EAP bypass

Anders Holm anders.holm at sysadmin.ie
Mon Oct 20 13:17:45 CEST 2008


Eating humble pie for a day would reset the admin's expectations on how
to handle customer expectations to a reasonable level, I'd think...

Sent from my iPhone

On 19 Oct 2008, at 18:49, "Danny Paul" <JDPAUL at gocolumbiamo.com> wrote:

>>  This is impossible.  It is *designed* to be impossible.  If it was
>> possible, malicious networks could tell users that "authentication
>> succeeded", and then attack the users.
>
> I'm not sure you grasped what I was after - imagine an 802.1x wired
> switch, supplicants and RADIUS server configured for EAP-TLS. This
> works fine until the clumsy network administrator forgets to renew  
> the certificates for each of his supplicants and they all expire on  
> the same day. On that particular day, instead of spending hours  
> getting new certificates issued, I'd rather change something in the  
> RADIUS server config file to send out access-accept messages to  
> every request. My users would be functional for the day while I go  
> about generating new certificates one at a time.
>
> Yes, the switch would be "wide open" for the day - but that's better  
> than completely shut down in management's opinion.
>
>>  You need to look at your NAS documentation for something like
>> "fallback VLAN" support.  Some NASes have the ability to put users into
>> special VLANs in some circumstances.
>
> Oh yes, most gear does, and we're implementing that as well -  
> however, the "guest vlan" or "auth-fail vlan" will have limited  
> access to network resources so that doesn't help us out of this bind.
>
>>  In any case, the solution is much more complicated than just changing
>> the FreeRADIUS configuration (which won't do anything)
>
> I would imagine that one could write a module that did nothing but  
> authorize absolutely anything, compelling the server to send an  
> Access-Accept message no matter what. In conjunction with the  
> situation described above - in the rare chance that I needed to use  
> it, I could change my config file for the day, then change it back  
> once my problems were solved.
>
> But hey, if it's impossible then it's impossible. This being open  
> source software I can change that myself, I suppose.
>
>>
>>  Alan DeKok.
>
> Thank you, I thoroughly appreciate your work on this project
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
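The failure mode Danny describes above, every supplicant certificate lapsing on the same day, is easier to prevent than to work around. As an added example that is not from the thread or from the FreeRADIUS project, here is a POSIX shell check that reports certificates expiring within a warning window so they can be renewed one at a time. It assumes openssl is on the PATH and that the supplicant certificates are PEM files in one directory (the directory shown is a placeholder).

```shell
#!/bin/sh
# Added example (not from the thread): find supplicant certificates that are
# about to expire, before they all lapse on the same day.
# Assumptions: openssl is installed; certificates are *.pem files in one
# directory (placeholder path in the example call at the bottom).

# cert_expires_within CERT_FILE DAYS
# Prints "yes" if the certificate will have expired DAYS days from now (or
# already has), "no" otherwise. openssl's -checkend exits non-zero when the
# certificate does not outlive the given number of seconds. A file openssl
# cannot read is also reported as "yes" so that it gets looked at.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo no
    else
        echo yes
    fi
}

# scan_supplicant_certs DIR DAYS
# Lists every *.pem under DIR that expires within DAYS days, one per line,
# together with its notAfter date, so renewals can be spread out in time.
scan_supplicant_certs() {
    dir="$1"; days="$2"
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        if [ "$(cert_expires_within "$cert" "$days")" = yes ]; then
            printf '%s %s\n' "$cert" "$(openssl x509 -in "$cert" -noout -enddate)"
        fi
    done
}

# count_expiring DIR DAYS
# Prints the number of certificates under DIR that need renewal within DAYS.
count_expiring() {
    scan_supplicant_certs "$1" "$2" | wc -l | tr -d ' '
}

# Example run against a placeholder directory with a 30-day warning window:
# scan_supplicant_certs /path/to/supplicant-certs 30
```

Running the scan from cron with a window longer than the time it takes to reissue one certificate gives the admin the lead time the thread's scenario lacks.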
