New Member

802.1X and DHCP

Hi!

I have a problem understanding how 802.1X works with DHCP.

As far as I know, an 802.1X port allows only EAPOL traffic before authentication is complete.

For example, I connected my Windows workstation to an 802.1X port.

During the startup process, Windows must first obtain a DHCP address, and then the supplicant software will send my authentication data to the Authenticator.

But how will my PC then receive an IP address if DHCP is not allowed? At which stage?

1 ACCEPTED SOLUTION
VIP Purple

You have more than one way to implement it:

  • Closed Mode (which is the "traditional" .1x which you are talking about)
  • Low-Impact mode
  • (Monitor Mode)

In closed mode you are right, the PC won't get an IP address until the authentication was successful. Even more, the PC won't have any communication other than EAPoL. But the communication between Supplicant and Authenticator is using EAPoL and is not based on IP. Even if the PC doesn't have an IP address, the authentication can be done.

In low-impact mode you don't follow the "all or nothing" approach. Instead you typically allow DHCP and DNS (and optionally some other protocols like icmp/echo) to flow without authentication. So there won't be a timeout for the DHCP process on the PC if authentication takes too long. And after the user and/or PC authenticates, the access rights are extended to what the user/PC needs.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
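As an added illustration of the two modes described above (editor's example, not Karsten's configuration or anything from Cisco documentation), here is how a closed-mode port and a low-impact-mode port differ on a Cisco IOS access switch. The interface numbers, VLAN, ACL name, and the assumption that global AAA/RADIUS, `dot1x system-auth-control` and a RADIUS server returning a downloadable ACL are already in place are mine:

```cisco
! Closed mode: until authentication succeeds the port forwards nothing but
! EAPOL (EtherType 0x888E), which is why the supplicant needs no IP address.
! No pre-authentication ACL is needed; DHCP is simply not forwarded yet.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
!
! Low-impact mode: the port is "open", so frames are forwarded before
! authentication, but an inbound pre-authentication ACL limits them to what
! the PC needs while it boots (DHCP, DNS, optionally ICMP echo).
ip access-list extended PRE-AUTH
 remark DHCP client -> server (UDP bootpc/68 -> bootps/67)
 permit udp any eq bootpc any eq bootps
 remark DNS lookups
 permit udp any any eq domain
 remark optional: ICMP echo for basic reachability checks
 permit icmp any any echo
 remark everything else waits for authentication
 deny ip any any
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in
 authentication open
 authentication port-control auto
 dot1x pae authenticator
!
! After a successful 802.1X exchange the RADIUS server (assumed here to be
! configured for downloadable ACLs) pushes a dACL that replaces PRE-AUTH for
! that session, extending the access to what the user/PC actually needs.
```

The `deny ip any any` line is what keeps low-impact mode from silently becoming monitor mode; without it `authentication open` forwards everything regardless of authentication result.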
2 REPLIES
New Member

Karsten, thank you for your help!

It was very helpful.
