DHCP Server RADIUS Proxy

Last Updated: December 3, 2012

The DHCP Server RADIUS Proxy feature is a RADIUS-based address assignment mechanism in which a Dynamic Host Configuration Protocol (DHCP) server authorizes remote clients and allocates addresses based on replies from a RADIUS server.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for DHCP Server RADIUS Proxy

Before you can configure the DHCP Server RADIUS Proxy feature, you must be running DHCPv4 or a later version. For information about release and platform support, see the Feature Information for DHCP Server RADIUS Proxy.

Restrictions for DHCP Server RADIUS Proxy

The DHCP Server RADIUS Proxy supports only one address authorization pool on the router.

Information About DHCP Server RADIUS Proxy

DHCP Server RADIUS Proxy Overview

The DHCP Server RADIUS Proxy feature is an address allocation mechanism for RADIUS-based authorization of DHCP leases. This feature supports DHCP options 60 and 121.

The process of authorizing the client using the RADIUS server is as follows:

  1. The DHCP server passes client information to a RADIUS server.
  2. The RADIUS server returns all required information to the DHCP server as RADIUS attributes.
  3. The DHCP server translates the RADIUS attributes into DHCP options and sends this information back to RADIUS in a DHCP OFFER message.
  4. DHCP binding is synchronized after the RADIUS server authorizes the client session.

If a local pool and an authorization pool are configured on the router, the DHCP server can assign addresses from both pools for different client interfaces.

DHCP Server RADIUS Proxy Enhancement

The DHCP Server RADIUS Proxy Enhancement feature is an enhancement to the DHCP Server RADIUS Proxy feature introduced in Cisco IOS Release 15.0(1)S. This feature supports DHCP options 60 and 121.

The process of authorizing the client using the RADIUS server is as follows:

  1. The DHCP server passes client information to a RADIUS server.
  2. The RADIUS server returns classname information and other optional information (Session-Timeout and Session-Duration) to the DHCP server as RADIUS attributes.
  3. The DHCP server assigns the IP address from the specified class, if it is available, and translates any other optional attributes received from the RADIUS server into DHCP options. The information is sent to the DHCP client as a DHCP OFFER message.
  4. DHCP binding is synchronized after the RADIUS server authorizes the client session.

DHCP Server RADIUS Proxy Architecture

The allocation of addresses in a DHCP and RADIUS proxy architecture occurs in the following sequence:

  1. The client accesses the network from a residential gateway and sends a DHCP DISCOVER broadcast message to the relay agent. The DHCP DISCOVER message contains the client IP address, hostname, vendor class identifier, and client identifier.
  2. The relay agent sends a DHCP DISCOVER unicast message with the following information to the router:
    • Relay agent information (option 82) with the remote ID suboption containing the inner and outer VLAN IDs.
    • Client information in the DHCP DISCOVER packet.

The router determines the address of the DHCP server from the IP helper address on the interface that receives the DHCP packet.

  1. RADIUS receives an access-request message to translate the DHCP options to RADIUS attributes.
  2. RADIUS responds with an access-accept message, and delivers the following attributes to the DHCP server:
    • Framed-IP-Address
    • Framed-IP-Netmask
    • Session-Timeout
    • Session-Duration
  3. The DHCP server sends an OFFER unicast message with the following translations from the RADIUS server access-accept message to the client:
    • Framed-IP-Address inserted into the DHCP header.
    • Framed-IP-Netmask inserted into DHCP option 1 (subnet mask).
    • Session-Timeout inserted into DHCP option 51 (IP address lease time).
    • Framed-Route that is translated from the standard Cisco Framed-Route format into DHCP option 121 or the DHCP default gateway option (if the network and netmask are appropriate for a default route).
    • A copy of relay agent information (option 82). Before the DHCP client receives the packet, the relay removes option 82.
    • T1 time set to the Session-Timeout and T2 time set to the Session-Duration.
  4. The client returns a formal request for the offered IP address to the DHCP server in a DHCP REQUEST broadcast message.
  5. The DHCP confirms that the IP address is allocated to the client by returning a DHCP ACK unicast message containing the lease information and the DHCP options to the client.
  6. A RADIUS server accounting request starts, followed by a RADIUS server accounting response that is used by the authentication, authorization, and accounting (AAA) subsystem.

