EAP bypass

Danny Paul JDPAUL at GoColumbiaMO.com
Mon Oct 20 18:06:14 CEST 2008


 
> Well... a sane supplicant, be it on a wireless or wired port, will
> maintain its EAP state machine, and will alert the user if the state
> machine was violated, right? So if the NAS gets and sends on a
> EAPoL-Success out of order, client gear will yell. Or did I get you wrong?

My experience was as follows:

Cisco 2950 switch has an "auth fail" vlan option. If port authentication fails, the port is marked authorized and put in the configured auth-fail vlan as opposed to the default vlan or remaining in an unauthorized state. For Windows XP SP2, if authentication fails, the user is notified - however, network communications across that vlan works fine.

Additionally, consider this: a packet capture reveals that, even after authentication has failed, Windows XP SP2 will send out DHCP requests.  Evidently the supplicant is somehow decoupled from the other processes involved in bringing up a network interface.
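The quoted remark above is about a supplicant keeping its EAP state machine and noticing an out-of-order EAPoL-Success. The following is an added example, not code from this thread or from FreeRADIUS: a small Python checker that parses constructed EAPOL/EAP frames (802.1X header plus RFC 3748 EAP header) and reports a Success or Failure that arrives before any Request/Response exchange, or a Response whose identifier does not match the outstanding Request. The `build_eapol` helper only exists to construct test frames.

```python
import struct

# EAPOL (802.1X) packet type and EAP (RFC 3748) codes used below
EAPOL_EAP_PACKET = 0
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4

def build_eapol(code, ident, eap_type=None):
    """Construct one EAPOL frame carrying one EAP packet (test data only)."""
    payload = b"" if eap_type is None else bytes([eap_type])
    eap = struct.pack("!BBH", code, ident, 4 + len(payload)) + payload
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap

def parse_eapol(frame):
    """Return (code, ident) for EAP-Packet frames; None for Start/Logoff/Key."""
    if len(frame) < 8:
        return None
    _ver, etype, _elen = struct.unpack("!BBH", frame[:4])
    if etype != EAPOL_EAP_PACKET:
        return None
    code, ident, _length = struct.unpack("!BBH", frame[4:8])
    return code, ident

def check_eap_order(frames):
    """Replay the supplicant's view of an EAP conversation and report packets
    that violate the expected order, as (frame_index, reason) tuples."""
    anomalies = []
    outstanding = None   # identifier of the Request awaiting a Response
    responded = False    # has at least one Request been answered this round?
    for i, frame in enumerate(frames):
        parsed = parse_eapol(frame)
        if parsed is None:
            continue
        code, ident = parsed
        if code == EAP_REQUEST:
            outstanding = ident
        elif code == EAP_RESPONSE:
            if outstanding is None:
                anomalies.append((i, "Response with no outstanding Request"))
            elif ident != outstanding:
                anomalies.append((i, "Response id does not match Request"))
            else:
                responded, outstanding = True, None
        elif code in (EAP_SUCCESS, EAP_FAILURE):
            name = "Success" if code == EAP_SUCCESS else "Failure"
            if not responded:
                anomalies.append((i, f"EAP-{name} before any Response"))
            outstanding, responded = None, False  # conversation is over
    return anomalies
```

An empty list means the exchange was well ordered; a Success that shows up with no preceding Response is exactly the case a sane supplicant should refuse to treat as authenticated.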




