[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring AAA Authentication for DHCP Local Server Standalone Mode

The DHCP local server enables you to optionally configure AAA-based authentication of standalone mode DHCP clients. In addition to providing increased security, AAA authentication also provides RADIUS-based input to IP address pool selection for standalone mode clients. By default, clients are not authenticated in standalone mode.

Typically, an incoming DHCP client does not provide a username—therefore, the DHCP local server constructs a username based on the user’s attachment parameters and optional DHCP parameters. AAA uses the constructed username to authenticate the incoming client and create the AAA subscriber record for the client. The information in the AAA subscriber record is then used to determine the IP address pool from which to assign the address for the DHCP client. You can include the following elements in the username:

Attachment Parameters

DHCP Parameters

domain

circuit ID

user prefix

circuit type

MAC address

option 82

virtual router name

Note: The nondomain portion of a constructed username must contain at least one character. Otherwise, the DHCP local server rejects the DHCP client without performing the AAA authentication request.

When using authentication, AAA accepts the DHCP client as a subscriber—this enables you to use show commands to monitor configuration information and statistics about the client. You can also use the logout subscriber command to manage subscribers.

To configure AAA-based authentication for DHCP local server standalone mode clients:

Caution: Configuring authentication on the DHCP local server requires that you first disable the DHCP local server for standalone mode. Doing so removes your entire DHCP local server configuration. Therefore, if you want to configure authentication, do so before you have otherwise configured the DHCP local server.

  1. Disable the DHCP local server for standalone mode.
    host1(config)#no service dhcp-local standalone
  2. Enable AAA-based authentication for DHCP local server standalone mode clients.
    host1(config)#service dhcp-local standalone authenticate
  3. Specify the password. that authenticates a locally configured DHCP standalone mode client. In DHCP standalone mode, the password is presented to AAA in an authentication request.
    host1(config)#ip dhcp-local auth password to4tooL8
  4. Specify the domain for a username that is locally configured for a DHCP standalone mode client. The locally configured username is presented to AAA in an authentication request.
    host1(config)#ip dhcp-local auth domain ISP1.com
  5. Specify the user-prefix for a username that is locally configured for a DHCP standalone mode client. The locally configured username is presented to AAA in an authentication request.
    host1(config)#ip dhcp-local auth user-prefix ERX4-Boston
  6. Include optional information as part of the locally configured username for a DHCP standalone mode client. The optional information becomes part of the AAA subscriber record, and is then used to determine the IP address pool from which to assign the address for the DHCP client.

    Use the following keywords to include specific information:

  7. (Optional) Verify your authentication configuration. 
    host1(config)#show ip dhcp-local auth config 


    

    DHCP Local Server Authentication Configuration
    

    

    User-Prefix          : ERX4-Boston
Domain               : ISP1.com
Password             : to4TooL8
Virtual Router       : included
Circuit Type         : included
Circuit ID           : included
MAC Address          : excluded
Option 82            : excluded
    

    8. 



Related Topics




[Contents]
[Prev]
[Next]

[Index]

[Report an Error]










Copyright © 2008, Juniper Networks, Inc.
All rights reserved.
	Trademark Notice.