dot1x specification EAPOL-Logoff clarification
Alan DeKok
aland at deployingradius.com
Wed Apr 30 14:08:35 CEST 2008
Artur Hecker wrote:
> Yes, as I said, the dependency in that sense might make sense. We did it
> in a student project, and I rather see the problem at the network side:
> the EAP-Server and the DHCP server almost never reside at the same
> machine

Really? They must be running bad software. :)

There's no reason that the EAP server && DHCP server can't be the same
*binary*.

> and typically are in different (logical) subnetworks (VLANs,
> etc.) Imo, no standard protocol exists designed to do such things.

There is interest.

> Obviously, it is possible but a bit cumbersome in practice. One might
> ask oneself if it makes sense.

The answer is: Yes.

> :-) These days, if you do not have access control, people look at you
> like you were an alien. However, everybody agrees that the security
> problems come once you let people in... and NAC is mostly nonsense.

I agree. Hence the need for a real DHCP server that is integrated
with the rest of your access control.

Alan DeKok.