When a RADIUS server attribute is not present in an access-accept message, the corresponding DHCP option is not sent to the DHCP client. If the required information to produce a particular RADIUS server attribute is not available to the DHCP server, the DHCP server does not include information in the RADIUS packet. Noninclusion can be in the form of not sending an attribute (if there is no information at all), or omitting information from the attribute (in the case of CLI-based format strings).

If a DHCP option is provided to the DHCP server but is invalid, the DHCP server may not transmit the corresponding RADIUS attribute in the access-request, or may transmit an invalid RADIUS server attribute.

DHCP Server RADIUS Proxy Enhancement Architecture

The allocation of addresses in a DHCP and RADIUS proxy enhancement architecture occurs in the following sequence:

  1. The client accesses the network from a residential gateway and sends a DHCP DISCOVER broadcast message to the relay agent. The DHCP DISCOVER message contains the client IP address, hostname, vendor class identifier, and client identifier.
  2. The relay agent sends a DHCP DISCOVER unicast message with the following information to the router:
    • Relay agent information (option 82) with the remote ID suboption containing the inner and outer VLAN IDs.
    • Client information in the DHCP DISCOVER packet.

The router determines the address of the DHCP server from the IP helper address on the interface that receives the DHCP packet.

  1. The RADIUS server receives an access-request message to translate the DHCP options to RADIUS attributes.
  2. The RADIUS server responds with an access-accept message and delivers the following attributes to the DHCP server:
    • Classname
    • Session-Timeout (optional)
    • Session-Duration (optional)
  3. The DHCP server identifies the addresses configured under the specified classname and assigns an address to the client.
  4. The DHCP server sends an OFFER unicast message containing the following translations from the RADIUS server access-accept message to the client:
    • Session-Timeout inserted into DHCP option 51 (IP address lease time).
    • Framed-Route that is translated from the standard Cisco Framed-Route format into DHCP option 121 or the DHCP default gateway option
    • A copy of relay agent information (option 82). Before the DHCP client receives the packet, the relay removes option 82.
    • T1 time set to the Session-Timeout and T2 time set to the Session-Duration.
  5. The client returns a formal request for the offered IP address to the DHCP server in a DHCP REQUEST broadcast message.
  6. The DHCP server confirms the IP address allocation by sending a DHCP ACK unicast message containing the lease information and the DHCP options to the client.
  7. A RADIUS server accounting request starts, followed by a RADIUS server accounting response that is used by the AAA subsystem.

Note
If the classname attribute is not present in the access-accept message received, the DHCP server assumes a default classname and tries to assign the IP address from a default class. The IP address is assigned to the client only if the IP address is available for a default class.
  • If the Framed-IP-Address, Framed-IP-Netmask, Session-Timeout, and Session-Duration attributes are present in the access-accept message, then the classname attribute is ignored and the DHCP server assigns the IP address received in the Framed-IP-Address attribute to the client.

DHCP Server and RADIUS Translations

The table below lists the translations of DHCP options in a DHCP DISCOVER message to attributes in a RADIUS server access-request message.

Table 1 DCHP DISCOVER to RADIUS Access-Request Translations

DHCP DISCOVER

RADIUS Access-Request

Client identifier

Cisco attribute-value (AV) pair dhcp-client-id that equals the hexadecimal-encoded value of DHCP option 61

DHCP relay information option that can contain a VLAN parameter on the D-router

Cisco AV pair dhcp-relay-info that equals the hexadecimal-encoded value of DHCP option 82

Gateway address of the relay agent (giaddr field of a DHCP packet)

NAS-identifier

Hostname

Cisco AV pair client-hostname that equals the value of DHCP option 12

Not Applicable

User-Password as configured on the DHCP server

Vendor class

Cisco AV pair dhcp-vendor-class that equals a hexadecimal-encoded value of DHCP option 60

Virtual MAC address of the residential gateway

User-Name

The table below lists the translations of attributes in a RADIUS server access-accept message to DHCP options in a DHCP OFFER message.

Table 2 RADIUS Access-Accept to DHCP OFFER Translations

RADIUS Access-Accept

DHCP OFFER

Cisco AV pair session-duration in seconds, where seconds is greater than or equal to the number of seconds in the Session-Timeout attribute

Provides session control on the DHCP server. This attribute is not transmitted to the DHCP client.

Classname

Contains a string that specifies the class to be used by the DHCP server in the an address allocation.

Framed-IP-Address

IP address of the residential gateway.

Framed-IP-Netmask

Subnet mask (option 1).

