Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configuring RADIUS Reauthentication for DHCP Subscribers

You can configure reauthentication as an alternative to RADIUS CoA messages as a means to change characteristics of the subscriber session, such as activating or changing service plans or changing DHCP subscriber attributes. When configured, reauthentication is triggered when the DHCP local server receives a renew, rebind, discover, or solicit message from a DHCP client. The message triggers jdhcpd to request reauthentication from authd, which in turn reissues the RADIUS Access-Request for a second subscriber authentication. Reauthentication is available for DHCPv4, DHCPv6, and dual-stack subscribers.

Starting in Junos OS Release 18.1R1, reauthentication can be triggered by discover and solicit messages in addition to the previously supported renew and rebind messages. The release also introduces reauthentication support for dual-stack, single-session subscribers.

You can use the reauthenticate statement to configure reauthentication to occur in response to all DHCP renew, rebind, discover, or solicit messages or only in response to those messages when they include a different Agent Remote ID for the DHCP client. The Agent Remote ID carries information about the subscriber’s service plan, so a change in ID value corresponds to a change in the subscriber service plan. The Agent Remote ID is conveyed in option 82, suboption 2 for DHCPv4 clients and in option 37 for DHCPv6 clients.

You can also use the Juniper Networks VSA, Reauthentication-On-Renew (26-206) as an alternative to the CLI configuration to enable reauthentication. The VSA is conveyed in the RADIUS Access-Accept message at subscriber login, and must be configured on your RADIUS server. The reauthenticate statement overrides the VSA when the VSA is present with a value of disable.

Configure reauthentication for non-dual-stack, single session DHCP subscribers:

  • (Optional) Specify reauthentication is triggered by receipt of every renew, rebind, discover, and solicit message.

    For DHCPv4 subscribers:

    For DHCPv6 subscribers:

  • (Optional) Specify reauthentication is triggered only when the Agent Remote ID has changed in the received discover or solicit message.

    For DHCPv4 subscribers:

    For DHCPv6 subscribers:

Configure reauthentication for dual-stack, single session DHCP subscribers:

  1. Configure addresses to be allocated on demand for subscribers in the dual-stack group.
  2. (Optional) Specify reauthentication is triggered for every subscriber in the dual-stack group by receipt of every renew, rebind, discover, and solicit message.
  3. (Optional) Specify reauthentication is triggered for every subscriber in the dual-stack group only when the Agent Remote ID has changed in the received discover or solicit message.

A change in the Agent Remote ID can also initiate a service change during renew and rebind operations when the remote-id-mismatch statement is configured. You cannot configure both the remote-id-mismatch statement and the reauthenticate statement at the global level, [edit system services dhcp-local-server]. However, DHCP precedence rules do permit you to configure both statements when they are at different levels. For example, you can configure reauthenticate at the global level and remote-id-mismatch for DHCPv6 at the [edit system services dhcp-local-server dhcpv6] hierarchy level or for a specific group at the [edit system services dhcp-local-server group name] hierarchy level, and so on.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
18.1R1
Starting in Junos OS Release 18.1R1, reauthentication can be triggered by discover and solicit messages in addition to the previously supported renew and rebind messages. The release also introduces reauthentication support for dual-stack, single-session subscribers.