Question: How do I forcibly accept all rest requests??

Difan Zhao difan.zhao at guest-tek.com
Wed Mar 31 01:35:16 CEST 2010


Alan, 

Thank you for the quick reply!

However, if you can fool the NAS into believing that the device is
authenticated, will the switch also send an EAP success message to the
laptop to fool it as well?

If the laptop is configured to use PEAP and to validate certificate,
then you are right, there is nothing we can do.

If the laptop is configured not to validate the certificate, then when
the Server (freeradiusd) sends a challenge in the TLS tunnel and
receives a hashed reply, can it be configured to simply send a "success"
back anyway?

If the laptop is configured to use MD5, then I think it's even easier to
make this happen...?

I apologize if I got any EAP/Radius theory totally wrong...

The company I work for serves hotels. They want their staff to be put in
the right VLAN for admin management purposes while guests are put in the
guest VLAN. Now my setup is pissing some guests off because they don't
like to see "failed" on their laptops. It's kind of important... I will
really appreciate it if you can come up with a solution for it...

Thank you!

Guest-tek, Difan Zhao
difan.zhao at guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
-----Original Message-----
From: freeradius-users-bounces+difan.zhao=guest-tek.com at lists.freeradius.org
[mailto:freeradius-users-bounces+difan.zhao=guest-tek.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, March 30, 2010 4:43 PM
To: FreeRadius users mailing list
Subject: Re: Question: How do I forcibly accept all rest requests??

Difan Zhao wrote:
> So I want to make all rest devices to be authenticated. It will be
> even better if I can assign them to a specific VLAN. I was reading
> ./sites-available/default and I found that "forcibly accept the user
> (Auth-Type := Accept)". Where do I put it? I tried:
> 
> post-auth {
>     Post-Auth-Type REJECT {
> #       attr_filter.access_reject
>         Auth-Type := Accept
>     }
> }

  It's too late to over-ride the reject at that point.

  And I doubt that this will prevent the icon from appearing on their
desktop.  The icon means that the *PC* believes it wasn't authenticated.
 The config above tells the *NAS* to allow them in, but does not
convince the *PC* that it has been authenticated.

  There is no substitute for running the authentication protocol
correctly.

  Alan DeKok.
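
The distinction drawn above, between what the *NAS* is told and what the *PC* is told, can be checked on a captured RADIUS reply: the RADIUS code is the verdict for the NAS, while the EAP packet meant for the supplicant travels in the EAP-Message attribute (type 79, RFC 3579). This is an added example, not part of the original thread or of FreeRADIUS; `eap_view`, `build` and the sample packets are constructed for illustration.

```python
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_MESSAGE = 79  # RADIUS attribute that carries the EAP packet (RFC 3579)


def eap_view(packet: bytes) -> tuple:
    """Return (verdict for the NAS, EAP result carried for the supplicant)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    eap, pos = b"", 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == EAP_MESSAGE:
            # A long EAP packet is split over several attributes, in order.
            eap += packet[pos + 2:pos + attr_len]
        pos += attr_len
    nas = RADIUS_CODES.get(code, f"code {code}")
    if len(eap) < 4:  # an EAP header is code, id and a 2-byte length
        return nas, "no EAP packet"
    return nas, "EAP-" + EAP_CODES.get(eap[0], f"code {eap[0]}")


def build(code: int, eap: bytes = b"") -> bytes:
    """Constructed sample reply: zeroed authenticator, optional EAP-Message."""
    attrs = bytes([EAP_MESSAGE, 2 + len(eap)]) + eap if eap else b""
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    samples = {
        "accept, no EAP-Message": build(2),
        "accept + EAP-Success": build(2, b"\x03\x05\x00\x04"),
        "reject + EAP-Failure": build(3, b"\x04\x05\x00\x04"),
    }
    for name, pkt in samples.items():
        print(f"{name:24} NAS sees {eap_view(pkt)[0]:14} supplicant gets {eap_view(pkt)[1]}")
```
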