EAP bypass

Alan DeKok aland at deployingradius.com
Sun Oct 19 20:10:36 CEST 2008


Danny Paul wrote:
> I'm not sure you grasped what I was after 

  Yes, I understood.  This kind of request has come up before on this list.

  For *wireless*, it's impossible, because the supplicant && NAS use
encryption keys derived from the EAP-TLS exchange.  No exchange means no
keys.

  For wired... maybe it works.  But it's an accident, and may change
from switch revision to revision.

> Yes, the switch would be "wide open" for the day - but that's better than completely shut down in management's opinion.

  Or, you could put procedures in place to warn you about expiring
certificates.

> Oh yes, most gear does, and we're implementing that as well - however, the "guest vlan" or "auth-fail vlan" will have limited access to network resources so that doesn't help us out of this bind.

  "guest vlan" is just a name.  If your network is so bad that all of
the certificates have expired, making the "guest vlan" the same as the
"normal vlan" isn't a problem.

> But hey, if it's impossible then it's impossible. This being open source software I can change that myself, I suppose.

  Er... no.

  For wireless authentication, it's impossible because it's...
impossible.  See cryptographic research for the current meaning of
"impossible" as it pertains to the encryption protocols used here.

  Alan DeKok.
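To illustrate the point above that no EAP-TLS exchange means no keys, here is an added example (not code from this thread or from FreeRADIUS): it derives the EAP-TLS MSK and EMSK from a TLS 1.2 master secret and the two handshake randoms exactly as RFC 5216 section 2.3 specifies, using the TLS 1.2 PRF from RFC 5246; the master secret and randoms are constructed placeholders standing in for values only a real handshake produces.

```python
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_SHA256 expansion (RFC 5246, section 5).

    A(0) = seed, A(i) = HMAC(secret, A(i-1)); output is the concatenation
    of HMAC(secret, A(i) + seed) until `length` bytes are available.
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed) for TLS 1.2."""
    return p_sha256(secret, label + seed, length)


def eap_tls_keys(master_secret: bytes, client_random: bytes, server_random: bytes):
    """Return (MSK, EMSK) per RFC 5216 section 2.3.

    Key_Material = PRF(master_secret, "client EAP encryption",
                       client.random + server.random), 128 bytes.
    MSK is the first 64 bytes, EMSK the last 64.  The 802.11i PMK that the
    supplicant and access point later use is the first 32 bytes of the MSK,
    so without the handshake that produced these inputs there is nothing
    to derive from.
    """
    if not master_secret:
        raise ValueError("master secret only exists after a completed TLS handshake")
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("TLS randoms are 32 bytes each")
    key_material = tls12_prf(master_secret, b"client EAP encryption",
                             client_random + server_random, 128)
    return key_material[:64], key_material[64:]


# Constructed stand-ins; real values come only from the EAP-TLS exchange.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32

if __name__ == "__main__":
    msk, emsk = eap_tls_keys(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    print("PMK =", msk[:32].hex())
```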
