dot1x specification EAPOL-Logoff clarification

Artur Hecker hecker at wave-storm.com
Wed Apr 30 14:21:19 CEST 2008


Hi


On 30 Apr 2008, at 14:08, Alan DeKok wrote:

> Artur Hecker wrote:
>> Yes, as I said, the dependency in that sense might make sense. We did it
>> in a student project, and I rather see the problem at the network side:
>> the EAP-Server and the DHCP server almost never reside at the same
>> machine
>
>  Really?  They must be running bad software. :)
>
>  There's no reason that the EAP server && DHCP server can't be the same
> *binary*.

;-) Yes, right. Freeradius is very cool :-)

But the reason for this is the following. In the current best practice, the EAP-Server must never be reachable by clients, while the DHCP server *must* be reachable from the client by definition. I.e., only access controllers (part of your infrastructure) speak to the EAP-Server, while your clients speak to the DHCP server.

That said, I agree with the underlying strategy. I would have loved to see DHCP integrated with 802.1X from the very beginning. Actually, I would have gone further and rather proposed a virtual and generic signaling protocol for the session opening, where a client can negotiate all kinds of options with the network on all layers at the same time. This can easily be done with TLVs, etc. Then, a provisioning server could not only open the access but also pre-provision the client with IP config, proxies to use, existing printers, available servers (SMTP, shares, etc.) etc. etc. etc., even before it gets IP-layer access. That would have been very nice for enterprise integration. But well.


>> and typically are in different (logical) subnetworks (VLANs,
>> etc.) IMO, no standard protocol exists designed to do such things.
>
>  There is interest.

Of course there is :-) But no protocol.



artur
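A worked illustration of the TLV-based provisioning idea sketched in the message above, added here as an example that is not part of the thread, of FreeRADIUS, or of any standard. It is a hypothetical type-length-value codec for a session-opening provisioning message (IP config, proxy, SMTP server), written with the bounds checks a parser that faces not-yet-authenticated clients needs: every declared length is checked against the bytes actually present, oversized messages are refused, and unknown option types are skipped rather than trusted. All option codes, host names and addresses are constructed for the example.

```python
"""Hypothetical TLV codec for a session-opening provisioning message.

Constructed example: option codes and sample values are invented and do
not correspond to any real protocol.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

# Hypothetical option type codes (constructed for this example).
OPT_IPV4_ADDR = 1
OPT_IPV4_NETMASK = 2
OPT_HTTP_PROXY = 3
OPT_SMTP_SERVER = 4

# 1-byte type, 2-byte big-endian length, followed by `length` value bytes.
HEADER = struct.Struct("!BH")
MAX_MESSAGE_LEN = 4096  # refuse anything larger before parsing it


class TLVError(ValueError):
    """Raised for any malformed or out-of-bounds TLV input."""


def encode(options: List[Tuple[int, bytes]]) -> bytes:
    """Serialise (type, value) pairs; validates ranges before packing."""
    out = bytearray()
    for opt_type, value in options:
        if not 0 <= opt_type <= 0xFF:
            raise TLVError("option type %r out of range" % (opt_type,))
        if len(value) > 0xFFFF:
            raise TLVError("option value too long for 16-bit length")
        out += HEADER.pack(opt_type, len(value))
        out += value
    if len(out) > MAX_MESSAGE_LEN:
        raise TLVError("message exceeds MAX_MESSAGE_LEN")
    return bytes(out)


def decode(buf: bytes) -> List[Tuple[int, bytes]]:
    """Parse a TLV buffer; never reads past the data actually present."""
    if len(buf) > MAX_MESSAGE_LEN:
        raise TLVError("message exceeds MAX_MESSAGE_LEN")
    options = []
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < HEADER.size:
            raise TLVError("truncated header at offset %d" % pos)
        opt_type, length = HEADER.unpack_from(buf, pos)
        pos += HEADER.size
        if length > len(buf) - pos:
            # Declared length runs past the end of the buffer: reject,
            # do not silently truncate.
            raise TLVError("option %d declares %d bytes, only %d remain"
                           % (opt_type, length, len(buf) - pos))
        options.append((opt_type, bytes(buf[pos:pos + length])))
        pos += length
    return options


def build_provisioning_message() -> bytes:
    """Constructed sample message a provisioning server might emit."""
    return encode([
        (OPT_IPV4_ADDR, ipaddress.IPv4Address("192.168.1.10").packed),
        (OPT_IPV4_NETMASK, ipaddress.IPv4Address("255.255.255.0").packed),
        (OPT_HTTP_PROXY, b"proxy.example.internal:3128"),
        (OPT_SMTP_SERVER, b"smtp.example.internal"),
        (200, b"\x01\x02\x03"),  # unknown option: parser must skip it
    ])


def parse_provisioning(buf: bytes) -> Dict[str, object]:
    """Interpret known options; record unknown ones instead of trusting them."""
    result: Dict[str, object] = {"unknown_types": []}
    for opt_type, value in decode(buf):
        if opt_type in (OPT_IPV4_ADDR, OPT_IPV4_NETMASK):
            if len(value) != 4:
                raise TLVError("IPv4 option must be exactly 4 bytes")
            key = "ipv4_addr" if opt_type == OPT_IPV4_ADDR else "netmask"
            result[key] = str(ipaddress.IPv4Address(value))
        elif opt_type in (OPT_HTTP_PROXY, OPT_SMTP_SERVER):
            # Host names are ASCII only; anything else is rejected.
            key = "proxy" if opt_type == OPT_HTTP_PROXY else "smtp"
            result[key] = value.decode("ascii")
        else:
            result["unknown_types"].append(opt_type)
    return result


if __name__ == "__main__":
    msg = build_provisioning_message()
    print(len(msg), "bytes:", parse_provisioning(msg))
```

The two checks that matter for a service reachable by unauthenticated clients are the length-versus-remaining-bytes comparison in `decode` and the fixed-size check on the IPv4 options; both turn a malformed message into a clean `TLVError` instead of an out-of-bounds read or a bogus configuration.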


