Using External AAA Authentication Services

Both the extended DHCP local server and the extended DHCP relay agent support the use of external AAA authentication services, such as RADIUS, to authenticate DHCP clients. When the extended DHCP local server or relay agent receives a discover PDU from a client, the extended DHCP application contacts the AAA server to authenticate the DHCP client. The extended DHCP application can obtain client addresses and DHCP configuration options from the external AAA authentication server.

Note: This section uses the term extended DHCP application to refer to both the extended DHCP local server and the extended DHCP relay agent.

The external authentication feature also supports AAA directed logout. If the external AAA service supports a user logout directive, the extended DHCP application honors the logout and views it as if it was requested by a CLI management command. All of the client state information and allocated resources are deleted at logout. The extended DHCP application supports directed logout using the list of configured authentication servers you specify with the authentication-server statement at the [edit access profile profile-name] hierarchy level.

To configure authentication support for an extended DHCP application, include the authentication statement at these hierarchy levels. You can configure either global authentication support or group-specific support.

You must configure the username-include statement to enable the use of authentication. The password statement is not required and does not cause DHCP to use authentication if the username-include statement is not included.

Extended DHCP local server hierarchies:

• [edit system services dhcp-local-server]
• [edit system services dhcp-local-server group group-name]
• [edit logical-systems logical-system-name routing-instances routing-instance-name system services dhcp-local-server]
• [edit logical-systems logical-system-name routing-instances routing-instance-name system services dhcp-local-server group group-name]
• [edit logical-systems logical-system-name system services dhcp-local-server]
• [edit logical-systems logical-system-name system services dhcp-local-server group group-name]
• [edit logical-systems logical-system-name routing-instances routing-instance-name system services dhcp-local-server]
• [edit logical-systems logical-system-name routing-instances routing-instance-name system services dhcp-local-server group group-name]
• [edit routing-instances routing-instance-name system services dhcp-local-server]
• [edit routing-instances routing-instance-name system services dhcp-local-server group group-name]

Extended DHCP relay agent hierarchies:

• [edit forwarding-options dhcp-relay]
• [edit forwarding-options dhcp-relay group group-name]
• [edit logical-systems logical-system-name forwarding-options dhcp-relay]
• [edit logical-systems logical-system-name forwarding-options dhcp-relay group group-name]
• [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay]
• [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay group group-name]
• [edit routing-instances routing-instance-name forwarding-options dhcp-relay]
• [edit routing-instances routing-instance-name forwarding-options dhcp-relay group group-name]

The extended DHCP applications enable you to group together a set of interfaces and apply a common DHCP configuration to the named interface group.

To configure an interface group, use the group statement.

You can specify the names of one or more interfaces on which the extended DHCP application is enabled. You can repeat the interface interface-name statement to specify multiple interfaces within a group, but you cannot specify the same interface in more than one group. For example:

You can use the upto option to specify a range of interfaces on which the extended DHCP application is enabled. For example:

You can use the exclude option to exclude a specific interface or a specified range of interfaces from the group. For example:

You can configure an optional password that the extended DHCP application presents to the external AAA authentication service to authenticate the specified username.

To configure a password that authenticates the username, use the password statement. See Configuring Special Requirements for Plain-Text Passwords for information about supported characters in passwords. For example:

You can configure the extended DHCP application to include additional fields in the username passed to the external AAA authentication service when the DHCP client logs in. This additional information enables you to construct usernames that uniquely identify subscribers.

Note: No authentication is performed if you do not include a username in the authentication configuration; however, the IP address is provided by the local pool if it is configured.

To configure unique usernames, use the username-include statement. You can include any or all of the additional statements.

The following list describes the attributes that can be included as part of the username:

• circuit-type—The circuit type used by the DHCP client, for example enet.
• delimiter—The delimiter character that separates components that make up the concatenated username. The semicolon (;) is not supported as a delimiter character.
• domain-name—The client domain name as string. The router adds the @ delimiter to the username.
• logical-system-name—The name of the logical system, if the receiving interface is in a logical system.
• mac-address—The client MAC address, in a string of the format xxxx.xxxx.xxxx.
• option-60—The portion of the option 60 payload that follows the length field.
• option-82 <circuit-id> <remote-id>;—The specified contents of the option 82 payload.
  • circuit-id—The payload of the Agent Circuit ID suboption.
  • remote-id—The payload of the Agent Remote ID suboption.
  • Both circuit-id and remote-id—The payloads of both suboptions, in the format: circuit-id[delimiter]remote-id.
  • Neither circuit-id or remote-id—The raw payload of the option 82 from the PDU is concatenated to the username.
• routing-instance-name—The name of the routing instance, if the receiving interface is in a routing instance.
• user-prefix—A string indicating the user prefix.

The router creates the unique username by including the specified additional information in the following order, with the fields separated by a delimiter. The default delimiter is a period (.). You can specify a different delimiter; however, the semicolon character (;) is not allowed.

This example shows a sample configuration that creates a unique username. The username is shown after the configuration.

Configuration

Resulting Unique Username

When the extended DHCP application receives a response from an external authentication server, the response might include information in addition to the IP address and subnet mask. The extended DHCP application uses the information from the authentication grant for the response the DHCP application sends to the DHCP client. The DHCP application can either send the information in its original form or the application might merge the information with local configuration specifications. For example, if the authentication grant includes an address pool name and a local configuration specifies DHCP attributes for that pool, the extended DHCP application merges the authentication results and the attributes in the reply that the server sends to the client.

A local configuration is optional — a client can be fully configured by the external authentication service. However, if the external authentication service does not provide client configuration, you must configure the local address assignment pool to provide the configuration for the client. When a local configuration specifies options, the extended DHCP application adds the local configuration options to the offer PDU the server sends to the client. If the two sets of options overlap, the options in the authentication response from the external service take precedence.

When you use RADIUS to provide the authentication, the additional information might be in the form of RADIUS attributes and Juniper Networks VSAs. The following list shows the information that RADIUS might include in the authentication grant. See RADIUS Attributes and Juniper Networks VSAs Supported by the AAA Service Framework for a complete list of RADIUS attributes and Juniper Networks VSAs that the extended DHCP applications supports for subscriber access management.

• Client IP address—RADIUS attribute 8, Framed-IP-Address
• Subnet mask for client IP address (DHCP option 1)—RADIUS attribute 9, Framed-IP-Netmask
• Primary domain server (DHCP option 6)—VSA 26-4, Primary-DNS
• Secondary domain server (DHCP option 6)—VSA 26-5 Secondary-DNS
• Primary WINS server (DHCP option 44)—VSA 26-6, Primary-WINS
• Secondary WINS server (DHCP option 44)—VSA 26-7, Secondary-WINS
• Address assignment pool name—RADIUS attribute 88, Framed-Pool
• Lease time—RADIUS attribute 27, Session-Timeout
• DHCP relay server—VSA 26-109, DHCP-Guided-Relay-Server

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.