RADIUS Attributes Suboption for the DHCP Relay Agent Information Option

Written by Hemanshu Patel
Thursday, 08 November 2007
4. DHCP Relay Agent Behavior
When the DHCP relay agent receives a DHCP message from the client, it MAY append a DHCP Relay Agent Information option containing the RADIUS Attributes suboption, along with any other suboptions it is configured to supply. The RADIUS Attributes suboption MUST only contain the attributes provided in the RADIUS Access/Accept message. The DHCP relay agent MUST NOT add more than one RADIUS Attributes suboption in a message.
The relay agent MUST include the User-Name and Framed-Pool attributes in the RADIUS Attributes suboption, if they are available, and MAY include other attributes.
To avoid dependencies between the address allocation and other state information held by the RADIUS server and the DHCP server, the DHCP relay agent SHOULD include only the attributes in the table below in an instance of the RADIUS Attributes suboption. The table, based on the analysis in RFC 3580 [8], lists the attributes that MAY be included:

    #    Attribute
    ---  ---------
    1    User-Name (RFC 2865 [3])
    6    Service-Type (RFC 2865)
    26   Vendor-Specific (RFC 2865)
    27   Session-Timeout (RFC 2865)
    88   Framed-Pool (RFC 2869)
    100  Framed-IPv6-Pool (RFC 3162 [7])
5. DHCP Server Behavior
When the DHCP server receives a message from a relay agent containing a RADIUS Attributes suboption, it extracts the contents of the suboption and uses that information in selecting configuration parameters for the client. If the relay agent relays RADIUS attributes not included in the table in Section 4, the DHCP server SHOULD ignore them. If the DHCP server uses attributes not specified here, it might result in side effects not anticipated in the existing RADIUS specifications.
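The following Python is an added example, not code from RFC 4014 or from this page; it models both sides of the behaviour described in Sections 4 and 5: the relay agent filters the Access-Accept attributes down to the Section 4 table and wraps them in suboption 7 of the Relay Agent Information option, and the DHCP server unpacks the option, rejects a message carrying more than one RADIUS Attributes suboption, and ignores any attribute type outside the table. Assumptions not shown on this page: option code 82 and the Agent Circuit ID suboption (code 1) come from RFC 3046; each RADIUS attribute is carried in its RFC 2865 wire form (Type, Length, Value, with Length counting the two header octets); the Access-Accept attributes are constructed sample data; and the `relay_trusted` flag is an illustrative stand-in for the perimeter rule of Section 7, not something the RFC specifies as a parameter.

```python
# Added example, not RFC 4014 text or code.  Option 82 and suboption 1 are
# from RFC 3046; attribute encoding follows RFC 2865 (Type, Length, Value,
# Length counting the two header octets).  All sample data is constructed.

OPTION_RELAY_AGENT_INFO = 82        # DHCP Relay Agent Information option, RFC 3046
SUBOPT_CIRCUIT_ID = 1               # Agent Circuit ID suboption, RFC 3046
SUBOPT_RADIUS_ATTRIBUTES = 7        # RADIUS Attributes suboption, IANA-assigned

# RADIUS attribute types the relay agent SHOULD forward (Section 4 table).
USER_NAME, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 6, 26
SESSION_TIMEOUT, FRAMED_POOL, FRAMED_IPV6_POOL = 27, 88, 100
PERMITTED = {USER_NAME, SERVICE_TYPE, VENDOR_SPECIFIC,
             SESSION_TIMEOUT, FRAMED_POOL, FRAMED_IPV6_POOL}


def encode_radius_attr(atype, value):
    """One RFC 2865 attribute: Type, Length (of the whole attribute), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 octets")
    return bytes([atype, len(value) + 2]) + value


def parse_radius_attrs(data):
    """Split a run of RFC 2865 attributes into (type, value) pairs.  A
    length below 2 would never advance, so it is rejected, not looped on."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated RADIUS attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad RADIUS attribute length %d" % alen)
        attrs.append((atype, bytes(data[i + 2:i + alen])))
        i += alen
    return attrs


def relay_build_radius_suboption(access_accept_attrs):
    """Relay agent (Section 4): forward only table attributes, in the order
    the RADIUS server sent them; anything else from Access-Accept is dropped."""
    body = b"".join(encode_radius_attr(t, v)
                    for t, v in access_accept_attrs if t in PERMITTED)
    if len(body) > 255:
        raise ValueError("RADIUS Attributes suboption exceeds 255 octets")
    return bytes([SUBOPT_RADIUS_ATTRIBUTES, len(body)]) + body


def relay_build_option82(*suboptions):
    """Wrap already-encoded suboptions in a single option 82."""
    body = b"".join(suboptions)
    if len(body) > 255:
        raise ValueError("Relay Agent Information option exceeds 255 octets")
    return bytes([OPTION_RELAY_AGENT_INFO, len(body)]) + body


def server_extract_radius_attrs(option82, relay_trusted=True):
    """DHCP server (Sections 5 and 7): honour option 82 only from a trusted
    relay, accept at most one RADIUS Attributes suboption, and ignore every
    attribute type that is not in the Section 4 table."""
    if not relay_trusted:            # illustrative perimeter rule (Section 7)
        return []
    if len(option82) < 2 or option82[0] != OPTION_RELAY_AGENT_INFO:
        raise ValueError("not a Relay Agent Information option")
    if option82[1] != len(option82) - 2:
        raise ValueError("option 82 length mismatch")
    radius, i = None, 2
    while i < len(option82):
        if len(option82) - i < 2:
            raise ValueError("truncated suboption header")
        code, slen = option82[i], option82[i + 1]
        value = option82[i + 2:i + 2 + slen]
        if len(value) != slen:
            raise ValueError("truncated suboption %d" % code)
        if code == SUBOPT_RADIUS_ATTRIBUTES:
            if radius is not None:   # MUST NOT appear more than once (Section 4)
                raise ValueError("duplicate RADIUS Attributes suboption")
            radius = value
        i += 2 + slen
    if radius is None:
        return []
    return [(t, v) for t, v in parse_radius_attrs(radius) if t in PERMITTED]


if __name__ == "__main__":
    # Constructed Access-Accept: Framed-IP-Address (type 8) is not in the
    # table, so the relay must leave it out of the suboption.
    access_accept = [(USER_NAME, b"alice@example.net"),
                     (8, bytes([192, 0, 2, 10])),
                     (FRAMED_POOL, b"pool-a")]
    opt = relay_build_option82(bytes([SUBOPT_CIRCUIT_ID, 4]) + b"eth0",
                               relay_build_radius_suboption(access_accept))
    print(opt.hex())
    print(server_extract_radius_attrs(opt))
```

The server returns a list of (type, value) pairs rather than a dictionary because RFC 2865 allows an attribute such as Vendor-Specific to appear more than once, and collapsing duplicates would silently discard data the relay legitimately forwarded. Both the relay-side filter and the server-side filter use the same table, so a misbehaving relay that forwards, say, Framed-IP-Address is harmless: the server discards it exactly as Section 5 asks.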
6. DHCP Client Behavior
Relay agent options are exchanged only between relay agents and the DHCP server, so DHCP clients are never aware of their use.
7. Security Considerations
Message authentication in DHCP for intradomain use where the out-of-band exchange of a shared secret is feasible is defined in RFC 3118 [6]. Potential exposures to attack are discussed in section 7 of the DHCP protocol specification in RFC 2131 [1].
The DHCP Relay Agent option depends on a trusted relationship between the DHCP relay agent and the server, as described in section 5 of RFC 3046 [5]. Although the introduction of fraudulent relay-agent options can be prevented by a perimeter defense that blocks these options unless the relay agent is trusted, a deeper defense using the authentication option for relay agent options [9] or IPsec [10] SHOULD be deployed as well.
8. IANA Considerations
IANA has assigned the value of 7 for the DHCP Relay Agent Information option suboption code for this suboption. This document does not define any new namespaces or other constants for which IANA must maintain a registry.