Normalising the User-Name AVP in an Access-Accept

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Apr 18 18:17:38 CEST 2013


> Agreed, the main concern for me would be leakage via wireless.
> 
> I see the main purpose of identity privacy with PKI EAPs being to
> protect the identity from being trivially snooped by an outsider.
> 
> With federations, I think it would be perfectly reasonable to expect
> and require the real identity be returned back to the host
> institution. (I expect others will, perhaps, disagree here though!?
> :P)

Eduroam visited ORPS and home server ORPS should support CUI. Where the NAS at the visited site lacks support for CUI, and the NAS supports setting values for attributes associated with a session, a globally and temporarily unique identifier should be set (via Access-Accept/CoA/SNMP) and then associated with the CUI provided by the home server.

Some NAS include the Acct-Session-Id in Access-Requests, in which case the Acct-Session-Id can be associated with the CUI instead.

For support calls the ID on the NAS can be mapped to the CUI, which can in turn be provided to the home institution.

-Arran
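
The correlation described in the message above, sketched as an added Python example; it is not part of the original post and is not FreeRADIUS code. The class name, the keying by NAS, the random identifier format and the 24-hour lifetime are assumptions made for illustration.

```python
import secrets
import time

SESSION_TTL = 24 * 3600  # assumed lifetime of a mapping, in seconds


class CuiSessionMap:
    """Visited-site table linking an identifier known to the NAS to the CUI
    (Chargeable-User-Identity) returned by the home server."""

    def __init__(self, ttl=SESSION_TTL):
        self.ttl = ttl
        self._table = {}  # (nas, session id) -> (cui, expiry time)

    def bind(self, nas, cui, acct_session_id=None, now=None):
        """Record the CUI from an Access-Accept; return (session id, generated)."""
        now = time.time() if now is None else now
        generated = acct_session_id is None
        # No Acct-Session-Id in the Access-Request: mint a random identifier
        # that the visited proxy would then set on the NAS for this session.
        session_id = secrets.token_hex(16) if generated else acct_session_id
        # Keyed per NAS (assumption): an Acct-Session-Id is not treated as
        # unique across different NAS devices.
        self._table[(nas, session_id)] = (cui, now + self.ttl)
        return session_id, generated

    def lookup(self, nas, session_id, now=None):
        """Support-call path: identifier seen on the NAS -> CUI, or None."""
        now = time.time() if now is None else now
        entry = self._table.get((nas, session_id))
        if entry is None:
            return None
        cui, expires = entry
        if now >= expires:
            # The identifier is only temporarily valid; drop stale entries.
            del self._table[(nas, session_id)]
            return None
        return cui


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    table = CuiSessionMap()
    sid, generated = table.bind("ap-library-01", "cui-7f3a-example")
    print("set on NAS:", sid, "(generated)" if generated else "(from request)")
    print("support lookup ->", table.lookup("ap-library-01", sid))
```

The visited site hands only the CUI to the home institution; the table itself never holds the user's real identity.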

