On 27/05/11 17:05, Lubenski, Zeev [GCS] wrote:
Ok - EAP TLS it is, but this in g=fact can't work (our internal problems) so the authentication fails
What we are trying to do is to accept the very first Access Request
Sorry, I don't think that's possible. If the WiMAX client is only capable of EAP-TLS, you must do EAP-TLS. And EAP-TLS requires a complete TLS negotiation and completion. I assume it's impossible for you to enable EAP-TLS for some reason?
I am thinking just to set authentication type on the Server as a user id /password and allow any user, so we can answer with accept on very first message
If you do that, the WiMAX client will basically see this: client: EAP-TLS: TLS client hello server: EAP-Success <no data> ...and the client will assume something has gone wrong, because it was expecting a TLS packet back. This is what I mean when I say you can't interfere with the outer tunnel - it's *designed* that way to be secure and prevent interference. HOWEVER - possibly the WiMAX client is dumb, and will do this: client: EAP-TLS: TLS client hello server: EAP-Success <no data> client: Ok, that's fine If so it's insecure, but it will solve your problem. Try this in sites-enabled/default: authorize { # Put any comparison you like here if (Calling-Station-Id == "the_wimax_mac?") { update control { Auth-Type := Accept } } } ...but I doubt it will work.