I have set up authentication against AD according to:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
This works as expected.

If the client's certificate is expired, eap/tls will, of course, fail.
In this case a guest vlan shall be assigned to the client.

Having a module that adds the needed RADIUS attributes seems to work if an additional Auth-Type += Accept is added.
Doing this, the eap-tls is short-circuited and may result in a:

Incoming RADIUS packet did not have correct Message-Authenticator - dropped

message on the client side.

Is this acceptable?
What would be the best way to handle a situation like that?

Norbert Wegener

