Normalising the User-Name AVP in an Access-Accept
nick.lowe at gmail.com
Thu Apr 18 17:54:23 CEST 2013
> As an aside to the mechanics of this, if you do this, test your NAS under
> simulated user load. We found that our Cisco WLC equipment didn't like
> that and leaked internal resources, which eventually ran out. We were
> adding some additional information to the username, so we had many more
> differences between the outer and inner IDs, and even so it took a few
> days for the problem to come to a head.
Interesting! Thanks for the heads up.
> This should be fixed in latest software, but we haven't re-tested that yet.
> It also wouldn't hurt to sniff the resulting EAPOL and any associated packets
> to ensure the NAS hasn't figured out some vendor-specific way to leak
> that inner identity to the wire/wifi, and of course review your security
> expectations between the AS and NAS.
Agreed, the main concern for me would be leakage via wireless.
I see the main purpose of identity privacy with PKI EAPs being to
protect the identity from being trivially snooped by an outsider.
With federations, I think it would be perfectly reasonable to expect
and require the real identity be returned back to the host
institution. (I expect others will, perhaps, disagree here though!?
More information about the Freeradius-Users