TCC_2
Introduction:

This document describes an issue faced by a user where Dot1x clients do not get connected to the network when using a DHCP address configured on the 3560.

 

What is Dot1x?

Dot1x, technically known as 802.1X, is a standard designed to increase the level of security for WLANs. 802.1X provides the authentication process for wireless LANs, authenticating the user by means of an AAA server (central authentication).

 

802.1X uses the protocol described below:

EAP stands for Extensible Authentication Protocol. It works on Token Ring, wireless LANs and Ethernet, and carries the exchange of messages during authentication.

 

A wireless LAN is generally set up so that all devices are authenticated by 802.1X. Some terms we need to understand:

  • Supplicant: the user request
  • Authenticator: the access point

 

The access point directs the user's client software to provide an EAP message while the user remains in an unauthorized state. In return, the access point receives an EAP message requesting that the user enter his or her credentials. The user's client software provides the identity to the access point, and the authenticator forwards the identity to the AAA server. The authentication server runs its algorithm to check the user credentials and sends an accept or reject message back to the access point. If an accept is received, the client's state is changed to authorized and normal traffic starts.

 

Core issue

This happens when the ip arp inspection vlan and ip dhcp snooping commands are issued on the switch. Dot1x clients may then fail to obtain a Dynamic Host Configuration Protocol (DHCP) IP address.

The ip arp inspection vlan command conflicts with the dynamic nature of dot1x and prevents clients from getting a DHCP IP address. The ip dhcp snooping command should not be used when authenticating users through dot1x, because there is no point in filtering DHCP on the ports in a 100 percent DHCP environment.

 

Resolution

To resolve the problem, issue these commands:

  • Switch(config)# no ip arp inspect — applicable because there are no static IP address hosts off the switch.
  • Switch(config)# no ip dhcp snooping — applicable because, in a 100% DHCP environment, there is no point in filtering DHCP on the ports.

For more information on Dot1x authentication configuration, refer to the Set up the Client for PEAP with Machine Authentication section of the Wired Dot1x Configuration Guide.
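As an added illustration (example configuration, not part of the original document), here is a constructed 3560 excerpt showing DAI and DHCP snooping enabled alongside dot1x, the removal the document recommends, and the show commands that confirm both features are off. Because DAI and DHCP snooping are the switch's protections against ARP spoofing and rogue DHCP servers, the document's preconditions (all-DHCP environment, no static hosts) should be confirmed before removing them; VLAN 10 and the interface name are assumptions.

```text
! --- Before: constructed excerpt from a 3560 running-config (assumed VLAN 10) ---
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 dot1x port-control auto
!
! --- Fix: remove DAI for the VLAN and DHCP snooping globally ---
Switch# configure terminal
Switch(config)# no ip arp inspection vlan 10
Switch(config)# no ip dhcp snooping
Switch(config)# end
Switch# copy running-config startup-config
!
! --- Verify: DAI and snooping report as disabled, dot1x port state is visible ---
Switch# show ip arp inspection vlan 10
Switch# show ip dhcp snooping
Switch# show dot1x interface FastEthernet0/1
```

After the change, have a supplicant re-authenticate on the port and confirm it now receives a lease from the DHCP server.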

Comments

Hi! Does this problem exist on wireless clients only?

I'm struggling with some strange issues in my DAI+dot1x wired environment, with clients not getting IP addresses from the central DHCP.
