Table Of Contents
Prerequisites for DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon
Restrictions for DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon
Information About DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon
ISA Automatic Subscriber Logon
Authorization Based on Option 60 and Option 82
DHCP Option 82 with VPN-ID Suboption
How to Configure DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon
Configuring an ISG Control Policy Using Option 60 and Option 82
Configuring an ISG Control Policy Using NAS-Port-ID
Configuring NAS-Port-ID to Include Option 60 and Option 82
ISG: Authentication: DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon
First Published: October 20, 2008Last Updated: October 20, 2008The ISG: Authentication: DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon feature enables service providers to provision triple-play services to households by supporting transparent automatic logon (TAL) through Dynamic Host Configuration Protocol (DHCP) option 60 and option 82, and wholesale IP sessions through virtual private network (VPN) ID extension to option 82.
The feature is platform-independent and is supported on Cisco 7600 routers as well as on Cisco 7200 routers and Cisco 7301 routers.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for ISG: Authentication: DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon
•
•
Prerequisites for DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon
For vendor-class ID (option 60) to be used for authorization, the vendor-class ID must be inserted by the customer appliance (that is, the PC, phone, or set-top box) in the DHCP option 60 information.
For provisioning of wholesale IP sessions, the VPN-ID must be inserted in the DHCP option 82 information along with the circuit ID and the remote ID.
Restrictions for DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon
RADIUS proxy users are not supported by this feature.
Information About DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon
To configure an Intelligent Services Gateway (ISG) policy for TAL, you should understand the following concepts:
•
•
•
ISA Automatic Subscriber Logon
TAL enables a specified identifier to be used in place of the username in authorization requests. Enabling the Authentication, Authorization, and Accounting (AAA) server to authorize subscribers on the basis of a specified identifier allows subscriber profiles to be downloaded from the AAA server as soon as packets are received from subscribers.
Session start is the event that triggers TAL. For DHCP-initiated IP sessions, session start occurs when a DHCP DISCOVER request is received.
Authorization Based on Option 60 and Option 82
The circuit ID and remote ID fields (option 82) are part of the DHCP relay agent information option. A digital subscriber line access multiplexer (DSLAM) inserts the option 82 fields into DHCP messages; the customer appliance inserts the option 60 fields.
You can configure an Integrated Services Gateway (ISG) policy to use the circuit ID, remote ID, or vendor class ID, or a combination of the three, as the username in authorization requests. Alternatively, you can configure an ISG policy to use NAS-Port-ID as the identifier for authorization. When you use the NAS-Port-ID as the identifier, you can configure it to include a combination of circuit ID, remote ID, and vendor-class ID.
By default, the ISG uses the circuit ID and remote ID that are provided by the Layer 2 edge-access device for authorization. The configuration of the ip dhcp relay information option command determines whether the ISG uses the option 82 information received, generates its own, or (when the encapsulate keyword is specified) encapsulates a prior option 82 along with its own option 82. For more information, see the "Configuring the Cisco IOS DHCP Relay Agent" section of the Cisco IOS IP Addressing Services Configuration Guide.
If NAS-Port is not configured to include option 60 and option 82, the NAS-Port-ID will be populated with the ISG interface that received the DHCP relay agent information packet; for example, Ethernet1/0.
DHCP Option 82 with VPN-ID Suboption
In order to support wholesale services for IP sessions, the VPN-ID, together with the circuit ID and the remote ID, must be specified in authorization requests. The DHCP option 60 and option 82 with VPN-ID Support for Transparent Automatic Logon feature enables you to include two sets of option 82 information in a single message so that devices within a household can be differentiated:
•
•
The DHCP server processes the option 82 information, forwarded by the relay, with the VPN-ID, remote ID, circuit ID, and option 60 information to allocate an address.
How to Configure DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon
You can configure an ISG policy for TAL using either a username or the NAS-Port-ID for authorization.
This section contains the following tasks
•
•
•
Configuring an ISG Control Policy Using Option 60 and Option 82
Perform this task to configure an ISG control policy that initiates subscriber authorization and inserts a specified identifier into the username field of the authorization request.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
policy-map type control policy-map-name
Example:Router(config)# policy-map type control TAL
Creates or modifies a control policy map, which is used to define a control policy.
Step 4
class type control {class-map-name | always} event session-start
Example:Router(config-control-policymap)# class type control TAL-subscribers event session-start
Specifies a control class, which defines the conditions that must be met in order for an associated set of actions to be executed.
•
Step 5
action-number authorize [aaa list {list-name | default}] [password password] identifier {auto-detect | circuit-id [plus remote-id] | [plus vendor-class-id] | mac-address | source-ip-address | remote-id [plus circuit-id] | [plus vendor-class-id] | vendor-class-id [plus remote-id] [plus circuit-id]}
Example:Router(config-control-policymap-class-control)# 1 authorize aaa list TAL_LIST password cisco identifier source-ip-address vendor-class-id plus circuit-id plus remote-id
Inserts the specified identifier into the username field of authorization requests.
•
•
Configuring an ISG Control Policy Using NAS-Port-ID
Perform this task to configure an ISG control policy that uses NAS-Port-ID in the authorization request.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
policy-map type control policy-map-name
Example:Router(config)# policy-map type control TAL
Creates or modifies a control policy map, which is used to define a control policy.
Step 4
class type control {class-map-name | always} event session-start
Example:Router(config-control-policymap)# class type control TAL-subscribers event session-start
Specifies a control class, which defines the conditions that must be met in order for an associated set of actions to be executed.
•
Step 5
action-number authorize [aaa list {list-name | default}] [password password] identifier {auto-detect | circuit-id [plus remote-id]| mac-address | nas-port-id | remote-id [plus circuit-id] | [plus vendor-class-id] | vendor-class-id [plus remote-id] [plus circuit-id]}
Example:Router(config-control-policymap-class-control)# 1 authorize aaa list TAL_LIST password cisco identifier nas-port
Inserts the specified identifier into the username field of authorization requests.
•
•
Configuring NAS-Port-ID to Include Option 60 and Option 82
Perform this task to configure NAS-Port-ID to include option 60 and option 82.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Configuration Examples for DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon
The following example uses the radius-server attribute nas-port-id include command to configure option 60 and option 82 authorization using circuit ID, remote ID, and vendor-class ID:
interface Ethernet0/0service-policy type control RULEAinterface Ethernet1/0service-policy type control RULEBclass-map type control match-all CONDAmatch source-ip-address 10.1.1.0 255.255.255.0!class-map type control match-all CONDBmatch vendor-class-id vendor1!policy-map type control RULEAclass type control CONDA event session-start1 authorize aaa list TAL_LIST password cisco identifier vendor-class-id!policy-map type control RULEBclass type control CONDB event session-start1 authorize aaa list TAL_LIST password cisco identifier nas-port!radius-server attribute nas-port-id include circuit-id plus remote-id plus vendor-class-id separator #Additional References
The following sections provide references related to the DHCP option 60 and option 82 with VPN-ID Support for Transparent Automatic Logon feature.
Related Documents
Configuring ISG policies for automatic subscriber logon
"Configuring ISG Policies for Automatic Subscriber Logon" section of the Cisco IOS Intelligent Services Gateway Configuration Guide.
Configuring a DHCP relay agent
"Configuring the Cisco IOS DHCP Relay Agent" section of Configuring the Cisco IOS DHCP Relay Agent.
Standards
MIBs
•
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Intelligent Services Gateway Command Reference at http://www.cisco.com/en/US/docs/ios/isg/command/reference/
isg_book.html. For information about all Cisco IOS commands, use the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or the Cisco IOS Master Command List, All Releases, at http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html.•
Feature Information for ISG: Authentication: DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS, Catalyst OS, and Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
CCDE, CCSI, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0903R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2008 Cisco Systems, Inc. All rights reserved.
Guest
