I'm getting ready to implement EAP-TLS for 802.1X port authentication.
Everything works great in my testing environment and I'm very happy with it.
However, before we roll it out into production, I must write a set of recovery
procedures. In these procedures I need to include a section on the (admittedly
very rare) chance that authentications start failing across the board for some
reason - for example, if we accidentally let a bunch of the user certificates
expire, all of those machines will fail port authentication until the
certificates are replaced. My management would like a way to force
authorization to succeed even if EAP has actually failed.
My thought is to use a module that really does nothing but authenticate and
authorize everything it sees. I've investigated the rlm_always, rlm_exec and
rlm_perl modules but I can't seem to figure out how to do anything but report
"handled" or "ok." This does not seem to result in an Access-Accept message
being sent.
Any suggestions?
I'm using the latest FreeRADIUS 2 - the config files are unchanged except for
the eap.conf (to specify the Root cert and server cert) and I am using a sparse
sites-enabled file:
client x.x.x.x {
	secret = secret
	server = EAP_Server
}

server EAP_Server {
	authorize {
		eap
	}
	authenticate {
		eap
	}
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html