How to kick a user based on NAI
Sat Aug 9 10:22:17 PDT 2014
Thanks. Got it!
On Wed, Jul 30, 2014 at 2:46 PM, Stefan Winter <stefan.winter at restena.lu> wrote:
> > I want to kick out some users on a particular realm while trying to
> > authenticate others. This is done on the basis of the NAI. For example,
> > abc@example.com is allowed while
> > xyz@example.com is not allowed to authenticate.
> Forget it: almost all common EAP methods allow forging an outer
> identity which does NOT match the actual login.
> That is, your bad user xyz@example.com would simply use abc@example.com
> as its anonymous outer identity.
> In EAP, the NAS/AP never learns the identity of the user; only of the
> realm with some high degree of certainty.
> Only the RADIUS server can make that decision.
> Get over it :-)
> Stefan Winter
> > I want to make this decision as early as possible, so I thought the
> > eap_method_init is the right place. But that does not seem to work. If I
> > do data->state=FAILURE and return NULL in the buildREquest then the
> > middleboxes such as FreeRADIUS that proxy the request think I am dead
> > and stop forwarding even when abc@example.com
> > tries to connect. How to overcome this?
> > Thanks Jouni and the list for the very fast responses.
> > Khali
> > _______________________________________________
> > HostAP mailing list
> > HostAP at lists.shmoo.com
> > http://lists.shmoo.com/mailman/listinfo/hostap
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> Tel: +352 424409 1
> Fax: +352 422473
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
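An added example, not part of the original thread and not hostapd or FreeRADIUS code: a small Python model of the point made in the reply, comparing a check on the outer identity with a check made by the home server on the tunnelled (inner) identity. The function names, the session structure, the deny list, the case-insensitive comparison and the realm-match rule are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy; compared case-insensitively (an assumption made
# here so that "XYZ@Example.com" cannot slip past the list).
DENIED_USERS = {"xyz@example.com"}


def split_nai(nai: str):
    """Split an NAI into (user, realm); realm is lower-cased, '' if absent."""
    user, sep, realm = nai.rpartition("@")
    return (user, realm.lower()) if sep else (nai, "")


@dataclass
class EapSession:
    outer_identity: str                   # EAP-Response/Identity, seen by NAS and proxies
    inner_identity: Optional[str] = None  # known only to the server ending the tunnel


def decide_on_outer(s: EapSession) -> str:
    """The check a NAS or proxy could make: it only sees the outer NAI."""
    return "reject" if s.outer_identity.lower() in DENIED_USERS else "continue"


def decide_on_inner(s: EapSession) -> str:
    """The home server's check, made once the tunnelled identity is known.

    Always returns a decision, so a denied user gets an explicit failure
    rather than silence that proxies could mistake for a dead server.
    """
    if s.inner_identity is None:
        return "continue"                 # tunnel not finished: keep EAP going
    _, outer_realm = split_nai(s.outer_identity)
    user, inner_realm = split_nai(s.inner_identity)
    # Assumed policy: the inner realm, if given, must match the routed realm.
    if inner_realm and inner_realm != outer_realm:
        return "reject"
    full = f"{user}@{inner_realm or outer_realm}".lower()
    return "reject" if full in DENIED_USERS else "accept"


if __name__ == "__main__":
    # Constructed session: denied user presenting an allowed outer identity.
    forged = EapSession("abc@example.com", "xyz@example.com")
    print(decide_on_outer(forged), decide_on_inner(forged))
```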