If a client (supplicant) configured to perform EAP-TLS authentication connects to a switch which doesn't require authentication, how can the supplicant determine that authentication is not required and go ahead without authentication?

peterh

1 Answer

This can be done in two ways, based on whether the machine's IP is statically configured or dynamically configured.

If the machine is configured for DHCP, then the client can initiate a DHCP DISCOVER and wait for a response from the switch (authenticator). If a DHCP offer is received at the client side, then the switch doesn't support authentication and the client can go ahead with further communication. If authentication is supported, then the switch will trigger the EAP request (identity) to the client (supplicant), so that the client can complete authentication. This can delay authentication by a few seconds, depending upon how fast the switch sends the EAP request on getting DHCP packets.

In the case of a statically configured IP, either a server can be configured so that client and server can communicate to check whether they have IP connectivity or not. For this approach, we need to make sure of the availability of the server. Alternatively, a client can send an EAPOL start and wait for 30 seconds to check whether the switch asks for an EAP request (identity) or not.

Jens Erat
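The EAPOL-Start probe described in the answer above, as an added Python sketch that is not part of the original answer: it builds the EAPOL-Start frame, recognises an EAP-Request/Identity reply, and applies the 30-second wait. The function names, the sample MAC addresses and the constructed frames are assumptions for illustration; sending and capturing on a real interface is left out so the logic runs offline.

```python
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START = 0, 1             # EAPOL packet types
EAP_REQUEST, EAP_TYPE_IDENTITY = 1, 1            # EAP code / EAP type

def build_eapol_start(src_mac: bytes, version: int = 2) -> bytes:
    """Ethernet frame carrying EAPOL-Start (empty body, length 0)."""
    header = struct.pack("!HBBH", ETHERTYPE_EAPOL, version, EAPOL_START, 0)
    return PAE_GROUP_ADDR + src_mac + header

def is_eap_request_identity(frame: bytes) -> bool:
    """True if the frame is an EAPOL EAP-Packet holding EAP-Request/Identity."""
    if len(frame) < 14 + 4 + 5:                  # Ethernet + EAPOL + minimal EAP
        return False
    (ethertype,) = struct.unpack("!H", frame[12:14])
    _version, ptype, plen = struct.unpack("!BBH", frame[14:18])
    if ethertype != ETHERTYPE_EAPOL or ptype != EAPOL_EAP_PACKET:
        return False
    code, _ident, eap_len, eap_type = struct.unpack("!BBHB", frame[18:23])
    if not 5 <= eap_len <= plen:                 # reject inconsistent lengths
        return False
    return code == EAP_REQUEST and eap_type == EAP_TYPE_IDENTITY

def decide(observed, timeout: float = 30.0) -> str:
    """observed: (seconds_since_eapol_start, raw_frame) pairs from the wire.
    'authenticate' if the switch asked for identity in time, else 'no-auth'."""
    for elapsed, frame in observed:
        if elapsed <= timeout and is_eap_request_identity(frame):
            return "authenticate"
    return "no-auth"

def sample_request_identity(dst_mac: bytes, src_mac: bytes, ident: int = 1) -> bytes:
    """Constructed sample: what an authenticator's identity request looks like."""
    eap = struct.pack("!BBHB", EAP_REQUEST, ident, 5, EAP_TYPE_IDENTITY)
    header = struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, EAPOL_EAP_PACKET, len(eap))
    return dst_mac + src_mac + header + eap

# Constructed MAC addresses and frames, not captured traffic.
CLIENT = bytes.fromhex("020000000001")
SWITCH = bytes.fromhex("020000000002")
ARP_NOISE = b"\xff" * 6 + SWITCH + struct.pack("!H", 0x0806) + b"\x00" * 28

if __name__ == "__main__":
    print(build_eapol_start(CLIENT).hex())
    print(decide([(0.4, ARP_NOISE), (2.5, sample_request_identity(CLIENT, SWITCH))]))
    print(decide([(0.4, ARP_NOISE)]))
```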