<div dir="ltr">Thanks. Got it! <br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jul 30, 2014 at 2:46 PM, Stefan Winter <span dir="ltr"><<a href="mailto:stefan.winter@restena.lu" target="_blank">stefan.winter@restena.lu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<div class=""><br>
> I want to kick out some users on a particular realm while trying to<br>
> authenticate others. This is done on the basis of the NAI. For example<br>
</div>> <a href="mailto:abc@example.com">abc@example.com</a> is allowed while<br>
> <a href="mailto:xyz@example.com">xyz@example.com</a> is not allowed to authenticate.<br>
<br>
Forget it: almost all common EAP methods allow forging an outer<br>
identity which does NOT match the actual login.<br>
<br>
That is, your bad user <a href="mailto:xyz@example.com">xyz@example.com</a> would simply use <a href="mailto:abc@example.com">abc@example.com</a><br>
as its anonymous outer identity.<br>
<br>
In EAP, the NAS/AP never learns the identity of the user; only of the<br>
realm with some high degree of certainty.<br>
<br>
Only the RADIUS server can make that decision.<br>
<br>
Get over it :-)<br>
<br>
Greetings,<br>
<br>
Stefan Winter<br>
<div class=""><br>
><br>
> I want to make this decision as early as possible, so I thought the<br>
> eap_method_init is the right place. But that does not seem to work. If I<br>
> do data->state=FAILURE and return NULL in the buildRequest then the<br>
> middleboxes such as FreeRADIUS that proxy the request think I am dead<br>
</div>> and stop forwarding even when <a href="mailto:abc@example.com">abc@example.com</a><br>
<div class="">> tries to connect. How to overcome this?<br>
><br>
> Thanks Jouni and the list for the very fast responses.<br>
> Khali<br>
><br>
><br>
</div>> _______________________________________________<br>
> HostAP mailing list<br>
> <a href="mailto:HostAP@lists.shmoo.com">HostAP@lists.shmoo.com</a><br>
> <a href="http://lists.shmoo.com/mailman/listinfo/hostap" target="_blank">http://lists.shmoo.com/mailman/listinfo/hostap</a><br>
><br>
<br>
<br>
--<br>
Stefan WINTER<br>
Ingenieur de Recherche<br>
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et<br>
de la Recherche<br>
6, rue Richard Coudenhove-Kalergi<br>
L-1359 Luxembourg<br>
<br>
Tel: <a href="tel:%2B352%20424409%201" value="+3524244091">+352 424409 1</a><br>
Fax: <a href="tel:%2B352%20422473" value="+352422473">+352 422473</a><br>
<br>
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the<br>
recipient's key is known to me<br>
<br>
<a href="http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66" target="_blank">http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66</a><br>
<br></blockquote></div><br></div>
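The point Stefan makes above, that a NAS or proxy can trust only the realm of the outer EAP identity and that any per-user decision belongs at the home RADIUS server keyed on the tunneled inner identity, as an added example that is not part of this thread or of hostapd; the packet builder, the home-server table and the blocked set are constructed for illustration, and the realm is assumed to be the text after the last '@' (no decorated NAIs):

```python
# Added example, not from the thread or hostapd: the NAS sees only the outer
# EAP identity, which the peer chooses freely, so per-user policy must live at
# the home RADIUS server, keyed on the identity sent inside the TLS tunnel.
from typing import Optional


def parse_eap_identity(pkt: bytes) -> str:
    """Return the NAI carried in an EAP-Response/Identity (code 2, type 1)."""
    if len(pkt) < 5:
        raise ValueError("truncated EAP packet")
    code, length, eap_type = pkt[0], int.from_bytes(pkt[2:4], "big"), pkt[4]
    if code != 2 or eap_type != 1 or length != len(pkt):
        raise ValueError("not a well-formed EAP-Response/Identity")
    return pkt[5:].decode("utf-8")


def build_eap_identity(identifier: int, nai: str) -> bytes:
    """Constructed test input: an EAP-Response/Identity carrying the given NAI."""
    payload = nai.encode("utf-8")
    length = 5 + len(payload)  # code, id, 2-byte length, type, then the NAI
    return bytes([2, identifier]) + length.to_bytes(2, "big") + b"\x01" + payload


def realm_of(nai: str) -> Optional[str]:
    """Realm part of an NAI: text after the last '@' (assumption: no decoration).
    A bare username has no realm, so a NAS cannot route it anywhere."""
    at = nai.rfind("@")
    return nai[at + 1:].lower() if at >= 0 else None


def nas_route(outer_pkt: bytes, home_servers: dict) -> str:
    """All a NAS or proxy can rely on: the realm, used only to pick the home server."""
    realm = realm_of(parse_eap_identity(outer_pkt))
    if realm is None or realm not in home_servers:
        raise LookupError("unknown realm: nothing to proxy to")
    return home_servers[realm]


def home_server_decision(inner_nai: str, blocked: set) -> str:
    """The home RADIUS server sees the tunneled inner identity and enforces policy there."""
    return "Access-Reject" if inner_nai.lower() in blocked else "Access-Accept"


def demo() -> dict:
    # Constructed scenario: blocked user xyz presents abc's name as the outer identity.
    outer = build_eap_identity(1, "abc@example.com")
    inner = "xyz@example.com"
    servers = {"example.com": "radius.example.com"}  # hypothetical home server
    blocked = {"xyz@example.com"}
    return {
        "nas_sees": parse_eap_identity(outer),        # "abc@example.com": useless for policy
        "routed_to": nas_route(outer, servers),        # the realm alone is enough to proxy
        "home_server": home_server_decision(inner, blocked),  # "Access-Reject"
    }
```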