Configuring DHCP Services for Accounting and Security
First Published: May 2, 2005
Last Updated: May 4, 2009
Cisco IOS XE software supports several capabilities that enhance DHCP security, reliability, and accounting in Public Wireless LANs (PWLANs). This functionality can also be used in other network implementations. This module describes the concepts and tasks needed to configure DHCP services for accounting and security.
Finding Feature Information
For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for DHCP Services for Accounting and Security" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for Configuring DHCP Services for Accounting and Security
• Information About DHCP Services for Accounting and Security
• How to Configure DHCP Services for Accounting and Security
• Configuration Examples for DHCP Services for Accounting and Security
• Feature Information for DHCP Services for Accounting and Security
Prerequisites for Configuring DHCP Services for Accounting and Security
Before you configure DHCP services for accounting and security, you should understand the concepts documented in the "DHCP Overview" module.
Information About DHCP Services for Accounting and Security
Before you configure DHCP services for accounting and security, you should understand the following concepts:
• DHCP Operation in Public Wireless LANs
• Security Vulnerabilities in Public Wireless LANs
• DHCP Services for Security and Accounting Overview
DHCP Operation in Public Wireless LANs
The configuration of DHCP in a public wireless LAN (PWLAN) simplifies the configuration of wireless clients and reduces the overhead necessary to maintain the network. DHCP clients are leased IP addresses by the DHCP server and then authenticated by the Service Selection Gateway (SSG), which allows the clients to access network services. The DHCP server and client exchange DHCP messages for IP address assignments. When a DHCP server assigns an IP address to a client, a DHCP binding is created. The IP address is leased to the client until the client explicitly releases the IP address and disconnects from the network. If the client disconnects without releasing the address, the server terminates the lease after the lease time is over. In either case, the DHCP server removes the binding and the IP address is returned to the pool.
Security Vulnerabilities in Public Wireless LANs
As more people start using PWLANs, security becomes an important concern. Most implementations of PWLANs rely on DHCP for users to obtain an IP address while in a hot spot (such as a coffee shop, airport terminal, hotel, and so on) and use this IP address provided by the DHCP server throughout their session.
IP spoofing is a common attack in which a host sends traffic with a source IP address that belongs to someone else. For example, customer A obtains an IP address from DHCP and has already been authenticated to use the PWLAN; an attacker on the same hot spot then sends and receives traffic using customer A's IP address. Customer A is still billed for the service even though he or she is not the one using it.
Address Resolution Protocol (ARP) table entries are dynamic by design, and ARP carries no authentication: any host on the segment can answer an ARP request, or send an unsolicited reply, for any IP address. In a DHCP network, the DHCP server records the leased IP address together with the MAC address or client identifier of the client in the DHCP binding, but the gateway's ARP table is populated independently, from ARP traffic. An unauthorized client can therefore claim the IP address that the DHCP server leased to an authorized client; its MAC address replaces the authorized client's MAC address in the ARP table, and the unauthorized client can then freely use the spoofed IP address.
DHCP Services for Security and Accounting Overview
DHCP security and accounting features have been designed and implemented to address the security concerns in PWLANs but also can be used in other network implementations.
DHCP accounting provides authentication, authorization, and accounting (AAA) and Remote Authentication Dial-In User Service (RADIUS) support for DHCP. When a lease is assigned or terminated, the DHCP server generates a RADIUS accounting START or STOP record for that lease. The records are authenticated with the RADIUS shared secret, so upstream devices such as an SSG can maintain session state from accounting records that an unauthorized host cannot forge. This additional layer of security helps prevent unauthorized clients from gaining entry to the network by spoofing authorized DHCP leases.
The DHCP Secured IP Address Assignment feature prevents IP spoofing by synchronizing the DHCP server's binding database with the ARP table, which prevents address hijacking. When an address is allocated, this secure ARP functionality adds an ARP entry for the client that dynamic ARP learning cannot overwrite; only the DHCP server removes the entry, when the binding expires.
DHCP Lease Limits
You can control the number of subscribers globally or on a per-interface basis by configuring a DHCP lease limit. This functionality allows an Internet service provider (ISP) to limit the number of leases available to clients per household or connection.
How to Configure DHCP Services for Accounting and Security
This section contains the following tasks:
• Configuring AAA and RADIUS for DHCP Accounting
• Securing ARP Table Entries to DHCP Leases
• Configuring a DHCP Lease Limit to Control the Number of Subscribers on an Interface
Configuring AAA and RADIUS for DHCP Accounting
Perform this task to configure AAA and RADIUS for DHCP accounting.
RADIUS provides the accounting transport for the START and STOP messages. AAA and RADIUS must be enabled before DHCP accounting is configured; in an existing DHCP network that has neither, enabling them is the first step toward securing it. The configuration steps in this section are required for configuring DHCP accounting in a new or an existing network.
RADIUS Accounting Attributes
DHCP accounting introduces the attributes shown in Table 1. These attributes are processed directly by the RADIUS server when DHCP accounting is enabled. These attributes can be monitored in the output of the debug radius command. The output will show the status of the DHCP leases and specific configuration details about the client. The accounting keyword can be used with the debug radius command to filter the output and display only DHCP accounting messages.
Table 1 RADIUS Accounting Attributes
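The following added example is not part of the original Cisco module; it shows what a "secure" accounting record means on the wire. It builds a RADIUS Accounting-Request carrying the attribute set that the debug radius accounting output later in this module prints for a DHCP START record, computes the Request Authenticator over the shared secret as RFC 2866 section 3 requires, and performs the server-side check that rejects a record built with the wrong secret or altered in transit. The shared secret, session identifier, client address and MAC, and NAS address are constructed values; the MAC is written in Cisco's dotted form, and the encoded packet comes to 76 bytes, the length the sample debug output reports.

```python
"""Build and verify a RADIUS Accounting-Request (RFC 2866) carrying the attributes
that DHCP accounting places in a Start record. Constructed example; the secret,
addresses, session ID and MAC are made up and are not from the original page."""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4                      # RADIUS Code for Accounting-Request

# Attribute types that appear in the DHCP accounting Start record
NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_IP_ADDRESS = 4, 6, 8
CALLING_STATION_ID, ACCT_STATUS_TYPE, ACCT_DELAY_TIME, ACCT_SESSION_ID = 31, 40, 41, 44
ACCT_START, ACCT_STOP = 1, 2                # Acct-Status-Type values
SERVICE_FRAMED = 2                          # Service-Type value


def ip4(address):
    return ipaddress.IPv4Address(address).packed


def u32(value):
    return struct.pack("!I", value)


def dhcp_accounting_record(status, session_id, client_ip, client_mac, nas_ip, delay=0):
    """Attribute list in the order the debug radius accounting output prints it."""
    return [
        (ACCT_SESSION_ID, session_id.encode()),
        (FRAMED_IP_ADDRESS, ip4(client_ip)),
        (CALLING_STATION_ID, client_mac.encode()),
        (ACCT_STATUS_TYPE, u32(status)),
        (SERVICE_TYPE, u32(SERVICE_FRAMED)),
        (NAS_IP_ADDRESS, ip4(nas_ip)),
        (ACCT_DELAY_TIME, u32(delay)),
    ]


def accounting_request(identifier, attributes, secret):
    """NAS side: encode attributes as Type/Length/Value and sign the packet.
    RFC 2866 s.3: Request Authenticator = MD5(Code + ID + Length + 16 zero octets
    + Attributes + Secret). The RADIUS server recomputes it to validate the record."""
    body = b"".join(bytes([atype, 2 + len(value)]) + value for atype, value in attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet, secret):
    """Server side: a packet whose authenticator does not verify (wrong shared
    secret, or attributes altered in transit) is silently discarded."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def decode_attributes(packet):
    """Walk the TLVs after the 20-byte header; returns [(type, value), ...]."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


# Constructed values; SHARED_SECRET stands in for what 'radius-server key' configures on IOS XE
SHARED_SECRET = b"example-shared-secret"
START_PACKET = accounting_request(
    1, dhcp_accounting_record(ACCT_START, "00000002", "10.0.0.10", "0000.0c59.df76", "10.0.18.3"),
    SHARED_SECRET)

if __name__ == "__main__":
    print("length", len(START_PACKET), "valid", verify_accounting_request(START_PACKET, SHARED_SECRET))
```

On Cisco IOS XE the shared secret is configured with the radius-server key command or the key keyword of radius-server host; the configuration examples in this module omit it, and without it the RADIUS server discards every Accounting-Request. The authenticator gives integrity against an attacker who does not know the secret, but it is MD5-based and provides no confidentiality or replay protection, so the path between the NAS and the RADIUS server should itself be trusted or protected (for example, with IPsec).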
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. aaa group server radius group-name
5. server ip-address auth-port port-number acct-port port-number
6. exit
7. aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group group-name
8. aaa session-id {common | unique}
9. ip radius source-interface type-number [vrf vrf-name]
10. radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number]
11. radius-server retransmit number-of-retries
DETAILED STEPS
Troubleshooting Tips
To monitor and troubleshoot the configuration of RADIUS accounting, use the following command:
Configuring DHCP Accounting
Perform this task to configure DHCP accounting.
DHCP Accounting
DHCP accounting is enabled with the accounting DHCP pool configuration command. This command configures DHCP to operate with AAA and RADIUS to enable secure START and STOP accounting messages. This configuration adds a layer of security that allows DHCP lease assignment and termination to be triggered for the appropriate RADIUS START and STOP accounting records so that the session state is properly maintained by upstream devices, such as the SSG.
DHCP accounting records are generated per client lease: a START when the lease is assigned and a STOP when it is terminated. Accounting is enabled per pool, so each pool can reference its own accounting method list.
Prerequisites
You must configure an SSG for client authentication. AAA and RADIUS must be enabled before DHCP accounting will operate.
Restrictions
The following restrictions apply to DHCP accounting:
• DHCP accounting can be configured only for DHCP network pools in which bindings are created automatically and destroyed upon lease termination or when the client sends a DHCPRELEASE message.
• DHCP bindings are destroyed when the clear ip dhcp binding or no service dhcp commands are entered, which also triggers an accounting STOP message. You should exercise caution when entering these commands if a pool is configured with DHCP accounting, as these commands will clear active leases.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip dhcp pool pool-name
4. accounting method-list-name
DETAILED STEPS
Command or Action  Purpose
Step 1  enable
Example: Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2  configure terminal
Example: Router# configure terminal
Enters global configuration mode.
Step 3  ip dhcp pool pool-name
Example: Router(config)# ip dhcp pool WIRELESS-POOL
Configures a DHCP address pool and enters DHCP pool configuration mode.
Step 4  accounting method-list-name
Example: Router(dhcp-config)# accounting RADIUS-GROUP1
Enables DHCP accounting for the pool through the named AAA accounting method list, which must be configured for RADIUS accounting.
• In the example, both START and STOP messages are generated if RADIUS-GROUP1 is configured as a start-stop method list; only STOP messages are generated if it is configured as stop-only. See Step 7 in the Configuring AAA and RADIUS for DHCP Accounting configuration task table for more details.
Verifying DHCP Accounting
Perform this task to verify the DHCP accounting configuration.
The debug radius, debug ip dhcp server events, debug aaa accounting, and debug aaa id commands do not need to be issued together or in the same session, because each provides different information. Between them they display DHCP accounting start and stop events, AAA accounting messages, and information about AAA and DHCP hosts and clients. See the "RADIUS Accounting Attributes" section of this module for the AAA attributes introduced by DHCP accounting. The show running-config | begin dhcp command displays the local DHCP configuration, including the DHCP accounting configuration.
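As an added example that is not part of the original module, the following script runs the check these debug commands make possible over saved debug ip dhcp server events output: it pairs each triggered Acct Start line with the triggered Acct Stop line for the same address and reports leases that are still being accounted for (and therefore still billed) and STOP messages with no matching START. The log lines are constructed to mirror the format of the sample output in this module; they were not captured from a device, and the second client and the 10.10.10.99 address are invented.

```python
"""Pair DHCP accounting Start/Stop events in 'debug ip dhcp server events' output.
Constructed example; the log lines below are made up in the format IOS XE prints."""
import re

# Lines the DHCP server logs when it triggers an accounting record for a lease
START_RE = re.compile(r"DHCPD:triggered Acct Start for (\S+) \((\d+(?:\.\d+){3})\)")
STOP_RE = re.compile(r"DHCPD:triggered Acct Stop for \((\d+(?:\.\d+){3})\)")

# Constructed sample; the client-id and first MAC/IP follow the module's sample output
SAMPLE_DEBUG = """\
00:45:52:DHCPD:Sending DHCPACK to client 0063.6973.636f.2d30.3030.312e.3432.6339.2e65.6337.352d.4574.31 (10.10.10.16).
00:45:52:DHCPD:triggered Acct Start for 0001.42c9.ec75 (10.10.10.16).
00:46:01:DHCPD:triggered Acct Start for 0001.42c9.ec76 (10.10.10.17).
00:46:26:DHCPD:DHCPRELEASE message received from client 0063.6973.636f.2d30.3030.312e.3432.6339.2e65.6337.352d.4574.31 (10.10.10.16)
00:46:26:DHCPD:triggered Acct Stop for (10.10.10.16).
00:46:26:DHCPD:returned 10.10.10.16 to address pool WIRELESS-POOL.
00:47:10:DHCPD:triggered Acct Stop for (10.10.10.99).
"""


def correlate(lines):
    """Returns (completed, still_open, orphan_stops):
    completed    - [(mac, ip)] a Start followed by a Stop for the same address
    still_open   - {ip: mac} Start seen, no Stop yet: the client is still being billed
    orphan_stops - [ip] Stop with no preceding Start in this capture"""
    still_open, completed, orphan_stops = {}, [], []
    for line in lines:
        start = START_RE.search(line)
        if start:
            mac, ip = start.groups()
            still_open[ip] = mac
            continue
        stop = STOP_RE.search(line)
        if stop:
            ip = stop.group(1)
            mac = still_open.pop(ip, None)
            if mac is None:
                orphan_stops.append(ip)
            else:
                completed.append((mac, ip))
    return completed, still_open, orphan_stops


def report(text=SAMPLE_DEBUG):
    """Run the correlation over a block of debug output; usage: report(open(f).read())."""
    return correlate(text.splitlines())


if __name__ == "__main__":
    completed, still_open, orphans = report()
    print("completed:", completed)
    print("still open:", still_open)
    print("stop without start:", orphans)
```

A STOP without a START usually means the capture began after the lease was assigned; an address that stays in the open set after the client has left is the case the "Security Vulnerabilities" section describes, where the subscriber continues to be billed, and is worth checking against show ip dhcp binding.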
SUMMARY STEPS
1. enable
2. debug radius accounting
3. debug ip dhcp server events
4. debug aaa accounting
5. debug aaa id
6. show running-config | begin dhcp
DETAILED STEPS
Securing ARP Table Entries to DHCP Leases
Perform this task to secure ARP table entries to DHCP leases in the DHCP database.
When the update arp command is used, ARP table entries and their corresponding DHCP leases are secured automatically for all new leases and DHCP bindings. However, existing active leases are not secured. These leases are still insecure until they are renewed. When the lease is renewed, it is treated as a new lease and will be secured automatically. If this command is disabled on the DHCP server, all existing secured ARP table entries will automatically change to dynamic ARP entries.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip dhcp pool pool-name
4. update arp
5. renew deny unknown
DETAILED STEPS
Command or Action  Purpose
Step 1  enable
Example: Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2  configure terminal
Example: Router# configure terminal
Enters global configuration mode.
Step 3  ip dhcp pool pool-name
Example: Router(config)# ip dhcp pool WIRELESS-POOL
Configures a DHCP address pool and enters DHCP pool configuration mode.
Step 4  update arp
Example: Router(dhcp-config)# update arp
Secures insecure ARP table entries to the corresponding DHCP leases.
• Existing active DHCP leases will not be secured until they are renewed. Using the no update arp command will change secured ARP table entries back to dynamic ARP table entries.
Step 5  renew deny unknown
Example: Router(dhcp-config)# renew deny unknown
(Optional) Configures the renewal policy for unknown clients.
• See the "Troubleshooting Tips" section for information about when to use this command.
Troubleshooting Tips
In some usage scenarios, such as a wireless hotspot, where both DHCP and secure ARP are configured, a connected client device might go to sleep or suspend for a period of time. If the suspended time period is greater than the secure ARP timeout (default of 91 seconds), but less than the DHCP lease time, the client can awake with a valid lease, but the secure ARP timeout has caused the lease binding to be removed because the client has been inactive. When the client awakes, the client still has a lease on the client side but is blocked from sending traffic. The client will try to renew its IP address but the DHCP server will ignore the request because the DHCP server has no lease for the client. The client must wait for the lease to expire before being able to recover and send traffic again.
To remedy this situation, use the renew deny unknown command in DHCP pool configuration mode. This command forces the DHCP server to reject renewal requests from clients if the requested address is present at the server but is not leased. The DHCP server sends a DHCPNAK denial message to the client, which forces the client back to its initial state. The client can then negotiate for a new lease immediately, instead of waiting for its old lease to expire.
Configuring a DHCP Lease Limit to Control the Number of Subscribers on an Interface
Perform this task to limit the number of DHCP leases allowed on an interface.
This feature allows an ISP to limit the number of leases available to clients per household or connection on an interface.
If this feature is enabled on the Cisco IOS XE DHCP server directly connected to clients through unnumbered interfaces, the server allocates addresses and increments the number of leases per subinterface. If a new client tries to obtain an IP address, the server will not offer an IP address if the number of leases on the subinterface has already reached the configured lease limit.
Restrictions
This feature is not supported on numbered interfaces. The lease limit can be applied only to ATM with RBE unnumbered interfaces or serial unnumbered interfaces.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip dhcp limit lease log
4. interface type number
5. ip dhcp limit lease lease-limit
6. end
7. show ip dhcp limit lease [type number]
8. show ip dhcp server statistics [type number]
DETAILED STEPS
Troubleshooting Tips
You can use the debug ip dhcp server packet and debug ip dhcp server events commands to troubleshoot the DHCP lease limit.
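The following added example is not Cisco code and makes no claim about the IOS XE implementation; it is a small model of a DHCP server's bindings and ARP cache that shows the effect of the three controls configured in the tasks above: the secured ARP entries that update arp installs and that ARP learning cannot overwrite, the renew deny unknown policy for a client whose binding was removed by the secure ARP timeout while it slept, and the per-interface lease limit. The pool, interface names, customer MAC and attacker MAC are constructed values.

```python
"""Toy model of a DHCP server's bindings and ARP cache with the three controls in this
module: 'update arp' (secured ARP entries), 'renew deny unknown', and 'ip dhcp limit
lease'. Constructed example; not Cisco's implementation."""
from dataclasses import dataclass, field


@dataclass
class ArpEntry:
    mac: str
    secure: bool   # True when the entry was installed by the DHCP server, not learned


@dataclass
class DhcpServer:
    pool: list                                       # addresses available for lease
    update_arp: bool = False                         # pool configured with 'update arp'
    renew_deny_unknown: bool = False                 # pool configured with 'renew deny unknown'
    lease_limit: dict = field(default_factory=dict)  # interface -> 'ip dhcp limit lease N'
    bindings: dict = field(default_factory=dict)     # ip -> (mac, interface)
    arp: dict = field(default_factory=dict)          # ip -> ArpEntry

    def leases_on(self, interface):
        return sum(1 for _, ifc in self.bindings.values() if ifc == interface)

    def discover(self, mac, interface):
        """DHCPDISCOVER: returns the offered address, or None when no offer is made."""
        limit = self.lease_limit.get(interface)
        if limit is not None and self.leases_on(interface) >= limit:
            return None                              # lease limit reached: no DHCPOFFER
        free = [ip for ip in self.pool if ip not in self.bindings]
        if not free:
            return None
        ip = free[0]
        self.bindings[ip] = (mac, interface)
        if self.update_arp:
            self.arp[ip] = ArpEntry(mac, secure=True)   # tied to the binding, not learned
        return ip

    def arp_learn(self, ip, mac):
        """An ARP reply for ip seen on the wire (possibly forged).
        Dynamic entries are overwritten; secured entries are left alone."""
        entry = self.arp.get(ip)
        if entry is not None and entry.secure:
            return False
        self.arp[ip] = ArpEntry(mac, secure=False)
        return True

    def release(self, ip):
        """DHCPRELEASE, lease expiry, or the secure ARP timeout: the server removes
        the binding and, with it, the secured ARP entry."""
        self.bindings.pop(ip, None)
        self.arp.pop(ip, None)

    def renew(self, mac, ip):
        """DHCPREQUEST for an address the client already holds.
        Returns 'ACK', 'NAK', or None when the server ignores the request."""
        binding = self.bindings.get(ip)
        if binding is not None and binding[0] == mac:
            return "ACK"
        if binding is None and ip in self.pool and self.renew_deny_unknown:
            return "NAK"                             # client goes back to INIT and can rebind now
        return None                                  # default: ignored until the client's lease expires


CUSTOMER_MAC, ATTACKER_MAC = "0001.42c9.ec75", "0000.0c59.df76"   # constructed


def spoof_scenario(secure_arp):
    """Customer A leases an address and the gateway learns it; the attacker then answers
    ARP for it. Returns the MAC the gateway now has for customer A's address."""
    srv = DhcpServer(pool=["10.10.10.16"], update_arp=secure_arp)
    ip = srv.discover(CUSTOMER_MAC, "GigabitEthernet0/0/0")
    srv.arp_learn(ip, CUSTOMER_MAC)                  # legitimate traffic from customer A
    srv.arp_learn(ip, ATTACKER_MAC)                  # forged reply from the attacker
    return srv.arp[ip].mac


def sleep_scenario(deny_unknown):
    """The client sleeps past the secure ARP timeout, so its binding is gone, then wakes
    and tries to renew the address it still holds."""
    srv = DhcpServer(pool=["10.10.10.16"], update_arp=True, renew_deny_unknown=deny_unknown)
    ip = srv.discover(CUSTOMER_MAC, "GigabitEthernet0/0/0")
    srv.release(ip)                                  # secure ARP timeout removed the binding
    return srv.renew(CUSTOMER_MAC, ip)


def lease_limit_scenario(limit, clients):
    """Returns how many of `clients` DISCOVERs on one subinterface receive an offer."""
    srv = DhcpServer(pool=["10.1.1.%d" % i for i in range(2, 20)], lease_limit={"Serial0/0.2": limit})
    offers = [srv.discover("0000.0000.%04x" % i, "Serial0/0.2") for i in range(clients)]
    return sum(1 for offer in offers if offer is not None)
```

Without update arp the forged reply wins and traffic for the address goes to the attacker; with it the entry stays bound to the lease and the attacker's reply has no effect. In the sleep scenario the default behaviour leaves the client stranded until its lease expires, while renew deny unknown sends a DHCPNAK so it can rebind immediately, which is the trade-off the Troubleshooting Tips above describe.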
Configuration Examples for DHCP Services for Accounting and Security
This section provides the following configuration examples:
• Configuring AAA and RADIUS for DHCP Accounting: Example
• Configuring DHCP Accounting: Example
• Verifying DHCP Accounting: Example
• Configuring a DHCP Lease Limit: Examples
Configuring AAA and RADIUS for DHCP Accounting: Example
The following example shows how to configure AAA and RADIUS for DHCP accounting:
aaa new-model
aaa group server radius RGROUP-1
 server 10.1.1.1 auth-port 1645 acct-port 1646
 exit
aaa accounting network RADIUS-GROUP1 start-stop group RGROUP-1
aaa session-id common
ip radius source-interface GigabitEthernet0/0/0
radius-server host 10.1.1.1 auth-port 1645 acct-port 1646
radius-server retransmit 3
exit
Configuring DHCP Accounting: Example
DHCP accounting records are generated per client lease, and accounting is enabled per pool, so each pool can reference its own accounting method list. The following example configures the WIRELESS-POOL pool to send DHCP accounting START and STOP messages, assuming RADIUS-GROUP1 is configured as a start-stop method list:
ip dhcp pool WIRELESS-POOL
 accounting RADIUS-GROUP1
 exit
Verifying DHCP Accounting: Example
DHCP accounting is enabled after both RADIUS and AAA for DHCP are configured. DHCP START and STOP accounting generation information can be monitored with the debug radius accounting and debug ip dhcp server events commands. See the "RADIUS Accounting Attributes" section of this module for a list of AAA attributes that have been introduced by DHCP accounting.
The following is sample output from the debug radius accounting command. The output shows the DHCP lease session ID, the MAC address, and the IP address of the client interface.
00:00:53: RADIUS: Pick NAS IP for uid=2 tableid=0 cfg_addr=10.0.18.3 best_addr=0.0.0.0
00:00:53: RADIUS(00000002): sending
00:00:53: RADIUS(00000002): Send to unknown id 21645/1 10.1.1.1 :1646, Accounting-Request, len 76
00:00:53: RADIUS:  authenticator C6 FE EA B2 1F 9A 85 A2 - 9A 5B 09 B5 36 B5 B9 27
00:00:53: RADIUS:  Acct-Session-Id     [44]  10  "00000002"
00:00:53: RADIUS:  Framed-IP-Address   [8]   6   10.0.0.10
00:00:53: RADIUS:  Calling-Station-Id  [31]  16  "00000c59df76"
00:00:53: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
00:00:53: RADIUS:  Service-Type        [6]   6   Framed                    [2]
00:00:53: RADIUS:  NAS-IP-Address      [4]   6   10.0.18.3
00:00:53: RADIUS:  Acct-Delay-Time     [41]  6   0
The following is sample output from the debug ip dhcp server events command. The output was generated on a DHCP server and shows the exchange of DHCP messages between the client and server that negotiates a lease. The server's DHCPACK, which completes the negotiation after the client has accepted the offered address, triggers the accounting START message; it is shown in the last line of the output:
00:45:50:DHCPD:DHCPDISCOVER received from client 0063.6973.636f.2d30.3030.312e.3432.6339.2e65.6337.352d.4574.31 on interface GigabitEthernet0/0/0.
00:45:52:DHCPD:assigned IP address 10.10.10.16 to client 0063.6973.636f.2d30.3030.312e.3432.6339.2e65.6337.352d.4574.31.
00:45:52:DHCPD:Sending DHCPOFFER to client 0063.6973.636f.2d30.3030.312e.3432.6339.2e65.6337.352d.4574.31 (10.10.10.16)
00:45:52:DHCPD:broadcasting BOOTREPLY to client 0001.42c9.ec75.
00:45:52:DHCPD:DHCPREQUEST received from client 0063.6973.636f.2d30.3030.312e.3432.6339.2e65.6337.352d.4574.31.
00:45:52:DHCPD:Sending DHCPACK to client 0063.6973.636f.2d30.3030.312e.3432.6339.2e65.6337.352d.4574.31 (10.10.10.16).
00:45:52:DHCPD:broadcasting BOOTREPLY to client 0001.42c9.ec75.
00:45:52:DHCPD:triggered Acct Start for 0001.42c9.ec75 (10.10.10.16).
The following is sample output from the debug ip dhcp server events command. The output was generated on a DHCP server and shows the receipt of an explicit release message from the DHCP client. The DHCP server triggers an accounting STOP message and then returns the IP address to the DHCP pool. The accounting STOP message is shown in the triggered Acct Stop line of the output:
00:46:26:DHCPD:DHCPRELEASE message received from client 0063.6973.636f.2d30.3030.312e.3432.6339.2e65.6337.352d.4574.31 (10.10.10.16)
00:46:26:DHCPD:triggered Acct Stop for (10.10.10.16).
00:46:26:DHCPD:returned 10.10.10.16 to address pool WIRELESS-POOL.
Configuring a DHCP Lease Limit: Examples
In the following example, five DHCP clients are allowed to receive IP addresses on the subinterface. When a sixth client sends a DHCPDISCOVER, the DHCP server does not offer it an address; the lease limit violation is logged and a trap is sent to the SNMP manager.
ip dhcp limit lease log
!
ip dhcp pool pool1
 network 10.1.1.0 255.255.255.0
!
interface loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface serial 0/0.2 point-to-point
 ip dhcp limit lease 5
 ip unnumbered loopback0
 exit
snmp-server enable traps dhcp interface
Additional References
The following sections provide references related to configuring DHCP services for accounting and security.
Related Documents
Related Topic  Document Title
ARP commands: complete command syntax, command modes, defaults, usage guidelines, and examples
DHCP commands: complete command syntax, command modes, defaults, usage guidelines, and examples
DHCP conceptual information
"DHCP Overview" module
DHCP server configuration
DHCP ODAP configuration
"Configuring the DHCP Server On-Demand Address Pool Manager" module
DHCP client configuration
DHCP relay agent configuration
AAA and RADIUS configuration tasks
Cisco IOS Security Configuration Guide
AAA and RADIUS commands: complete command syntax, command mode, defaults, usage guidelines, and examples
Standards
MIBs
RFCs
RFC  Title
—  No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Technical Assistance
Feature Information for DHCP Services for Accounting and Security
Table 2 lists the features in this module and provides links to specific configuration information.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 2 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.
Table 2 Feature Information for DHCP Services for Accounting and Security
Feature Name  Releases  Feature Configuration Information
DHCP Per Interface Lease Limit and Statistics
Cisco IOS XE Release 2.1
This feature limits the number of DHCP leases offered to DHCP clients on an interface. DHCP server statistics reporting was enhanced to display interface-level statistics.
The following sections provide information about this feature:
• Configuring a DHCP Lease Limit to Control the Number of Subscribers on an Interface
• Configuring a DHCP Lease Limit: Examples
The following commands were introduced or modified by this feature: ip dhcp limit lease, ip dhcp limit lease log, clear ip dhcp limit lease, show ip dhcp limit lease, and show ip dhcp server statistics.
DHCP Accounting
Cisco IOS XE Release 2.1
DHCP accounting introduces AAA and RADIUS support for DHCP configuration.
The following sections provide information about this feature:
• DHCP Services for Security and Accounting Overview
The following command was introduced by this feature: accounting.
DHCP Secured IP Address Assignment
Cisco IOS XE Release 2.3
DHCP secure IP address assignment provides the capability to secure ARP table entries to DHCP leases in the DHCP database. This feature secures and synchronizes the MAC address of the client to the DHCP binding, preventing unauthorized clients or hackers from spoofing an authorized client's address and taking over its DHCP lease.
The following sections provide information about this feature:
• DHCP Services for Security and Accounting Overview
• Securing ARP Table Entries to DHCP Leases
The following command was introduced by this feature: update arp.
The following command was modified by this feature: show ip dhcp server statistics.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2005-2009 Cisco Systems, Inc. All rights reserved.