Conditional EAP Type Acceptance

Alan DeKok aland at deployingradius.com
Tue Nov 26 23:46:52 CET 2019


On Nov 26, 2019, at 1:58 PM, Mike DiBella <mike at dibella.net> wrote:
> 
> The vulnerability I'm trying to control is the gap where unmanaged devices are converted to managed devices between guest account password rotations.
> 
> The supplicants on these devices have already made the guest account credentials part of the saved preferred network information.  MDM cannot erase that, only the user can "forget" the network on the device itself.   When these devices enroll in MDM, they will receive the certificate for EAP-TLS, but the device can continue to use the saved guest credentials until the password is rotated, subverting the compliance check.
> 
> Rejecting PEAP authentication when the device is found in the managed device directory will encourage users of these devices to "forget" the network and use the certificate instead.

  Then you can add something in the "post-auth" section:

	if (users mac address was found && EAP-Type == PEAP) {
		reject
	}

  Alan DeKok.
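The post-auth policy suggested above, worked through as an added Python example (not code from the thread or from FreeRADIUS; FreeRADIUS itself would express this in unlang, as in the pseudocode). The managed-device MAC list and the request dictionaries are constructed sample data; the `EAP-Type` values `PEAP` and `TLS` follow the names in the FreeRADIUS dictionary. The point the pseudocode leaves implicit is that `Calling-Station-Id` arrives in several vendor formats, so "was found" only works if the MAC is canonicalised before the lookup, and a missing or malformed MAC must be treated as "not found" rather than as a match.

```python
import re
from typing import Optional, Tuple

# Constructed sample directory of managed-device MACs (in practice an export
# from MDM), stored in one canonical form so the lookup is format independent.
MANAGED_DEVICES = {
    "aa:bb:cc:dd:ee:01",
    "aa:bb:cc:dd:ee:02",
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(calling_station_id: Optional[str]) -> Optional[str]:
    """Canonicalise a RADIUS Calling-Station-Id to aa:bb:cc:dd:ee:ff.

    NAS vendors send MACs as AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff,
    aa:bb:cc:dd:ee:ff or AABBCCDDEEFF.  Only the usual separators are
    stripped; anything that is not exactly 12 hex digits afterwards is
    rejected so that garbage can never collide with a real directory entry.
    """
    if not calling_station_id:
        return None
    digits = re.sub(r"[-:.]", "", calling_station_id.strip()).lower()
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def post_auth_decision(request: dict, managed=MANAGED_DEVICES) -> Tuple[str, str]:
    """Post-auth policy: reject PEAP from devices found in the managed directory.

    `request` is a constructed stand-in for the RADIUS request attributes.
    Returns ("accept" | "reject", reason).  The credentials have already been
    validated at this point; this check only decides whether a managed device
    is still using the saved guest credentials instead of its EAP-TLS cert.
    """
    mac = normalize_mac(request.get("Calling-Station-Id"))
    eap_type = request.get("EAP-Type")

    if mac is None:
        # Unknown device identity: we cannot positively say it is managed,
        # so the policy does not fire (fail open on this check only).
        return "accept", "no usable Calling-Station-Id; device not matched"

    if mac in managed and eap_type == "PEAP":
        return "reject", f"managed device {mac} authenticated with PEAP instead of EAP-TLS"

    if mac in managed:
        return "accept", f"managed device {mac} used {eap_type}"
    return "accept", f"device {mac} not in managed directory"


if __name__ == "__main__":
    samples = [
        {"Calling-Station-Id": "AA-BB-CC-DD-EE-01", "EAP-Type": "PEAP"},  # managed, PEAP
        {"Calling-Station-Id": "aabb.ccdd.ee01", "EAP-Type": "TLS"},      # managed, EAP-TLS
        {"Calling-Station-Id": "aa:bb:cc:dd:ee:99", "EAP-Type": "PEAP"},  # guest device
        {"EAP-Type": "PEAP"},                                              # no MAC at all
    ]
    for req in samples:
        print(post_auth_decision(req))
```

Keying the directory on the canonical form matters more than it looks: a managed device whose NAS reports `AABB.CCDD.EE01` would silently escape a lookup table populated with `aa:bb:cc:dd:ee:01`, and the compliance gap the thread describes would stay open for exactly those devices.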




More information about the Freeradius-Users mailing list