Answered NAP 802.1X Enforcement and DHCP

  • Wednesday, June 13, 2012 5:27

    Hi,

    We want to implement NAP 802.1X Enforcement. In general, if a client is compliant it is placed on one VLAN and if not it is placed on another. Everything is OK with this part. But I'm unclear about the DHCP part, as all of our clients use DHCP to obtain addresses.

    So my question would be: is it possible to do the following with only one DHCP server? The thing is, if a client is compliant it is placed in, let's say, VLAN1 and is given an IP from the DHCP server's scope 1, and if it's not, it is given an IP from another scope on the DHCP server. We use reservations for all of our clients on the DHCP server. And the DHCP server is on, let's say, LAN A, VLAN 1 is on LAN B and VLAN 2 is on LAN C. Thanks.

All replies

  • Wednesday, June 13, 2012 19:46
    Owner
     
     Answered

    Hi,

    Yes, you can provide different address ranges to different VLANs. When the DHCP request is forwarded to the DHCP server, the switch includes the giaddr, which is different depending on which VLAN the request came from. See http://technet.microsoft.com/en-us/library/cc958924.aspx.

    Sample switch config:

    vlan 1
       name "Management"
       untagged 2-26
       ip address 10.0.0.2 255.0.0.0
       no untagged 1
       exit
    vlan 2
       name "Compliant"
       ip address 20.0.0.1 255.255.0.0
       ip helper-address 10.0.0.1
       exit
    vlan 3
       name "NonCompliant"
       untagged 1
       ip address 30.0.0.1 255.255.0.0
       ip helper-address 10.0.0.1
       exit

    -Greg
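The scope-selection mechanics Greg describes, as an added example that is not part of the original thread or of Windows DHCP itself: a minimal DHCPDISCOVER is built the way a relay agent (the switch's `ip helper-address`) would forward it, with the giaddr field set to the VLAN interface address, and a toy server picks the scope whose subnet contains that giaddr. The addresses mirror the sample switch config above (server 10.0.0.1, relay interfaces 20.0.0.1 and 30.0.0.1); the scope table, reservation table and in-use set are constructed for the example. It also shows the point the original poster's reservations raise: a Windows DHCP reservation belongs to one scope, so a client that can land in either VLAN needs a reservation in each scope to keep a fixed address in both.

```python
"""Added example (not from the original thread): giaddr-based DHCP scope
selection for a one-server, two-VLAN NAP 802.1X design.

Packet layout follows RFC 2131 section 2. Scopes, reservations and the
in-use address set below are constructed stand-ins for a real DHCP server's
configuration, not data from the original post.
"""
import ipaddress
import struct
from typing import Optional, Tuple

# Fixed BOOTP header offsets: giaddr occupies bytes 24-27, chaddr starts at 28.
GIADDR_OFFSET = 24
CHADDR_OFFSET = 28
MIN_DHCP_LEN = 240            # 236-byte fixed header + 4-byte magic cookie
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Constructed scope table: one DHCP server, one scope per VLAN (see switch config).
SCOPES = {
    "Management":   ipaddress.ip_network("10.0.0.0/8"),
    "Compliant":    ipaddress.ip_network("20.0.0.0/16"),
    "NonCompliant": ipaddress.ip_network("30.0.0.0/16"),
}

# Constructed reservations, keyed by scope then MAC. A reservation lives inside
# one scope, so the same client is reserved once per VLAN it may be placed in.
RESERVATIONS = {
    "Compliant":    {"00:11:22:33:44:55": "20.0.1.10"},
    "NonCompliant": {"00:11:22:33:44:55": "30.0.1.10"},
}

# Constructed: addresses the dynamic pool must never hand out
# (DHCP server, switch management address, VLAN gateway interfaces).
IN_USE = {"10.0.0.1", "10.0.0.2", "20.0.0.1", "30.0.0.1"}


def build_discover(mac: str, giaddr: str = "0.0.0.0", xid: int = 0x3903F326) -> bytes:
    """Build a DHCPDISCOVER as a relay agent would forward it (giaddr filled in)."""
    hw = bytes.fromhex(mac.replace(":", ""))
    header = struct.pack(
        "!BBBBIHH4s4s4s4s",
        1,                 # op: BOOTREQUEST
        1,                 # htype: Ethernet
        len(hw),           # hlen
        1,                 # hops: incremented by the relay agent
        xid,
        0,                 # secs
        0x8000,            # flags: broadcast bit set
        b"\0" * 4,         # ciaddr
        b"\0" * 4,         # yiaddr
        b"\0" * 4,         # siaddr
        ipaddress.ip_address(giaddr).packed,  # giaddr: relay's VLAN interface
    )
    chaddr = hw + b"\0" * (16 - len(hw))
    sname_file = b"\0" * (64 + 128)
    options = MAGIC_COOKIE + bytes([53, 1, 1]) + bytes([255])  # option 53 = DISCOVER
    return header + chaddr + sname_file + options


def parse_giaddr(pkt: bytes) -> ipaddress.IPv4Address:
    """Return the relay agent address; reject packets too short to be DHCP."""
    if len(pkt) < MIN_DHCP_LEN or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    return ipaddress.IPv4Address(pkt[GIADDR_OFFSET:GIADDR_OFFSET + 4])


def parse_mac(pkt: bytes) -> str:
    """Return the client hardware address from chaddr, honouring hlen."""
    hlen = pkt[2]
    return ":".join(f"{b:02x}" for b in pkt[CHADDR_OFFSET:CHADDR_OFFSET + hlen])


def select_scope(pkt: bytes, receiving_interface: str) -> Optional[str]:
    """Pick the scope by giaddr. A zero giaddr means the client is on the
    server's own subnet, so the receiving interface address is used instead."""
    giaddr = parse_giaddr(pkt)
    key = giaddr if int(giaddr) != 0 else ipaddress.ip_address(receiving_interface)
    for name, net in SCOPES.items():
        if key in net:
            return name
    return None  # no matching scope: a real server drops the request


def offer_address(pkt: bytes, receiving_interface: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (scope, address) the server would offer: the reservation in the
    selected scope if one exists, otherwise the first free pool address."""
    scope = select_scope(pkt, receiving_interface)
    if scope is None:
        return None, None
    reserved = RESERVATIONS.get(scope, {}).get(parse_mac(pkt))
    if reserved:
        return scope, reserved
    taken = IN_USE | set(RESERVATIONS.get(scope, {}).values())
    for host in SCOPES[scope].hosts():
        if str(host) not in taken:
            return scope, str(host)
    return scope, None  # scope exhausted


if __name__ == "__main__":
    for vlan_if in ("20.0.0.1", "30.0.0.1"):
        pkt = build_discover("00:11:22:33:44:55", vlan_if)
        print(vlan_if, "->", offer_address(pkt, "10.0.0.1"))
```

The same MAC gets 20.0.1.10 when relayed from the compliant VLAN and 30.0.1.10 from the non-compliant one, purely because the giaddr differs; a client whose reservation exists in only one of the two scopes falls back to a dynamic lease in the other.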

  • Thursday, June 14, 2012 8:30

    Greg, can you explain one more thing I noticed? :)

    I have the following situation. I have a network policy. One of its conditions is a health check condition. I have a connection request policy. It has the "override network policy authentication settings" option checked and has PEAP enabled there. All of this works great. NPS is able to validate a healthy client using the network policy I created. BUT... if I remove the override option and the client tries to connect, it simply skips my network policy. So the question is WHY? The network policy has its Authentication Methods configured to PEAP too. So why does the client skip this policy? If I remove the health condition, the client is able to use the policy again :/ I'm a little lost here.

  • Thursday, June 14, 2012 16:11
    Owner

    Hi,

    I wondered about this too the first time I configured NAP with 802.1X. It wasn't working, and someone pointed out that I had forgotten to select this checkbox. It was explained to me that, because of the way 802.1X works, health and identity cannot both be evaluated in a single phase, but need to be broken into two phases. First, identity is evaluated in the connection request policy; then health is evaluated in the network policy. I hope this explains it for you.

    -Greg