Banning users in a nice way...

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Fri Jun 29 10:43:52 CEST 2007


Hi,

> Oh, and by broken I mean Windows XP type broken, as in will only attempt 
> TLS authentication broken... and sends the username and password a user 
> logged into the machine with by default broken... and so can never work 
> out of the box broken.

FWIW, an unconfigured Windows XP box will not send anything on EAP-TLS 
for either wired or wireless - as it needs to have a private
certificate or smartcard, both of which are absent. Only if you
do a quick change of that default entry to make it PEAP will the next
broken bits appear (use Windows login/password for authentication etc).

No. The only sane way is to provide an open wifi connection which 
is a walled garden under which they can read config docs or install
a nice configurator program to set their wifi up properly.

> and we're assuming people running Linux are clever enough to set up x 
> supplicant without support :)

If they can get their wifi drivers compiled and running, configuring
wpa_supplicant is easy! PS: don't forget, folks, that wpa_supplicant
also works on the wired interfaces on Linux too... so dot1x on wired
is 'trivial' with Linux.

alan


