Technical Documentation

Using External AAA Authentication Services to Authenticate DHCP Clients

Both the extended DHCP local server and the extended DHCP relay agent support the use of external AAA authentication services, such as RADIUS, to authenticate DHCP clients. When the extended DHCP local server or relay agent receives a discover PDU from a client, the extended DHCP application contacts the AAA server to authenticate the DHCP client. The extended DHCP application can obtain client addresses and DHCP configuration options from the external AAA authentication server.

Note: This topic uses the term extended DHCP application to refer to both the extended DHCP local server and the extended DHCP relay agent.

The external authentication feature also supports AAA directed logout. If the external AAA service supports a user logout directive, the extended DHCP application honors the logout and treats it as if it had been requested by a CLI management command. All of the client's state information and allocated resources are deleted at logout. The extended DHCP application supports directed logout using the list of authentication servers you configure with the authentication-server statement at the [edit access profile profile-name] hierarchy level.

The tasks for configuring external AAA authentication services are:

  1. Configuring Authentication Support for an Extended DHCP Application
  2. Grouping Interfaces with Common DHCP Configurations
  3. Configuring Passwords for Usernames the DHCP Application Presents to the External AAA Authentication Service
  4. Creating Unique Usernames the Extended DHCP Application Passes to the External AAA Authentication Service

Configuring Authentication Support for an Extended DHCP Application

To configure authentication support for an extended DHCP application, include the authentication statement at one of the following hierarchy levels. You can configure either global authentication support or group-specific support.

You must configure the username-include statement to enable the use of authentication. The password statement is not required and does not cause DHCP to use authentication if the username-include statement is not included.

Extended DHCP local server hierarchies:

  • [edit system services dhcp-local-server]
  • [edit system services dhcp-local-server group group-name]
  • [edit logical-systems logical-system-name routing-instances routing-instance-name system services dhcp-local-server]
  • [edit logical-systems logical-system-name routing-instances routing-instance-name system services dhcp-local-server group group-name]
  • [edit logical-systems logical-system-name system services dhcp-local-server]
  • [edit logical-systems logical-system-name system services dhcp-local-server group group-name]
  • [edit routing-instances routing-instance-name system services dhcp-local-server]
  • [edit routing-instances routing-instance-name system services dhcp-local-server group group-name]

Extended DHCP relay agent hierarchies:

  • [edit forwarding-options dhcp-relay]
  • [edit forwarding-options dhcp-relay group group-name]
  • [edit logical-systems logical-system-name forwarding-options dhcp-relay]
  • [edit logical-systems logical-system-name forwarding-options dhcp-relay group group-name]
  • [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay]
  • [edit logical-systems logical-system-name routing-instances routing-instance-name forwarding-options dhcp-relay group group-name]
  • [edit routing-instances routing-instance-name forwarding-options dhcp-relay]
  • [edit routing-instances routing-instance-name forwarding-options dhcp-relay group group-name]

authentication {
    password password-string;
    username-include {
        circuit-type;
        delimiter delimiter-character;
        domain-name domain-name-string;
        logical-system-name;
        mac-address;
        option-60;
        option-82 <circuit-id> <remote-id>;
        routing-instance-name;
        user-prefix user-prefix-string;
    }
}

Grouping Interfaces with Common DHCP Configurations

The extended DHCP applications enable you to group together a set of interfaces and apply a common DHCP configuration to the named interface group.

To configure an interface group, use the group statement.

group group-name {
    authentication {
        password password-string;
        username-include {
            circuit-type;
            delimiter delimiter-character;
            domain-name domain-name-string;
            logical-system-name;
            mac-address;
            option-60;
            option-82 <circuit-id> <remote-id>;
            routing-instance-name;
            user-prefix user-prefix-string;
        }
    }
    interface interface-name <upto upto-interface-name> <exclude>;
}

You can specify the names of one or more interfaces on which the extended DHCP application is enabled. You can repeat the interface interface-name statement to specify multiple interfaces within a group, but you cannot specify the same interface in more than one group. For example:

group boston {
    interface 192.168.10.1;
    interface 192.168.15.5;
}

You can use the upto option to specify a range of interfaces on which the extended DHCP application is enabled. For example:

group quebec {
    interface 192.168.10.1 upto 192.168.10.255;
}

You can use the exclude option to exclude a specific interface or a specified range of interfaces from the group. For example:

group paris {
    interface 192.168.100.1 exclude;
    interface 192.168.100.100 upto 192.168.100.125 exclude;
}

Configuring Passwords for Usernames the DHCP Application Presents to the External AAA Authentication Service

You can configure an optional password that the extended DHCP application presents to the external AAA authentication service to authenticate the specified username.

To configure a password that authenticates the username, use the password statement. See Special Requirements for JUNOS Software Plain-Text Passwords for information about supported characters in passwords. For example:

authentication {
    password myPassworD1234;
}

Creating Unique Usernames the Extended DHCP Application Passes to the External AAA Authentication Service

You can configure the extended DHCP application to include additional fields in the username passed to the external AAA authentication service when the DHCP client logs in. This additional information enables you to construct usernames that uniquely identify subscribers.

Note: No authentication is performed if you do not include a username in the authentication configuration; however, the IP address is provided by the local pool if it is configured.

To configure unique usernames, use the username-include statement. You can include any or all of the additional statements.

authentication {
    username-include {
        circuit-type;
        delimiter delimiter-character;
        domain-name domain-name-string;
        logical-system-name;
        mac-address;
        option-60;
        option-82 <circuit-id> <remote-id>;
        routing-instance-name;
        user-prefix user-prefix-string;
    }
}

The following list describes the attributes that can be included as part of the username:

  • circuit-type—The circuit type used by the DHCP client, for example enet.
  • delimiter—The delimiter character that separates components that make up the concatenated username. The semicolon (;) is not supported as a delimiter character.
  • domain-name—The client domain name, as a string. The router adds the @ delimiter between the rest of the username and the domain name.
  • logical-system-name—The name of the logical system, if the receiving interface is in a logical system.
  • mac-address—The client MAC address, in a string of format xxxx.xxxx.xxxx.
  • option-60—The portion of the option 60 payload that follows the length field.
  • option-82 <circuit-id> <remote-id>—The specified contents of the option 82 payload.
    • circuit-id—The payload of the agent circuit ID suboption.
    • remote-id—The payload of the Agent Remote ID suboption.
    • Both circuit-id and remote-id—The payloads of both suboptions, in the format: circuit-id[delimiter]remote-id.
    • Neither circuit-id nor remote-id—The raw payload of option 82 from the PDU is concatenated to the username.
  • routing-instance-name—The name of the routing instance, if the receiving interface is in a routing instance.
  • user-prefix—A string indicating the user prefix.

The router creates the unique username by including the specified additional information in the following order, with the fields separated by a delimiter. The default delimiter is a period (.). You can specify a different delimiter; however, the semicolon character (;) is not allowed.

user-prefix[delimiter]mac-address[delimiter]logical-system-name[delimiter]
routing-instance-name[delimiter]circuit-type[delimiter]option-82[delimiter]
option-60@domain-name

The following example shows a sample configuration that creates a unique username. The username is shown after the configuration.

authentication {
    username-include {
        circuit-type;
        domain-name isp55.com;
        mac-address;
        user-prefix wallybrown;
    }
}

The resulting unique username is:

wallybrown.0090.1a01.1234.enet@isp55.com
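The following is an added worked example, not Juniper code, that reproduces the username-construction rules above in Python: it concatenates only the configured fields, in the documented order, with the configured delimiter (default "."), appends "@domain-name" last, handles the four option-82 cases, skips logical-system-name and routing-instance-name when the receiving interface is not in one, and rejects a semicolon delimiter. The two-dictionary representation of the username-include stanza and of the per-client values, and the sample client values, are this example's own conventions and constructed data.

```python
"""Build the username an extended DHCP application presents to the AAA service.

Added example (not Juniper's implementation).  The `include` dict stands in for
the username-include stanza; the `client` dict holds values observed from the
client's PDU and receiving interface.  Both representations are assumptions of
this example, as are the sample values in main().
"""
from typing import Mapping, Optional, Sequence

# Order in which the router concatenates the optional components
# (domain-name is appended last, after an "@", and is not part of this list).
FIELD_ORDER = (
    "user-prefix",
    "mac-address",
    "logical-system-name",
    "routing-instance-name",
    "circuit-type",
    "option-82",
    "option-60",
)

OPTION82_SUBOPTIONS = ("circuit-id", "remote-id")


def validate_delimiter(delimiter: str) -> str:
    """Apply the documented restriction: a semicolon is not a valid delimiter."""
    if ";" in delimiter:
        raise ValueError("semicolon (;) is not supported as a delimiter character")
    return delimiter


def _option82_part(selection: object, client: Mapping[str, str], delimiter: str) -> Optional[str]:
    """Return the option-82 component for the configured suboption selection.

    selection is True when `option-82;` is configured with neither suboption
    (raw payload), or a sequence naming circuit-id and/or remote-id.
    """
    if selection is True:
        return client.get("option-82-raw") or None
    chosen = [
        client.get(f"option-82-{name}", "")
        for name in OPTION82_SUBOPTIONS      # circuit-id always precedes remote-id
        if name in selection
    ]
    return delimiter.join(chosen) if chosen else None


def build_username(include: Mapping[str, object], client: Mapping[str, str]) -> str:
    """Concatenate the configured fields in FIELD_ORDER, then add @domain-name."""
    delimiter = validate_delimiter(str(include.get("delimiter", ".")))
    parts = []
    for field in FIELD_ORDER:
        if not include.get(field):
            continue                         # statement not configured
        if field == "user-prefix":
            parts.append(str(include[field]))
        elif field == "option-82":
            part = _option82_part(include[field], client, delimiter)
            if part:
                parts.append(part)
        else:
            # logical-system-name / routing-instance-name are absent when the
            # receiving interface is not in one; mac-address, circuit-type and
            # option-60 come from the client PDU.
            value = client.get(field)
            if value:
                parts.append(value)
    username = delimiter.join(parts)
    domain = include.get("domain-name")
    return f"{username}@{domain}" if domain else username


def main() -> None:
    # Constructed sample mirroring the page's configuration example.
    include = {"circuit-type": True, "domain-name": "isp55.com",
               "mac-address": True, "user-prefix": "wallybrown"}
    client = {"mac-address": "0090.1a01.1234", "circuit-type": "enet"}
    print(build_username(include, client))  # wallybrown.0090.1a01.1234.enet@isp55.com


if __name__ == "__main__":
    main()
```

Running the script prints the same username the page derives for its example; adding "option-82": ("circuit-id", "remote-id") and a "delimiter" of "-" to the include dict shows the circuit-id[delimiter]remote-id form with a custom separator.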

Published: 2010-04-26