Authentication and Accounting of IPv6 Subscribers Using the DHCPv6 Local Server Overview

You can use the DHCPv6 local server to perform authentication and accounting of IPv6 subscribers that are directly connected using Ethernet VLAN links to the router. For PPP subscribers, authentication and accounting operations are performed by the underlying PPP module; the DHCPv6 local server only delegates IPv6 prefixes to requesting clients. IPv6 subscribers that are connected over PPP links and IPv6 subscribers that are connected over Ethernet and VLAN interfaces can coexist on a virtual router when you configure the DHCPv6 local server for standalone mode with AAA authentication.

For PPP subscribers, the PPP module authenticates users during the establishment of the PPP session and sends the authentication token to the DHCPv6 local server for allocation of IPv6 prefixes. For IPv6 subscribers, the DHCPv6 local server performs the AAA authentication of clients that are logging in. Prefix delegation for IPv6 subscribers occurs only if the prefix is configured on the interface or if the interface address matches any of the prefix ranges configured in the IPv6 local address pool on the router. When you configure standalone mode with AAA authentication for the DHCPv6 local server, delegation of prefixes is performed based on the Access-Accept and Access-Reject messages the AAA server sends in response to the client authentication request.

The DHCPv6 local server enables you to optionally configure AAA-based authentication of standalone mode DHCPv6 clients. By default, clients are not authenticated in standalone mode. Typically, an incoming DHCPv6 client does not provide a username; therefore, the DHCPv6 local server constructs a username based on the user’s attachment parameters and optional DHCP parameters. AAA uses the constructed username to authenticate the incoming client and create the AAA subscriber record for the client. The information in the AAA subscriber record is then used to determine the IP address pool from which to assign the address for the DHCP client.

You can include the following parameters in the username:

The complete format of the username is as follows:

user-prefix.circuit-type.circuit-identifier@domain

The elements of the username are defined as follows:

You can construct the username by using only the user-prefix attribute, using a combination of the user-prefix and domain attributes, or using other optional attributes that are specified. If you remove the domain configuration, the '@' character is removed from the username. The username is valid only when the nondomain portion consists of at least one character, either using the configuration of a non-null user-prefix or using the inclusion of at least one optional username parameter.
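The construction and validity rules above can be modeled as follows. This is an added example, not code from the router or its documentation; the function name, the sample element values, and the choice to skip an unconfigured element together with its "." separator are assumptions.

```python
def build_username(user_prefix="", circuit_type="",
                   circuit_identifier="", domain=""):
    """Build user-prefix.circuit-type.circuit-identifier@domain.

    Hypothetical helper: models the rules stated in the text, not the
    router's implementation.
    """
    # Assumption: an element that is not configured is left out together
    # with its "." separator, so no empty fields appear in the result.
    configured = [e for e in (user_prefix, circuit_type, circuit_identifier) if e]
    nondomain = ".".join(configured)

    # The username is valid only when the nondomain portion has at least
    # one character (a non-null user-prefix or one optional element).
    if not nondomain:
        raise ValueError("nondomain portion of the username is empty")

    # With no domain configured, the '@' character is dropped as well.
    return f"{nondomain}@{domain}" if domain else nondomain


def describe(configs):
    """Return the resulting username, or None if invalid, for each config."""
    results = []
    for cfg in configs:
        try:
            results.append(build_username(**cfg))
        except ValueError:
            results.append(None)
    return results


# Constructed sample configurations (values are illustrative only).
SAMPLES = [
    {"user_prefix": "sub", "circuit_type": "eth",
     "circuit_identifier": "3-0-100", "domain": "example.net"},
    {"user_prefix": "sub"},                          # user-prefix only
    {"user_prefix": "sub", "domain": "example.net"}, # prefix and domain
    {"domain": "example.net"},                       # invalid: domain only
]

if __name__ == "__main__":
    for cfg, name in zip(SAMPLES, describe(SAMPLES)):
        print(cfg, "->", name)
```

Because the username is derived from attachment parameters rather than supplied by the client, AAA policy that keys on it should treat a domain-only or empty result as a configuration error, which is what the `None` case represents here.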

The authentication process starts before the Advertise message is sent from the DHCPv6 local server to the client. If the authentication of the subscriber is successful, the DHCPv6 local server sends the Advertise packet to the client in response to DHCPv6 Solicit messages that are received from the client. When the authentication request is sent to the AAA server, the DHCPv6 local server includes the constructed username, password, interface ID, authentication type, and the interface on which the request was received from the user. The AAA server uses this information during authentication and accounting updates. The authentication and accounting attributes that are sent to the RADIUS server are based on RADIUS attributes configured for inclusion in RADIUS messages using the radius include command.

This mode of operation for the DHCPv6 local server is called standalone mode with AAA authentication. The default mode of operation for the DHCPv6 local server is standalone mode without AAA authentication that interoperates with the existing capabilities of PPP and non-PPP subscribers.

Accounting for IPv6 Subscribers with DHCPv6 Local Server Standalone Mode

The PPP application handles the transmission of accounting information to the AAA server. The DHCPv6 local server uses the authentication token that the AAA server generates while authenticating the IPv6 user to send the interim accounting updates to the AAA server. The starting and termination of accounting are performed during the authentication phase based on the receipt of the DHCP release packets from clients or the lease expiration of the assigned address.

The Acct-Start message is sent to the RADIUS server after the AAA server receives the message about successful authentication. You can use the aaa service accounting interval command to specify the default service interim accounting interval. Service Manager uses this interval value for service accounting when the Service-Interim-Acct-Interval attribute is not configured. Based on the configured interval, the DHCPv6 local server generates interim accounting information. The Acct-Stop message is sent to the RADIUS server when a client binding is removed. The accounting functionality of the DHCPv6 local server is similar to the accounting operations of the DHCPv4 local server.
