Hi,
If I wanted to do a DoS attack, I would simply submit valid-looking (but non-existent) realms, or indeed invalid usernames at valid realms, which would force the proxying all the way through to the end server for that realm.
well, HOPEFULLY you wouldnt be able to do that as any sane site will have a maximum number of EAP attempts within a threshold time after which your requests are blocked locally by the NAS - I believe that Cisco, for example, has 3 attempts and you're blocked for 60s by default. from looking at logs, however, a LOT of sites dont have such mitigation turned on and we see continous attempts with a duff username - even though we send REJECT back (duff clients or NAS - however, with mitigation on the NAS these requests arent a problem) the biggest problem comes from remote RADIUS servers that dont respond.......
In that case though, I would be inclined to write a validation regexp which fully matches the ABNF in RFC 2486.
as said..and Stefan points out - this isnt as useful as then sites/systems that are okay with, e.g. underscores or some 'illegal character' couldnt just comment that bit out. after all, this is an OPTION. its there for people to use IF THEY WANT, noones forcing you to use it - just like all the other options in the policy.conf provided...it would just be very very useful to have there by default :-) alan