Network Working Group R. Droms
Request for Comments: 4014 J. Schnizlein
Category: Standards Track Cisco Systems
February 2005
Remote Authentication Dial-In User Service (RADIUS)
Attributes Suboption for the
Dynamic Host Configuration Protocol (DHCP)
Relay Agent Information Option
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
The RADIUS Attributes suboption enables a network element to pass
identification and authorization attributes received during RADIUS
authentication to a DHCP server. When the DHCP server receives a
message from a relay agent containing a RADIUS Attributes suboption,
it extracts the contents of the suboption and uses that information
in selecting configuration parameters for the client.
1. Introduction and Background
The RADIUS Attributes suboption for the DHCP Relay Agent option
provides a way in which a NAS can pass attributes obtained from a
RADIUS server to a DHCP server [1]. IEEE 802.1X [2] is an example of
a mechanism through which a NAS such as a switch or a wireless LAN
access point can authenticate the identity of the user of a device
before providing layer 2 network access with RADIUS as the
Authentication Service, as specified in RFC 3580 [8]. In IEEE 802.1X
authenticated access, a device must first exchange some
authentication credentials with the NAS. The NAS then supplies these
credentials to a RADIUS server, which eventually sends either an
Access-Accept or an Access-Reject in response to an Access-Request.
The NAS, based on the reply of the RADIUS server, then allows or
denies network access to the requesting device.
Droms & Schnizlein Standards Track [Page 1]
RFC 4014 RADIUS Attributes Suboption February 2005
Figure 1 summarizes the message exchange among the participants in
IEEE 802.1X authentication.
+-----------------+
|Device requesting|
| network access |
+-----------------+
| ^
| |
(1) Request for access
| |
| (4) Success/Failure
v |
+-----------------+
| NAS |
|(IEEE 802.1X and |
|DHCP relay agent}|
+-----------------+
| ^
| |
(2) Request for authentication
| |
| (3) Access-Accept/Reject
v |
+-----------------+
| RADIUS |
| Server |
+-----------------+
Figure 1
The access device acts as an IEEE 802.1X Authenticator and adds a
DHCP relay agent option that includes a RADIUS Attributes suboption
to DHCP messages. At the successful conclusion of IEEE 802.1X
authentication, a RADIUS Access-Accept provides attributes for
service authorizations to the NAS. The NAS stores these attributes
locally. When the NAS subsequently relays DHCP messages from the
network device, the NAS adds these attributes in a RADIUS Attributes
suboption. The RADIUS Attributes suboption is another suboption of
the Relay Agent Information option [5].
The RADIUS Attributes suboption described in this document is not
limited to use in conjunction with IEEE 802.1X and can be used to
carry RADIUS attributes obtained by the relay agent for any reason.
That is, the option is not limited to use with IEEE 802.1X but is
constrained by RADIUS semantics (see Section 4).
Droms & Schnizlein Standards Track [Page 2]
RFC 4014 RADIUS Attributes Suboption February 2005
The scope of applicability of this specification is such that robust
datatracker.ietf.org