UAC and 802.1x questions

SOLVED
aeroplane_
Regular Contributor

UAC and 802.1x questions

Hello friends

Below are some of my queries with respect to IC and 802.1x authentication.

Q1- When the user is authenticated, how does the IC communicate with the endpoint PC to check its endpoint security? I mean, after authentication of the user, the endpoint PC doesn't have any IP address, so how does the IC communicate with the endpoint PC?

Q2- When the user is authenticated and its endpoint security status is OK, the IC maps this user to some role and the RADIUS attribute policy returns the VLAN tag, say VLAN 2. My questions are:

1- Now the switch port connected to that user is in VLAN 2. If we have many VLANs, let's say 8, then do we have to make 8 roles on the IC?

2- Suppose we decided VLAN 2 has subnet 192.168.1.0/24. When the switch port connected to the user gets the VLAN 2 tag and the user tries to get an IP address from the DHCP server, how does the DHCP server know the request is from a VLAN 2 user and that it should give an IP from the 192.168.1.0/24 subnet?

Many thanks

1 ACCEPTED SOLUTION
ManojReddy_
Contributor

Re: UAC and 802.1x questions

Answer to Q1: Communication between OAC and the switch happens in EAPoL messages. The switch converts these messages to EAP over RADIUS and sends them to the IC. EAPoL works at Layer 2 and doesn't need an IP for the machine to talk EAPoL. In the EAP over RADIUS communication, the switch's IP and the IC's IP will be used in the IP header. All the communication that is required for the IC to check endpoint integrity happens this way, before the machine gets an IP address.

Yes, you need 8 roles minimum, if your IC is assigning 8 VLANs to different users.

DHCP relay is the way to go if you want the same DHCP server to issue IP Addresses to different VLANs.

Message Edited by ManojReddy on 08-30-2009 11:46 PM

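To make the Q1 answer concrete, here is an added example in Python (not from the original thread, and not OAC or IC code): it builds the EAPoL frame a supplicant would put on the wire for an EAP Response/Identity, has the "switch" unwrap it and re-wrap the same EAP bytes in a RADIUS Access-Request addressed from the switch's own IP, and has the "IC" verify the Message-Authenticator and reassemble the EAP packet. The supplicant MAC, the identity, the NAS IP 10.0.0.2 and the shared secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Layer 2 side: what the supplicant (OAC) actually puts on the wire.
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
SUPPLICANT_MAC = bytes.fromhex("001122334455")   # constructed sample MAC
ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPE_EAP_PACKET = 0
EAP_CODE_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def build_eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    """EAP packet (RFC 3748): Code, Identifier, Length, Type, Type-Data."""
    return struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, 5 + len(identity),
                       EAP_TYPE_IDENTITY) + identity


def build_eapol_frame(eap: bytes) -> bytes:
    """Ethernet + EAPOL header around the EAP packet. There is no IP header
    anywhere in this frame: dst MAC, src MAC, EtherType 0x888E, then the
    EAPOL version/type/length and the EAP bytes."""
    eapol = struct.pack("!BBH", 1, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap
    return PAE_GROUP_ADDR + SUPPLICANT_MAC + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def extract_eap(frame: bytes) -> bytes:
    """Authenticator (switch) side: pull the EAP packet out of an EAPOL frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("EAPOL frame does not carry an EAP packet")
    return frame[18:18 + body_len]


# Layer 3 side: the switch re-wraps the same EAP bytes in RADIUS and sends them
# from its own IP to the IC's IP (RFC 2865 / RFC 3579).
ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80


def avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(eap: bytes, nas_ip: str, secret: bytes,
                         radius_id: int = 1, authenticator: bytes = None) -> bytes:
    """Access-Request carrying EAP-Message. RFC 3579 requires a
    Message-Authenticator: HMAC-MD5 keyed with the shared secret over the
    whole packet, computed with the attribute's 16 value bytes zeroed."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    attrs = b""
    if eap[0] == EAP_CODE_RESPONSE and eap[4] == EAP_TYPE_IDENTITY:
        attrs += avp(ATTR_USER_NAME, eap[5:])            # identity also goes in User-Name
    attrs += avp(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    for i in range(0, len(eap), 253):                   # EAP-Message fragments are <= 253 bytes
        attrs += avp(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, filled in below
    header = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse_attributes(pkt: bytes):
    """Yield (type, value) pairs from a RADIUS packet."""
    pos = 20
    while pos < len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        yield t, pkt[pos + 2:pos + length]
        pos += length


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """IC side: recompute the HMAC with the attribute zeroed and compare."""
    pos = 20
    while pos < len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += length
    return False


def reassemble_eap(pkt: bytes) -> bytes:
    """IC side: concatenate EAP-Message fragments back into one EAP packet."""
    return b"".join(v for t, v in parse_attributes(pkt) if t == ATTR_EAP_MESSAGE)


def switch_forwards(frame: bytes, nas_ip: str, secret: bytes, authenticator=None) -> bytes:
    """The authenticator's whole job for one supplicant frame: unwrap EAPOL,
    wrap in RADIUS. The supplicant never needed an IP address for this."""
    return build_access_request(extract_eap(frame), nas_ip, secret, authenticator=authenticator)
```

The point to take from it: the only addresses in the supplicant's frame are MACs, and the only IPs in the RADIUS packet are the switch's (NAS-IP-Address, and the IP header it is sent from) and the IC's. Endpoint-integrity data rides the same EAP channel, so it can be exchanged before the port is opened and before DHCP ever runs.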

4 REPLIES
lto_
Occasional Contributor

Re: UAC and 802.1x questions

Hi aeroplane,

I can respond to the Q2 part 2 question. If a DHCP server is used for several subnets, you will have to use a DHCP relay to forward the DHCP discover messages. Usually, the router which acts as the gateway for the subnet will have this role. See http://en.wikipedia.org/wiki/Dhcp#DHCP_Relaying for more info.

aeroplane_
Regular Contributor

Re: UAC and 802.1x questions

Hi Manoj

Thanks for the help. Can you please guide me on how a single DHCP server offer gives an IP to an endpoint on the basis of the VLAN tag? I mean, if one PC in VLAN 2 sends a request to the DHCP server, how will the DHCP server recognize that the request is from a VLAN 2 client and give an IP address from the VLAN 2 subnet accordingly?

Many thanks

ManojReddy_
Contributor

Re: UAC and 802.1x questions

Please look at the link LTO has suggested.

The following links also might help you in understanding how DHCP relay works.

http://www.juniper.net/techpubs/en_US/junos9.3/topics/task/configuration/dhcp-subscriber-access-dhcp-relay-interaction.pdf

http://support.microsoft.com/kb/120932

http://www.serverwatch.com/tutorials/article.php/2193031/Back-to-Basics-The-DHCP-Relay-Agent.htm

To put it simply, the DHCP relay agent (typically a router) will insert the IP address of the interface on which it received the DHCP discover message into the DHCP message and relay it to the DHCP server. The DHCP server looks at the IP of the router in the DHCP message, identifies from which subnet the request is coming, and allocates an IP from that subnet.

A simple search on your favourite search engine will give you a lot of results with a good amount of information.
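The relay behaviour described in this reply and in lto's earlier one, as an added Python example (not from the thread and not any vendor's code): a client DHCPDISCOVER with giaddr 0.0.0.0, a relay agent on the VLAN gateway stamping giaddr with the address of the interface it received the broadcast on, and a server that picks the scope containing giaddr and answers with a DHCPOFFER. The 192.168.1.0/24 subnet for VLAN 2 is from the question; the second subnet 192.168.2.0/24, the gateway addresses .1, the server address 10.0.0.5 and the pool starting at .10 are assumptions.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2


def build_discover(xid: int, client_mac: bytes) -> bytes:
    """Minimal DHCPDISCOVER (RFC 2131): BOOTP fixed fields, magic cookie,
    option 53 (message type) and the end option. giaddr starts as 0.0.0.0
    because the client broadcasts with no idea which subnet it is on."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4),      # ciaddr yiaddr siaddr giaddr
                        client_mac.ljust(16, b"\x00"), bytes(64), bytes(128))
    return fixed + MAGIC_COOKIE + bytes([53, 1, DHCPDISCOVER, 255])


def giaddr_of(msg: bytes) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(msg[24:28])


def yiaddr_of(msg: bytes) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(msg[16:20])


def relay_agent(msg: bytes, ingress_interface_ip: str) -> bytes:
    """What the relay (the VLAN's gateway router) does with a broadcast it
    receives on one of its VLAN interfaces: if no earlier relay has stamped
    giaddr, put its own interface address there, increment hops, and unicast
    the result to the DHCP server. Everything else is left untouched."""
    giaddr = msg[24:28]
    if giaddr == bytes(4):
        giaddr = ipaddress.IPv4Address(ingress_interface_ip).packed
    return msg[:3] + bytes([msg[3] + 1]) + msg[4:24] + giaddr + msg[28:]


class DhcpServer:
    """One server serving several VLAN subnets. The scope is chosen purely
    from giaddr: the relay's interface address tells the server which
    subnet the client is sitting on."""

    def __init__(self, scopes, server_ip: str):
        self.server_ip = ipaddress.IPv4Address(server_ip)
        self.pools = {}
        for s in scopes:
            net = ipaddress.ip_network(s)
            # assumption: hand out addresses from .10 upwards, leaving the
            # low addresses for the gateway and static hosts
            self.pools[net] = list(net.hosts())[9:]

    def select_scope(self, msg: bytes) -> ipaddress.IPv4Network:
        giaddr = giaddr_of(msg)
        if giaddr == ipaddress.IPv4Address("0.0.0.0"):
            raise ValueError("giaddr is 0.0.0.0: client is directly attached, not relayed")
        for net in self.pools:
            if giaddr in net:
                return net
        raise LookupError("no scope configured for relay %s" % giaddr)

    def handle_discover(self, msg: bytes) -> bytes:
        net = self.select_scope(msg)
        yiaddr = self.pools[net].pop(0)
        # DHCPOFFER: BOOTREPLY, same xid/chaddr/giaddr, yiaddr filled in.
        # The server sends it to giaddr on port 67; the relay then forwards
        # it onto the client's VLAN.
        options = (bytes([53, 1, DHCPOFFER])
                   + bytes([1, 4]) + net.netmask.packed       # subnet mask
                   + bytes([3, 4]) + msg[24:28]               # router = relay interface
                   + bytes([54, 4]) + self.server_ip.packed   # server identifier
                   + bytes([255]))
        fixed = bytes([BOOTREPLY]) + msg[1:16] + yiaddr.packed + msg[20:236]
        return fixed + MAGIC_COOKIE + options


def offer_for(server: DhcpServer, vlan_gateway_ip: str, client_mac: bytes, xid: int = 0x1234) -> bytes:
    """Full path for one client: broadcast on the VLAN, relay at the gateway, server."""
    return server.handle_discover(relay_agent(build_discover(xid, client_mac), vlan_gateway_ip))
```

Note that the server never sees the VLAN tag itself; the tag is stripped at the gateway. What it sees is the gateway's interface address in giaddr, which is why the relay interface on each VLAN must carry an address inside that VLAN's scope, and why a giaddr from an unconfigured subnet gets no offer at all.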