EAP bypass

Phil Mayers p.mayers at imperial.ac.uk
Mon Oct 20 10:47:07 CEST 2008


On Sun, Oct 19, 2008 at 12:49:30PM -0500, Danny Paul wrote:
>>   This is impossible.  It is *designed* to be impossible.  If it was
>> possible, malicious networks could tell users that "authentication
>> succeeded", and then attack the users.
>
>I'm not sure you grasped what I was after - imagine an 802.1x wired
>switch, supplicants and RADIUS server configured for EAP-TLS. This 
>works fine until the clumsy network administrator forgets to renew the 
>certificates for each of his supplicants and they all expire on the 
>same day. On that particular day, instead of spending hours getting new 

Set the clock on your server backwards.


