01-06-2011 08:50 PM - edited 03-06-2019 02:52 PM
Hi all,
I've defined 802.1x on all access ports of our Catalyst 3560 (12.2(53)SE2).
Everything works fine until it comes to PXE. I see from traces and "show" commands that the client using PXE is moved from the data VLAN (vlan_id 4) to the guest VLAN (vlan_id 996); it sends a DHCPREQUEST, but never gets an IP address out of the defined scope.
Vlan    Mac Address       Type       Ports
----    -----------       --------   -----
   4    001c.2343.b63b    STATIC     Drop
Total Mac Addresses for this criterion: 1

Vlan    Mac Address       Type       Ports
----    -----------       --------   -----
 996    001c.2343.b63b    DYNAMIC    Gi0/45
Total Mac Addresses for this criterion: 1
********************************************
Configs:
Global:
!
dot1x system-auth-control
dot1x guest-vlan supplicant
dot1x critical eapol
!
Interface:
interface GigabitEthernet0/45
switchport access vlan 4
switchport mode access
switchport voice vlan 504
switchport port-security maximum 5
switchport port-security aging time 360
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
priority-queue out
authentication control-direction in
authentication event fail action authorize vlan 996
authentication event server dead action authorize vlan 996
authentication event no-response action authorize vlan 996
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 10
dot1x timeout supp-timeout 5
dot1x max-req 5
dot1x max-reauth-req 5
storm-control broadcast level 2.00 1.00
storm-control multicast level 3.00 0.50
storm-control action trap
no cdp enable
spanning-tree portfast
service-policy input map_ipphone
ip dhcp snooping limit rate 25
end
As soon as I disable dot1x the client immediately gets an IP address out of the defined scope.
Any hints are very much appreciated.
Best regards
Roman
01-07-2011 01:13 AM
Hello,
I think that PXE clients are not Dot1X supplicants, right?
In that case you can use open1x
with downloadable ACLs:
so that you will have a pre-authentication ACL permitting both DHCP and PXE traffic, and after authentication you will get an ACL from your RADIUS server which will allow other traffic for authenticated clients.
A minimal config should look like this:
ip device-tracking
radius-server vsa send authentication   ! needed for the dACL
access-list 100 permit udp any any eq bootpc
access-list 100 permit udp any any eq bootps
access-list 100 permit udp any any eq {PXEPORT}
int F0/0
 authentication open
 ip access-group 100 in
 authentication port-control auto
Hope this helps
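Because a pre-authentication ACL that is missing one of the DHCP or PXE ports reproduces exactly the "client is in the VLAN but never gets a lease" symptom, it is worth checking the configuration mechanically. The following script is an added example (not part of the thread and not Cisco code): it parses a constructed configuration snippet modelled on the one above and, for every interface running `authentication open`, reports which required UDP ports the referenced inbound ACL does not permit. The ACL numbers, interface names and the assumption that PXE needs TFTP (UDP 69) are all assumptions of the example.

```python
import re

# Constructed sample config, modelled on the pre-auth ACL suggested above.
# Interface names, ACL numbers and the PXE port (assumed to be TFTP) are
# assumptions of this example, not values taken from the thread.
SAMPLE_CONFIG = """\
ip device-tracking
radius-server vsa send authentication
access-list 100 permit udp any any eq bootpc
access-list 100 permit udp any any eq bootps
access-list 100 permit udp any any eq tftp
!
interface GigabitEthernet0/45
 switchport access vlan 4
 switchport mode access
 authentication open
 authentication port-control auto
 ip access-group 100 in
!
interface GigabitEthernet0/46
 switchport access vlan 4
 authentication open
 authentication port-control auto
 ip access-group 101 in
!
access-list 101 permit udp any any eq bootps
"""

# UDP destination ports a pre-auth ACL must permit before a client can get an
# address and boot: DHCP client/server and (assumed) TFTP for the PXE download.
PORT_NAMES = {"bootpc": 68, "bootps": 67, "tftp": 69}
REQUIRED_UDP = dict(PORT_NAMES)

ACL_RE = re.compile(r"^access-list (\d+) permit udp any any eq (\S+)")
ACCESS_GROUP_RE = re.compile(r"^ip access-group (\S+) in")


def parse_acls(config):
    """Return {acl_id: set of UDP destination ports permitted to any host}."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        acl_id, port = m.group(1), m.group(2)
        port_num = int(port) if port.isdigit() else PORT_NAMES.get(port)
        if port_num is not None:
            acls.setdefault(acl_id, set()).add(port_num)
    return acls


def parse_interfaces(config):
    """Return {interface: {"open": bool, "acl": str | None}} from interface blocks."""
    ifaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = {"open": False, "acl": None}
        elif current and line.startswith(" "):
            stripped = line.strip()
            if stripped == "authentication open":
                ifaces[current]["open"] = True
            m = ACCESS_GROUP_RE.match(stripped)
            if m:
                ifaces[current]["acl"] = m.group(1)
        else:
            current = None  # "!" or a global command ends the block
    return ifaces


def check_preauth_acls(config):
    """For each interface with authentication open, list required port names
    that its inbound ACL does not permit (empty list means the ACL is fine)."""
    acls = parse_acls(config)
    result = {}
    for name, info in parse_interfaces(config).items():
        if not info["open"]:
            continue
        permitted = acls.get(info["acl"], set())
        result[name] = sorted(n for n, p in REQUIRED_UDP.items() if p not in permitted)
    return result


if __name__ == "__main__":
    for iface, missing in check_preauth_acls(SAMPLE_CONFIG).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{iface}: {status}")
```

Feed it the output of `show running-config` instead of the constructed string to check a real switch; an interface that shows up with missing ports will drop exactly the traffic the PXE client needs before it has authenticated.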
01-07-2011 02:47 AM
Hello Bastien
many thanks for your reply. I will test it and in any case let you know about the results.
Regards
Roman
01-07-2011 03:07 AM
Hello Roman,
If your tests are successful, don't forget to mark the topic as answered and/or rate the posts that helped you
Thanks,
bastien.
01-11-2011 05:26 AM
Hello Bastien,
The behaviour is very strange in fact. Sometimes the client gets an IP address out of the Quarantine VLAN (in my case 996) and sometimes it doesn't.
I also upgraded the 3560 to the newest IOS release but unfortunately it didn't bring me any further. So basically I'm at the same starting point where I was before the discussion.
Any further info is still very much appreciated.
Regards
Roman
01-11-2011 06:48 AM
Hello Benno,
Are you saying that sometimes clients in the guest VLAN are getting an IP from another VLAN?
Did you check if these clients were authenticated or not? (show authentication sess interf FX/X)
01-11-2011 07:00 AM
Hello Bastien,
Obviously we have some kind of misunderstanding. You're absolutely correct: PXE does not support 802.1x. My goal is to bring a new client (which has never been connected to our network before) to the quarantine VLAN, where it should get an IP address via DHCP and afterwards gets staged. So from this point of view there is no 802.1x in process after the client has been moved from the data VLAN to the quarantine VLAN.
When doing a "show mac-address int x/x" I see that the client has been moved to the quarantine VLAN, where sometimes it gets an IP address and sometimes not.
Sorry for the confusion.
Regards
Roman
01-11-2011 07:14 AM
OK, I got it now.
I assume you have set up the commands provided (the ACL, ip access-group and authentication open on the interface).
So some clients get an IP, some don't. Is it the same clients every time or does this appear in a random way? I guess the best way to check what happens would be to capture packets using Wireshark on the computer and on the DHCP server side, plus a SPAN on the switch to see where packets are dropped. Also, you can use an ACL like this to see packets:
access-list 101 permit udp any any eq bootpc log
access-list 101 permit udp any any eq bootps log
access-list 101 permit udp any any eq {PXEPORT}
access-list 101 deny ip any any log
(beware, it can be verbose).
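The `log` keyword on those entries makes the switch emit `%SEC-6-IPACCESSLOGP` syslog messages, and reading them by hand gets tedious quickly. The script below is an added example, not something from the thread or from Cisco: it parses a few constructed log lines in that message format, totals packets per ACL, action and destination port, and answers the one question that matters here, whether any DHCP client-to-server traffic (UDP destination 67) was denied by the ACL. The sample lines, ACL number and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed syslog lines in the IOS %SEC-6-IPACCESSLOGP format (constructed
# for this example, not captured from the switch in the thread). A DHCP client
# without an address sends from 0.0.0.0:68 to 255.255.255.255:67.
SAMPLE_LOG = """\
Jan 11 07:14:01.123: %SEC-6-IPACCESSLOGP: list 101 permitted udp 0.0.0.0(68) -> 255.255.255.255(67), 1 packet
Jan 11 07:14:05.456: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.10(137) -> 192.0.2.255(137), 3 packets
Jan 11 07:14:09.789: %SEC-6-IPACCESSLOGP: list 101 permitted udp 0.0.0.0(68) -> 255.255.255.255(67), 2 packets
Jan 11 07:15:01.000: %SEC-6-IPACCESSLOGP: list 101 denied udp 0.0.0.0(68) -> 255.255.255.255(67), 1 packet
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)

DHCP_SERVER_PORT = 67


def summarize_acl_log(text):
    """Return {(acl, action, dst_port): total packets} aggregated over the log."""
    totals = Counter()
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:  # lines that are not ACL log messages are ignored
            key = (m["acl"], m["action"], int(m["dport"]))
            totals[key] += int(m["count"])
    return dict(totals)


def dhcp_discover_denied(text, acl="101"):
    """True if the given ACL denied any client->server DHCP packets (UDP dst 67),
    which would explain a client that never receives a DHCPOFFER."""
    return summarize_acl_log(text).get((acl, "denied", DHCP_SERVER_PORT), 0) > 0


if __name__ == "__main__":
    for (acl, action, dport), count in sorted(summarize_acl_log(SAMPLE_LOG).items()):
        print(f"list {acl} {action:9} udp/{dport:<5} {count} packet(s)")
    print("DHCP discover denied:", dhcp_discover_denied(SAMPLE_LOG))
```

Point it at the switch's syslog output (or `show logging`) collected while the client fails to boot; a non-zero denied count on port 67 means the ACL, not the DHCP server, is the problem, while zero denied and zero permitted means the discover never reached the ACL at all and the capture after the switch is the next step.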
01-11-2011 11:56 PM
Hello Bastien,
Many thanks again for your reply. I already did traces using Wireshark. It was exactly the same client which sometimes got an IP address and sometimes not.
If it does not work, I clearly see that the client sends DHCPDISCOVERs but never gets a reply from the DHCP server.
If it works, I see the DHCPOFFERs etc.
I will build up a test environment today to see what happens exactly.
Have a nice day
Regards
Roman
01-12-2011 05:51 AM
Hi Benno, you're welcome.
Next steps would be to see where the discover frame is blocked, so check the ACL hit (or use log + acl as stated above) and capture after the switch.