Framed-Route (RADIUS attribute 22). One route for each DHCP option is allowed with a maximum of 16 Framed-Route options for a RADIUS packet

Contains up to 16 classless routes in one option (option 121).

Session-Timeout

IP address lease time (option 51).

RADIUS Profiles for the DHCP Server RADIUS Proxy

When you configure the RADIUS server user profiles for the DHCP server RADIUS proxy, use the following guidelines:

  • The Session-Timeout attribute must contain a value, in seconds. If this attribute is not present, the DHCP OFFER is not sent to the client.
  • A RADIUS user profile must contain the following attributes:
    • Framed-IP-Address
    • Framed-IP-Netmask
    • Framed-Route
    • Session-Timeout
    • Session-Duration--Session-Duration is the Cisco AV pair session-duration = seconds, where seconds is the maximum time for the duration of a lease including all renewals. The value for Session-Duration must be greater than or equal to the Session-Timeout attribute value, and it cannot be zero.
  • Additional RADIUS server attributes are allowed but are not required. The DHCP server ignores additional attributes that it does not understand. If a RADIUS server user profile contains a required attribute that is empty, the DHCP server does not generate the DHCP options.

RADIUS Profiles for the DHCP Server RADIUS Proxy Enhancement

When you configure the RADIUS server user profiles for the DHCP server RADIUS proxy enhancement for a classname, use the following guidelines:

  • The Session-Timeout attribute (if present) must contain a value, in seconds.
  • A RADIUS user profile may contain the following attributes:
    • Classname (default classname is considered, if this attribute is not present)
    • Framed-Route
    • Session-Timeout
    • Session-Duration--Session-Duration is the Cisco AV pair session-duration = seconds, where "seconds" is the maximum time for the duration of a lease including all renewals. The value for Session-Duration should be greater than or equal to the Session-Timeout attribute value, and it cannot be zero.
  • Additional RADIUS server attributes are allowed but are not required. The DHCP server ignores additional attributes that it does not understand.

How to Configure DHCP Server RADIUS Proxy

Configuring AAA-Related Commands for DHCP Server RADIUS Proxy

Perform this task to configure AAA-related commands required to configure the DHCP Server RADIUS Proxy and DHCP Server RADIUS Proxy Enhancement features.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    service dhcp

4.    aaa new-model

5.    aaa group server radius group-name

6.    server ip-address [auth-port port-number] [acct-port port-number]

7.    exit

8.    aaa authorization network method-list-name group group-name

9.    aaa accounting network method-list-name start-stop group group-name

10.    interface type slot / subslot / port [. subinterface]

11.    encapsulation dot1q vlan-id second-dot1q {any | vlan-id [, vlan-id [- vlan-id]]}

12.    ip address address mask

13.    no shutdown

14.    exit

15.    radius-server host ip-address [auth-port port-number] [acct-port port-number]

16.    radius-server key {0 string | 7 string | string}

17.    exit


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Router# configure terminal

 

Enters global configuration mode.

 
Step 3
service dhcp


Example:

Router(config)# service dhcp

 

Enables DHCP server and relay agent features on the router.

  • By default, these features are enabled on the router.
 
Step 4
aaa new-model


Example:

Router(config)# aaa new-model

 

Enables the AAA access control system.

 
Step 5
aaa group server radius group-name


Example:

Router(config)# aaa group server radius group1

 

Specifies the name of the server host list to group RADIUS server hosts, and enters server-group configuration mode.

  • group-name --Character string to name the server group. The following words cannot be used as the group name:
    • auth-guest
    • enable
    • guest
    • if-authenticated
    • if-needed
    • krb5
    • krb-instance
    • krb-telnet
    • line
    • local
    • none
    • radius
    • rcmd
    • tacacs
    • tacacsplus
 
Step 6
server ip-address [auth-port port-number] [acct-port port-number]


Example:

Router(config-sg-radius)# server 10.1.1.1 auth-port 1700 acct-port 1701

 

Specifies the IP address of the RADIUS server host for the defined server group.

  • Repeat this command for each RADIUS server host to associate with the server group.

    • ip-address- --IP address of the RADIUS server host.
    • auth-port port-number- --(Optional) Specifies the UDP destination port for authentication requests. Default value is 1645.
    • acct-port port-number --(Optional) Specifies the UDP destination port for accounting requests. Default value is 1646.
 
Step 7
exit


Example:

Router(config-sg-radius)# exit

 

Exits server-group configuration mode.

