EAP bypass

Danny Paul JDPAUL at GoColumbiaMO.com
Sun Oct 19 19:49:30 CEST 2008


>   This is impossible.  It is *designed* to be impossible.  If it was
> possible, malicious networks could tell users that "authentication
> succeeded", and then attack the users.

I'm not sure you grasped what I was after - imagine an 802.1x wired switch, supplicants and RADIUS server configured for EAP-TLS. This works fine until the clumsy network administrator forgets to renew the certificates for each of his supplicants and they all expire on the same day. On that particular day, instead of spending hours getting new certificates issued, I'd rather change something in the RADIUS server config file to send out access-accept messages to every request. My users would be functional for the day while I go about generating new certificates one at a time.

Yes, the switch would be "wide open" for the day - but that's better than completely shut down in management's opinion.

>   You need to look at your NAS documentation for something like
> "fallback VLAN" support.  Some NASes have the ability to put users into
> special VLANs in some circumstances.

Oh yes, most gear does, and we're implementing that as well; however, the "guest vlan" or "auth-fail vlan" will have limited access to network resources, so that doesn't help us out of this bind.

>   In any case, the solution is much more complicated than just changing
> the FreeRADIUS configuration (which won't do anything)

I would imagine that one could write a module that did nothing but authorize absolutely anything, compelling the server to send an Access-Accept message no matter what. In conjunction with the situation described above - in the rare chance that I needed to use it, I could change my config file for the day, then change it back once my problems were solved.

But hey, if it's impossible then it's impossible. This being open source software I can change that myself, I suppose.

> 
>   Alan DeKok.

Thank you, I thoroughly appreciate your work on this project.
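The point in the quoted reply, that a server which blindly returns Access-Accept cannot get an EAP-TLS supplicant onto the port, is a property of the peer side, not of FreeRADIUS. The following is an added illustration (not code from this thread and not FreeRADIUS code): a constructed toy model of the EAP peer state machine's rule from RFC 4137 for accepting an EAP-Success. The peer only enters its SUCCESS state when the Success carries the identifier of the last request and the method's own decision is no longer FAIL, which for EAP-TLS happens only after the TLS handshake has completed; an early Success is silently discarded. The class and function names, and the three scenario functions, are my own.

```python
"""Toy model of how an EAP peer (supplicant) decides whether to honour an
EAP-Success, following the peer state machine in RFC 4137.

Constructed illustration for the FreeRADIUS-users discussion above: it is not
code from FreeRADIUS or from the mailing-list post.  The names EapTlsPeer,
rx_tls_request and rx_success are assumptions made for this example.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional


class Decision(Enum):
    """The EAP method's verdict (RFC 4137 'decision'): FAIL until the method
    itself reports that success is acceptable."""
    FAIL = auto()
    COND_SUCC = auto()
    UNCOND_SUCC = auto()


class MethodState(Enum):
    NONE = auto()
    CONT = auto()
    DONE = auto()


@dataclass
class EapTlsPeer:
    """Minimal supplicant-side state for one EAP-TLS conversation."""
    last_id: Optional[int] = None          # identifier of the last EAP-Request seen
    method_state: MethodState = MethodState.NONE
    decision: Decision = Decision.FAIL
    port_authorized: bool = False
    log: List[str] = field(default_factory=list)

    def rx_tls_request(self, eap_id: int, handshake_finished: bool) -> None:
        """Process an EAP-Request/EAP-TLS from the authenticator.

        In this toy model `handshake_finished` stands for the TLS handshake
        having completed with a verified server Finished message; only then
        does the EAP-TLS method move its decision away from FAIL."""
        self.last_id = eap_id
        self.method_state = MethodState.CONT
        if handshake_finished:
            self.method_state = MethodState.DONE
            self.decision = Decision.UNCOND_SUCC
        self.log.append(f"EAP-Request id={eap_id}: decision={self.decision.name}")

    def rx_success(self, eap_id: int) -> bool:
        """RFC 4137 peer rule: enter SUCCESS only if the Success matches the
        last request id and decision != FAIL; otherwise discard it."""
        if eap_id != self.last_id or self.decision is Decision.FAIL:
            self.log.append(f"EAP-Success id={eap_id}: discarded")
            return False
        self.port_authorized = True
        self.log.append(f"EAP-Success id={eap_id}: accepted, port authorized")
        return True


def blanket_accept_attempt() -> bool:
    """Server answers the first EAP-TLS round trip with Access-Accept (i.e. an
    EAP-Success) before any TLS handshake has completed: the peer discards it."""
    peer = EapTlsPeer()
    peer.rx_tls_request(eap_id=1, handshake_finished=False)
    return peer.rx_success(eap_id=1)


def normal_completion() -> bool:
    """Handshake completes, then EAP-Success with the matching id is honoured."""
    peer = EapTlsPeer()
    peer.rx_tls_request(eap_id=1, handshake_finished=False)
    peer.rx_tls_request(eap_id=2, handshake_finished=True)
    return peer.rx_success(eap_id=2)


def stale_id_success() -> bool:
    """Handshake completed, but the Success carries an old identifier: discarded."""
    peer = EapTlsPeer()
    peer.rx_tls_request(eap_id=1, handshake_finished=False)
    peer.rx_tls_request(eap_id=2, handshake_finished=True)
    return peer.rx_success(eap_id=1)


if __name__ == "__main__":
    for name, fn in [("blanket accept", blanket_accept_attempt),
                     ("normal completion", normal_completion),
                     ("stale id", stale_id_success)]:
        print(f"{name}: port authorized = {fn()}")
```

The model deliberately leaves out the authenticator and RADIUS layers: whatever the server puts in its reply, the switch only relays the EAP packet, and it is the supplicant that decides whether the port becomes usable. That is why an "authorize everything" module would not have rescued the expired-certificate day for EAP-TLS clients, whereas a fallback VLAN on the NAS acts below the EAP layer and can.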





More information about the Freeradius-Users mailing list