07-21-2021 01:11 AM
Hi,
Consider this scenario: Joe connected his laptop to an ethernet port on the edge node switch in his corporate network. He had to authenticate using the supplicant installed on his laptop. So he entered his username and password. He got access to the network and was assigned an IP address in VLAN 100 and an SGT tag. Assume that 802.1X was used for authentication, then consider the following questions.
1) How did Joe communicate with the edge node switch (the authenticator) without an IP address, before he was assigned an IP address?
2) How did ISE (the authentication server) choose to give Joe an IP address in VLAN 100? What was the role of the DHCP server here? Were there any DHCP packet exchanges between Joe's laptop and the DHCP server?
Thanks
07-21-2021 06:03 AM
1) How did Joe communicate with the edge node switch (the authenticator) without an IP address, before he was assigned an IP address?
-Joe's client will use EAPOL to initiate the onboarding process. EAPOL will be used between the client supplicant and the switch; RADIUS is then used between the authenticator (switch) and the authentication server (ISE). See the following:
Wired 802.1X Deployment Guide - Cisco
2) How did ISE (the authentication server) choose to give Joe an IP address in VLAN 100? What was the role of the DHCP server here? Were there any DHCP packet exchanges between Joe's laptop and the DHCP server?
-The ISE RADIUS policies. Inside these policies there are conditions that you configure to match onboarding for clients that you wish to steer into VLAN 100. The authorization profiles are essentially the results that you assign to clients that match your conditions. Inside the authz profile you configure items such as the VLAN.
See here for more info: Cisco ISE & NAC Resources - Cisco Community
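The exchange described in this answer, as an added example that is not part of the thread or of any Cisco code: the supplicant's EAPOL-Start and EAP-Response/Identity are plain Ethernet frames (EtherType 0x888E) with no IP header, which is why Joe needs no address to talk to the authenticator; the switch then reads the VLAN out of ISE's RADIUS Access-Accept from the RFC 3580 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID="100") and the SGT from a Cisco vendor-specific cisco-av-pair. The MAC address, shared secret and Request Authenticator are constructed values, and the `cts:security-group-tag=0010-00` av-pair format is an assumption about how ISE encodes the SGT, not something stated in the thread.

```python
"""Constructed example: the frames Joe's supplicant sends with no IP address, and how the
switch pulls VLAN and SGT out of ISE's Access-Accept after checking its authenticator."""
import hashlib
import struct

PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 2
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

RADIUS_ACCESS_ACCEPT = 2
ATTR_VSA, ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM, ATTR_TUNNEL_GROUP = 26, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6       # RFC 3580 VLAN assignment values
VENDOR_CISCO, CISCO_AVPAIR = 9, 1


def eapol_frame(src_mac: bytes, pkt_type: int, body: bytes = b"") -> bytes:
    """Layer 2 only: Ethernet header + EAPOL header + body. No IP or UDP anywhere."""
    eth = PAE_GROUP_MAC + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", EAPOL_VERSION, pkt_type, len(body)) + body


def eap_response_identity(eap_id: int, identity: str) -> bytes:
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data


def is_eapol(frame: bytes) -> bool:
    return len(frame) >= 18 and frame[12:14] == struct.pack("!H", ETHERTYPE_EAPOL)


def attr(t: int, value: bytes) -> bytes:
    return struct.pack("!BB", t, 2 + len(value)) + value


def tagged(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + value           # RFC 2868 tunnel attributes carry a tag byte


def access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs) -> bytes:
    """Code 2 packet; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, identifier, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def authenticator_ok(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The switch must verify this before honouring any VLAN or SGT in the reply."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return packet[4:20] == expected


def parse_attrs(packet: bytes):
    length = struct.unpack("!H", packet[2:4])[0]
    off, out = 20, []
    while off < length:
        t, l = packet[off], packet[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("malformed RADIUS attribute")
        out.append((t, packet[off + 2:off + l]))
        off += l
    return out


def authorized_vlan(packet: bytes):
    """VLAN id only when Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and the group id share a tag."""
    if packet[0] != RADIUS_ACCESS_ACCEPT:
        return None
    groups = {}
    for t, v in parse_attrs(packet):
        if t in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM, ATTR_TUNNEL_GROUP) and v:
            tag, payload = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            groups.setdefault(tag, {})[t] = payload
    for g in groups.values():
        if (g.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and g.get(ATTR_TUNNEL_MEDIUM) == TUNNEL_MEDIUM_802.to_bytes(3, "big")
                and ATTR_TUNNEL_GROUP in g):
            return int(g[ATTR_TUNNEL_GROUP].decode())
    return None


def cisco_avpairs(packet: bytes):
    """cisco-av-pair strings inside Vendor-Specific (26, vendor 9), e.g. the SGT."""
    out = []
    for t, v in parse_attrs(packet):
        if t == ATTR_VSA and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == VENDOR_CISCO:
            off = 4
            while off + 2 <= len(v) and v[off + 1] >= 2:
                vt, vl = v[off], v[off + 1]
                if vt == CISCO_AVPAIR:
                    out.append(v[off + 2:off + vl].decode())
                off += vl
    return out


def demo():
    joe_mac = bytes.fromhex("001122334455")                     # constructed MAC
    start = eapol_frame(joe_mac, EAPOL_START)
    ident = eapol_frame(joe_mac, EAPOL_EAP_PACKET, eap_response_identity(1, "joe"))
    req_auth, secret = bytes(range(16)), b"constructed-shared-secret"
    sgt = b"cts:security-group-tag=0010-00"                     # SGT 16; av-pair format assumed
    accept = access_accept(7, req_auth, secret, [
        attr(ATTR_TUNNEL_TYPE, tagged(1, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))),
        attr(ATTR_TUNNEL_MEDIUM, tagged(1, TUNNEL_MEDIUM_802.to_bytes(3, "big"))),
        attr(ATTR_TUNNEL_GROUP, tagged(1, b"100")),
        attr(ATTR_VSA, struct.pack("!I", VENDOR_CISCO) + attr(CISCO_AVPAIR, sgt)),
    ])
    vlan = authorized_vlan(accept) if authenticator_ok(accept, req_auth, secret) else None
    return start, ident, accept, vlan
```

The point of `authenticator_ok` is that the VLAN decision is only as trustworthy as the RADIUS shared secret: a forged Access-Accept that carries a different Tunnel-Private-Group-ID fails the Response Authenticator check and must be discarded by the switch rather than applied to the port.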
07-21-2021 09:28 AM
Thanks @Mike.Cifelli. But you did not explain if any DHCP packet exchange took place or not. I assume that the edge node switch (after receiving authorization information for Joe from ISE) will relay the DHCP request packet from Joe's laptop to the DHCP server. The DHCP server will then assign the client an IP address from the VLAN 100 pool. Is that correct?
Thanks
07-21-2021 10:13 AM
Thanks @Mike.Cifelli. But you did not explain if any DHCP packet exchange took place or not. I assume that the edge node switch (after receiving authorization information for Joe from ISE) will relay the DHCP request packet from Joe's laptop to the DHCP server. The DHCP server will then assign the client an IP address from the VLAN 100 pool. Is that correct?
-From a high level, yes. Using DNAC you will still assign your typical IP helper that will get deployed to your ENs.
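The DHCP leg this reply confirms, as an added example that is not part of the thread or of any Cisco or DNAC code: while the port is unauthorized only EAPOL is forwarded, so a DISCOVER would be dropped; once ISE's authorization lands, Joe's DISCOVER (sent from 0.0.0.0, since he still has no address) is relayed by the edge node's IP helper with giaddr set to the VLAN 100 SVI address, and the DHCP server selects its scope from that giaddr, which is how the lease comes out of the VLAN 100 pool. The SVI address, scope ranges and client MAC below are constructed values.

```python
"""Constructed example of the DHCP exchange after 802.1X authorization: port gating,
DISCOVER relayed via the edge node's IP helper (giaddr), scope selection on the server."""
import ipaddress
import struct

ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IPV4 = 0x0800
BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCPDISCOVER, DHCPOFFER = 1, 2
XID, YIADDR, GIADDR = slice(4, 8), slice(16, 20), slice(24, 28)   # fixed BOOTP offsets

# Constructed topology: the edge node's VLAN 100 SVI and the server's scopes.
VLAN100_SVI = "10.100.0.1"
SCOPES = {"VLAN100": "10.100.0.0/24", "VLAN200": "10.200.0.0/24"}
JOE_MAC = bytes.fromhex("001122334455")


def port_forwards(authorized: bool, ethertype: int) -> bool:
    """802.1X port access control: an unauthorized port passes only EAPOL (0x888E)."""
    return authorized or ethertype == ETHERTYPE_EAPOL


def dhcp_discover(client_mac: bytes, xid: int) -> bytes:
    """DISCOVER as the supplicant sends it: ciaddr/yiaddr/siaddr/giaddr all 0.0.0.0 and the
    broadcast flag set; on the wire it rides in IP 0.0.0.0:68 -> 255.255.255.255:67."""
    hdr = struct.pack("!BBBBIHH", BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000)
    hdr += bytes(16)                       # ciaddr, yiaddr, siaddr, giaddr
    hdr += client_mac + bytes(10)          # chaddr padded to 16 bytes
    hdr += bytes(64) + bytes(128)          # sname, file
    opts = DHCP_MAGIC + bytes([53, 1, DHCPDISCOVER]) + bytes([55, 3, 1, 3, 6]) + b"\xff"
    return hdr + opts


def relay_to_server(payload: bytes, svi_ip: str) -> bytes:
    """What 'ip helper-address' does on the edge node: if giaddr is still zero, fill in the
    address of the SVI the broadcast arrived on, bump hops, then unicast it to the server."""
    giaddr = payload[GIADDR]
    if giaddr == bytes(4):
        giaddr = ipaddress.IPv4Address(svi_ip).packed
    hops = min(payload[3] + 1, 255)
    return payload[:3] + bytes([hops]) + payload[4:24] + giaddr + payload[28:]


def select_scope(payload: bytes, scopes: dict) -> str:
    """Server side: giaddr, not the IP source and not any 802.1Q tag, picks the scope."""
    giaddr = ipaddress.IPv4Address(payload[GIADDR])
    for name, subnet in scopes.items():
        if giaddr in ipaddress.IPv4Network(subnet):
            return name
    raise LookupError("no scope covers giaddr %s" % giaddr)


def build_offer(discover: bytes, yiaddr: str) -> bytes:
    """OFFER echoes xid, chaddr and giaddr; the server unicasts it to giaddr and the relay
    hands it to the client on VLAN 100."""
    out = bytearray(discover[:236])
    out[0] = BOOTREPLY
    out[YIADDR] = ipaddress.IPv4Address(yiaddr).packed
    return bytes(out) + DHCP_MAGIC + bytes([53, 1, DHCPOFFER]) + b"\xff"


def run_exchange(port_authorized: bool):
    """Return (scope, offered_ip) for Joe, or None while the port is still unauthorized."""
    discover = dhcp_discover(JOE_MAC, xid=0x1234ABCD)
    if not port_forwards(port_authorized, ETHERTYPE_IPV4):
        return None                        # dropped at the port: only EAPOL gets through yet
    relayed = relay_to_server(discover, VLAN100_SVI)
    scope = select_scope(relayed, SCOPES)
    net = ipaddress.IPv4Network(SCOPES[scope])
    offered = next(h for h in net.hosts() if h != ipaddress.IPv4Address(VLAN100_SVI))
    offer = build_offer(relayed, str(offered))
    assert offer[GIADDR] == relayed[GIADDR] and offer[XID] == discover[XID]
    return scope, str(ipaddress.IPv4Address(offer[YIADDR]))


if __name__ == "__main__":
    print(run_exchange(port_authorized=False))
    print(run_exchange(port_authorized=True))
```

Two things worth noticing: the supplicant never learns or cares about the relay, and the server never sees VLAN 100 as such. The only binding between ISE's authorization result and the address pool is the SVI whose giaddr the relay writes into the packet, so a wrong helper address on the VLAN 100 SVI silently hands out leases from the wrong scope.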