> For wired... maybe it works. But it's an accident, and may change
> from switch revision to revision.

Just re-read RFC 3579; it should always work (I was surprised too).

RFC 3579:

2.6.3. Conflicting Messages

   The NAS MUST make its access control decision based solely on the
   RADIUS Packet Type (Access-Accept/Access-Reject). The access control
   decision MUST NOT be based on the contents of the EAP packet
   encapsulated in one or more EAP-Message attributes, if present.

   ...

   If the NAS receives an Access-Accept with an encapsulated EAP Failure,
   it will grant access to the peer. However, on receiving an EAP
   Failure, the peer will be lead to believe that it failed
   authentication. If no EAP-Message attribute is included within an
   Access-Accept or Access-Reject, then the peer may not be informed as
   to the outcome of the authentication, while the NAS will take action
   to allow or deny access.

The current default behaviour for Windows and Mac OSX is not to block
traffic on the interface even if authentication fails.

>> Yes, the switch would be "wide open" for the day - but that's better than
>> completely shut down in management's opinion.
>
> Or, you could put procedures in place to warn you about expiring
> certificates.
>
>> Oh yes, most gear does, and we're implementing that as well - however, the
>> "guest vlan" or "auth-fail vlan" will have limited access to network
>> resources so that doesn't help us out of this bind.
>
> "guest vlan" is just a name. If your network is so bad that all of
> the certificates have expired, making the "guest vlan" the same as the
> "normal vlan" isn't a problem.
>
>> But hey, if it's impossible then it's impossible. This being open source
>> software I can change that myself, I suppose.
>
> Er... no.
>
> For wireless authentication, it's impossible because it's...
> impossible. See cryptographic research for the current meaning of
> "impossible" as it pertains to the encryption protocols used here.

Yeah, the dynamic keying won't work...

This will only ever work on wired connections.

Regards,
Arran

--
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
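An added illustration of the RFC 3579 2.6.3 rule discussed in this thread (my own example, not FreeRADIUS code or anything from the list): a minimal RADIUS parser whose access decision depends only on the RADIUS Code, while an Access-Accept that carries an EAP-Failure is merely flagged as the "conflicting messages" case. Code values and attribute numbers are the standard ones (RFC 2865 Codes 2/3, attribute 79, RFC 3748 EAP Codes 3/4); the packets are constructed test data with a zeroed Authenticator, so no Message-Authenticator check is shown.

```python
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3   # RADIUS Codes (RFC 2865)
ATTR_EAP_MESSAGE = 79                 # EAP-Message attribute (RFC 3579)
EAP_SUCCESS, EAP_FAILURE = 3, 4       # EAP Codes (RFC 3748)

def parse_radius(packet: bytes):
    """Return (code, identifier, [(attr_type, value), ...]) from a RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20                # 20 = header + 16-byte Authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def eap_code(attrs):
    """Concatenate EAP-Message fragments and return the EAP Code byte, or None."""
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    return eap[0] if eap else None

def nas_decision(packet: bytes):
    """Return (allow, conflict). allow follows the RADIUS Code alone (RFC 3579 2.6.3);
    conflict is True when the encapsulated EAP result contradicts that Code."""
    code, _, attrs = parse_radius(packet)
    if code == ACCESS_ACCEPT:
        allow = True
    elif code == ACCESS_REJECT:
        allow = False
    else:
        raise ValueError(f"not an Access-Accept/Access-Reject: code {code}")
    ecode = eap_code(attrs)
    conflict = (allow and ecode == EAP_FAILURE) or (not allow and ecode == EAP_SUCCESS)
    return allow, conflict

def build_radius(code, ident, attrs):
    """Build a RADIUS packet for testing (constructed data, Authenticator zeroed)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def eap_message(code, eap_id):
    """4-byte EAP Success/Failure packet: Code, Identifier, Length."""
    return struct.pack("!BBH", code, eap_id, 4)

# Constructed example of the conflicting case from the RFC excerpt:
# Access-Accept carrying an EAP-Failure. The NAS still grants access.
CONFLICTING = build_radius(ACCESS_ACCEPT, 7, [(ATTR_EAP_MESSAGE, eap_message(EAP_FAILURE, 7))])
```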