28 Aug
2007
28 Aug
'07
8:55 a.m.
Norbert Wegener wrote:
If the client's certificate is expired, eap/tls will, of course, fail. In this case a guest vlan shall be assigned to the client.
I'm not sure that's good enough. The client may not believe it was successfully authenticated until the TLS session is properly finished.
Having a module, that adds the needed radius-attributes seems to work, if an additional Auth-Type += Accept is added. Doing this, the eap-tls is short-circuited and may result in a:
Incoming RADIUS packet did not have correct Message-Authenticator - dropped message on the client side.
Try adding a Message-Authenticator to the reply. Any value will do, as it will be re-calculated when the packet is sent. Alan DeKok.