DHCP Client Authentication With An External AAA Authentication Service

Include the authentication statement at hierarchy levels given in Table 1. You can configure either global authentication support or group-specific support.

You can configure the extended DHCP application to include additional information in the username that is passed to the external AAA authentication service when the DHCP client logs in. This additional information enables you to construct usernames that uniquely identify subscribers (DHCP clients).

To configure unique usernames, use the username-include statement. You can include any or all of the additional statements.

The following list describes the optional information that you can include as part of the username:

• circuit-type—The circuit type used by the DHCP client, for example enet.

• client-id—The client identifier option (option 1). (DHCPv6 local server DHCPv6 relay agent only)

• delimiter—The delimiter character that separates components that make up the concatenated username. The default delimiter is a period (.). The semicolon (;) is not supported as a delimiter character.

• domain-name—The client domain name as a string. The router adds the @ delimiter to the username.

• interface-description—The description of the device (physical) interface or the logical interface.

• interface-name—The interface name, including the interface device and associated VLAN IDs.

• logical-system-name—The name of the logical system, if the receiving interface is in a logical system.

• mac-address—The client MAC address, in a string of the format xxxx.xxxx.xxxx.

• option-60—The portion of the option 60 payload that follows the length field. (Not supported for DHCPv6 local server)

• option-82 <circuit-id> <remote-id>—The specified contents of the option 82 payload. (Not supported for DHCPv6 local server)

  • circuit-id—The payload of the Agent Circuit ID suboption.

  • remote-id—The payload of the Agent Remote ID suboption.

  • Both circuit-id and remote-id—The payloads of both suboptions, in the format: circuit-id[delimiter]remote-id.

  • Neither circuit-id or remote-id—The raw payload of the option 82 from the PDU is concatenated to the username.

  Note:

  For DHCP relay agent, the option 82 value used in creating the username is based on the option 82 value that is encoded in the outgoing (relayed) PDU.

• relay-agent-interface-id—The Interface-ID option (option 18). (DHCPv6 local server or DHCPv6 relay agent only)

• relay-agent-remote-id—The DHCPv6 Relay Agent Remote-ID option (option 37). (DHCPv6 local server or DHCPv6 relay agent only)

• relay-agent-subscriber-id—(On routers only) The DHCPv6 Relay Agent Subscriber-ID option (option 38). (DHCPv6 local server or DHCPv6 relay agent only)

• routing-instance-name—The name of the routing instance, if the receiving interface is in a routing instance.

• user-prefix—A string indicating the user prefix.

• vlan-tags—The subscriber VLAN tags. Includes the outer VLAN tag and, if present, the inner VLAN tag. You can use this option instead of the interface-name option when the outer VLAN tag is unique across the system and you do not need the underlying physical interface name to be part of the format.

For DHCPv6 clients, because the DHCPv6 packet format has no specific field for the client MAC address, the MAC address is derived from among several sources with the following priority:

• Client DUID Type 1 or Type 3.

• Option 79 (client link-layer address), if present.

• The packet source address if the client is directly connected.

• The link local address.

The router (switch) creates the unique username by including the specified additional information in the following order, with the fields separated by a delimiter.

For DHCP local server and DHCP relay agent:

For DHCPv6 local server:

To configure authentication at DHCP local server, DHCPv6 local server, DHCP relay agent, and DHCPv6 relay agent levels.