Showing results for 
Search instead for 
Did you mean: 

Wired Dot1x clients cannot get a DHCP IP address on a 3560 switch




This document describes an issue faced by an user where Dot1x clients doesn't get connected to network by using DHCP address configured on 3560.


What is Dot1x?

Dot1x or technically known as 802.1X is a standard which was designed to increase the level of security for WLANs. 802.1X platforms the authentication process for wireless LANs, which authenticate the user by using AAA Server(Centeral Authentication) .


802.1X uses below mentioned protocol:

EAP stands for Extensible Authentication Protocol.It works on Token Ring, wireless LANs,exchange of massages during authentication, Ethernet


Wireless LAN setup is generally implemented in such a manner that all devices are authenticated by 802.1X.Some terms we need to understand:

  • Supplicant: an user request
  • Authenticator: access point


Access point directs the user's client software to provide an EAP message while the user remains in an unauthorized state. In return access point recieves an EAP message stating a request that user should enter his/her credentials. Identity is provided to access point by the user's client software and authenticator forwards the identity to AAA server.Authentication server  runs algoritham to check user credentials which in turn sends acception or rejection message back to the access point. If acception is received, client's state is changed to authorized and normal traffic starts.


Core issue

This happens when the ip arp inspection vlan and ip dhcp snooping commands are issued on the switch port. Dot1x clients may not get a Dynamic Host Configuration Protocol (DHCP) IP address.

The ip arp inspection vlan command conflicts with the dynamic nature of dot1x and prevents clients from getting a DHCP IP address. The ip dhcp snooping command should not be used when authenticating users through dot1x because there is no point-filtering DHCP on ports in a 100 percent DHCP environment.



To resolve the problem, issue these commands:

  • Switch(config)# no ip arp inspect. There are no static IP address hosts off the switch.
  • Switch(config)# no ip dhcp snooping. In a 100% DHCP environment , there is no point in filtering DHCP on the ports.

For more information on Dot1x authentication configuration, refer to the Set up the Client for PEAP with Machine Authentication section of Wired Dot1x  Configuration Guide.

Content for Community-Ad