Nick Lowe wrote:
1. The EAP terminating RADIUS server returns the User-Name attribute with the client?s real identity AND that the NASes support processing this attribute.
Alan DeKok wrote:
Which is a good idea. But as Arran pointed out, CUI is arguably the better choice.
Agreed.
2. The EAP terminating RADIUS server else mandates that the EAP outer-identity and EAP inner-identity resolve to the same discrete user, prohibiting the use of anonymous EAP outer-identities.
That will NEVER happen. Never, never, never. It's a terrible idea.
Here I dare to respectfully disagree (at least for the moment being :). There needs to be a way for (EDUROAM terminology used) the Service Provider to block a particular roaming identity access to their NAS, should such a need occur (and not a whole realm), in a timely fashion. For roaming users, SPs are typically exposed only to the outer identity through accounting of their local RADIUS server that the roaming identity uses for proxying. For me, it has two outcomes: it would require all EDUROAM IdPs to either a) mandate use of CUI (preferrably, but I cannot somehow recall how a third party could check whether particular IdP provides CUI on their terminating RADIUS server(s), or b) mandate same inner and outer identity, as suggested by Nick. AFAIK, some EDUROAM IdPs (that do not implement CUI) actually do this as a favor for any other EDUROAM participating SP so that (based on the outter identity of abusive roaming user gathered from local NAS accounting) they can immediately: 1) identify the roaming abuser, and 2) lock him/her out on their proxying RADIUS until his/her home IdP takes an action IIRC, there is a nice document describing the problem from SP sysadmin perspective (see paragraph 2.1): https://www.eduroam.org/downloads/docs/GN2-08-243-DJ5-4-1-2_Advanced_Technol... With kind regards, Jan Rafaj