Difan Zhao wrote:
> However if you can fool the NAS to let it believe that the device is
> authenticated, will the switch also send an EAP success message to the
> laptop to fool him as well?

No. Even if it does, the laptop will ignore it. There is no substitute for running the authentication protocol correctly.

> If the laptop is configured to use PEAP and to validate certificate,
> then you are right, there is nothing we can do.
>
> If the laptop is configured not to validate the certificate, then when
> the Server (freeradiusd) sends a challenge in the TLS tunnel and
> received a hashed reply, can it be configured to simply send a "success"
> back anyway?

That's not the way PEAP works. So no, it's impossible.

> If the laptop is configured to use MD5, then I think it's even easier to
> make this happen...?

It's still impossible.

> I apologize if I got any EAP/Radius theory totally wrong...
>
> The company I work for serves hotels. They want their staff to be put in
> right VLAN for admin management purpose while guests put in guest VLAN.
> Now my setup is pissing some guests off because they don't like to see
> "failed" on their laptops. It's kind of important... I will really
> appreciate if you can come up with a solution for it...

<shrug> That's the way networks work. And you expect me to come up with a solution (for free) that you're charging for?

Alan DeKok.