eap-tls with valid and fake certificates.
Alan DeKok
aland at deployingradius.com
Fri Jan 17 13:29:32 CET 2020
On Jan 17, 2020, at 6:06 AM, Martin Pauly <pauly at hrz.uni-marburg.de> wrote:
>
>> It's not possible. If the device doesn't present a valid certificate,
>> it won't authenticate. You can't force an "Accept" with EAP methods.
>
> Really? Couldn't you branch the processing based on the outer ID?
It's impossible.
You *can* send back an Access-Accept. That Access-Accept can contain an EAP Success packet.
But... you *can't* send back correctly formatted MS-MPPE keys. Those keys *must* match between the NAS / AP and the supplicant. If they don't match, the user can't get online. The *only* way to calculate those keys is to perform the full EAP transaction.
Alan DeKok.
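The key-matching argument above, worked through as an added example that is not part of the list post or the FreeRADIUS code base. It models both sides of an EAP-TLS session: the supplicant and the server each derive the MSK from the TLS master secret and randoms (RFC 5216 section 2.3, assuming a TLS 1.2 SHA-256 cipher suite so that the PRF is P_SHA256), the server hides MS-MPPE-Recv-Key in the Access-Accept with the RFC 2548 MD5 keystream, and the NAS/AP unwraps it with the shared secret and Request Authenticator. A second run models the "branch on the outer ID and just send Accept" idea: a server that never finished the TLS handshake has no master secret, so whatever it puts in MS-MPPE-Recv-Key cannot equal the supplicant's PMK. All function names, the shared secret, randoms and master secret are constructed test values, not from any real session.

```python
import hashlib
import hmac
import os


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 s.5) with P_SHA256, the PRF of SHA-256 suites."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def eap_tls_keys(master_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    """RFC 5216 s.2.3 key hierarchy; only a party holding the TLS master secret can run it."""
    key_material = tls12_prf(master_secret, b"client EAP encryption",
                             client_random + server_random, 128)
    msk = key_material[:64]
    return {
        "msk": msk,
        "emsk": key_material[64:128],
        "ms_mppe_recv_key": msk[:32],    # Enc-RECV-Key, peer -> authenticator
        "ms_mppe_send_key": msk[32:64],  # Enc-SEND-Key, authenticator -> peer
        "pmk": msk[:32],                 # IEEE 802.11 PMK = first 256 bits of the MSK
    }


def mppe_encrypt(secret: bytes, request_authenticator: bytes, key: bytes, salt: bytes) -> bytes:
    """RFC 2548 s.2.4.2 key hiding: Salt || (Key-Length || Key || zero pad) XOR MD5 keystream."""
    assert len(salt) == 2 and salt[0] & 0x80, "salt is 2 octets with the high bit set"
    plaintext = bytes([len(key)]) + key
    plaintext += b"\x00" * (-len(plaintext) % 16)
    out, prev = b"", b""
    for i in range(0, len(plaintext), 16):
        if i == 0:
            b = hashlib.md5(secret + request_authenticator + salt).digest()
        else:
            b = hashlib.md5(secret + prev).digest()  # chained on previous ciphertext block
        prev = bytes(x ^ y for x, y in zip(plaintext[i:i + 16], b))
        out += prev
    return salt + out


def mppe_decrypt(secret: bytes, request_authenticator: bytes, attr: bytes) -> bytes:
    """Inverse of mppe_encrypt, as the NAS/AP performs it on the Access-Accept."""
    salt, ciphertext = attr[:2], attr[2:]
    plaintext, prev = b"", b""
    for i in range(0, len(ciphertext), 16):
        if i == 0:
            b = hashlib.md5(secret + request_authenticator + salt).digest()
        else:
            b = hashlib.md5(secret + prev).digest()
        prev = ciphertext[i:i + 16]
        plaintext += bytes(x ^ y for x, y in zip(prev, b))
    return plaintext[1:1 + plaintext[0]]


def simulate(fake_accept: bool) -> dict:
    """Supplicant, RADIUS server and NAS/AP over constructed TLS values.

    fake_accept=True models a server that sends Access-Accept + EAP-Success
    without completing the TLS handshake: it holds no master secret, so it
    can only fill MS-MPPE-Recv-Key with bytes unrelated to the supplicant's PMK."""
    master_secret = bytes(range(48))          # constructed, not a real TLS secret
    client_random, server_random = b"\x11" * 32, b"\x22" * 32
    radius_secret = b"testing123"             # constructed NAS <-> server shared secret
    request_authenticator = bytes(range(16))  # from the Access-Request being answered

    supplicant = eap_tls_keys(master_secret, client_random, server_random)
    if fake_accept:
        server_recv_key = os.urandom(32)      # no TLS session, nothing to derive from
    else:
        server_recv_key = eap_tls_keys(master_secret, client_random, server_random)["ms_mppe_recv_key"]

    attr = mppe_encrypt(radius_secret, request_authenticator, server_recv_key, b"\x80\x01")
    nas_pmk = mppe_decrypt(radius_secret, request_authenticator, attr)
    return {
        "mppe_attr_len": len(attr),
        "nas_pmk": nas_pmk,
        "supplicant_pmk": supplicant["pmk"],
        "four_way_handshake_possible": nas_pmk == supplicant["pmk"],
    }


if __name__ == "__main__":
    for fake in (False, True):
        r = simulate(fake)
        print(f"fake_accept={fake}: AP and supplicant PMKs match -> {r['four_way_handshake_possible']}")
```

The AP side only ever sees what the RADIUS server puts in MS-MPPE-Recv-Key, so a well-formed Accept with a made-up key passes RADIUS validation and still fails at the 802.11 4-way handshake because the supplicant's PMK was computed from the TLS session. The PRF choice is a simplification: RFC 5216 predates TLS 1.2 and TLS 1.3 (RFC 9190) derives the MSK through the TLS exporter instead, but the conclusion is the same since either derivation needs the handshake secrets.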