Force "Accept" to authentication

Phil Mayers p.mayers at imperial.ac.uk
Fri May 27 18:32:10 CEST 2011


On 27/05/11 17:05, Lubenski, Zeev [GCS] wrote:
>
> Ok - EAP TLS it is, but this in fact can't work (our internal problems) so the authentication fails
>
> What we are trying to do is to accept the very first Access Request

Sorry, I don't think that's possible. If the WiMAX client is only 
capable of EAP-TLS, you must do EAP-TLS. And EAP-TLS requires a complete 
TLS negotiation and completion.

I assume it's impossible for you to enable EAP-TLS for some reason?

>
> I am thinking just to set authentication type on the Server as a user id /password and allow any user, so we can answer with accept on very first message

If you do that, the WiMAX client will basically see this:

client: EAP-TLS: TLS client hello
server: EAP-Success <no data>

...and the client will assume something has gone wrong, because it was 
expecting a TLS packet back. This is what I mean when I say you can't 
interfere with the outer tunnel - it's *designed* that way to be secure 
and prevent interference.

HOWEVER - possibly the WiMAX client is dumb, and will do this:

client: EAP-TLS: TLS client hello
server: EAP-Success <no data>
client: Ok, that's fine

If so it's insecure, but it will solve your problem.

Try this in sites-enabled/default:

authorize {
   # Put any comparison you like here
   if (Calling-Station-Id == "the_wimax_mac?") {
     update control {
       Auth-Type := Accept
     }
   }
}

...but I doubt it will work.
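
The two client behaviours described in the reply above, as an added example that is not part of the original post or of FreeRADIUS: a minimal EAP packet parser and a client model that either rejects or accepts an EAP-Success arriving before the TLS handshake has finished. The `EapTlsPeer` class, its `strict` flag and the `tls_done` attribute are hypothetical names, and the packets are constructed sample data.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_TLS = 13  # EAP method type number for EAP-TLS


def parse_eap(data):
    """Return (code, identifier, method_type, payload) for one EAP packet."""
    if len(data) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 4 or length > len(data):
        raise ValueError("bad EAP length")
    body = data[4:length]
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if body:
            raise ValueError("Success/Failure must carry no data")
        return code, ident, None, b""
    if not body:
        raise ValueError("Request/Response without a type field")
    return code, ident, body[0], body[1:]


class EapTlsPeer:
    """Hypothetical client model; strict=False is the 'dumb' client."""

    def __init__(self, strict=True):
        self.strict = strict
        self.tls_done = False  # assumed to be set by the TLS layer on completion

    def handle(self, data):
        code, _ident, etype, _payload = parse_eap(data)
        if code == EAP_REQUEST and etype == EAP_TYPE_TLS:
            return "continue"  # payload would be handed to the TLS layer
        if code == EAP_SUCCESS:
            if self.tls_done or not self.strict:
                return "accept"
            return "reject"  # Success arrived before TLS completed
        return "reject"


# Constructed packets: EAP-TLS Start request (flags 0x20) and a bare EAP-Success.
TLS_START = struct.pack("!BBHBB", EAP_REQUEST, 1, 6, EAP_TYPE_TLS, 0x20)
BARE_SUCCESS = struct.pack("!BBH", EAP_SUCCESS, 2, 4)

if __name__ == "__main__":
    for strict in (True, False):
        peer = EapTlsPeer(strict)
        peer.handle(TLS_START)
        print("strict" if strict else "lax", "->", peer.handle(BARE_SUCCESS))
```
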


