Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Configuring VLAN Interface Username Information for AAA Authentication

 

You can define interface information that is included in the username that is subsequently passed to the external AAA authentication service (for example, RADIUS) when creating dynamic VLANs or stacked VLANs. The AAA authentication service uses this information to authenticate the VLAN or stacked VLAN physical interface. After the interface is authenticated, the AAA service can send the required routing instance values to the system for use in dynamically creating VLAN or stacked VLAN interfaces.

Note

The following example configures username information on VLANs. However, you can also configure dynamic authentication on stacked VLANs by configuring the same statements at the [edit interfaces interface-name auto-configure stacked-vlan-ranges authentication] hierarchy level.

To configure VLAN interface username information:

  1. Access the authentication stanza for the interface over which you want to configure username information.
  2. Specify the username components that you want the AAA authentication service to use to authenticate the username.

    • Include the agent circuit identifier (ACI). The ACI is conveyed by the Access-Loop-Circuit-ID TLV in an out-of-band ANCP Port Up message.

    • Include the circuit type.

    • Specify the character used as the delimiter between the concatenated components of the username.

    • Specify the domain name that is concatenated with the username.

    • Include the interface name and VLAN tags.

    • Include the client hardware address (chaddr) from the incoming DHCP discover packet.

    • Include the option 18 (Interface-ID) information that was received in the innermost DHCPv6 Relay-Forward message header.

    • Include the option 37 (DHCPv6 Relay Agent Remote-ID) information that was received in the innermost DHCPv6 Relay-Forward message header.

    • Include the option 82 information from the client PDU. For DHCPv4, optionally include suboption 1 (Agent Circuit ID) or suboption 2 (Agent Remote ID).

    • Include the user-defined RADIUS realm string to direct the authentication request to a profile that does not allocates addresses.

    • Include the agent remote identifier (ARI). The ARI is conveyed by the Access-Loop-Remote-ID TLV in an out-of-band ANCP Port Up message

    • Specify a user prefix.

    • Include the subscriber VLAN tags. You can use this option instead of the interface-name option when the outer VLAN tag is unique across the system and you do not need the underlying physical interface name to be part of the format.

Related Documentation