Configuring RADIUS Reauthentication for DHCP Subscribers
You can configure reauthentication as an alternative to RADIUS CoA messages as a means to change characteristics of the subscriber session, such as activating or changing service plans or changing DHCP subscriber attributes. When configured, reauthentication is triggered when the DHCP local server receives a renew, rebind, discover, or solicit message from a DHCP client. The message triggers jdhcpd to request reauthentication from authd, which in turn reissues the RADIUS Access-Request for a second subscriber authentication. Reauthentication is available for DHCPv4, DHCPv6, and dual-stack subscribers.
Starting in Junos OS Release 18.1R1, reauthentication can be triggered by discover and solicit messages in addition to the previously supported renew and rebind messages. The release also introduces reauthentication support for dual-stack, single-session subscribers.
You can use the reauthenticate statement to configure reauthentication to occur in response to all DHCP renew, rebind, discover, or solicit messages, or only in response to those messages when they include a different Agent Remote ID for the DHCP client. The Agent Remote ID carries information about the subscriber's service plan, so a change in ID value corresponds to a change in the subscriber service plan. The Agent Remote ID is conveyed in option 82, suboption 2 for DHCPv4 clients and in option 37 for DHCPv6 clients.

You can also use the Juniper Networks VSA, Reauthentication-On-Renew (26-206), as an alternative to the CLI configuration to enable reauthentication. The VSA is conveyed in the RADIUS Access-Accept message at subscriber login, and must be configured on your RADIUS server. The reauthenticate statement overrides the VSA when the VSA is present with a value of disable.
Configure reauthentication for non-dual-stack, single-session DHCP subscribers:

(Optional) Specify that reauthentication is triggered by receipt of every renew, rebind, discover, and solicit message.

For DHCPv4 subscribers:
[edit system services dhcp-local-server]
user@host# set reauthenticate lease-renewal

For DHCPv6 subscribers:
[edit system services dhcp-local-server dhcpv6]
user@host# set reauthenticate lease-renewal

(Optional) Specify that reauthentication is triggered only when the Agent Remote ID has changed in the received discover or solicit message.

For DHCPv4 subscribers:
[edit system services dhcp-local-server]
user@host# set reauthenticate remote-id-mismatch

For DHCPv6 subscribers:
[edit system services dhcp-local-server dhcpv6]
user@host# set reauthenticate remote-id-mismatch
Configure reauthentication for dual-stack, single-session DHCP subscribers:

A change in the Agent Remote ID can also initiate a service change during renew and rebind operations when the remote-id-mismatch statement is configured. You cannot configure both the remote-id-mismatch statement and the reauthenticate statement at the global level, [edit system services dhcp-local-server]. However, DHCP precedence rules do permit you to configure both statements when they are at different levels. For example, you can configure reauthenticate at the global level and remote-id-mismatch for DHCPv6 at the [edit system services dhcp-local-server dhcpv6] hierarchy level, or for a specific group at the [edit system services dhcp-local-server group name] hierarchy level, and so on.
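The following is an added example, not Junos or jdhcpd code: a small Python model of the trigger decision described above, covering the Agent Remote ID extraction (option 82 suboption 2 for DHCPv4, option 37 for DHCPv6), the lease-renewal and remote-id-mismatch behaviours, and the rule that the CLI reauthenticate statement overrides a Reauthentication-On-Renew VSA value of disable. The ReauthPolicy class, the message-type names, and the sample option bytes are constructed for illustration; treating the VSA alone as equivalent to lease-renewal is an assumption of this model, not a statement from the page.

```python
# Added example: a Python model of the reauthentication trigger decision
# described on this page. It is not jdhcpd/authd code; message-type names,
# the ReauthPolicy class and the sample bytes are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

# DHCP client messages that can trigger reauthentication (Junos 18.1R1 and later)
TRIGGER_MESSAGES = frozenset({"renew", "rebind", "discover", "solicit"})

OPTION82_REMOTE_ID = 2        # DHCPv4: option 82, suboption 2 = Agent Remote ID
DHCPV6_OPTION_REMOTE_ID = 37  # DHCPv6: option 37 (OPTION_REMOTE_ID, RFC 4649)


def parse_option82_suboptions(payload: bytes) -> dict:
    """Parse the payload of DHCPv4 option 82 (Relay Agent Information) into
    {suboption_code: value}. Each suboption is code(1) length(1) data(len)."""
    subopts = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated suboption header in option 82")
        code, length = payload[i], payload[i + 1]
        i += 2
        if i + length > len(payload):
            raise ValueError("truncated suboption data in option 82")
        subopts[code] = payload[i:i + length]
        i += length
    return subopts


def parse_dhcpv6_remote_id(payload: bytes):
    """Parse the payload of DHCPv6 option 37: a 4-byte enterprise number
    followed by the opaque remote-id bytes."""
    if len(payload) < 4:
        raise ValueError("option 37 payload shorter than enterprise-number field")
    return int.from_bytes(payload[:4], "big"), payload[4:]


@dataclass
class ReauthPolicy:
    # reauthenticate statement from the CLI: "lease-renewal",
    # "remote-id-mismatch", or None when not configured
    cli_mode: Optional[str]
    # Reauthentication-On-Renew VSA (26-206) from the Access-Accept at login:
    # True = enabled, False = disable, None = VSA absent
    vsa_reauth_on_renew: Optional[bool]

    def effective_mode(self) -> Optional[str]:
        # The CLI statement overrides the VSA, including a VSA value of disable.
        if self.cli_mode is not None:
            return self.cli_mode
        # Assumption in this model: the VSA alone behaves like lease-renewal.
        if self.vsa_reauth_on_renew:
            return "lease-renewal"
        return None


def should_reauthenticate(policy, message_type, stored_remote_id, received_remote_id) -> bool:
    """Decide whether jdhcpd would ask authd for a second RADIUS Access-Request."""
    mode = policy.effective_mode()
    if mode is None or message_type not in TRIGGER_MESSAGES:
        return False
    if mode == "lease-renewal":
        return True
    if mode == "remote-id-mismatch":
        # Only a changed Agent Remote ID (a service-plan change) triggers it;
        # a message carrying no Remote ID cannot indicate a change.
        return received_remote_id is not None and received_remote_id != stored_remote_id
    raise ValueError(f"unknown reauthenticate mode {mode!r}")


def evaluate_dhcpv4(policy, message_type, option82_payload, stored_remote_id) -> bool:
    """Extract the Agent Remote ID from a DHCPv4 message's option 82 and apply the policy."""
    received = parse_option82_suboptions(option82_payload).get(OPTION82_REMOTE_ID)
    return should_reauthenticate(policy, message_type, stored_remote_id, received)


def evaluate_dhcpv6(policy, message_type, option37_payload, stored_remote_id) -> bool:
    """Extract the Remote ID from a DHCPv6 message's option 37 and apply the policy."""
    _enterprise, received = parse_dhcpv6_remote_id(option37_payload)
    return should_reauthenticate(policy, message_type, stored_remote_id, received)


if __name__ == "__main__":
    # Constructed sample: option 82 with Circuit ID (suboption 1) "eth0" and
    # Remote ID (suboption 2) "plan-gold"; the subscriber logged in with "plan-silver".
    opt82 = b"\x01\x04eth0" + b"\x02\x09plan-gold"
    policy = ReauthPolicy(cli_mode="remote-id-mismatch", vsa_reauth_on_renew=None)
    print(evaluate_dhcpv4(policy, "renew", opt82, b"plan-silver"))  # True: plan changed
    print(evaluate_dhcpv4(policy, "renew", opt82, b"plan-gold"))    # False: same plan
```

The model makes the two operational points visible: a remote-id-mismatch policy never reauthenticates on a message that carries no Remote ID at all, and a VSA value of disable is ignored as soon as reauthenticate is configured in the CLI, so checking the RADIUS profile alone does not tell you whether a subscriber will be reauthenticated.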