RADIUS Attributes Suboption for the Dynamic Host Configuration Protocol (DHCP)
The RADIUS Attributes suboption enables a network element to pass
identification and authorization attributes received during RADIUS authentication
to a DHCP server. When the DHCP server receives a message from a relay
agent containing a RADIUS Attributes suboption, it extracts the contents of
the suboption and uses that information in selecting configuration parameters
for the client.
1.  Introduction and Background

The RADIUS Attributes suboption for the DHCP Relay Agent option
provides a way in which a NAS can pass attributes obtained from a
RADIUS server to a DHCP server [1]. IEEE 802.1X [2] is an example of
a mechanism through which a NAS such as a switch or a wireless LAN
access point can authenticate the identity of the user of a device
before providing layer 2 network access with RADIUS as the
Authentication Service, as specified in RFC 3580 [8]. In IEEE 802.1X
authenticated access, a device must first exchange some
authentication credentials with the NAS. The NAS then supplies these
credentials to a RADIUS server, which eventually sends either an
Access-Accept or an Access-Reject in response to an Access-Request.
The NAS, based on the reply of the RADIUS server, then allows or
denies network access to the requesting device.

Figure 1 summarizes the message exchange among the participants in
IEEE 802.1X authentication.

        +-----------------+
        |Device requesting|
        | network access  |
        +-----------------+
         |             ^
         |             |
        (1) Request for access
         |             |
         |            (4) Success/Failure
         v             |
        +-----------------+
        |       NAS       |
        |(IEEE 802.1X and |
        |DHCP relay agent)|
        +-----------------+
           |         ^
           |         |
          (2) Request for authentication
           |         |
           |        (3) Access-Accept/Reject
           v         |
        +-----------------+
        |     RADIUS      |
        |     Server      |
        +-----------------+

Figure 1

The access device acts as an IEEE 802.1X Authenticator and adds a
DHCP relay agent option that includes a RADIUS Attributes suboption
to DHCP messages. At the successful conclusion of IEEE 802.1X
authentication, a RADIUS Access-Accept provides attributes for
service authorizations to the NAS. The NAS stores these attributes
locally. When the NAS subsequently relays DHCP messages from the
network device, the NAS adds these attributes in a RADIUS Attributes
suboption. The RADIUS Attributes suboption is another suboption of
the Relay Agent Information option [5].
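
The receiving side of the step described above, as an added example (not part of the original text or of any DHCP server's code): a strict parser that pulls RADIUS attributes out of a Relay Agent Information option payload and rejects malformed lengths instead of reading past them. It assumes suboption code 7 (the value assigned to the RADIUS Attributes suboption by RFC 4014) and the RADIUS attribute layout of RFC 2865; the function names and the sample bytes are constructed for illustration.

```python
import struct

RADIUS_ATTRS_SUBOPT = 7  # RADIUS Attributes suboption code (RFC 4014)


def parse_tlvs(data, length_includes_header):
    """Split bytes into (type, value) pairs; raise ValueError on bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header at offset %d" % i)
        t, length = data[i], data[i + 1]
        # RADIUS lengths count the 2-byte header; DHCP suboption lengths do not.
        vlen = length - 2 if length_includes_header else length
        if vlen < 0 or i + 2 + vlen > len(data):
            raise ValueError("bad length %d for type %d" % (length, t))
        out.append((t, data[i + 2:i + 2 + vlen]))
        i += 2 + vlen
    return out


def radius_attrs_from_relay_option(option_payload):
    """Return the RADIUS attributes carried in suboption 7 of the
    Relay Agent Information option payload, as (type, value) pairs."""
    attrs = []
    for code, value in parse_tlvs(option_payload, length_includes_header=False):
        if code == RADIUS_ATTRS_SUBOPT:
            attrs.extend(parse_tlvs(value, length_includes_header=True))
    return attrs


def radius_attr(t, value):
    """Encode one RADIUS attribute (helper used only to build the sample)."""
    return bytes([t, len(value) + 2]) + value


def suboption(code, value):
    """Encode one relay agent suboption (helper used only to build the sample)."""
    return bytes([code, len(value)]) + value


# Constructed sample: Agent Circuit ID (suboption 1) followed by a RADIUS
# Attributes suboption holding User-Name (1) and Session-Timeout (27).
SAMPLE = suboption(1, b"eth0/1") + suboption(
    RADIUS_ATTRS_SUBOPT,
    radius_attr(1, b"alice") + radius_attr(27, struct.pack("!I", 3600)),
)

if __name__ == "__main__":
    for attr_type, attr_value in radius_attrs_from_relay_option(SAMPLE):
        print(attr_type, attr_value)
```
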

The RADIUS Attributes suboption described in this document is not
limited to use in conjunction with IEEE 802.1X and can be used to
carry RADIUS attributes obtained by the relay agent for any reason.
That is, the option is not limited to use with IEEE 802.1X but is
The scope of applicability of this specification is such that robust
interoperability is only guaranteed for RADIUS service
implementations that exist within the same scope as does the DHCP
service implementation, i.e., within a single, localized
administrative domain. Global interoperability of this
specification, across administrative domains, is not required.


 