802.1x and DHCP assigned addresses

yrichard
Level 1

I've done a lot of reading on this but I am still confused. I'm not a Microsoft guru so I don't really know what is going on with login scripts, or cached user/pass.

Scenario 1

==========

I have 802.1x implemented and Joe the contractor comes into the office and plugs in his laptop. He is a guest. I allow guests to have access to a guest VLAN. How can Joe automatically get an IP address, or does he have to do ipconfig /renew?

Scenario 2

==========

What is the behind-the-scenes process that takes place for my corporate users that log in to a domain... how do they get DHCP-assigned addresses?

Thanks

1 Accepted Solution

I assume from what you have written 'Joe' doesn't have an 802.1x supplicant on his PC? Therefore the switchport EAPOL frames are ignored by the PC and after a timeout the port is placed in the guest VLAN. You need to make sure DHCP is enabled for the guest VLAN - either add the appropriate entries to the protecting ACL or add a scope on the router? Depending on the timeouts you may have some delay issues here; I would test this before you roll it out.

For clients with 802.1x supplicants what happens is the PC effectively thinks it is disconnected from the network until the supplicant has authenticated. Once it has authenticated the PC thinks the network adapter is then connected and it will attempt to lease an IP address by broadcasting a DHCP request.

There are however a few 802.1x supplicants and I am not sure how they all integrate with the host O/S. I know the built-in Microsoft one operates as I have described.

HTH

Andy
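
The timeout and delay issue raised in the answer above, as an added example that is not part of the original thread: a small timing model comparing when a port with no supplicant reaches the guest VLAN with when the DHCP client sends its DISCOVERs. The timer names, the fallback formula, the client's give-up count and all values are assumptions chosen for illustration.

```python
# Added example: timing model of guest-VLAN fallback vs. DHCP client retries.
# All timer values are constructed; tx_period / max_requests are assumed names.
from itertools import accumulate


def guest_vlan_ready(tx_period, max_requests):
    """Seconds until a port with no supplicant is moved to the guest VLAN.

    Assumed model: the switch sends max_requests EAPOL identity requests and
    waits tx_period seconds for a reply to each before giving up.
    """
    return tx_period * max_requests


def dhcp_discover_times(attempts=5, first_delay=4, max_delay=64):
    """Send times of DHCPDISCOVER with RFC 2131-style doubling backoff.

    The +/-1 s jitter is omitted; `attempts` (when the client gives up)
    is an assumption, since that limit is OS-specific.
    """
    delays, delay = [], first_delay
    for _ in range(attempts - 1):
        delays.append(delay)
        delay = min(delay * 2, max_delay)
    return [0] + list(accumulate(delays))


def first_lease_attempt(ready_at, discover_times):
    """Time of the first DISCOVER sent once the port forwards traffic."""
    return next((t for t in discover_times if t >= ready_at), None)


def report(tx_period, max_requests, attempts=5):
    ready = guest_vlan_ready(tx_period, max_requests)
    times = dhcp_discover_times(attempts)
    hit = first_lease_attempt(ready, times)
    return {
        "guest_vlan_at": ready,
        "discovers": times,
        "lease_attempt_at": hit,
        # True: every DISCOVER was dropped on the unauthorized port, so the
        # guest waits for the OS to retry later or runs ipconfig /renew.
        "client_gave_up": hit is None,
    }


if __name__ == "__main__":
    for tx, n in [(30, 3), (5, 3)]:  # constructed timer settings
        print(tx, n, report(tx, n))
```

With the longer constructed timers the fallback happens after the client's last retry, which is the case where a guest ends up renewing by hand; shortening the switch timers moves the fallback inside the retry window.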

4 Replies

thomas.chen
Level 6

When a corporate user logs in to his domain, his PC needs to be configured with the default gateway address of the DHCP server. This DHCP server needs to be configured with a pool of addresses that can be dynamically sent to the PC logging in. This process works as follows:

While a PC first boots, an ARP broadcast is sent to the DHCP server with the destination IP as the DHCP server IP address, requesting the DHCP layer 2 address to be used for requesting a valid IP address for itself from the DHCP server.

Once the IP request is made, a DHCP response packet is sent by the DHCP server with a dynamic IP address to the requesting client (PC).

Sorry....I didn't clearly state that it was DHCP in relation to 802.1x that I was having trouble understanding. Thanks for your response.

Thanks for your response. Yes, you assumed correctly.
