5.3.2 Permitting communication for pre-authentication terminals
(1) Authentication IPv4 access list
Unauthenticated terminals must be able to communicate with the DHCP server and the DNS server so that they can obtain a distributed IP address and perform name resolution.
To let a terminal in the pre-authentication state communicate with devices outside the Switch (the DHCP server and DNS server), apply an authentication IPv4 access list to the pre-authentication VLAN.
The authentication IPv4 access list differs from a standard access list (such as one applied with the ip access-group configuration command) in that its filter conditions stop applying once the terminal has been authenticated. Note that the filter conditions of a standard access list take priority over those of the authentication IPv4 access list: if both a standard access list and an authentication IPv4 access list are configured on an authenticating port, the standard access list applies both before and after authentication. For this reason, make sure that the standard access list also contains the filter conditions of the authentication IPv4 access list.
Before an unauthenticated terminal can obtain an IP address distributed from an external DHCP server or the Switch's internal DHCP server, the authentication IPv4 access list must permit the transmission of DHCP packets to the DHCP server. Make sure that you include filter conditions like the following in the access list:
Example of the filter conditions required for DHCP access, where the IP address of the DHCP server is 10.10.10.254 and the subnetwork of the terminal being authenticated is 10.10.10.0/24:

    permit udp 10.10.10.0 0.0.0.255 host 10.10.10.254 eq bootps
    permit udp host 0.0.0.0 host 10.10.10.254 eq bootps
    permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
Notes on configuring the authentication IPv4 access list (these apply when using the authentication ip access-group configuration command):
- Only one authentication IPv4 access list can be specified. Configure the same authentication ip access-group settings on every port where authentication takes place.
- If the authentication IPv4 access list contains more filter conditions than the maximum, the configuration command ignores the excess conditions.
- The configuration command does not apply filter conditions, whether permit or deny, that specify any of the following:
  - a TCP port range
  - a UDP port range
  - user-priority
  - vlan
- The authentication functions implicitly discard every packet that is not explicitly permitted. This implicit discard does not count toward the number of filter conditions.
- If you add a terminal's IP address to the authentication IPv4 access list as a filter condition of the form permit ip host <ip address>, the Switch relays ARP packets from that terminal regardless of its authentication status, even without the authentication arp-relay configuration command.
- The Web authentication IP address is excluded from destination-address matching of the filter conditions in the authentication IPv4 access list, so the login operation can be performed using the Web authentication IP address even if that address is included as a destination IP address in the list.
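The notes above amount to a checklist that is easy to get wrong by hand: entries with unsupported options are silently not applied, entries past the maximum are silently dropped, a per-host permit ip entry quietly enables ARP relay, and every entry must be mirrored in the standard access list because that list takes priority before and after authentication. The following script is an added example (not part of the manual or the Switch software) that runs those checks offline against a list of entries. It assumes a simplified, Cisco-like entry syntax (permit/deny, protocol, source, optional destination, then eq/range/user-priority/vlan options), a contiguous wildcard mask, and a caller-supplied entry maximum; the sample lists at the bottom are constructed for illustration.

```python
"""Added example: offline sanity checker for an authentication IPv4 access list.

Not part of the switch firmware or its manual. Assumed entry syntax:
  permit|deny <proto> <src> [<dst>] [eq <port> | range <lo> <hi>] [user-priority <n>] [vlan <n>]
where an address is 'any', 'host A.B.C.D', or 'A.B.C.D <wildcard>'.
The per-list maximum (max_entries) is an assumption supplied by the caller.
"""
import ipaddress

# Options the manual says `authentication ip access-group` does not apply.
UNSUPPORTED = {"range", "user-priority", "vlan"}
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_address(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # Wildcard mask -> netmask (assumes a contiguous wildcard such as 0.0.0.255).
    netmask = ipaddress.IPv4Address((~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def parse_ace(line):
    """Return a dict describing one access-list entry."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = parse_address(tokens, 2)
    # The destination is optional: 'permit ip host 10.10.10.5' has none.
    if i < len(tokens) and (tokens[i] in ("any", "host") or tokens[i][0].isdigit()):
        dst, i = parse_address(tokens, i)
    else:
        dst = ANY
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "options": tokens[i:], "raw": " ".join(tokens)}


def check_auth_acl(auth_acl, standard_acl=(), max_entries=64):
    """Return (kind, entry) findings for an authentication IPv4 access list.

    Kinds:
      not_applied          entry uses an option the command ignores
      dropped_excess       entry is beyond the per-list maximum (counted in config order)
      arp_relay_implied    'permit ip host X' relays X's ARP without authentication arp-relay
      missing_in_standard  entry absent from the standard ACL, which takes priority
      no_dhcp_permit       nothing lets a 0.0.0.0 client reach UDP bootps
    """
    findings = []
    aces = [parse_ace(line) for line in auth_acl]
    standard = {" ".join(line.split()) for line in standard_acl}
    dhcp_ok = False
    for n, ace in enumerate(aces):
        if UNSUPPORTED & set(ace["options"]):
            findings.append(("not_applied", ace["raw"]))
            continue
        if n >= max_entries:
            findings.append(("dropped_excess", ace["raw"]))
            continue
        if (ace["action"] == "permit" and ace["proto"] == "ip"
                and ace["src"].prefixlen == 32 and ace["dst"] == ANY):
            findings.append(("arp_relay_implied", ace["raw"]))
        if standard and ace["raw"] not in standard:
            findings.append(("missing_in_standard", ace["raw"]))
        # A client with no lease sends DHCPDISCOVER from 0.0.0.0 to UDP/67 (bootps).
        if (ace["action"] == "permit" and ace["proto"] == "udp"
                and ace["options"][:2] == ["eq", "bootps"]
                and ipaddress.ip_address("0.0.0.0") in ace["src"]):
            dhcp_ok = True
    if not dhcp_ok:
        findings.append(("no_dhcp_permit", None))
    return findings


# Constructed sample lists (not taken from a real device).
AUTH_ACL = [
    "permit udp 10.10.10.0 0.0.0.255 host 10.10.10.254 eq bootps",
    "permit udp host 0.0.0.0 host 10.10.10.254 eq bootps",
    "permit udp host 0.0.0.0 host 255.255.255.255 eq bootps",
    "permit udp 10.10.10.0 0.0.0.255 host 10.10.10.253 eq domain",
    "permit tcp 10.10.10.0 0.0.0.255 any range 8080 8090",   # port range: not applied
    "permit ip host 10.10.10.99",                             # per-host: ARP relayed
]
STANDARD_ACL = AUTH_ACL[:4]  # the operator forgot to mirror the last two entries

if __name__ == "__main__":
    for kind, entry in check_auth_acl(AUTH_ACL, STANDARD_ACL):
        print(f"{kind:20s} {entry}")
```

Run it against your own lists by replacing AUTH_ACL and STANDARD_ACL; the checker reports problems in configuration order, which is also the order in which excess entries are dropped. It does not model the DHCP snooping interaction described in (4): even an entry the checker accepts is still subject to snooping on an untrusted port.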
(2) ARP packet relay function
By default, the Switch does not forward ARP packets from unauthenticated terminals to external devices. You can configure the Switch to forward such packets by using the authentication arp-relay configuration command.
(3) Applicable Layer 2 authentication
The following table shows which Layer 2 authentication types and modes support the authentication IPv4 access list and the ARP packet relay function.

| Functionality | IEEE802.1X port-based | IEEE802.1X VLAN-based (static) | IEEE802.1X VLAN-based (dynamic) | Web authentication fixed VLAN mode | Web authentication dynamic VLAN mode | Web authentication legacy mode | MAC-based authentication fixed VLAN mode | MAC-based authentication dynamic VLAN mode |
|---|---|---|---|---|---|---|---|---|
| Authentication IPv4 access list | OK | OK | OK | OK | OK | NG | OK | OK |
| ARP packet relay function | OK | OK | OK | OK | OK | NG | OK | OK |

Legend: OK: Operable; NG: Inoperable
(4) Notes on configuring DHCP snooping
If DHCP snooping treats an authenticating port as an untrusted port, DHCP packets sent from that port remain subject to DHCP snooping even if bootps or bootpc is specified as the protocol name in the authentication IPv4 access list. In that case the Switch forwards only the DHCP packets that DHCP snooping allows.
ARP packets sent from the terminal are likewise subject to DHCP snooping, so the Switch forwards only the ARP packets that DHCP snooping permits.