Blue Light
Space shortcuts
Child pages
  • General information

Versions Compared

Old Version 9

changes.mady.by.user Dyuman

Saved on

compared with

New Version 10

changes.mady.by.user Dyuman

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

In the case of an Access-Accept, the wifi router now allows the supplicant to join the network, or, in the case of Access-Reject, will not. Once the NAS has granted access, for 802.1X/RADIUS/authentication server, the job is done, and the supplicant becomes part of the 192.168.254.0/24 network's broadcast domain. The authentication server, can specify attributes in replying packet to give the NAS additional instructions, for example, it might request the NAS to place the newly connected supplicant in a specific VLAN, or it might specify for how long the supplicant is allowed to remain connected, or  It can now initiate a DHCP request for an IP address or any other action as may be appropriate. The authentication server is able to log that the user connected along with information from attributes the NAS might have sent, generally this includes the MAC address of the supplicant, MAC address of the NAS, username (if authentication was done by username/password) and more depending on the NAS model.

EAP and RADIUS are both general purpose protocols that take care of communication. They have support for a great variety of features or different methods that can be encapsulated there-in to perform authentication (e.g. it is possible to use different protocols that authenticate the user using a username and password, or using client certificates, or even SIM cards), but it is still up to the supplicant, NAS and authentication server implementations to choose which ones they support or not (even different NASes have been seen to send MAC addresses in different format, e.g. TP-Link Archer C20 sends 01-23-45-67-89-AB, while TP-Link TD-W8968 sends 0123456789ab. TP-Link TL-WR740N, in the case of the NAS MAC address, sends 01-23-45-67-89-AB:SSID, where SSID is the configured wireless SSID). In fact, EAP is only EAP, being a tunneling protocol inside which a suitable protocol for performing authentication needs to be used. This makes it possible to have , gives flexibility in usable authentication protocols whilst maintaining compatibility with any without requiring specific support for that protocol by the NAS, as long as the authentication protocol it is supported by both the supplicant and authentication server.

...