dot1x specification EAPOL-Logoff clarification
Artur Hecker
hecker at wave-storm.com
Wed Apr 30 14:21:19 CEST 2008
Hi
On 30 Apr 2008, at 14:08, Alan DeKok wrote:
> Artur Hecker wrote:
>> Yes, as I said, the dependency in that sense might make sense. We
>> did it in a student project, and I rather see the problem at the
>> network side: the EAP server and the DHCP server almost never reside
>> at the same machine
>
> Really? They must be running bad software. :)
>
> There's no reason that the EAP server && DHCP server can't be the
> same *binary*.
;-) Yes, right. Freeradius is very cool :-)
But the reason for this is the following. In current best practice,
the EAP server must never be reachable by clients, while the DHCP
server *must* be reachable by clients by definition. I.e., only access
controllers (part of your infrastructure) speak to the EAP server,
while your clients speak to the DHCP server.
That said, I agree with the underlying strategy. I would have loved to
see DHCP integrated with 802.1X from the very beginning. Actually, I
would have gone farther and proposed a virtual and generic signaling
protocol for session opening, where a client can negotiate all kinds of
options with the network on all layers at the same time. This can
easily be done with TLVs, etc. Then a provisioning server could not
only open access but also pre-provision the client with IP config,
proxies to use, existing printers, available servers (SMTP, shares,
etc.), and so on, even before it gets IP-layer access. That would have
been very nice for enterprise integration. But well.
>> and typically are in different (logical) subnetworks (VLANs, etc.)
>> IMO, no standard protocol exists designed to do such things.
>
> There is interest.
Of course there is :-) But no protocol.
artur
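As an added illustration of the TLV-based "session-opening" exchange Artur sketches above, here is a small codec for such a provisioning message. This is example code written for this page; it is not from the thread, from FreeRADIUS, or from any real protocol. The type codes, field layouts, 1-byte-type/2-byte-length header, the hostnames and addresses in the sample message are all assumptions made up for the example. The point it adds beyond the prose is the receiver side: a TLV parser has to check every length field against the remaining buffer and every fixed-size value against its expected size, otherwise a malformed message from the network side becomes an out-of-bounds read.

```python
"""Hypothetical TLV provisioning message (example only, not a real protocol)."""
import ipaddress
import struct

# Assumed type codes for this illustrative protocol.
T_IPV4_ADDR = 0x01   # value: 4-byte address + 1-byte prefix length
T_IPV4_GW = 0x02     # value: 4-byte address
T_DNS_SERVER = 0x03  # value: 4-byte address, may repeat
T_HTTP_PROXY = 0x04  # value: UTF-8 "host:port"
T_SERVICE = 0x05     # value: nested TLVs T_SVC_NAME + T_SVC_HOST
T_SVC_NAME = 0x10
T_SVC_HOST = 0x11

HDR = struct.Struct("!BH")  # assumed header: 1-byte type, 2-byte big-endian length


def encode_tlv(tlv_type, value):
    """Serialise one TLV; refuse values the 16-bit length field cannot describe."""
    if len(value) > 0xFFFF:
        raise ValueError("TLV value too long")
    return HDR.pack(tlv_type, len(value)) + value


def decode_tlvs(buf):
    """Split buf into (type, value) pairs, rejecting truncated headers or values."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < HDR.size:
            raise ValueError("truncated TLV header at offset %d" % off)
        tlv_type, length = HDR.unpack_from(buf, off)
        off += HDR.size
        if length > len(buf) - off:  # length field claims more than we have
            raise ValueError("TLV 0x%02x length %d exceeds buffer" % (tlv_type, length))
        out.append((tlv_type, buf[off:off + length]))
        off += length
    return out


def build_provisioning(ip, prefix, gw, dns, proxy, services):
    """Server side: pack IP config, proxy and service list into one TLV message."""
    body = encode_tlv(T_IPV4_ADDR, ipaddress.IPv4Address(ip).packed + bytes([prefix]))
    body += encode_tlv(T_IPV4_GW, ipaddress.IPv4Address(gw).packed)
    for d in dns:
        body += encode_tlv(T_DNS_SERVER, ipaddress.IPv4Address(d).packed)
    if proxy:
        body += encode_tlv(T_HTTP_PROXY, proxy.encode())
    for name, host in services:
        nested = encode_tlv(T_SVC_NAME, name.encode()) + encode_tlv(T_SVC_HOST, host.encode())
        body += encode_tlv(T_SERVICE, nested)
    return body


def parse_provisioning(buf):
    """Client side: validate and decode the message into a config dict."""
    cfg = {"dns": [], "services": []}
    for tlv_type, v in decode_tlvs(buf):
        if tlv_type == T_IPV4_ADDR:
            if len(v) != 5:
                raise ValueError("bad IPv4 address TLV size")
            cfg["address"] = "%s/%d" % (ipaddress.IPv4Address(v[:4]), v[4])
        elif tlv_type == T_IPV4_GW:
            if len(v) != 4:
                raise ValueError("bad gateway TLV size")
            cfg["gateway"] = str(ipaddress.IPv4Address(v))
        elif tlv_type == T_DNS_SERVER:
            if len(v) != 4:
                raise ValueError("bad DNS TLV size")
            cfg["dns"].append(str(ipaddress.IPv4Address(v)))
        elif tlv_type == T_HTTP_PROXY:
            cfg["proxy"] = v.decode()
        elif tlv_type == T_SERVICE:
            inner = dict(decode_tlvs(v))
            if T_SVC_NAME not in inner or T_SVC_HOST not in inner:
                raise ValueError("service TLV missing name or host")
            cfg["services"].append((inner[T_SVC_NAME].decode(), inner[T_SVC_HOST].decode()))
        # Unknown types are skipped so newer servers can add options.
    return cfg


def rejects(buf):
    """True if the parser refuses buf (used to exercise malformed input)."""
    try:
        parse_provisioning(buf)
    except ValueError:
        return True
    return False


# Constructed sample message with made-up addresses and hostnames.
SAMPLE = build_provisioning(
    "10.20.30.40", 24, "10.20.30.1", ["10.20.0.53", "10.20.0.54"],
    "proxy.corp.example:3128",
    [("smtp", "mail.corp.example"), ("smb", "files.corp.example")])

if __name__ == "__main__":
    print(parse_provisioning(SAMPLE))
    print("truncated rejected:", rejects(SAMPLE[:-3]))
    print("lying length rejected:", rejects(HDR.pack(T_HTTP_PROXY, 100) + b"x"))
```

The two malformed inputs at the bottom are the cases worth checking on any TLV receiver: a message cut short in transit, and a length field that claims more bytes than follow it. Both are rejected before any value is interpreted.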
More information about the Freeradius-Users mailing list