Normalising the User-Name AVP in an Access-Accept

Brian Julin BJulin at clarku.edu
Thu Apr 18 17:41:32 CEST 2013



> Nick Lowe wrote:
> So, a compliant NAS that is able to treat the User-Name AVP as being
> authoritative would get to see the real, inner identity and in a
> normalised form.

As an aside to the mechanics of this, if you do this, test your NAS under
simulated user load.  We found that our Cisco WLC equipment didn't like
that and leaked internal resources, which eventually ran out.  We were
adding some additional information to the username, so we had many more
differences between the outer and inner IDs, and even so it took a few
days for the problem to come to a head.

This should be fixed in latest software, but we haven't re-tested that yet.

It also wouldn't hurt to sniff the resulting EAPOL and any associated packets
to ensure the NAS hasn't figured out some vendor-specific way to leak
that inner identity to the wire/wifi, and of course review your security
expectations between the AS and NAS.







More information about the Freeradius-Users mailing list