terminating EAP tunnels, proxy and realms

Josh Howlett Josh.Howlett at ja.net
Mon Jun 25 11:20:23 CEST 2007


Gah, my message bounced owing to a change of email address...

Arran wrote:
> Can you clear something up for me with inner/outer identity.
> The outer identity is in the User-Name attribute, it's a standard
> RADIUS attribute... Inner identity is encoded in the EAP message, and
> is pulled out by the EAP module prior to internal proxying and set as
> the User-Name attribute (which should overwrite the User-Name
> attribute in the request)?

Correct.

> And it's standard practice to leave the outer identity as anonymous,
> as the only communication between the NAS and the Supplicant is EAP
> based when using EAPOL, and so the NAS would have to understand EAP to
> be able to extract the User-Name string and write it into the
> Access-Request packet?

Nope; see RFC 3579 for the gory details:

"the NAS MUST copy the contents of the Type-Data field of the
EAP-Response/Identity received from the peer into the User-Name
attribute"

The use of "anonymous" is simply to preserve privacy; it's not a
technical requirement of any EAP method (that I know of).

An interesting tangent: note that "end-user identity hiding" is simply a
"requirement" of RFC 4017 ("EAP Method Requirements for Wireless LANs"),
which I think is a shame.

> So although the NAS must send an EAP-Identity-Request when the client
> connects it's not required to understand the EAP-Identity-Response?

For the reason given above, it *does* need to understand the
EAP-Identity-Response. But that's about it! The NAS is a pretty dumb
device.

josh.
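The exchange above, worked through in code as an added illustration (this is not code from the original message, from FreeRADIUS or from any NAS vendor): a NAS builds and parses an EAP-Response/Identity using the RFC 3748 packet layout (Code, Identifier, Length, Type, Type-Data) and copies the Type-Data into User-Name as RFC 3579 requires; the RADIUS server then takes its proxy decision on the realm of that outer identity, and once the tunnel is terminated the EAP module overwrites User-Name with the inner identity. The realm names, the "anonymous@..." outer identity and the attribute dictionary are constructed sample values; `realms_consistent` is a hypothetical defensive check, not something the thread describes.

```python
import struct

# EAP header and type constants from RFC 3748 (sections 4 and 5.1)
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def build_eap_identity_response(identifier: int, identity: str) -> bytes:
    """Build an EAP-Response/Identity: Code(1) Identifier(1) Length(2) Type(1) Type-Data.

    This is what the supplicant sends over EAPOL in answer to the NAS's
    EAP-Request/Identity.
    """
    type_data = identity.encode("utf-8")
    length = 5 + len(type_data)
    header = struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier, length, EAP_TYPE_IDENTITY)
    return header + type_data


def parse_eap_identity_response(packet: bytes) -> str:
    """Return the identity carried in an EAP-Response/Identity.

    This is the only piece of EAP a NAS has to understand: RFC 3579 requires
    it to copy this Type-Data into the RADIUS User-Name attribute.
    """
    if len(packet) < 5:
        raise ValueError("EAP packet shorter than header plus Type")
    code, _identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    if code != EAP_CODE_RESPONSE:
        raise ValueError("not an EAP Response")
    if eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Identity type")
    type_data = packet[5:length]
    # RFC 3748 section 5.1: the Identity Response MUST NOT be NUL-terminated
    if b"\x00" in type_data:
        raise ValueError("NUL inside Identity Response")
    return type_data.decode("utf-8")


def nas_user_name(eap_packet: bytes) -> str:
    """The User-Name a NAS places in its Access-Request (RFC 3579 section 2.1)."""
    return parse_eap_identity_response(eap_packet)


def split_nai(user_name: str):
    """Split an NAI 'user@realm' into (user, realm); realm is None when absent."""
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    return user, realm.lower()


def route_by_realm(user_name: str, local_realms) -> str:
    """Proxy decision taken on the *outer* identity only: a local realm is
    handled here, anything else goes to that realm's home server."""
    _user, realm = split_nai(user_name)
    if realm is None or realm in local_realms:
        return "local"
    return "proxy:" + realm


def inner_request(outer_attrs: dict, inner_identity: str) -> dict:
    """After the TLS tunnel is terminated, the EAP module sets User-Name from
    the identity found inside the tunnel, overwriting the anonymous outer
    value before the inner request is processed or proxied internally."""
    attrs = dict(outer_attrs)
    attrs["User-Name"] = inner_identity
    return attrs


def realms_consistent(outer_user_name: str, inner_identity: str) -> bool:
    """Hypothetical defensive check on the home server: the outer realm that
    routed the request should match the realm of the inner identity."""
    _o, outer_realm = split_nai(outer_user_name)
    _i, inner_realm = split_nai(inner_identity)
    return outer_realm == inner_realm


if __name__ == "__main__":
    # Constructed sample values for a walk-through of the thread's scenario
    pkt = build_eap_identity_response(1, "anonymous@example.ac.uk")
    outer = nas_user_name(pkt)
    print("outer User-Name from NAS:", outer)
    print("proxy decision:", route_by_realm(outer, {"example.ac.uk"}))
    print("inner request:", inner_request({"User-Name": outer}, "alice@example.ac.uk"))
```

Note that the NAS never sees the inner identity: it only parses the Identity Response on the wire and copies it, so "anonymous@realm" is enough for the proxy hop, and the real identity only appears after the home server terminates the tunnel.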
