802.1x and DHCP

Similar Messages

• 802.1x and DHCP assigned addresses

  I've done a lot of reading on this but I am still confused. I'm not a Microsoft guru so I don't really know waht is going on with login scripts, or cached user/pass.
  Scenario 1
  ==========
  I have 802.1x implemented and Joe the contractor comes into the office and plugs in his laptop. He is a guest. I allow guests to have access to a guest VLAN. How can Joe automatically get an IP address, or does he have to do ipconfig /renew?
  Scenario 2
  ==========
  What is the behind the scenes process that takes place for my corporate users that login to a domain....how do they get DHCP assigned addresses?
  Thanks

  I assume from what you have written 'Joe' doesn't have an 802.1x supplicant on his PC? Therefore the switchport eapol frames are ignored by the PC and after a timeout the port is placed in the guest vlan. You need to make sure DHCP is enabled for the guest vlan - either add the appropriate entried to the protecting ACL or add a scope on the router? Depending on the timeouts you may have some delay issues here; I would test this before you roll it out.
  For clients with 802.1x supplicants what happens is the PC effectively thinks it is disconnected from the network until the supplicant has authenticated. Once it has authenticated the PC thinks the network adapter is then connected and it will attempt to lease an IP address by broadcasting a DHCP request.
  There are however a few 802.1x supplicants and I am not sure how they all integrate with the host O/S. I know the built-in Microsoft one operates as I have described.
  HTH
  Andy

• Potential Security Hole with 802.1x and Voice VLANs?

  I have been looking at 802.1x and Voice VLANs and I can see what I think is a bit of a security hole.
  If a user has no authentication details to gain access via 802.1x - i.e. they have not been given a User ID or the PC doesn't have a certificate etc. If they attach a PC to a switchport that is configured with a Voice VLAN (or disconnect an IP Phone and plug the PC direct into the switchport) they can easily see via packet sniffing the CDP packets that will contain the Voice VLAN ID. They can then easily create a Tagged Virtual NIC (via the NIC utilities or driver etc) with the Voice VLAN 802.1q Tag. Assuming DHCP is enabled for the Voice VLAN they will get assigned an IP address and have access to the IP network. I appreciate the VLAN can be locked down at the Layer-3 level with ACL's so any 'non-voice related' traffic is blocked but in this scenario the user has sucessfully bypassed 802.1x authentication and gain access to the network?
  Has anyone done any research into this potential security hole?
  Thanks
  Andy

  Thanks for the reply. To be honest we would normally deploy some or all of the measures you list but these don't around the issue of being able to easily bypass having to authenticate via 802.1x.
  As I said I think this is a hole but don't see any solutions at the moment except 802.1x on the IP Phone, although at the moment you can't do this with Voice VLANs?
  Andy

• What are the endpoints attributes collected by NAC Profiler through SNMP and DHCP?

  Hi Everyone,
  Please help on this.
  I want to know what are the endpoints attributes collected by NAC Profiler to discover and profile the endpoints.through SNMP protocol and DHCP protocol.
  Also if anybody can explain a simple used case on this.
  Please guide me on this.
  Thanks in advance.
  Thanks,
  Abuzar.

