01-08-2007 11:46 AM - edited 03-05-2019 01:39 PM
Hi,
I have implemented 802.1x on 2960 SW trunked to another 4503 SW. Now, the PC connecting to the 2960 switch port where the .1x is enabled passes the authentication successfully but is failing to get a DHCP. I am currently using my 4503 SW as a DHCP server.
When I configure the port of the failing user statically to the same VLAN I need him to be in (VLAN 40), he successfully gets an IP address!! I can see him being successfully authenticated in the ACS log but could not figure out why he failed to get DHCP.
Here is the configuration I have on both switches for this part:
In the 2960:
interface GigabitEthernet0/3
switchport mode access
dot1x port-control auto
dot1x reauthentication
spanning-tree portfast
interface Vlan40
no ip address
ip access-group interface_acl in
no ip route-cache
!
!
ip access-list extended interface_acl
permit udp any any eq 21862
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any host 195.x.x.99
deny ip any any
In the 4503 SW:
ip dhcp pool quarantine
network 195.x.x.0 255.255.255.0
default-router 195.x.x.254
interface Vlan40
ip address 195.x.x.254 255.255.255.0
ip access-group interface_acl in
ip access-list extended interface_acl
permit udp any any eq 21862
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark Allow access to McAfee server
permit ip any host 195.x.x.99
remark Allow ICMP for test purposes
permit icmp any any
remark Implicit Deny
deny ip any any
Any ideas why this is failing?
Thanks,
Haitham
01-08-2007 11:58 AM
Have you tried "ip helper-address 195.10.40.254" under your VLAN40 in the 2960?
hieu
01-08-2007 12:10 PM
Yeah, I tried that but it did not help!
Even without this command, the PC gets an IP address when its port is statically assigned to VLAN 40!
Any other ideas?
Regards,
Haitham
01-08-2007 12:55 PM
You create the VLAN globally, but the VLAN membership must be assigned to specific switch ports.
In the 2960, gig0/3, add the command "switchport access vlan 40" to assign static vlan to the port.
If the port is not a member of the VLAN 40, it's not going to receive the DHCP broadcast from VLAN40...think of it as not having the access rights to the DHCP server on VLAN40 from the main switch.
hieu
01-09-2007 04:29 PM
Hello haitham,
This is a problem due to the dot1x timers, for sure, if you have done all the basic VLAN and DHCP stuff right. Let me explain what happens here:
With the default dot1x time-out values, the laptop takes around 90 secs to get the guest VLAN assigned. This includes the quiet period, Tx timeout, retransmission timeout etc. Now, while this 90 secs process happens, the DHCP broadcast stops happening, since the DHCP server sees the broadcast only for around 62 secs. So, after the VLAN assignment (after 90 secs), the users don't get an IP address from the DHCP server until they manually do an "ipconfig /renew". To knock out this issue, we have to tune the dot1x timers a little and somehow make the VLAN assignment below 62 secs. For example, if we tune the Tx timeout to 15 secs, the total time taken for the VLAN assignment comes down to 45 seconds, and the IP address assignment happens through DHCP.
You can use the command "dot1x timeout tx-period 15" on the switch port, to bring down the total time taken to get the guest VLAN to 45 and everything will work fine.
Hope this helps. All the best. Rate replies if found useful.
Raj
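The two fixes proposed in this thread (hieu's missing "switchport access vlan 40" on the dot1x port, and Raj's guest-VLAN timing) both lend themselves to a configuration audit. The script below is an added example, not code from any of the posters: it parses interface stanzas from an IOS-style config dump, flags dot1x-enabled ports that have no access VLAN assigned, and computes the guest-VLAN deployment delay as (max-reauth-req + 1) * tx-period using the IOS defaults of 2 and 30 seconds. The 62-second DHCP client window is the figure Raj quotes and is taken here as an assumption; the sample config is constructed, with GigabitEthernet0/3 mirroring the original post and GigabitEthernet0/4 a hypothetical corrected port.

```python
"""Audit an IOS-style config for the 802.1X/DHCP pitfalls discussed in the thread.
Added example; the formula and defaults are from Cisco IOS dot1x behaviour,
the 62 s window is the figure quoted in the thread (assumption)."""
import re

DEFAULT_TX_PERIOD = 30       # IOS default for "dot1x timeout tx-period", seconds
DEFAULT_MAX_REAUTH_REQ = 2   # IOS default for "dot1x max-reauth-req"
DHCP_CLIENT_WINDOW = 62      # assumed DHCP client broadcast window, per the thread

# Constructed sample: Gi0/3 reproduces the original post, Gi0/4 is a
# hypothetical port with both fixes applied.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/3
 switchport mode access
 dot1x port-control auto
 dot1x reauthentication
 spanning-tree portfast
!
interface GigabitEthernet0/4
 switchport mode access
 switchport access vlan 40
 dot1x port-control auto
 dot1x timeout tx-period 15
 spanning-tree portfast
!
interface Vlan40
 no ip address
!
"""


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} for each interface stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None           # "!" closes the stanza in IOS output
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def guest_vlan_delay(lines):
    """Seconds until the port falls into the guest VLAN when no supplicant answers:
    (max-reauth-req + 1) EAP-Request/Identity attempts, tx-period seconds apart."""
    tx_period = DEFAULT_TX_PERIOD
    max_reauth = DEFAULT_MAX_REAUTH_REQ
    for line in lines:
        m = re.match(r"dot1x timeout tx-period (\d+)$", line)
        if m:
            tx_period = int(m.group(1))
        m = re.match(r"dot1x max-reauth-req (\d+)$", line)
        if m:
            max_reauth = int(m.group(1))
    return (max_reauth + 1) * tx_period


def audit(config):
    """Return {interface: [issue strings]} for every dot1x-enabled port."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("dot1x port-control") for l in lines):
            continue                 # not a dot1x port, nothing to check
        issues = []
        if not any(l.startswith("switchport access vlan") for l in lines):
            issues.append("no 'switchport access vlan' on dot1x port")
        delay = guest_vlan_delay(lines)
        if delay > DHCP_CLIENT_WINDOW:
            issues.append(
                f"guest-VLAN delay {delay}s exceeds DHCP client window "
                f"{DHCP_CLIENT_WINDOW}s; lower tx-period or max-reauth-req")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

On the constructed sample, GigabitEthernet0/3 is reported with both issues (90 s delay, no access VLAN) and GigabitEthernet0/4 comes back clean with a 45 s delay, matching the numbers Raj gives. Feed it the output of "show running-config" from the access switch to check every dot1x port at once.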