dot1x specification EAPOL-Logoff clarification
Alan DeKok
aland at deployingradius.com
Wed Apr 30 15:21:04 CEST 2008
Artur Hecker wrote:
> But the reason for this is the following. In the current best practice,
> the EAP-Server must never be reachable by clients, while the DHCP
> server *must* be reachable by clients by definition. I.e. only access
> controllers (part of your infrastructure) speak to the EAP-Server, while
> your clients speak to the DHCP server.
Yes. That simplifies security a little.
> That said, I agree with the underlying strategy. I would have loved to
> see DHCP integrated with 802.1X from the very beginning. Actually, I
> would have gone farther and rather proposed a virtual and generic
> signaling protocol for the session opening, where a client can negotiate
> all kinds of options with the network on all layers at the same time.
> This can be easily done with TLV, etc. Then, a provisioning server could
> not only open the access but also preprovision the client with IP
> config, proxies to use, existing printers, available servers (SMTP,
> shares, etc.) etc etc etc, even before it gets IP layer access. That
> would have been very nice for an enterprise integration. But well.
That's called EAP-TTLS, with extra stuff inside of the tunnel. :)
Alan DeKok.
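Alan's reply above rests on the fact that EAP-TTLS already carries arbitrary attribute-value pairs inside the TLS tunnel, so provisioning data can ride along before the port is authorized. The block below is an added example written for this page, not code from FreeRADIUS or from either poster: a minimal Python encoder and parser for the RFC 5281 AVP wire format (AVP Code, Flags, 24-bit Length, optional Vendor-ID, data, 4-byte padding) with the two checks a receiver needs, validating each Length field against the buffer and honoring the M (mandatory) bit by rejecting an AVP it does not implement. Framed-IP-Address (8) and Framed-IP-Netmask (9) are real RADIUS attribute numbers, which RFC 5281 reuses as AVP codes below 256; the Vendor-ID, the vendor AVP codes and the hostnames are placeholders constructed for the example.

```python
"""Encoder/decoder for EAP-TTLS AVPs (RFC 5281 section 10). Added example, not FreeRADIUS code."""
import struct
import ipaddress

AVP_FLAG_VENDOR = 0x80     # V bit: a 4-byte Vendor-ID follows the Length field
AVP_FLAG_MANDATORY = 0x40  # M bit: a receiver that does not implement the AVP must reject it

# Real RADIUS attribute numbers; RFC 5281 uses them unchanged as AVP codes (no Vendor-ID)
FRAMED_IP_ADDRESS = 8
FRAMED_IP_NETMASK = 9

# Placeholders constructed for this example; not assigned identifiers
EXAMPLE_VENDOR_ID = 65535
VENDOR_PROXY_URL = 1
VENDOR_PRINTER = 2


def encode_avp(code, data, mandatory=False, vendor_id=None):
    """Encode one AVP: Code(4) Flags(1) Length(3) [Vendor-ID(4)] Data, padded to a 4-byte
    boundary. Length covers header plus data but not the padding, as RFC 5281 specifies."""
    flags = AVP_FLAG_MANDATORY if mandatory else 0
    header_len = 8
    if vendor_id is not None:
        flags |= AVP_FLAG_VENDOR
        header_len = 12
    length = header_len + len(data)
    if length >= 1 << 24:
        raise ValueError("AVP data too long for the 24-bit Length field")
    out = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor_id is not None:
        out += struct.pack("!I", vendor_id)
    return out + data + b"\x00" * (-len(data) % 4)


def decode_avps(buf, understood):
    """Parse a sequence of AVPs into (vendor_id, code, data) tuples. `understood` is the set
    of (vendor_id, code) pairs this receiver implements; a mandatory AVP outside that set,
    or any Length that does not fit the buffer, aborts parsing with ValueError."""
    avps = []
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        header_len = 8
        vendor_id = None
        if flags & AVP_FLAG_VENDOR:
            if len(buf) - off < 12:
                raise ValueError("truncated vendor AVP header")
            vendor_id = struct.unpack_from("!I", buf, off + 8)[0]
            header_len = 12
        if length < header_len or off + length > len(buf):
            raise ValueError("AVP Length field out of range")
        if flags & AVP_FLAG_MANDATORY and (vendor_id, code) not in understood:
            raise ValueError(f"unsupported mandatory AVP vendor={vendor_id} code={code}")
        avps.append((vendor_id, code, buf[off + header_len:off + length]))
        off += length + (-length % 4)  # skip the padding the Length field does not count
    return avps


def build_provisioning_payload():
    """Constructed sample of what a server could push to the client inside the tunnel."""
    return b"".join([
        encode_avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.0.5.17").packed),
        encode_avp(FRAMED_IP_NETMASK, ipaddress.IPv4Address("255.255.255.0").packed),
        encode_avp(VENDOR_PROXY_URL, b"http://proxy.example.internal:3128",
                   mandatory=True, vendor_id=EXAMPLE_VENDOR_ID),
        encode_avp(VENDOR_PRINTER, b"printer-3f.example.internal",
                   vendor_id=EXAMPLE_VENDOR_ID),
    ])


def provision_client(payload, understood):
    """Turn a decoded payload into a config dict; None means 'do not apply' (malformed
    payload, or a mandatory AVP this client does not implement)."""
    try:
        avps = decode_avps(payload, understood)
    except ValueError:
        return None
    cfg = {}
    for vendor_id, code, data in avps:
        if (vendor_id, code) == (None, FRAMED_IP_ADDRESS):
            cfg["ip"] = str(ipaddress.IPv4Address(data))
        elif (vendor_id, code) == (None, FRAMED_IP_NETMASK):
            cfg["netmask"] = str(ipaddress.IPv4Address(data))
        elif (vendor_id, code) == (EXAMPLE_VENDOR_ID, VENDOR_PROXY_URL):
            cfg["proxy"] = data.decode()
        elif (vendor_id, code) == (EXAMPLE_VENDOR_ID, VENDOR_PRINTER):
            cfg["printer"] = data.decode()
    return cfg


# A client implementing every AVP above, and one that only knows the RADIUS-derived pair
FULL_CLIENT = {(None, FRAMED_IP_ADDRESS), (None, FRAMED_IP_NETMASK),
               (EXAMPLE_VENDOR_ID, VENDOR_PROXY_URL), (EXAMPLE_VENDOR_ID, VENDOR_PRINTER)}
BASIC_CLIENT = {(None, FRAMED_IP_ADDRESS), (None, FRAMED_IP_NETMASK)}

if __name__ == "__main__":
    payload = build_provisioning_payload()
    print(provision_client(payload, FULL_CLIENT))   # full config dict
    print(provision_client(payload, BASIC_CLIENT))  # None: mandatory proxy AVP not implemented
```

The M bit is what makes the "negotiate options on all layers" idea safe in practice: a client that silently ignores a mandatory AVP (a required proxy, for instance) would come up with a different policy than the server believes it imposed, so the parser refuses the whole payload rather than applying the part it understood.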
More information about the Freeradius-Users mailing list