DHCPv6 pd with radius

I can’t get DHCPv6 to work with radius.
Long story short:

  • I have a working setup with use-radius=no. The client gets its prefix and a dynamic route is added in the server.
  • Once I set use-radius=yes, all happens as expected except for one thing: the route added by the DHCPv6 server has no gateway (it reads “:: unreachable”).

More details:
Both routers are Mikrotik routers running v6.43.8.

RouterA (server):
/interface vlan add interface=bridge name=vlan1000 vlan-id=1000
/ipv6 dhcp-server add interface=vlan1000 lease-time=10m name=dhcp-vlan1000 use-radius=yes
/radius add service=dhcp address=x.x.x.x secret=**** src-address=x.x.x.x

RouterB (client):
/ipv6 dhcp-client add interface=bridge-wan request=prefix pool-name=dhcp-pool add-default-route=yes
/ipv6 address add address=::1 from-pool=dhcp-pool interface=bridge-lan

Radius:
Check:
Auth-Type:=Accept
Called-Station-Id==dhcp-vlan1000
Reply:
Delegated-IPv6-Prefix=2axx:xxxx:1::/56

With such configuration:

  • the client gets its /56 prefix and assigns a /64 to the lan:
    interface=bridge-wan status=bound duid="0x000300016c3b6beexxxx" dhcp-server-v6=fe80::66d1:54ff:fe1d:xxxx request=prefix add-default-route=yes default-route-distance=1 use-peer-dns=yes pool-name="dhcp-pool" pool-prefix-length=64 prefix-hint=::/0 dhcp-options="" prefix=2axx:xxxx:1::/56, 5m5s
  • RouterA (server) shows the binding:
    RD address=2axx:xxxx:1::/56 duid="0x6c3b6beexxxx" iaid=23 server=dhcp-vlan1000 life-time=10m active-server=dhcp-vlan1000 status=bound expires-after=7m58s last-seen=2m2s dhcp-option=""
  • an incomplete route is added on RouterA:
    DS dst-address=2axx:xxxx:1::/56 gateway=:: gateway-status=:: unreachable distance=1 scope=30 target-scope=10

When I set use-radius=no address-pool=mypool on the dhcp server and reload the dhcp-client, it works as expected:

  • the client gets its /56 prefix and assigns a /64 to the lan (no visible difference)
  • the server shows the binding:
    D address=2axx:xxxx:1::/56 duid="0x6c3b6beexxxx" iaid=23 server=dhcp-vlan1000 life-time=10m prefix-pool=pool6-c1000 active-server=dhcp-vlan1000 status=bound expires-after=6m43s last-seen=3m17s dhcp-option=""
  • a route is added on RouterA:
    ADS dst-address=2axx:xxxx:1::/56 gateway=fe80::6e3b:6bff:feee:xxxx%vlan1000 gateway-status=fe80::6e3b:6bff:feee:xxxx%vlan1000 reachable distance=1 scope=30 target-scope=10


Any idea what’s going wrong?
Did someone get it to work and with which configuration?
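
A consistency check for the symptom described above, as an added example that is not part of the original posts: it parses binding and route lines in the detail format shown in the thread and reports bound prefixes that have no active route with a reachable gateway. The sample lines are constructed (documentation prefix 2001:db8::/32), the function names are hypothetical, and the `A` flag is assumed to mean "active".

```python
import re

# key=value pairs; a value may contain spaces (e.g. ":: unreachable").
KV = re.compile(r'([\w-]+)=(.*?)(?=\s+[\w-]+=|\s*$)')

def parse_line(line):
    """Split one detail line into (flags, {key: value})."""
    flags, _, rest = line.strip().partition(" ")
    return flags, {k: v.strip('"') for k, v in KV.findall(rest)}

def route_is_usable(flags, fields):
    """Active (A flag) and the gateway status ends in 'reachable'."""
    status = fields.get("gateway-status", "").split()
    return "A" in flags and status[-1:] == ["reachable"]

def unrouted_bindings(binding_lines, route_lines):
    """Return bound prefixes that have no usable route on the server."""
    usable = set()
    for line in route_lines:
        flags, f = parse_line(line)
        if route_is_usable(flags, f):
            usable.add(f.get("dst-address"))
    missing = []
    for line in binding_lines:
        _, f = parse_line(line)
        if f.get("status") == "bound" and f.get("address") not in usable:
            missing.append(f["address"])
    return missing

# Constructed sample lines modelled on the output quoted in the thread.
BINDINGS = [
    'RD address=2001:db8:1::/56 duid="0x6c3b6bee0001" iaid=23 '
    'server=dhcp-vlan1000 life-time=10m status=bound',
]
ROUTES_RADIUS = [  # use-radius=yes case: route present but no gateway
    'DS dst-address=2001:db8:1::/56 gateway=:: '
    'gateway-status=:: unreachable distance=1 scope=30 target-scope=10',
]
ROUTES_POOL = [    # use-radius=no case: route active via link-local gateway
    'ADS dst-address=2001:db8:1::/56 gateway=fe80::1%vlan1000 '
    'gateway-status=fe80::1%vlan1000 reachable distance=1 scope=30',
]

if __name__ == "__main__":
    print("radius:", unrouted_bindings(BINDINGS, ROUTES_RADIUS))
    print("pool:  ", unrouted_bindings(BINDINGS, ROUTES_POOL))
```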

Looks like this is fixed with v6.45 (tested with 6.45.3).
Thank

FYI
When allow-dual-stack-queue is checked on the DHCPv6 server, the radius username is the client’s MAC address separated by colons.
When it is disabled, the username is different (!?): it’s still the client’s MAC address but with no separator.


Edit: looks like it’s fixed as of v6.46; the username is always the MAC separated by colons.

FYI
Took me a while to figure that one out.
If you are using Session-Timeout in radius (which I need for the router to authenticate again against the radius server, otherwise the lease is renewed by the host without checking if it is still allowed), beware!

I have Session-Timeout set to 20 minutes on radius.
On the router running DHCPv6 server, if I set the default Lease Time to anything above 25 minutes, then the DHCPv6 client will be stuck in “Searching…”. The binding appears on the server side but the client is not receiving it.
As soon as I modified the Lease Time on the dhcp server to anything from 1 minute to 25 minutes (why 25?), the client received the lease.