Today Sam asked a question about the EAP end-points with respect to the
dhcp-auth proposal.
The answers we got were either not clear or not accurate.

It is not true that the EAP authenticator is always on the DHCP server. In
Figure 5 of their I-D, the EAP authenticator and DHCP relay are co-located in
the NAS:

(HGW)                 (NAS)                 (AAA)             (DHCP)
DHCP Client           AAA Client            RADIUS Server     DHCP Server
                      AAA Client

DHCPDISCOVER ------->
(w/DHCP-auth-proto EAP)
             <------- DHCPEAP
                      (w/EAP Message)
DHCPEAP      ------->
(w/EAP Message)
                      RADIUS Access-Request ------->
                      (w/EAP Message)
                                  <-------- RADIUS
                                            Access-Accept (w/EAP Message)
                                            (Access-Reject (w/EAP Message)
                                            if unsuccessful)

             (DHCP messages continue normally from
              this point forward if successful)

                      DHCPDISCOVER ------------------------------>
                      (w/RADIUS attributes suboption)
                      <----------------------------- DHCPOFFER
             <------- DHCPOFFER (w/EAP Success Message)
                      (w/yiaddr)
DHCPREQUEST  ------->
             <------- DHCPACK

Figure 5: Message Flow with new message and a DHCP relay

As for the EAP peer and DHCP client, we never got a clear acknowledgement that
it may be on a device sitting behind the CPE (HGW) at home, like a PC. It
has to be so because:

- There are clear DSLF requirements for that [e.g., IPAuth-9 Should be
  simple to implement on client (PC or CPE)],
- Replacing PPPoE means doing that on the home PCs as well, and
- The I-D clearly states "The DHCP Client resides either on a home network
  device or the HGW,..."

Alper