EAP bypass
Stefan Winter
stefan.winter at restena.lu
Mon Oct 20 17:18:50 CEST 2008
Hi,
> The supplicant will barf, and yet, the machine will not ignore the wide open network port.
>
That would be supplicant-dependent, right? For example the Intel
supplicant which I tried some time ago had a very solid opinion about
what was going on and I couldn't use the net "just like that". OTOH,
there is this peculiarity in the IEEE 802.1X standard itself that
basically says the supplicant tries three times to authenticate with
EAP-Identity, and after that shall "assume that the port is open". Maybe
that's what happens.
Anyway, it is a *very* bad idea to rely on such behaviour. I suggest a
bucket of cold water into the face of the guy's management. An
authentication server is used to authenticate users, not to
non-authenticate users.
Greetings,
Stefan Winter
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473