Jan Rafaj wrote:
There needs to be a way for (EDUROAM terminology used) the Service Provider to block a particular roaming identity access to their NAS, should such a need occur (and not a whole realm), in a timely fashion. For roaming users, SPs are typically exposed only to the outer identity through accounting of their local RADIUS server that the roaming identity uses for proxying.
That requirement conflicts with everyone *else's* requirement that the outer ID be anonymized.
For me, it has two outcomes: it would require all EDUROAM IdPs to either a) mandate use of CUI (preferrably, but I cannot somehow recall how a third party could check whether particular IdP provides CUI on their terminating RADIUS server(s),
It can't.
b) mandate same inner and outer identity, as suggested by Nick. AFAIK, some EDUROAM IdPs (that do not implement CUI) actually do this as a favor for any other EDUROAM participating SP so that (based on the outter identity of abusive roaming user gathered from local NAS accounting) they can immediately: 1) identify the roaming abuser, and 2) lock him/her out on their proxying RADIUS until his/her home IdP takes an action
That's definitely useful. But not needed for everyone else. Alan DeKok.