On Jul 23, 2025, at 11:26 AM, Alexander Clouter <[email protected]> wrote:

> For where topological information (eg. IP address assignment) is deemed to be
> within scope.

I would argue that IP address assignment should not be in scope. That would go down the path of replacing DHCP, which seems a bit much to do.

> Only spit balling but maybe there is something we can instead do to extend
> the TLS binding to carry over to the DHCP.
>
> This would then no longer be limited to TEAP, you could maybe even retrofit
> it to EAP-(T)TLS.

TTLS would need to define a TTLS-specific attribute but sure.

> My thinking is the DHCP client would then include an attribute to the server
> saying "I expect something binding here tied back to the TLS session of my
> EAP dance" and the DHCP server would include it as an option in the response.
> The client decides what to do in the presence (or non-presence) of it based on
> a local policy.

Hmm... I'll have to think about that.

> With this, you could now do topological (eg. IP) assignment and support DHCP
> snooping.
>
> With the proposal TEAP options approach, there would need to be some
> additionally special OOB protocol between the switchport and your policy
> server to communicate these DHCP assignments and make DHCP snooping work in
> practice. Of course the other option is to leave this at "use this only for
> assigning the WPAD server" :)

Yes, it would be useful to send these options in the final Access-Accept, too.

Alan DeKok.

_______________________________________________
Emu mailing list -- [email protected]
To unsubscribe send an email to [email protected]
