Gah, my message bounced owing to change of email address... Arran wrote:
Can you clear something up for me with inner/outer identity. The outer identity is in the User-Name attribute , it's a standard RADIUS attribute... Inner identity is encoded in the EAP message, and is pulled out by the EAP module prior to internal proxying and set as the User-Name attribute (which should overwrite the User-Name attribute in the request) ?
Correct.
And it's standard practice to leave the outer identity as anonymous, as the only communication between the NAS and the Supplicant is EAP based when using EAPOL, and so the NAS would have to understand EAP to
be able to extract the User-Name string and write it into the Access-Request packet ?
Nope; see RFC 3579 for the gory details: "the NAS MUST copy the contents of the Type-Data field of the EAP-Response/Identity received from the peer into the User-Name attribute" The use of "anonymous" is simply to preserve privacy; it's not a technical requirement of any EAP method (that I know of). An interesting tangent: note that "end-user identity hiding" is simply a "requirement" of RFC 4017 ("EAP Method Requirements for Wireless LANs"), which I think is a shame.
So although the NAS must send an EAP-Identity-Request when the client
connects it's not required to understand the EAP-Identity-Response ?
For the reason given above, it *does* need to understand the EAP-Identity-Response. But that's about it! The NAS is a pretty dumb device. josh.