Hi Alan

On 30 Apr 2008, at 13:50, Alan DeKok wrote:

> Artur Hecker wrote:
>> Imo, there are no dependencies between DHCP and dot1X.
>
> That can be fixed.  EAP methods can be leveraged to push keys to the
> client, which can sign the DHCP packet (RFC 3118).  This also lets the
> client know it's talking to the correct DHCP server.

Yes, as I said, the dependency in that sense might make sense. We did it in a student project, and I see the problem rather on the network side: the EAP server and the DHCP server almost never reside on the same machine and are typically in different (logical) subnetworks (VLANs, etc.). IMO, no standard protocol exists that is designed to do such things.

Obviously, it is possible but a bit cumbersome in practice. One might ask oneself if it makes sense.


>> My personal perception is completely inverse to yours: I think that
>> 802.1X is more used in wireless (WiFi) than in wired LANs. But maybe you
>> have some statistics on that? That would be interesting to know :-)
>
> A lot of people are starting to look into 802.1X for wired LANs.  It
> can help satisfy regulatory issues in some countries...

:-) These days, if you do not have access control, people look at you like you were an alien. However, everybody agrees that the security problems come once you let people in... and NAC is mostly nonsense.


artur
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
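
The RFC 3118 signing mentioned in the thread, as an added example that is not part of the original messages: a Python sketch of the delayed-authentication option (code 90, HMAC-MD5) computed and checked over a minimal DHCP message. The function names are hypothetical, the key is whatever the caller supplies (standing in for one delivered through an EAP method), and the secret-ID-to-key lookup is left out.

```python
import hashlib, hmac, struct

OPT_AUTH, PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER, MAC_LEN = 90, 1, 1, 0, 16

def build_message(xid, chaddr, options, hops=0, giaddr=bytes(4)):
    """Minimal DHCP message: 236-byte BOOTP header, magic cookie, options, end."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, hops, xid, 0, 0,
                      bytes(4), bytes(4), bytes(4), giaddr, chaddr, b"", b"")
    return hdr + b"\x63\x82\x53\x63" + options + b"\xff"

def auth_option(secret_id, counter, mac=bytes(MAC_LEN)):
    """Option 90: protocol, algorithm, RDM, 64-bit counter, secret ID, MAC."""
    body = struct.pack("!BBBQI", PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER,
                       counter, secret_id) + mac
    return bytes([OPT_AUTH, len(body)]) + body

def find_auth(msg):
    """Return the offset of the option 90 body, or None if absent or malformed."""
    i = 240
    while i < len(msg) and msg[i] != 255:
        if msg[i] == 0:                      # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(msg) or i + 2 + msg[i + 1] > len(msg):
            return None                      # truncated option
        if msg[i] == OPT_AUTH:
            return i + 2 if msg[i + 1] == 15 + MAC_LEN else None
        i += 2 + msg[i + 1]
    return None

def compute_mac(key, msg, off):
    """HMAC-MD5 over the whole message with hops, giaddr and the MAC zeroed."""
    m = bytearray(msg)
    m[3], m[24:28] = 0, bytes(4)             # hops, giaddr: relays rewrite these
    m[off + 15:off + 15 + MAC_LEN] = bytes(MAC_LEN)
    return hmac.new(key, bytes(m), hashlib.md5).digest()

def sign(key, msg):
    off = find_auth(msg)
    if off is None:
        raise ValueError("message carries no well-formed option 90")
    return msg[:off + 15] + compute_mac(key, msg, off) + msg[off + 15 + MAC_LEN:]

def verify(key, msg, last_counter):
    off = find_auth(msg)
    if off is None or msg[off:off + 3] != bytes([PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER]):
        return False
    if struct.unpack_from("!Q", msg, off + 3)[0] <= last_counter:
        return False                         # replayed or stale counter
    return hmac.compare_digest(msg[off + 15:off + 31], compute_mac(key, msg, off))
```

Because hops and giaddr are zeroed before hashing, a message that crossed a relay agent still verifies, while a change to any other field or a reused counter does not.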