 
Step 8
aaa authorization network method-list-name group group-name


Example:

Router(config)# aaa authorization network auth1 group group1

 

Specifies the methods list and server group for DHCP authorization.

  • method-list-name --Character string to name the authorization methods list.
  • group --Specifies a server group.
  • group-name --Name of the server group to apply to DHCP authorization.
 
Step 9
aaa accounting network method-list-name start-stop group group-name


Example:

Router(config)# aaa accounting network acct1 start-stop group group1

 

Specifies that AAA accounting runs for all network service requests.

  • method-list-name --Character string to name the accounting methods list.
  • start-stop --Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether or not the start accounting notice is received by the accounting server.
  • group --Specifies a server group.
  • group-name --Name of the server group to apply to DHCP accounting.
 
Step 10
interface type slot / subslot / port [. subinterface]


Example:

Router(config)# interface ethernet 1/10/0.0

 

Configures an interface or subinterface that allows the DHCP client to obtain an IP address from the DHCP server, and enters subinterface configuration mode.

 
Step 11
encapsulation dot1q vlan-id second-dot1q {any | vlan-id [, vlan-id [- vlan-id]]}


Example:

Router(config-subif)# encapsulation dot1q 100 second-dot1q 200

 

(Optional) Enables IEEE 802.1Q encapsulation of traffic on a subinterface in a VLAN.

  • vlan-id --VLAN ID, integer in the range 1 to 4094. To separate the starting and ending VLAN ID values that are used to define a range of VLAN IDs, enter a hyphen. (Optional) To separate each VLAN ID range from the next range, enter a comma.
  • second-dot1q --Supports the IEEE 802.1Q-in-Q VLAN Tag Termination feature to configure an inner VLAN ID.
  • any --Any second tag in the range 1 to 4094.
 
Step 12
ip address address mask


Example:

Router(config-subif)# ip address 192.168.1.1 255.255.255.0

 

Specifies an IP address for an interface or subinterface.

  • address is the IP address of the interface or subinterface.
  • mask is the subnet address for the IP address.
 
Step 13
no shutdown


Example:

Router(config-subif)# no shutdown

 

Enables the interface or subinterface.

 
Step 14
exit


Example:

Router(config-subif)# exit

 

Exits subinterface configuration mode and enters global configuration mode.

 
Step 15
radius-server host ip-address [auth-port port-number] [acct-port port-number]


Example:

Router(config)# radius-server host 10.1.1.1

 

Specifies a RADIUS server host.

  • ip-address is the IP address of the RADIUS server host.
  • auth-port port-number-- (Optional) Specifies the UDP destination port for authentication requests. Default value is 1645.
  • acct-port port-number-- (Optional) Specifies the UDP destination port for accounting requests. Default value is 1646.
 
Step 16
radius-server key {0 string | 7 string | string}


Example:

Router(config)# radius-server key string1

 

Specifies the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.

  • 0 string-- Specifies an unencrypted (cleartext) shared key
  • 7 string -- Specifies a hidden shared key.
Note    Any key you enter must match the key on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.
 
Step 17
exit


Example:

Router(config)# exit

 

Exits global configuration mode.

 

Configuring the DHCP Server for RADIUS Proxy Authorization

Perform this task to configure the DHCP Server for RADIUS Proxy feature.

Before You Begin

Configure the AAA configuration before configuring the DHCP Server for RADIUS Proxy feature.


SUMMARY STEPS

1.    enable

2.    configure terminal

3.    ip dhcp use class [aaa]

4.    ip dhcp pool name

5.    accounting method-list-name

6.    authorization method method-list-name

7.    authorization shared-password password

8.    authorization username string

9.    exit


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Router# configure terminal

 

Enters global configuration mode.

 
Step 3
ip dhcp use class [aaa]


Example:

Router(config)# ip dhcp use class aaa

 

Configures the DHCP server to use the AAA server to get the class name.

 
Step 4
ip dhcp pool name


Example:

Router(config)# ip dhcp pool pool1

 

Specifies a name for the DHCP server address pool, and enters DHCP pool configuration mode.

  • name --Name of the pool.
 
Step 5
accounting method-list-name


Example:

Router(dhcp-config)# accounting acct1

 

Enables DHCP accounting.

  • method-list-name --Name of the accounting methods list.
 
Step 6
authorization method method-list-name


Example:

Router(dhcp-config)# authorization method auth1

 

Enables DHCP authorization.

