> That would be supplicant-dependent, right? For example the Intel
> supplicant which I tried some time ago had a very solid opinion about
> what was going on and I couldn't use the net "just like that". OTOH,
> there is this peculiarity in the IEEE 802.1X standard itself that
> basically says the supplicant tries three times to authenticate with
> EAP-Identity, and after that shall "assume that the port is open". Maybe
> that's what happens.

Well that is true, I guess I'm only familiar with Windows supplicants.

> 
> Anyway, it is a *very* bad idea to rely on such behaviour. I suggest a
> bucket of cold water into the face of the guy's management. An
> authentication server is used to authenticate users, not to
> non-authenticate users.

Once again, we're not relying on it - this is an emergency procedure, to be 
used in emergencies only. We're talking about availability as a component of 
security here. There is nothing wrong with a documented, tested plan for an 
emergency situation.


> 
> Greetings,
> 
> Stefan Winter


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