  Hi,
  SNMP
  =====
  NetMap queries network devices via SNMP for:
  System information
  Interface information
  Bridge information
  802.1X information (PAE MIB)
  Routing/IP information
  CDP MIB Information
  This information is used to Build and maintain a model of the network topology and endpoint discovery.
  NetMap uses SNMP Get, GetNext and GetBulk (when available) requests to  query the SNMP agents running on the network infrastructure devices to  gather specific Management Information Base (MIB) objects about their  status based on device type (Layer 2 or Layer 3).
  In addition to polling each network device for all MIB data at a regular  interval, NetMap may also be commanded to poll port-specific  information when the NAC Profiler system is notified that an endpoint  has joined or left the network via SNMP traps sent by devices at the  network edge, switches typically.
  Upon receipt and verification of a link state (link up, link down) or  MAC notification trap, NetTrap will notify the NAC Profiler Server that a  change has occurred on the network edge (endpoint joined or left a  network port). If the trapping device is in the NAC Profiler  configuration, the NetMap component module assigned to poll the device  that sent the trap will be commanded by the Server module to initiate a  poll of the device's port information to determine the change to the  endpoint topology that resulted in the trap being sent by the network  device.
  The information gathered by NetMap is processed by the Server  accordingly to update the network topology, noting the endpoint joining  or leaving a port. Note that NetMap SNMP polling of network devices  resulting from a trap is localized to the port specified in the trap.  This is unlike the regular polling that occurs at the frequency  specified for each device type (L2 and L3) which gathers all SNMP  information from the device used by the NAC Profiler system.
  DHCP:
  =====
  The NetWatch module listens for traffic including DHCP traffic.
  The module will collect all the DHCP information on the traffic collected, like mac address, ip address,  DHCP Vendor Class Identifier in DHCP request, host name in DHCP request, requested specified options in DHCP request (option 55) and full list of DHCP options supported by the DHCP client as specified in the DHCP request.
  All the endpointe data can then be used to map endpoints with profiles.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Manual IP and DHCP conflicts

  My Barricade g died (SMC2804WBRP-G). I replaced it with an Airport Extreme (802.11g).
  With the Barricade g, I had manually assigned IP address to all the computers on the LAN (range 192.168.x.1-192.168.x.99). The router distributed IP addresses to the wireless clients via DHCP range (192.162.x.100-192.168.x.200)
  I've setup the AEBS to Distribute IP addresses and selected Share a single IP address (using DHCP and NAT).
  BUT, the AEBS is assigning some of the manual addresses to wireless client IP requests. Then the computer that is supposed to have a manual IP address doesn't have one. Basically, the manual and DHCP addresses are coming from the same pool and causing conflicts.
  How do I deal with manual IP addresses AND DHCP with this router?
  Thanks

  David,
  Thanks for the input. But, I may have misread my post.
  From my original post.
  'With the Barricade g, I had manually assigned IP address to all the computers on the LAN (range 192.168.x.1-192.168.x.99). The router distributed IP addresses to the wireless clients via DHCP range (192.162.x.100-192.168.x.200).'
  In other words, on the network, LAN=static IPs, Wireless clients=DHCP.
  You can have both static and DHCP on the same network.

• I want to use Back to my mac. When I try to turn it on, it says "Back to My Mac may be slow because more than one device on your network is providing network services.   Turn off NAT and DHCP on one of the devices and try again." How do I fix this?

  Not sure if I am doing this right. This is my first time in the support community.
  I imagine what I put in my heading was supposed to go in here.
  I want to use Back to my mac. When I try to turn it on, it says "Back to my mac may be slow because more than one device on your network is providing network services. Turn off NAT and DHCP on one of the devices and try again. See the documentation that came with your device for information about turning off network services"
  Does anyone know how I do this? I contacted my ISP (Telus in Canada) and they did not know anything (not that they usually do).

  Why do ISPs insist upon making things so difficult for their customers?
  If you cannot get them to understand that you would prefer to use your own router over their piece of cheap junk, perhaps the information in the following will be useful:
  http://keithbalomben.wordpress.com/2012/03/29/telus-actiontec-v1000h-hacks-and-i nformation/
  Scroll down to DHCP Settings
  You will need to log in with proper "technician" credentials. They are provided in the above link as
  Username: tech
  Password: t3lu5tv
  ... but these may or may not work. Try it, and if you cannot get anywhere at least now you know what to ask Telus to do in return for your business.

