TCC_2

Introduction:

This document describes an issue faced by a user where Dot1x clients do not get connected to the network using a DHCP address configured on a 3560 switch.


What is Dot1x?

Dot1x, technically known as 802.1X, is a standard designed to increase the level of security for WLANs. 802.1X provides the framework for the authentication process on wireless LANs, authenticating the user against an AAA server (central authentication).


802.1X uses the following protocol:

EAP stands for Extensible Authentication Protocol. It carries the exchange of messages during authentication and works over Token Ring, wireless LANs, and Ethernet.


A wireless LAN is generally set up so that all devices are authenticated by 802.1X. Some terms we need to understand:

  • Supplicant: the user's client requesting access
  • Authenticator: the access point


The access point directs the user's client software to provide an EAP message while the user remains in an unauthorized state. In return, the access point receives an EAP message requesting that the user enter his/her credentials. The user's client software provides the identity to the access point, and the authenticator forwards the identity to the AAA server. The authentication server runs its algorithm to check the user credentials and sends an accept or reject message back to the access point. If an accept is received, the client's state is changed to authorized and normal traffic starts.


Core issue

This happens when the ip arp inspection vlan and ip dhcp snooping commands are configured on the switch: Dot1x clients may not get a Dynamic Host Configuration Protocol (DHCP) IP address.

The ip arp inspection vlan command conflicts with the dynamic nature of dot1x and prevents clients from getting a DHCP IP address. The ip dhcp snooping command should not be used when authenticating users through dot1x, because there is no point filtering DHCP on the ports in a 100 percent DHCP environment.


Resolution

To resolve the problem, issue these commands:

  • Switch(config)# no ip arp inspect. There are no static IP address hosts off the switch.
  • Switch(config)# no ip dhcp snooping. In a 100% DHCP environment, there is no point in filtering DHCP on the ports.

For more information on Dot1x authentication configuration, refer to the Set up the Client for PEAP with Machine Authentication section of the Wired Dot1x Configuration Guide.
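As an added check, not part of the original document, the following Python script reads a saved `show running-config` text (a constructed sample is embedded) and reports dot1x-authenticated access ports whose VLAN has DHCP snooping or DAI enabled without the port being trusted, which is the combination described above; the function and variable names are my own.

```python
import re
# Constructed sample running-config excerpt (not taken from the document).
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10,20
ip dhcp snooping
ip arp inspection vlan 10,20
interface GigabitEthernet0/1
 switchport access vlan 10
 authentication port-control auto
interface GigabitEthernet0/2
 switchport access vlan 30
 authentication port-control auto
"""

def parse_vlan_list(spec):
    # Expand an IOS VLAN list such as "10,20-22" into a set of ints.
    return {v for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)}

def parse_interfaces(config):
    # Return {interface name: [stripped lines]} for each interface stanza.
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces

def find_conflicts(config):
    # Flag dot1x access ports in a DHCP-snooping/DAI VLAN that are not trusted for it.
    def vlans_for(cmd):
        return {v for m in re.finditer(rf"^{cmd} vlan (\S+)", config, re.M)
                for v in parse_vlan_list(m.group(1))}
    snooping_on = re.search(r"^ip dhcp snooping$", config, re.M) is not None
    snoop_vlans, dai_vlans = vlans_for("ip dhcp snooping"), vlans_for("ip arp inspection")
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not any(l.endswith("port-control auto") for l in lines):
            continue  # not a dot1x-authenticated port
        vlan = next((int(l.split()[-1]) for l in lines if l.startswith("switchport access vlan ")), 1)
        issues = [tag for tag, active, trust in (
            ("dhcp-snooping", snooping_on and vlan in snoop_vlans, "ip dhcp snooping trust"),
            ("dai", vlan in dai_vlans, "ip arp inspection trust")) if active and trust not in lines]
        if issues:
            findings.append((name, vlan, issues))
    return findings
```

Run it against a full running-config dump to list the ports that would be affected before deciding whether to remove the two features or trust the relevant ports.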

Comments

Hi! Does this problem exist on wireless clients only?

I'm struggling with some strange issues in my DAI+dot1x wired environment, with clients not getting IP addresses from the central DHCP.


Jason2005

@mariya.telitsina 

Did you find an answer to the problem? I'm struggling with the same problem.

Hello @Jason2005,
Do you have problems with wired or wireless?
Yes, I've done many, many config changes since then and now it's working OK, but we are still in a monitoring state of Dot1x.
For access points' uplink ports I applied the following setting:
authentication host-mode multi-host

For wired switches I upgraded the ISE servers, reloaded some of the switches with huge uptime, set up authentication timers, device tracking, etc.

We also had some problems with the DHCP server itself; the user DHCP pools were quite full. I was kinda hoping that disabling DAI would help me with dot1x, but they should and they do work together quite well. I can go on and on on this topic, feel free to ask.
