Table Of Contents
RADIUS Attribute 8 (Framed-IP-Address) in Access Requests
Supported Standards, MIBs, and RFCs
Configuring RADIUS Attribute 8 in Access Requests
Verifying RADIUS Attribute 8 in Access Requests
radius-server attribute 8 include-in-access-req
RADIUS Attribute 8 (Framed-IP-Address) in Access Requests
This feature module describes the RADIUS Attribute 8 (Framed-IP-Address) in Access Requests feature and includes the following sections:
•
Supported Standards, MIBs, and RFCs
Feature Overview
The RADIUS Attribute 8 (Framed-IP-Address) in Access Requests feature makes it possible for a network access server (NAS) to provide the RADIUS server with a hint of the user IP address in advance of user authentication. An application can be run on the RADIUS server to use this hint and build a table (map) of usernames and addresses. Using the mapping information, service applications can begin preparing user login information to have available upon successful user authentication.
How It Works
When a network device dials in to a NAS that is configured for RADIUS authentication, the NAS begins the process of contacting the RADIUS server in preparation for user authentication. Typically, the IP address of the dial-in host is not communicated to the RADIUS server until after successful user authentication. Communicating the device IP address to the server in the RADIUS access request allows other applications to begin to take advantage of that information.
As the NAS is setting up communication with the RADIUS server, the NAS assigns an IP address to the dial-in host from a pool of IP addresses configured at the specific interface. The NAS sends the IP address of the dial-in host to the RADIUS server as attribute 8. At that time, the NAS sends other user information, such as the username, to the RADIUS server.
After the RADIUS server receives the user information from the NAS, it has two options:
•
•
The address returned by the RADIUS server is saved in memory on the NAS for the life of the session. If the NAS is configured for RADIUS accounting, the accounting start packet sent to the RADIUS server includes the same IP address as in attribute 8. All subsequent accounting packets, updates (if configured), and stop packets will also include the same IP address provided in attribute 8.
Benefits
The RADIUS Attribute 8 (Framed-IP-Address) in Access Requests feature makes it possible to run applications on the RADIUS server that build mapping tables of users and IP addresses. The server can then use the mapping table information in other applications, such as preparing customized user login pages in advance of a successful user authentication with the RADIUS server.
Related Documents
•
•
Supported Platforms
•
•
•
•
•
Supported Standards, MIBs, and RFCs
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
To obtain lists of MIBs supported by platform and Cisco IOS release and to download MIB modules, go to the Cisco MIB web site on Cisco Connection Online (CCO) at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
No new or modified RFCs are supported by this feature.
Prerequisites
Sending RADIUS attribute 8 in the RADIUS access requests assumes that the login host has been configured to request its IP address from the NAS server. It also assumes that the login host has been configured to accept an IP address from the NAS.
The NAS must be configured with a pool of network addresses on the interface supporting the login hosts.
Configuration Tasks
See the following section for the configuration task for the RADIUS Attribute 8 (Framed-IP-Address) in Access Requests feature: Configuring RADIUS Attribute 8 in Access Requests (required).
Configuring RADIUS Attribute 8 in Access Requests
To send RADIUS attribute 8 in the access request, use the following global configuration command:
Router(config)# radius-server attribute 8 include-in-access-req
Sends RADIUS attribute 8 in access-request packets.
Verifying RADIUS Attribute 8 in Access Requests
To verify that RADIUS attribute 8 is being sent in access requests, use the following privileged EXEC commands. Attribute 8 should be present in all PPP access requests.
Configuration Examples
The following example shows a NAS configuration that sends the IP address of the dial-in host to the RADIUS server in the RADIUS access request. The NAS is configured for RADIUS authentication, authorization, and accounting (AAA). A pool of IP addresses (async1-pool) has been configured and applied at interface Async1.
aaa new-modelaaa authentication login default group radiusaaa authentication ppp default group radiusaaa authorization network default group radiusaaa accounting network default start-stop group radius!ip address-pool local!interface Async1peer default ip address pool async1-pool!ip local pool async1-pool 192.168.200.225 192.168.200.229!radius-server host 172.16.71.146 auth-port 1645 acct-port 1646radius-server retransmit 3radius-server attribute 8 include-in-access-reqradius-server key radhostCommand Reference
This section documents the new command that configures the RADIUS Attribute 8 (Framed-IP-Address) in Access Requests feature. All other commands used with this feature are documented in the Cisco IOS Release 12.1 command reference publications.
radius-server attribute 8 include-in-access-req
To send the IP address of a user to the RADIUS server in the access request, use the radius-server attribute 8 include-in-access-req global configuration command. To disable sending of the user IP address to the RADIUS server during authentication, use the no form of this command.
radius-server attribute 8 include-in-access-req
no radius-server attribute 8 include-in-access-req
Syntax Description
This command has no arguments or keywords.
Defaults
This command is disabled.
Command Modes
Global configuration mode
Command History
12.1(3)AA
This command was introduced.
12.1(5)T
This command was integrated in the T train.
Usage Guidelines
Using the radius-server attribute 8 include-in-access-req command makes it possible for a network access server (NAS) to provide the RADIUS server with a hint of the user IP address in advance of user authentication. An application can be run on the RADIUS server to use this hint and build a table (map) of usernames and addresses. Using the mapping information, service applications can begin preparing user login information to have available upon successful user authentication.
When a network device dials in to a NAS that is configured for RADIUS authentication, the NAS begins the process of contacting the RADIUS server in preparation for user authentication. Typically, the IP address of the dial-in host is not communicated to the RADIUS server until after successful user authentication. Communicating the device IP address to the server in the RADIUS access request allows other applications to begin to take advantage of that information.
As the NAS is setting up communication with the RADIUS server, the NAS assigns an IP address to the dial-in host from a pool of IP addresses configured at the specific interface. The NAS sends the IP address of the dial-in host to the RADIUS server as attribute 8. At that time, the NAS sends other user information, such as the username, to the RADIUS server.
After the RADIUS server receives the user information from the NAS, it has two options:
•
•
The address returned by the RADIUS server is saved in memory on the NAS for the life of the session. If the NAS is configured for RADIUS accounting, the accounting start packet sent to the RADIUS server includes the same IP address as in attribute 8. All subsequent accounting packets, updates (if configured), and stop packets will also include the same IP address as in attribute 8.
Note
Examples
The following example shows a NAS configuration that sends the IP address of the dial-in host to the RADIUS server in the RADIUS access request. The NAS is configured for RADIUS authentication, authorization, and accounting (AAA). A pool of IP addresses (async1-pool) has been configured and applied at interface Async1.
aaa new-modelaaa authentication login default group radiusaaa authentication ppp default group radiusaaa authorization network default group radiusaaa accounting network default start-stop group radius!ip address-pool local!interface Async1peer default ip address pool async1-pool!ip local pool async1-pool 192.168.200.225 192.168.200.229!radius-server host 172.16.71.146 auth-port 1645 acct-port 1646radius-server retransmit 3radius-server attribute 8 include-in-access-reqradius-server key radhost
Guest
