Normalising the User-Name AVP in an Access-Accept

Nick Lowe nick.lowe at gmail.com
Thu Apr 18 18:37:23 CEST 2013 

> So which id are you talking about?
> if its the outer and the user has configured the machine correctly, all you're going to see is @realm - not much use other than "it's that institution"
> if its the inner then o.k. you've got a realm from the outer user-name and a userid from the inner but any accounting will be dumped locally.
> if its the inner and you've got a realm then you've got your userid to hand over and all the accounting should go back to the home institution
>
> … or have I got that wrong?
> Rgds
> A

I am primarily interested in returning the inner identity normalised
as username at realm in the User-Name AVP in Access-Accepts for
authentication performed internally so that the Aerohive APs we have
are able to work with the real identity rather than the anonymous
outer. This is important for us to get the new L7 application
visibility features in HiveOS 6.0 working properly and have some
value.

Additionally, for internal authentication, users can get away with
simply using username, realm\username or username at realm in the inner
and, at present, the Aerohive APs treat the same user as being
discrete users where the identity is supplied in a different format. I
want to sort this somehow... (I am, however, loathed to mandate that
the identity be supplied as username at realm to begin with as it will
break existing configuration. This for authentication not on an
eduroam SSID.)

For eduroam in general, it would be far less of an issue as users are
always forced to use the fully qualified username at realm (often
anonymous at realm) but I would be interested in a method to get an
anonymised unique id for the user from the home institution. (Is that
personal data at that point? In the case of abuse, you would still
have to go back to the home institution and know nothing about the
user as you do not have their real identity.)

Thinking about things, I think an appropriate compromise for Eduroam,
therefore, would be to mandate the return an anonymised unique id with
realm for each user in the User-Name AVP in the Access-Accept.
Thoughts?

Nick

More information about the Freeradius-Users mailing list