Question about cui.post-auth in FR 3
Scott Armitage
S.P.Armitage at lboro.ac.uk
Tue Jul 8 15:02:38 CEST 2014
On 8 Jul 2014, at 13:54, Alan DeKok <aland at deployingradius.com> wrote:
> Stefan Paetow wrote:
>> Alan,
>>
>> Would you want to throw the User-Name out even if no CUI was generated? Because that's certainly the current behaviour (and bolloxed up some testing here).
>
> Yes. Because the CUI is supposed to be an opaque user identifier.
> The User-Name is a non-opaque user identifier.
>
> So... handing out User-Name means that you've just told everyone who
> the user is. Which means the secrecy added by CUI is pointless.
>
The outer-identity was seen in the first instance anyway when the client initiated its EAP conversation. True, the inner identity shouldn’t be leaked, but that is the case whether a CUI is present or not.
Surely the User-Name in the Access-Accept should be the original outer-identity.
Scott Armitage