[Subscriber Management] DHCP client unable to get address when DHCP discover message has option 50


Article ID: KB34582 KB Last Updated: 25 Jun 2019 Version: 1.0
Summary:

Sometimes users may notice that the DHCP client is unable to get an address because the access-request has been rejected by the RADIUS server with the reason "IP conflict."

This article explains why the request is rejected and what can be done to make the access request succeed.

 

Symptoms:

The MX device is configured as a DHCP local server, DHCP authentication is enabled, and the username and password are set correctly. Even so, the RADIUS server rejects DHCP authentication when the DHCP Discover message includes "Requested-IP Option 50," which enables a client to request a particular IP address that may have been used before.

 

Cause:

The DHCP client may add "Requested-IP Option 50" to its Discover message if it wants to get the IP address that is in its cache (the address that the DHCP server assigned to it previously).

PFE proto 2 (ipv4): (tos 0xc0, ttl 255, id 0, offset 0, flags [none], proto: UDP (17), length: 332) 0.0.0.0.68 > 255.255.255.255.67:
[udp sum ok] BOOTP/DHCP, Request from 00:10:94:00:00:03, length 304, xid 0x22, Flags [Broadcast] (0x8000)
    Client-Ethernet-Address 00:10:94:00:00:03
    Vendor-rfc1048 Extensions
      Magic Cookie 0x63825363
      DHCP-Message Option 53, length 1: Discover
      MSZ Option 57, length 2: 576
      Client-ID Option 61, length 7: ether 00:10:94:00:00:03
      Requested-IP Option 50, length 4: 10.0.0.2            <<<<<<<<
      Lease-Time Option 51, length 4: 60
      Hostname Option 12, length 22: "client_Port //2/11-1-0"
      Parameter-Request Option 55, length 6:
        Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
        Static-Route, Netbios-Name-Server
 

Because the MX device is configured as DHCP local-server and also has DHCP authentication enabled, the access-request message will have the "Framed-IP-Address" attribute added.

Jun  6 11:51:16.220761 ###################################################################
Jun  6 11:51:16.220771 ########################### AUTH REQ RCVD #########################
Jun  6 11:51:16.220780 ###################################################################
Jun  6 11:51:16.220789 Auth-FSM: Process Auth-Request for session-id:127349097
Jun  6 11:51:16.220800 Framework: Starting authentication
Jun  6 11:51:16.220812 authd_advance_module_for_aaa_request_msg: result:0
Jun  6 11:51:16.220826 Authd module start session-id:127349097
Jun  6 11:51:16.220836 authd_radius_start_auth: Starting RADIUS authentication session-id:127349097
Jun  6 11:51:16.220847 authd_radius_get_config:Using radius option config from access profile stanza
Jun  6 11:51:16.220881 authd_radius_build_basic_auth_request: session-id:127349097 profile=aust-drcom, username=dhcp_aust
Jun  6 11:51:16.220895 radius-access-request: User-Name added: dhcp_aust
Jun  6 11:51:16.220906 radius-access-request: User-Password added: ""
Jun  6 11:51:16.220929 radius-access-request: Service-Type added: 2
Jun  6 11:51:16.220953 radius-access-request: Chargeable-User-Identity added:
Jun  6 11:51:16.220969 radius-access-request: Acct-Session-Id added: 127349097
Jun  6 11:51:16.221007 radius-access-request: DHCP-Options (Juniper-ERX-VSA) added: 35 01 01 3d 07 01 2c fd a1 b8 8a 10 32 04 d2 2d 95 78
0c 0f 55 53 45 52 2d 38 38 30 37 37 34 31 4f 45 34 3c 08 4d 53 46 54 20 35 2e 30 37 0e 01 03 06 0f 1f 21 2b 2c 2e 2f 77 79 f9 fc
Jun  6 11:51:16.221034 radius-access-request: DHCP-MAC-Address (Juniper-ERX-VSA) added: 0010.9400.0003
Jun  6 11:51:16.221054 radius-access-request: Framed-IP-Address added: 10.0.0.2
Jun  6 11:51:16.221070 radius-access-request: NAS-Identifier added: MX960-RE0
Jun  6 11:51:16.221086 radius-access-request: NAS-Port added: 00 00 01 b1
Jun  6 11:51:16.221098 radius-access-request: NAS-Port-Id added: ae1:1101-433
Jun  6 11:51:16.221112 radius-access-request: NAS-Port-Type added: 15
Jun  6 11:51:16.221131 radius-access-request: PPPoE-Description (Juniper-ERX-VSA) added: pppoe 00:10:94:00:00:03
Jun  6 11:51:16.221153 radius-access-request: DHCP-First-Relay-IPv4-Address (Juniper-ERX-VSA) added: 10.0.0.1
 

When the RADIUS server checks this "Framed-IP-Address" attribute value and finds that the IP address is one that has been assigned to another client before, it rejects the access request due to "IP conflict."

Jun  6 11:51:16.224631 authd_radius_callback: RADIUS server sent an ACCESS_REJECT, failing login for session-id:127349097
Jun  6 11:51:16.224644 loadDefaultService:: default service for the subscriber is empty
Jun  6 11:51:16.224654 Radius result is CLIENT_REQ_STATUS_SUCCESS
Jun  6 11:51:16.224674 Parsing RADIUS message for session-id:127349097
Jun  6 11:51:16.224694 radius-access-reject: Reply-Message received: IP conflict !
Jun  6 11:51:16.224711 Framework - module(radius) return: FAILURE
Jun  6 11:51:16.224722 authd_advance_module_for_aaa_response_msg: result:3
Jun  6 11:51:16.224737 setAuthResponseAttributes Reply-Message 'IP conflict !' len 13

 

Solution:

One option is to have the RADIUS server ignore the "Framed-IP-Address" attribute and still return an "access accept" message. However, if the RADIUS server's behavior cannot be modified, add the following configuration to exclude the Framed-IP-Address attribute from the access-request message (radius-profile stands for the name of the access profile).

#set access profile radius-profile radius attributes exclude framed-ip-address access-request  

 
