How to kick a user based on NAI

Stefan Winter stefan.winter
Wed Jul 30 04:46:51 PDT 2014


> I want to kick out some users on a particular realm while trying to
> authenticate others. This is done on the basis of the NAI. For example
> abc at is allowed while
> xyz at is not allowed to authenticate.

Forget it: almost all common EAP methods allow forging an outer
identity which does NOT match the actual login.

That is, your bad user xyz at would simply use abc at
as its anonymous outer identity.

In EAP, the NAS/AP never learns the identity of the user; only of the
realm with some high degree of certainty.

Only the RADIUS server can make that decision.

Get over it :-)


Stefan Winter

> I want to make this decision as early as possible, so I thought
> eap_method_init is the right place. But that does not seem to work. If I
> do data->state=FAILURE and return NULL in the buildReq, then the
> middleboxes such as FreeRADIUS that proxy the request think I am dead
> and stop forwarding even when abc at
> tries to connect. How do I overcome this?
> Thanks Jouni and the list for the very fast responses.
> Khali

Ingénieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
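An added example, not code from the thread or from hostapd, that models the point above: the NAS/AP only sees the EAP outer identity (which a tunnelled method lets the peer set to anything), so a per-user block there is bypassed, while the home RADIUS server can decide on the authenticated inner identity. The realm example.org, the user names and the deny-list are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed deny-list: users the home realm wants to refuse.
BLOCKED_USERS = {"xyz@example.org"}
HOME_REALM = "example.org"  # constructed placeholder realm


def split_nai(nai: str):
    """Split an NAI (RFC 7542) into (user, realm) at the LAST '@'.
    A bare username has no realm; realms compare case-insensitively."""
    if "@" not in nai:
        return nai, None
    user, _, realm = nai.rpartition("@")
    return user, realm.lower()


@dataclass
class EapSession:
    outer_identity: str   # EAP-Response/Identity, sent in the clear
    inner_identity: str   # identity presented inside the TLS tunnel
    credential_ok: bool   # whether the inner credential verified


def naive_nas_block(session: EapSession) -> bool:
    """The approach from the question: block on the outer identity at the
    NAS. Returns True (allow) whenever the outer NAI is not deny-listed."""
    return session.outer_identity not in BLOCKED_USERS


def nas_decision(session: EapSession) -> bool:
    """What the NAS can legitimately do with the outer identity: route on
    the realm. It learns nothing trustworthy about the user part."""
    _, realm = split_nai(session.outer_identity)
    return realm == HOME_REALM


def radius_decision(session: EapSession) -> bool:
    """What only the home RADIUS server can do: judge the identity that was
    actually authenticated inside the tunnel, ignoring the outer one."""
    if not session.credential_ok:
        return False
    user, realm = split_nai(session.inner_identity)
    return realm == HOME_REALM and f"{user}@{realm}" not in BLOCKED_USERS


if __name__ == "__main__":
    # xyz logs in but presents abc's NAI as the anonymous outer identity.
    s = EapSession("abc@example.org", "xyz@example.org", credential_ok=True)
    print("NAS-side block lets it through:", naive_nas_block(s))   # True
    print("RADIUS-side decision refuses it:", radius_decision(s))  # False
```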