Propagation of LAG Subscriber Information to AAA and RADIUS

The RADIUS application sends the link aggregation group (LAG) interface ID to the RADIUS server when the subscriber is connected over LAG in DHCP standalone authenticate mode. In DHCP standalone authenticate mode, the DHCP local server enables you to configure AAA-based authentication of standalone mode DHCP clients. In addition to providing increased security, AAA authentication also provides RADIUS-based input to IP address pool selection for standalone mode clients. The RADIUS application uses the LAG interface ID to create the Acct-Session-Id, Nas-Port-Type, Nas-Port-Id, Nas-Port, and Calling-Station-Id attributes and sends them to the RADIUS server in the Access-Request, Acct-Start, and Acct-Stop messages.

The RADIUS client uses one of the following LAG interface ID formats:

lag lag-name [.subinterface [:vlan]]

or

lag lag-name [.subinterface [:svlan-vlan]]

where:

The RADIUS application sends the LAG interface ID to the RADIUS server for all types of subscribers, such as PPP or DHCP subscribers. In this case, the LAG interface ID is displayed in the output of the show subscribers interface command.

The RADIUS client application creates the following RADIUS attributes based on the LAG interface ID:

[44] Acct-Session-Id—When you issue the radius acct-session-id-format description command, the RADIUS client uses the generic format: erx <interface type> <interface identifier>: <hex number> with the LAG interface ID as the interface identifier.

[61] Nas-Port-Type—When you issue the radius ethernet-port-type command from Global Configuration mode or the nas-port-type ethernet command from AAA Profile Configuration mode, RADIUS calculates the value of the Nas-Port-Type attribute. If you use neither of these commands, RADIUS uses the default [15] Nas-Port-Ethernet value for this attribute.

[5] Nas-Port—RADIUS derives a unique value from the subscriber’s profileHandle and uses the value for the Nas-Port attribute. The radius nas-port-format, radius vlan nas-port-format stacked, and radius pppoe nas-port-format commands do not affect the value of the Nas-Port attribute.

[87] Nas-Port-Id—The radius override nas-port-id remote-circuit-id command configures RADIUS to use the PPPoE remote circuit ID for the Nas-Port-Id attribute. By default, RADIUS uses the LAG interface ID for the Nas-Port-Id attribute. Use the aaa intf-desc-format include sub-intf disable command to exclude the subinterface and S-VLAN ID from the LAG interface ID. By default, the subinterface and S-VLAN ID are included in the LAG interface ID.

[31] Calling-Station-Id—The radius override calling-station-id remote-circuit-id command enables RADIUS to use the PPPoE remote circuit ID for the Calling-Station-Id attribute. By default, RADIUS uses a delimited format for the interface description. The radius calling-station-format command does not affect the value of the Calling-Station-Id attribute.

For example, a subscriber with the default AAA or RADIUS configuration who is connected over LAG interface lag1, with subinterface 1, VLAN ID 10, S-VLAN ID 1, and a router named asterix, uses the following values for RADIUS attributes in RADIUS authentication and accounting messages:

Table 16: RADIUS Attributes Specifying LAG Interface

Field Name            Field Description
Acct-Session-Id       erx lag lag1.1:1-10:0001048620
Nas-Port-Type         15
Nas-Port              2148532268
Nas-Port-Id           lag lag1.1:1-10
Calling-Station-Id    #asterix#lag1#10
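The following Python sketch is an added example, not part of the original documentation or of any vendor tool. It parses the default LAG-derived attribute values, as an AAA or SOC engineer might when correlating accounting records to an attachment point, and flags records whose attributes disagree. The function names are hypothetical, the `#router#lag-name#vlan` field order of Calling-Station-Id is an assumption inferred from the Table 16 example, and the sample record reuses the Table 16 values.

```python
import re

# Grammar from the page: lag lag-name [.subinterface [:vlan]] or [:svlan-vlan]
LAG_ID = re.compile(r"^lag (?P<name>[^\s.:#]+)"
                    r"(?:\.(?P<subif>\d+)(?::(?:(?P<svlan>\d+)-)?(?P<vlan>\d+))?)?$")

def parse_lag_id(text):
    """Split a LAG interface ID (the default Nas-Port-Id value) into its parts."""
    m = LAG_ID.match(text)
    if m is None:
        raise ValueError(f"not a LAG interface ID: {text!r}")
    return {k: (v if k == "name" or v is None else int(v))
            for k, v in m.groupdict().items()}

def parse_acct_session_id(text):
    """Parse the description format 'erx <type> <identifier>:<hex number>'."""
    head, sep, number = text.rpartition(":")
    if not (sep and head.startswith("erx ") and re.fullmatch(r"\s*[0-9A-Fa-f]+", number)):
        raise ValueError(f"not a description-format Acct-Session-Id: {text!r}")
    return parse_lag_id(head[4:]), number.strip()

def parse_calling_station_id(text):
    """ASSUMPTION: '#router#lag-name#vlan' field order, inferred from Table 16."""
    parts = text.split("#")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError(f"unexpected Calling-Station-Id: {text!r}")
    return {"router": parts[1], "name": parts[2], "vlan": int(parts[3])}

def check_record(attrs):
    """Return a list of inconsistencies between the LAG-derived attributes."""
    problems = []
    try:
        port = parse_lag_id(attrs["Nas-Port-Id"])
        session_port, _ = parse_acct_session_id(attrs["Acct-Session-Id"])
        station = parse_calling_station_id(attrs["Calling-Station-Id"])
    except (KeyError, ValueError) as exc:
        return [f"unparseable: {exc}"]
    if session_port != port:
        problems.append("Acct-Session-Id interface differs from Nas-Port-Id")
    if (station["name"], station["vlan"]) != (port["name"], port["vlan"]):
        problems.append("Calling-Station-Id LAG/VLAN differs from Nas-Port-Id")
    return problems

# Values from Table 16 (router asterix, lag1, subinterface 1, S-VLAN 1, VLAN 10)
SAMPLE = {"Acct-Session-Id": "erx lag lag1.1:1-10:0001048620",
          "Nas-Port-Id": "lag lag1.1:1-10",
          "Calling-Station-Id": "#asterix#lag1#10"}

print(check_record(SAMPLE))
```

A record whose Nas-Port-Id or Calling-Station-Id was overridden with the PPPoE remote circuit ID is reported as unparseable rather than as a mismatch, so such records can be triaged separately.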
