NPS, DHCP, and multiple VLAN's



Hoping BudMan can help me out!

 

I have a client whose network is divided (with VLANs) by floor in their building. With dot1x authentication enabled, all users are leasing an IP address from the first DHCP pool regardless of how the port is tagged.

 

So for instance, VLAN 700 is the 2nd floor VLAN. A user on the 3rd floor connects to a port tagged for VLAN 720, they authenticate through NPS and then receive an IP address from 700. (DHCP is installed on the NPS server)

 

Everything I have found online about 802.1x VLAN assignment suggests that you can assign a VLAN during authentication, but I haven't found anything that would help me tell the server which DHCP scope to lease addresses from based on how the port is already tagged on the switch. If there is a way to do this I would appreciate a nudge in the right direction.

 

The environment is all Cisco 3750X switches with Server 2012 R2 for NPS and DHCP. I'm thinking the way they have this network set up is not a supported way to accomplish this, but I need to know for sure. They are talking about using sticky-mac if they can't figure this out and I cringe at the thought of all the help desk issues that is going to cause.


Usually the DHCP server uses the address of the IP helper to determine which subnet to allocate from.

 

So rather than the server itself sitting in all the VLANs, there should be a DHCP relay on the router/L3 device to forward the DHCP request to the DHCP server.

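To make the relay point concrete, here is an added Python sketch (not from the thread or from any DHCP server implementation) of how a server picks a scope from the relay agent address, giaddr, that the switch's ip helper-address writes into the forwarded request. The scopes, the server's subnet and the DHCPDISCOVER packets are all constructed for the example.

```python
# Added example (not from the thread or any DHCP server): scope selection by giaddr.
import ipaddress
import struct

# Constructed scopes, one per floor VLAN as in the thread; addresses are made up.
SCOPES = {
    "VLAN700": ipaddress.ip_network("10.70.0.0/24"),
    "VLAN720": ipaddress.ip_network("10.72.0.0/24"),
}
SERVER_SUBNET = SCOPES["VLAN700"]  # assumption: the NPS/DHCP server sits on VLAN 700
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_discover(xid: int, mac: bytes, giaddr: str) -> bytes:
    """Fixed RFC 2131 header of a DHCPDISCOVER (options omitted).

    A relay (ip helper-address on the VLAN SVI) writes its own interface address
    into giaddr before forwarding the client's broadcast to the server as unicast."""
    # op=1 BOOTREQUEST, htype=1 Ethernet, hlen=6, hops=0, xid, secs=0, flags=broadcast
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)
    ciaddr_yiaddr_siaddr = b"\x00" * 12
    chaddr = mac.ljust(16, b"\x00")
    sname_and_file = b"\x00" * (64 + 128)
    return (header + ciaddr_yiaddr_siaddr + ipaddress.IPv4Address(giaddr).packed
            + chaddr + sname_and_file + MAGIC_COOKIE)


def giaddr_of(packet: bytes) -> ipaddress.IPv4Address:
    """giaddr occupies bytes 24..27 of the fixed header."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    return ipaddress.IPv4Address(packet[24:28])


def select_scope(packet: bytes) -> str:
    """Choose the scope whose subnet contains the relay address.

    giaddr 0.0.0.0 means no relay touched the packet, so it arrived on the
    server's own segment and only that subnet's scope is eligible."""
    gi = giaddr_of(packet)
    if int(gi) == 0:
        candidates = [name for name, net in SCOPES.items() if net == SERVER_SUBNET]
    else:
        candidates = [name for name, net in SCOPES.items() if gi in net]
    if not candidates:
        raise LookupError(f"no scope matches relay address {gi}")
    return candidates[0]
```

A DISCOVER relayed from the VLAN 720 SVI (giaddr 10.72.0.1) selects the VLAN720 scope, while one that reaches the server unrelayed (giaddr 0.0.0.0) can only be served from the server's own VLAN 700 subnet, which is the symptom described in the thread if requests from other floors arrive that way.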

Yes you can assign vlan based upon auth, so that users get put in whatever vlan you want that user/machine in.

Are you hard coding your switch ports? Can you post a config of one of your switch ports that is tagged for vlan 720? Why would you tag an access port? Are you using the term tagged to refer to the native vlan of the port?

Have you looked at

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/sw8021x.html


If it is set with vlan assignment, you will need to configure the access port as dynamic. You will also need to configure the VMPS server.

 

You are trying to restrict something based on IP, why can't you restrict based on user?


Sorry for the delay guys, busy day.

Yes you can assign vlan based upon auth, so that users get put in whatever vlan you want that user/machine in.

Are you hard coding your switch ports? Can you post a config of one of your switch ports that is tagged for vlan 720? Why would you tag an access port? Are you using the term tagged to refer to the native vlan of the port?

Have you looked at
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/sw8021x.html

Yes I am hard coding the ports. Here is a port for example (third floor is the same, just 720):

interface GigabitEthernet1/0/14
 description "2F Wired Workstation"
 switchport access vlan 700
 switchport mode access
 switchport voice vlan 217
 authentication host-mode multi-host
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 4800
 dot1x pae authenticator
 dot1x timeout quiet-period 30

I have been on that Cisco support site and it doesn't seem like what I'm trying to do is possible, but I wanted to check with other people who may have experience with dot1x. 

 

If it is set with vlan assignment, you will need to configure the access port as dynamic. You will also need to configure the VMPS server.

 

You are trying to restrict something based on IP, why can't you restrict based on user?

We're using NPS, not VMPS. It's basically Microsoft's version. We are authenticating with RADIUS, not IP, but I want to hand out IPs based on the VLAN their switchport is configured for.


Upon further inspection of BudMan's link to Cisco, I found this snippet. 

 

 

When configured on the switch and the RADIUS server, 802.1x authentication with VLAN assignment has these characteristics:

If no VLAN is supplied by the RADIUS server or if 802.1x authentication is disabled, the port is configured in its access VLAN after successful authentication. Recall that an access VLAN is a VLAN assigned to an access port. All packets sent from or received on this port belong to this VLAN.

This tells me that the ports should be coming up in the correct access VLAN as assigned on the switchport. However, they are not. Ports configured for switchport access vlan 720 are coming up on VLAN 700 after authentication. If I remove authentication they of course come up on the correct VLAN as assigned.

 

The only other configuration oddity I see is in vCenter. The vSwitch servicing the NPS/DHCP server is not a distributed switch and is tagged only for VLAN 700. Does anyone have any vSphere networking experience and can tell me if that would cause the RADIUS packets to come back tagged with the wrong VLAN?


Usually the DHCP server uses the address of the IP helper to determine which subnet to allocate from.

 

So rather than the server itself sitting in all the VLANs, there should be a DHCP relay on the router/L3 device to forward the DHCP request to the DHCP server.

This. We had a similar setup in my previous job and it worked pretty well. Have you ever considered using it, or are you using it now?


What are you doing with the switches in ESXi/vSphere? They can be 0 (untagged), the tag of the vlan you want (1-4094), or 4095, which is trunked.


This. We had a similar setup in my previous job and it worked pretty well. Have you ever considered using it, or are you using it now?

We are already using IP Helper, does that involve more than just IP Helper pointing at the DHCP server? 

 

What are you doing with the switches in ESXi/vSphere? They can be 0 (untagged), the tag of the vlan you want (1-4094), or 4095, which is trunked.

See the attached image. It looks like we're tagging VLAN 700. The port from the switch is trunked with all the necessary VLANs allowed. This is a setup that I have fallen in on, and to me this does seem to indicate that the ESXi host will only communicate VLAN 700 traffic, but I don't have enough experience with vSphere networking to say for sure. Can you tell me if that is indeed the case? I assume making it a distributed switch would fix the issue if it is? The reason it's not a distributed switch already is that when they set this up they didn't have Enterprise Plus and thus didn't have the option. They do want to eventually migrate to a distributed switch, but I will be able to hasten that if I can confirm that this is the problem.

[attached image]


We are already using IP Helper, does that involve more than just IP Helper pointing at the DHCP server?

No, it shouldn't. You configure the DHCP server you want to use in an interface vlan configuration and that should do it. E.g., you want to use ip helper in interface vlan 700.

 

If you are using Nexus the command is a little bit different:

ip dhcp relay address <ip-address of your dhcp server>

Read:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_9_ea1/configuration/guide/scg/swipaddr.html#wp1039779

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swdhcp82.html#wp1266823


No, it shouldn't. You configure the DHCP server you want to use in an interface vlan configuration and that should do it. E.g., you want to use ip helper in interface vlan 700.

Yup, that is exactly what we're doing already.


Yup, that is exactly what we're doing already.

If everything looks fine in your switch, I am kind of sure it is something in the VMware switch/network setup. I would suggest you focus there instead.


Yeah, those 6 machines in the port group would be tagged 700, no matter what you did elsewhere. You could create new port groups, or trunk the vswitch, or just untag with 0.


Yeah, those 6 machines in the port group would be tagged 700, no matter what you did elsewhere. You could create new port groups, or trunk the vswitch, or just untag with 0.

I spoke with VMware Tech Support today and got a little lesson on exactly how the vSwitching works. Those VMs should be on 700 so it is fine that they are tagged that way. Also, I removed authentication from the ports that are configured for other than 700 and they are receiving the correct IP from their respective DHCP pools. It looks like NPS is doing something to cause all DHCP requests to go to 700.

 

In NPS we have a Network and Connection Request Policy for each VLAN. This uses a regular expression to determine if an incoming request meets the criteria. We are going to try removing these individual policies and just having a secure wired policy that covers them all and then hopefully they will tag themselves properly based on the access VLAN assigned as quoted in the bullet above from Cisco. That way seems a lot easier and just as secure without having to debug a 100 character regular expression. I'll let you guys know if it works. Thanks so much for all the help thus far.

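As an added check for the plan in the last post (example code, not from the thread, NPS or Cisco): given the attribute section of a RADIUS Access-Accept, this Python applies the behaviour quoted from the Cisco guide, so the port follows the RADIUS-supplied VLAN only when Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID (RFC 2868 attributes 64, 65 and 81) are all present, and otherwise stays in its configured access VLAN. The sample Access-Accept bytes are constructed, and the VLAN is assumed to be sent as a numeric ID rather than a VLAN name.

```python
# Added example (not from the thread, NPS or Cisco): VLAN a dot1x port lands in,
# derived from the RFC 2868 tunnel attributes in a RADIUS Access-Accept.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type, Length (header included), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_avps(raw: bytes) -> list:
    """Split an attribute section into (type, value) pairs, rejecting bad lengths."""
    avps, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError(f"malformed attribute at offset {i}")
        avps.append((raw[i], raw[i + 2:i + raw[i + 1]]))
        i += raw[i + 1]
    return avps


def strip_tag(value: bytes) -> bytes:
    """Tunnel attributes may carry a leading Tag octet in 0x00-0x1F; drop it."""
    return value[1:] if value and value[0] <= 0x1F else value


def assigned_vlan(accept_attrs: bytes, access_vlan: int) -> int:
    """Per the quoted Cisco behaviour: use the RADIUS VLAN only when the full
    triple is present (assumed numeric ID, not a VLAN name), else the access VLAN."""
    seen = {}
    for attr_type, value in parse_avps(accept_attrs):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            seen[attr_type] = int.from_bytes(strip_tag(value), "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            seen[attr_type] = strip_tag(value).decode("ascii", "replace")
    if (seen.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and seen.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
            and seen.get(TUNNEL_PRIVATE_GROUP_ID, "").isdigit()):
        return int(seen[TUNNEL_PRIVATE_GROUP_ID])
    return access_vlan  # nothing usable from RADIUS: keep the switchport's access VLAN


def accept_with_vlan(vlan: int) -> bytes:
    """Constructed Access-Accept attributes like a per-VLAN NPS policy would return."""
    return (avp(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + avp(TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + avp(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan).encode("ascii")))
```

For a port configured with switchport access vlan 720, an accept with no tunnel attributes leaves it on 720, while an accept carrying VLAN 700 (for instance from a policy that matched the wrong request) moves it to 700; comparing the attributes NPS actually returns against this rule shows which of the two is happening.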