• Cisco Systems vs "CSIRO" 802.11a and 802.11g infringed upon the '069 patent

  Hi,
  any news about Cisco Systems and the "CSIRO" 802.11a and 802.11g infringed upon the '069 patent ?
  http://www.buffalotech.com/products/wireless/
  Dear Customer
  As you may be aware, Commonwealth Scientific and Industrial Research Organisation ("CSIRO") sued Buffalo, Inc. and Buffalo Technology (USA), Inc. ("Buffalo"), for alleged infringement of United States Patent No. 5,487,069 ("the '069 patent"). Subsequently, CSIRO also asserted its patent against the entire wireless LAN industry, including, Microsoft, Intel, Accton, SMC and Netgear.
  In it's lawsuit against Buffalo, CSIRO claimed certain Buffalo wireless networking products compliant with IEEE standards 802.11a and 802.11g infringed upon the '069 patent. Buffalo believed at that time and continues to believe that there are no grounds for CSIRO's allegations of infringement. The United States district court, however, found Buffalo to infringe the '069 patent and enjoined the importation and sale of Buffalo's IEEE 802.11a and 802.11g compliant products.
  CSIRO's lawsuits are against the entire wireless LAN industry and could affect the supply of wireless LAN products by any manufacturer, not just Buffalo. The entire industry is resisting CSIRO's attempts to enjoin the sale of wireless LAN products. Recently, Microsoft, 3COM Corporation, SMC Networks, Accton Technology Corporation, Intel, Atheros Communications, Belkin International, Dell, Hewlett-Packard, Nortel Networks, Nvidia Corporation, Oracle Corporation, SAP AG, Yahoo, Nokia, and the Consumer Electronics Association filed briefs in support of Buffalo's position that injunctive relief is inappropriate in this case.
  During the period of time that the injunction is in effect (10/1/2007), Buffalo cannot offer for sale, sell, import, or use its IEEE 802.11a and 802.11g compliant products in the United States. A list of the products covered by the injunction is attached here . The injunction does not prohibit sales of pre-existing inventories of products by Buffalo's customers. In addition, Buffalo has secured CSIRO's agreement to permit the replacement of defective products under warranty. None of Buffalo's other products are currently affected by this injunction.
  While Buffalo believes that it will be successful in reversing the district court's decision and will obtain a stay of the injunction pending a decision on the merits, the Court of Appeals has not yet issued a decision. Should the Court of Appeals issue a decision staying the injunction, you will be promptly notified. After the stay is issued or a favorable decision on the merits is obtained, Buffalo will be able to resume the supply of IEEE 802.11a and 802.11g products
  Please rest assured that Buffalo continues to stand behind their products and will continue to support all of our loyal customers as it relates to product warranties, technical support and the like without interruption.

  I suspect after reading the patent and the litigation that you mentioned above, that the US District Court decision will be reversed as the patent appears to be very vague in its contsruction and verbage. Furthermore, the intent to hold the IEEE hostage on the ratification of 802.11n will not bode well in the court's eyes. If in fact the case is reversed, I believe that the members of CSIRO will be in danger of lost profits litigation from Buffalo. Stay tuned to this bat channel.

• Solaris 10 zone configuration with sysidcfg and dhcp and hostname

  Hi
  Excuse me if I look like a n00b... it's probably because I'm a n00b.
  I've been struggling in the dark for more than 2 days now and I'm wondering if I'm thinking about this all wrong...
  I have stand-alone server where I need to run zones. I want to create zones and automagically configure them at boot (read: by running a script). So here's what I need...
  A zone
  starting from unconfigured state
  whose hostname is not the same as the zone name
  using corporate DHCP to get its IP address
  with DNS config coming from the DHCP server
  registering its address the DNS
  with a preconfigured root password
  (I don't own the corporate DHCP or DNS servers, I can't put my own DHCP or DNS servers on the network.)
  I would lke to create the zone, throw some config at it, then boot the zone and walk away. I am using zones with exclusive-IP. I can construct the zones and manually configure them once they're started to have DHCP, my own name, registered IP address with DNS and everything else I have specified above. But I don't want to do it manually...
  Sysidcfg seems to do some of what I want but not entirely.
  In sysidcfg I can set the root_password, the primary interface using DHCP, DNS server. I can't set a hostname in sysidcfg AND use configure it for DHCP. So the hostname is not what I want it to be after the zone is started and ready to go. The DHCP server is providing the DNS configuration, Solaris does not seem to honour it, but i'll ignore that for the moment.
  I have tried various combinations of using sysidcfg, /etc/nodename, /etc/hostname.+interface+ and /etc/dhcp.+interface+ but I can't find any combination that actually works.
  I can write to the zonestorage/etc/nodename to set the nodename, that works. But it does not match the DHCP address, so I get prompted for a new name service because it can't find a DNS entry for the name.
  I can write to the zonestorage/etc/hostname.+interface+ and /etc/dhcp.+interface+ (to get the system to register its name with the DNS server after getting its DHCP address) but then I get a system with no root password and no DNS configuration, even though they are set in the sysidcfg file.
  I can write a script that gets part of the way using sysidcfg and /etc/... files, then boots the zone and then runs a bunch of voodoo via zlogin commands to fix all the stuff that couldn't be done 'properly', but that's not a 'boot and walk away' environment. I can write a script that uses sysidcfg and hacks around with other files in /etc (like nsswitch.conf, resolv.conf), but that just feels likes a dirty hack to fix something that wasn't done properly in the first place.
  So where am I going wrong and how do I do it right (within the constraints defined)? Why can't I configure, boot and walk away?
  Thanks

