08-19-2014 03:42 AM - edited 03-07-2019 08:26 PM
Hi!
I have a problem understanding how 802.1X works with DHCP.
As far as I know, an 802.1X port allows only EAPOL traffic before authentication is complete.
For example, I connected my Windows workstation to an 802.1X port.
During the startup process, Windows must first obtain a DHCP address, and then the supplicant software will send my authentication data to the authenticator.
But how will my PC then receive an IP address, if DHCP is not allowed? At which stage?
08-19-2014 04:22 AM
You have more than one way to implement it:
In closed mode you are right, the PC won't get an IP address until the authentication was successful. Even more, the PC won't have any communication other than EAPoL. But the communication between supplicant and authenticator uses EAPoL and is not based on IP. Even if the PC doesn't have an IP address, the authentication can be done.
In low-impact mode you don't follow the "all or nothing" approach. Instead you typically allow DHCP and DNS (and optionally some other protocols like ICMP echo) to flow without authentication. So there won't be a timeout for the DHCP process on the PC if authentication takes too long. And after the user and/or PC authenticates, the access rights are extended to what the user/PC needs.
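To make the two modes Karsten describes concrete, here is an example access-switch configuration written for this thread (it is not from the original posts or from any Cisco document), using the legacy IOS `authentication` command set. The interface names, the VLAN number, the ACL name PRE-AUTH and the timer value are assumptions; adjust them to your own environment.

```text
! === Closed mode (added example, not from the original post) ===
! Before dot1x succeeds the port forwards only EAPoL (EtherType 0x888E).
! DHCP, DNS and everything else is dropped, so the supplicant has to
! authenticate first and the host gets its IP address afterwards.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode single-host
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
! === Low-impact mode (added example) ===
! "authentication open" lets traffic through before authentication,
! and the pre-auth ACL limits that traffic to DHCP, DNS and ICMP echo.
! After a successful authentication the RADIUS server (e.g. ISE) pushes
! a downloadable ACL or a VLAN that replaces this restriction with the
! access rights the user or PC actually needs.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any echo
 deny   ip any any
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in
 authentication open
 authentication port-control auto
 authentication host-mode single-host
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
! === Checks ===
! Shows the session state (authorized or not), the method that ran,
! and which ACL/VLAN the switch is currently applying to the host.
show authentication sessions interface GigabitEthernet1/0/2 details
! Hit counters on the pre-auth ACL show whether DHCP/DNS actually flowed
! before authentication completed.
show ip access-lists PRE-AUTH
```

Two caveats when using the low-impact variant: the pre-auth ACL must stay as narrow as shown, because everything it permits is reachable by an unauthenticated host, and a downloadable ACL from ISE is bound to the host's IP address, so the switch needs IP device tracking enabled for the dACL to take effect after authentication.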
08-19-2014 07:49 PM
Karsten, thank you for help!
It was very helpful.
05-09-2023 08:26 AM
Is it the same with wireless PEAP?
05-09-2023 08:31 AM
No, wireless EAP is comparable to the closed mode. Before the connection is authenticated (and WPA keys are generated) there is no data communication at all.
05-09-2023 08:42 AM
Thank you for quick response.
I have one simple question.
In the AP - WLC - ISE - AD design, if the PC does not receive an IP, should I check the WLC or ISE?
I think it's WLC, but I'm not sure about the answer.
When is DHCP binding performed?
05-09-2023 08:53 AM
The first look could be on the ISE to see if the authentication was successful. If not, this problem is the first to solve. There you also see if the ISE is applying the correct VLAN. Then on the WLC you can check if the authorisation was applied as expected. Probably you should open a separate discussion for this problem.