Question: How do I forcibly accept all rest requests??

Alan DeKok aland at deployingradius.com
Wed Mar 31 01:47:02 CEST 2010


Difan Zhao wrote:
> However if you can fool the NAS to let it believe that the device is
> authenticated, will the switch also send an EAP success message to the
> laptop to fool him as well?

  No.  Even if it does, the laptop will ignore it.  There is no
substitute for running the authentication protocol correctly.

> If the laptop is configured to use PEAP and to validate the certificate,
> then you are right, there is nothing we can do.
> 
> If the laptop is configured not to validate the certificate, then when
> the Server (freeradiusd) sends a challenge in the TLS tunnel and
> receives a hashed reply, can it be configured to simply send a "success"
> back anyway?

  That's not the way PEAP works.  So no, it's impossible.

> If the laptop is configured to use MD5, then I think it's even easier to
> make this happen...?

  It's still impossible.

> I apologize if I got any EAP/Radius theory totally wrong...
> 
> The company I work for serves hotels. They want their staff to be put in
> the right VLAN for admin management purposes while guests are put in the
> guest VLAN. Now my setup is pissing some guests off because they don't like
> to see "failed" on their laptops. It's kind of important... I will really
> appreciate it if you can come up with a solution for it...

  <shrug>  That's the way networks work.

  And you expect me to come up with a solution (for free) that you're
charging for?

  Alan DeKok.




More information about the Freeradius-Users mailing list