dot1x specification EAPOL-Logoff clarification

Alan DeKok aland at deployingradius.com
Wed Apr 30 15:21:04 CEST 2008


Artur Hecker wrote:
> But the reason for this is the following. In the current best practice,
> the EAP-Server must never be reachable for clients, while the DHCP
> server *must* be reachable from client by definition. I.e. only access
> controllers (part of your infrastructure) speak to the EAP-Server, while
> your clients speak to the DHCP server.

  Yes.  That simplifies security a little.

> That said, I agree with the underlying strategy. I would have loved to
> see DHCP integrated with 802.1X from the very beginning. Actually, I
> would have gone farther and rather proposed a virtual and generic
> signaling protocol for the session opening, where a client can negotiate
> all kinds of options with the network on all layers at the same time.
> This can be easily done with TLV, etc. Then, a provisioning server could
> not only open the access but also preprovision the client with IP
> config, proxies to use, existing printers, available servers (SMTP,
> shares, etc.) etc etc etc, even before it gets IP layer access. That
> would have been very nice for an enterprise integration. But well.

  That's called EAP-TTLS, with extra stuff inside of the tunnel. :)

  Alan DeKok.
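The "TLV inside the tunnel" idea that Alan maps onto EAP-TTLS has a concrete wire format: EAP-TTLS carries Diameter-style AVPs (4-byte Code, 1-byte Flags with V and M bits, 3-byte Length, optional 4-byte Vendor-ID, data, padding to a 4-octet boundary) inside the TLS tunnel, per RFC 5281 section 10.1. The following encoder/decoder is an added example written for this page, not code from FreeRADIUS or from either poster. The User-Name code (1) is the standard Diameter code; the vendor ID and the provisioning AVP codes for "proxy" and "SMTP server" are constructed placeholders for illustration. The decoder is written the way a server-side AVP parser should be: it validates every length against the buffer before slicing, and it refuses a message carrying an unrecognised AVP with the M (mandatory) bit set, which is the behaviour RFC 5281 requires.

```python
import struct

# Flag bits in the 1-octet Flags field (RFC 5281 section 10.1).
FLAG_VENDOR = 0x80     # V: a 4-octet Vendor-ID follows the length
FLAG_MANDATORY = 0x40  # M: receiver MUST understand this AVP or fail

AVP_USER_NAME = 1      # standard Diameter AVP code

# Constructed placeholders for the "preprovisioning" AVPs discussed above.
# They are vendor-specific so they cannot collide with IANA-assigned codes.
EXAMPLE_VENDOR_ID = 99999
PROV_PROXY = 1         # hypothetical: HTTP proxy the client should use
PROV_SMTP = 2          # hypothetical: outbound mail server

def encode_avp(code, data, vendor_id=None, mandatory=False):
    """Serialise one AVP, including 4-octet padding after the data."""
    flags = 0
    header_len = 8
    if vendor_id is not None:
        flags |= FLAG_VENDOR
        header_len = 12
    if mandatory:
        flags |= FLAG_MANDATORY
    # AVP Length covers header + data but NOT the padding.
    length = header_len + len(data)
    out = struct.pack(">IB", code, flags) + length.to_bytes(3, "big")
    if vendor_id is not None:
        out += struct.pack(">I", vendor_id)
    out += data
    out += b"\x00" * ((4 - len(data) % 4) % 4)
    return out

def decode_avps(buf):
    """Parse a sequence of AVPs. Returns [(code, vendor_id, mandatory, data)].

    Every offset is checked against len(buf) before it is used, so a
    truncated or length-forged AVP raises ValueError instead of mis-slicing.
    """
    avps = []
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header at offset %d" % off)
        code, flags = struct.unpack_from(">IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        header_len = 8
        vendor_id = None
        if flags & FLAG_VENDOR:
            header_len = 12
            if len(buf) - off < 12:
                raise ValueError("truncated Vendor-ID at offset %d" % off)
            vendor_id = struct.unpack_from(">I", buf, off + 8)[0]
        if length < header_len or off + length > len(buf):
            raise ValueError("bad AVP length %d at offset %d" % (length, off))
        data = buf[off + header_len:off + length]
        avps.append((code, vendor_id, bool(flags & FLAG_MANDATORY), data))
        padded = (length + 3) & ~3          # advance past padding
        if off + padded > len(buf):
            raise ValueError("missing padding at offset %d" % off)
        off += padded
    return avps

def build_provisioning_payload(username, proxy, smtp):
    """Inner-tunnel payload: identity plus constructed provisioning AVPs."""
    return (encode_avp(AVP_USER_NAME, username.encode(), mandatory=True)
            + encode_avp(PROV_PROXY, proxy.encode(), EXAMPLE_VENDOR_ID)
            + encode_avp(PROV_SMTP, smtp.encode(), EXAMPLE_VENDOR_ID))

def parse_provisioning_payload(buf):
    """Decode a payload into a dict, rejecting unknown mandatory AVPs."""
    known = {(AVP_USER_NAME, None): "username",
             (PROV_PROXY, EXAMPLE_VENDOR_ID): "proxy",
             (PROV_SMTP, EXAMPLE_VENDOR_ID): "smtp"}
    result = {}
    for code, vendor_id, mandatory, data in decode_avps(buf):
        name = known.get((code, vendor_id))
        if name is None:
            if mandatory:
                # RFC 5281: an unrecognised AVP with M set must fail the
                # negotiation; silently ignoring it is the unsafe choice.
                raise ValueError("unknown mandatory AVP %d/%s" % (code, vendor_id))
            continue                          # optional and unknown: skip
        result[name] = data.decode()
    return result

if __name__ == "__main__":
    blob = build_provisioning_payload("alice", "proxy.corp.example:3128", "smtp.corp.example")
    print(parse_provisioning_payload(blob))
```

The decoder deliberately refuses to "round up" a short buffer: the length field is attacker-influenced data arriving through the tunnel, and every historical AVP/TLV parser bug of this kind came from trusting it before checking it against the actual buffer size.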



More information about the Freeradius-Users mailing list