June 19, 2010 at 12:34 am #42447
I use EAP-TLS in Zeroshell to authenticate wireless clients to my network. Sometimes I need to block access for some of them, so I disable 802.1X Access in the user properties, and most wifi supplicants work as they should and cannot log in until I enable 802.1X Access again… but if I use Odyssey Client Manager, it still logs in even if I delete the user from Zeroshell. I tried every way to block it from inside Zeroshell with no luck; Odyssey still connects. The only way to stop it is to delete the certificate I installed on the Windows machine I use to log in (I export and install a PKCS file I get from Zeroshell to install both the certificate and private key on my Windows machine).
Is this a bug? Shouldn’t disabling 802.1X Access prevent any attempt to successfully log in with any supplicant?
June 19, 2010 at 10:16 am #50464
Maybe Odyssey is using another way to connect to the ZS. EAP-TLS will use both server and client keys to connect and is password-less if I remember well, so if you disable the certificates for that user he will not be allowed to connect, unless there is a backdoor.
June 19, 2010 at 1:29 pm #50465
No. Revoking the certificate, deleting it, even deleting the user inside Zeroshell doesn’t help; Odyssey still logs in OK using EAP-TLS.
By the way, I’m using WPA2-AES Enterprise in my access point and my Odyssey supplicant is configured to only log in that way.
Here’s what I get; remember, TLS-User is deleted in Zeroshell:
Login OK: [TLS-User] (from client D-Link port 0 cli 00-1D-92-XX-XX-XX)
I’ve reinstalled Zeroshell from scratch and used the default CA, created a new user, installed the certificate on my Windows machine, Odyssey logs in OK, deleted the user (hence the certificate) in Zeroshell and Odyssey still logs in OK.
June 20, 2010 at 10:15 am #50466
What about doing the install from scratch and trying to connect with Odyssey without creating the user? I suspect that either Odyssey logs in another way, or there is a bug in the web interface that doesn’t actually delete the users.
June 23, 2010 at 1:41 pm #50467
Did what you suggested (with a fresh install where I only activated the radius service and added the AP client to the list). No, it doesn’t stop it from entering, so Zeroshell doesn’t filter clients correctly once a certificate generated from Zeroshell is installed in a PC (tried revoking/deleting/recreating the admin certificate and the root CA certificate also / restarting the radius service).
Yes, Odyssey is a pretty complex supplicant that has many features; one of them is skipping ZS security.
June 23, 2010 at 2:45 pm #50468
Then all you can do is report the bug in the appropriate section in this forum.