OpenBSD Journal

DHCP server with 802.1x?

Contributed by jose on from the controlled-access dept.

Billy writes: "Does anyone know of a DHCP server with support for 802.1x auth, which runs under OpenBSD?"


  1. By grey () on

    I'm unsure if there's much to be found regarding 802.1X outside of proprietary vendors such as MS (with XP or higher), Cisco and Enterasys. The pdf linked ( was found through a bit of googling, but its reference to dhcpd is minimal at best. I've had a chance to get a product demo from an Enterasys engineer of some of their 802.1X management software, but it's all dependent on their hardware, as well as MS clients. While it seemed pretty interesting, especially for managing a Windows-oriented network, I haven't seen much else out there regarding 802.1X and would be curious to hear the result.

    Sorry that's not too helpful.

  2. By jose () on

    not sure if this will build on openbsd, but it could be a start:

    other links:

  3. By Jakob Schlyter () on

    dhcpd doesn't interact with 802.1x since 1x authentication is performed even before you get an IP address.

    what you need on the server side is usually a 1x-aware RADIUS server that talks to the switch/wifi-ap which performs the actual 1x authentication against the client (aka supplicant).

    1. By Gernot Schmied () on

      To be more precise you need a RADIUS Server that supports EAP (Extensible Authentication Protocol) which is true for most up-to-date open source RADIUS implementations such as FreeRADIUS. It is a chain supplicant--authenticator--AAA_Server and currently only works with RADIUS. The nice thing about open1x Xsupplicant is it can act as both a supplicant AND authenticator.


  4. By Dom De Vitto () on

    802.1x is a protocol for authentication *prior* to the node getting access to the network layer.

    e.g. on ethernet, the switch can't prevent you transmitting, but it can tag the port as 'unauthenticated' and either not forward traffic to/from it until it's had a valid .1x frame, or put the segment into a specified VLAN.

    .1x is nothing to do with IP, and so nothing to do with DHCP.
    .1x is barely anything to do with ethernet/wireless, as it's designed to (try) to prevent the device using the media before authentication.
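
Added example, not part of the original thread or any poster's code: a small Python decoder that shows why the replies say 802.1X sits below IP and DHCP. EAPOL frames carry EtherType 0x888E directly over Ethernet, with no IP header at all. The sample frames, the MAC address and the identity "billy" are constructed for illustration.

```python
import struct

ETHERTYPE_EAPOL = 0x888E  # IEEE 802.1X: EAP over LAN, carried directly in Ethernet
ETHERTYPE_IPV4 = 0x0800   # DHCP needs this layer (UDP 67/68 over IPv4)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1

# Constructed sample frames (destination is the 802.1X PAE group address).
EAPOL_START = bytes.fromhex("0180c2000003" "020000000001" "888e" "01" "01" "0000")
EAP_RESPONSE_IDENTITY = bytes.fromhex(
    "0180c2000003" "020000000001" "888e"  # Ethernet header
    "01" "00" "000a"                      # EAPOL: version 1, EAP-Packet, 10-byte body
    "02" "01" "000a" "01" "62696c6c79")   # EAP: Response, id 1, len 10, Identity, "billy"

def parse_frame(frame: bytes) -> dict:
    """Classify an Ethernet II frame and decode it if it is EAPOL."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype}
    if ethertype != ETHERTYPE_EAPOL:
        # Not 802.1X: an unauthenticated port would not forward this.
        info["kind"] = "ipv4" if ethertype == ETHERTYPE_IPV4 else "other"
        return info
    if len(frame) < 18:
        raise ValueError("truncated EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body shorter than its length field")
    info.update(kind="eapol", version=version,
                eapol_type=EAPOL_TYPES.get(ptype, "unknown"))
    if ptype == 0:  # EAP-Packet: this is what the authenticator relays to RADIUS
        if body_len < 4:
            raise ValueError("truncated EAP header")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > body_len:
            raise ValueError("bad EAP length field")
        info.update(eap_code=EAP_CODES.get(code, "unknown"), eap_id=ident)
        if code in (1, 2) and eap_len >= 5:  # Request/Response carry a type byte
            info["eap_type"] = body[4]
            if body[4] == EAP_TYPE_IDENTITY:
                info["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return info

if __name__ == "__main__":
    for sample in (EAPOL_START, EAP_RESPONSE_IDENTITY):
        print(parse_frame(sample))
```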

