For the WEP/WPA/WPA2 authentication method, I know that the client can get a DHCP IP address first, then we go to entering the password/pre-shared key for authentication to get access.
Today, one question was raised in my mind about DHCP packets and RADIUS/TACACS authentication packets. When a client boots up, it sends a DHCP request message over the air (same for LAN over the wire) to the DHCP relay agent - the Access Point - then this agent (AP) forwards it to the DHCP server.
When the DHCP server receives a message from a relay agent containing a RADIUS Attributes suboption, it extracts the contents of the suboption and uses that information in selecting configuration parameters for the client; this is what I understand.
Can you help to confirm and answer the question: when does the client get an IP address (DHCP IP address)? Before the authentication process executes at the RADIUS/TACACS server (and it will then be authenticated later for access permission), or after the authentication process is completed (meaning the client can only get a DHCP IP address after it is successfully authenticated by RADIUS/TACACS)? My understanding is still DHCP IP address first, then RADIUS/TACACS server authentication.
Thank you in advance.
I think it depends on the configuration, but for me, my stuff is set up where no IP is given until after RADIUS authentication is successful.
Layer 2 authentications, such as those involving EAP, are performed prior to a client obtaining an IP address. This is because no access is given to the access point until after an Access-Accept message is sent from the RADIUS server. Layer 3 authentications, such as web authentication, obviously require an IP address and happen afterwards.
This is true; that's why I stated it depends on how you set it up. The only time I use layer 3 authentication right now is for guest access. Everything else is layer 2 auth for me... for now.
The question specifically asked about WEP/WPA/WPA2, all of which are layer 2 (as you know). Therefore, these take place in every case before an IP address is handed out to the client.
Also, don't confuse TACACS+/RADIUS used for management of devices with EAP used for client authentication. Yes, EAP uses RADIUS. And the DHCP server can get RADIUS attributes from the RADIUS server for that particular client, which it sends back to the RADIUS server to forward to the client. However, the layer 2 authentication via EAP (if using WPA/WPA2 or Dynamic WEP) must be successful in order for that information to be passed on to the client.
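As an added illustration of the ordering described in this reply (not code from the thread or from any vendor), here is a small Python model of an 802.1X controlled port on an AP: until the RADIUS server returns Access-Accept, only EAPOL frames pass and a DHCP Discover is dropped; the EtherType values are the real ones, the frames themselves are constructed.

```python
# Constructed example: a simplified 802.1X authenticator port for one client.
# The uncontrolled port always passes EAPOL (EtherType 0x888E); the controlled
# port passes everything else only after RADIUS Access-Accept (code 2).

EAPOL_ETHERTYPE = 0x888E   # 802.1X / EAPOL
IPV4_ETHERTYPE = 0x0800    # IPv4, which carries DHCP over UDP

RADIUS_ACCESS_ACCEPT = 2
RADIUS_ACCESS_REJECT = 3


class ControlledPort:
    """Per-client port state on the authenticator (AP or switch)."""

    def __init__(self):
        self.authorized = False
        self.log = []

    def handle_radius(self, code):
        # Only Access-Accept opens the controlled port; anything else keeps it closed.
        self.authorized = (code == RADIUS_ACCESS_ACCEPT)
        state = "authorized" if self.authorized else "unauthorized"
        self.log.append(f"radius code {code}: port {state}")

    def forward(self, frame):
        """Return True if the frame is passed toward the wired network."""
        ethertype, desc = frame
        if ethertype == EAPOL_ETHERTYPE:
            self.log.append(f"pass  {desc} (EAPOL allowed before authentication)")
            return True
        if self.authorized:
            self.log.append(f"pass  {desc}")
            return True
        self.log.append(f"drop  {desc} (port unauthorized)")
        return False


def simulate():
    """Client boots, tries DHCP, authenticates via EAP, then DHCP succeeds."""
    port = ControlledPort()
    results = [port.forward((IPV4_ETHERTYPE, "DHCP Discover"))]      # before auth: dropped
    results.append(port.forward((EAPOL_ETHERTYPE, "EAPOL-Start")))
    results.append(port.forward((EAPOL_ETHERTYPE, "EAP-Response/Identity")))
    port.handle_radius(RADIUS_ACCESS_ACCEPT)                          # server accepts client
    results.append(port.forward((IPV4_ETHERTYPE, "DHCP Discover")))   # after auth: forwarded
    return results, port.log


if __name__ == "__main__":
    for line in simulate()[1]:
        print(line)
```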
Layer 3 authentications, such as web authentication, obviously require an IP address and happen afterwards.
I would guess that because of this, web authentication should only be used on your guest network.
That's typical. However, there can be different reasons for using it. And you can combine static WEP or WPA/WPA2-PSK with it, if you need layer 2 encryption as well.
I have considered another use for layer 3 authentication. Currently, we do not allow personal devices on our network. The guest network is set up for guests and no one else. We are considering allowing personal devices on our network, and I have thought about using layer 3 as an authentication method, just so people don't have to try to configure their devices.
It's been a long discussion and it is still continuing. I know that I could use other methods, but this would be one that would be very easy for end users.