  Thanks abrante
  Thanks for your response!
  I don't think the config is messed up after the installation. I think the installation is fine, it's just not what I want :-)
  I'm trying to decouple the zonename from the system name and get DNS registrations working. After installation, a DHCP client can get its hostname from DNS but I'm trying to do it the other way around. I want the DHCP client specify its own hostname, get an address from the DHCP server and then register its hostname with DNS. If the system gets its name from DNS/DHCP then I have to configure those to provide the system name and I don't own the DHCP/DNS infrastructure. These zones are for a development/QA environment, so we create and reconfigure these frequently. Hence the need to specify the system name within the zone and register that name in the DNS.
  I have tried fiddling with the PARAM_REQUEST_LIST but it does not seem to be working as I expect. :-$ Removing 12 did not help with setting the hostname from the system. DNS does not have a registered name for this system anyway, so even if it tried to get a name for this system, it would get nothing.
  I also do want the DHCP to change the DNS server and domain name, but this does not happen even though my dhcpagent includes 6 and 15 in the PARAM_REQUEST_LIST. I still have to set them in the sysidcfg file because it is always ignored in Solaris (S10u8 with 10_Recommended 30-Jul-2010)
  As stated, I know I can hack around with the system after it has booted. But I'm trying to configure the system before it starts and let it take care of itself and not have to touch it. Frankly I'm surprised that the sysidcfg does not allow you to set a hostname name when you are using DHCP, that the default DHCP configuration does not register the system name with the DNS server, and the DNS config from the DHCP response is ignored. Even a sys-unconfiged system requires DNS configuration during initial boot, when I know that the DHCP response contains DNS information.
  FYI: Windows systems using DHCP work as expected in this respect by default, i.e. set system name, use DHCP --> system gets address from corporate DHCP, DNS settings are set from DHCP information, DNS registration is made for system name.
  I'm working around this at the moment... I call my zone by the system name I want, I hardcode the DNS settings in the sysidcfg file and I create the hostname.+nic+ and dhcp.+nic+ files in the zone storage to get the system to register its name with DNS, them boot.
  Edited by: cydonian on Aug 19, 2010 7:45 PM

• MAB/802.1x and Alkatel IP Phones

  Hi All
  We have a distributed deployment where Alkatel ip-touch phones are authentictaed via MAB. Alkatel ip touch phones has 802.1x enabled by default and the phone tries eapol first and then switch authenticates via MAB which is fine. Once authenticated its working as expected. The issue is the phone keeps on periodic retry after x amount of minutes for 802.1x again which triggers the phone to reboot again and goes via the whole process. This interupts the voice. We could disable 802.1x but its per phone basis. Has anyone came across this issue and found a way to diable globally via the call manager etcc. or any workarounf from ISE/switch side?
  Thanks
  G

