Authentication, Authorization, and Accounting Configuration Guide, Cisco IOS Release 15S
AAA Support for IPv6

Authentication, authorization, and accounting (AAA) support for IPv6 is in compliance with RFC 3162. This module provides information about how to configure AAA options for IPv6.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About AAA Support for IPv6

AAA over IPv6

Vendor-specific attributes (VSAs) are used to support authentication, authorization, and accounting (AAA) over IPv6. The Cisco VSAs are inacl, outacl, prefix, and route.

You can configure prefix pools and pool names by using the AAA protocol. Customers can deploy an IPv6 RADIUS server or a TACACS+ server to communicate with Cisco devices.

AAA Support for IPv6 RADIUS Attributes

The following RADIUS attributes, as described in RFC 3162, are supported for IPv6:

  • Framed-Interface-Id

  • Framed-IPv6-Pool

  • Framed-IPv6-Prefix

  • Framed-IPv6-Route

  • Login-IPv6-Host

The following RADIUS attributes are also supported for IPv6:

  • Delegated-IPv6-Prefix (RFC 4818)

  • Delegated-IPv6-Prefix-Pool

  • DNS-Server-IPv6-Address

  • IPv6 ACL

  • IPv6_DNS_Servers

  • IPv6 Pool

  • IPv6 Prefix#

  • IPv6 Route

The attributes listed above can be configured on a RADIUS server and downloaded to access servers, where they can be applied to access connections.

Prerequisites for Using AAA Attributes for IPv6

AAA attributes for IPv6 are compliant with RFC 3162 and require a RADIUS server capable of supporting RFC 3162.

RADIUS Per-User Attributes for Virtual Access in IPv6 Environments

The following IPv6 attributes for RADIUS attribute-value (AV) pairs are supported for virtual access:

Framed-Interface-Id

The Framed-Interface-Id attribute indicates the IPv6 interface identifier to be configured. This per-user attribute is used during the IPv6CP negotiations and may be used in access-accept packets. If the Interface-Identifier IPv6CP option has been successfully negotiated, this attribute must be included in an Access-Request packet as a hint by the NAS to the server that it would prefer that value.

Framed-IPv6-Pool

The Framed-IPv6-Pool attribute is a per-user attribute that contains the name of an assigned pool that should be used to assign an IPv6 prefix for the user. This pool should either be defined locally on the router or defined on a RADIUS server from which pools can be downloaded.

Framed-IPv6-Prefix

The Framed-IPv6-Prefix attribute performs the same function as the Cisco VSA: it is used for virtual access only and indicates an IPv6 prefix (and corresponding route) to be configured. This attribute is a per-user attribute and lets the user specify which prefixes to advertise in Neighbor Discovery Router Advertisement messages. The Framed-IPv6-Prefix attribute may be used in access-accept packets and can appear multiple times. The NAS will create a corresponding route for the prefix.

To use this attribute for DHCP for IPv6 prefix delegation, create a second profile for the same user on the RADIUS server. The username associated with the second profile has the suffix "-dhcpv6".

The Framed-IPv6-Prefix attribute in the two profiles is treated differently. If a NAS needs both to send a prefix in router advertisements (RAs) and delegate a prefix to a remote user’s network, the prefix for RA is placed in the Framed-IPv6-Prefix attribute in the user’s regular profile, and the prefix used for prefix delegation is placed in the attribute in the user’s separate profile.

Framed-IPv6-Route

The Framed-IPv6-Route attribute performs the same function as the Cisco VSA: It is a per-user attribute that provides routing information to be configured for the user on the NAS. This attribute is a string attribute and is specified using the ipv6 route command.

IPv6 ACL

You can specify a complete IPv6 access list. The unique name of the access list is generated automatically. The access list is removed when its user logs out. The previous access list on the interface is reapplied.

The inacl and outacl attributes allow you to specify an existing access list configured on the router. The following example shows ACL number 1 specified as the access list:

cisco-avpair = "ipv6:inacl#1=permit 2001:DB8:cc00:1::/48",
cisco-avpair = "ipv6:outacl#1=deny 2001:DB8::/10",

IPv6 Pool

For RADIUS authentication, the IPv6 Pool attribute extends the IPv4 address pool attribute to support the IPv6 protocol. It specifies the name of a local pool on the NAS from which to get the prefix, and it is used whenever the service is configured as PPP and the protocol is specified as IPv6. Note that the address pool works in conjunction with local pooling: it specifies the name of the local pool that has been preconfigured on the NAS.

IPv6 Prefix

The IPv6 Prefix# attribute lets you indicate which prefixes to advertise in Neighbor Discovery Router Advertisement messages. When the IPv6 Prefix# attribute is used, a corresponding route (marked as a per-user static route) is installed in the routing information base (RIB) tables for the given prefix.

cisco-avpair = "ipv6:prefix#1=2001:DB8::/64",
cisco-avpair = "ipv6:prefix#2=2001:DB8::/64",

IPv6 Route

The IPv6 route attribute allows you to specify a per-user static route. A static route is appropriate when the Cisco IOS software cannot dynamically build a route to the destination. See the description of the ipv6 route command for more information about building static routes.

