09-10-2009 03:39 AM - edited 03-01-2019 02:14 PM
Problem related to issuing Prefix Delegations to Customer CPEs via RADIUS. The following document "http://www.cisco.com/en/US/products/ps6553/products_data_sheet09186a008011b68d.html" states "The provider edge receives the DHCPv6 REQUEST message and issues a RADIUS request for the user ("user1-dhcpv6")."
Can you please provide the default password that should be used on this user account, as the authentication fails with an incorrect password from the RADIUS Server?
09-13-2009 04:14 AM
Hello Derek,
I think that is just an example user.
You are not tied to using this user1.
Above in the document it says:
>>From the username contained in the PPP negotiation, a RADIUS request is sent to the service provider RADIUS server. If the username/password pair is validated, the result of this request returns a /64 prefix to the provider edge router. This prefix is then included in the router advertisement messages sent on the link connected to the CPE. The corresponding /64 prefix route is injected into the service provider routing system.
This means that the username and password used by the CPE during PPP authentication have to be defined in the Radius server.
An example of configuration for ipv6 prefix delegation is reported in the document and it is:
Auth-Type = Local, Password = "foo"
User-Service-Type = Framed-User,
Framed-Protocol = PPP,
cisco-avpair = "ipv6:prefix#1=2001:db8:1:1::/64",
Another aspect is the authentication of communication between the PE/NAS node and the radius server.
This can be configured with other commands.
Hope to help
Giuseppe
09-13-2009 11:35 AM
Hi Giuseppe
Thank you for the reply. I understand the documentation, and that you can use any username you wish; I just quoted the documentation. If, for example, I have a username called "joe" and a password of "abc", when this username is authenticated against the radius server all is fine. When the username of "joe-dhcpv6" is authenticated, what password is used? I have tried user password of "abc" and any other I could think of, including "cisco", the enable password and even the radius shared key password, all without success.
Any ideas?
Derek
09-13-2009 12:44 PM
Hello Derek,
If your user is "joe" then the cisco AV attributes for ipv6 prefix-delegation have to be under the "joe" profile in Radius.
The router has to pass username="joe", password="abc".
The Radius, in answering the authentication request, also provides the AV pair of the ipv6 prefix.
Documentation may be misleading, but
username="joe-dhcpv6" makes Radius look for a user with that name, and so you get a failure in AAA authentication.
Another possibility is that the Radius you are using is not aware of the feature IPV6 prefix delegation and treats the modified username in the way I've described above.
Edit:
As mentioned in the document, the Radius server should implement
http://www.faqs.org/rfcs/rfc3162.html
Hope to help
Giuseppe
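
The lookup behaviour described in the reply above, as an added example that is not part of the thread or of the Cisco document: it parses a users-file entry in the style quoted earlier, extracts the `ipv6:prefix` AV pair, and shows that a request for "joe-dhcpv6" finds no profile when only "joe" is defined. The sample entries, the layout with the username on the first unindented line, and literal username matching are assumptions.

```python
import ipaddress
import re

# Constructed sample in the users-file style quoted in the thread.
# The users, passwords and prefix are illustrative, not from a real deployment.
SAMPLE_USERS = '''\
joe  Auth-Type = Local, Password = "abc"
     User-Service-Type = Framed-User,
     Framed-Protocol = PPP,
     cisco-avpair = "ipv6:prefix#1=2001:db8:1:1::/64"

ann  Auth-Type = Local, Password = "xyz"
     Framed-Protocol = PPP
'''

# Matches the AV pair form shown in the thread: ipv6:prefix#<n>=<prefix>
AVPAIR_RE = re.compile(r'cisco-avpair\s*=\s*"ipv6:prefix#\d+=([^"]+)"', re.I)


def parse_profiles(text):
    """Map each username to the list of IPv6 prefixes in its profile."""
    profiles, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():      # unindented line starts a new user entry
            current = line.split()[0]
            profiles[current] = []
        elif current is not None:
            for raw in AVPAIR_RE.findall(line):
                # strict=True rejects a prefix that has host bits set
                profiles[current].append(ipaddress.IPv6Network(raw, strict=True))
    return profiles


def lookup_prefixes(profiles, username):
    """Return the prefixes for the exact username, or None if no profile exists."""
    # Assumption: the server matches the request username literally,
    # so "joe-dhcpv6" does not fall back to the "joe" profile.
    return profiles.get(username)


if __name__ == "__main__":
    profiles = parse_profiles(SAMPLE_USERS)
    for name in ("joe", "joe-dhcpv6", "ann"):
        print(name, "->", lookup_prefixes(profiles, name))
```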