Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2008
Views
0
Helpful
3
Replies

IPv6 Prefix Delegation vi RADIUS

derekgaff
Level 1
Level 1

‎09-10-2009 03:39 AM - edited ‎03-01-2019 02:14 PM

Problem related to issueing Prefix Delegations to Customer CPE's via RADIUS. The following document "http://www.cisco.com/en/US/products/ps6553/products_data_sheet09186a008011b68d.html" states " The provider edge receives the DHCPv6 REQUEST message and issues a RADIUS request for the user ("user1-dhcpv6")."

Can you please provide the default password that should be used on this useraccount as the authentication fails with an incorrect password from the RADIUS Server.

Labels:
0 Helpful
3 Replies 3

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎09-13-2009 04:14 AM

Hello Derek,

I think that is just an example of user.

You are not tied to use this user1.

Above in the document it says:

>>From the username contained in the PPP negotiation, a RADIUS request is sent to the service provider RADIUS server. If the username/password pair is validated, the result of this request returns a /64 prefix to the provider edge router. This prefix is then included in the router advertisement messages sent on the link connected to the CPE. The corresponding /64 prefix route is injected into the service provider routing system.

This means that the username and password used by the CPE during PPP authentication has to be defined in the Radius server.

An example of configuration for ipv6 prefix delegation is reported in the document and it is:

Auth-Type = Local, Password = "foo"

User-Service-Type = Framed-User,

Framed-Protocol = PPP,

cisco-avpair = "ipv6:prefix#1=2001:db8:1:1::/64",

Another aspect is the authentication of communication between the PE/NAS node and the radius server.

This can be configured with other commands.

Hope to help

Giuseppe

0 Helpful

derekgaff
Level 1
Level 1
In response to Giuseppe Larosa

‎09-13-2009 11:35 AM

Hi Giuseppe

Thank you for the reply, I understand the documentation, and that you can use any username you wish, I just quoted the documentaion. If for example, I have a username called "joe" and a password of "abc" when this username is authenticated against the radius server all is fine, when the username of "joe-dhcpv6" is authenticated what password is used. I have tried user password of "abc" and any other I could think of encluding "cisco", the enable password the even the radius shared key password all without success.

Any ideas.

Derek

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to derekgaff

‎09-13-2009 12:44 PM

Hello Derek,

if your user is "joe" then the cisco AV attributes for ipv6 prefix-delegation has to be under "joe" profile in Radius.

The router has to pass username="joe" , password= "abc".

The Radius in answering to the authentication requests provide also the AV pair of ipv6 prefix.

Documentation may be misleading but

username="joe-dhcpv6" makes radius to look for a user with that name and so you get a failure in AAA authentication.

Another possibility is that the Radius you are using is not aware of the feature IPV6 prefix delegation and treats the modified username in the way I've described above.

Edit:

as mentioned in the document the Radius server should implement

http://www.faqs.org/rfcs/rfc3162.html

Hope to help

Giuseppe

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents