dot1x specification EAPOL-Logoff clarification
Artur Hecker
hecker at wave-storm.com
Wed Apr 30 14:07:44 CEST 2008
Hi Alan
On 30 Apr 2008, at 13:50, Alan DeKok wrote:
> Artur Hecker wrote:
>> Imo, there are no dependencies between DHCP and dot1X.
>
> That can be fixed. EAP methods can be leveraged to push keys to the
> client, which can sign the DHCP packet (RFC 3118). This also lets the
> client know it's talking to the correct DHCP server.
Yes, as I said, the dependency in that sense might make sense. We did
it in a student project, and I rather see the problem at the network
side: the EAP-Server and the DHCP server almost never reside on the
same machine and typically are in different (logical) subnetworks
(VLANs, etc.). Imo, no standard protocol exists designed to do such
things.
Obviously, it is possible but a bit cumbersome in practice. One might
ask oneself if it makes sense.
>> My personal perception is completely inverse to yours: I think that
>> 802.1X is more used in wireless (WiFi) than in wired LANs. But
>> maybe you
>> have some statistics on that? That would be interesting to know :-)
>
> A lot of people are starting to look into 802.1X for wired LANs. It
> can help satisfy regulatory issues in some countries...
:-) These days, if you do not have access control, people look at you
like you were an alien. However, everybody agrees that the security
problems come once you let people in... and NAC is mostly nonsense.
artur
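
Added example, not part of the original message or of FreeRADIUS: a sketch of the RFC 3118 delayed-authentication check discussed above, where the DHCP message is authenticated with HMAC-MD5 in option 90 and the relay-mutable `hops` and `giaddr` fields are zeroed before hashing. The key value, the sample DHCPACK and all function names are constructed for illustration; how the key reaches the client via EAP is assumed, and replay-counter tracking and relay option 82 handling are left out.

```python
import hashlib
import hmac
import struct

OPT_AUTH, MAC_LEN = 90, 16          # option code; HMAC-MD5 output size
AUTH_FIXED = 1 + 1 + 1 + 8 + 4      # protocol, algorithm, RDM, replay counter, secret ID
KEY = b"constructed-demo-key"       # assumption: stands in for the EAP-delivered key

def mac_offset(msg: bytes) -> int:
    """Offset of the 16-byte MAC inside option 90, or -1 if absent or malformed."""
    i = 240                         # 236-byte BOOTP header + 4-byte magic cookie
    while i + 1 < len(msg) and msg[i] != 255:
        if msg[i] == 0:             # pad option has no length byte
            i += 1
            continue
        length = msg[i + 1]
        if msg[i] == OPT_AUTH:
            ok = length == AUTH_FIXED + MAC_LEN and i + 2 + length <= len(msg)
            return i + 2 + AUTH_FIXED if ok else -1
        i += 2 + length
    return -1

def compute_mac(msg: bytes, key: bytes) -> bytes:
    off = mac_offset(msg)
    if off < 0:
        raise ValueError("no usable authentication option")
    buf = bytearray(msg)
    buf[3] = 0                      # hops: relay agents may change it
    buf[24:28] = bytes(4)           # giaddr: relay agents may change it
    buf[off:off + MAC_LEN] = bytes(MAC_LEN)   # MAC field is zero while hashing
    return hmac.new(key, bytes(buf), hashlib.md5).digest()

def sign(msg: bytes, key: bytes) -> bytes:
    off = mac_offset(msg)
    return msg[:off] + compute_mac(msg, key) + msg[off + MAC_LEN:]

def verify(msg: bytes, key: bytes) -> bool:
    off = mac_offset(msg)
    return off >= 0 and hmac.compare_digest(msg[off:off + MAC_LEN], compute_mac(msg, key))

def build_sample_ack(counter: int, secret_id: int = 1) -> bytes:
    """Constructed DHCPACK with a zeroed option 90 (delayed auth, HMAC-MD5, counter RDM)."""
    hdr = bytearray(236)
    hdr[0:3] = bytes([2, 1, 6])     # BOOTREPLY, Ethernet, 6-byte hardware address
    hdr[16:20] = bytes([192, 0, 2, 10])       # yiaddr (documentation range)
    auth = struct.pack("!BBBBBQI", OPT_AUTH, AUTH_FIXED + MAC_LEN, 1, 1, 0, counter, secret_id)
    return bytes(hdr) + b"\x63\x82\x53\x63" + b"\x35\x01\x05" + auth + bytes(MAC_LEN) + b"\xff"
```

A message that crossed a relay (changed `hops` and `giaddr`) still verifies, while a change to any other field such as `yiaddr`, or a different key, makes `verify` return False.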