Difan Zhao wrote:
However if you can fool the NAS to let it believe that the device is authenticated, will the switch also send an EAP success message to the laptop to fool him as well?
No. Even if it does, the laptop will ignore it. There is no substitute for running the authentication protocol correctly.
If the laptop is configured to use PEAP and to validate certificate, then you are right, there is nothing we can do.
If the laptop is configured not to validate the certificate, then when the Server (freeradiusd) sends a challenge in the TLS tunnel and received a hashed reply, can it be configured to simply send a "success" back anyway?
That's not the way PEAP works. So no, it's impossible.
If the laptop is configured to use MD5, then I think it's even easier to make this happen...?
It's still impossible.
I apologize if I got any EAP/Radius theory totally wrong...
The company I work for serves hotels. They want their staff to be put in right VLAN for admin management purpose while guests put in guest VLAN. Now my setup is pissing some guests off because they don't like to see "failed" on their laptops. It's kind of important... I will really appreciate if you can come up with a solution for it...
<shrug> That's the way networks work. And you expect me to come up with a solution (for free) that you're charging for? Alan DeKok.