Technical Documentation
New
Configuring AAA Authentication for DHCP Local Server Standalone Mode
The DHCP local server enables you to optionally configure AAA-based authentication of standalone mode DHCP clients. In addition to providing increased security, AAA authentication also provides RADIUS-based input to IP address pool selection for standalone mode clients. By default, clients are not authenticated in standalone mode.
Typically, an incoming DHCP client does not provide a username—therefore, the DHCP local server constructs a username based on the user’s attachment parameters and optional DHCP parameters. AAA uses the constructed username to authenticate the incoming client and create the AAA subscriber record for the client. The information in the AAA subscriber record is then used to determine the IP address pool from which to assign the address for the DHCP client. You can include the following elements in the username:
Attachment Parameters | DHCP Parameters |
|---|---|
domain | circuit ID |
user prefix | circuit type |
– | MAC address |
– | option 82 |
– | virtual router name |
 | Note: The nondomain portion of a constructed username must contain at least one character. Otherwise, the DHCP local server rejects the DHCP client without performing the AAA authentication request. |
When using authentication, AAA accepts the DHCP client as a subscriber—this enables you to use show commands to monitor configuration information and statistics about the client. You can also use the logout subscriber command to manage subscribers.
To configure AAA-based authentication for DHCP local server standalone mode clients:
 | Caution: Configuring authentication on the DHCP local server requires that you first disable the DHCP local server for standalone mode. Doing so removes your entire DHCP local server configuration. Therefore, if you want to configure authentication, do so before you have otherwise configured the DHCP local server. |
- Disable the DHCP local server for standalone mode.host1(config)#no service dhcp-local standalone
- Enable AAA-based authentication for DHCP local server
standalone mode clients.host1(config)#service dhcp-local standalone authenticate
- Specify the password. that authenticates a locally configured
DHCP standalone mode client. In DHCP standalone mode, the password
is presented to AAA in an authentication request.host1(config)#ip dhcp-local auth password to4tooL8
- Specify the domain for a username that is locally configured
for a DHCP standalone mode client. The locally configured username
is presented to AAA in an authentication request. host1(config)#ip dhcp-local auth domain ISP1.com
- Specify the user-prefix for a username that is locally
configured for a DHCP standalone mode client. The locally configured
username is presented to AAA in an authentication request.host1(config)#ip dhcp-local auth user-prefix ERX4-Boston
- Include optional information as part of the locally configured
username for a DHCP standalone mode client. The optional information
becomes part of the AAA subscriber record, and is then used to determine
the IP address pool from which to assign the address for the DHCP
client.
Use the following keywords to include specific information:
- circuit-identifier—Specifies the circuit identifier of the interface on which the DHCP client’s request was received.
- circuit-type—Specifies the circuit type of the interface on which the DHCP client’s request was received.
- mac-address—Specifies the DHCP client’s MAC address.
- option82—Specifies the DHCP client’s option 82 value.
- virtual-router-name—Specifies
the DHCP local server’s virtual router name.host1(config)#ip dhcp-local auth include virtual-router-name host1(config)#ip dhcp-local auth include circuit-type host1(config)#ip dhcp-local auth include circuit-identifier
- (Optional) Verify your authentication configuration.
host1(config)#show ip dhcp-local auth config
DHCP Local Server Authentication Configuration
User-Prefix : ERX4-Boston Domain : ISP1.com Password : to4TooL8 Virtual Router : included Circuit Type : included Circuit ID : included MAC Address : excluded Option 82 : excluded
DHCP Local Server DHCP Options Configuration
RADIUS DHCP Options : excluded
