No DHCP IP Adress when authenticating with 802.1x(EAP-TLS)

Parcival21 (Technical User), Aug 27, 2002, DE
Hi there,

I have a quite confusing problem. We are trying to run 802.1x with EAP-TLS in our company network. The problem we are confronted with is that as soon as we use 802.1x and EAP-TLS the computer can authenticate to the network but it doesn't get an IP address (DHCP). I assume the following happens:
Sometime during the boot process the computer sends out a DHCP request to the DHCP server. The request is sent to the 802.1x switchport. Because the port is still in the controlled state the packet is dropped. This action is repeated a few times until the PC decides that it can't reach the DHCP server and chooses its own IP address (I think it was something like 169...). Some time later (the computer is still booting) the 802.1x authentication is started by the computer. Because the packets are EAP packets they are forwarded to the authentication server by the switch and the client can authenticate itself.
I don't know when this authentication takes place. Does anybody know? Does it take place before I start to authenticate against the Active Directory? If so I might be able to have someone add another ipconfig /renew to the start scripts.
Did anybody experience similar problems yet?
Are there any good solutions for this problem?
Any help would be appreciated,
One more thing, we have a self designed Windows 2000 image. Can that be the problem?


Thanks, busche
 
Hey Busche,
Try turning on the PORTFAST setting for the port that the DHCP client is plugging into. One of our local Cisco gurus told me it's a good idea to turn this on for ports that service regular servers, clients, printers, plotters, things like that.... but not if another switch is being plugged in.
Good luck..
Alan
 
I suggest a couple of things to work out where it is going wrong.

1. Disable 802.1x on a port but make sure it is in the same access VLAN as one of your 802.1x ports. Boot a PC on this and make sure it gets an IP address.

2. With 802.1x enabled when the PC has authenticated but not received an IP address try manually renewing the DHCP address with 'ipconfig /renew' - does this work?

3. Which 802.1x supplicant are you using? Microsoft's (included in SP4 for Windows 2000) or is it a 3rd party one?


I have this working and I didn't have any issues with DHCP as the PC sends a DHCP request after it has authenticated.

Good luck

Andy
 
Hi there,

Sorry but I wasn't online for a while. Thanks a lot for your input. Alan, I will try the portfast configuration.

Andy, point one works out well. Point 2 is also working. On point three, yes, I'm using the Microsoft client.
The problem probably has to do with our image. This image was specially designed for specific needs and seems to fit these needs. I heard that Microsoft had some DHCP problems and fixed them in SP4 or some other patch (don't know if this is true). Maybe the patch didn't fit our image. I will contact our scripting guys to see what's possible there. It should at least be possible to add an ipconfig /renew command to the start scripts after the authentication.

Bye,
busche
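A small simulation of the race described in the first post (DHCP retries dropped while the port is unauthorized, then APIPA fallback) together with the "ipconfig /renew after authentication" workaround from the follow-up. This is an added illustration, not code from the thread; the retry count, the lease 10.0.0.50 and the frame labels are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

APIPA_PREFIX = "169.254."   # Windows auto-configuration range used when DHCP fails


@dataclass
class SwitchPort:
    """802.1X port: before EAP-Success only EAPOL frames get through."""
    authorized: bool = False
    log: List[str] = field(default_factory=list)

    def accepts(self, frame: str) -> bool:
        ok = frame == "EAPOL" or self.authorized
        self.log.append(f"{frame}: {'forwarded' if ok else 'dropped (port unauthorized)'}")
        return ok


@dataclass
class Client:
    ip: Optional[str] = None

    def dhcp_discover(self, port: SwitchPort, retries: int = 4) -> str:
        for _ in range(retries):
            if port.accepts("DHCP"):
                self.ip = "10.0.0.50"          # constructed lease from the DHCP server
                return self.ip
        self.ip = APIPA_PREFIX + "1.1"          # every retry dropped: APIPA fallback
        return self.ip

    def authenticate(self, port: SwitchPort) -> bool:
        if port.accepts("EAPOL"):               # EAP-TLS exchange ends in EAP-Success
            port.authorized = True
        return port.authorized


def boot(renew_after_auth: bool) -> str:
    """Boot order on the affected image: DHCP client first, 802.1X later."""
    port, pc = SwitchPort(), Client()
    pc.dhcp_discover(port)
    pc.authenticate(port)
    if renew_after_auth and pc.ip.startswith(APIPA_PREFIX):
        pc.dhcp_discover(port)                  # the startup-script 'ipconfig /renew'
    return pc.ip


if __name__ == "__main__":
    print("without renew:", boot(False))       # 169.254.1.1
    print("with renew:   ", boot(True))        # 10.0.0.50
```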
 
Do you have multiple subnets in your network? If so, is your domain controller on the same subnet as your PCs and the DHCP server on a different subnet? If this is the case, try placing an IP helper address statement, where the IP address is that of your DHCP server, on each network in your router.
 