5.3.1 Permit communication of pre-authentication terminal
(1) Authentication-only access list
A terminal that has not yet been authenticated must still be able to reach the DHCP server (to obtain an IP address) and the DNS server (to perform name resolution).
To let a terminal in the pre-authentication state communicate with devices outside the Switch (such as DHCP and DNS servers), apply an access list dedicated to authentication (hereinafter referred to as the authentication-only access list) to the pre-authentication VLAN.
Two types of authentication-only access list are available:
- Authentication-only IPv4 access list (IPv4 packet filter)
- Authentication-only MAC access list (MAC filter)
If both an authentication-only IPv4 access list and an authentication-only MAC access list are applied to the same interface and a received frame matches entries in both, the filter condition of the authentication-only MAC access list takes precedence.
[Communication example after setting the authentication-only access list]
The following describes communication after an authentication-only access list has been configured, using an authentication-only IPv4 access list as the example.
Figure 5-3: Communications after authentication-only IPv4 access lists are set
An authentication IPv4 access list differs from a standard access list (such as one applied by the ip access-group configuration command) in that its filter conditions apply only while the terminal is in the pre-authentication state; once the terminal has been authenticated, they no longer apply to its traffic.
Whether IPv4 addresses are distributed to terminals by the DHCP server function built into the Switch or by an external DHCP server, the authentication-only IPv4 access list must contain filter conditions that allow DHCP packets to reach the target server. Include filter conditions such as the following in the access list:
[Example of filter conditions required for DHCP access]
In this example, the IP address of the DHCP server is 10.10.10.254 and the subnet of the terminals being authenticated is 10.10.10.0/24.
permit udp 10.10.10.0 0.0.0.255 host 10.10.10.254 eq bootps
permit udp host 0.0.0.0 host 10.10.10.254 eq bootps
permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
The first entry permits DHCP sent to the server by a terminal that already holds an address in the subnet (for example, a lease renewal). The second and third entries permit DHCP from a terminal that has no address yet (source 0.0.0.0), sent either directly to the server or as a broadcast.
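The following is an added example, not part of the original manual and not the Switch's own filter implementation. It models how the access list entries above are matched against a packet (wildcard-mask comparison, first matching entry wins, implicit deny) so that a candidate authentication-only IPv4 access list can be checked offline against each stage of a DHCP lease and a DNS query. The DNS entry, the resolver address 10.10.10.253, the client address 10.10.10.5 and the port-name table are assumptions; the DHCP stages are the standard client behaviours (initial broadcast, unicast from an unaddressed client, unicast renewal, broadcast rebind) and are constructed here, not taken from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the section's example access list, plus one assumed entry
# for DNS (the section says DNS must be reachable but shows no entry for it).
# 10.10.10.253 is a hypothetical resolver address.
AUTH_ACL = """
permit udp 10.10.10.0 0.0.0.255 host 10.10.10.254 eq bootps
permit udp host 0.0.0.0 host 10.10.10.254 eq bootps
permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
permit udp 10.10.10.0 0.0.0.255 host 10.10.10.253 eq domain
"""

# Assumed port-name table for the names used above.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}


@dataclass
class Entry:
    action: str
    proto: str
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    dst_port: Optional[int]


def _parse_addr(tokens, i):
    """Parse 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, wildcard, next index)."""
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_acl(text):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]' lines into Entry objects."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        action, proto = t[0], t[1]
        src, swild, i = _parse_addr(t, 2)
        dst, dwild, i = _parse_addr(t, i)
        port = None
        if i < len(t):
            # The section states that port ranges (and user-priority / vlan
            # conditions) are not applied by authentication ip access-group,
            # so anything other than a single 'eq' port is rejected here.
            if t[i] != "eq":
                raise ValueError("unsupported condition for authentication-only access list: "
                                 + " ".join(t[i:]))
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        entries.append(Entry(action, proto, src, swild, dst, dwild, port))
    return entries


def _match(addr, net, wildcard):
    """Wildcard-mask compare: bits set in the wildcard are 'don't care'."""
    return (addr & ~wildcard & 0xFFFFFFFF) == (net & ~wildcard & 0xFFFFFFFF)


def evaluate(entries, proto, src, dst, dport):
    """Return True if the packet is permitted. First matching entry wins; no match is a deny."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for e in entries:
        if e.proto != proto:
            continue
        if not _match(s, e.src_net, e.src_wild) or not _match(d, e.dst_net, e.dst_wild):
            continue
        if e.dst_port is not None and e.dst_port != dport:
            continue
        return e.action == "permit"
    return False


def check_dhcp_coverage(entries, server, client):
    """Map each DHCP client stage (constructed) to whether the access list permits it."""
    stages = {
        "discover": ("0.0.0.0", "255.255.255.255"),   # initial DISCOVER/REQUEST broadcast
        "unicast_unaddressed": ("0.0.0.0", server),   # unicast from a client with no address
        "renew": (client, server),                    # RENEWING: unicast to the lease server
        "rebind": (client, "255.255.255.255"),        # REBINDING: broadcast from an addressed client
    }
    return {name: evaluate(entries, "udp", s, d, 67) for name, (s, d) in stages.items()}


if __name__ == "__main__":
    acl = parse_acl(AUTH_ACL)
    for stage, ok in check_dhcp_coverage(acl, "10.10.10.254", "10.10.10.5").items():
        print(f"{stage:20s} {'permit' if ok else 'deny'}")
    print("dns query           ", "permit" if evaluate(acl, "udp", "10.10.10.5", "10.10.10.253", 53) else "deny")
```

Running the checker shows that the three example entries cover the initial broadcast, the unicast exchange from an unaddressed client and the unicast renewal, but not a REBINDING broadcast sent from a terminal that already holds an address; whether a terminal ever reaches that state while still unauthenticated depends on the lease time relative to how long terminals remain in the pre-authentication VLAN, so decide deliberately whether to add an entry for it.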
[Notes on setting an authentication-only access list]
Note the following when using the authentication ip access-group configuration command:
- Only one authentication IPv4 access list can be specified. Use the authentication ip access-group configuration command to apply the same settings on every port where authentication will take place.
- The following filter conditions, whether specified as permit or deny, are not applied by this command:
  - TCP port range specification
  - UDP port range specification
  - user-priority
  - vlan
- The Web authentication IP address is exempt from destination-address matching in the authentication IPv4 access list, so a terminal can still log in via the Web authentication IP address even when the access list's filter conditions would otherwise cover that address as a destination.
Note the following when using the authentication mac access-group configuration command:
- Only one authentication-only MAC access list can be specified. Use the authentication mac access-group configuration command to apply the same settings on every port where authentication will take place.
(2) ARP packet-relay function
By default, the Switch does not forward ARP packets from unauthenticated terminals to external devices. To have such packets forwarded, use the authentication arp-relay configuration command.
(3) Applicable Layer 2 authentication
The authentication-only access list and the ARP packet-relay function operate with all Layer 2 authentication methods.
(4) Notes on setting DHCP snooping
If DHCP snooping treats an authenticating port as an untrusted port, DHCP packets sent from that port are subject to DHCP snooping even when bootps or bootpc is specified as the protocol name in the authentication IPv4 access list. In this case, the Switch forwards only the DHCP packets that DHCP snooping allows.
ARP packets sent from the terminal are likewise subject to DHCP snooping, so the Switch forwards only the ARP packets that DHCP snooping permits.