Query: auth server bahaviour when presented with unknown user certs (EAP-TLS)

[Soh Kam Yung]

Hello all,

I'm in the process to helping to design a front-end to wpa_supplicant
and I have a question about the behaviour of authentication servers
when presented with unrecognised user certificates under EAP-TLS.

Suppose I have a device with two or more user certificates which are
used to join two or more different EAP-TLS networks.  When I am
requested to join a EAP-TLS network, I will try to join by passing the
user certificates one by one to the server using wpa_supplicant (i.e.
change the "private_key" and "private_key_password" parameters in each
join attempt) until it succeeds or until I run out of user
certificates.

What I would like to know is how do authentication servers behave when
presented with unrecognised user certificates?  Do they just log the
failed attempts and let the device continue to try to join the
network?

Can an authentication server be setup in a 'paranoid' mode such that
too many failures will result in the device being permanently blocked
from joining until allowed to by an administrator?

I have access to only one EAP-TLS network for testing (which does not
block repeated failed attempts) so I do not know the usual behaviour
of authentication servers in actual environments.

Can anybody with more experience in this area provide some
information?  The result may affect how my front-end will have to
handle user certificates.

Regards,
Kam-Yung
-- 
Soh Kam Yung
my Google Reader Shared links:
(http://www.google.com/reader/shared/16851815156817689753)
my Google Reader Shared SFAS links:
(http://www.google.com/reader/shared/user/16851815156817689753/label/sfas)