EAP bypass

Danny Paul JDPAUL at GoColumbiaMO.com
Fri Oct 17 21:20:17 CEST 2008


I'm getting ready to implement EAP-TLS for 802.1x port authentication. Everything works great in my testing environment and I'm very happy with it. However, before we roll it out into production, I must write a set of recovery procedures. In these procedures I need to include a section on the (admittedly very rare) chance that authentications start failing across the board for some reason - for example, if we accidentally let a bunch of the user certificates expire, all of those machines will fail port-authentication until the certificates are replaced. My management would like a way to force authorization to succeed even if EAP has actually failed.

My thought is to use a module that really does nothing but authenticate and authorize everything it sees. I've investigated the rlm_always, rlm_exec and rlm_perl modules but I can't seem to figure out how to do anything but report "handled" or "ok." This does not seem to result in an Access-Accept message being sent.

Any suggestions?

I'm using the latest FreeRadius 2 - the config files are unchanged except for the eap.conf (to specify the Root cert and server cert) and I am using a sparse sites-enabled file:

client x.x.x.x {
  secret = secret
  server = EAP_Server
}

server EAP_Server {

  authorize {
    eap
  }

  authenticate {
    eap
  }
}
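A break-glass virtual server sketch, added here as an example and not from the original post or the FreeRADIUS project. It assumes the `EAP_Server` above stays the normal path, that the recovery action is repointing the client stanza's `server =` line at a second virtual server, and that the stock `auth_log` detail instance from the default v2 modules directory is available; the names `EAP_Recovery` and the Reply-Message text are made up. Whether a supplicant brings the port up on an Access-Accept that carries no EAP-Success is something to confirm in the test environment before relying on it.

```unlang
# Hypothetical recovery virtual server (added example, not from the post).
# Normal operation: clients point at EAP_Server. Recovery: change
# "server = EAP_Server" to "server = EAP_Recovery" in the client stanza
# and reload; change it back as soon as the certificates are replaced.
server EAP_Recovery {

  authorize {
    # Keep a detail log of every request accepted while the bypass is
    # active so the window can be audited afterwards.
    auth_log

    # Let eap inspect the packet as usual (it sets Auth-Type := EAP for
    # EAP requests), then override with the built-in Auth-Type Accept,
    # which skips the authenticate section and replies Access-Accept.
    eap
    update control {
      Auth-Type := Accept
    }
  }

  authenticate {
    # Not reached while the override above is in place; kept so the
    # server behaves like EAP_Server once the override is removed.
    eap
  }

  post-auth {
    # Mark replies so recovery-mode accepts are distinguishable in
    # switch and RADIUS logs. Note: this Access-Accept contains no
    # EAP-Success, so supplicant behaviour must be verified in testing.
    update reply {
      Reply-Message := "EAP_Recovery: bypass active"
    }
  }
}
```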