How to kick a user based on NAI

Stefan Winter stefan.winter at restena.lu
Wed Jul 30 07:46:51 EDT 2014


Hi,

> I want to kick out some users on a particular realm while trying to
> authenticate others. This is done on the basis of the NAI. For example
> abc at example.com is allowed while
> xyz at example.com is not allowed to authenticate.

Forget it: almost all common EAP methods allow forging an outer
identity which does NOT match the actual login.

That is, your bad user xyz at example.com would simply use abc at example.com
as its anonymous outer identity.

In EAP, the NAS/AP never learns the identity of the user; it only learns
the realm, with some high degree of certainty.

Only the RADIUS server can make that decision.

Get over it :-)

Greetings,

Stefan Winter

> 
> I want to make this decision as early as possible, so I thought the
> eap_method_init is the right place. But that does not seem to work. If I
> do data->state=FAILURE and return NULL in the buildRequest then the
> middleboxes such as FreeRADIUS that proxy the request think I am dead
> and stop forwarding even when abc at example.com
> tries to connect. How do I overcome this?
> 
> Thanks Jouni and the list for the very fast responses.
> Khali


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
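To illustrate the point made above (an added example, not code from the thread or from hostapd): the NAS and any RADIUS proxy only see the EAP outer identity, which the supplicant picks freely, so the only field they can reasonably act on is the realm; the inner identity is only visible to the home RADIUS server that terminates the tunnel. The session structure, the regex and the decision strings are constructed for this example.

```python
"""Who can decide what, based on which part of the NAI (RFC 7542)."""
import re
from dataclasses import dataclass
from typing import Optional, Set

# Constructed NAI pattern: optional username, '@', non-empty realm.
# "@example.com" is a valid anonymous NAI, so the user part may be empty.
NAI_RE = re.compile(r"^(?P<user>[^@]*)@(?P<realm>[^@]+)$")


@dataclass
class EapSession:
    """Hypothetical view of one tunnelled EAP exchange (PEAP/TTLS style)."""
    outer_identity: str  # EAP-Response/Identity: seen by NAS and every proxy
    inner_identity: str  # sent inside the TLS tunnel: seen by the home server only


def nai_realm(identity: str) -> Optional[str]:
    """Return the lower-cased realm of an NAI, or None if there is none."""
    m = NAI_RE.match(identity)
    return m.group("realm").lower() if m else None


def nas_decision(outer_identity: str, served_realms: Set[str]) -> str:
    """Everything a NAS/proxy can legitimately decide from the outer identity.

    The user part is untrusted input: it can be empty or belong to someone
    else, so it is deliberately never consulted here.
    """
    realm = nai_realm(outer_identity)
    if realm is None:
        return "reject:no-realm"
    if realm not in served_realms:
        return "reject:unknown-realm"
    return f"forward:{realm}"


def home_server_decision(session: EapSession, blocked_users: Set[str]) -> str:
    """The home RADIUS server terminates the tunnel and sees the real user."""
    if session.inner_identity.lower() in blocked_users:
        return "Access-Reject"
    return "Access-Accept"


if __name__ == "__main__":
    # Constructed sessions: xyz hides behind abc's (or an anonymous) outer identity.
    honest = EapSession("abc@example.com", "abc@example.com")
    forged = EapSession("abc@example.com", "xyz@example.com")
    anon = EapSession("@example.com", "xyz@example.com")
    for s in (honest, forged, anon):
        print(s.outer_identity, nas_decision(s.outer_identity, {"example.com"}),
              home_server_decision(s, {"xyz@example.com"}))
```

Run it and all three sessions get the same NAS verdict (forward to example.com); only the home server's verdict differs, which is exactly why the kick-out has to happen there.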