Remote Authentication Dial-In User Service (RADIUS) Attributes Suboption for the Dynamic Host Configuration Protocol (DHCP) Relay Agent Information Option
RFC 4014
Section | Field | Value
---|---|---
Document | Type | RFC - Proposed Standard (February 2005; No errata)
Document | Authors | Ralph Droms, John Schnizlein
Document | Last updated | 2013-03-02
Document | Stream | Internet Engineering Task Force (IETF)
Stream | WG state | (None)
Stream | Document shepherd | No shepherd assigned
IESG | IESG state | RFC 4014 (Proposed Standard)
IESG | Action Holders | (None)
IESG | Consensus Boilerplate | Unknown
IESG | Telechat date |
IESG | Responsible AD | Margaret Cullen
IESG | Send notices to | (None)
Network Working Group                                           R. Droms
Request for Comments: 4014                                 J. Schnizlein
Category: Standards Track                                  Cisco Systems
                                                           February 2005

Remote Authentication Dial-In User Service (RADIUS) Attributes Suboption for the Dynamic Host Configuration Protocol (DHCP) Relay Agent Information Option

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2005).

Abstract

The RADIUS Attributes suboption enables a network element to pass identification and authorization attributes received during RADIUS authentication to a DHCP server. When the DHCP server receives a message from a relay agent containing a RADIUS Attributes suboption, it extracts the contents of the suboption and uses that information in selecting configuration parameters for the client.

1.  Introduction and Background

The RADIUS Attributes suboption for the DHCP Relay Agent option provides a way in which a NAS can pass attributes obtained from a RADIUS server to a DHCP server [1]. IEEE 802.1X [2] is an example of a mechanism through which a NAS such as a switch or a wireless LAN access point can authenticate the identity of the user of a device before providing layer 2 network access with RADIUS as the Authentication Service, as specified in RFC 3580 [8]. In IEEE 802.1X authenticated access, a device must first exchange some authentication credentials with the NAS. The NAS then supplies these credentials to a RADIUS server, which eventually sends either an Access-Accept or an Access-Reject in response to an Access-Request. The NAS, based on the reply of the RADIUS server, then allows or denies network access to the requesting device.
Droms & Schnizlein          Standards Track                     [Page 1]

RFC 4014              RADIUS Attributes Suboption          February 2005

Figure 1 summarizes the message exchange among the participants in IEEE 802.1X authentication.

                  +-----------------+
                  |Device requesting|
                  | network access  |
                  +-----------------+
                   |            ^
                   |            |
                  (1) Request for access
                   |            |
                   |           (4) Success/Failure
                   v            |
                  +-----------------+
                  |       NAS       |
                  |(IEEE 802.1X and |
                  |DHCP relay agent)|
                  +-----------------+
                   |             ^
                   |             |
                  (2) Request for authentication
                   |             |
                   |            (3) Access-Accept/Reject
                   v             |
                  +-----------------+
                  |     RADIUS      |
                  |     Server      |
                  +-----------------+

                        Figure 1

The access device acts as an IEEE 802.1X Authenticator and adds a DHCP relay agent option that includes a RADIUS Attributes suboption to DHCP messages. At the successful conclusion of IEEE 802.1X authentication, a RADIUS Access-Accept provides attributes for service authorizations to the NAS. The NAS stores these attributes locally. When the NAS subsequently relays DHCP messages from the network device, the NAS adds these attributes in a RADIUS Attributes suboption. The RADIUS Attributes suboption is another suboption of the Relay Agent Information option [5].

The RADIUS Attributes suboption described in this document is not limited to use in conjunction with IEEE 802.1X and can be used to carry RADIUS attributes obtained by the relay agent for any reason. That is, the option is not limited to use with IEEE 802.1X but is constrained by RADIUS semantics (see Section 4).

The scope of applicability of this specification is such that robust interoperability is only guaranteed for RADIUS service implementations that exist within the same scope as does the DHCP service implementation, i.e., within a single, localized
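
The extraction step described in the Abstract, as an added Python example (not code from the RFC or its authors): it walks the payload of a Relay Agent Information option (option 82, RFC 3046), pulls out the RADIUS Attributes suboption, and splits it into RADIUS attributes, rejecting any inconsistent length. The suboption code 7 (RFC 4014, Section 3, not shown in this excerpt) and the RADIUS type/length layout (RFC 2865) come from those specifications; the function names and the sample bytes are constructed for illustration.

```python
RADIUS_SUBOPT = 7  # RADIUS Attributes suboption code (RFC 4014, Section 3)

# Constructed sample: the payload of one option 82 as a relay agent might send it.
SAMPLE_OPTION_82 = (
    b"\x01\x06eth0/1"   # suboption 1 (Agent Circuit ID), 6 value bytes
    b"\x07\x0e"         # suboption 7 (RADIUS Attributes), 14 value bytes
    b"\x01\x07alice"    # RADIUS User-Name (type 1), total length 7
    b"\x58\x07guest"    # RADIUS Framed-Pool (type 88), total length 7
)


def walk_tlvs(buf, length_counts_header, what):
    """Yield (code, value) pairs from 1-byte code / 1-byte length records.

    DHCP suboption lengths count the value only; RADIUS attribute lengths
    also count the two header octets. Any inconsistency raises ValueError.
    """
    i = 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError(f"{what}: truncated header at offset {i}")
        code, length = buf[i], buf[i + 1]
        size = length if length_counts_header else length + 2
        if size < 2 or i + size > len(buf):
            raise ValueError(f"{what} {code}: bad length {length} at offset {i}")
        yield code, buf[i + 2:i + size]
        i += size


def extract_radius_attributes(option82_payload):
    """Return [(radius_type, value)] carried in suboption 7, or [] if absent.

    Parsing is all-or-nothing: a malformed record anywhere raises, so a
    caller never selects client configuration from a half-parsed suboption.
    """
    attrs = []
    for code, value in walk_tlvs(option82_payload, False, "suboption"):
        if code == RADIUS_SUBOPT:
            attrs.extend(walk_tlvs(value, True, "RADIUS attribute"))
    return attrs


if __name__ == "__main__":
    for rtype, value in extract_radius_attributes(SAMPLE_OPTION_82):
        print(rtype, value)
```

A server that catches the `ValueError` can treat the message as carrying no RADIUS attributes rather than acting on partial data.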