Processing DNS Addresses from Microsoft RADIUS VSAs for PPP Clients During IPCP

The RADIUS client, which is a B-RAS router, supports the processing and parsing of Microsoft RADIUS VSAs for the primary and secondary DNS addresses that are returned in the Access-Accept messages from the RADIUS server in an environment that contains PPP clients. The AAA application running on the router, which is the RADIUS client, transmits the DNS addresses to the PPP application in the authentication response message. PPP includes these DNS addresses in the Internet Protocol Control Protocol (IPCP) packets that are negotiated between the PPP client and the router.

The RADIUS client services the Microsoft vendor ID, 311, and does not discard the DNS server addresses that the Microsoft VSAs contain in the Access-Accept messages.

The PPP application uses Link Control Protocol (LCP) negotiations to establish the connection with the subscriber. After the link has been established and optional facilities have been negotiated as needed by LCP between the customer premises equipment (CPE) and the provider edge (PE) device, PPP running on the PE device or the B-RAS server sends Network Control Protocol (NCP) packets to establish and configure the session with the client. When the CPE sends an IPCP negotiation, it negotiates IPv4 addresses, IPv6 addresses, or both.

After the PE device or the router receives an IPCP configuration request from the CPE, which starts the IPCP negotiation process, the B-RAS application running on the router requests a new IPv4 address from the RADIUS server. After successful authentication, the RADIUS server sends the Access-Accept message with all of the supported attributes for all established sessions.

If the Access-Accept message contains the MS-Primary-DNS-Server [311-28] and MS-Secondary-DNS-Server [311-29] RADIUS VSA attributes, which denote the primary and secondary DNS server addresses that can be requested by PPP clients from the B-RAS server during IPCP negotiations, the RADIUS client or the B-RAS server sends the values of the VSAs to the CPE in the IPCP packet that is negotiated.

During IPCPv4 negotiations, if the Access-Accept message contains both the Juniper Networks VSAs related to the DNS addresses (Primary-DNS [26-4] and Secondary-DNS [26-5]) and the Microsoft VSAs related to DNS addresses (MS-Primary-DNS-Server [311-28] and the MS-Secondary-DNS-Server [311-29]), the Juniper Networks VSAs take precedence over the Microsoft VSAs.

During IPCPv6 negotiations, if the Access-Accept message contains both the Juniper Networks VSAs related to the DNS addresses (Ipv6-Primary-DNS [26-47] and Ipv6-Secondary-DNS [26-48]) and the Microsoft VSAs related to DNS addresses (MS-Primary-DNS-Server [311-28] and the MS-Secondary-DNS-Server [311-29]), the Juniper Networks VSAs take precedence over the Microsoft VSAs.

When the capability to validate the Microsoft VSAs for primary and secondary DNS addresses is enabled, the order of precedence of the RADIUS attributes in the Access-Accept messages to be used for IPCP negotiations is as follows:

  1. Juniper Networks VSAs
  2. RADIUS IETF attributes
  3. Microsoft VSAs
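
As an added illustration (not code from Juniper Networks or from this page), the following Python example parses the attribute portion of an Access-Accept message, bounds-checks each attribute and sub-attribute length, and applies the IPCPv4 precedence described above between the Juniper Networks VSAs and the Microsoft VSAs. The Juniper vendor ID 4874, the function names, and the sample addresses are assumptions; the IETF tier is left out because the page does not name the IETF attributes involved.

```python
import ipaddress
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that carries VSAs
MICROSOFT = 311       # vendor ID stated on the page
JUNIPER = 4874        # assumption: vendor ID of the Juniper [26-4]/[26-5] VSAs
# (vendor ID, vendor type) pairs in the page's precedence order for IPCPv4
PRIMARY = [(JUNIPER, 4), (MICROSOFT, 28)]
SECONDARY = [(JUNIPER, 5), (MICROSOFT, 29)]

def parse_vsas(attrs: bytes) -> dict:
    """Walk the attribute TLVs and return {(vendor, vendor_type): value}."""
    vsas, i = {}, 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("attribute length out of bounds")
        body = attrs[i + 2:i + alen]
        i += alen
        if atype != VENDOR_SPECIFIC or len(body) < 4:
            continue  # not a VSA, or too short to hold a vendor ID
        vendor = struct.unpack("!I", body[:4])[0]
        j = 4
        while j + 2 <= len(body):  # vendor-type, vendor-length, value
            vtype, vlen = body[j], body[j + 1]
            if vlen < 2 or j + vlen > len(body):
                break  # malformed sub-attribute: ignore the rest of this VSA
            vsas.setdefault((vendor, vtype), body[j + 2:j + vlen])  # first wins
            j += vlen
    return vsas

def pick_dns(vsas: dict, order: list):
    """Return the first well-formed IPv4 address found in precedence order."""
    for key in order:
        value = vsas.get(key)
        if value is not None and len(value) == 4:
            return str(ipaddress.IPv4Address(value))
    return None

def vsa(vendor: int, vtype: int, addr: str) -> bytes:
    """Build one VSA holding an IPv4 address (used for the constructed sample)."""
    value = ipaddress.IPv4Address(addr).packed
    return bytes([VENDOR_SPECIFIC, 12]) + struct.pack("!I", vendor) + bytes([vtype, 6]) + value

# Constructed sample: Microsoft primary and secondary, Juniper primary only
SAMPLE = (vsa(MICROSOFT, 28, "192.0.2.10") + vsa(MICROSOFT, 29, "192.0.2.11")
          + vsa(JUNIPER, 4, "198.51.100.53"))
```

With the constructed sample, the primary DNS address comes from the Juniper Networks VSA and the secondary falls back to the Microsoft VSA, because no Juniper secondary is present.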
