eap-peap username/password problem
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Mon Jun 8 14:00:39 CEST 2009
On 8/6/09 12:49, devesh gade wrote:
> hi alan,
>
>>Windows caches the EAPOL credentials for that network after
>>a successful connection.
> Thanks for confirming,I had thought so.
>
> I would like to inform you that i am working on the server side and not
> the client side.Hence it is not feasible to change the registry entry of
> every client.
>
>> you could have a logout script that wipes the EAPOL stuff..
> is there any way to write this logout script at the server side and
> execute it at the client?
> Also,is there any other way so that the client is asked his
> username/password every time he tries to connect to the network?
> Is there any change to be made to the eap.conf file in the tls{}
> cache{} section so that this problem may be solved?
No. That section has absolutely nothing to do with credential caching. As stated it controls *session* caching which is something completely different, and should only be enabled to allow rapid
re-authentication.
Nothing you can do server side will stop the supplicant using cached credentials, other than issuing a reject every other authentication attempt (and this only works with windows, and not reliably);
or using an OTP system like the RSA SecurID tokens.
Arran
--
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
More information about the Freeradius-Users
mailing list