Authentication first before DHCP

rhuel.phils
Level 1

Hi, in our current deployment we allow the endpoint to get an IP address, then it will authenticate.

Is it possible that we first allow the device to authenticate, then after successful auth they will get an IP?

Has anyone tested this scenario?

1 Accepted Solution

Craig Hyps
Level 10

It depends on auth type. Using 802.1X, it is certainly possible to authenticate via L2 protocol and then allow access to DHCP after successful authentication. This is definitely the case in closed mode, where the endpoint has no access until auth is successful.

For MAB, it is also possible to first authenticate/authorize the MAC address prior to IP address assignment. Of course, it is not possible to perform web authentication until an IP address is received. This is why a typical CWA policy will allow DHCP and set redirect as the result of MAC auth.

RADIUS Accounting Interim Update will notify ISE if an IP address is received after initial authentication and Accounting Start sent.

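The accounting sequence described in the accepted answer, as an added example that is not part of the original post and not Cisco code: a minimal parser replays an Accounting Start sent before DHCP and a later Interim-Update, showing when the session gains its IP binding. It assumes the address arrives in Framed-IP-Address (attribute 8); the function names, session ID, MAC and IP are constructed for illustration.

```python
import ipaddress
import struct

# RADIUS attribute types (RFC 2865/2866) and Acct-Status-Type values
FRAMED_IP, CALLING_STATION_ID, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 8, 31, 40, 44
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def build_acct(ident, status, session_id, mac, ip=None):
    """Build a constructed Accounting-Request (code 4, zeroed authenticator)."""
    attrs = [(ACCT_STATUS_TYPE, struct.pack("!I", status)),
             (ACCT_SESSION_ID, session_id.encode()),
             (CALLING_STATION_ID, mac.encode())]
    if ip:
        attrs.append((FRAMED_IP, ipaddress.IPv4Address(ip).packed))
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", 4, ident, 20 + len(body), b"") + body

def parse_acct(packet):
    """Return {attribute type: raw value}, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def track(packets):
    """Replay accounting packets; return (session table, timeline of events)."""
    sessions, timeline = {}, []
    for pkt in packets:
        a = parse_acct(pkt)
        status = STATUS.get(struct.unpack("!I", a[ACCT_STATUS_TYPE])[0], "Other")
        sid = a[ACCT_SESSION_ID].decode()
        entry = sessions.setdefault(sid, {"mac": a[CALLING_STATION_ID].decode(), "ip": None})
        if FRAMED_IP in a:  # address learned after authentication
            entry["ip"] = str(ipaddress.IPv4Address(a[FRAMED_IP]))
        timeline.append((sid, status, entry["ip"]))
    return sessions, timeline

# Constructed sample: Start sent at authorization, before the endpoint has an address.
SAMPLE = [build_acct(1, 1, "0A000001", "00-11-22-33-44-55"),
          build_acct(2, 3, "0A000001", "00-11-22-33-44-55", "192.0.2.25")]
```

Between the two packets the session is known only by MAC address, so any IP-based lookup against the session table has nothing to match until the Interim-Update arrives.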

3 Replies

rhuel.phils
Level 1

Hi chyps,

Do you have a link or manual I can refer to in order to apply the information you said?

See How To: ISE Phased Deployments and How To: Deploy ISE in Closed Mode and Cisco Live BRKSEC-2691

For Wireless, it requires auth first before DHCP, unless the WLAN is set up in open mode.