
    Configuring AAA Authentication for DHCP Local Server Standalone Mode

    The DHCP local server enables you to optionally configure AAA-based authentication of standalone mode DHCP clients. In addition to providing increased security, AAA authentication also provides RADIUS-based input to IP address pool selection for standalone mode clients. By default, clients are not authenticated in standalone mode.

    Typically, an incoming DHCP client does not provide a username—therefore, the DHCP local server constructs a username based on the user’s attachment parameters and optional DHCP parameters. AAA uses the constructed username to authenticate the incoming client and create the AAA subscriber record for the client. The information in the AAA subscriber record is then used to determine the IP address pool from which to assign the address for the DHCP client. You can include the following elements in the username:

    Attachment parameters and DHCP parameters:

    • domain
    • circuit ID
    • user prefix
    • circuit type
    • MAC address
    • option 82
    • virtual router name

    Note: The nondomain portion of a constructed username must contain at least one character. Otherwise, the DHCP local server rejects the DHCP client without performing the AAA authentication request.

    When using authentication, AAA accepts the DHCP client as a subscriber—this enables you to use show commands to monitor configuration information and statistics about the client. You can also use the logout subscriber command to manage subscribers.

    To configure AAA-based authentication for DHCP local server standalone mode clients:

    Caution: Configuring authentication on the DHCP local server requires that you first disable the DHCP local server for standalone mode. Doing so removes your entire DHCP local server configuration. Therefore, if you want to configure authentication, do so before you have otherwise configured the DHCP local server.

    1. Disable the DHCP local server for standalone mode.
      host1(config)#no service dhcp-local standalone
    2. Enable AAA-based authentication for DHCP local server standalone mode clients.
      host1(config)#service dhcp-local standalone authenticate
    3. Specify the password that authenticates a locally configured DHCP standalone mode client. In DHCP standalone mode, the password is presented to AAA in an authentication request.
      host1(config)#ip dhcp-local auth password to4TooL8
    4. Specify the domain for a username that is locally configured for a DHCP standalone mode client. The locally configured username is presented to AAA in an authentication request.
      host1(config)#ip dhcp-local auth domain ISP1.com
    5. Specify the user-prefix for a username that is locally configured for a DHCP standalone mode client. The locally configured username is presented to AAA in an authentication request.
      host1(config)#ip dhcp-local auth user-prefix ERX4-Boston
    6. Include optional information as part of the locally configured username for a DHCP standalone mode client. The optional information becomes part of the AAA subscriber record, and is then used to determine the IP address pool from which to assign the address for the DHCP client.

      Use the following keywords to include specific information:

      • circuit-identifier—Specifies the circuit identifier of the interface on which the DHCP client’s request was received.
      • circuit-type—Specifies the circuit type of the interface on which the DHCP client’s request was received.
      • mac-address—Specifies the DHCP client’s MAC address.
      • option82—Specifies the DHCP client’s option 82 value.
      • virtual-router-name—Specifies the DHCP local server’s virtual router name.
      host1(config)#ip dhcp-local auth include virtual-router-name
      host1(config)#ip dhcp-local auth include circuit-type
      host1(config)#ip dhcp-local auth include circuit-identifier
    7. (Optional) Verify your authentication configuration.
      host1(config)#show ip dhcp-local auth config 
      
      DHCP Local Server Authentication Configuration
      User-Prefix          : ERX4-Boston
      Domain               : ISP1.com
      Password             : to4TooL8
      Virtual Router       : included
      Circuit Type         : included
      Circuit ID           : included
      MAC Address          : excluded
      Option 82            : excluded
      DHCP Local Server DHCP Options Configuration
      RADIUS DHCP Options : excluded
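
The note above says a client is rejected before AAA is consulted when the nondomain portion of the constructed username is empty. The following Python sketch is an added example, not part of the original guide or of any Juniper tooling: it parses the step 7 output and flags configurations that can produce an empty nondomain portion. It assumes that an unset user prefix appears as an empty value and that option 82 is the only element a client request may lack.

```python
import re

# Constructed sample: the output shown in step 7 of this page.
SAMPLE = """\
DHCP Local Server Authentication Configuration
User-Prefix          : ERX4-Boston
Domain               : ISP1.com
Password             : to4TooL8
Virtual Router       : included
Circuit Type         : included
Circuit ID           : included
MAC Address          : excluded
Option 82            : excluded
"""

# Optional username elements, as labelled in the show output.
OPTIONAL = ("Virtual Router", "Circuit Type", "Circuit ID", "MAC Address", "Option 82")
# Assumption: option 82 is the only element a client request may lack.
MAY_BE_ABSENT = {"Option 82"}


def parse_auth_config(text):
    """Return {label: value} for every 'Label : value' line of the output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit(text):
    """Return findings about the nondomain part of the constructed username."""
    cfg = parse_auth_config(text)
    included = [k for k in OPTIONAL if cfg.get(k) == "included"]
    findings = []
    if not cfg.get("User-Prefix"):  # assumption: unset prefix shows as empty
        if not included:
            findings.append("nondomain portion is always empty: "
                            "every client is rejected before AAA")
        elif set(included) <= MAY_BE_ABSENT:
            findings.append("nondomain portion is empty when the request "
                            "has no option 82")
    if not included:
        findings.append("no optional element included: "
                        "every client presents the same username")
    return findings
```

An empty list from `audit(SAMPLE)` means the user prefix or an always-present element guarantees a non-empty nondomain portion for every client.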

    Published: 2014-08-20