Normalising the User-Name AVP in an Access-Accept
p.mayers at imperial.ac.uk
Thu Apr 18 17:21:11 CEST 2013
On 18/04/13 16:06, Nick Lowe wrote:
> Thanks, Alan!
> I have got a feature request with Aerohive, our wireless vendor, to
> support treating the User-Name AVP as being authoritative which they
> are being pretty receptive and responsive to.
> (I think RADIUS clients need to stop treating the outer identity as
> being authoritative if and where a User-Name is returned in the
> Access-Accept now that TLS based EAPs are the norm and we should have
> far more of an aggressive push to get vendors to implement this.)
IME it's fairly widely supported (but not exclusively, of course)
> It would be great if, rather than manually having to create mappings
> and rewrite the identity, having successfully performed authentication
> FreeRADIUS were able to inherently spit out the identity in a
> normalised form knowing the username and the realm. (Perhaps I am not
> thinking things through here properly though for the general case
I think the problem is that there's no generally "right" answer.
For example: if you are part of a roaming federation and your users use
anonymous outer ID, you want to preserve that anonymity (or possibly
fall foul of data protection legislation, depending on whether a
username is "personal data").
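
The trade-off discussed in this thread, sketched as an added example (not code from either poster or from FreeRADIUS). It assumes usernames and realms are case-insensitive, that a site-maintained table maps DOMAIN\user prefixes to realms, and that the server knows whether the request arrived via a roaming federation; all function names and sample identities are constructed.

```python
from typing import Dict, Optional


def normalise_identity(inner_identity: str, default_realm: str,
                       domain_map: Optional[Dict[str, str]] = None) -> str:
    """Return the authenticated (inner) identity as lower-case user@realm.

    Accepts user@realm, DOMAIN\\user (looked up in domain_map) or a bare
    username, which is given default_realm.
    """
    ident = inner_identity.strip()
    domain_map = domain_map or {}
    if "\\" in ident:
        # DOMAIN\user: the prefix is not a realm, so it must be mapped.
        domain, user = ident.split("\\", 1)
        realm = domain_map.get(domain.lower(), "")
    elif "@" in ident:
        # user@realm: split on the last '@' only.
        user, realm = ident.rsplit("@", 1)
    else:
        user, realm = ident, default_realm
    if not user or not realm:
        raise ValueError(f"cannot normalise {inner_identity!r}")
    return f"{user.lower()}@{realm.lower()}"


def reply_user_name(inner_identity: str, default_realm: str,
                    via_federation: bool,
                    domain_map: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Decide the User-Name to place in the Access-Accept, if any.

    Local NAS: return the normalised inner identity so accounting and
    session logs carry one canonical name.
    Federation: return None (send no User-Name) so the visited site only
    ever sees the anonymous outer identity.
    """
    if via_federation:
        return None
    return normalise_identity(inner_identity, default_realm, domain_map)


if __name__ == "__main__":
    # Constructed sample identities.
    print(reply_user_name("Alice@Example.ORG", "example.org", False))
    print(reply_user_name("alice@example.org", "example.org", True))
```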