17 Jan
2020
17 Jan
'20
7:29 a.m.
On Jan 17, 2020, at 6:06 AM, Martin Pauly <pauly@hrz.uni-marburg.de> wrote:
It's not possible. If the device doesn't present a valid certificate, it won't authenticate. You can't force an "Accept" with EAP methods.
Really? Couldn't you branch the processing based on the outer ID?
It's impossible. You *can* send back an Access-Accept. That Access-Accept can contain an EAP Success packet. But... you *can't* send back correctly formatted MS-MPPE keys. Those keys *must* match between the NAS / AP and the supplicant. If they don't match, the user can't get online. The *only* way to calculate those keys is to perform the full EAP transaction. Alan DeKok.