Josh Howlett wrote:
Gah, my message bounced owing to change of email address...
Arran wrote:
Can you clear something up for me with inner/outer identity. The outer identity is in the User-Name attribute , it's a standard RADIUS attribute... Inner identity is encoded in the EAP message, and is pulled out by the EAP module prior to internal proxying and set as the User-Name attribute (which should overwrite the User-Name attribute in the request) ?
Correct.
And it's standard practice to leave the outer identity as anonymous, as the only communication between the NAS and the Supplicant is EAP based when using EAPOL, and so the NAS would have to understand EAP to
be able to extract the User-Name string and write it into the Access-Request packet ?
Nope; see RFC 3579 for the gory details:
"the NAS MUST copy the contents of the Type-Data field of the EAP-Response/Identity received from the peer into the User-Name attribute"
See thats what I suspected, else how could the User-Name attribute be populated in the access requests... And indeed as the RFC states, the User-Identity needs to be set in the access requests for none EAP aware proxies. I suspect FreeRADIUS may count as one of these, as for all intensive purposes as it provides no mechanism to proxy arbitrary segments of an EAP conversation on inner identity alone. Unless I missed something ?
The use of "anonymous" is simply to preserve privacy; it's not a technical requirement of any EAP method (that I know of).
An interesting tangent: note that "end-user identity hiding" is simply a "requirement" of RFC 4017 ("EAP Method Requirements for Wireless LANs"), which I think is a shame.
So although the NAS must send an EAP-Identity-Request when the client
connects it's not required to understand the EAP-Identity-Response ?
For the reason given above, it *does* need to understand the EAP-Identity-Response. But that's about it! The NAS is a pretty dumb device.
josh.
Reason why I was asking is because most of the tests on the JRS test website seem to break when you base the reply in FreeRADIUS, on the inner identity as opposed to the outer identity. So FreeRADIUS will copy all the attributes from the last attribute request into the internally proxied request, and base the reply to the NAS, on the attributes coming back as the result of the internal proxy. I have to do it like this else I get lots of duplicate reply attributes and things overwriting other things when they shouldn't. PEAP seems to work ok, but all the other TTLS tests break. Trying to track down what the issue is... I'll post some debug traces when i've moved the latest CVS to our "production" server. -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900