On Wed, Oct 10, 2007 at 04:16:16PM -0700, Bernard Aboba wrote:
> >I'm wondering if it can work over wired networks where a
> >non-forwardable multicast address is used as the destination MAC
> >address of EAPoL frames.
>
> IEEE 802.11i supports 802.1X pre-authentication, in which another Ethertype
> is used, and 802.1X frames are sent to a unicast destination, forwarded by
> as many switches as necessary.

This 802.1X usage is specific to IEEE 802.11i pre-authentication, where 802.1X exchanged over the wired port of the target AP is used for controlling wireless ports of the AP. I don't think we can make it applicable to DSL simply because of different usage. I believe there would be lots of corner cases to tackle if we define an extension to 802.1X that can generally work across multiple LAN segments.

>
> Scenarios involving forwarding of multicast frames are typically limited to
> situations in which the switch terminating IEEE 802.1X is one hop away, and
> the forwarding switch acts as a TPMR for 802.1X traffic. For example, a
> wired VOIP phone might have a switch port, but does not act as a RADIUS
> client, so it forwards 802.1X traffic to a switch at the wall-port.

I think that two-port MAC relay is not applicable to DSL, especially in bridge mode where multiple Supplicants may exist.

>
> >How two Supplicants attached to such a
> >switch can run 802.1X where one Supplicant may receive EAPoL frames
> >intended to be received by the other one?
>
> Typically the 802.1X forwarder will not send the 802.1X frames to all
> ports, just to the switch one hop deeper in the network. That way other
> supplicants should not get confused.
>

I believe downlink Supplicants directly attached to a switch with more than two ports still get confused, while the direct uplink Authenticator would not get confused.

Yoshihiro Ohba
