# # require_identity_realm:: Require the the EAP Identity provided contains # a realm. # # If `require_identity_realm` is `nai`, the EAP identity provided must # end with `@<label0>.<label1>[.<labelN>]`, i.e. an '@' followed by at least # two DNS labels. # # If `require_identity_realm` is `yes`, the EAP identity provided must # either match the NAI format described above, or a `Stripped-User-Domain` # attribute must be present in the request list. # This validation mode is intended to be user where Windows machine # authentication is intermixed with user authentication. # # If `require_identity_realm` is `no`, no identity format checks are performed. # It is NOT recommended to use this value. Future security standards will # key off the NAI realm to validate the certificate we (the EAP server) present. # If you do not require an NAI realm be present in the EAP identity string, # your users will not be able to take advantage of this added security when # it is added by OS and device vendors. # # require_identity_realm = nai A new configuration item has been added to the EAP module, which, by default will prevent users from authenticating unless they provide an NAI style realm in the EAP identity string, e.g. foo@example.org. This will likely be backported to the v3.0.x branch, though the default value will likely be "no" to avoid point release breakages. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2