802.1X and DHCP

Evgeniy Ivanov
Level 1
Level 1

Hi!

I have a problem understanding how 802.1X works with DHCP.

As far as I know, an 802.1X port allows only EAPOL traffic before authentication is complete.

For example, I connected my workstation with Windows to an 802.1X port.

During the startup process, Windows must first obtain a DHCP address, and then the supplicant software will send my authentication data to the Authenticator.

But how will my PC then receive an IP address, if DHCP is not allowed? At which stage?

1 Accepted Solution

Accepted Solutions

You have more than one way to implement it:

  • Closed Mode (which is the "traditional" .1x which you are talking about)
  • Low-Impact mode
  • (Monitor Mode)

In closed mode you are right, the PC won't get an IP address until the authentication was successful. Even more, the PC won't have any communication other than EAPoL. But the communication between Supplicant and Authenticator is using EAPoL and is not based on IP. Even if the PC doesn't have an IP address, the authentication can be done.

In low-impact mode you don't follow the "all or nothing" approach. Instead you typically allow DHCP and DNS (and optionally some other protocols like icmp/echo) to flow without authentication. So there won't be a timeout for the DHCP process on the PC if authentication takes too long. And after the user and/or PC authenticates, the access rights are extended to what the user/PC needs.

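An added illustration of the two port modes described in the accepted answer, written as a Cisco IOS access-switch configuration fragment (example config, not from the original post; the interface names, VLAN 10 and the ACL name PRE-AUTH are assumptions):

```cisco
! --- Closed mode: only EAPoL is forwarded until the session is authorized.
! A client that starts DHCP before the supplicant finishes simply gets no
! answer; it retries and obtains its lease once the port is authorized.
interface GigabitEthernet1/0/1
 description closed-mode example (assumed interface)
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator

! --- Low-impact mode: the port opens for traffic, but a pre-auth ACL limits
! the unauthenticated client to DHCP, DNS and ICMP echo. Everything else is
! dropped until the session is authorized.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any echo
 deny ip any any

interface GigabitEthernet1/0/2
 description low-impact-mode example (assumed interface)
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
```

The difference between the two interfaces is `authentication open` plus the pre-auth ACL: without them the port stays closed to everything except EAPoL (the "all or nothing" behaviour), with them DHCP and DNS already work while the supplicant is still talking to the authenticator. After a successful authentication the authorization result from the RADIUS server (for example a downloadable ACL) replaces the PRE-AUTH restrictions, which is the "access rights are extended" step the answer describes. When checking such a port, `show authentication sessions interface GigabitEthernet1/0/2 details` shows whether the session is still in the pre-auth state or has been authorized and which ACL is currently applied.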

7 Replies

Karsten, thank you for help!

It was very helpful.

@Karsten Iwen 

Is it the same with wireless PEAP?

No, Wireless EAP is comparable to the closed mode. Before the connection is authenticated (and WPA keys are generated) there is no data-communication at all.

@Karsten Iwen 

Thank you for quick response.
I have one simple question.
In the AP - WLC - ISE - AD design, if the PC does not receive an IP,
Should I check WLC or ISE?
I think it's WLC, but I'm not sure about the answer.
When is DHCP binding performed?

The first look could be on the ISE to see if the authentication was successful. If not, this problem is the first to solve. There you also see if the ISE is applying the correct VLAN. Then on the WLC you can check if the authorisation was applied as expected. Probably you should open a separate Discussion for this problem.
