One point you might have missed is that 802.1x occurs at layer 2 (in Ethernet frames with a distinct Ethertype), hence does not rely on IP or IP addresses. So the "normal" way of using 802.1x is not to accept anything other than 802.1x frames until the user is authenticated, and thus DHCP addresses are only handed out once this is done.
In a perfect world where everybody uses 802.1x and has proper credentials, this would be enough.
In the real world where you need to accommodate non-802.1x users, you need to be able to hand out DHCP addresses before 802.1x succeeds (or if 802.1x fails within a reasonable amount of time) so that the user can get access to a captive portal to get information/subscribe/login/whatever (using e.g. NoCatAuth).
Now, integrating DHCP with another auth system shouldn't be too difficult with a little bit of code...
Jacques.
At 05:53 17/12/2002, Jon Baer wrote:
> > As most authentication is actually software based, password is
> > obviously still the easiest method, followed by x.509 certificates
> > (some of these can incur a cost, unless you use a free certificate
> > provider such as CACert.org)
>
> Nice plug ;-)
>
> While trying to figure out the 802.1x scheme I still have yet to discover something in regards to public wireless service ... first and foremost is the actual scope of a WAP owner; I have seen that they are primarily based on the amount of clients they must attend to. For example, a single NYCWireless node owner with say 10 max clients per day (you can never guess this number since it will probably climb every day as more WiFi cards are sold) ... but in basic small authentication models, which are not complex, it seems there are few inexpensive solutions for AAA.
>
> For example, I'd still like to find out where I could do simple authentication with say very timely DHCP leases. I asked the question a long time ago on what TMobile was configured with and I was told NoCat, but I'm not sure. But is there a way to dynamically change DHCP leases *with* an authentication like 802.1x? Or am I missing something?
>
> For example, say my cousin's laptop would like to connect, yet I allocate the time to 30 minutes, but it can be used incrementally till it times out based on a given ID:
>
> ID/user: 1234567890
> Pass: MD5
> Timetable: 12 minutes remaining for this ID
>
> Is there a simple solution for this? (With or without involving Radius or another AS)
>
> - Jon
--
Jacques Caron, IP Sector Technologies
Join the discussion on public WLAN open global roaming: http://lists.ipsector.com/listinfo/openroaming

--
NYCwireless - http://www.nycwireless.net/
Un/Subscribe: http://lists.nycwireless.net/mailman/listinfo/nycwireless/
Archives: http://lists.nycwireless.net/pipermail/nycwireless/
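The two mechanisms discussed in this exchange, an 802.1x-controlled port that passes nothing but EAPOL frames until authentication succeeds (falling back to a captive-portal path when it does not), and a per-ID time budget that caps each DHCP lease at the time the ID has left, can be modelled in a few dozen lines. The following Python is an added example written for this archive page; it is not code from the thread, from NoCat, or from any product. The EAPOL Ethertype 0x888E is the standard 802.1X value; the fallback timeout, lease cap, state names, and the ID/budget values are constructed for illustration.

```python
"""Model of an 802.1X-gated port plus time-budgeted DHCP leases (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional

ETHERTYPE_EAPOL = 0x888E   # standard 802.1X / EAPOL Ethertype
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800

FALLBACK_SECONDS = 60      # constructed: wait this long for 802.1X before opening guest access
MAX_LEASE_SECONDS = 300    # constructed: cap on a "very timely" DHCP lease


@dataclass
class Port:
    """One switch port or wireless association under 802.1X control."""
    link_up_at: float
    state: str = "unauthorized"      # unauthorized -> authorized | guest
    user_id: Optional[str] = None

    def on_eap_success(self, user_id: str) -> None:
        self.state = "authorized"
        self.user_id = user_id

    def on_eap_failure(self) -> None:
        # A definitive failure need not wait for the timer: go straight to the portal path.
        self.state = "guest"

    def admit(self, ethertype: int, now: float) -> bool:
        """Decide whether a frame of this Ethertype may cross the port at time `now`."""
        if self.state == "unauthorized" and now - self.link_up_at >= FALLBACK_SECONDS:
            self.state = "guest"             # 802.1X did not finish in time: allow DHCP for the portal
        if ethertype == ETHERTYPE_EAPOL:
            return True                      # 802.1X frames always pass; they need no IP address
        if self.state == "unauthorized":
            return False                     # layer 2 closed: no ARP, no IP, hence no DHCP
        return ethertype in (ETHERTYPE_ARP, ETHERTYPE_IPV4)

    def vlan(self) -> Optional[str]:
        """Where the client lands once IP is allowed (constructed VLAN names)."""
        return {"authorized": "users", "guest": "portal"}.get(self.state)


class LeaseBudget:
    """Hands out DHCP leases no longer than the seconds remaining on an ID's budget."""

    def __init__(self, budgets: Dict[str, int]):
        self.remaining = dict(budgets)       # seconds left per ID

    def grant(self, user_id: str, max_lease: int = MAX_LEASE_SECONDS) -> Optional[int]:
        """Return the lease length to offer, or None (DHCPNAK) when the ID has no time left."""
        left = self.remaining.get(user_id, 0)
        if left <= 0:
            return None
        lease = min(max_lease, left)
        self.remaining[user_id] = left - lease   # charge the lease up front; renewals charge again
        return lease

    def refund(self, user_id: str, unused: int) -> None:
        """Client released its lease early: give back the unused seconds."""
        self.remaining[user_id] = self.remaining.get(user_id, 0) + unused


if __name__ == "__main__":
    # Constructed walk-through: a port that never authenticates, then the 12-minute ID from the thread.
    port = Port(link_up_at=0.0)
    print("IPv4 at t=10s:", port.admit(ETHERTYPE_IPV4, 10.0))     # False: only EAPOL before auth
    print("IPv4 at t=61s:", port.admit(ETHERTYPE_IPV4, 61.0), port.vlan())  # True, portal
    budget = LeaseBudget({"1234567890": 12 * 60})
    while (lease := budget.grant("1234567890")) is not None:
        print("lease granted:", lease, "s; remaining:", budget.remaining["1234567890"])
```

The port model is the point Jacques makes: until authentication succeeds, the only thing the port forwards is 802.1x itself, so the DHCP question simply does not arise. The budget class is one answer to Jon's "used incrementally till it times out" ask: every lease (and every renewal) is clipped to the ID's remaining time, so a client whose budget runs out gets a DHCPNAK at the next renewal rather than an open-ended address. In a real deployment the budget would live in the RADIUS server's accounting data rather than in process memory.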
