EAP bypass

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Mon Oct 20 16:24:06 CEST 2008




>   For wired... maybe it works.  But it's an accident, and may change
> from switch revision to revision.

Just re-read RFC 3579, it should always work (I was surprised too).

RFC 3579:

2.6.3.  Conflicting Messages

   The NAS MUST make its access control decision based solely on the
   RADIUS Packet Type (Access-Accept/Access-Reject).  The access control
   decision MUST NOT be based on the contents of the EAP packet
   encapsulated in one or more EAP-Message attributes, if present.

...

   If the NAS receives an Access-Accept with an encapsulated EAP
   Failure, it will grant access to the peer.  However, on receiving an
   EAP Failure, the peer will be led to believe that it failed
   authentication.  If no EAP-Message attribute is included within an
   Access-Accept or Access-Reject, then the peer may not be informed as
   to the outcome of the authentication, while the NAS will take action
   to allow or deny access.

The current default behaviour for Windows and Mac OS X is not to block
traffic on the interface even if authentication fails.


> 
>> Yes, the switch would be "wide open" for the day - but that's better than completely shut down in management's opinion.
> 
>   Or, you could put procedures in place to warn you about expiring
> certificates.
> 
>> Oh yes, most gear does, and we're implementing that as well - however, the "guest vlan" or "auth-fail vlan" will have limited access to network resources so that doesn't help us out of this bind.
> 
>   "guest vlan" is just a name.  If your network is so bad that all of
> the certificates have expired, making the "guest vlan" the same as the
> "normal vlan" isn't a problem.
> 
>> But hey, if it's impossible then it's impossible. This being open source software I can change that myself, I suppose.
> 
>   Er... no.
> 
>   For wireless authentication, it's impossible because it's...
> impossible.  See cryptographic research for the current meaning of
> "impossible" as it pertains to the encryption protocols used here.

Yeah, the dynamic keying won't work... This will only ever work on wired
connections.

Regards,
Arran

--
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
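The RFC 3579 section 2.6.3 case quoted in the message above, worked through in code. This is an added example written for this page; it is not code from the original post, from FreeRADIUS, or from any switch vendor. It encodes a RADIUS Access-Accept whose EAP-Message attribute carries an EAP Failure, checks both the Response Authenticator (RFC 2865) and the Message-Authenticator (RFC 3579), and then shows a toy NAS deciding on the RADIUS Code alone while a toy peer reads the EAP Code. The shared secret, the Request Authenticator, and the `nas_decision` / `eap_code_seen_by_peer` helper names are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# RADIUS codes (RFC 2865) and EAP codes (RFC 3748) used below
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
EAP_SUCCESS = 3
EAP_FAILURE = 4
ATTR_EAP_MESSAGE = 79            # RFC 3579 s3.1
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 3579 s3.2

# Constructed values for the example: a toy shared secret and the Request
# Authenticator of the Access-Request this response answers. Not real keys.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))


def eap_packet(code, identifier):
    """EAP Success and Failure are 4-byte packets: Code, Identifier, Length."""
    return struct.pack("!BBH", code, identifier, 4)


def attr(type_, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", type_, len(value) + 2) + value


def build_radius_response(code, identifier, eap):
    """Encode a RADIUS response carrying EAP-Message plus Message-Authenticator.

    Message-Authenticator = HMAC-MD5(secret, Code+ID+Length+RequestAuth+Attributes)
    with its own value zeroed (RFC 3579 s3.2); Response Authenticator =
    MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 s3).
    """
    # an EAP-Message attribute holds at most 253 bytes; longer EAP packets are split
    attrs = b"".join(attr(ATTR_EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253))
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    mac = hmac.new(SECRET, header + REQUEST_AUTH + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac  # Message-Authenticator is the last attribute
    resp_auth = hashlib.md5(header + REQUEST_AUTH + attrs + SECRET).digest()
    return header + resp_auth + attrs


def parse_attrs(data):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out


def verify_response(pkt):
    """Check both authenticators; return (code, attributes) or raise ValueError."""
    code, _identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad length")
    header, resp_auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    if hashlib.md5(header + REQUEST_AUTH + attrs + SECRET).digest() != resp_auth:
        raise ValueError("bad Response Authenticator")
    parsed = parse_attrs(attrs)
    macs = [v for t, v in parsed if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1:
        raise ValueError("expected exactly one Message-Authenticator")
    zeroed = b"".join(attr(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                      for t, v in parsed)
    expected = hmac.new(SECRET, header + REQUEST_AUTH + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, macs[0]):
        raise ValueError("bad Message-Authenticator")
    return code, parsed


def is_authentic(pkt):
    """True when the response passes both authenticator checks."""
    try:
        verify_response(pkt)
        return True
    except (ValueError, struct.error):
        return False


def nas_decision(pkt):
    """Toy NAS following RFC 3579 s2.6.3: the port opens on the RADIUS Code
    alone, whatever EAP packet rides inside the EAP-Message attributes."""
    code, _ = verify_response(pkt)
    return code == ACCESS_ACCEPT


def eap_code_seen_by_peer(pkt):
    """Toy supplicant view: the EAP Code of the packet reassembled from the
    EAP-Message attributes, or None if the response carried none."""
    _, parsed = verify_response(pkt)
    eap = b"".join(v for t, v in parsed if t == ATTR_EAP_MESSAGE)
    return eap[0] if eap else None


def conflicting_packet():
    """The conflicting case from the RFC: Access-Accept wrapping an EAP Failure."""
    return build_radius_response(ACCESS_ACCEPT, 7, eap_packet(EAP_FAILURE, 7))


if __name__ == "__main__":
    pkt = conflicting_packet()
    print("NAS opens port:", nas_decision(pkt))               # True
    print("peer sees EAP code:", eap_code_seen_by_peer(pkt))  # 4 (Failure)
```

The point the code makes is the one the RFC makes: the Code byte is what the NAS acts on, and the Message-Authenticator is what stops anyone on the wire from flipping that byte, so the EAP Failure inside is purely advisory to the peer. Whether the peer then keeps sending traffic on the port is the supplicant's own behaviour, which the message above describes and which this example does not model.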
