When a network device dials in to a NAS that is configured for RADIUS authentication, the NAS begins the process of contacting the RADIUS server in preparation for user authentication. Typically, the IP address of the dial-in host is not communicated to the RADIUS server until after successful user authentication. Communicating the device IP address to the server in the RADIUS access request allows other applications to begin to take advantage of that information.
As the NAS is setting up communication with the RADIUS server, the NAS assigns an IP address to the dial-in host from a pool of IP addresses configured at the specific interface. The NAS sends the IP address of the dial-in host to the RADIUS server as attribute 8. At that time, the NAS sends other user information, such as the user name, to the RADIUS server.
After the RADIUS server receives the user information from the NAS, it has two options:
If the user profile on the RADIUS server already includes attribute 8, the RADIUS server can override the IP address sent by the NAS with the IP address defined as attribute 8 in the user profile. The address defined in the user profile is returned to the NAS.
If the user profile does not include attribute 8, the RADIUS server can accept attribute 8 from the NAS, and the same address is returned to the NAS.
The address returned by the RADIUS server is saved in memory on the NAS for the life of the session. If the NAS is configured for RADIUS accounting, the accounting start packet sent to the RADIUS server includes the same IP address as in attribute 8. All subsequent accounting packets, updates (if configured), and stop packets will also include the same IP address provided in attribute 8.
However, the RADIUS attribute 8 (Framed-IP-Address) is not included in the accounting start packets in the following two conditions:
If the user is a dual-stack (IPv4 or IPv6) subscriber.
If the IP address is from a local pool and not from the RADIUS server.
In both these conditions, use the aaa accounting delay-start extended-time delay-value command to delay the Internet Protocol Control Protocol version 6 (IPCPv6) address negotiation using the configured delay value. During the delay, the IPCPv4 address is posted and the framed IPv4 address is added to the accounting start packet.