accepting clients with expired certificates
Alan DeKok
aland at deployingradius.com
Tue Aug 28 14:55:00 CEST 2007
Norbert Wegener wrote:
> If the client's certificate is expired, eap/tls will, of course, fail.
> In this case a guest vlan shall be assigned to the client.
I'm not sure that's good enough. The client may not believe it was
successfully authenticated until the TLS session is properly finished.
> Having a module, that adds the needed radius-attributes seems to work,
> if an additional Auth-Type += Accept is added.
> Doing this, the eap-tls is short-circuited and may result in a:
>
> Incoming RADIUS packet did not have correct Message-Authenticator - dropped
> message
> on the client side.
Try adding a Message-Authenticator to the reply. Any value will do,
as it will be re-calculated when the packet is sent.
Alan DeKok.
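
Added example (not part of the original post and not FreeRADIUS code): a Python model of the send-time recalculation the reply describes, following RFC 3579, where the Message-Authenticator is HMAC-MD5 over the reply with that attribute zeroed and the Request Authenticator in the authenticator field. The function names, shared secret and packet contents are constructed for illustration.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80        # Message-Authenticator attribute type (RFC 3579)
ACCESS_ACCEPT = 2

def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def msg_auth_offset(attrs):
    """Return the offset of the Message-Authenticator value, or None."""
    off = 0
    while off + 2 <= len(attrs):
        attr_type, length = attrs[off], attrs[off + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        if attr_type == MSG_AUTH and length == 18:
            return off + 2
        off += length
    return None

def compute_mac(header, request_auth, attrs, pos, secret):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed."""
    zeroed = attrs[:pos] + bytes(16) + attrs[pos + 16:]
    return hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()

def seal_reply(code, ident, attrs, request_auth, secret):
    """Send-time step: replace any placeholder value with the real HMAC."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    pos = msg_auth_offset(attrs)
    if pos is not None:
        mac = compute_mac(header, request_auth, attrs, pos, secret)
        attrs = attrs[:pos] + mac + attrs[pos + 16:]
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs

def client_accepts(packet, request_auth, secret):
    """Receiver check: a reply without a correct Message-Authenticator is dropped."""
    header, attrs = packet[:4], packet[20:]
    pos = msg_auth_offset(attrs)
    if pos is None:
        return False
    expected = compute_mac(header, request_auth, attrs, pos, secret)
    return hmac.compare_digest(expected, attrs[pos:pos + 16])

# Constructed sample values, not taken from the original post.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
EAP_MESSAGE = attr(79, bytes([3, 1, 0, 4]))  # EAP-Message carrying EAP-Success
```

Two replies that differ only in the placeholder bytes come out identical after `seal_reply`, while a reply built without the attribute fails `client_accepts`, which corresponds to the "did not have correct Message-Authenticator - dropped" message quoted above.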