eap-tls with valid and fake certificates.

Alan DeKok aland at deployingradius.com
Fri Jan 17 13:29:32 CET 2020

On Jan 17, 2020, at 6:06 AM, Martin Pauly <pauly at hrz.uni-marburg.de> wrote:
>> It's not possible. If the device doesn't present a valid certificate,
>> it won't authenticate. You can't force an "Accept" with EAP methods.
> Really? Couldn't you branch the processing based on the outer ID?

  It's impossible.

  You *can* send back an Access-Accept.  That Access-Accept can contain an EAP Success packet.

  But... you *can't* send back correctly formatted MS-MPPE keys.  Those keys *must* match between the NAS / AP and the supplicant.  If they don't match, the user can't get online.  The *only* way to calculate those keys is to perform the full EAP transaction.

  Alan DeKok.

More information about the Freeradius-Users mailing list