On Fri, 2014-07-18 at 08:38 +0000, Stefan Paetow wrote:

> Otherwise you could have a miscreant running a dodgy RADIUS server and obtain not only the inner usernames but their passwords as well from anyone attempting to log into that service (but that's already the problem today anyway) :-/

This is due to how RADIUS uses TLS. We're never going to be able to fix
that. If you don't set a trust anchor, the supplicant will always send
its credentials.

> So if a noop == reject forces the suffix module to abandon any authn without terminating EAP tunnels, then that's good enough.

It won't do that - it will just stop the server wasting resources.
Correct supplicant configuration prevents incorrect termination of
tunnels.

--
Regards,
Adam Bishop
Systems Development Specialist
gpg: 0x6609D460
t: +44 (0)1235 822 245
Janet, the UK's research and education network.
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
not-for-profit company which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238