
How to configure Deny DHCP Role for 802.1x Authentication in Mobility Access Switch
Deny DHCP is an enhancement to the 802.1x authentication profile. It ensures that 802.1x clients obtain the correct IP addresses in the correct VLANs/subnets by denying DHCP requests from the clients until the dot1x authentication is complete. If this feature is enabled, the Mobility Access Switch enforces the denydhcp role on 802.1x clients until the authentication is complete.

In the meantime, if there are any DHCP requests from the client, the Mobility Access Switch drops the requests until the client derives the final role. After the 802.1x authentication is complete, the client derives the final role, which overwrites the denydhcp role. After the final VLAN is assigned, if the final role of the client allows DHCP, the client will get an IP address in the correct subnet.

 

Environment :

 

To ensure that 802.1x clients obtain the correct IP addresses in the correct VLANs/subnets by denying DHCP requests from the clients until the dot1x authentication is complete.

Network Topology : Mobility Access Switch with dot1x client

 

 

Configuring Deny DHCP Role:
 

 

You can configure the denydhcp role in the aaa authentication dot1x profile using the following commands:

(host) (config) #aaa authentication dot1x <profile-name>
(host) (802.1X Authentication Profile "<profile-name>") #deny-dhcp

Sample Configuration
 
(host) (config) #aaa authentication dot1x Profile1
(host) (802.1X Authentication Profile "Profile1") #deny-dhcp
 
Verifying Deny DHCP Configuration:
 
Use the following command to verify whether the denydhcp role is enabled on a dot1x profile:
 
(host) #show aaa authentication dot1x Profile1
802.1X Authentication Profile "Profile1"
-------------------------------------
Parameter Value
--------- -----
...
Deny DHCP Enabled
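
The verification step above can be repeated across many profiles by saving the show output and checking it offline. The script below is an added example, not part of the original article or Aruba's tooling; the profile names other than Profile1, the "Disabled" value, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: saved "show aaa authentication dot1x <profile>" output.
# Only the Profile1 block mirrors the article; the other profile names and the
# "Disabled" value are assumptions made for this example.
SAMPLE = '''\
802.1X Authentication Profile "Profile1"
-------------------------------------
Parameter Value
--------- -----
...
Deny DHCP Enabled
802.1X Authentication Profile "Guest-Wired"
-------------------------------------
Parameter Value
--------- -----
Deny DHCP Disabled
802.1X Authentication Profile "Legacy"
-------------------------------------
Parameter Value
--------- -----
'''

HEADER = re.compile(r'^802\.1X Authentication Profile "(?P<name>[^"]+)"$')
DENY = re.compile(r'^Deny DHCP\s+(?P<state>\S+)$')


def audit_deny_dhcp(text):
    """Map each profile to its Deny DHCP value, or 'missing' if no row is shown."""
    results, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            current = m.group("name")
            results[current] = "missing"  # stays so unless a Deny DHCP row follows
            continue
        m = DENY.match(line)
        if m and current is not None:
            results[current] = m.group("state")
    return results


def noncompliant(text):
    """Profiles not confirmed to have Deny DHCP enabled (disabled or row absent)."""
    return sorted(p for p, s in audit_deny_dhcp(text).items() if s != "Enabled")


if __name__ == "__main__":
    for profile, state in audit_deny_dhcp(SAMPLE).items():
        print(f"{profile}: Deny DHCP {state}")
    print("Needs review:", noncompliant(SAMPLE))
```

A profile reported as "missing" has no Deny DHCP row in its output, which is worth checking against the platform and software version before assuming the protection is in place.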

 

Last update: 11-04-2014 12:56 PM
Comments
charles_h

Has this command been removed from 6.4.4.6?  I am attempting to implement this for a client and do not have this option on their 7210 WLC.