The following example shows the IPv6 route attribute used to define a static route:

cisco-avpair = "ipv6:route#1=2001:DB8:cc00:1::/48",
cisco-avpair = "ipv6:route#2=2001:DB8:cc00:2::/48",

Login-IPv6-Host

The Login-IPv6-Host attribute is a per-user attribute that indicates the IPv6 system with which to connect the user when the Login-Service attribute is included.

IPv6 Prefix Pools

The function of prefix pools in IPv6 is similar to that of address pools in IPv4. The main difference is that IPv6 assigns prefixes rather than single addresses.

As in IPv4, a pool or a pool definition in IPv6 can be configured locally or it can be retrieved from an AAA server. Overlapping membership between pools is not permitted.

Once a pool is configured, it cannot be changed. If you change the configuration, the pool will be removed and re-created. All prefixes previously allocated will be freed.

Prefix pools can be defined so that each user is allocated a 64-bit prefix or so that a single prefix is shared among several users. In a shared prefix pool, each user may receive only one address from the pool.

How to Configure AAA Support for IPv6

Configuring the RADIUS Server over IPv6

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    aaa new-model

    4.    radius server name

    5.    address ipv6 {hostname | ipv6address} [acct-port port | alias {hostname | ipv6address} | auth-port port [acct-port port]]

    6.    key {0 string | 7 string} string

    7.    timeout seconds

    8.    retransmit retries

    9.    end


DETAILED STEPS

Step 1  enable

  Example:
  Device> enable

  Enables privileged EXEC mode. Enter your password if prompted.

Step 2  configure terminal

  Example:
  Device# configure terminal

  Enters global configuration mode.

Step 3  aaa new-model

  Example:
  Device(config)# aaa new-model

  Enables the AAA access control model.

Step 4  radius server name

  Example:
  Device(config)# radius server myserver

  Configures the RADIUS server for IPv6 and enters RADIUS server configuration mode.

Step 5  address ipv6 {hostname | ipv6address} [acct-port port | alias {hostname | ipv6address} | auth-port port [acct-port port]]

  Example:
  Device(config-radius-server)# address ipv6 2001:DB8:1::1 acct-port 1813 auth-port 1812

  Configures the IPv6 address for the RADIUS server accounting and authentication parameters.

Step 6  key {0 string | 7 string} string

  Example:
  Device(config-radius-server)# key 0 key1

  Specifies the authentication and encryption key for all RADIUS communications between the router and the RADIUS server.

Step 7  timeout seconds

  Example:
  Device(config-radius-server)# timeout 10

  Specifies the time interval (in seconds) that the router waits for the RADIUS server to reply before retransmitting.

Step 8  retransmit retries

  Example:
  Device(config-radius-server)# retransmit 5

  Specifies the number of times a RADIUS request is re-sent to a server when that server is not responding or is responding slowly.

Step 9  end

  Example:
  Device(config-radius-server)# end

  Exits RADIUS server configuration mode and returns to privileged EXEC mode.

Specifying the Source Address in RADIUS Server

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    ipv6 radius source-interface type number

    4.    end

DETAILED STEPS

Step 1  enable

  Example:
  Device> enable

  Enables privileged EXEC mode. Enter your password if prompted.

Step 2  configure terminal

  Example:
  Device# configure terminal

  Enters global configuration mode.

Step 3  ipv6 radius source-interface type number

  Example:
  Device(config)# ipv6 radius source-interface ethernet 0/0

  Specifies the interface whose address is used as the source address of RADIUS packets sent to the server.

Step 4  end

  Example:
  Device(config)# end

  Exits global configuration mode and returns to privileged EXEC mode.

Configuring RADIUS Server Group Options

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    aaa group server radius group-name

    4.    server name server-name

    5.    server-private {ip-address | name | ipv6-address} [nat] [single-connection] [port port-number] [timeout seconds] [key [0 | 7] string]

    6.    ipv6 radius source-interface type number

    7.    end

DETAILED STEPS

Step 1  enable

  Example:
  Device> enable

  Enables privileged EXEC mode. Enter your password if prompted.

Step 2  configure terminal

  Example:
  Device# configure terminal

  Enters global configuration mode.

Step 3  aaa group server radius group-name

  Example:
  Device(config)# aaa group server radius group1

  Groups different RADIUS server hosts into distinct lists and distinct methods, and enters RADIUS group server configuration mode.

Step 4  server name server-name

  Example:
  Device(config-sg-radius)# server name server1

  Specifies an IPv6 RADIUS server, by the name given in the radius server command, as a member of the group.

