
Configure IP Authorization DHCP Server Mode

Network Requirements

  • The PCs connect to IP Network through Device, and Device has 802.1X access control enabled.
  • The authentication mode is RADIUS authentication.
  • PC1 gets its IP address from the specified DHCP server and can then access IP Network.
  • PC2 authenticates with a statically configured IP address and cannot access IP Network.

Network Topology


Figure 12-10 Networking of configuring 802.1X IP authorization DHCP Server mode

Configuration Steps

Step 1: Configure the link type of the VLAN and interface on Device.

#Create VLAN2 and VLAN4 on Device, configure the port link type as Hybrid on gigabitethernet0/2, permit the services of VLAN2 to pass and configure PVID as 2.

Device#configure terminal
Device(config)#vlan 2,4
Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#switchport mode hybrid
Device(config-if-gigabitethernet0/2)#switchport hybrid untagged vlan 2
Device(config-if-gigabitethernet0/2)#switchport hybrid pvid vlan 2
Device(config-if-gigabitethernet0/2)#exit

#On gigabitethernet0/5 of Device, configure the port link type as Access, permit the services of VLAN2 to pass (omitted).

#Configure the port link type as Access on gigabitethernet0/4 of Device, permit the services of VLAN4 to pass (omitted).

Step 2: Configure the interface IP address of Device.

#Configure the IP address of VLAN4 as 130.255.167.1/24.

Device(config)#interface vlan 4
Device(config-if-vlan4)#ip address 130.255.167.1 255.255.255.0
Device(config-if-vlan4)#exit

Step 3: Configure the AAA authentication.

#Enable the AAA authentication on Device, adopt the RADIUS authentication mode, the server key is admin, the priority is 1, and the RADIUS server address is 130.255.167.167/24.

Device(config)#domain system
Device(config-isp-system)#aaa authentication dot1x radius-group radius
Device(config-isp-system)#exit
Device(config)#aaa server group radius radius
Device(config-sg-radius-radius)#server 130.255.167.167 priority 1 key admin

Step 4: Configure the AAA server.

#On the AAA server, configure the user name, password and key value as admin (omitted).

Step 5: Configure the DHCP server.

#On the DHCP server, configure the distributed IP address segment as 199.0.0.2-199.0.0.10 and the subnet mask as 255.255.255.0 (omitted).

Step 6: Enable the DHCP Snooping function on Device and configure port gigabitethernet0/5 of Device as a trust port.

Device(config)#dhcp-snooping
Device(config)#interface gigabitethernet 0/5
Device(config-if-gigabitethernet0/5)#dhcp-snooping trust
Device(config-if-gigabitethernet0/5)#exit

Step 7: Configure the 802.1X authentication on Device.

#Enable the 802.1X authentication of gigabitethernet0/2.

Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#dot1x port-control enable
Device(config-if-gigabitethernet0/2)#exit

#Configure the IP authorization of gigabitethernet0/2 as DHCP server mode.

Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#dot1x authorization ip-auth-mode dhcp-server
Device(config-if-gigabitethernet0/2)#exit

#Enable the ARP keepalive of gigabitethernet0/2.

Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#dot1x client-probe enable
Device(config-if-gigabitethernet0/2)#exit

Step 8: Check the result.

#The PC1 user authenticates successfully, gets an IP address from the DHCP server and can access IP Network.

Device#show dot1x user 
------------------------------------
NO 1 : MAC_ADDRESS= 3883.45ef.7984 STATUS=     Authorized   USER_NAME= admin
         VLAN=    2       INTERFACE= gi0/2          USER_TYPE= DOT1X
         AUTH_STATE= AUTHENTICATED BACK_STATE= IDLE           IP_ADDRESS= 199.0.0.3
         IPV6_ADDRESS= Unknown
 
         Online time: 0 week 0 day 0 hours 0 minutes 36 seconds

Total: 1 Authorized: 1 Unauthorized/guest/critical: 0/0/0 Unknown: 0

#After the PC2 user authenticates, the session stays in the GET_IP state and cannot get an IP address.

NO 1 : MAC_ADDRESS= 3883.45ef.f381 STATUS=     Unauthorized   USER_NAME= admin
         VLAN=    2       INTERFACE= gi0/2            USER_TYPE= DOT1X
         AUTH_STATE= GET_IP         BACK_STATE= IDLE             IP_ADDRESS= Unknown
         IPV6_ADDRESS= Unknown
 
         Online time: 0 week 0 day 0 hour 0 minute 34 seconds

Total: 1 Authorized: 0 Unauthorized/guest/critical: 1/0/0 Unknown: 0

#After checking, PC2 cannot access IP Network.
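
The Step 8 check can be scripted. The following is an added example, not code from the vendor documentation: it parses the show dot1x user output shown above and reports sessions that sit in GET_IP or hold an address outside the DHCP range from Step 5. The function names are assumptions of this example, and the field layout is assumed to match the output on this page.

```python
import ipaddress
import re

# Copied from the two "show dot1x user" outputs shown on this page.
SAMPLE = """\
NO 1 : MAC_ADDRESS= 3883.45ef.7984 STATUS=     Authorized   USER_NAME= admin
         VLAN=    2       INTERFACE= gi0/2          USER_TYPE= DOT1X
         AUTH_STATE= AUTHENTICATED BACK_STATE= IDLE           IP_ADDRESS= 199.0.0.3
         IPV6_ADDRESS= Unknown
NO 1 : MAC_ADDRESS= 3883.45ef.f381 STATUS=     Unauthorized   USER_NAME= admin
         VLAN=    2       INTERFACE= gi0/2            USER_TYPE= DOT1X
         AUTH_STATE= GET_IP         BACK_STATE= IDLE             IP_ADDRESS= Unknown
         IPV6_ADDRESS= Unknown
"""

# DHCP range from Step 5.
POOL_FIRST = ipaddress.ip_address("199.0.0.2")
POOL_LAST = ipaddress.ip_address("199.0.0.10")
FIELD = re.compile(r"([A-Z0-9_]+)=\s*(\S+)")   # e.g. "AUTH_STATE= GET_IP"

def parse_dot1x_users(text):
    """Return one dict of fields per 'NO n :' record."""
    users = []
    for line in text.splitlines():
        if re.match(r"\s*NO\s+\d+\s*:", line):
            users.append({})            # a new user record starts here
        if users:
            users[-1].update(FIELD.findall(line))
    return users

def audit(users):
    """Return (mac, reason) for sessions that did not lease from the pool."""
    findings = []
    for u in users:
        mac, ip = u.get("MAC_ADDRESS"), u.get("IP_ADDRESS")
        if u.get("AUTH_STATE") == "GET_IP":
            findings.append((mac, "authenticated, no DHCP lease (GET_IP)"))
        elif u.get("STATUS") == "Authorized":
            try:
                in_pool = POOL_FIRST <= ipaddress.ip_address(ip) <= POOL_LAST
            except (ValueError, TypeError):
                in_pool = False
            if not in_pool:
                findings.append((mac, f"authorized outside DHCP pool: {ip}"))
    return findings

if __name__ == "__main__":
    for mac, reason in audit(parse_dot1x_users(SAMPLE)):
        print(mac, reason)
```

Run against the page's output, only the PC2 session (3883.45ef.f381) is reported.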