Technical Documentation
New
Propagation of LAG Subscriber Information to AAA and RADIUS
The RADIUS application sends the link aggregation group (LAG) interface ID to the RADIUS server when the subscriber is connected over LAG in DHCP standalone authenticate mode. In DHCP standalone authenticate mode, the DHCP local server enables you to configure AAA-based authentication of standalone mode DHCP clients. In addition to providing increased security, AAA authentication also provides RADIUS-based input to IP address pool selection for standalone mode clients. The RADIUS applications use the LAG interface ID to create the Acct-Session-Id, Nas-Port-Type, Nas-Port-Id, Nas-Port, and Calling-Station-Id attributes and send them to the RADIUS server in the Access-Request, Acct-Start, and Acct-Stop messages.
The RADIUS client uses one of the following LAG interface ID formats:
lag lag-name [.subinterface [:vlan]]
or
lag lag-name [.subinterface [:svlan-vlan]]
where:
- lag-name—Name of the LAG bundle
- subinterface—Number of the LAG subinterface, in the range 1–2147483647
- vlan—VLAN ID number
- svlan-vlan—S-VLAN ID number in the range 0–4095
The RADIUS application sends the LAG interface ID to the RADIUS server only when the subscribers in DHCP standalone authenticate mode are initialized. When other subscribers such as PPP subscribers and DHCP equal-access mode subscribers initialize over a LAG interface, the RADIUS application sends only the name of the first Ethernet interface in the LAG bundle, and not the LAG interface ID. In this case, the Ethernet interface ID is displayed in the output of the show subscribers interface command.
The RADIUS client application creates the following RADIUS attributes based on the LAG interface ID:
[44] Acct-Session-Id—When you issue the radius acct-session-id-format description command, the RADIUS client uses the generic format: erx <interface type> <interface identifier>: <hex number> with the LAG interface ID as the interface identifier.
[61] Nas-Port-Type— When you issue the radius ethernet-port-type command from Global Configuration mode or the nas-port-type ethernet command from AAA Profile Configuration mode, RADIUS calculates the value of the Nas-Port-Type attribute. If you use neither of these commands, RADIUS uses the default [15] Nas-Port-Ethernet value for this attribute.
[5] Nas-Port— RADIUS derives a unique value from the subscriber’s profileHandle and uses the value for the Nas-Port attribute. The radius nas-port-format, radius vlan nas-port-format stacked, and radius pppoe nas-port-format commands do not affect the value of the Nas-Port attribute.
[87] Nas-Port-Id— The radius override nas-port-id remote-circuit-id command configures RADIUS to use the PPPoE remote circuit ID for the Nas-Port-Id attribute. By default, RADIUS uses the LAG interface ID for the Nas-Port-Id attribute. Use the aaa intf-desc-format include sub-intf disable command to exclude the subinterface and S-VLAN ID in the LAG interface ID. By default, the subinterface and S-VLAN ID are included in the LAG interface ID.
[31] Calling-Station-Id—The radius override calling-station-id remote-circuit-id command enables RADIUS to use the PPPoE remote circuit ID for the Calling-Station-Id attribute. By default, RADIUS uses a delimited format for the interface description. The radius calling-station-format command does not affect the value of the Calling-Station-Id attribute.
For example, a subscriber with the default AAA or RADIUS configuration who is connected over a LAG interface lag1, with subinterface-1, VLAN ID 10, S-VLAN ID 1, and router named asterix uses the following values for RADIUS attributes in RADIUS authentication and accounting messages:
Table 1: RADIUS Attributes Specifying LAG Interface
Field Name | Field Description |
|---|---|
Acct-Session-Id | erx lag lag1.1:1-10:0001048620 |
Nas-Port-Type | 15 |
Nas-Port | 2148532268 |
Nas-Port-Id | lag lag1.1:1-10 |
Calling-Station-Id | #asterix#lag1#10 |
