IP assignment and authenticated port

[Sarah Thomas]

Hi ,

  Final understanding - DHCP broadcast messages are not accepted by the
switch till the port is authenticated. Only after the port is
authenticated, broadcast message will be accepted , for which DHCP reply
message holding the IP address for the client will come.  Please correct
the understanding if its wrong.

Thanks everyone for the clarification.


Thanks,
Sarah.

On Tue, Feb 3, 2015 at 6:02 PM, Jouni Malinen <j at w1.fi> wrote:

> On Tue, Feb 03, 2015 at 02:57:37PM +0530, Sarah Thomas wrote:
> > Where DHCP is blocked before 802.1x.
> >
> > But then the only question , what is socket for receiving dhcp braodcast
> > message for?
> >
> > Thats after authentication is done?
>
> No, that is ten year old implementation(*) of an alternative way for
> detecting if a device is connected to the wired port in a case where
> there is no proper support for the authorized/unauthorized port concept
> in a wired switch. I would not expect such device to be used in a real
> end user product, i.e., the Ethernet ports on a switch should really be
> able to indicate events on when the link goes up or down and those could
> be used to trigger EAPOL operations.
>
> I guess this DHCP-trigger is fine for testing and experimentation
> purposes and even something like a port behind which there are multiple
> devices which then get blocked somehow based on MAC address (e.g.,
> dynamic ebtables rules), but none of that should really be considered
> secure.
>
> (*)
>
> http://w1.fi/cgit/hostap-history/commit/?id=7bca4e8dfd76d92724f46149db7b1b1b2098c928
>
> --
> Jouni Malinen                                            PGP id EFC895FA
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.shmoo.com/pipermail/hostap/attachments/20150204/1ab28810/attachment.htm>