  Hi Tarik,
  Thanks for the reply, please find below the switch  port config lines, its a 370x switch, IPbase  and universalon 15.2-1.E1 image
  Note- Since the 8021x is enabled by default the phone initially tries 802.1x and after failing , the switch  goes to the next auth method which is MAB which is successful. The issue is the phone again initiales a 802.1x packet after some time and the whole process starts again and because 8021x is failed the phone reboots again. I think this is the way this type of phone work and we cannot do much unless disable 802.1x or install the Alkatel CA certs in the ISE cert store?
  Interface gi x/y
  switchport access vlan xx
   switchport mode access
   switchport voice vlan yy
   ip access-group ACL_ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan xx
   authentication event server dead action authorize voice
   authentication host-mode multi-auth
   authentication open
   authentication order mab dot1x
   authentication priority dot1x mab
   authentication port-control auto
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   snmp trap mac-notification change added
   snmp trap mac-notification change removed
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast

• MAB, 802.1x and ACS 4.2

  Hi all,
  Currently i'm using an ACS4.2 as radius server, some switch 2960-s ios 12.2.(55)se5, ipphone Alcatel iptouch 4018 and i would like to assign dinamic vlan to some specific users/laptop Daisy-chained to ip phone.
  Logic connection is:   users laptop---->ipphone---->switch---->radius
  What i need is:
  if I connect MY laptop to the ipphone port, i receive a specific vlan ( vlan 58 )
  if SOMEONE else ( i.e. a consultant ) connect his laptop to the SAME ipphone port (if available) he has to receive a different vlan ( vlan 1).
  I've been able to reach the goal using MACRO but it tooks too much time to authenticate ( approx 1 min ) so i give up and tried a different faster  way ( 802.1x and MAB ).
  i've been able to authenticate the ip-phone using 802.1x auth and to receive the correct vlan when i connect MY laptop (MAB auth)  but i was not able to provide the VLAN 1 to the Consultant when he connect his laptop even if the "authentication event fail action authorize vlan 1"  is configured.
  I used the dot1x auth-fail vlan  because i'm not able to use MAB or 802.1x auth on external laptop. I also tried with guest vlan with no luck.
  In both case the "consultant" remain in "auth failed"
  Here my current configuration
  dot1x system-auth-control
  dot1x guest-vlan supplicant
  identity profile default
  interface GigabitEthernet1/0/1
   switchport mode access
   switchport voice vlan 30
   authentication host-mode multi-auth
  authentication event fail action authorize vlan 1
   authentication order mab dot1x
   authentication port-control auto
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 2
   dot1x max-reauth-req 1
   storm-control broadcast level 2.00
   storm-control multicast level 2.00
   spanning-tree portfast
  On ACS side i have 2 groups
  first Group authenticate the iphone and supply the voice vlan ( vlan 30)
  Second Group authenticate using MAB and supply the vlan 58
  is there a different way to accomplish this task?
  Thank you in advance

  hi,
  any ideas?
  thx

• 802.1x and IP Phone

  Is it possible to enable dot1x and voice on the same interface? If so which switches and IOS support this feature ?
  Any references to documents ?
  Commands that cannot be configured together :-
  switch voice vlan xxx
  dot1x port-control auto

  It is possible to enable 802.1X and voice on the same port. If the phone does CDP, it is allowed through, regardless of the 802.1X state of the port with this config. Here's the following switches that support this, with the minimum required releases:
  CatOS (6500) - 7.6(1)
  IOS (4500) - 12.1(20)EWA
  IOS (3750) - 12.2(25)SEA
  IOS (3560) - 12.2(25)SEA
  IOS (3550) - 12.1(12c)EA1
  IOS (2960) - 12.2(25)FX
  IOS (2950) - 12.1(12c)EA1
  IOS (2940) - 12.1(13)AY
  Hope this helps,

• 802.1X and CAT Express 500

  Hi guys,
  I want to know if the Cat Express 500 support dynamic vlan assigment through 802.1X.

