EAP bypass
Phil Mayers
p.mayers at imperial.ac.uk
Mon Oct 20 10:46:24 CEST 2008
On Sat, Oct 18, 2008 at 04:07:27PM +0100, Arran Cudbard-Bell wrote:
>Alan DeKok wrote:
>> Danny Paul wrote:
>>
>>> My management would like a way to force authorization to
>>> succeed even if EAP has actually failed.
>>>
>>
>> This is impossible. It is *designed* to be impossible. If it was
>> possible, malicious networks could tell users that "authentication
>> succeeded", and then attack the users.
>>
>> You need to look at your NAS documentation for something like
>> "fallback VLAN" support. Some NASes have the ability to put users into
>> special VLANs in some circumstances.
>>
>If this is a wired port then just force an Access-Accept, yes it breaks
>the RFC but if your NAS doesn't inspect the contents of the EAP-Message
>then it'll work.
Are you sure? Won't the supplicant barf because mutual authentication
doesn't succeed?