Using External AAA Authentication Services with DHCP
The extended DHCP local server, including DHCPv6 local server, and the extended DHCP relay agent support the use of external AAA authentication services, such as RADIUS, to authenticate DHCP clients. When the extended DHCP local server or relay agent receives a discover PDU from a client, the extended DHCP application contacts the AAA server to authenticate the DHCP client. The extended DHCP application can obtain client addresses and DHCP configuration options from the external AAA authentication server.
Note: This section uses the term extended DHCP application to refer to both the extended DHCP local server and the extended DHCP relay agent.
The external authentication feature also supports AAA directed logout. If the external AAA service supports a user logout directive, the extended DHCP application honors the logout and responds as though it were requested by a CLI management command. All of the client state information and allocated resources are deleted at logout. The extended DHCP application supports directed logout using the list of configured authentication servers you specify with the authentication-server statement at the [edit access profile profile-name] hierarchy level.
You can configure either global authentication support or group-specific support.
You must configure the username-include statement to enable authentication. The password statement is optional, and configuring it without the username-include statement does not cause DHCP to use authentication.
To configure DHCP local server and DHCP relay agent authentication support:
- Specify that you want to configure authentication options.
- (Optional) Configure a password that authenticates the username to the external authentication service.
- (Optional) Configure optional features to create a unique username.
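The three steps above, shown as an added configuration example (not taken from the original page) covering global and group-specific support for the local server plus the relay agent. The profile name, group name, interface, server address, and secrets are placeholders, and attaching the profile with a top-level access-profile statement is an assumption about this deployment.

```junos
# Added example: all names, addresses and secrets are placeholders.
access-profile dhcp-aaa;                      # assumed: profile attached globally
access {
    radius-server {
        192.0.2.10 secret "RADIUS-SHARED-SECRET";
    }
    profile dhcp-aaa {
        authentication-order radius;
        radius {
            authentication-server 192.0.2.10; # also the list used for directed logout
        }
    }
}
system {
    services {
        dhcp-local-server {
            authentication {                  # global authentication support
                password "DHCP-AUTH-PASSWORD";   # optional
                username-include {            # required, or no authentication occurs
                    user-prefix dhcp;
                    mac-address;
                    delimiter ".";
                    domain-name example.com;
                }
            }
            group residential {               # group-specific support
                authentication {
                    username-include {
                        mac-address;
                        option-82 circuit-id;
                    }
                }
                interface ge-0/0/1.0;
            }
        }
    }
}
forwarding-options {
    dhcp-relay {
        authentication {                      # same statements for the relay agent
            password "DHCP-AUTH-PASSWORD";
            username-include {
                mac-address;
            }
        }
    }
}
```

The password is a single configured string sent for every client, so the AAA server is in effect deciding on the constructed username. Fields such as the MAC address come from the client's own packet, so including relay-inserted data such as the option 82 circuit ID ties the username to where the client is attached rather than only to what it claims.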