On 8 Jul 2014, at 13:54, Alan DeKok <aland@deployingradius.com> wrote:
Stefan Paetow wrote:
Alan,
Would you want to throw the User-Name out even if no CUI was generated? Because that's certainly the current behaviour (and bolloxed up some testing here).
Yes. Because the CUI is supposed to be an opaque user identifier. The User-Name is a non-opaque user identifier.
So... handing out User-Name means that you've just told everyone who the user is. Which means the secrecy added by CUI is pointless.
The outer-identity was seen in the first instance anyway when the client initiated its eap conversation. True the inner identity shouldn’t be leaked, but that is the case whether a CUI is present or not. Surely the User-Name in the Access-Accept should be the original outer-identity. Scott Armitage