dot1x specification EAPOL-Logoff clarification

Alan DeKok aland at deployingradius.com
Wed Apr 30 17:02:24 CEST 2008


Artur Hecker wrote:
> That's what I meant. You could actually map this to a virtual interface
> (a signaling channel) and put the whole mobility thing, network and
> service discovery, etc. on it: handoffs, mDNS, UPnP, whatever, to
> discover where you are and what it is. All that signed / encrypted with
> the authentication keys, previously established.

  Yes.  There are limitations, of course, but it should pretty much work...

> 1. The IETF's EAP-WG does not want it. EAP is authentication, not a
> generic transport.

  Yes, but... if it works, people will use it.  I'm also the co-chair of
the EAP Method Update (EMU) WG, though I can't (of course) use that
position for nefarious gains...

> 2. Even if it is ok for an Enterprise network, it is not ok for the
> Internet, which IETF is responsible for. It means indeed a different
> access model. The local provider becomes a bit too mighty in this
> configuration, so it cannot become a generic standard. This has been
> recently discussed at HOKEY, I believe.

  The NEA WG is chartered *specifically* for the enterprise.
Realistically, the difference between the Internet and the corporate net
is disappearing.

  Alan DeKok.