  • method-list-name --Name of the authorization methods list.
 
Step 7
authorization shared-password password


Example:

Router(dhcp-config)# authorization shared-password password1

 

Specifies the password that is configured in the RADIUS user profile.

 
Step 8
authorization username string


Example:

Router(dhcp-config)# authorization username %c-user1

 

Specifies the parameters that RADIUS sends to a DHCP server when downloading configuration information for a DHCP client.

  • The string argument contains the following formatting characters to insert DHCP client information:
    • %%--Transmits the percent sign (%) character in the string sent to the RADIUS server
    • %c--Ethernet address of the DHCP client (chaddr field) in ASCII format
    • %C--Ethernet address of the DHCP client in hexadecimal format
    • %g--Gateway address of the DHCP relay agent (giaddr field)
    • %i--Inner VLAN ID from the DHCP relay information (option 82) in ASCII format
    • %I--Inner VLAN ID from the DHCP relay information in hexadecimal format
    • %o--Outer VLAN ID from the DHCP relay information (option 82) in ASCII format
    • %O--Outer VLAN ID from the DHCP relay information (option 82) in hexadecimal format
    • %p--Port number from the DHCP relay information (option 82) in ASCII format
    • %P--Port number from the DHCP relay information (option 82) in hexadecimal format
    • %u--Circuit ID from the DHCP relay information in ASCII format
    • %U--Circuit ID from the DHCP relay information in hexadecimal format
    • %r--Remote ID from the DHCP relay information in ASCII format
    • %R--Remote ID from the DHCP relay information in hexadecimal format
Note    The percent (%) sign is a marker to insert the DHCP client information associated with the specified character. The % is not sent to the RADIUS server unless you specify the %% characters.
 
Step 9
exit


Example:

Router(dhcp-config)# exit

 

Exits DHCP pool configuration mode.

 

Configuring the DHCP Server Proxy Enhancement

Perform this task to configure the DHCP Server Proxy Enhancement feature.

Before You Begin

Configure the AAA configuration before configuring the DHCP Server for RADIUS Proxy feature.


SUMMARY STEPS

1.    enable

2.    configure terminal

3.    ip dhcp use class aaa

4.    ip dhcp pool name

5.    accounting server-group-name

6.    authorization method method-list-name

7.    authorization shared-password password

8.    authorization username username

9.    exit

10.    ip dhcp pool name

11.    network network-number [mask [secondary] | / prefix-length [secondary]]

12.    class class-name

13.    address range start-ip end-ip


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Router# configure terminal

 

Enters global configuration mode.

 
Step 3
ip dhcp use class aaa


Example:

Router(config)# ip dhcp use class aaa

 

Specifies to use the AAA server to get class name.

 
Step 4
ip dhcp pool name


Example:

Router(config)# ip dhcp pool pool1

 

Configures a DHCP address pool on a DHCP server and enters DHCP pool configuration mode.

 
Step 5
accounting server-group-name


Example:

Router(dhcp-config)# accounting list1

 

Enables DHCP accounting on a server group.

 
Step 6
authorization method method-list-name


Example:

Router(dhcp-config)# authorization method list1

 

Specifies a method list to be used for address allocation using RADIUS for DHCP.

 
Step 7
authorization shared-password password


Example:

Router(dhcp-config)# authorization shared-password password1

 

Specifies the password that RADIUS sends to a DHCP or RADIUS server when downloading configuration information for a DHCP client.

 
Step 8
authorization username username


Example:

Router(dhcp-config)# authorization username user1

 

Specifies the parameters that RADIUS sends to a DHCP server when downloading configuration information for a DHCP client.

 
Step 9
exit


Example:

Router(dhcp-config)# exit

 

Exits DHCP pool configuration mode and returns to global configuration mode.

 
Step 10
ip dhcp pool name


Example:

Router(config)# ip dhcp pool name2

 

Configures a DHCP address pool on a DHCP server and enters DHCP pool configuration mode.

 
Step 11
network network-number [mask [secondary] | / prefix-length [secondary]]


Example:

Router(config)# network 10.0.0.1 255.255.255.0

 

Configures the network number and mask for a DHCP address pool primary or secondary subnet on a Cisco IOS DHCP server.

 
Step 12
class class-name


Example:

Router(config)# class name1

 

Associates a class with a DHCP address pool and enters DHCP pool class configuration mode.

