Normalising the User-Name AVP in an Access-Accept
Nick Lowe
nick.lowe at gmail.com
Thu Apr 18 17:54:23 CEST 2013
> As an aside to the mechanics of this, if you do this, test your NAS under
> simulated user load. We found that our Cisco WLC equipment didn't like
> that and leaked internal resources, which eventually ran out. We were
> adding some additional information to the username, so we had many more
> differences between the outer and inner IDs, and even so it took a few
> days for the problem to come to a head.
Interesting! Thanks for the heads up.
> This should be fixed in latest software, but we haven't re-tested that yet.
>
> It also wouldn't hurt to sniff the resulting EAPOL and any associated packets
> to ensure the NAS hasn't figured out some vendor-specific way to leak
> that inner identity to the wire/wifi, and of course review your security
> expectations between the AS and NAS.
Agreed, the main concern for me would be leakage via wireless.
I see the main purpose of identity privacy with PKI EAPs being to
protect the identity from being trivially snooped by an outsider.
With federations, I think it would be perfectly reasonable to expect
and require the real identity be returned back to the host
institution. (I expect others will, perhaps, disagree here though!?
:P)
Nick
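The thread's subject is what the AS sends back as User-Name in the Access-Accept, and the quoted advice is to verify what identity the NAS then sees. The following is an added example, not code from the thread or from FreeRADIUS: a minimal RFC 2865 attribute parser plus a check that compares the outer User-Name in an Access-Request with the User-Name returned in the matching Access-Accept, so an operator can audit whether the real (inner) identity has been placed into the reply. The sample packets are constructed inline with zeroed authenticators; the identities in them are made up.

```python
import struct

# RADIUS codes and attribute types from RFC 2865
RADIUS_ACCESS_REQUEST = 1
RADIUS_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)


def build_radius_packet(code, identifier, attributes):
    """Build a minimal RADIUS packet with a zeroed authenticator.

    Constructed for this example only; the Message-Authenticator and
    Response Authenticator are not computed, so these bytes are for
    parsing practice, not for sending to a real server.
    """
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + b"\x00" * 16 + body


def parse_radius_packet(data):
    """Return (code, identifier, [(type, value), ...]).

    Rejects truncated headers, a length field that overruns the buffer,
    and attributes whose length runs past the packet, rather than
    silently reading garbage.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > len(data):
        raise ValueError("bad length field")
    attrs = []
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, attrs


def user_name(attrs):
    """First User-Name value in an attribute list, or None if absent."""
    for attr_type, value in attrs:
        if attr_type == ATTR_USER_NAME:
            return value.decode("utf-8", errors="replace")
    return None


def check_identity_rewrite(request, accept):
    """Compare the outer User-Name of an Access-Request with the User-Name
    carried in the Access-Accept for the same identifier.

    A 'rewritten' result means the AS has put a different identity into
    the reply, which is exactly the value the NAS will log and may expose.
    """
    req_code, req_id, req_attrs = parse_radius_packet(request)
    acc_code, acc_id, acc_attrs = parse_radius_packet(accept)
    if req_code != RADIUS_ACCESS_REQUEST or acc_code != RADIUS_ACCESS_ACCEPT:
        raise ValueError("expected an Access-Request and an Access-Accept")
    if req_id != acc_id:
        raise ValueError("identifier mismatch: not a request/response pair")
    outer = user_name(req_attrs)
    returned = user_name(acc_attrs)
    return {
        "outer_identity": outer,
        "returned_identity": returned,
        "rewritten": returned is not None and returned != outer,
    }


# Constructed sample traffic (made-up realm and user).
SAMPLE_REQUEST = build_radius_packet(
    RADIUS_ACCESS_REQUEST, 7, [(ATTR_USER_NAME, b"anonymous@example.ac.uk")])
# Accept that normalises User-Name to the real identity.
SAMPLE_ACCEPT_REWRITTEN = build_radius_packet(
    RADIUS_ACCESS_ACCEPT, 7, [(ATTR_USER_NAME, b"jsmith@example.ac.uk")])
# Accept that returns no User-Name at all.
SAMPLE_ACCEPT_PLAIN = build_radius_packet(RADIUS_ACCESS_ACCEPT, 7, [])

if __name__ == "__main__":
    print(check_identity_rewrite(SAMPLE_REQUEST, SAMPLE_ACCEPT_REWRITTEN))
    print(check_identity_rewrite(SAMPLE_REQUEST, SAMPLE_ACCEPT_PLAIN))
```

Run over a real capture, the same check tells you, per request/response pair, which identity left the AS; combining it with the EAPOL sniffing suggested above shows whether the NAS carried that value any further.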