Configuring AAA Authentication for DHCP Local Server Standalone Mode
The DHCP local server enables you to optionally configure AAA-based authentication of standalone mode DHCP clients. In addition to providing increased security, AAA authentication also provides RADIUS-based input to IP address pool selection for standalone mode clients. By default, clients are not authenticated in standalone mode.
Typically, an incoming DHCP client does not provide a username. Therefore, the DHCP local server constructs a username based on the user's attachment parameters and optional DHCP parameters. AAA uses the constructed username to authenticate the incoming client and create the AAA subscriber record for the client. The information in the AAA subscriber record is then used to determine the IP address pool from which to assign the address for the DHCP client. You can include the following elements in the username:
NOTE: The nondomain portion of a constructed username must contain at least one character. Otherwise, the DHCP local server rejects the DHCP client without performing the AAA authentication request.
When using authentication, AAA accepts the DHCP client as a subscriber. This enables you to use show commands to monitor configuration information and statistics about the client. You can also use the logout subscriber command to manage subscribers.
To configure AAA-based authentication for DHCP local server standalone mode clients:
- Disable the DHCP local server for standalone mode.
  host1(config)#no service dhcp-local standalone
- Enable AAA-based authentication for DHCP local server standalone mode clients.
  host1(config)#service dhcp-local standalone authenticate
- Specify the password that authenticates a locally configured DHCP standalone mode client. In DHCP standalone mode, the password is presented to AAA in an authentication request.
  host1(config)#ip dhcp-local auth password to4tooL8
- Specify the domain for a username that is locally configured for a DHCP standalone mode client. The locally configured username is presented to AAA in an authentication request.
  host1(config)#ip dhcp-local auth domain ISP1.com
- Specify the user-prefix for a username that is locally configured for a DHCP standalone mode client. The locally configured username is presented to AAA in an authentication request.
  host1(config)#ip dhcp-local auth user-prefix ERX4-Boston
- Include optional information as part of the locally configured username for a DHCP standalone mode client. The optional information becomes part of the AAA subscriber record, and is then used to determine the IP address pool from which to assign the address for the DHCP client.
  Use the following keywords to include specific information:
  - circuit-identifier: Specifies the circuit identifier of the interface on which the DHCP client's request was received.
  - circuit-type: Specifies the circuit type of the interface on which the DHCP client's request was received.
  - mac-address: Specifies the DHCP client's MAC address.
  - option82: Specifies the DHCP client's option 82 value.
  - virtual-router-name: Specifies the DHCP local server's virtual router name.
  host1(config)#ip dhcp-local auth include virtual-router-name
  host1(config)#ip dhcp-local auth include circuit-type
  host1(config)#ip dhcp-local auth include circuit-identifier
- (Optional) Verify your authentication configuration.
  host1(config)#show ip dhcp-local auth config
  DHCP Local Server Authentication Configuration
  User-Prefix : ERX4-Boston
  Domain : ISP1.com
  Password : to4TooL8
  Virtual Router : included
  Circuit Type : included
  Circuit ID : included
  MAC Address : excluded
  Option 82 : excluded
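The verification step can be scripted over captured output. The following Python sketch is an added example, not part of the original documentation or of any vendor tooling: it parses the show output above, applies the NOTE's rule that the nondomain portion of the username must not be empty, and redacts the password (which the command displays in clear text) before the output is stored. The function names are hypothetical, and two points are assumptions: that the nondomain portion is built from the user-prefix plus the included elements, and that an unset user-prefix is shown as an empty value.

```python
import re

# Constructed sample: the show output from this page, one field per line.
SAMPLE = """\
DHCP Local Server Authentication Configuration
User-Prefix : ERX4-Boston
Domain : ISP1.com
Password : to4TooL8
Virtual Router : included
Circuit Type : included
Circuit ID : included
MAC Address : excluded
Option 82 : excluded
"""

# Optional username elements as labelled in the show output.
OPTIONAL_FIELDS = ("Virtual Router", "Circuit Type", "Circuit ID",
                   "MAC Address", "Option 82")

def parse_auth_config(text):
    """Parse 'Name : value' lines into a dict; the title line has no colon."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def included_elements(fields):
    """Return the optional elements that are part of the constructed username."""
    return [f for f in OPTIONAL_FIELDS if fields.get(f) == "included"]

def audit(fields):
    """Return findings for settings that would make the server reject clients."""
    findings = []
    # Assumption: an unset user-prefix appears as an empty value.
    if not fields.get("User-Prefix") and not included_elements(fields):
        findings.append("nondomain portion of the username would be empty; "
                        "clients are rejected without an AAA request")
    return findings

def redact(text):
    """Mask the password value so captured output can be logged or shared."""
    # [ \t]* instead of \s* so an empty value never swallows the next line.
    return re.sub(r"(?m)^([ \t]*Password[ \t]*:[ \t]*).*$", r"\1<redacted>", text)

if __name__ == "__main__":
    cfg = parse_auth_config(SAMPLE)
    print("username elements:", included_elements(cfg))
    print("findings:", audit(cfg) or "none")
    print(redact(SAMPLE))
```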