 
Step 13
address range start-ip end-ip


Example:

Router(config-dhcp-pool-class)# address range 10.0.0.1 10.0.0.5

 

Sets an address range for a DHCP class in a DHCP server address pool.

 

Monitoring and Maintaining the DHCP Server

Perform this task to verify and monitor DHCP server information. Once the router is in privileged EXEC mode, you can enter the commands in any order.

SUMMARY STEPS

1.    enable

2.    debug ip dhcp server packet

3.    debug ip dhcp server events

4.    show ip dhcp binding [address]

5.    show ip dhcp server statistics

6.    show ip dhcp pool [name]

7.    show ip route dhcp [address]


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
debug ip dhcp server packet


Example:

Router# debug ip dhcp server packet

 

(Optional) Enables DHCP server debugging.

 
Step 3
debug ip dhcp server events


Example:

Router# debug ip dhcp server events

 

(Optional) Reports DHCP server events, such as address assignments and database updates.

 
Step 4
show ip dhcp binding [address]


Example:

Router# show ip dhcp binding

 

(Optional) Displays a list of all bindings created on a specific DHCP server.

  • Use the show ip dhcp bindingcommand to display the IP addresses that have already been assigned. Verify that the address pool has not been exhausted. If necessary, re-create the pool to create a larger pool of addresses.
  • Use the show ip dhcp binding command to display the lease expiration date and time of the IP address of the host.
 
Step 5
show ip dhcp server statistics


Example:

Router# show ip dhcp server statistics

 

(Optional) Displays count information about server statistics and messages sent and received.

 
Step 6
show ip dhcp pool [name]


Example:

Router# show ip dhcp pool

 

(Optional) Displays the routes added to the routing table by the DHCP server and relay agent.

 
Step 7
show ip route dhcp [address]


Example:

Router# show ip route dhcp [address]

 

(Optional) Displays information about DHCP address pools.

 

Configuration Examples for DHCP Server Radius Proxy

Example Configuring the DHCP Server for RADIUS Proxy

The following example shows how to configure a DHCP server for RADIUS-based authorization of DHCP leases. In this example, DHCP clients can attach to Ethernet interface 4/0/1 and Ethernet subinterface 4/0/3.10. The username string (%c-user1) specifies that the RADIUS server sends the Ethernet address of DHCP client named user1 to the DHCP server.

Router> enable
Router# configure terminal
Router(config)# service dhcp
Router(config)# aaa new-model
Router(config)# aaa group server radius rad1
Router(config-sg)# server 10.1.1.1
Router(config-sg)# server 10.1.5.10
Router(config-sg)# exit
 
Router(config)# aaa authorization network auth1 group group1
Router(config)# aaa accounting network acct1 start-stop group group1
Router(config)# aaa session-id common
Router(config)# ip dhcp database tftp://172.16.1.1/router-dhcp write-delay 100 timeout 5
!
Router(config)# ip dhcp pool pool_common
Router(config-dhcp)# accounting acct1
Router(config-dhcp)# authorization method auth1
Router(config-dhcp)# authorization shared-password cisco
Router(config-dhcp)# authorization username %c-user1
Router(config-dhcp)# exit
! 
Router(config)# interface ethernet 4/0/1
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Router(config-if)# exit
Router(config-if)# interface ethernet 4/0/3.10
 
Router(config-if)# encapsulation dot1q 100 second-dot1q 200
Router(config-if)# ip address 10.1.1.1 255.255.255.0
Router(config-if)# exit
Router(config)# radius-server host 10.1.3.2
Router(config)# radius-server key cisco
Router(config)# exit

Example Configuring RADIUS Profiles for RADIUS Proxy

The following example shows how to configure a typical RADIUS user profile to send attributes in an access-accept message to the DHCP server:

DHCP-00059A3C7800 Password = "password"
Service-Type = Framed,
Framed-Ip-Address = 10.3.4.5,
Framed-Netmask = 255.255.255.0,
Framed-Route = "0.0.0.0 0.0.0.0 10.3.4.1",
Session-Timeout = 3600,
Cisco:Cisco-Avpair = "session-duration=7200"

Example Configuring the DHCP Server for RADIUS Proxy Enhancement

The following example shows how to configure a DHCP server for RADIUS-based authorization of classname. In this example, DHCP clients can attach to Ethernet interface 4/0/1 and Ethernet subinterface 4/0/3.10. The username string (%c-user1) specifies that the RADIUS server sends the Ethernet address of DHCP client named user1 to the DHCP server.

