Force the client to use one specific EAP method

LUCA sfire at hotmail.it
Wed Apr 19 14:58:28 CEST 2017


First, let me thank you for the explanations so far.

Maybe I found a "solution".

The Access-Challenge packet contains an EAP Request that specifies the EAP method the supplicant should use.
So I was thinking that maybe I could edit the EAP Request with an EAP method of my choosing, using for instance scapy.
Of course the client could still NAK it and reply with another EAP method.

By the way, what could be the exact reason for a client to NAK the suggested EAP method? Shouldn't the supplicant support almost all the EAP methods suggested by the server?

Luca


________________________________
From: Freeradius-Users <freeradius-users-bounces+sfire=hotmail.it at lists.freeradius.org> on behalf of Matthew Newton <mcn4 at leicester.ac.uk>
Sent: Wednesday, April 12, 2017 6:59 PM
To: FreeRadius users mailing list
Subject: Re: Force the client to use one specific EAP method

On Wed, Apr 12, 2017 at 02:00:40PM +0000, LUCA wrote:
> >You've already done that by limiting the EAP methods on the
> >server. If the device can't connect now then it's device
> >configuration as you said.
>
> Yes, now the device can't connect because it does try to use one
> method no longer configured on the server.

Right. Configure the device.

> But there is no way, during the negotiation process, to make the
> server tell the client to use one specific EAP method?

I'm really not sure how many times we have to say that the choice
of EAP method is up to the device, not FreeRADIUS.

There is no amount of poking or prodding FreeRADIUS that will fix
this.

> Yes, definitely not manually configured devices.
> I'm trying to leave the configuration tool as last option.
> As I already said it would be impractical.
> Without mentioning the massive disservice this will bring in the first few weeks.

It sounds like you don't like the answer you're getting. Sorry. If
you invent a better way I'm sure everyone else will be quite happy
to know.

Until then, you have two options

1. configure FreeRADIUS to use the type of auth that the devices
   want to use;

2. reconfigure the devices.

Matthew


--
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
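
The negotiation discussed in this thread, as an added example that is not part of the original messages or of FreeRADIUS: a decoder for the EAP packet layout in RFC 3748 that reports which method the server proposed and which methods the supplicant requested in its Nak. The function names and the sample bytes are constructed for illustration; on a real network these bytes travel inside the RADIUS EAP-Message attribute.

```python
import struct

# EAP codes and a few method type numbers (RFC 3748 and the IANA EAP registry).
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
         21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def type_name(t):
    return TYPES.get(t, f"type-{t}")

def parse_eap(pkt: bytes) -> dict:
    """Decode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(pkt) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in CODES or length < 4 or length > len(pkt):
        raise ValueError("bad EAP code or length")
    out = {"code": CODES[code], "id": ident}
    if code in (1, 2):                  # only Request/Response carry a Type
        if length < 5:
            raise ValueError("Request/Response without Type")
        out["type"] = type_name(pkt[4])
        if code == 2 and pkt[4] == 3:   # Legacy Nak: one byte per desired method
            # A single 0 byte means the peer has no acceptable alternative.
            out["wants"] = [type_name(t) for t in pkt[5:length] if t != 0]
    return out

def summarize(packets):
    """Return (method the server offered, methods the peer asked for instead)."""
    offered, wanted = None, []
    for p in map(parse_eap, packets):
        if p["code"] == "Request" and p["type"] != "Identity":
            offered = offered or p["type"]
        elif p.get("type") == "Nak":
            wanted = p["wants"]
    return offered, wanted

# Constructed sample exchange (not captured traffic): the server proposes
# EAP-TLS and the supplicant Naks it, asking for PEAP or EAP-TTLS.
SAMPLE = [
    bytes.fromhex("01010005" "01"),             # Request/Identity
    bytes.fromhex("02010009" "01" "6c756361"),  # Response/Identity "luca"
    bytes.fromhex("01020006" "0d" "20"),        # Request/EAP-TLS, Start flag
    bytes.fromhex("02020007" "03" "1915"),      # Response/Nak listing 25, 21
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run over the EAP payloads from a failing device, the second value lists the methods that device is configured to accept, which is what the server's EAP configuration would have to offer for option 1 above.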