IP assignment and authenticated port

Jouni Malinen j at w1.fi
Tue Feb 3 07:32:29 EST 2015


On Tue, Feb 03, 2015 at 02:57:37PM +0530, Sarah Thomas wrote:
> Where DHCP is blocked before 802.1x.
> 
> But then the only question, what is the socket for receiving DHCP broadcast
> messages for?
> 
> That's after authentication is done?

No, that is a ten-year-old implementation(*) of an alternative way of
detecting whether a device is connected to the wired port in a case where
there is no proper support for the authorized/unauthorized port concept
in a wired switch. I would not expect such a device to be used in a real
end-user product, i.e., the Ethernet ports on a switch should really be
able to indicate events when the link goes up or down, and those could
be used to trigger EAPOL operations.

I guess this DHCP trigger is fine for testing and experimentation
purposes, and even for something like a port behind which there are multiple
devices which then get blocked somehow based on MAC address (e.g.,
dynamic ebtables rules), but none of that should really be considered
secure.

(*)
http://w1.fi/cgit/hostap-history/commit/?id=7bca4e8dfd76d92724f46149db7b1b1b2098c928

-- 
Jouni Malinen                                            PGP id EFC895FA
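To make the mechanism discussed above concrete, here is an added example (not hostapd's wired driver and not code from this thread) that models the DHCP trigger in Python: it walks a raw Ethernet/IPv4/UDP/BOOTP frame, accepts only client-to-server BOOTREQUEST frames carrying a DHCP message type, pulls the client MAC out of `chaddr`, and feeds that to a small port monitor that decides whether a new EAPOL exchange should be started. The `build_dhcp_discover` frame builder, the `WiredPortMonitor` class and the check that the Ethernet source equals `chaddr` are my own assumptions, added for the example. It also makes the limitation in the mail visible: the monitor only ever learns about hosts that send DHCP, so it is a detection heuristic, not port enforcement.

```python
import struct

ETH_P_IP = 0x0800
IPPROTO_UDP = 17
BOOTP_CLIENT_PORT = 68
BOOTP_SERVER_PORT = 67
BOOTREQUEST = 1
DHCP_MAGIC = b"\x63\x82\x53\x63"       # RFC 2132 magic cookie after the BOOTP fixed header
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255
MSG_TYPE_NAMES = {1: "DISCOVER", 3: "REQUEST", 4: "DECLINE", 7: "RELEASE", 8: "INFORM"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_client_dhcp(frame: bytes):
    """Return (client_mac, dhcp_message_type) for a client->server DHCP frame, else None.

    Ethernet -> IPv4 -> UDP (dst port 67) -> BOOTP (op=BOOTREQUEST) -> DHCP options.
    The Ethernet-source-equals-chaddr check is a sanity check chosen for this example.
    """
    if len(frame) < 14:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_IP:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                     # header length in bytes (options allowed)
    if ihl < 20 or ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
        return None
    udp = ip[ihl:]
    _sport, dport, _ulen = struct.unpack("!HHH", udp[:6])
    if dport != BOOTP_SERVER_PORT:               # only client -> server traffic is a trigger
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        return None
    op, htype, hlen = bootp[0], bootp[1], bootp[2]
    if op != BOOTREQUEST or htype != 1 or hlen != 6:   # Ethernet hardware address only
        return None
    chaddr = bootp[28:34]
    if chaddr != src:
        return None
    msg_type = None
    i = 240                                      # options TLVs start right after the cookie
    while i < len(bootp):
        tag = bootp[i]
        if tag == OPT_PAD:
            i += 1
            continue
        if tag == OPT_END or i + 1 >= len(bootp):
            break
        length = bootp[i + 1]
        value = bootp[i + 2:i + 2 + length]
        if tag == OPT_MSG_TYPE and length == 1:
            msg_type = value[0]
        i += 2 + length
    if msg_type is None:
        return None
    return mac_str(chaddr), msg_type


class WiredPortMonitor:
    """Hypothetical model of the trigger: a new client MAC seen in DHCP starts EAPOL."""

    def __init__(self):
        self.pending = set()       # MACs for which EAPOL has been started
        self.authorized = set()    # MACs that completed authentication

    def on_frame(self, frame: bytes) -> str:
        parsed = parse_client_dhcp(frame)
        if parsed is None:
            return "ignore"         # not DHCP: this trigger never notices such a host
        mac, _msg_type = parsed
        if mac in self.authorized:
            return "authorized"
        if mac in self.pending:
            return "pending"
        self.pending.add(mac)
        return "start_eapol"

    def authorize(self, mac: str) -> None:
        self.pending.discard(mac)
        self.authorized.add(mac)


def build_dhcp_discover(client_mac: bytes, xid: int = 0x12345678) -> bytes:
    """Constructed sample input: a broadcast DHCPDISCOVER from client_mac (test data only)."""
    options = bytes([OPT_MSG_TYPE, 1, 1, OPT_END])
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        client_mac, b"\0" * 64, b"\0" * 128)
    bootp += DHCP_MAGIC + options
    udp = struct.pack("!HHHH", BOOTP_CLIENT_PORT, BOOTP_SERVER_PORT, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    return b"\xff" * 6 + client_mac + struct.pack("!H", ETH_P_IP) + ip


if __name__ == "__main__":
    mon = WiredPortMonitor()
    frame = build_dhcp_discover(bytes.fromhex("021122334455"))
    print(parse_client_dhcp(frame), mon.on_frame(frame), mon.on_frame(frame))
```

Running the block prints the parsed (MAC, message type) pair followed by `start_eapol` and then `pending`. Everything that is not a client DHCP request (ARP, already-configured hosts with static addresses, a DHCP reply from a server) returns `ignore`, which is exactly why link up/down events from the switch, or a real authorized/unauthorized port, are the proper trigger and this one is only suitable for experimentation.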