RADIUS authentication

When a valid Ethernet frame is received on a dynamic services data trigger capture SAP, it is sent to the control plane for authentication. The dynamic services policy configured at the capture SAP specifies the RADIUS authentication parameters, as shown in the following example:

configure service
        vpls 10 customer 1 create
            sap 1/1/4:1214.* capture-sap create
                description "Dynamic Services Data Trigger capture-sap"
                dynamic-services
                    dynamic-services-policy "dyn-svc-1"
                    no shutdown
                exit
                no shutdown
            exit
            no shutdown
        exit
        dynamic-services
            dynamic-services-policy "dyn-svc-1" create
                ---snip---
                authentication
                    password "RwXx4x0jao776C3CGlDBKVaNOd//ySXw" hash2
                    server-policy "aaa-server-policy-1"
                exit
                ---snip---
            exit
        exit

Local authentication and RADIUS authentication are mutually exclusive and cannot be configured simultaneously in a config>service>dynsvc>plcy>authentication context.

The server-policy CLI command references the config>aaa>radius-server-policy policy-name to be used for authentication.

The password CLI command specifies the password that is used in all RADIUS Access-Request messages.

The following table lists the attributes that are included in the RADIUS Access-Request message for dynamic services data triggers.

Table: RADIUS access-request message attributes

| RADIUS attribute | Description |
|---|---|
| [1] User-Name | The username format for dynamic services data trigger authentication is fixed to nas-port-id (SAP). |
| [2] Password | The password as configured in the authentication section of the dynamic-services-policy. |
| [4] NAS-IP-Address | The outband management interface or system interface IPv4 address. Only included if the RADIUS server is reachable via an IPv4 address. |
| [95] NAS-IPv6-Address | The outband management interface or system interface IPv6 address. Only included if the RADIUS server is reachable via an IPv6 address. |
| [44] Acct-Session-Id | A unique accounting session ID (number format) per dynamic service data trigger. Included as [50] Acct-Multi-Session-Id in RADIUS accounting for all dynamic services that are associated with this data trigger. |
| [87] NAS-Port-Id | The dynamic service data trigger sap-id. |
| [32] NAS-Identifier | The system name of the router. |
| [26-6527-27] Alc-Client-Hardware-Addr | The MAC address of the data trigger frame that resulted in the authentication. Fixed format (xx:xx:xx:xx:xx:xx). |
| [8] Framed-IP-Address | The IPv4 source address of the IPv4 data trigger frame that resulted in the authentication. Not included if the data trigger frame is not an IPv4 packet. |
| [26-6527-99] Alc-Ipv6-Address | The IPv6 source address of the IPv6 data trigger frame that resulted in the authentication. Not included if the data trigger frame is not an IPv6 packet. |
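
Because the username is fixed to the SAP and the password is the same for every request, a RADIUS server can only tell data triggers apart by the other attributes. The following Python check is an added example, not code from the product documentation: it decodes a raw Access-Request and reports where it deviates from the attribute table above. The function names, the sample SAP, addresses and router name are constructed, and one sub-attribute per Vendor-Specific attribute is assumed.

```python
import re
import struct

MAC_RE = re.compile(rb"[0-9a-f]{2}(:[0-9a-f]{2}){5}", re.I)
REQUIRED = ("1", "2", "44", "87", "32", "26-6527-27")  # rows listed without a condition

def parse_attrs(pkt: bytes) -> dict:
    """Decode an Access-Request (RFC 2865 layout) into {attribute id: raw value}."""
    if len(pkt) < 20 or pkt[0] != 1 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20  # skip the 4-byte header and 16-byte authenticator
    while pos < len(pkt):
        if pos + 2 > len(pkt) or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > len(pkt):
            raise ValueError("bad attribute length")
        typ, alen = pkt[pos], pkt[pos + 1]
        val = pkt[pos + 2:pos + alen]
        if typ == 26 and len(val) >= 6:  # VSA: vendor id, sub-type, sub-length, value
            vendor = struct.unpack("!I", val[:4])[0]
            attrs[f"26-{vendor}-{val[4]}"] = val[6:4 + val[5]]
        else:
            attrs[str(typ)] = val
        pos += alen
    return attrs

def check_data_trigger(attrs: dict) -> list:
    """Return the ways a request deviates from the attribute table."""
    problems = [f"missing attribute {a}" for a in REQUIRED if a not in attrs]
    if attrs.get("1") != attrs.get("87"):
        problems.append("User-Name differs from NAS-Port-Id (SAP)")
    mac = attrs.get("26-6527-27")
    if mac is not None and not MAC_RE.fullmatch(mac):
        problems.append("Alc-Client-Hardware-Addr not xx:xx:xx:xx:xx:xx")
    if "8" in attrs and "26-6527-99" in attrs:
        problems.append("both IPv4 and IPv6 source address present")
    return problems

def attr(typ, val):
    return bytes([typ, len(val) + 2]) + val

def vsa(sub, val):  # sub-attribute under vendor id 6527
    return attr(26, struct.pack("!I", 6527) + bytes([sub, len(val) + 2]) + val)

def sample_request(user=b"1/1/4:1214.7"):
    """Constructed packet; all values are made up and [2] is a zero placeholder."""
    body = b"".join([
        attr(1, user), attr(2, bytes(16)), attr(4, bytes([192, 0, 2, 1])),
        attr(44, b"1001"), attr(87, b"1/1/4:1214.7"), attr(32, b"router-1"),
        vsa(27, b"00:00:5e:00:53:01"), attr(8, bytes([198, 51, 100, 10]))])
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body
```

A request that passes these checks is only structurally consistent; the server still has to decide whether the SAP and MAC address are ones it expects.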

The attributes that must be returned in the Access-Accept message are the same as for RADIUS-triggered Dynamic Data Services associated with an IPoE or PPPoE session as a control channel.