For your case 1): depends. If there actually is a user cert on the client's box and its CN does not contain an @, same as above applies. If their CN does contain an @, well, then you are pretty much lost. Shouldn't be many though.
No certs on users boxes, completely vanilla installs... Well as vanilla as a students laptop can be ... vanilla + Azureus + Kazza + Spyware
Not that I can think of. You shouldn't be able to coax a supplicant >onto a network by munging authentication (this is a *good* thing). josh.
Yes it is I suppose :) This is what I suspected... I was planning on just sending an Access-Accept EAP packet and seeing what happened. But i'm guessing even if it did work (due to microsoft supplicant being horribly broken) it would go against quite a few RFCs, and wouldn't really make a good case study for JRS ;) Thanks for both your replys :) -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900