DHCP RADIUS Proxy for ISG

The DHCP RADIUS Proxy for ISG feature supports downloading DHCP parameters from RADIUS and using these parameters to configure the DHCP client.

Information About DHCP RADIUS Proxy for ISG

DHCP RADIUS Proxy for ISG

When ISG is in the path of DHCP requests, ISG can influence the IP address pool and DHCP servers that are used to assign subscriber IP addresses. This is achieved by configuring a DHCP address pool. As a result, on a per-request basis, an IP address is either provided by the local DHCP server or the request is relayed to a remote DHCP server that is defined in the selected pool.

The DHCP RADIUS Proxy with ISG feature enables downloading DHCP parameters such as the IPv4 address, mask, lease time, and so on from RADIUS as part of the Access-Accept message. The feature supports allocating client IP addresses using either parameters that are downloaded from RADIUS or a locally configured pool.


Note: If a static IP address is provided by RADIUS, it must be used to configure the client. If a static IP address is not provided, the IP address is allocated dynamically using the locally configured pool or using relay.


DHCP RADIUS Proxy for ISG Topology

Figure 1. DHCP RADIUS Proxy for ISG Topology

In the above figure:

  • End user sends DHCP-Discover message to ISG.

  • To initiate a session based on DHCP, ISG sends an Access-Request to RADIUS.

  • RADIUS answers with Access-Accept and sends static IP address (RADIUS Attribute 8 Framed-IP-Address) and other parameters like lease time, gateway, and so on.

  • ISG receives this Accept message, parses the address, adds DHCP binding for this subscriber, and sends DHCP Offer with proposed IP address and other DHCP parameters (Lease Time and Gateway).

  • ISG starts the new subscriber session.

Prerequisites for DHCP RADIUS Proxy for ISG

  • The downloaded IP address must conform to the following:

    • The downloaded IP address subnet mask must be part of an address-pool.

    • The client interface must be on the same subnet as the downloaded IP address in the non-VRF case.

  • The IP addresses that are provided by RADIUS must be part of the configured range of excluded addresses, so as to prevent dynamic DHCP from allocating the same IP address, and vice versa.

  • All parameters provided by RADIUS must override the same options present in the locally configured pool on the interface.

Restrictions for DHCP RADIUS Proxy for ISG

  • VRF transfer with DHCP Radius Proxy is not supported. VRF transfer in ISG is achieved using ISG service login. Per-user DHCP data like IP Address, Subnet Mask, Lease-time, Gateway, and so on cannot be defined or passed using service definition.

  • Service is global and can be applied to multiple customers.

  • Only Layer 2-connected DHCP sessions are supported.

  • Dual stack sessions are not supported.

How to Configure DHCP RADIUS Proxy for ISG

Configuring DHCP RADIUS Proxy

The following RADIUS parameters can be downloaded to trigger DHCP Radius Proxy feature:

Cleartext-Password := "cisco"
               Service-Type = Framed-User,
               Framed-IP-Address = 10.0.0.3,
               Framed-IP-Netmask = 255.255.0.0,
               Framed-Route += "192.0.2.1 255.255.255.0 203.0.113.1",
               Cisco-AVPair += "ip:lease-duration=600",
               Cisco-AVPair += "ip:default-ipv4-gateway=10.0.0.1",
               Cisco-AVPair += "ip:primary-dns=10.40.0.1",
               Cisco-AVPair += "ip:secondary-dns=10.0.0.2",
               Cisco-AVPair += "ip:vrf-id=RED",
               Cisco-AVPair += "subscriber:classname=dhcp-red-class",
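
The prerequisites listed earlier can be checked before a static address is provisioned in RADIUS. The following is an added example, not Cisco code: it parses reply items written in the attribute syntax shown above and tests the downloaded address against a pool network, excluded ranges, and a client interface address, all of which are hypothetical inputs standing in for the local DHCP configuration.

```python
import ipaddress
import re

# Constructed sample reply items, in the attribute syntax shown on this page
# (non-VRF case, so no ip:vrf-id pair).
SAMPLE_REPLY = '''
    Service-Type = Framed-User,
    Framed-IP-Address = 10.0.0.3,
    Framed-IP-Netmask = 255.255.0.0,
    Cisco-AVPair += "ip:lease-duration=600",
    Cisco-AVPair += "ip:default-ipv4-gateway=10.0.0.1"
'''
ITEM = re.compile(r'\s*([\w-]+)\s*(?:\+=|:=|=)\s*"?([^",]+)"?\s*,?\s*$')

def parse_reply(text):
    """Map attribute name -> value; Cisco-AVPair items are keyed by their own name."""
    attrs = {}
    for line in text.splitlines():
        m = ITEM.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if name == "Cisco-AVPair" and "=" in value:
            name, value = value.split("=", 1)
        attrs[name] = value
    return attrs

def check_prerequisites(attrs, pool, excluded, client_if):
    """Return the list of prerequisites the downloaded address violates.

    pool, excluded and client_if are hypothetical stand-ins for the locally
    configured pool network, its excluded ranges and the client interface.
    """
    ip = ipaddress.ip_address(attrs["Framed-IP-Address"])
    subnet = ipaddress.ip_network(f"{ip}/{attrs['Framed-IP-Netmask']}", strict=False)
    problems = []
    if not subnet.subnet_of(ipaddress.ip_network(pool)):
        problems.append("subnet-not-in-pool")
    # The same-subnet rule applies only to the non-VRF case.
    if "ip:vrf-id" not in attrs and ipaddress.ip_interface(client_if).network != subnet:
        problems.append("client-interface-subnet-mismatch")
    # A RADIUS-assigned address must sit inside an excluded range.
    if not any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
               for lo, hi in excluded):
        problems.append("address-not-excluded")
    return problems

ATTRS = parse_reply(SAMPLE_REPLY)
print(check_prerequisites(ATTRS, "10.0.0.0/16", [("10.0.0.2", "10.0.0.50")], "10.0.0.1/16"))
```

An empty list means the address satisfies all three checks; an "address-not-excluded" result indicates that dynamic DHCP could hand the same address to another client.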

Verifying RADIUS-Based Policing

Use the following command to determine whether the DHCP IP address is assigned dynamically or through RADIUS Proxy.


Note: The Type field for RADIUS Proxy is ISG if the IP address is obtained from RADIUS. If the IP address is assigned from the local pool, the Type field is Automatic.


Device# show ip dhcp binding
Bindings from VRF pool RED:
IP address      Client-ID/              Lease expiration        Type       State      Interface
                Hardware address/
                User name
10.0.0.3        0100.0000.0000.03       May 21 2017 02:56 AM    ISG        Active     multiservice0

Feature Information for DHCP RADIUS Proxy for ISG

Table 1. Feature Information for DHCP RADIUS Proxy for ISG

Feature Name: DHCP RADIUS Proxy for ISG

Releases: Cisco IOS XE Gibraltar 16.10.1

Feature Information: The DHCP RADIUS Proxy for ISG feature supports downloading DHCP parameters from RADIUS and using these parameters to configure the DHCP client.