Step 5  server-private {ip-address | name | ipv6-address} [nat] [single-connection] [port port-number] [timeout seconds] [key [0 | 7] string]

  Example:
  Device(config-sg-radius)# server-private 2001:DB8:3333:4::5 port 19 key key1

  Configures the IPv6 address of the private RADIUS server for the group server.

Step 6  ipv6 radius source-interface type number

  Example:
  Device(config-sg-radius)# ipv6 radius source-interface ethernet 0/0

  Specifies the interface whose address is used as the source address of RADIUS packets, under the RADIUS group server configuration.

Step 7  end

  Example:
  Device(config-sg-radius)# end

  Exits RADIUS group server configuration mode and returns to privileged EXEC mode.

Configuring the DHCPv6 Server to Obtain Prefixes from RADIUS Servers

Before You Begin

Before you perform this task, you must configure the AAA client and PPP on the router.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    interface type number

    4.    ipv6 nd prefix framed-ipv6-prefix

DETAILED STEPS

Step 1  enable

  Example:
  Router> enable

  Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2  configure terminal

  Example:
  Router# configure terminal

  Enters global configuration mode.

Step 3  interface type number

  Example:
  Router(config)# interface ethernet 0/0

  Specifies an interface type and number, and places the router in interface configuration mode.

Step 4  ipv6 nd prefix framed-ipv6-prefix

  Example:
  Router(config-if)# ipv6 nd prefix framed-ipv6-prefix

  Adds the prefix in a received RADIUS framed IPv6 prefix attribute to the interface's neighbor discovery prefix queue.

Configuration Examples for AAA Support for IPv6

Example: Configuring RADIUS Server over IPv6

Device> enable
Device# show radius server-group all

Server group radius
    Sharecount = 1 sg_unconfigured = FALSE
    Type = standard Memlocks = 1
    Server(2001:DB8:3333:4::5,6) Transactions:
    Authen: 0 Author: 0 Acct: 0
    Server_auto_test_enabled: FALSE
        Keywrap enabled: FALSE
Server group rad_ser1
    Sharecount = 1 sg_unconfigured = FALSE
    Type = standard Memlocks = 1
    Server(2001:DB8:3333:4::5,6) Transactions:
    Authen: 0 Author: 0 Acct: 0
    Server_auto_test_enabled: FALSE
        Keywrap enabled: FALSE

Example: RADIUS Configuration

The following sample RADIUS configuration shows the definition of AV pairs to establish static routes:

campus1 Auth-Type = Local, Password = "mypassword"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        cisco-avpair = "ipv6:inacl#1=permit 2001:DB8:1::/64 any",
        cisco-avpair = "ipv6:route=2001:DB8:2::/64",
        cisco-avpair = "ipv6:route=2001:DB8:3::/64",
        cisco-avpair = "ipv6:prefix=2001:DB8:2::/64 0 0 onlink autoconfig",
        cisco-avpair = "ipv6:prefix=2001:DB8:3::/64 0 0 onlink autoconfig",
        cisco-avpair = "ip:route=10.0.0.0 255.0.0.0",

Additional References

Related Documents

  Related Topic                       Document Title
  IPv6 addressing and connectivity    IPv6 Configuration Guide
  Cisco IOS commands                  Cisco IOS Master Commands List, All Releases
  IPv6 commands                       Cisco IOS IPv6 Command Reference
  Cisco IOS IPv6 features             Cisco IOS IPv6 Feature Mapping

Standards and RFCs

  Standard/RFC      Title
  RFCs for IPv6     IPv6 RFCs

Technical Assistance

  Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

  Link: http://www.cisco.com/cisco/web/support/index.html

Feature Information for AAA Support for IPv6

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1  Feature Information for AAA Support for IPv6

Feature Name: AAA Support for Cisco VSA IPv6 Attributes
  Releases: 12.2(33)SRC, 12.2(13)T, 12.3, 12.3(2)T, 12.4, 12.4(2)T
  Feature Information: VSAs were developed to support AAA for IPv6.

Feature Name: IPv6 Access Services: AAA Support for RFC 3162 IPv6 RADIUS Attributes
  Releases: 12.3(4)T, 12.4, 12.2(58)SE, 12.2(33)SRC
  Feature Information: The AAA attributes for IPv6 are compliant with RFC 3162 and require a RADIUS server capable of supporting RFC 3162. The following commands were introduced or modified: ipv6 nd prefix framed-ipv6-prefix.

Feature Name: IPv6 Access Services: Prefix Pools
  Releases: 12.2(13)T
  Feature Information: This feature is supported.

Feature Name: RADIUS over IPv6
  Releases: 15.2(1)T, 12.2(58)SE, 15.1(1)SY
  Feature Information: Authentication, authorization, and accounting (AAA) support for IPv6 is in compliance with RFC 3162. This feature provides information about how to configure AAA options for IPv6.