EAP bypass
Arran Cudbard-Bell
a.cudbard-bell at sussex.ac.uk
Sat Oct 18 17:07:27 CEST 2008
Alan DeKok wrote:
> Danny Paul wrote:
>
>> My management would like a way to force authorization to
>> succeed even if EAP has actually failed.
>>
>
> This is impossible. It is *designed* to be impossible. If it was
> possible, malicious networks could tell users that "authentication
> succeeded", and then attack the users.
>
> You need to look at your NAS documentation for something like
> "fallback VLAN" support. Some NASes have the ability to put users into
> special VLANs in some circumstances.
>
If this is a wired port then just force an Access-Accept. Yes, it breaks
the RFC, but if your NAS doesn't inspect the contents of the EAP-Message
then it'll work.

> In any case, the solution is much more complicated than just changing
> the FreeRADIUS configuration (which won't do anything).
>
Thanks,
Arran
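
Added example, not part of the original thread and not FreeRADIUS or NAS vendor code: a sketch of the check a NAS would make if it did inspect the EAP-Message of a final reply, so that an Access-Accept without EAP-Success does not open the port. The function names, the strict policy and the sample packets are assumptions constructed for illustration.

```python
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3   # RADIUS packet codes (RFC 2865)
EAP_MESSAGE = 79                      # RADIUS attribute type (RFC 3579)
EAP_SUCCESS, EAP_FAILURE = 3, 4       # EAP codes (RFC 3748)

def eap_payload(packet: bytes) -> bytes:
    """Concatenate the EAP-Message attributes of one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    eap, pos = b"", 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == EAP_MESSAGE:
            eap += packet[pos + 2:pos + alen]
        pos += alen
    return eap

def port_decision(packet: bytes, eap_session: bool = True) -> str:
    """Return 'authorize' or 'deny' for a final RADIUS reply.

    Policy assumed by this example: in an EAP session an Access-Accept
    opens the port only if it carries EAP-Success. Verifying the
    Message-Authenticator attribute is out of scope here.
    """
    eap = eap_payload(packet)          # also validates the packet framing
    if packet[0] != ACCESS_ACCEPT:
        return "deny"
    if not eap_session:                # e.g. a non-EAP login on the same NAS
        return "authorize"
    return "authorize" if len(eap) >= 4 and eap[0] == EAP_SUCCESS else "deny"

def build(code: int, eap: bytes = b"") -> bytes:
    """Constructed sample reply: zeroed authenticator, optional EAP-Message."""
    attrs = bytes([EAP_MESSAGE, len(eap) + 2]) + eap if eap else b""
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs

SAMPLES = {  # constructed packets, not captured traffic
    "accept+success": build(ACCESS_ACCEPT, bytes([EAP_SUCCESS, 7, 0, 4])),
    "accept+failure": build(ACCESS_ACCEPT, bytes([EAP_FAILURE, 7, 0, 4])),
    "accept, no EAP": build(ACCESS_ACCEPT),
}
```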