stop keyword enables the transmission of both START and STOP accounting messages. The stop-only keyword will enable the generation and verification of STOP accounting messages only.

Step 8 

aaa session-id {common | unique}

Example:

Router(config)# aaa session-id common

Specifies whether the same session ID will be used for each AAA accounting service type within a call or whether a different session ID will be assigned to each accounting service type.

Step 9 

ip radius source-interface interface-type [vrf vrf-name]

Example:

Router(config)# ip radius source-interface Ethernet 0

Forces RADIUS to use the IP address of the specified interface for all outgoing RADIUS packets.

Step 10 

radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number]

Example:

Router(config)# radius-server host 10.1.1.1 auth-port 1645 acct-port 1646

Specifies the radius server host.

The values entered for the auth-port port-number and acct-port port-number keywords and arguments must match the port numbers that were configured in step 5.

Step 11 

radius-server retransmit number-of-retries

Example:

Router(config)# radius-server retransmit 3

Specifies the number of times that Cisco IOS software will look for RADIUS server hosts.

Troubleshooting Tips

The command in the following table can be used to monitor and troubleshoot the configuration of RADIUS accounting:

Command
Purpose

debug radius accounting

Example:

Router# debug radius accounting

The debug radius command is used to display RADIUS events on the console of the router. These events provide information about RADIUS processes. DHCP accounting information can be filtered with the accounting keyword. START and STOP accounting message information will also be displayed.


Configuring DHCP Accounting

Perform this task to configure DHCP accounting.

DHCP Accounting

AAA and RADIUS must be enabled before DHCP accounting will operate. DHCP accounting is enabled with the accounting DHCP pool configuration command. This command configures DHCP to operate with AAA and RADIUS to enable secure START and STOP accounting messages. This configuration adds a layer of security that allows DHCP lease assignment and termination to be triggered for the appropriate RADIUS START and STOP accounting records so that the session state is properly maintained by upstream devices, such as the SSG.

DHCP accounting is configured on a per-client or per-lease basis. Separate DHCP accounting processes can be configured on a per-pool basis.

Prerequisites

You must configure an SSG for client authentication.

Restrictions

The following restrictions apply to DHCP accounting:

DHCP accounting can be configured only for DHCP network pools in which bindings are created automatically and destroyed upon lease termination or when the client sends a DHCPRELEASE message.

DHCP bindings are destroyed when the clear ip dhcp binding or no service dhcp commands are entered, which also triggers an accounting STOP message. You should exercise caution when entering these commands if a pool is configured with DHCP accounting, as these commands will clear active leases.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip dhcp pool pool-name

4. accounting method-list-name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip dhcp pool pool-name

Example:

Router(config)# ip dhcp pool WIRELESS-POOL

Configures a DHCP address pool and enters DHCP pool configuration mode.

Step 4 

accounting method-list-name

Example:

Router(dhcp-config)# accounting RADIUS-GROUP1

Enables DHCP accounting if the specified server group is configured to run RADIUS accounting.

The example configures DHCP accounting START and STOP messages to be sent if RADIUS-GROUP1 is configured as a start-stop group. STOP messages will only be sent if RADIUS-GROUP1 is configured as a stop-only group. See Step 7 in the Configuring AAA and RADIUS for DHCP Accounting configuration task table for more details.

Verifying DHCP Accounting

Perform this task to verify the DHCP accounting configuration.

The debug radius, debug ip dhcp server events, debug aaa accounting, and debug aaa id commands do not need to be issued together or in the same session, because each provides different information. These commands, however, can be used to display DHCP accounting start and stop events, AAA accounting messages, and information about AAA and DHCP hosts and clients. See the "RADIUS Accounting Attributes" section of this document for a list of AAA attributes that have been introduced by DHCP accounting. The show running-config | begin dhcp command can be used to display the local DHCP configuration, including the configuration of DHCP accounting.

SUMMARY STEPS

1. enable

2. debug radius accounting

3. debug ip dhcp server events

4. debug aaa accounting

5. debug aaa id

6. show running-config | begin dhcp

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables higher privilege levels, such as privileged EXEC mode.

Enter your password if prompted.

Step 2 

debug radius accounting

Example:

Router# debug radius accounting

Displays RADIUS events on the console of the router.

These events provide information about RADIUS processes. DHCP accounting information can be filtered with the accounting keyword. START and STOP accounting messages will be displayed in the output.

Step 3 

debug ip dhcp server events

Example:

Router# debug ip dhcp server events

Displays DHCP IP address assignments, DHCP lease expirations, and DHCP database changes.

Step 4 

debug aaa accounting

Example:

Router# debug aaa accounting

Displays AAA accounting events.

START and STOP accounting messages will be displayed in the output.

Step 5 

debug aaa id

Example:

Router# debug aaa id

Displays AAA events as they relate to unique AAA session IDs.

Step 6 

show running-config

Example:

Router# show running-config | begin dhcp

The show running-config command is used to display the local configuration of the router. The sample output is filtered with the begin keyword to start displaying output at the DHCP section of the running configuration.

Configuration Examples for DHCP Accounting

AAA and RADIUS for DHCP Accounting: Example

DHCP Accounting: Example

Verifying DHCP Accounting: Example

AAA and RADIUS for DHCP Accounting: Example

The following example shows how to configure AAA and RADIUS for DHCP accounting.

aaa new-model 
aaa group server radius RGROUP-1 
 server 10.1.1.1 auth-port 1645 acct-port 1646 
 exit 
aaa accounting network RADIUS-GROUP1 start-stop group RGROUP-1 
aaa session-id common 
ip radius source-interface Ethernet0 
radius-server host 10.1.1.1 auth-port 1645 acct-port 1646 
radius-server retransmit 3 
exit

DHCP Accounting: Example

DHCP accounting is configured on a per-client or per-lease basis. Separate DHCP accounting processes can be configured on a per-pool basis. The following example shows how to configure DHCP accounting START and STOP messages to be sent if RADIUS-GROUP1 is configured as a start-stop group.

ip dhcp pool WIRELESS-POOL 
 accounting RADIUS-GROUP1
 exit 
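The two configuration examples above depend on each other: the pool's accounting command names a method list, the method list names a server group, and the group's server entry must match a radius-server host line (steps 5 and 10). The following audit of a saved configuration is an added example, not Cisco code; the function names, the LOBBY-POOL pool and both sample configurations are constructed for illustration, and the update arp check reflects the DHCP Secured IP Address Assignment feature described earlier.

```python
import re

# Constructed configurations (not from a real device). GOOD follows the page's
# examples and adds "update arp"; WEAK contains the gaps the audit reports.
GOOD = """\
aaa new-model
aaa group server radius RGROUP-1
 server 10.1.1.1 auth-port 1645 acct-port 1646
aaa accounting network RADIUS-GROUP1 start-stop group RGROUP-1
radius-server host 10.1.1.1 auth-port 1645 acct-port 1646
ip dhcp pool WIRELESS-POOL
 accounting RADIUS-GROUP1
 update arp
"""
WEAK = """\
aaa new-model
aaa group server radius RGROUP-1
 server 10.1.1.1 auth-port 1812 acct-port 1813
aaa accounting network RADIUS-GROUP1 stop-only group RGROUP-1
radius-server host 10.1.1.1 auth-port 1645 acct-port 1646
ip dhcp pool WIRELESS-POOL
 accounting RADIUS-GROUP1
ip dhcp pool LOBBY-POOL
 update arp
"""


def parse_blocks(config):
    """Split an IOS config into (top-level command, [sub-mode commands]) pairs."""
    blocks = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0] == " " and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def server_key(text):
    """(address, auth-port, acct-port) of a 'server' or 'radius-server host' line."""
    addr = re.match(r"(?:radius-server host|server) (\S+)", text).group(1)
    auth = re.search(r"auth-port (\d+)", text)
    acct = re.search(r"acct-port (\d+)", text)
    # 1645 and 1646 are the defaults the page gives for the two ports.
    return (addr, int(auth.group(1)) if auth else 1645, int(acct.group(1)) if acct else 1646)


def audit(config):
    """Return a list of findings; an empty list means every pool passed the checks."""
    blocks = parse_blocks(config)
    findings, hosts, groups, lists = [], set(), {}, {}
    if "aaa new-model" not in [head for head, _ in blocks]:
        findings.append("global: aaa new-model is missing")
    for head, kids in blocks:
        if head.startswith("radius-server host "):
            hosts.add(server_key(head))
        m = re.match(r"aaa group server radius (\S+)", head)
        if m:
            groups[m.group(1)] = [server_key(k) for k in kids if k.startswith("server ")]
        m = re.match(r"aaa accounting network (\S+) (start-stop|stop-only|none)"
                     r"(?: broadcast)?(?: group (\S+))?", head)
        if m:
            lists[m.group(1)] = (m.group(2), m.group(3))
    for head, kids in blocks:
        m = re.match(r"ip dhcp pool (\S+)", head)
        if not m:
            continue
        pool = m.group(1)
        names = [k.split()[1] for k in kids if re.match(r"accounting \S+", k)]
        if not names:
            findings.append(f"{pool}: no accounting command, leases are not tied to START/STOP")
        for name in names:
            mode, group = lists.get(name, (None, None))
            if mode is None:
                findings.append(f"{pool}: method list {name} is not defined by aaa accounting network")
                continue
            if mode != "start-stop":
                findings.append(f"{pool}: method list {name} is {mode}, START is not sent")
            members = groups.get(group, [])
            if mode != "none" and not members:
                findings.append(f"{pool}: server group {group} has no servers")
            for addr, auth, acct in members:
                if (addr, auth, acct) not in hosts:
                    findings.append(f"{pool}: {addr} in {group} does not match a radius-server host line")
        if "update arp" not in kids:
            findings.append(f"{pool}: update arp is missing, the ARP entry stays dynamic")
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK):
        print(finding)
```
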

Verifying DHCP Accounting: Example

DHCP accounting is enabled after both RADIUS and AAA for DHCP are configured. DHCP START and STOP accounting generation information can be monitored with the debug radius accounting and debug ip dhcp server events commands. See the How to Configure DHCP Accounting section of this document for a list of AAA attributes that have been introduced by DHCP accounting.

The following is sample output from the debug radius accounting command. The output shows the DHCP lease session ID, the MAC address, and the IP address of the client interface.

00:00:53: RADIUS: Pick NAS IP for uid=2 tableid=0 cfg_addr=10.0.18.3 best_addr=0.0.0.0  
00:00:53: RADIUS(00000002): sending  
00:00:53: RADIUS(00000002): Send to unknown id 21645/1 10.1.1.1 :1646, Accounting-Request, 
len 76  
00:00:53: RADIUS: authenticator C6 FE EA B2 1F 9A 85 A2 - 9A 5B 09 B5 36 B5 B9 27  
00:00:53: RADIUS: Acct-Session-Id [44] 10 "00000002"  
00:00:53: RADIUS: Framed-IP-Address [8] 6 10.0.0.10  
00:00:53: RADIUS: Calling-Station-Id [31] 16 "00000c59df76"  
00:00:53: RADIUS: Acct-Status-Type [40] 6 Start [1]  
00:00:53: RADIUS: Service-Type [6] 6 Framed [2]  
00:00:53: RADIUS: NAS-IP-Address [4] 6 10.0.18.3  
00:00:53: RADIUS: Acct-Delay-Time [41] 6 0 

The following is sample output from the debug ip dhcp server events command. The output was generated on a DHCP server and shows an exchange of DHCP messages between the client and server to negotiate a DHCP lease. The acknowledgment that confirms to the DHCP server that the client has accepted the assigned IP address triggers the accounting START message. It is shown in the last line of the following output:

00:45:50:DHCPD:DHCPDISCOVER received from client
0063.6973.636f.2d30.3030.312e.3432.6339.2e65.6337.352d.4574.31 on
interface Ethernet0.

00:45:52:DHCPD:assigned IP address 10.10.10.16 to client
0063.6973.636f.2d30.3030.312e.3432.6339.2e65.6337.352d.4574.31.

00:45:52:DHCPD:Sending DHCPOFFER to client
0063.6973.636f.2d30.3030.312e.3432.6339.2e65.6337.352d.4574.31(10.10.10.16)

00:45:52:DHCPD:broadcasting BOOTREPLY to client 0001.42c9.ec75.

00:45:52:DHCPD:DHCPREQUEST received from client
0063.6973.636f.2d30.3030.312e.3432.6339.2e65.6337.352d.4574.31.

00:45:52:DHCPD:Sending DHCPACK to client
0063.6973.636f.2d30.3030.312e.3432.6339.2e65.6337.352d.4574.31
(10.10.10.16).

00:45:52:DHCPD:broadcasting BOOTREPLY to client 0001.42c9.ec75.

00:45:52:DHCPD:triggered Acct Start for 0001.42c9.ec75 (10.10.10.16).

The following is sample output from the debug ip dhcp server events command. The output was generated on a DHCP server and shows the receipt of an explicit release message from the DHCP client. The DHCP server triggers an accounting STOP message and then returns the IP address to the DHCP pool. Information about the accounting STOP message is shown in the third line of the following output:

00:46:26:DHCPD:DHCPRELEASE message received from client
0063.6973.636f.2d30.3030.312e.3432.6339.2e65.6337.352d.4574.31 (10.10.10.16)

00:46:26:DHCPD:triggered Acct Stop for (10.10.10.16).

00:46:26:DHCPD:returned 10.10.10.16 to address pool WIRELESS-POOL.
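The sample output above shows the invariant this feature is meant to enforce: every acknowledged lease triggers an accounting START, and every address returns to the pool only after an accounting STOP. The following check over saved debug ip dhcp server events output is an added example, not Cisco code; it recognizes only the four message forms shown on this page in the timestamp format shown, and the function names, the 10.10.10.17 lease and its client ID are constructed.

```python
import re

# Constructed capture in the format of the page's "debug ip dhcp server events"
# output, wrapped lines included. The 10.10.10.17 lease and its client ID are
# constructed: it is acknowledged and later returned to the pool with no
# accounting trigger in between.
SAMPLE = """\
00:45:52:DHCPD:Sending DHCPACK to client
0063.6973.636f.2d30.3030.312e.3432.6339.2e65.6337.352d.4574.31
(10.10.10.16).
00:45:52:DHCPD:broadcasting BOOTREPLY to client 0001.42c9.ec75.
00:45:52:DHCPD:triggered Acct Start for 0001.42c9.ec75 (10.10.10.16).
00:46:26:DHCPD:DHCPRELEASE message received from client
0063.6973.636f.2d30.3030.312e.3432.6339.2e65.6337.352d.4574.31 (10.10.10.16)
00:46:26:DHCPD:triggered Acct Stop for (10.10.10.16).
00:46:26:DHCPD:returned 10.10.10.16 to address pool WIRELESS-POOL.
00:47:10:DHCPD:Sending DHCPACK to client
0063.6973.636f.2d30.3030.312e.3432.6339.2e65.6337.352d.4574.32
(10.10.10.17).
00:47:41:DHCPD:returned 10.10.10.17 to address pool WIRELESS-POOL.
"""

IP = r"(\d+(?:\.\d+){3})"
PATTERNS = [
    ("ack", re.compile(r"Sending DHCPACK to client \S+\s*\(" + IP + r"\)")),
    ("start", re.compile(r"triggered Acct Start for .*?\(" + IP + r"\)")),
    ("stop", re.compile(r"triggered Acct Stop for .*?\(" + IP + r"\)")),
    ("returned", re.compile(r"returned " + IP + r" to address pool")),
]
STAMP = re.compile(r"^(\d\d:\d\d:\d\d):DHCPD:")


def join_wrapped(text):
    """Re-join continuation lines: a record starts only at a timestamped DHCPD line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_events(text):
    """Return (time, kind, ip) tuples for the message forms listed in PATTERNS."""
    events = []
    for record in join_wrapped(text):
        stamp = STAMP.match(record)
        if not stamp:
            continue
        for kind, pattern in PATTERNS:
            m = pattern.search(record)
            if m:
                events.append((stamp.group(1), kind, m.group(1)))
                break
    return events


def audit_events(text):
    """Flag leases whose DHCP state changed without the matching accounting trigger."""
    state, findings = {}, []  # state: ip -> "acked" | "started" | "stopped"
    for time, kind, ip in parse_events(text):
        prev = state.get(ip)
        if kind == "ack":
            if prev != "started":  # an ACK on an already accounted lease keeps its state
                state[ip] = "acked"
        elif kind == "start":
            state[ip] = "started"
        elif kind == "stop":
            if prev != "started":
                findings.append((time, ip, "Acct Stop without a preceding Acct Start"))
            state[ip] = "stopped"
        elif kind == "returned":
            if prev == "acked":
                findings.append((time, ip, "lease ended but no Acct Start was ever triggered"))
            elif prev == "started":
                findings.append((time, ip, "address returned to pool without Acct Stop"))
            state.pop(ip, None)
    for ip, value in sorted(state.items()):
        if value == "acked":
            findings.append(("end", ip, "DHCPACK sent but no Acct Start in the capture"))
    return findings


if __name__ == "__main__":
    for finding in audit_events(SAMPLE):
        print(*finding)
```
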

Additional References

For additional information related to DHCP Accounting, refer to the following references:

Related Documents

Related Topic
Document Title

DHCP commands

Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2

DHCP configuration tasks

Cisco IOS IP Configuration Guide, Release 12.2

Securing DHCP bindings

DHCP Secured IP Address Assignment

AAA configuration tasks

Cisco IOS Security Configuration Guide, Release 12.2

AAA commands: complete command syntax, command mode, defaults, usage guidelines, and examples

Cisco IOS Security Command Reference, Release 12.2T

RADIUS configuration tasks

Cisco IOS Security Configuration Guide, Release 12.2

RADIUS commands: complete command syntax, command mode, defaults, usage guidelines, and examples

Cisco IOS Security Command Reference, Release 12.2T

SSG configuration tasks and commands

"Service Selection Gateway" feature document, Release 12.2(8)T


Standards

Standards (1)
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

(1) Not all supported standards are listed.


MIBs

MIBs (1)
MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

(1) Not all supported MIBs are listed.


RFCs

RFCs (1)    Title
RFC 2131    Dynamic Host Configuration Protocol
RFC 2132    DHCP Options and BOOTP Vendor Extensions
RFC 2866    RADIUS Accounting

(1) Not all supported RFCs are listed.


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, tools, and lots more. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents a new command. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.

accounting (DHCP)

To enable DHCP accounting, use the accounting command in DHCP pool configuration mode. To disable DHCP accounting for the specified server group, use the no form of this command.

accounting server-group-name

no accounting server-group-name

Syntax Description

server-group-name

Name of a server group to apply DHCP accounting. The server group can have one or more members. The server group is defined in the configuration of the aaa group server and aaa accounting commands.


Defaults

No default behavior or values

Command Modes

DHCP pool configuration

Command History

Release      Modification
12.2(15)T    This command was introduced.


Usage Guidelines

The accounting DHCP pool configuration command is used to enable the DHCP accounting feature by sending secure DHCP START accounting messages when IP addresses are assigned to DHCP clients, and secure DHCP STOP accounting messages when DHCP leases are terminated. A DHCP lease is terminated when the client explicitly releases the lease, when the session times out, and when the DHCP bindings are cleared from the DHCP database. DHCP accounting is configured on a per-client or per-lease basis. Separate DHCP accounting processes can be configured on a per-pool basis.

The accounting command can be applied only to network pools in which bindings are created automatically and destroyed upon lease termination (or when the client sends a DHCP RELEASE message). DHCP bindings are also destroyed when the clear ip dhcp binding or no service dhcp command is issued. These commands should be used with caution if an address pool is configured with DHCP accounting.

AAA and RADIUS must be configured before this command can be used to enable DHCP accounting. A server group must be defined with the aaa group server command. START and STOP message generation is configured with the aaa accounting command. The aaa accounting command can be configured to enable the DHCP accounting to send both START and STOP messages or STOP messages only.

Examples

The following example configures DHCP accounting START and STOP messages to be sent if RADIUS-GROUP1 is configured as a start-stop group. STOP messages will only be sent if RADIUS-GROUP1 is configured as a stop-only group.

Router(config)# ip dhcp pool WIRELESS-POOL 
Router(dhcp-config)# accounting RADIUS-GROUP1
Router(dhcp-config)# exit

Related Commands

Command
Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+.

aaa group server

Groups different server hosts into distinct lists and distinct methods.

aaa new-model

Enables the AAA access control model.

aaa session-id

Specifies whether the same session ID will be used for each AAA accounting service type within a call or whether a different session ID will be assigned to each accounting service type.

clear arp-cache

Deletes all dynamic entries from the ARP cache.

clear ip dhcp binding

Deletes an automatic address binding from the Cisco IOS DHCP server database.

ip dhcp pool

Configures a DHCP address pool on a Cisco IOS DHCP server and enters DHCP pool configuration mode.

ip radius source-interface

Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets.

radius-server host

Specifies a RADIUS server host.

radius-server retransmit

Specifies the number of times that IOS will look for RADIUS server hosts.

service dhcp

Enables the Cisco IOS DHCP server and relay agent features.

show ip dhcp binding

Displays address bindings on the Cisco IOS DHCP server.

show ip dhcp server statistics

Displays Cisco IOS DHCP server statistics.

update arp

Secures the MAC address of the authorized client interface to the DHCP binding.