Re: Question: How do I forcibly accept all rest requests??
Difan Zhao wrote:
> So I want to make all rest devices to be authenticated. It will be even
> better if I can assign them to a specific VLAN. I was reading
> ./sites-available/default and I found that forcibly accept the user
> (Auth-Type := Accept). Where do I put it? I tried:
>
> post-auth {
>     Post-Auth-Type REJECT {
>         # attr_filter.access_reject
>         Auth-Type := Accept
>     }
> }

It's too late to over-ride the reject at that point.

And I doubt that this will prevent the icon from appearing on their desktop. The icon means that the *PC* believes it wasn't authenticated. The config above tells the *NAS* to allow them in, but does not convince the *PC* that it has been authenticated.

There is no substitute for running the authentication protocol correctly.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Question: How do I forcibly accept all rest requests??
Alan,

Thank you for the quick reply!

However if you can fool the NAS to let it believe that the device is authenticated, will the switch also send an EAP success message to the laptop to fool him as well?

If the laptop is configured to use PEAP and to validate the certificate, then you are right, there is nothing we can do. If the laptop is configured not to validate the certificate, then when the Server (freeradiusd) sends a challenge in the TLS tunnel and receives a hashed reply, can it be configured to simply send a success back anyway?

If the laptop is configured to use MD5, then I think it's even easier to make this happen...?

I apologize if I got any EAP/Radius theory totally wrong... The company I work for serves hotels. They want their staff to be put in the right VLAN for admin management purpose while guests are put in the guest VLAN. Now my setup is pissing some guests off because they don't like to see failed on their laptops. It's kind of important... I will really appreciate if you can come up with a solution for it...

Thank you!

Guest-tek, Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

-----Original Message-----
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org On Behalf Of Alan DeKok
Sent: Tuesday, March 30, 2010 4:43 PM
To: FreeRadius users mailing list
Subject: Re: Question: How do I forcibly accept all rest requests??

Re: Question: How do I forcibly accept all rest requests??
Difan Zhao wrote:
> However if you can fool the NAS to let it believe that the device is
> authenticated, will the switch also send an EAP success message to the
> laptop to fool him as well?

No. Even if it does, the laptop will ignore it.

There is no substitute for running the authentication protocol correctly.

> If the laptop is configured to use PEAP and to validate the certificate,
> then you are right, there is nothing we can do. If the laptop is
> configured not to validate the certificate, then when the Server
> (freeradiusd) sends a challenge in the TLS tunnel and receives a hashed
> reply, can it be configured to simply send a success back anyway?

That's not the way PEAP works. So no, it's impossible.

> If the laptop is configured to use MD5, then I think it's even easier to
> make this happen...?

It's still impossible.

> I apologize if I got any EAP/Radius theory totally wrong... The company
> I work for serves hotels. They want their staff to be put in the right
> VLAN for admin management purpose while guests are put in the guest
> VLAN. Now my setup is pissing some guests off because they don't like to
> see failed on their laptops. It's kind of important... I will really
> appreciate if you can come up with a solution for it...

<shrug> That's the way networks work. And you expect me to come up with a solution (for free) that you're charging for?

Alan DeKok.

RE: Question: How do I forcibly accept all rest requests??
Uh... Guess you are right... I thought it was something easy but looks like it's not! I will let the hotel know that there is nothing we can do. I guess the hotel will give up after I tell them that I have consulted with the programmer lol.

BTW this Freeradius is an awesome program. Very flexible and I like it a lot! Your support is also very much appreciated!

Thanks a lot

Guest-tek, Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

-----Original Message-----
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org On Behalf Of Alan DeKok
Sent: Tuesday, March 30, 2010 5:47 PM
To: FreeRadius users mailing list
Subject: Re: Question: How do I forcibly accept all rest requests??