Interception of clients’ arps – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT,x310-26FP,x310-50FT,x310-50FP) User Manual

Authentication Introduction and Configuration

Software Reference for x310 Series Switches

42.12

AlliedWare Plus

TM

Operating System - Version 5.4.4C

C613-50046-01 REV A

Interception of clients’ ARPs

If the supplicant has been configured with a static IP address, then it is more than likely
that the supplicant’s IP configuration bears no relation to the Web-authentication server
address. A computer’s IP communications will always be preceded by sending out ARP
requests for host addresses in its local subnet, or for its gateway address.

If the IP address and gateway address have been statically configured on the computer,
and the subnet used in this static configuration is different to that on the authenticating
switch, then the ARP requests will receive no reply, and the PC will not begin IP
communication.

To deal with any arbitrary IP configuration on the supplicants, Web-authentication needs a
method for replying to arbitrary ARP requests. This is the ARP interception feature.

ARP interception can operate in three modes.

1.

Intercept – will respond to ARP requests for any IP address that is in the same subnet
as the switch’s own IP address. Will provide its own MAC address in the ARP reply,
irrespective of what IP address (within its own subnet) was being requested.

2.

None – will only respond to ARP requests for its own IP address.

Authenticator

Network

Supplicant

DHCP request is forwarded to

DHCP server on supplicant’s new

VLAN

VLAN236

DHCP Server

After authentication, supplicant’s

port moves to VLAN236

Authenticator

VLAN236

DHCP Server

Network

Supplicant

New lease is for subnet

on VLAN236

IP=10.32.17.89

leasetime=1 day

ARP request. Who has 23.67.0.1?

IP = 23.67.2.9/16

Gateway = 23.67.0.1

The ARP request for 23.67.0.1 will get no reply, as the switch is

configured in a different subnet