DHCP with External Authentication Server
Extended DHCP local server and the extended DHCP relay agent support the use of external AAA authentication services, such as RADIUS, to authenticate DHCP clients. For more information, read this topic.
This topic uses the term extended DHCP application to refer to both the extended DHCP local server and the extended DHCP relay agent.
Using External AAA Authentication Services to Authenticate DHCP Clients
The authentication, authorization, and accounting (AAA) Service Framework provides a single point of contact for all the authentication, authorization, accounting, address assignment, and dynamic request services that the router supports for network access.
In extended DHCP applications, both the DHCP local server and the DHCP relay agent support the use of external AAA authentication services, such as RADIUS, to authenticate DHCP clients. The support is also available for the DHCPv6 local server and DHCPv6 relay agent.
Junos OS devices use the AAA infrastructure to authenticate the DHCP client for DHCP service with the assigned DHCP server. The following high-level steps are involved in DHCP client authentication:
1. The DHCP local server or relay agent receives a discover PDU from a client.
2. The DHCP service contacts the AAA server to authenticate the DHCP client.
3. The DHCP service can obtain client addresses and DHCP configuration options from the external AAA authentication server.
The external authentication feature also supports AAA directed logout. If the external AAA service supports a user logout directive, the extended DHCP application honors the logout and views it as if it was requested by a CLI management command.
All of the client state information and allocated resources are deleted at logout. The extended DHCP application supports directed logout using the list of configured authentication servers you specify with the authentication-server statement at the [edit access profile profile-name] hierarchy level.
Steps to Configure DHCP with External Authentication Server
To configure DHCP local server and DHCP relay agent for authentication support:
- Specify that you want to configure authentication by including the authentication statement at the respective hierarchy levels.
- (Optional) Configure optional features to create a unique username.
- (Optional) Configure a password that authenticates the username to the external authentication service.
Example:
```
authentication {
    password password-string;
    username-include {
        circuit-type;
        delimiter delimiter-character;
        domain-name domain-name-string;
        logical-system-name;
        mac-address;
        option-60;
        option-82 <circuit-id> <remote-id>;
        routing-instance-name;
        user-prefix user-prefix-string;
    }
}
```
Client Configuration Information Exchanged Between the External Authentication Server, DHCP Application, and DHCP Client
When the DHCP application receives a response from an external authentication server, the response might include information in addition to the IP address and subnet mask. The DHCP service uses the information and sends it to the DHCP client.
The DHCP application can either send the information in its original form or the application might merge the information with local configuration specifications.
For example, if the authentication response includes an address pool name and a local configuration specifies DHCP attributes for that pool, the DHCP service merges the authentication results and the attributes in the reply that the server sends to the client.
A local configuration is optional—a client can be fully configured by the external authentication service. However, if the external authentication service does not provide client configuration, you must configure the local address assignment pool to provide the configuration for the client.
When a local configuration specifies options, the extended DHCP application adds the local configuration options to the offer PDU the server sends to the client. If the two sets of options overlap, the options in the authentication response from the external service take precedence.
When you use RADIUS to provide the authentication, the additional information might be in the form of RADIUS attributes and Juniper Networks VSAs. Table 1 lists the information that RADIUS might include in the authentication grant. See RADIUS Attributes and Juniper Networks VSAs Supported by the AAA Service Framework for a complete list of RADIUS attributes and Juniper Networks VSAs that the extended DHCP applications support for subscriber access management or DHCP management.
Table 1: Information That RADIUS Might Include in the Authentication Grant

| Attribute Number | Attribute Name | Description |
|---|---|---|
| RADIUS attribute 8 | Framed-IP-Address | Client IP address |
| RADIUS attribute 9 | Framed-IP-Netmask | Subnet mask for client IP address (DHCP option 1) |
| Juniper Networks VSA 26-4 | Primary-DNS | Primary domain server (DHCP option 6) |
| Juniper Networks VSA 26-5 | Secondary-DNS | Secondary domain server (DHCP option 6) |
| Juniper Networks VSA 26-6 | Primary-WINS | Primary WINS server (DHCP option 44) |
| Juniper Networks VSA 26-7 | Secondary-WINS | Secondary WINS server (DHCP option 44) |
| RADIUS attribute 27 | Session-Timeout | Lease time |
| RADIUS attribute 88 | Framed-Pool | Address assignment pool name |
| Juniper Networks VSA 26-109 | DHCP-Guided-Relay-Server | DHCP relay server |
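The merge behaviour described above (grant attributes translated to DHCP reply fields, local pool attributes for the Framed-Pool added underneath, grant values winning on overlap) as an added example. This is illustration code, not Junos OS code: the attribute-to-option mapping follows Table 1, while the pool contents, the grant, and the field names `client-address` and `lease-time` are constructed for the example.

```python
"""Added example, not Junos OS code: merge an external AAA (RADIUS) grant
with a local address-assignment pool as the text describes. The mapping
follows Table 1; pool and grant contents are constructed sample data."""
import ipaddress

# Table 1: RADIUS attribute / Juniper VSA name -> the DHCP reply field it feeds.
ATTR_TO_FIELD = {
    "Framed-IP-Address": "client-address",   # constructed field name
    "Framed-IP-Netmask": 1,                  # DHCP option 1, subnet mask
    "Primary-DNS": 6,                        # DHCP option 6, domain server list
    "Secondary-DNS": 6,
    "Primary-WINS": 44,                      # DHCP option 44, WINS server list
    "Secondary-WINS": 44,
    "Session-Timeout": "lease-time",         # constructed field name
}
LIST_OPTIONS = {6, 44}  # options that may carry several servers

# Constructed local pool: addresses to hand out plus DHCP attributes for the pool.
LOCAL_POOLS = {
    "gold": {
        "addresses": ["192.0.2.10", "192.0.2.11"],
        "options": {1: "255.255.255.0", 3: "192.0.2.1",
                    6: ["192.0.2.53"], "lease-time": 3600},
    },
}


def grant_to_fields(grant):
    """Translate the attributes of a RADIUS grant into DHCP reply fields.
    Attributes with no DHCP meaning here (e.g. Framed-Pool) are skipped."""
    fields = {}
    for attr, value in grant.items():
        key = ATTR_TO_FIELD.get(attr)
        if key is None:
            continue
        if key in LIST_OPTIONS:
            fields.setdefault(key, []).append(value)
        else:
            fields[key] = value
    return fields


def build_reply(grant, pools=LOCAL_POOLS):
    """Compose the reply the server sends to the client.

    Local pool attributes (selected by Framed-Pool) form the base; fields
    derived from the grant are applied on top, so on overlap the external
    service wins. A client address must come from the grant or the pool."""
    pool = pools.get(grant.get("Framed-Pool"))
    reply = dict(pool["options"]) if pool else {}
    reply.update(grant_to_fields(grant))
    if "client-address" not in reply:
        if not pool or not pool["addresses"]:
            raise ValueError("no client address from AAA and no local pool")
        reply["client-address"] = pool["addresses"][0]  # simplified: first address
    # Reject a malformed address before it is offered; it means a bad grant or pool.
    ipaddress.IPv4Address(reply["client-address"])
    return reply


if __name__ == "__main__":
    grant = {"Framed-IP-Address": "192.0.2.77", "Framed-IP-Netmask": "255.255.255.0",
             "Primary-DNS": "198.51.100.53", "Session-Timeout": 86400,
             "Framed-Pool": "gold"}
    print(build_reply(grant))
```

In the sample, the grant's DNS server replaces the pool's DNS list entirely rather than being appended, and the pool's router option (option 3) survives because the grant says nothing about it; a grant that carries only Framed-Pool falls back to the pool for both the address and every option.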
Example-Configuring DHCP with External Authentication Server
Use this example to configure authentication at the DHCP local server, DHCPv6 local server, DHCP relay agent, and DHCPv6 relay agent levels.
The following sample configuration creates a unique username. The username is shown after the configuration.
```
authentication {
    username-include {
        circuit-type;
        domain-name example.com;
        mac-address 2001:db8::/32;
        user-prefix wallybrown;
    }
}
```
The resulting unique username is:
```
wallybrown.2001:db8::/32.enet@example.com
```
Specifying Authentication Support
Include the authentication statement at the hierarchy levels given in Table 2. You can configure either global authentication support or group-specific support.

Table 2: Supported Hierarchy Levels

| Supported Hierarchy Level | Hierarchy Level |
|---|---|
| DHCP local server | |
| DHCP relay agent | |
| DHCPv6 local server | |
| DHCPv6 relay agent | |
Creating Unique Usernames for DHCP Clients
You can configure the extended DHCP application to include additional information in the username that is passed to the external AAA authentication service when the DHCP client logs in. This additional information enables you to construct usernames that uniquely identify subscribers (DHCP clients).
To configure unique usernames, use the username-include statement. You can include any or all of the additional statements.
```
authentication {
    username-include {
        circuit-type;
        client-id <exclude-headers> <use-automatic-ascii-hex-encoding>;
        delimiter delimiter-character;
        domain-name domain-name-string;
        interface-description (device-interface | logical-interface);
        interface-name;
        logical-system-name;
        mac-address;
        option-60;
        option-82 <circuit-id> <remote-id>;
        routing-instance-name;
        user-prefix user-prefix-string;
    }
}
```
If you do not include a username in the authentication configuration, the router (or switch) does not perform authentication; however, the IP address is provided by the local pool if it is configured.
When you use the DHCPv6 local server, you must configure authentication and the client username; otherwise client login fails.
The following list describes the optional information that you can include as part of the username:
- circuit-type—The circuit type used by the DHCP client, for example enet.
- client-id—The client identifier option (option 1). (DHCPv6 local server or DHCPv6 relay agent only)
- delimiter—The delimiter character that separates the components that make up the concatenated username. The default delimiter is a period (.). The semicolon (;) is not supported as a delimiter character.
- domain-name—The client domain name as a string. The router adds the @ delimiter to the username.
- interface-description—The description of the device (physical) interface or the logical interface.
- interface-name—The interface name, including the interface device and associated VLAN IDs.
- logical-system-name—The name of the logical system, if the receiving interface is in a logical system.
- mac-address—The client MAC address, in a string of the format xxxx.xxxx.xxxx.
- option-60—The portion of the option 60 payload that follows the length field. (Not supported for DHCPv6 local server)
- option-82 <circuit-id> <remote-id>—The specified contents of the option 82 payload. (Not supported for DHCPv6 local server)
  - circuit-id—The payload of the Agent Circuit ID suboption.
  - remote-id—The payload of the Agent Remote ID suboption.
  - Both circuit-id and remote-id—The payloads of both suboptions, in the format circuit-id[delimiter]remote-id.
  - Neither circuit-id nor remote-id—The raw payload of the option 82 from the PDU is concatenated to the username.

  Note: For DHCP relay agent, the option 82 value used in creating the username is based on the option 82 value that is encoded in the outgoing (relayed) PDU.
- relay-agent-interface-id—The Interface-ID option (option 18). (DHCPv6 local server or DHCPv6 relay agent only)
- relay-agent-remote-id—The DHCPv6 Relay Agent Remote-ID option (option 37). (DHCPv6 local server or DHCPv6 relay agent only)
- relay-agent-subscriber-id—(On routers only) The DHCPv6 Relay Agent Subscriber-ID option (option 38). (DHCPv6 local server or DHCPv6 relay agent only)
- routing-instance-name—The name of the routing instance, if the receiving interface is in a routing instance.
- user-prefix—A string indicating the user prefix.
- vlan-tags—The subscriber VLAN tags. Includes the outer VLAN tag and, if present, the inner VLAN tag. You can use this option instead of the interface-name option when the outer VLAN tag is unique across the system and you do not need the underlying physical interface name to be part of the format.
For DHCPv6 clients, because the DHCPv6 packet format has no specific field for the client MAC address, the MAC address is derived from among several sources with the following priority:
1. Client DUID Type 1 or Type 3.
2. Option 79 (client link-layer address), if present.
3. The packet source address if the client is directly connected.
4. The link local address.
The router (switch) creates the unique username by including the specified additional information in the following order, with the fields separated by a delimiter.
For DHCP local server and DHCP relay agent:
user-prefix[delimiter]mac-address[delimiter]logical-system-name[delimiter]routing-instance-name[delimiter]circuit-type[delimiter]interface-name[delimiter]option-82[delimiter]option-60@domain-name
For DHCPv6 local server:
user-prefix[delimiter]mac-address[delimiter]logical-system-name[delimiter]routing-instance-name[delimiter]circuit-type[delimiter]interface-name[delimiter]relay-agent-remote-id[delimiter]relay-agent-subscriber-id[delimiter]relay-agent-interface-id[delimiter]client-id@domain-name
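The username construction described above (field order for DHCP local server / DHCP relay agent and for DHCPv6 local server, the delimiter rule, the option 82 circuit-id / remote-id variants, and the @domain-name suffix) as an added example. This is illustration code, not Junos OS code: the dictionary representation of the option 82 payload, the `family` parameter, and all input values other than the page's wallybrown example are constructed assumptions.

```python
"""Added example, not Junos OS code: build the concatenated username in the
field order the text gives for DHCP (v4) and DHCPv6 local server. The
option-82 dict layout and the sample inputs are constructed."""

# Field order from the text; only fields that are configured appear.
V4_ORDER = ["user-prefix", "mac-address", "logical-system-name",
            "routing-instance-name", "circuit-type", "interface-name",
            "option-82", "option-60"]
V6_ORDER = ["user-prefix", "mac-address", "logical-system-name",
            "routing-instance-name", "circuit-type", "interface-name",
            "relay-agent-remote-id", "relay-agent-subscriber-id",
            "relay-agent-interface-id", "client-id"]


def format_mac(mac):
    """Render a MAC address in the xxxx.xxxx.xxxx form the username uses."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def option82_component(opt82, circuit_id, remote_id, delimiter):
    """Contribution of option 82: one suboption, both, or the raw payload.
    opt82 is a constructed dict with keys 'raw', 'circuit-id', 'remote-id'."""
    if circuit_id and remote_id:
        return opt82["circuit-id"] + delimiter + opt82["remote-id"]
    if circuit_id:
        return opt82["circuit-id"]
    if remote_id:
        return opt82["remote-id"]
    return opt82["raw"]  # neither keyword: raw option 82 payload


def build_username(fields, family="v4", delimiter=".", opt82_flags=()):
    """fields maps an include statement name (e.g. 'mac-address') to its
    value; family selects the DHCP or DHCPv6 local server order (assumed
    parameter). domain-name is appended after '@' rather than delimited."""
    if delimiter == ";":
        raise ValueError("semicolon is not supported as a delimiter")
    order = V4_ORDER if family == "v4" else V6_ORDER
    parts = []
    for name in order:
        if name not in fields:
            continue
        value = fields[name]
        if name == "option-82":
            value = option82_component(value, "circuit-id" in opt82_flags,
                                       "remote-id" in opt82_flags, delimiter)
        parts.append(value)
    username = delimiter.join(parts)
    if "domain-name" in fields:
        username += "@" + fields["domain-name"]
    return username


if __name__ == "__main__":
    # The page's own example input reproduces the username shown above.
    print(build_username({"user-prefix": "wallybrown", "mac-address": "2001:db8::/32",
                          "circuit-type": "enet", "domain-name": "example.com"}))
```

Because each field is optional, the delimiter count varies with the configuration; anything that parses these usernames on the RADIUS side (for example to extract the circuit-id) should key on the configured field set rather than on fixed positions.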
Grouping Interfaces with Common DHCP Configurations
You use the group feature to group a set of interfaces and then apply a common DHCP configuration to the named interface group. The extended DHCP local server, DHCPv6 local server, DHCP relay agent, and DHCPv6 relay agent all support interface groups.
The following steps create a DHCP local server group; the steps are similar for the DHCPv6 local server, DHCP relay agent, and DHCPv6 relay agent.
To configure a DHCP local server interface group:
- To configure an interface group, use the group statement. You can specify the names of one or more interfaces on which the extended DHCP application is enabled. You can repeat the interface interface-name statement to specify multiple interfaces within a group, but you cannot specify the same interface in more than one group. For example:
```
group boston {
    interface 192.168.10.1;
    interface 192.168.15.5;
}
```
- You can use the upto option to specify a range of interfaces on which the extended DHCP application is enabled. For example:
```
group quebec {
    interface 192.168.10.1 upto 192.168.10.255;
}
```
- You can use the exclude option to exclude a specific interface or a specified range of interfaces from the group. For example:
```
group paris {
    interface 192.168.100.1 exclude;
    interface 192.168.100.100 upto 192.168.100.125 exclude;
}
```
Example 2:
```
group group-name {
    authentication {
        password password-string;
        username-include {
            circuit-type;
            delimiter delimiter-character;
            domain-name domain-name-string;
            logical-system-name;
            mac-address;
            option-60;
            option-82 <circuit-id> <remote-id>;
            routing-instance-name;
            user-prefix user-prefix-string;
        }
    }
    interface interface-name <upto upto-interface-name> <exclude>;
}
```
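The group membership rules described above (a plain interface statement, an upto range, exclude entries, and the constraint that no interface may appear in more than one group) as an added example. This is illustration code, not Junos OS code: it follows the page in writing interface names as IPv4 addresses, so a range is expanded numerically between the two addresses, and the paris group below is a constructed variant with an included range so that its exclusions have something to act on.

```python
"""Added example, not Junos OS code: expand interface group entries with
upto / exclude and reject an interface that lands in two groups. Interface
names are treated as IPv4 addresses, as in the page's examples (assumption)."""
import ipaddress


def expand_range(start, upto=None):
    """All addresses from start through upto inclusive; just start if upto is None."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(upto) if upto else first
    if last < first:
        raise ValueError(f"upto {upto} precedes {start}")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(first), int(last) + 1)]


def group_members(entries):
    """entries: (start, upto, exclude) tuples mirroring
    'interface start <upto upto> <exclude>'. Excluded interfaces are
    removed from whatever the included entries produced."""
    included, excluded = set(), set()
    for start, upto, exclude in entries:
        (excluded if exclude else included).update(expand_range(start, upto))
    return included - excluded


def check_groups(groups):
    """groups: group name -> entries. Returns name -> member set, or raises
    if the same interface is specified in more than one group."""
    owner, result = {}, {}
    for name, entries in groups.items():
        members = group_members(entries)
        for intf in sorted(members):
            if intf in owner:
                raise ValueError(f"{intf} is in both {owner[intf]} and {name}")
            owner[intf] = name
        result[name] = members
    return result


# The page's boston and quebec groups, and a constructed paris variant that
# includes .1-.200 before applying the page's two exclude statements.
BOSTON = [("192.168.10.1", None, False), ("192.168.15.5", None, False)]
QUEBEC = [("192.168.10.1", "192.168.10.255", False)]
PARIS = [("192.168.100.1", "192.168.100.200", False),
         ("192.168.100.1", None, True),
         ("192.168.100.100", "192.168.100.125", True)]


if __name__ == "__main__":
    for name, members in check_groups({"boston": BOSTON, "paris": PARIS}).items():
        print(name, len(members))
    try:
        check_groups({"boston": BOSTON, "quebec": QUEBEC})
    except ValueError as err:
        print("rejected:", err)
```

Run together, the page's boston and quebec examples collide on 192.168.10.1, which is exactly the configuration the text forbids; the check surfaces that before the configuration is committed.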