Router> enable
Router# configure terminal
Router(config)# service dhcp
Router(config)# aaa new-model
Router(config)# aaa group server radius rad1
Router(config-sg)# server 10.1.1.1
Router(config-sg)# server 10.1.5.10
Router(config-sg)# exit
Router(config)# aaa authorization network auth1 group group1
Router(config)# aaa accounting network acct1 start-stop group group1
Router(config)# aaa session-id commo
n
Router(config)# ip dhcp database tftp://172.0.2.1/router-dhcp write-delay 100 timeout 5
!
Router(config)# ip dhcp pool pool_common
Router(config-dhcp)# accounting acct1
Router(config-dhcp)# authorization method auth1
Router(config-dhcp)# authorization shared-password password1
Router(config-dhcp)# authorization username %c-user1
Router(config-dhcp)# exit
!
Router(config)# ip dhcp pool pool_subnet
Router(config-dhcp)# network 10.3.4.0 255.255.255.0
Router(config-dhcp)# class class-1
Router(config-dhcp)# address range 10.3.4.1 10.3.4.10
Router(config-dhcp)# exit
!
Router(config)# interface ethernet 4/0/1
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Router(config-if)# exit
Router(config-if)# interface ethernet 4/0/3.10
Router(config-if)# encapsulation dot1q 100 second-dot1q 200
Router(config-if)# ip address 10.1.1.1 255.255.255.0
Router(config-if)# exit
Router(config)# radius-server host 10.1.3.2
Router(config)# radius-server key cisco
Router(config)# exit

Example Configuring RADIUS Profiles for RADIUS Proxy Enhancement

The following example shows how to configure a typical RADIUS user profile to send attributes in an access-accept message to the DHCP server:

DHCP-00059A3C7800 Password = "password"
Service-Type = Framed,
Classname = "class-1"
Framed-Route = "0.0.0.0 0.0.0.0 10.3.4.1",
Session-Timeout = 3600,
Cisco:Cisco-Avpair = "session-duration=7200"

Additional References

Related Documents

Related Topic

Document Title

Cisco IOS commands

Cisco IOS Master Commands List, All Releases

DHCP relay configuration

Configuring the Cisco IOS DHCP Relay Agent

DHCP commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples

Cisco IOS IP Addressing Services Command Reference

Standards

Standards

Title

No new or modified standards are supported, and support for existing standards has not been modified.

--

MIBs

MIBs

MIBs Link

No new or modified MIBs are supported, and support for existing MIBs has not been modified.

To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

RFCs

Title

No new or modified RFCs are supported, and support for existing RFCs has not been modified.

--

Technical Assistance

Description

Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for DHCP Server RADIUS Proxy

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 3 Feature Information for Cisco IOS DHCP Server Radius Proxy

Feature Name

Releases

Feature Information

DHCP Server RADIUS Proxy

12.2(31)ZV1 12.2(34)SB 12.2(33)XNE 15.0(1)S

The DHCP Server RADIUS Proxy feature enables a server to authorize remote clients and allocate addresses based on replies from the server.

The following commands were modified by this feature: authorization method (DHCP), authorization shared-password , authorization username (DHCP).

DHCP Radius Proxy Enhancement

15.0(1)S

The DHCP Radius Proxy Enhancement feature provides an option to configure the DHCP server to accept either the class name or an IP address to assign to the client.

The following commands were introduced or modified: accounting (DHCP), address range, authorization method (DHCP), authorization shared-password, authorization username (DHCP), class (DHCP), network (DHCP).

Glossary

client --A host trying to configure its interface (obtain an IP address) using DHCP or BOOTP protocols.

DHCP --Dynamic Host Configuration Protocol.

giaddr --gateway IP address. The giaddr field of the DHCP message provides the DHCP server with information about the IP address subnet on which the client is to reside. It also provides the DHCP server with an IP address where the response messages are to be sent.

MPLS --Multiprotocol Label Switching.

relay agent --A router that forwards DHCP and BOOTP messages between a server and a client on different subnets.

server --DHCP or BOOTP server.

VPN --Virtual Private Network. Enables IP traffic to use tunneling to travel securely over a public TCP/IP network.

VRF --VPN routing and forwarding instance. A VRF consists of an IP routing table, a derived forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine what goes into the forwarding table. In general, a VRF includes the routing information that defines a customer VPN site that is attached to a PE router. Each VPN instantiated on the PE router has its own VRF.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.