How to kick a user based on NAI

khali singh khali3620 at gmail.com
Sat Aug 9 13:22:17 EDT 2014


Thanks. Got it!


On Wed, Jul 30, 2014 at 2:46 PM, Stefan Winter <stefan.winter at restena.lu>
wrote:

> Hi,
>
> > I want to kick out some users on a particular realm while trying to
> > authenticate others. This is done on the basis of the NAI. For example
> > abc at example.com is allowed while xyz at example.com is not allowed
> > to authenticate.
>
> Forget it: almost all common EAP methods allow forging an outer
> identity which does NOT match the actual login.
>
> That is, your bad user xyz at example.com would simply use abc at example.com
> as its anonymous outer identity.
>
> In EAP, the NAS/AP never learns the identity of the user; only of the
> realm with some high degree of certainty.
>
> Only the RADIUS server can make that decision.
>
> Get over it :-)
>
> Greetings,
>
> Stefan Winter
>
> >
> > I want to make this decision as early as possible, so I thought the
> > eap_method_init is the right place. But that does not seem to work. If I
> > do data->state=FAILURE and return NULL in the buildREquest then the
> > middleboxes such as FreeRADIUS that proxy the request think I am dead
> > and stop forwarding even when abc at example.com
> > tries to connect. How to overcome this?
> >
> > Thanks Jouni and the list for the very fast responses.
> > Khali
> >
> >
> > _______________________________________________
> > HostAP mailing list
> > HostAP at lists.shmoo.com
> > http://lists.shmoo.com/mailman/listinfo/hostap
> >
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>
>
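
Added example (not part of the original thread, and not hostapd or FreeRADIUS code): a small model of the point made in the reply above, comparing a filter that sees only the outer identity with a check made where the inner identity is known. The deny list, the sample sessions, all function names, and the rule that the inner realm must equal the routed realm are assumptions for illustration.

```python
# Added illustration; deny list, identities and function names are constructed.
DENIED_USERS = {"xyz@example.com"}

def split_nai(nai):
    """Split an NAI into (user, realm); the realm is lowercased, '' if absent."""
    user, sep, realm = nai.rpartition("@")
    return (user, realm.lower()) if sep else (nai, "")

def canonical(nai, default_realm=""):
    """Rebuild user@realm, borrowing default_realm when the NAI carries none."""
    user, realm = split_nai(nai)
    return f"{user}@{realm or default_realm}"

def outer_only_policy(outer):
    """What a NAS/AP or proxy can check: only the unauthenticated outer identity."""
    return canonical(outer) not in DENIED_USERS

def server_policy(outer, inner):
    """Check at the RADIUS server, which terminates EAP and sees the inner identity."""
    outer_realm = split_nai(outer)[1]
    inner_id = canonical(inner, default_realm=outer_realm)
    # Assumed policy: the authenticated realm must be the one the request was routed on.
    if split_nai(inner_id)[1] != outer_realm:
        return False, "inner realm differs from routed realm"
    if inner_id in DENIED_USERS:  # user part compared case-sensitively (assumption)
        return False, "user denied"
    return True, "ok"

# Constructed (outer identity, inner identity) pairs.
SESSIONS = [
    ("abc@example.com", "abc@example.com"),        # honest allowed user
    ("xyz@example.com", "xyz@example.com"),        # denied user, honest outer identity
    ("abc@example.com", "xyz@example.com"),        # denied user behind another outer identity
    ("anonymous@example.com", "xyz"),              # realm-less inner identity
    ("anonymous@EXAMPLE.com", "abc@example.com"),  # allowed user, anonymous outer identity
]

def evaluate(sessions=SESSIONS):
    """Return (outer, inner, outer_only_decision, server_decision) per session."""
    return [(o, i, outer_only_policy(o), server_policy(o, i)[0]) for o, i in sessions]

if __name__ == "__main__":
    for row in evaluate():
        print(row)
```
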