Support for Framed IP Address in RADIUS requests

The framed IPv4 address (Framed-IP-Address) is one of the many RADIUS attributes; it indicates the address assigned to the client. The attribute may be included in the access-request packets sent to RADIUS servers during authentication. When sent in an access-request packet, the IP address is sent as a hint to the RADIUS server.

  • Configuration is enabled or disabled using the following CLI commands:

    radius-server access-request include <framed-ip-address>

    no radius-server access-request include <framed-ip-address>

  • If Framed IP is enabled in the switch, the switch can learn the IP address of the authenticated client using two methods:
    • DHCP snooping: By snooping the DHCP packets sent by the client after authentication.
    • IP Client tracker: By sending ARP probes to the client.

NOTE: Even if the IP address of the client is known to the switch while sending the access-request packet, the "Framed-IP-Address" attribute will not be included in the RADIUS access-request packet if the CLI is not configured.

The framed-ip-address is sent in access-request packets in the following scenarios:

End clients that support user and machine authentication

For instance, a Windows client that supports machine and user authentication is connected to a port where 802.1X authentication is enabled. The sequence of authentication is as follows:

  1. The Windows client initiates machine authentication. Since it is the initial authentication, the access-request packet will not include the framed-ip-address attribute.
  2. Machine authentication is successful.
  3. The client gets successfully authenticated and receives an IP address from the DHCP server.
  4. The user tries to log in using credentials, which triggers user authentication.
  5. An access-request packet with framed-ip-address is sent to the RADIUS server.

Reauthentication of client

  1. The end client is connected to a port where MAC or 802.1X authentication is enabled with a reauthentication period.
  2. The client gets successfully authenticated.
  3. The client receives an IP address from the DHCP server.
  4. Upon reauthentication period expiry, a new access-request message will be sent from the NAS to the RADIUS server.
  5. If configured, the new access-request packet will contain the framed-ip-address attribute.

Limitations

  1. The Framed-IPv6-Address RADIUS access-request attribute (RFC 6911) is not supported.