The following IPv6 attributes for RADIUS attribute-value (AV) pairs are supported for virtual access:
The Framed-Interface-Id attribute indicates the IPv6 interface identifier to be configured. This per-user attribute is used
during the IPv6CP negotiations and may be used in access-accept packets. If the Interface-Identifier IPv6CP option has been
successfully negotiated, this attribute must be included in an Acc-0Request packet as a hint by the NAS to the server that
it would prefer that value.
The Framed-IPv6-Pool attribute is a per-user attribute that contains the name of an assigned pool that should be used to assign
an IPv6 prefix for the user. This pool should either be defined locally on the router or defined on a RADIUS server from which
pools can be downloaded.
The Framed-IPv6-Prefix attribute performs the same function as the Cisco VSA--it is used for virtual access only and indicates
an IPv6 prefix (and corresponding route) to be configured. This attribute is a per-user attribute and lets the user specify
which prefixes to advertise in Neighbor Discovery Router Advertisement messages. The Framed-IPv6-Prefix attribute may be used
in access-accept packets and can appear multiple times. The NAS will create a corresponding route for the prefix.
To use this attribute for DHCP for IPv6 prefix delegation, create a profile for the same user on the RADIUS server. The username
associated with the second profile has the suffix "-dhcpv6."
The Framed-IPv6-Prefix attribute in the two profiles is treated differently. If a NAS needs both to send a prefix in router
advertisements (RAs) and delegate a prefix to a remote user’s network, the prefix for RA is placed in the Framed-IPv6-Prefix
attribute in the user’s regular profile, and the prefix used for prefix delegation is placed in the attribute in the user’s
The Framed-IPv6-Route attribute performs the same function as the Cisco VSA: It is a per-user attribute that provides routing
information to be configured for the user on the NAS. This attribute is a string attribute and is specified using the ipv6 route command.
You can specify a complete IPv6 access list. The unique name of the access list is generated automatically. The access list
is removed when its user logs out. The previous access list on the interface is reapplied.
The inacl and outacl attributes allow you to a specific existing access list configured on the router. The following example
shows ACL number 1 specified as the access list:
cisco-avpair = "ipv6:inacl#1=permit 2001:DB8:cc00:1::/48",
cisco-avpair = "ipv6:outacl#1=deny 2001:DB8::/10",
For RADIUS authentication, the IPv6 Pool attribute extends the IPv4 address pool attributed to support the IPv6 protocol.
It specifies the name of a local pool on the NAS from which to get the prefix and is used whenever the service is configured
as PPP and whenever the protocol is specified as IPv6. Note that the address pool works in conjunction with local pooling.
It specifies the name of the local pool that has been preconfigured on the NAS.
The IPv6 Prefix# attribute lets you indicate which prefixes to advertise in Neighbor Discovery Router Advertisement messages.
When the IPv6 Prefix# attribute is used, a corresponding route (marked as a per-user static route) is installed in the routing
information base (RIB) tables for the given prefix.
cisco-avpair = "ipv6:prefix#1=2001:DB8::/64",
cisco-avpair = "ipv6:prefix#2=2001:DB8::/64",
The IPv6 route attribute allows you to specify a per-user static route. A static route is appropriate when the Cisco IOS software
cannot dynamically build a route to the destination. See the description of the ipv6 route command for more information about building static routes.
The following example shows the IPv6 route attribute used to define a static route:
cisco-avpair = "ipv6:route#1=2001:DB8:cc00:1::/48",
cisco-avpair = "ipv6:route#2=2001:DB8:cc00:2::/48",
The Login-IPv6-Host attribute is a per-user attribute that indicates the IPv6 system with which to connect the user when the
Login-Service attribute is included.