Re: Reply-message and supplicant

2009-06-08 Thread A . L . M . Buxey
Hi, Alternatively the 'smart server-end' could just send an Access-Accept :) ah..but then things get logged and you have a session...and most likely then a local address at the visited site and you'll then have to use a VPN etc. with the nefarious way, all traffic is transmitted via the home

Re: Reply-message and supplicant

2009-06-08 Thread Arran Cudbard-Bell
# # Make Reply-Message RFC3748 2.6.5 compliant # * # # Make Reply-Message RFC3579 2.6.5 compliant # Odd that the mime encoded GPG sig validates ok, but the in-line one doesn't... I wonder what's going on there.

Re: Reply-message and supplicant

2009-06-08 Thread Alan DeKok
Arran Cudbard-Bell wrote: This isn't actually mandated anywhere though is it? This is just random vendor specific behaviour ? IIRC, there's a suggestion to do this, but the actual cut-off number is vendor-specific. Alan DeKok. - List info/subscribe/unsubscribe? See

Re: Reply-message and supplicant

2009-06-08 Thread A . L . M . Buxey
Hi, IIRC, there's a suggestion to do this, but the actual cut-off number is vendor-specific. ..and i guess this cutoff is reported as an EAP failure and therefore kit configured to block/deny access will mean the eg the 3rd tunnel creation will be the last for some time alan

Re: Reply-message and supplicant

2009-06-08 Thread Arran Cudbard-Bell
On 8/6/09 11:27, a.l.m.bu...@lboro.ac.uk wrote: Hi, IIRC, there's a suggestion to do this, but the actual cut-off number is vendor-specific. ..and i guess this cutoff is reported as an EAP failure and therefore kit configured to block/deny access will mean the eg the 3rd tunnel creation

Re: Reply-message and supplicant

2009-06-08 Thread Alan DeKok
a.l.m.bu...@lboro.ac.uk wrote: could reply messages be used with some smart server-end code to provide a data communication channel? ie user A has code that attempts to use EAP with special username coding...the remote server is designed to throw responses in EAP messages...which the modified

Re: Re: Reply-message and supplicant

2009-06-08 Thread David Mitton
A couple comments on this thread... The problem with including Reply message text in EAP is that the Reply attribute comes in the Accept or Reject message, which will be carrying the EAP Success or Fail. EAP Success/Fail like a Reject doesn't carry attributes, so a Reply would have to be turned

Re: Re: Reply-message and supplicant

2009-06-08 Thread A . L . M . Buxey
hi, some useful information...however, people will be far more likely to read your email if you send it as plain text rather than HTML. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Reply-message and supplicant

2009-06-08 Thread Arran Cudbard-Bell
On 8/6/09 13:26, David Mitton wrote: A couple comments on this thread... The problem with including Reply message text in EAP is that the Reply attribute comes in the Accept or Reject message, which will be carrying the EAP Success or Fail. EAP Success/Fail like a Reject doesn't carry

Re: Reply-message and supplicant

2009-06-08 Thread Alexander Clouter
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote: On 8/6/09 13:26, David Mitton wrote: A couple comments on this thread... The problem with including Reply message text in EAP is that the Reply attribute comes in the Accept or Reject message, which will be carrying the EAP Success or

Re: Reply-message and supplicant

2009-06-07 Thread A . L . M . Buxey
Hi, on the client can then extract? this could tunnel traffic through an 802.1X restricted network? in fact, is the inner EAP traffic limited at all? once the authentication outer layer is started i should be able to just keep throwing data back/forward through that tube? Wait are you

Re: Reply-message and supplicant

2009-06-07 Thread Alexander Clouter
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote: Alexander Clouter wrote: a.l.m.bu...@lboro.ac.uk wrote: No one in London wants to go to Sussex though and from my logs it does not look like anyway from Sussex wants to go to London either ;) If someone gives me something better to use

Re: Reply-message and supplicant

2009-06-07 Thread Arran Cudbard-Bell
Hi, on the client can then extract? this could tunnel traffic through an 802.1X restricted network? in fact, is the inner EAP traffic limited at all? once the authentication outer layer is started i should be able to just keep throwing data back/forward through that tube? Wait are

Re: Reply-message and supplicant

2009-06-07 Thread Arran Cudbard-Bell
Alexander Clouter wrote: Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote: Alexander Clouter wrote: a.l.m.bu...@lboro.ac.uk wrote: No one in London wants to go to Sussex though and from my logs it does not look like anyway from Sussex wants to go to London either ;) If

Re: Reply-message and supplicant

2009-06-07 Thread Alexander Clouter
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote: ... hmm that's pretty standard behaviour. We don't require FQUNs either. Though I have no idea why you still insist on using user files for policies. There's this new fangled policy language you know :P We *demand* it as otherwise

Re: Reply-message and supplicant

2009-06-07 Thread Alan DeKok
Arran Cudbard-Bell wrote: There's no reason why you couldn't tunnel IPv4 so long as the packets had a valid EAP header prepended to them. Send your EAP start, send the identity response... then you can pretty much do whatever you like, so long as it has a valid EAP header and the end server is

