Re: accepting clients with expired certificates



Norbert Wegener wrote:
> freeradius now sends a Message-Authenticator with value 0x00:
...
> but there seems to be a problem on the other end, as eapol_test shows:
> 
> STA 00:00:00:00:00:02: Received RADIUS packet matched with a pending
> request, round trip time 0.05 sec
> RADIUS packet matching with station
> could not extract EAP-Message from RADIUS message

  Yes.  As I said, the supplicant may not like it if you don't complete
the whole TLS conversation.

  At the minimum, you'll need to send an EAP Success packet inside of
the EAP-Message attribute.  But don't expect that to work.

  If the client certificate has expired, the odds are that the client
*cannot* be authenticated, even with the sacrifice of small animals, and
the sprinkling of their leavings in graveyards at midnight...

  Alan DeKok.
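What Alan's "at the minimum" step looks like on the wire, as an added example that is not part of the original thread or of FreeRADIUS's own code: an Access-Accept carrying an EAP Success inside EAP-Message, with the Message-Authenticator computed per RFC 3579 instead of the zeroed value in the quoted log, plus the receiver-side checks a NAS or eapol_test performs before trusting the EAP payload. The shared secret, identifiers and Request Authenticator below are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, EAP_MESSAGE, MESSAGE_AUTHENTICATOR, EAP_SUCCESS = 2, 79, 80, 3

def attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS TLV (RFC 2865 5): Type, Length including the 2-byte header, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_accept(ident: int, request_auth: bytes, secret: bytes, eap_id: int) -> bytes:
    """Access-Accept carrying EAP-Message(EAP Success) and a valid Message-Authenticator."""
    # EAP Success (RFC 3748 4.2): Code=3, Identifier, Length=4, no data.
    attrs = attr(EAP_MESSAGE, struct.pack("!BBH", EAP_SUCCESS, eap_id, 4))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs) + 18)
    # RFC 3579 3.2: HMAC-MD5 over the packet with Message-Authenticator zeroed and the
    # *Request* Authenticator (not the Response Authenticator) in the authenticator field.
    zeroed = header + request_auth + attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    attrs += attr(MESSAGE_AUTHENTICATOR, hmac.new(secret, zeroed, hashlib.md5).digest())
    # RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def iter_attrs(packet: bytes):
    """Yield (offset, type, value) for each TLV after the 20-byte RADIUS header."""
    off = 20
    while off + 2 <= len(packet):
        t, length = packet[off], packet[off + 1]
        if length < 2 or off + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % off)
        yield off, t, packet[off + 2:off + length]
        off += length

def verify_message_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Receiver-side check: recompute the HMAC with the attribute value zeroed."""
    for off, t, value in iter_attrs(packet):
        if t == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:4] + request_auth + packet[20:off + 2] + bytes(16) + packet[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return False  # absent or malformed: treat the packet as unauthenticated

def extract_eap_message(packet: bytes):
    """Reassemble EAP-Message fragments; None when the attribute is missing."""
    parts = [v for _, t, v in iter_attrs(packet) if t == EAP_MESSAGE]
    return b"".join(parts) if parts else None
```

A packet whose Message-Authenticator is all zeros, or that carries no EAP-Message at all, fails these checks exactly as eapol_test reported above.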