Phil,

Thanks a lot, will give it a try.

Regards,
Zeev

-----Original Message-----
From: freeradius-users-bounces+zlubensk=lgsinnovations....@lists.freeradius.org [mailto:freeradius-users-bounces+zlubensk=lgsinnovations....@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Friday, May 27, 2011 11:32 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Force "Accept" to authentication

On 27/05/11 17:05, Lubenski, Zeev [GCS] wrote:
>
> Ok - EAP TLS it is, but this in fact can't work (our internal problems) so
> the authentication fails
>
> What we are trying to do is to accept the very first Access Request

Sorry, I don't think that's possible. If the WiMAX client is only capable of EAP-TLS, you must do EAP-TLS. And EAP-TLS requires a complete TLS negotiation and completion.

I assume it's impossible for you to enable EAP-TLS for some reason?

>
> I am thinking just to set authentication type on the Server as a user id
> /password and allow any user, so we can answer with accept on very first
> message

If you do that, the WiMAX client will basically see this:

  client: EAP-TLS: TLS client hello
  server: EAP-Success <no data>

...and the client will assume something has gone wrong, because it was expecting a TLS packet back. This is what I mean when I say you can't interfere with the outer tunnel - it's *designed* that way to be secure and prevent interference.

HOWEVER - possibly the WiMAX client is dumb, and will do this:

  client: EAP-TLS: TLS client hello
  server: EAP-Success <no data>
  client: Ok, that's fine

If so it's insecure, but it will solve your problem. Try this in sites-enabled/default:

  authorize {
      # Put any comparison you like here
      if (Calling-Station-Id == "the_wimax_mac?") {
          update control {
              Auth-Type := Accept
          }
      }
  }

...but I doubt it will work.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
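Added example, not part of the original thread and not FreeRADIUS code: a minimal peer-side check showing why a well-behaved EAP-TLS client does not treat a bare EAP-Success as authentication. The class name, return strings and the on_tls_finished hook are assumptions made for illustration; the packets are constructed samples following the RFC 3748 header layout.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_TLS = 13  # EAP-TLS method type (RFC 5216)

def parse_eap(pkt: bytes):
    """Parse an EAP packet: code, identifier, length, then optional type + data."""
    if len(pkt) < 4:
        raise ValueError("short EAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    body = pkt[4:length]
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if body:
            raise ValueError("Success/Failure carry no data")
        return code, ident, None, b""
    if not body:
        raise ValueError("Request/Response needs a type")
    return code, ident, body[0], body[1:]

class StrictPeer:
    """Hypothetical peer: EAP-Success only counts once the TLS method finished."""
    def __init__(self):
        self.tls_finished = False

    def on_tls_finished(self):
        # Hook a real TLS layer would call after verifying the server's Finished.
        self.tls_finished = True

    def handle(self, pkt: bytes) -> str:
        code, _ident, eap_type, _data = parse_eap(pkt)
        if code == EAP_SUCCESS:
            return "authenticated" if self.tls_finished else "reject-premature-success"
        if code == EAP_FAILURE:
            return "failed"
        if code == EAP_REQUEST and eap_type == EAP_TYPE_TLS:
            return "continue-tls"
        return "ignore"

# Constructed sample packets: EAP-TLS Start (S flag 0x20) and a bare EAP-Success.
TLS_START = struct.pack("!BBHBB", EAP_REQUEST, 1, 6, EAP_TYPE_TLS, 0x20)
BARE_SUCCESS = struct.pack("!BBH", EAP_SUCCESS, 1, 4)

def demo():
    early, done = StrictPeer(), StrictPeer()
    early.handle(TLS_START)          # handshake started, never completed
    done.handle(TLS_START)
    done.on_tls_finished()           # handshake completed normally
    return early.handle(BARE_SUCCESS), done.handle(BARE_SUCCESS)
```

A client that returns "authenticated" in the first case is the "dumb" client described in the message above, and is worth flagging when evaluating WiMAX or 802.1X supplicants.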