Force the client to use one specific EAP method

LUCA sfire at hotmail.it
Wed Apr 12 14:06:26 CEST 2017 

Hi Stefan,

thank you for the reply.


>Why the effort? The client can initially *suggest* whatever it likes.
>The server will NAK it and tell the client what EAP method to use instead.

Exactly, after the client *suggest* which method would like to use, anyway to make the server tell the client to use one specific EAP method instead?


>So, what's the win in writing complicated things on the supplicant?

Well, unfortunately it was the only and impractical idea I came up with.



>One of the few things which work very nicely in EAP is the method auto-negotiation. :-)

Yes but for what I'm trying to accomplish I really need to address the negotiation to one specific method :-)



Luca

________________________________
From: Freeradius-Users <freeradius-users-bounces+sfire=hotmail.it at lists.freeradius.org> on behalf of Stefan Winter <stefan.winter at restena.lu>
Sent: Wednesday, April 12, 2017 1:28 PM
To: FreeRadius users mailing list
Subject: Re: Force the client to use one specific EAP method

Hi,

> As Matthew suggested, I've removed the configurations for the others EAP methods, indeed now they don't work anymore.
>
> But, as Matthew already said, the clients will always choose whatever method they want to use or in the most cases the chosen method is the one set on the supplicant configuration file.
>
> I thought of making a script that would change the 802.1x configuration of the supplicant, but then every client should download and run the script, which is no practical at all.
>
> So, any other workaround that you're aware of?
>
> I was wondering if adding a realm could help somehow.

Why the effort? The client can initially *suggest* whatever it likes.
The server will NAK it and tell the client what EAP method to use instead.

This is one round-trip. It happens automatically in the background, no
UI or disruption involved.

So, what's the win in writing complicated things on the supplicant?

One of the few things which work very nicely in EAP is the method
auto-negotiation. :-)

Stefan


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

More information about the Freeradius-Users mailing list