Force "Accept" to authentication
Phil Mayers
p.mayers at imperial.ac.uk
Fri May 27 18:32:10 CEST 2011
On 27/05/11 17:05, Lubenski, Zeev [GCS] wrote:
>
> Ok - EAP TLS it is, but this in fact can't work (our internal problems) so the authentication fails
>
> What we are trying to do is to accept the very first Access Request
Sorry, I don't think that's possible. If the WiMAX client is only
capable of EAP-TLS, you must do EAP-TLS. And EAP-TLS requires a complete
TLS negotiation and completion.
I assume it's impossible for you to enable EAP-TLS for some reason?
>
> I am thinking just to set authentication type on the Server as a user id/password and allow any user, so we can answer with accept on very first message
If you do that, the WiMAX client will basically see this:

  client: EAP-TLS: TLS client hello
  server: EAP-Success <no data>

...and the client will assume something has gone wrong, because it was
expecting a TLS packet back. This is what I mean when I say you can't
interfere with the outer tunnel - it's *designed* that way to be secure
and prevent interference.

HOWEVER - possibly the WiMAX client is dumb, and will do this:

  client: EAP-TLS: TLS client hello
  server: EAP-Success <no data>
  client: Ok, that's fine

If so it's insecure, but it will solve your problem.

Try this in sites-enabled/default:

  authorize {
      # Put any comparison you like here
      if (Calling-Station-Id == "the_wimax_mac?") {
          update control {
              Auth-Type := Accept
          }
      }
  }

...but I doubt it will work.
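
The exchange described in the message above, seen from the audit side, as an added example that is not part of the original post: it parses EAP packets and flags a conversation in which EAP-Success arrives after the peer sent EAP-TLS data but before the server returned any. The function names, result labels and sample packets are assumptions constructed for illustration.

```python
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # EAP codes (RFC 3748)
EAP_TLS = 13                                       # EAP-TLS method type (RFC 5216)

def build_eap(code, ident, mtype=None, data=b""):
    """Build one EAP packet; Success/Failure have no Type or data."""
    body = b"" if mtype is None else bytes([mtype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    """Return (code, identifier, method_type, type_data) for one EAP packet."""
    if len(pkt) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length field")
    body = pkt[4:length]
    if code in (REQUEST, RESPONSE):
        if not body:
            raise ValueError("Request/Response without a Type byte")
        return code, ident, body[0], body[1:]
    return code, ident, None, b""

def audit_exchange(packets):
    """Classify one peer's EAP conversation, packets given in wire order."""
    peer_sent_tls = server_sent_tls = False
    for raw in packets:
        code, _ident, mtype, data = parse_eap(raw)
        # In EAP-TLS, type data is a flags byte followed by optional TLS records.
        carries_tls = mtype == EAP_TLS and len(data) > 1
        if code == RESPONSE and carries_tls:
            peer_sent_tls = True
        elif code == REQUEST and carries_tls:
            server_sent_tls = True
        elif code == SUCCESS:
            if peer_sent_tls and not server_sent_tls:
                return "premature-success"      # the forced-Accept case
            return "success-after-server-tls"   # server took part; not proof of completion
        elif code == FAILURE:
            return "failure"
    return "incomplete"

# Constructed sample: placeholder bytes stand in for real TLS records.
START = build_eap(REQUEST, 2, EAP_TLS, b"\x20")    # flags byte only, S bit set
CLIENT_HELLO = build_eap(RESPONSE, 2, EAP_TLS, b"\x00\x16\x03\x01" + b"\x00" * 8)
SERVER_HELLO = build_eap(REQUEST, 3, EAP_TLS, b"\x00\x16\x03\x01" + b"\x00" * 8)
FORCED = [START, CLIENT_HELLO, build_eap(SUCCESS, 2)]
NORMAL = [START, CLIENT_HELLO, SERVER_HELLO, build_eap(SUCCESS, 4)]
```

A "premature-success" result on a network that requires EAP-TLS means either the server was configured to force an Accept or the client accepted a Success it had no TLS basis for.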