Re: Reply-message and supplicant

2009-06-07 Thread Arran Cudbard-Bell
Alan DeKok wrote: Arran Cudbard-Bell wrote: There's no reason why you couldn't tunnel IPv4 so long as the packets had a valid EAP header prepended to them. Send your EAP start, send the identity response... then you can pretty much do whatever you like, so long as it has a valid EAP

Re: Reply-message and supplicant

2009-06-06 Thread A . L . M . Buxey
Hi, No one in London wants to go to Sussex though and from my logs it does not look like anyway from Sussex wants to go to London either ;) If someone gives me something better to use in my RADIUS packets then I'm game. Meanwhile I keep meaning to glue 'exec' and 'fortune' together and

Re: Reply-message and supplicant

2009-06-06 Thread Alexander Clouter
a.l.m.bu...@lboro.ac.uk wrote: No one in London wants to go to Sussex though and from my logs it does not look like anyway from Sussex wants to go to London either ;) If someone gives me something better to use in my RADIUS packets then I'm game. Meanwhile I keep meaning to glue 'exec'

Re: Reply-message and supplicant

2009-06-06 Thread Arran Cudbard-Bell
a.l.m.bu...@lboro.ac.uk wrote: Hi, No one in London wants to go to Sussex though and from my logs it does not look like anyway from Sussex wants to go to London either ;) If someone gives me something better to use in my RADIUS packets then I'm

Re: Reply-message and supplicant

2009-06-06 Thread Arran Cudbard-Bell
Alexander Clouter wrote: a.l.m.bu...@lboro.ac.uk wrote: No one in London wants to go to Sussex though and from my logs it does not look like anyway from Sussex wants to go to London either ;) If someone gives me something better to use in my

Re: Reply-message and supplicant

2009-06-05 Thread Arran Cudbard-Bell
Hi Sergio, Is possible that Reply-message can be seen from laptops running the supplicant? Not with EAP no. You can use EAP-Notification packets, but very few supplicants display the contents to the user, and the server doesn't support their generation. Arran -- Arran Cudbard-Bell

Re: Reply-message and supplicant

2009-06-05 Thread A . L . M . Buxey
Hi, Hi Sergio, Is possible that Reply-message can be seen from laptops running the supplicant? Not with EAP no. You can use EAP-Notification packets, but very few supplicants display the contents to the user, and the server doesn't support their generation. which is why rather useful

Re: Reply-message and supplicant

2009-06-05 Thread Sergio Belkin
2009/6/5 a.l.m.bu...@lboro.ac.uk: Hi, Hi Sergio, Is possible that Reply-message can be seen from laptops running the supplicant? Not with EAP no. You can use EAP-Notification packets, but very few supplicants display the contents to the user, and the server doesn't support their

Re: Reply-message and supplicant

2009-06-05 Thread A . L . M . Buxey
Hi, Does file attrs.access_reject has to with you are talking about? in a way - that file lists the attributes that are allowed to pass after an access reject - you still have to set eg the Reply-Message *or some other VSA* to let the remote site know alan

Re: Reply-message and supplicant

2009-06-05 Thread Arran Cudbard-Bell
On 5/6/09 15:21, a.l.m.bu...@lboro.ac.uk wrote: Hi, Hi Sergio, Is possible that Reply-message can be seen from laptops running the supplicant? Not with EAP no. You can use EAP-Notification packets, but very few supplicants display the contents to the user, and the server doesn't support

Re: Reply-message and supplicant

2009-06-05 Thread Sergio Belkin
2009/6/5 a.l.m.bu...@lboro.ac.uk: Hi, Does file attrs.access_reject has to with you are talking about? in a way - that file lists the attributes that are allowed to pass after an access reject - you still have to set eg the Reply-Message *or some other VSA* to let the remote site know

Re: Reply-message and supplicant

2009-06-05 Thread Arran Cudbard-Bell
On 5/6/09 16:18, Sergio Belkin wrote: 2009/6/5 a.l.m.bu...@lboro.ac.uk: Hi, Does file attrs.access_reject has to with you are talking about? in a way - that file lists the attributes that are allowed to pass after an access reject - you still have to set eg the Reply-Message *or some other

Re: Reply-message and supplicant

2009-06-05 Thread A . L . M . Buxey
Hi, No they can't. Reply-Messages are prohibited in packets containing EAP-Message attributes. really? well...I guess if you believe in RFC 3579 and hope that everyone read section 2.2 of that - invalid packet discussion then you'd hope so... however, I see tonnes of packets proxied through

Re: Reply-message and supplicant

2009-06-05 Thread Arran Cudbard-Bell
On 5/6/09 19:10, a.l.m.bu...@lboro.ac.uk wrote: Hi, No they can't. Reply-Messages are prohibited in packets containing EAP-Message attributes. really? well...I guess if you believe in RFC 3579 and hope that everyone read section 2.2 of that - invalid packet discussion then you'd hope so...

Re: Reply-message and supplicant

2009-06-05 Thread Alexander Clouter
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote: On 5/6/09 19:10, a.l.m.bu...@lboro.ac.uk wrote: Hi, No they can't. Reply-Messages are prohibited in packets containing EAP-Message attributes. really? well...I guess if you believe in RFC 3579 and hope that everyone read section 2.2 of