Danny Paul wrote:
> I'm not sure you grasped what I was after

Yes, I understood. This kind of request has come up before on this list.

For *wireless*, it's impossible, because the supplicant && NAS use encryption keys derived from the EAP-TLS exchange. No exchange means no keys. For wired... maybe it works. But it's an accident, and may change from switch revision to revision.

> Yes, the switch would be "wide open" for the day - but that's better than
> completely shut down in management's opinion.

Or, you could put procedures in place to warn you about expiring certificates.

> Oh yes, most gear does, and we're implementing that as well - however, the
> "guest vlan" or "auth-fail vlan" will have limited access to network
> resources so that doesn't help us out of this bind.

"guest vlan" is just a name. If your network is so bad that all of the certificates have expired, making the "guest vlan" the same as the "normal vlan" isn't a problem.

> But hey, if it's impossible then it's impossible. This being open source
> software I can change that myself, I suppose.

Er... no. For wireless authentication, it's impossible because it's... impossible. See cryptographic research for the current meaning of "impossible" as it pertains to the encryption protocols used here.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
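The "procedures to warn you about expiring certificates" mentioned in the reply above, written out as an added example; this is not code from the thread or from FreeRADIUS. It is a standard-library-only Python check that walks the DER structure of an X.509 certificate down to the validity field, reports how many days remain before notAfter, and flags anything inside a warning window. The certificate it runs against is constructed inline (structure only, with a dummy signature and key), and the 30-day warning threshold and the inventory shape `{name: der_bytes}` are assumptions. On real supplicant or NAS certificates, `pem_to_der` on the file contents gives the same result that `openssl x509 -checkend` would report.

```python
import base64
import datetime as dt

# --- minimal DER helpers: enough to reach the X.509 validity field ---

def der_encode(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + body

def der_read(buf: bytes, pos: int = 0):
    """Read one TLV at pos (single-byte tags only); return (tag, body, next_pos)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:                                  # long form: 0x8N then N length bytes
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(body: bytes):
    """Split the body of a SEQUENCE/SET into its (tag, body) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, child, pos = der_read(body, pos)
        out.append((tag, child))
    return out

def parse_time(tag: int, body: bytes) -> dt.datetime:
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as RFC 5280 requires (UTC, 'Z')."""
    s = body.decode("ascii")
    if tag == 0x17:                        # YYMMDDHHMMSSZ; 50..99 -> 19xx, 00..49 -> 20xx
        yy = int(s[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), s[2:]
    elif tag == 0x18:                      # YYYYMMDDHHMMSSZ
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("not an X.509 Time value")
    return dt.datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                       int(rest[6:8]), int(rest[8:10]), tzinfo=dt.timezone.utc)

def utc(*parts) -> dt.datetime:
    """Convenience constructor for an aware UTC datetime."""
    return dt.datetime(*parts, tzinfo=dt.timezone.utc)

# --- the expiry check itself ---

def cert_not_after(cert_der: bytes) -> dt.datetime:
    """Walk Certificate -> tbsCertificate -> validity and return notAfter."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs_body = der_children(cert_body)[0]
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:               # optional EXPLICIT [0] version comes first
        fields = fields[1:]
    validity = der_children(fields[3][1])  # serialNumber, signature, issuer, validity
    return parse_time(*validity[1])

def days_until_expiry(cert_der: bytes, now: dt.datetime) -> int:
    """Whole days until notAfter; negative once the certificate has expired."""
    delta = cert_not_after(cert_der) - now
    return -((-delta).days) if delta < dt.timedelta(0) else delta.days

def expiry_warning(cert_der: bytes, now: dt.datetime, warn_days: int = 30):
    """Message for an expired or soon-expiring certificate, None if it is fine."""
    days = days_until_expiry(cert_der, now)
    if days < 0:
        return f"EXPIRED {-days} day(s) ago"
    if days <= warn_days:
        return f"WARNING: expires in {days} day(s)"
    return None

def check_inventory(inventory: dict, now: dt.datetime, warn_days: int = 30) -> dict:
    """Run expiry_warning over {name: der_bytes}; keep only entries needing attention."""
    return {name: msg for name, der in inventory.items()
            if (msg := expiry_warning(der, now, warn_days))}

def pem_to_der(pem_text: str) -> bytes:
    """Strip PEM armour so a certificate file can be fed to the checks above."""
    lines = [l for l in pem_text.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# --- constructed test certificate (structure only; key and signature are dummies) ---

def build_test_cert(not_before: str, not_after: str, generalized: bool = False) -> bytes:
    time_tag = 0x18 if generalized else 0x17
    name = der_encode(0x30, der_encode(0x31, der_encode(0x30,
        der_encode(0x06, b"\x55\x04\x03") + der_encode(0x0C, b"Test CA"))))   # CN=Test CA
    rsa_sha256 = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")) + der_encode(0x05, b""))
    rsa = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010101")) + der_encode(0x05, b""))
    tbs = der_encode(0x30,
        der_encode(0xA0, der_encode(0x02, b"\x02"))                            # version v3
        + der_encode(0x02, b"\x01")                                             # serialNumber
        + rsa_sha256                                                            # signature
        + name                                                                  # issuer
        + der_encode(0x30, der_encode(time_tag, not_before.encode())
                           + der_encode(time_tag, not_after.encode()))          # validity
        + name                                                                  # subject
        + der_encode(0x30, rsa + der_encode(0x03, b"\x00\x00")))                # subjectPublicKeyInfo
    return der_encode(0x30, tbs + rsa_sha256 + der_encode(0x03, b"\x00\x00"))

if __name__ == "__main__":
    c = build_test_cert("240101000000Z", "250101000000Z")
    print(check_inventory({"nas-cert": c}, utc(2024, 12, 15)))
```

Feeding every supplicant and NAS certificate through `check_inventory` from a daily job, and paging on any non-empty result, is the kind of procedure that keeps the situation in the thread (every certificate expired on the same day) from arising in the first place.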

