Remote Authentication Dial-In User Service (RADIUS) Attributes Suboption for the Dynamic Host Configuration Protocol (DHCP) Relay Agent Information Option
RFC 4014
Document Type RFC - Proposed Standard (February 2005; No errata)
Last updated 2013-03-02
Stream IETF
Formats plain text pdf htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 4014 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Margaret Cullen
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                           R. Droms
Request for Comments: 4014                                 J. Schnizlein
Category: Standards Track                                  Cisco Systems
                                                           February 2005

          Remote Authentication Dial-In User Service (RADIUS)
                     Attributes Suboption for the
              Dynamic Host Configuration Protocol (DHCP)
                     Relay Agent Information Option

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   The RADIUS Attributes suboption enables a network element to pass
   identification and authorization attributes received during RADIUS
   authentication to a DHCP server.  When the DHCP server receives a
   message from a relay agent containing a RADIUS Attributes suboption,
   it extracts the contents of the suboption and uses that information
   in selecting configuration parameters for the client.

1.  Introduction and Background

   The RADIUS Attributes suboption for the DHCP Relay Agent option
   provides a way in which a NAS can pass attributes obtained from a
   RADIUS server to a DHCP server [1].  IEEE 802.1X [2] is an example of
   a mechanism through which a NAS such as a switch or a wireless LAN
   access point can authenticate the identity of the user of a device
   before providing layer 2 network access with RADIUS as the
   Authentication Service, as specified in RFC 3580 [8].  In IEEE 802.1X
   authenticated access, a device must first exchange some
   authentication credentials with the NAS.  The NAS then supplies these
   credentials to a RADIUS server, which eventually sends either an
   Access-Accept or an Access-Reject in response to an Access-Request.
   The NAS, based on the reply of the RADIUS server, then allows or
   denies network access to the requesting device.

Droms & Schnizlein          Standards Track                     [Page 1]
RFC 4014              RADIUS Attributes Suboption          February 2005

   Figure 1 summarizes the message exchange among the participants in
   IEEE 802.1X authentication.

                        +-----------------+
                        |Device requesting|
                        | network access  |
                        +-----------------+
                         |         ^
                         |         |
                        (1) Request for access
                         |         |
                         |        (4) Success/Failure
                         v         |
                        +-----------------+
                        |       NAS       |
                        |(IEEE 802.1X and |
                        |DHCP relay agent}|
                        +-----------------+
                           |     ^
                           |     |
                          (2) Request for authentication
                           |     |
                           |    (3) Access-Accept/Reject
                           v     |
                        +-----------------+
                        |     RADIUS      |
                        |     Server      |
                        +-----------------+

                             Figure 1

   The access device acts as an IEEE 802.1X Authenticator and adds a
   DHCP relay agent option that includes a RADIUS Attributes suboption
   to DHCP messages.  At the successful conclusion of IEEE 802.1X
   authentication, a RADIUS Access-Accept provides attributes for
   service authorizations to the NAS.  The NAS stores these attributes
   locally.  When the NAS subsequently relays DHCP messages from the
   network device, the NAS adds these attributes in a RADIUS Attributes
   suboption.  The RADIUS Attributes suboption is another suboption of
   the Relay Agent Information option [5].

   The RADIUS Attributes suboption described in this document is not
   limited to use in conjunction with IEEE 802.1X and can be used to
   carry RADIUS attributes obtained by the relay agent for any reason.
   That is, the option is not limited to use with IEEE 802.1X but is
   constrained by RADIUS semantics (see Section 4).

Droms & Schnizlein          Standards Track                     [Page 2]
RFC 4014              RADIUS Attributes Suboption          February 2005

   The scope of applicability of this specification is such that robust
   interoperability is only guaranteed for RADIUS service
   implementations that exist within the same scope as does the DHCP
   service implementation, i.e., within a single, localized
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools