Configuration Guide Vol. 2


5.3.2 Permit communication of pre-authentication terminal

<Structure of this section>

(1) Authentication-only IPv4 access list

Unauthenticated terminals must be able to communicate with the DHCP server and DNS server to obtain distributed IP addresses and perform name resolution.

To enable a terminal in the pre-authentication status to communicate with a device outside the Switch (such as a DHCP server or DNS server), set the authentication-only IPv4 access list (hereinafter referred to as the authentication IPv4 access list) on the pre-authentication VLAN.

Figure 5-5: Communication performed after the authentication-only IPv4 access list has been set


The authentication IPv4 access list differs from standard access lists (such as those configured by the ip access-group configuration command) in that its filter conditions no longer apply after authentication has taken place. Note that the filter conditions defined in a standard access list take priority over those in the authentication IPv4 access list. If you configure both a standard access list and an authentication IPv4 access list for an authenticating port, the filter conditions in the standard access list apply both before and after authentication. For this reason, make sure that you also include the filter conditions of the authentication IPv4 access list in the standard access list.

Before an unauthenticated terminal can obtain an IP address distributed from an external DHCP server or the Switch's internal DHCP server, the authentication IPv4 access list must permit the transmission of DHCP packets to the DHCP server. Make sure that you include filter conditions like the following in the access list:

Example of filter conditions required for DHCP access:

In this example, the IP address of the DHCP server is 10.10.10.254, and the subnetwork of the terminal being authenticated is 10.10.10.0/24.

permit udp 10.10.10.0 0.0.0.255 host 10.10.10.254 eq bootps
permit udp host 0.0.0.0 host 10.10.10.254 eq bootps
permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
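The following is an added example, not code from the configuration guide: a small Python model of how the three DHCP filter conditions above combine with a standard access list, used to check which packets an unauthenticated terminal can still send. The sample packets, the entry parser, the wildcard-mask handling and the evaluation order (first match wins with an implicit deny, standard list evaluated first in both states, authentication list consulted only while unauthenticated, no standard list meaning no restriction) are all assumptions made for the model; the guide does not describe the Switch's matching engine in this form.

```python
"""Added example (not from the configuration guide): model of an authentication
IPv4 access list combined with a standard IPv4 access list.

Assumptions made here, not stated by the guide in this form: entries are
evaluated first-match-wins with an implicit deny; a configured standard list is
evaluated first in both authentication states; the authentication list is only
consulted while the terminal is unauthenticated; no standard list = no restriction.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Port names accepted in the 'eq' clause (bootps = DHCP server, bootpc = DHCP client).
NAMED_PORTS = {"bootps": 67, "bootpc": 68, "domain": 53}
ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp", "tcp", ...
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str            # "ip" matches every IP protocol
    src_addr: int
    src_mask: int         # bits that are compared, i.e. the inverted wildcard
    dst_addr: int
    dst_mask: int
    dport: Optional[int]  # None = any destination port


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, 0, i + 1
    if tokens[i] == "host":
        return int(ipaddress.ip_address(tokens[i + 1])), ALL_ONES, i + 2
    addr = int(ipaddress.ip_address(tokens[i]))
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))  # 1 bits = "don't care"
    return addr, (~wildcard) & ALL_ONES, i + 2


def parse_entry(line: str) -> Entry:
    """Parse one 'permit|deny <proto> <src> <dst> [eq <port>]' line."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src_addr, src_mask, i = _parse_addr(tokens, 2)
    dst_addr, dst_mask, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
        dport = NAMED_PORTS[port] if port in NAMED_PORTS else int(port)
    return Entry(action, proto, src_addr, src_mask, dst_addr, dst_mask, dport)


def matches(entry: Entry, pkt: Packet) -> bool:
    if entry.proto not in ("ip", pkt.proto):
        return False
    if (int(ipaddress.ip_address(pkt.src)) & entry.src_mask) != (entry.src_addr & entry.src_mask):
        return False
    if (int(ipaddress.ip_address(pkt.dst)) & entry.dst_mask) != (entry.dst_addr & entry.dst_mask):
        return False
    return entry.dport is None or entry.dport == pkt.dport


def acl_permits(acl: List[Entry], pkt: Packet) -> bool:
    """First matching entry decides; no match means the implicit deny applies."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action == "permit"
    return False


def forwarded(standard_acl: Optional[List[Entry]], auth_acl: List[Entry],
              pkt: Packet, authenticated: bool) -> bool:
    """The standard list applies before and after authentication and takes
    priority; the authentication list only matters while unauthenticated."""
    if standard_acl is not None and not acl_permits(standard_acl, pkt):
        return False
    return authenticated or acl_permits(auth_acl, pkt)


# The three filter conditions from the guide (DHCP server 10.10.10.254, terminal subnet 10.10.10.0/24).
DHCP_AUTH_ACL = [parse_entry(line) for line in (
    "permit udp 10.10.10.0 0.0.0.255 host 10.10.10.254 eq bootps",
    "permit udp host 0.0.0.0 host 10.10.10.254 eq bootps",
    "permit udp host 0.0.0.0 host 255.255.255.255 eq bootps",
)]

# Constructed sample packets: the phases of a DHCP exchange plus a DNS query.
SAMPLE_PACKETS = {
    "dhcp_discover": Packet("udp", "0.0.0.0", "255.255.255.255", 67),   # no address yet, broadcast
    "dhcp_request":  Packet("udp", "0.0.0.0", "10.10.10.254", 67),      # no address yet, unicast
    "dhcp_renew":    Packet("udp", "10.10.10.23", "10.10.10.254", 67),  # renewal from assigned address
    "dns_query":     Packet("udp", "10.10.10.23", "10.10.10.254", 53),  # not covered by a DHCP-only list
}

# A standard list that forgets the DHCP conditions: it permits the terminal subnet
# but not the 0.0.0.0 source a terminal uses before it has an address.
STANDARD_WITHOUT_DHCP = [parse_entry("permit ip 10.10.10.0 0.0.0.255 any")]
# The corrected standard list also carries the authentication-list conditions, as the guide requires.
STANDARD_WITH_DHCP = DHCP_AUTH_ACL + STANDARD_WITHOUT_DHCP


def pre_auth_results(auth_acl, standard_acl=None):
    """Which sample packets an unauthenticated terminal can send through the port."""
    return {name: forwarded(standard_acl, auth_acl, pkt, authenticated=False)
            for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, std in (("no standard list", None),
                       ("standard list without DHCP", STANDARD_WITHOUT_DHCP),
                       ("standard list with DHCP", STANDARD_WITH_DHCP)):
        print(label, pre_auth_results(DHCP_AUTH_ACL, std))
```

Running the block shows the point of the note above: with only the authentication list, all three DHCP phases pass and the DNS query is dropped (the list needs a domain entry for that); with a standard list that covers only the 10.10.10.0/24 subnet, the discover and request packets sent from 0.0.0.0 are dropped before the authentication list is ever consulted, and they pass again once the same three DHCP conditions are copied into the standard list.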

Notes on configuring the authentication IPv4 access list:

Note the following when using the authentication ip access-group configuration command:

(2) ARP packet-relay function

The Switch does not normally forward ARP packets from unauthenticated terminals to external devices. However, you can configure the Switch to forward such packets by using the authentication arp-relay configuration command.

(3) Operational Layer 2 authentication

The following table describes which Layer 2 authentication types support authentication IPv4 access list and ARP packet relay functionality.

Table 5-10: Layer 2 authentication in which the authentication-only IPv4 access list and ARP packet-relay functionality operate

Functionality                   | IEEE802.1X                                                                               | Web Authentication                                    | MAC-based Authentication
                                | Port-based authentication | VLAN-based authentication (static) | VLAN-based authentication (dynamic) | Fixed VLAN mode | Dynamic VLAN mode | Legacy mode | Fixed VLAN mode | Dynamic VLAN mode
Authentication IPv4 access list | OK                        | OK                                 | OK                                  | OK              | OK                | NG          | OK              | OK
ARP packet relay functionality  | OK                        | OK                                 | OK                                  | OK              | OK                | NG          | OK              | OK

Legend: OK: Operable; NG: Inoperable

(4) Notes on setting DHCP snooping

If DHCP snooping deems an authenticating port to be an untrusted port, DHCP packets sent from that port will be subject to DHCP snooping even if bootps or bootpc is specified as the protocol name in the authentication IPv4 access list. In this situation, the Switch will only forward DHCP packets allowed by DHCP snooping.

Because the ARP packets sent from the terminal are also subject to DHCP snooping, the Switch will only forward ARP packets as DHCP snooping permits.