Not rejecting rejected users

[Franks Andy (RLZ) IT Systems Engineer]

Thanks Alan,
  I am toying with a nasty hacky way of making my own reject control
variable, capturing the outputs of each of the modules and forcing them
to be ok, then testing for the "reject" at the end and dealing with
likewise. The extreme controller we're using allows pushing of roles
with built in firewall rules via the filter-id attribute so I'm playing
with that too.
I'll find out I guess, but the peap thing - we tend to send mac auth
alongside, so test whether a machine passes tests with that and push the
vlan there. I was hoping I could test the output of the eap auth module
and still force it to be ok but we'll see.
Thanks again
Andy

-----Original Message-----
From:
freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradiu
s.org] On Behalf Of A.L.M.Buxey at lboro.ac.uk
Sent: 24 July 2014 21:54
To: FreeRadius users mailing list
Subject: Re: Not rejecting rejected users

Hi,

>    clients, when the radius sends a reject packet to the NAS, all is
well and
>    the client gets rejected. On wireless however, especially with
windows XP
>    machines, the machine will constantly retry connection to the SSID.

whats the cause of the reject? incorrect password? you can use the
MSCHAPv2 retry method
if its PEAP - the client will geta  prompt to reenter their
credentials...otherwise the client
will just keep on trying and trying and trying....

with wireless 802.1X you cannt reject and give them another vlan like
you can with wired (*)
the key required for the WPA2enterproise part is done in the
access-accept . with wired you have
guest/fail vlan options (not with MACSEC though). 

alan

(*) some vendors have really interesting/nasty non-interopt kludges to
get their APs to
do some 'nasty things' in some cases.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html