EAP bypass

Stefan Winter stefan.winter at restena.lu
Tue Oct 21 07:50:53 CEST 2008


Hi,

> Cisco 2950 switch has an "auth fail" vlan option. If port authentication fails, the port is marked authorized and put in the configured auth-fail vlan as opposed to the default vlan or remaining in an unauthorized state. For Windows XP SP2, if authentication fails, the user is notified - however, network communications across that vlan works fine.

So, what does "port authentication fails" mean? An Access-Reject? Well, what
you were trying to do was send an Access-Accept no matter what, which is
for an authenticator a reason to count it as a success, and it will
subsequently not put a user in an auth-fail VLAN.

> Additionally, consider this: a packet capture reveals that, even after authentication has failed, Windows XP SP2 will send out DHCP requests.  Evidently the supplicant is somehow decoupled from the other processes involved in bringing up a network interface.

SP3? Vista? Nokia N95? iPhone 3G? Make a list of stuff to test...

Stefan

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
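Stefan's point about Access-Accept versus Access-Reject, as an added Python model that is not part of the thread: it parses a RADIUS reply, checks the Response Authenticator, and shows which VLAN an authenticator with an optional auth-fail VLAN ends up assigning. Packet and attribute layout follow RFC 2865 and RFC 2868; the switch behaviour, the test values and all function names are this example's own assumptions.

```python
import hashlib
import struct

# RADIUS codes (RFC 2865) and the VLAN attribute (RFC 2868) an 802.1X authenticator acts on.
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_PRIVATE_GROUP_ID = 81
REQUEST_AUTHENTICATOR = bytes(range(16))   # constructed test value
SHARED_SECRET = b"constructed-shared-secret"  # constructed, not a real secret

def parse_radius(packet):
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("Malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def response_authenticator_valid(packet, request_authenticator, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    digest = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return digest == packet[4:20]

def port_decision(packet, request_authenticator, secret, auth_fail_vlan=None):
    """Model the switch: only a genuine Access-Reject reaches the auth-fail VLAN; an
    Access-Accept is a success and takes its VLAN from Tunnel-Private-Group-Id."""
    if not response_authenticator_valid(packet, request_authenticator, secret):
        return "unauthorized", None  # bad authenticator: reply is silently discarded
    code, attrs = parse_radius(packet)
    if code == ACCESS_ACCEPT:
        vlan = "default"
        for atype, value in attrs:
            if atype == TUNNEL_PRIVATE_GROUP_ID and value:
                # RFC 2868: a first byte of 0x00..0x1F is a tag, not part of the VLAN name
                vlan = (value[1:] if value[0] <= 0x1F else value).decode()
        return "authorized", vlan
    if code == ACCESS_REJECT:
        return ("authorized", auth_fail_vlan) if auth_fail_vlan else ("unauthorized", None)
    return "pending", None  # Access-Challenge: the EAP exchange continues

def build_reply(code, ident, attrs, request_authenticator, secret):
    """Construct a correctly authenticated reply so the model can run offline."""
    body = b"".join(bytes((atype, len(value) + 2)) + value for atype, value in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + auth + body
```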



