I'm getting ready to implement EAP-TLS for 802.1x port authentication. Everything works great in my testing environment and I'm very happy with it. However, before we roll it out into production, I must write a set of recovery procedures. In these procedures I need to include a section on the (admittedly very rare) chance that authentications start failing across the board for some reason - for example, if we accidently let a bunch of the user certificates expire, all of those machines will fail port-authentication until the certificates are replaced. My management would like a way to force authorization to succeed even if EAP has actually failed. My thought is to use a module that really does nothing but authenticate and authorize everything it sees. I've investigated the rlm_always, rlm_exec and rlm_perl modules but I can't seem to figure out how to do anything but report "handled" or "ok." This does not seem to result in an Access-Accept message being sent. Any suggestions? I'm using the latest FreeRadius 2 - the config files are unchanged except for the eap.conf (to specify the Root cert and server cert) and I am using a sparse sites-enabled file: client x.x.x.x { secret = secret server = EAP_Server } server EAP_Server { authorize { eap } authenticate { eap }