2543 Views 7 Replies Latest reply: Jun 16, 2011 6:50 PM by Jared RSS


DHCP IP address and RADIUS/TACACS Server

Jun 16, 2011 9:45 AM

hungtx 7 posts since
Dec 17, 2010

Hi All,

For the WEP/WPA/WPA2 authentication methods, I know that the client can get a DHCP IP address first, and then we enter the password/pre-shared key for authentication to get access.

Today, a question came to mind about DHCP packets and RADIUS/TACACS authentication packets. When a client boots up, it sends a DHCP request message over the air (the same as over the wire on a LAN) to the DHCP relay agent, the access point, and this agent then forwards it to the DHCP server.

When the DHCP server receives a message from a relay agent containing a RADIUS Attributes suboption, it extracts the contents of the suboption and uses that information in selecting configuration parameters for the client; this is what I understand.

Can you help confirm and answer this question: when does the client get its IP address (DHCP IP address)? Before the authentication process executes at the RADIUS/TACACS server (so it is authenticated later for access permission), or after the authentication process is completed (meaning the client can only get a DHCP IP address after it is successfully authenticated by RADIUS/TACACS)? My understanding is still DHCP IP address first, then RADIUS/TACACS server authentication.

Thank you in advance.

  • Jared 5,498 posts since
    Jul 27, 2008
    1. Jun 16, 2011 10:58 AM (in response to hungtx)
    Re: DHCP IP address and RADIUS/TACACS Server

    I think it depends on the configuration, but for me, my stuff is set up where no IP is given until after RADIUS authentication is successful.

  • Jason B 178 posts since
    Nov 16, 2008
    2. Jun 16, 2011 2:21 PM (in response to Jared)
    Re: DHCP IP address and RADIUS/TACACS Server

    Layer 2 authentications, such as those involving EAP, are performed prior to a client obtaining an IP address. This is because no access is given to the access point until after an access-accept message is sent from the RADIUS server. Layer 3 authentications, such as web authentication, obviously require an IP address and happen afterwards.

  • Jared 5,498 posts since
    Jul 27, 2008
    3. Jun 16, 2011 3:18 PM (in response to Jason B)
    Re: DHCP IP address and RADIUS/TACACS Server

    This is true; that's why I stated it depends on how you set it up. The only time I use layer 3 authentication right now is for guest access. Everything else is layer 2 auth for me..... for now.

  • Jason B 178 posts since
    Nov 16, 2008
    4. Jun 16, 2011 3:23 PM (in response to Jared)
    Re: DHCP IP address and RADIUS/TACACS Server

    The question specifically asked about WEP/WPA/WPA2, all of which are layer 2 (as you know). Therefore, these take place in every case before an IP address is handed out to the client.

    Also, don't confuse TACACS+/RADIUS used for management of devices with EAP used for client authentication. Yes, EAP uses RADIUS. And, the DHCP server can get RADIUS attributes from the RADIUS server for that particular client, which it sends back to the RADIUS server to forward to the client. However, the layer 2 authentication via EAP (if using WPA/WPA2 or Dynamic WEP) must be successful in order for that information to be passed on to the client.
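
Added example, not part of the original thread: a small Python check of the ordering discussed above, flagging any client on a layer 2 (EAP) SSID that received a DHCP lease without a prior RADIUS Access-Accept, while allowing the lease-first order on a web authentication SSID. The log format, event names, SSID names and `POLICY` mapping are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events; the line format is an assumption, not real
# controller, RADIUS or DHCP server output.
SAMPLE_LOG = """\
10:00:01 ssid=corp mac=aa:bb:cc:00:00:01 event=ASSOC
10:00:02 ssid=corp mac=aa:bb:cc:00:00:01 event=RADIUS_ACCESS_ACCEPT
10:00:03 ssid=corp mac=aa:bb:cc:00:00:01 event=DHCP_ACK ip=10.1.0.21
10:00:05 ssid=guest mac=aa:bb:cc:00:00:02 event=ASSOC
10:00:06 ssid=guest mac=aa:bb:cc:00:00:02 event=DHCP_ACK ip=192.168.50.7
10:00:40 ssid=guest mac=aa:bb:cc:00:00:02 event=WEBAUTH_SUCCESS
10:01:00 ssid=corp mac=aa:bb:cc:00:00:03 event=ASSOC
10:01:01 ssid=corp mac=aa:bb:cc:00:00:03 event=DHCP_ACK ip=10.1.0.22
10:01:02 ssid=corp mac=aa:bb:cc:00:00:04 event=ASSOC
10:01:03 ssid=corp mac=aa:bb:cc:00:00:04 event=RADIUS_ACCESS_REJECT
"""

LINE = re.compile(r"^\S+ ssid=(\S+) mac=(\S+) event=(\S+)")
# Assumed policy: which SSID uses layer 2 (EAP) or layer 3 (web) authentication.
POLICY = {"corp": "layer2", "guest": "layer3"}

def first(seq, name):
    """Index of the first occurrence of an event, or None if it never happened."""
    return seq.index(name) if name in seq else None

def classify(log, policy=POLICY):
    """Map (ssid, mac) to a verdict from the order of auth and DHCP events."""
    events = defaultdict(list)
    for line in log.splitlines():  # lines are assumed to be in time order
        m = LINE.match(line)
        if m:
            events[(m.group(1), m.group(2))].append(m.group(3))
    verdicts = {}
    for key, seq in events.items():
        dhcp = first(seq, "DHCP_ACK")
        if dhcp is None:
            verdicts[key] = "no lease"
        elif policy.get(key[0], "layer2") == "layer2":
            # EAP: Access-Accept must precede any lease (unknown SSIDs are held to this too).
            accept = first(seq, "RADIUS_ACCESS_ACCEPT")
            ok = accept is not None and accept < dhcp
            verdicts[key] = "ok" if ok else "violation: lease before Access-Accept"
        else:
            # Web auth: the client needs an address before it can authenticate.
            web = first(seq, "WEBAUTH_SUCCESS")
            verdicts[key] = "ok" if web is not None else "lease held, web auth pending"
    return verdicts
```

Calling `classify(SAMPLE_LOG)` returns one verdict per client; the third constructed client is the case to investigate, since it holds a lease on the EAP SSID with no Access-Accept on record.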

  • Steven Williams 3,266 posts since
    Jan 26, 2009
    5. Jun 16, 2011 3:39 PM (in response to Jason B)
    Re: DHCP IP address and RADIUS/TACACS Server

    "Layer 3 authentications, such as web authentication, obviously require an IP address and happen afterwards."

    I would guess that because of this, web authentication should only be used on your guest network.

  • Jason B 178 posts since
    Nov 16, 2008
    6. Jun 16, 2011 3:50 PM (in response to Steven Williams)
    Re: DHCP IP address and RADIUS/TACACS Server

    That's typical. However, there can be different reasons for using it. And, you can combine static WEP or WPA/WPA2-PSK with it, if you need layer 2 encryption as well.

  • Jared 5,498 posts since
    Jul 27, 2008
    7. Jun 16, 2011 6:50 PM (in response to Jason B)
    Re: DHCP IP address and RADIUS/TACACS Server

    Hey Jason,

    I have considered another use for Layer 3 authentication. Currently, we do not allow personal devices on our network. The Guest network is set up for Guests and no one else.... We are considering allowing personal devices on our network and I have thought about using layer 3 as an authentication method, just so people don't have to try to configure their devices.

    It's been a long discussion and still continuing. I know that I could use other methods, but this would be one that would be very easy for end users.
