EAP bypass
Danny Paul
JDPAUL at GoColumbiaMO.com
Mon Oct 20 17:28:34 CEST 2008
> That would be supplicant-dependent, right? For example the Intel
> supplicant which I tried some time ago had a very solid opinion about
> what was going on and I couldn't use the net "just like that". OTOH,
> there is this peculiarity in the IEEE 802.1X standard itself that
> basically says the supplicant tries three times to authenticate with
> EAP-Identity, and after that shall "assume that the port is open". Maybe
> that's what happens.
Well, that is true; I guess I'm only familiar with Windows supplicants.
>
> Anyway, it is a *very* bad idea to rely on such behaviour. I suggest a
> bucket of cold water into the face of the guy's management. An
> authentication server is used to authenticate users, not to
> non-authenticate users.
Once again, we're not relying on it - this is an emergency procedure, to be used in emergencies only. We're talking about availability as a component of security here. There is nothing wrong with a documented, tested plan for an emergency situation.
>
> Greetings,
>
> Stefan Winter