Support for Framed IP Address in RADIUS requests

Framed-IP-Address is one of the many RADIUS attributes; it indicates the IPv4 address assigned to the client. The attribute may be included in the access-request packet, where the IP address serves only as a hint to the RADIUS server. With this feature, the Framed-IP-Address attribute is included in the access-request packets sent to RADIUS servers during authentication.

  • Configuration is enabled using the following CLI command:

    radius-server access-request include <framed-ip-address>

    no radius-server access-request include <framed-ip-address>

  • If Framed IP is enabled on the switch, the switch can learn the IP address of the authenticated client using the following methods:
    • DHCP snooping: By snooping the DHCP packets sent by the client after authentication. This method does not work for clients with a static IP address, so such clients are not visible on the RADIUS server.
    • Learning IP: By snooping the client's initial data packets, the switch learns the client IP address and updates the accounting packet, irrespective of whether the client IP is static or dynamic. This method gives visibility of all clients on the RADIUS server.
    • Tracking change of IP: By sending Address Resolution Protocol (ARP) probes to the client. ARP is a procedure for mapping a dynamic Internet Protocol (IP) address to a MAC address.

Learning IP

After a client completes authentication, the switch performs the following steps to learn the IP address of the authenticated client:

  • If DHCP snooping or Neighbor Discovery (ND) snooping is enabled, the switch queries the Binding State Table (BST) for IPv4 and IPv6 addresses respectively to learn the client IP.

  • If neither DHCP snooping nor ND snooping is enabled, the switch performs an ARP lookup to identify the IP address associated with the client MAC address.

  • If the ARP lookup fails, the switch inserts an Access Control List (ACL) rule that sends a copy of the packets belonging to the client's MAC address and port to the CPU and then forwards the packets. The copied packets are used to learn the client's IP address.

    NOTE:

    Only IP packets of the client MAC address are copied to the CPU.

Tracking change of IP

Once the switch learns the client IP address, the corresponding MAC and IP entries are programmed in the ARP table to track changes of IP. After the entry ages out, the switch sends an ARP probe to the client, and one of the following scenarios occurs:

  • There is no change in IP address. The switch receives the same MAC address in the ARP probe response and keeps the entry unchanged in the ARP table.
  • There is a change in IP address, which leads to one of the following two scenarios:
    • The IP is changed and the old IP is not assigned to any other MAC address. In this case, the ARP probe fails because the probe is for the old IP address, and the switch initiates the learning IP process by programming the ACL rule.
    • The IP is changed and the old IP is assigned to another MAC address. In this case, the ARP probe succeeds with a different MAC address, so the actual client MAC address no longer has an ARP entry, and the switch triggers the learning IP process.

Learning IP and ARP probing happen in a loop to track the IP address of the client.

NOTE:

IP address change detection is bound by the ARP age-out time; the default ARP age-out time is 20 minutes.

NOTE: If the CLI command is not configured, the framed-ip-address attribute will not be included in the RADIUS access-request packet, even when the switch knows the client IP address while sending the access-request packet.

The framed-ip-address attribute is included in access-request packets in the following scenarios:

  • End clients that support user and machine authentication

  • Reauthentication of client

End clients that support user and machine authentication

For instance, a Windows client that supports machine and user authentication is connected to a port where 802.1X authentication is enabled. The sequence of authentication is as follows:

  1. The Windows client initiates machine authentication. Since this is the initial authentication, the access-request packet does not include the framed-ip-address attribute.

  2. Machine authentication succeeds.

  3. The client is authenticated and receives an IP address from the DHCP server.

  4. The user tries to log in with credentials, which triggers user authentication.

  5. An access-request packet with the framed-ip-address attribute is sent to the RADIUS server.

Reauthentication of client

  1. An end client is connected to a port where MAC or 802.1X authentication is enabled with a reauthentication period.

  2. The client is successfully authenticated.

  3. The client receives an IP address from the DHCP server.

  4. When the reauthentication period expires, a new access-request message is sent from the NAS to the RADIUS server.

  5. If configured, the new access-request packet contains the framed-ip-address attribute.
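As an added example (not part of the switch documentation above), the following Python builds a RADIUS Access-Request per RFC 2865 both without the Framed-IP-Address attribute (type 8), as in the initial machine authentication, and with it, as in the user authentication and reauthentication scenarios, and shows how a server-side parser extracts the hint while rejecting packets whose lengths do not add up. User names, port numbers and addresses are constructed values; the shared-secret and Message-Authenticator handling of a real NAS and server is omitted.

```python
import os
import socket
import struct

ACCESS_REQUEST = 1           # RADIUS Code for Access-Request (RFC 2865)
ATTR_USER_NAME = 1
ATTR_NAS_PORT = 5
ATTR_FRAMED_IP_ADDRESS = 8   # Framed-IP-Address: 4-octet IPv4 value


def _attr(attr_type, value):
    # Attribute TLV: Type (1 octet), Length (1 octet, header included), Value.
    return struct.pack("BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, user_name, nas_port, framed_ip=None):
    """Build an Access-Request as a NAS would. framed_ip is included only
    when the NAS already knows the client address (user auth after machine
    auth, or reauthentication); it is a hint, not an address assignment."""
    attrs = _attr(ATTR_USER_NAME, user_name.encode())
    attrs += _attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
    if framed_ip is not None:
        attrs += _attr(ATTR_FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip))
    authenticator = os.urandom(16)          # 16-octet Request Authenticator
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Return {type: [value, ...]}; reject inconsistent header/attribute lengths."""
    if len(packet) < 20:
        raise ValueError("too short for a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("malformed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def framed_ip_hint(packet):
    """Server side: the Framed-IP-Address hint as a dotted quad, or None
    when the NAS did not include it (e.g. initial machine authentication)."""
    values = parse_attributes(packet).get(ATTR_FRAMED_IP_ADDRESS)
    if not values or len(values[0]) != 4:
        return None
    return socket.inet_ntoa(values[0])
```

Because the attribute is only a hint, a server should correlate it with its own records (for example DHCP or accounting data) rather than treat it as authoritative.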

Limitations

The Framed-IPv6-Address RADIUS access-request attribute (RFC 6911) is not supported.