On Sat, Oct 18, 2008 at 04:07:27PM +0100, Arran Cudbard-Bell wrote:
Alan DeKok wrote:
Danny Paul wrote:
My management would like a way to force authorization to succeed even if EAP has actually failed.
This is impossible. It is *designed* to be impossible. If it was possible, malicious networks could tell users that "authentication succeeded", and then attack the users.
You need to look at your NAS documentation for something like "fallback VLAN" support. Some NASes have the ability to put users into special VLANs in some circumstances.
If this is a wired port then just force an Access-Accept, yes it breaks the RFC but if your NAS doesn't inspect the contents of the EAP-Message then it'll work.
Are you sure? Won't the supplicant barf because mutual authentication doesn't succeed?