The users can still obtain IP addresses even if they fail to be authenticated

Created: Aug 26, 2019 07:52:06 | Latest reply: Aug 26, 2019 07:57:24
  Rewarded Hi-coins: 0 (problem resolved)

I have configured 802.1x authentication on the S6720. I find that computers can still obtain IP addresses if they fail to be authenticated (although they can't access the Internet).

Here is the related configuration on the switch. Is there any error?

#
radius-server template rd1
 radius-server authentication XX.XX.XX.XX 1812
 radius-server accounting XX.XX.XX.XX 1813
 radius-server shared-key cipher XXXXXX
radius-server authorization XX.XX.XX.XX shared-key cipher XXXXXX
#
aaa
 domain do1
  authentication-scheme radius
  accounting-scheme radius
  radius-server rd1
#
dot1x-access-profile name d1
authentication-profile name p1
 dot1x-access-profile d1
 access-domain do1 force
#
interface gigabitethernet 1/0/0
 authentication-profile p1
#


Featured Answers
Popeye_Wang (Admin), created Aug 26, 2019 07:57:24

Hi Hobbit,

It's normal. The pre-connection is enabled by default. If the device is not configured to grant network access rights to users in pre-connection or authentication failure state, users who fail to be authenticated remain in the pre-connection state by default. Because the device allows DHCP packets from pre-connection users to pass through, the users can still obtain IP addresses although they do not have any network access rights.

You can run the undo authentication pre-authen-access enable command to disable the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state. This configuration ensures that the users cannot obtain IP addresses.
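
An added example, not part of the original thread or of Huawei's tooling: a Python check that reads a saved configuration laid out like the one in the question and lists the ports where users who fail 802.1X would stay in the pre-connection state and still complete DHCP. It assumes the command quoted in the answer appears verbatim in the configuration once it has been run; the function name and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the 802.1X part of the configuration from the question.
SAMPLE_CONFIG = """\
#
dot1x-access-profile name d1
authentication-profile name p1
 dot1x-access-profile d1
 access-domain do1 force
#
interface gigabitethernet 1/0/0
 authentication-profile p1
#
"""

# Command quoted in the answer. Assumption: it shows up verbatim in the dump.
PRE_AUTH_OFF = "undo authentication pre-authen-access enable"


def ports_in_pre_connection(config_text):
    """List ports where users who fail 802.1X can still complete DHCP."""
    dot1x_profiles = set()  # authentication profiles bound to a dot1x profile
    port_profile = {}       # interface -> authentication profile applied
    ctx = (None, None)      # (kind, name) of the view being parsed
    disabled = False
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # tolerate lost indentation
        if line == "#":
            ctx = (None, None)
        elif line == PRE_AUTH_OFF:
            disabled = True
        elif m := re.fullmatch(r"interface (.+)", line):
            ctx = ("port", m.group(1))
        elif m := re.fullmatch(r"authentication-profile name (\S+)", line):
            ctx = ("profile", m.group(1))
        elif m := re.fullmatch(r"dot1x-access-profile (\S+)", line):
            if ctx[0] == "profile":
                dot1x_profiles.add(ctx[1])
        elif m := re.fullmatch(r"authentication-profile (\S+)", line):
            if ctx[0] == "port":
                port_profile[ctx[1]] = m.group(1)
    if disabled:
        return []
    return sorted(p for p, prof in port_profile.items() if prof in dot1x_profiles)


if __name__ == "__main__":
    print("pre-connection DHCP possible on:", ports_in_pre_connection(SAMPLE_CONFIG))
```

An empty list means either no port enforces an 802.1X profile or the pre-connection function has been turned off with the command from the answer.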