change username/password takes no effect for 802.1x wifi clients
I'm running a freeradius to authorize user access on wifi network(EAP). everything works well, I input my username and password I can then login via 802.1x then surf. However if I change the username/password in mods-config/files/authorize, then restart radiusd, I can still surf the internet using the old username/password, no relogin required, until I logoff the wifi network, and relogin again, now I need supply the new username/password. How to force a re-login(via 802.1x) whenever I change username/password in freeradius? Is there a way to do it on freeradius side, or I just restart wifi network whenever I restart radiusd? Thanks,
On 25/10/2020 18:40, X Xiao wrote:
However if I change the username/password in mods-config/files/authorize, then restart radiusd, I can still surf the internet using the old username/password, no relogin required, until I logoff the wifi network, and relogin again, now I need supply the new username/password.
Sure. That's the same as if you're logged into pretty much any system and change your password - you only authenticate when you first connect.
How to force a re-login(via 802.1x) whenever I change username/password in freeradius? Is there a way to do it on freeradius side, or I just restart wifi network whenever I restart radiusd?
If your NAS supports CoA then you can send a CoA disconnect packet to kick the user off and force re-authentication. Sadly most NAS documentation is pretty lacking when CoA is concerned, so it might involve some guesswork. Otherwise you'll need to find some other way to kick the user off (though restarting the whole wireless network sounds a bit drastic). -- Matthew
participants (2)
-
Matthew Newton -
X Xiao