In many networks, the username has specific meaning with respect to the domain (ISP) where the user should be authenticated. To identify the user correctly, the username in an authentication-request message should contain a domain name. The domain name can be derived from different places. In PPPoE authentication, the domain name is provided by the PPPoE client with the username used in PAP or CHAP authentication. For DHCP hosts, similar functionality is implemented by a "pre-authentication" lookup in a local user database before performing the RADIUS request.
For example, the domain name can be derived from option60, which contains the vendor-specific string identifying the ISP that commissioned the set-top box.
To append a domain name to a DHCP host, the following configuration steps should be taken:
Under the (group or IP) interface of the service, a local user database should be configured in the DHCP node and no authentication policy should be configured.
In the local user database, there should be a host entry containing both the domain name to be appended and an authentication policy that should be used for RADIUS authentication of the host. The host entry should contain no other information needed for setting up the host (IP address, ESM string); otherwise, the DHCP request is dropped.
In the authentication policy, the user-name-format command should contain the parameter append domain-name.
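The lookup described above can be modelled offline to check which RADIUS username a given DHCP request would produce. The following Python sketch is an added example, not router code or vendor configuration. It assumes the username format is the client MAC address, that the domain is joined with "@", and that a request matching no host entry is dropped; the class, function and sample names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LudbHost:  # hypothetical model of a local user database host entry
    match_option60: bytes            # vendor string the entry matches on
    domain_name: str                 # domain to append to the username
    auth_policy: str                 # policy used for the RADIUS request
    ip_address: Optional[str] = None   # host setup data: must stay unset
    esm_string: Optional[str] = None   # host setup data: must stay unset

def parse_dhcp_options(raw: bytes) -> dict:
    """Walk the DHCP options field (code, length, value) as in RFC 2132."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 255:              # End option
            break
        if code == 0:                # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of buffer" % code)
        opts[code] = value
        i += 2 + length
    return opts

def pre_authenticate(mac: str, raw_options: bytes, ludb: list):
    """Return (auth_policy, radius_username), or None if the request is dropped."""
    vendor = parse_dhcp_options(raw_options).get(60)
    for host in ludb:
        if vendor is not None and host.match_option60 == vendor:
            if host.ip_address or host.esm_string:
                return None          # entry carries setup data: request dropped
            return host.auth_policy, f"{mac}@{host.domain_name}"  # "@" is assumed
    return None                      # no matching entry (assumed to drop)

# Constructed sample: option 53 (DHCPDISCOVER), option 60 "ISP-A-STB", End.
SAMPLE_OPTIONS = bytes([53, 1, 1, 60, 9]) + b"ISP-A-STB" + bytes([255])
SAMPLE_LUDB = [LudbHost(b"ISP-A-STB", "isp-a.example", "radius-isp-a")]

if __name__ == "__main__":
    print(pre_authenticate("00:11:22:33:44:55", SAMPLE_OPTIONS, SAMPLE_LUDB))
```
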