  Hi,
  You can do the vlan arrisgnment using 802.1x on CE500. The configuration for 802.1X and Radius authentication server can be done with the help of Cisco Network Assistant (CNA). In the menu Network Security Settings you have to put the
  security level on high. There is the possibility to configure the IP address of the RADIUS server and the RADIUS key.
  In case you don?t have the CNA, you can download it for free from:
  http://www.cisco.com/cgi-bin/tablebuild.pl/NetworkAssistant
  HTH, Please rate if it does.
  -amit singh

• 802.1x and Voice VLAN

  I had read articles on cco, and I believed for the same switch port we can have 802.1x configure and the voice vlan configure. It mean the IP phone is connect to the switch port with 802.1x configured, but the phone will not autheticate, only the workstation connect to phone data port will get authenticate.
  I had configured 802.1x and test with notebook logon and able to access the network. Now I would like to test the notebook attached to IP phone data port, and the phone connect to switch port configure with 802.1x. But I failed to add voice vlan commmand. Why ?
  interface GigabitEthernet9/48
  description temporary port
  switchport
  switchport access vlan 12
  switchport mode access
  no ip address
  dot1x port-control auto
  spanning-tree portfast
  CIG01-ENT-SW1(config-if)#switchport voice vlan 14
  Command rejected: Gi9/48 is Dot1x enabled port.

  Using IEEE 802.1x Authentication with Voice VLAN Ports
  A voice VLAN port is a special access port associated with two VLAN identifiers:
  ?VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
  ?PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.
  In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the VVID.
  A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several Cisco IP phones are connected in series, the switch recognizes only the one directly connected to it. When IEEE 802.1x authentication is enabled on a voice VLAN port, the switch drops packets from unrecognized Cisco IP phones more than one hop away.
  When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
  Waht kind of switch do you have? In 3550 I can configure the port for both vvid and pvid:
  interface FastEthernet0/1
  switchport access vlan 3
  switchport mode access
  switchport voice vlan 2
  no ip address
  dot1x port-control auto
  spanning-tree portfast
  end
  Nevertheless, as the statement above indicates, the port will need to be configured for multi-host in order the PC behind the phone get autehntication:
  under the interface configure "dot1x host-mode multi-host"
  Nevermind, I just realized that you might have a 5600 running native, checking the configuration guide and realese notes it does not looks like dot1x and vvlan can play together in that platform.

• DNS and DHCP Roles

  Hi
  does Snow Leopard have DNS & DHCP services in it ? how to make those role run and configure them ?
  and how to make a server a domain controller "silly Windows History in my mind"

  does Snow Leopard have DNS & DHCP services in it
  You mean Snow Leopard Server, right? In which case, yes.
  how to make those role run and configure them ?
  Click a checkbox or two in Server Admin (and add your domain/network-specific data, of course).
  and how to make a server a domain controller "silly Windows History in my mind
  Do you intend to make a Windows domain controller? If so, you can't. Mac OS X Server includes a Samba server which can handle parts of a Windows directory system, but it can't emulate a full Windows Active Directory server which has way more elements.
  On the other hand, if you just mean to create a directory server for your network then, just like the DNS and DHCP server response above, you click a couple of checkboxes in Server Admin and add your directory-specific data via Workgroup Manager (one of the bundled Server apps).

• How to synchronize between DHCP binding table and DHCP snooping table ?

  I clear DHCP snooping table with command "clear ip dhcp snooping binding " , and PC can't communicate with other any more. So how to synchronize between DHCP binding table and DHCP snooping table ?
  dhcp-test#sh ip dhcp bind
  IP address Client-ID/ Lease expiration Type
  Hardware address
  99.1.65.32 0100.1125.353c.25 Mar 02 1993 01:05 AM Automatic
  99.1.65.33 0100.1438.059f.85 Mar 02 1993 12:01 AM Automatic
  dhcp-test#sh ip dhcp snooping binding
  MacAddress IpAddress Lease(sec) Type VLAN Interface
  Total number of bindings: 0
  thanks!

  ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id expiry seconds
  Add binding entries to the DHCP snooping binding database. The vlan-id range is from 1 to 4904. The seconds range is from 1 to 4294967295.
  Enter the above command for each entry that you add
  To delete the database agent or binding file, use the no ip dhcp snooping database interface configuration command. To reset the timeout or delay values, use the ip dhcp snooping database timeout seconds or the ip dhcp snooping database write-delay seconds global configuration command.To renew the database, use the renew ip dhcp snooping database privileged EXEC command.