Adding 802.1x features to a switch driver

[Jouni Malinen]

On Tue, Aug 15, 2006 at 09:49:03PM +0200, Stefan Rompf wrote:

> I've been possibly wrong. I thought EAPOL frames could only be sent to the 
> assigned group address (making the reauthentication request visible for all 
> stations on the VLAN), but it seems it can also be unicasted.

IEEE Std 802.1X-2004 has two options for EAPOL frame destination address
based on whether the Authenticator knows the individual MAC address of
the Supplicant. In IEEE 802.11, this address is indeed known (from
association), so unicast addressing is used. In IEEE 802.3, the
Authenticator does not normally know the address of the Supplicant and
the PAE group address is used. However, this group address is from a
group that is not forwarded by MAC bridges, so it is expected to only be
visible in one port. That's why the switch driver would need to provide
support for directing frames to individual ports for this to work..

Using unicast frames in wired IEEE 802.3 network may be against the
standard, so there is no guarantee that all Supplicant implementations
would accept frames sent to that address. In addition, the Authenticator
would not be able to send out unicast EAP-Request/Identity before
receiving something from the Supplicant (e.g., EAPOL-Start) since the
individual address of the Supplicant is not known.

-- 
Jouni Malinen                                            PGP id EFC895FA