EAP bypass

Stefan Winter stefan.winter at restena.lu
Tue Oct 21 07:48:01 CEST 2008


Hi,

>> That would be supplicant-dependent, right? For example the Intel
>> supplicant which I tried some time ago had a very solid opinion abou
> Well that is true, I guess I'm only familiar with Windows supplicants.
>   

The Intel supplciant *is* for Windows. It comes coupled with Centrino
chipsets and is a lot more usable than the *built-in* supplicant that
comes with the OS. I say this just to make you aware that you may be
badly advised if you do your non-conformance tests only against the
XP/Vista built-in supplicant. Unless your corporate environment is
locked down so that it prevents this supplicant from being installed,
you should be very careful about the assumptions you have about your
end-users equipment. Do you have any other devices that need network
access? How about PDAs? SymbianOS, maybe even some freaky Linux users?

>> Anyway, it is a *very* bad idea to rely on such behaviour. I suggest a
>> bucket of cold water into the face of the guy's management. An
>> authentication server is used to authenticate users, not to
>> non-authenticate users.
>>     
>
> Once again, we're not relying on it - this is an emergency procedure, to be used in emergencies only. We're talking about availability as a component of security here. There is nothing wrong with a documented, tested plan for an emergency situation.
>   

As you wish.

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473




More information about the Freeradius-Users mailing list