EAP bypass

A.L.M.Buxey at lboro.ac.uk
Sun Oct 19 20:08:02 CEST 2008


Hi,

> I would think that would work, I just don't know how to do that! It's really easy to create a module that returns "ok" or "handled" but, despite hours of poring through the unlang manpages and documentation on rlm_example, rlm_perl, and rlm_exec, I cannot seem to create a module that will compel the RADIUS server to send back an Access-Accept. Mr. DeKok says this is impossible, and he would probably be the one to know. I'll keep investigating another way around this and update the list if I find anything. In the meantime, if anyone else thinks of something, please let me know.

You can use e.g. the users file to send an accept - however, the 'impossible'
bit didn't refer to FreeRADIUS, but to the end equipment and the EAP
specification. Dumb and/or broken NAS devices can receive a basic
accept message... but anything that has even an ounce of security
will expect the full EAP transaction to occur (cert checks, challenge
response etc.), not just a 'yep, all's okay, come on in!' message.

Imagine if you went to a shop and your credit card was just accepted
without the PIN (or swipe + signature for those non-PIN places).
Would you feel comfortable? You shouldn't, and neither should your OS.

So, whilst you could do crazy things like accepting by default, the
NAS or the end device might, and should, ignore and reject
that when EAP is involved.

It'd be better to just change the VLAN settings so that guest/fail
have full access for the day.

alan
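For reference, the two users-file shapes contrasted in the reply above, written out as an added illustration rather than anything posted in the thread. The file path, VLAN numbers and attribute values are assumptions chosen for the example; the syntax is the standard FreeRADIUS 2.x users-file syntax.

```text
# /etc/raddb/users  (FreeRADIUS 2.x users-file syntax; illustrative entries, not from the thread)

# 1. "Accept by default": the server emits an Access-Accept for every request,
#    with no credentials checked.  A NAS doing plain PAP/CHAP takes this at face
#    value.  An 802.1X supplicant and a sane NAS expect the full EAP
#    conversation (server certificate, challenge/response, EAP-Success at the
#    end) and should not treat a bare Accept as a completed authentication.
#    Left commented out on purpose.
#DEFAULT Auth-Type := Accept
#        Reply-Message = "yep, all's okay, come on in!"

# 2. Let EAP run normally and steer access with VLAN assignment instead.
#    Anyone who actually authenticates lands in VLAN 10 (assumed number).
#    No Auth-Type is forced here: the eap module sets it itself when the
#    request carries an EAP-Message.
DEFAULT
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10",
        Fall-Through = No
```

The guest/fail VLAN mentioned in the reply is not set from this file: an Access-Reject carries no VLAN attributes, so the VLAN a port falls into when authentication fails or no supplicant answers is a NAS-side (switch) setting. Opening up access "for the day" therefore means changing what that guest/fail VLAN can reach on the switch or its gateway, while RADIUS keeps rejecting the unauthenticated sessions as it should.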



More information about the Freeradius-Users mailing list