Force "Accept" to authentication

Lubenski, Zeev [GCS] zlubensk at LGSInnovations.com
Fri May 27 21:10:35 CEST 2011


Phil

Thanks a lot, will give it a try.

Regards
Zeev

-----Original Message-----
From: freeradius-users-bounces+zlubensk=lgsinnovations.com at lists.freeradius.org [mailto:freeradius-users-bounces+zlubensk=lgsinnovations.com at lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Friday, May 27, 2011 11:32 AM
To: freeradius-users at lists.freeradius.org
Subject: Re: Force "Accept" to authentication

On 27/05/11 17:05, Lubenski, Zeev [GCS] wrote:
>
> Ok - EAP TLS it is, but this in fact can't work (our internal problems) so the authentication fails
>
> What we are trying to do is to accept the very first Access Request

Sorry, I don't think that's possible. If the WiMAX client is only 
capable of EAP-TLS, you must do EAP-TLS. And EAP-TLS requires a complete 
TLS negotiation and completion.

I assume it's impossible for you to enable EAP-TLS for some reason?

>
> I am thinking just to set authentication type on the Server as a user id/password and allow any user, so we can answer with accept on very first message

If you do that, the WiMAX client will basically see this:

client: EAP-TLS: TLS client hello
server: EAP-Success <no data>

...and the client will assume something has gone wrong, because it was 
expecting a TLS packet back. This is what I mean when I say you can't 
interfere with the outer tunnel - it's *designed* that way to be secure 
and prevent interference.

HOWEVER - possibly the WiMAX client is dumb, and will do this:

client: EAP-TLS: TLS client hello
server: EAP-Success <no data>
client: Ok, that's fine

If so it's insecure, but it will solve your problem.

Try this in sites-enabled/default:

authorize {
   # Put any comparison you like here
   if (Calling-Station-Id == "the_wimax_mac?") {
     update control {
       Auth-Type := Accept
     }
   }
}

...but I doubt it will work.
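
Added example, not part of the original thread and not FreeRADIUS or WiMAX client code: a sketch of the peer-side check that makes the first exchange above fail on a well-behaved client, by discarding an EAP-Success that arrives before the EAP-TLS handshake has completed. The EapTlsPeer class, its tls_finished flag (assumed to be set by a real TLS layer) and the sample packets are constructed for illustration.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_TLS = 13          # EAP method type for EAP-TLS
TLS_FLAG_START = 0x20      # "S" bit in the EAP-TLS flags octet


def parse_eap(pkt: bytes):
    """Parse an EAP packet into (code, identifier, method_type, data)."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field does not match packet")
    body = pkt[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("Request/Response without a type octet")
        return code, ident, body[0], body[1:]
    return code, ident, None, b""   # Success/Failure carry no data


class EapTlsPeer:
    """Hypothetical peer policy: EAP-TLS is required, nothing else is accepted."""

    def __init__(self):
        self.tls_started = False
        self.tls_finished = False   # assumption: set by the TLS layer on handshake completion

    def handle(self, pkt: bytes) -> str:
        code, _ident, method, data = parse_eap(pkt)
        if code == EAP_REQUEST and method == EAP_TYPE_TLS:
            if data and data[0] & TLS_FLAG_START:
                self.tls_started = True
            return "continue"
        if code == EAP_SUCCESS:
            # A bare Success only counts once the TLS method itself has completed.
            ok = self.tls_started and self.tls_finished
            return "accept" if ok else "discard"
        if code == EAP_FAILURE:
            return "fail"
        return "discard"            # Identity and other methods are out of scope here


# Constructed sample packets (not captured traffic).
TLS_START = bytes([EAP_REQUEST, 1, 0, 6, EAP_TYPE_TLS, TLS_FLAG_START])
BARE_SUCCESS = bytes([EAP_SUCCESS, 2, 0, 4])
```

A client that returns "accept" for BARE_SUCCESS without the tls_finished condition is the "dumb" client described above.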