Password Policy - Expired Password - mschap

Garber, Neal Neal.Garber at energyeast.com
Thu Aug 12 21:50:50 CEST 2010


> Understanding the security risks... is there an example of 
> setting Post-Auth-Type REJECT {...}  to override the reject 
> force the response to Auth-Accept?  

If you want to change all REJECTs to ACCEPT so that authentication always succeeds, then you are effectively eliminating the requirement for 802.1x authentication for network connectivity.  If it's not required, why not just turn off port security on your switches?  If it is required, why would you want to do the above?

It seems that what you really want is the ability to change the expired password via MSCHAP, which isn't currently supported in FreeRADIUS (as I said in a previous post).  If you are going to write a patch, develop one to provide this functionality.



