Both the extended DHCP local server and the extended DHCP relay agent support the use of external AAA authentication services, such as RADIUS, to authenticate DHCP clients. When the extended DHCP local server or relay agent receives a discover PDU from a client, the extended DHCP application contacts the AAA server to authenticate the DHCP client. The extended DHCP application can obtain client addresses and DHCP configuration options from the external AAA authentication server.
Note: This section uses the term extended DHCP application to refer to both the extended DHCP local server and the extended DHCP relay agent.
The external authentication feature also supports AAA directed logout. If the external AAA service supports a user logout directive, the extended DHCP application honors the logout and treats it as if it had been requested by a CLI management command. All of the client state information and allocated resources are deleted at logout. The extended DHCP application supports directed logout using the list of configured authentication servers you specify with the authentication-server statement at the [edit access profile profile-name] hierarchy level.
To configure authentication support for an extended DHCP application, include the authentication statement at these hierarchy levels. You can configure either global authentication support or group-specific support.
You must configure the username-include statement to enable the use of authentication. The password statement is not required and does not cause DHCP to use authentication if the username-include statement is not included.
Extended DHCP local server hierarchies:
Extended DHCP relay agent hierarchies:
```
authentication {
    password password-string;
    username-include {
        circuit-type;
        delimiter delimiter-character;
        domain-name domain-name-string;
        logical-system-name;
        mac-address;
        option-60;
        option-82 <circuit-id> <remote-id>;
        routing-instance-name;
        user-prefix user-prefix-string;
    }
}
```
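Because a password statement without username-include leaves authentication unused, a configuration review can check for that case. The following script is an added example, not Juniper code: it scans brace-format configuration text (one statement per line) and reports each authentication stanza that has no username-include. The hierarchy names and the group name edge-a in the sample are assumptions, and the sample itself is constructed.

```python
# Added example, not Juniper code. Hierarchy names in SAMPLE are assumptions.
SAMPLE = """\
system {
    services {
        dhcp-local-server {
            authentication {
                password "constructed-secret";
            }
            group edge-a {
                authentication {
                    password "constructed-secret";
                    username-include {
                        mac-address;
                    }
                }
            }
        }
    }
}
"""

def audit_dhcp_authentication(config_text):
    """Return (path, has_password) per authentication stanza lacking username-include."""
    findings, stack, auth = [], [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        inside_auth = bool(stack) and stack[-1] == "authentication"
        if line.endswith("{"):
            name = line[:-1].strip()
            if inside_auth and name == "username-include":
                auth[-1]["username"] = True   # stanza will authenticate
            if name == "authentication":
                auth.append({"path": " ".join(stack),
                             "password": False, "username": False})
            stack.append(name)
        elif line.startswith("}"):
            if stack and stack.pop() == "authentication":
                rec = auth.pop()
                if not rec["username"]:       # password alone is not enough
                    findings.append((rec["path"], rec["password"]))
        elif inside_auth and line.split()[0] == "password":
            auth[-1]["password"] = True
    return findings

if __name__ == "__main__":
    for path, has_password in audit_dhcp_authentication(SAMPLE):
        print(f"[edit {path}] no username-include; password set: {has_password}")
```

In the sample, the global stanza is reported because it sets only a password, while the group stanza passes because it includes username-include.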