topic Re: Authentication first before DHCP in Network Access Control

Authentication first before DHCP

rhuel.phils — Wed, 17 Jan 2018 07:22:38 GMT

Hi, In our current deployment we allow endpoint to get IP address then it will authenticate.

is it possible we first allow the device to authenticate then after successful auth they will

get IP.

Any one test this scenario?

Re: Authentication first before DHCP

Craig Hyps — Wed, 17 Jan 2018 17:29:39 GMT

It depends on auth type. Using 802.1X, it is certainly possible to authenticate via L2 protocol and then allow access to DHCP after successful authentication. This is definitely the case in closed mode where endpoint has no access until auth successful.

For MAB, it is also possible to first authenticate/authorize MAC address prior to IP address assignment. Of course, it is not possible to perform web authentication until IP address received. This is why a typical CWA policy will allow DHCP and set redirect as the result of MAC auth.

RADIUS Accounting Interim Update with notify ISE if IP address received after initial authentication and Accounting Start sent.

Re: Authentication first before DHCP

rhuel.phils — Thu, 18 Jan 2018 02:10:33 GMT

Hi chyps,

Do you have link or manual I can refer to apply the information you said?

Re: Authentication first before DHCP

hslai — Thu, 18 Jan 2018 06:41:43 GMT

See How To: ISE Phased Deployments and How To: Deploy ISE in Closed Mode

and Cisco Live BRKSEC-2691

For Wireless, it requires auth first before DHCP, unless the WLAN setup in open mode.