Configuring VLAN Interface Username Information for AAA Authentication

You can define interface information that is included in the username that is subsequently passed to the external AAA authentication service (for example, RADIUS) when creating dynamic VLANs or stacked VLANs. The AAA authentication service uses this information to authenticate the VLAN or stacked VLAN physical interface. Once authenticated, the AAA service can send the required routing instance values to the system for use in dynamically creating VLAN or stacked VLAN interfaces.

The username-include statement supports the following statement options:

  • circuit-type—The circuit type used by the client, for example enet.
  • delimiter—The delimiter character that separates components that make up the concatenated username. The default delimiter is a period (.). The semicolon (;) is not supported as a delimiter character.
  • domain-name—The client domain name as a string. The router adds the @ delimiter to the username.
  • interface-name—The interface name as a string. The router appends the interface name and VLAN ID or stacked VLAN ID to the username string used for authentication. The appended information takes the following format:

    • For single VLAN—<interface-name>:<4-digit-vlan-id>
    • For stacked VLANs—<interface-name>:<4-digit-svlan-id>-<4-digit-vlan-id>
  • mac-address—The client hardware address (chaddr), obtained from the DHCP discover packet, in a string of the format xxxx.xxxx.xxxx. (Used for DHCPv4 packet authentication only.)
  • option-82—The raw payload of the option 82 from the PDU is concatenated to the username. (Used for DHCPv4 packet authentication only.)
  • radius-realm—A string indicating the RADIUS realm.
  • user-prefix—A string indicating the user prefix.

The username takes the format <user-prefix><mac-address><circuit-type><option-82><interface-name><domain-name><radius-realm> with each component separated by whatever delimiter you choose.
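The following added example (not Juniper code) models the username layout described above to show why the delimiter choice matters on the AAA side: with the default period, the xxxx.xxxx.xxxx MAC address format makes the username ambiguous to split. It assumes zero-padded VLAN IDs and that the domain is attached with @ in place of the delimiter; option-82 and radius-realm are left out, and all function names and sample values are constructed for illustration.

```python
# Added example: models the username layout described above; not router code.
ORDER = ("user_prefix", "mac_address", "circuit_type", "interface_name")

def vlan_component(ifname, vlan_id, svlan_id=None):
    """<ifname>:<vvvv> or <ifname>:<ssss>-<vvvv>; zero padding is assumed."""
    ids = [i for i in (svlan_id, vlan_id) if i is not None]
    if any(not 1 <= i <= 4094 for i in ids):
        raise ValueError("VLAN ID must be in 1..4094")
    return f"{ifname}:" + "-".join(f"{i:04d}" for i in ids)

def build_username(parts, delimiter=".", domain_name=None):
    """Join the components present in `parts` in the documented order."""
    if len(delimiter) != 1 or delimiter == ";":
        raise ValueError("delimiter must be a single character other than ';'")
    name = delimiter.join(parts[k] for k in ORDER if k in parts)
    # Assumption: the domain is attached with '@' instead of the delimiter.
    return f"{name}@{domain_name}" if domain_name else name

def colliding_parts(parts, delimiter="."):
    """Components whose own value contains the delimiter (ambiguous to split)."""
    return [k for k in ORDER if delimiter in parts.get(k, "")]

def parse_username(username, fields, delimiter="."):
    """AAA-side split that rejects a username with an unexpected field count."""
    local, _, domain = username.partition("@")
    values = local.split(delimiter)
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
    parsed = dict(zip(fields, values))
    if domain:
        parsed["domain_name"] = domain
    return parsed

# Constructed sample values, not taken from the page.
SAMPLE = {
    "user_prefix": "sub",
    "mac_address": "0011.2233.4455",
    "interface_name": vlan_component("ge-0/0/0", 100),
}

if __name__ == "__main__":
    print(build_username(SAMPLE, "_", "example.com"))
    print(colliding_parts(SAMPLE, "."))
```

A policy on the AAA server that splits the username should be checked against every component you include, because interface names such as ge-0/0/0 also contain hyphens and slashes.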

Note: The following example configures username information on VLANs. However, you can also configure dynamic authentication on stacked VLANs by configuring the same statements at the [edit interfaces interface-name auto-configure stacked-vlan-ranges authentication] hierarchy level.

To configure VLAN interface username information:

  1. Access the interface over which you want to configure username information.
    user@host# edit interfaces ge-0/0/0
  2. Edit the auto-configure stanza.
    [edit interfaces ge-0/0/0]
    user@host# edit auto-configure
  3. Edit the vlan-ranges stanza.
    [edit interfaces ge-0/0/0 auto-configure]
    user@host# edit vlan-ranges
  4. Edit the authentication stanza.
    [edit interfaces ge-0/0/0 auto-configure vlan-ranges]
    user@host# edit authentication
  5. Edit the username-include stanza.
  6. Specify the username statements that you want the AAA authentication service to use to authenticate the username.
    [edit interfaces ge-0/0/0 auto-configure vlan-ranges authentication username-include]
    user@host# set delimiter

Published: 2010-04-15

