Normalising the User-Name AVP in an Access-Accept

Wilco Baan Hofman wilco at
Fri Apr 19 09:33:16 CEST 2013

On Thu, 2013-04-18 at 16:54 +0100, Nick Lowe wrote:

> Agreed, the main concern for me would be leakage via wireless.
> I see the main purpose of identity privacy with PKI EAPs being to
> protect the identity from being trivially snooped by an outsider.
> With federations, I think it would be perfectly reasonable to expect
> and require the real identity be returned back to the host
> institution. (I expect others will, perhaps, disagree here though!?
> :P)

I disagree; I return an anonymous override for our realm in
Access-Accept to all our outward-facing RADIUS servers, because that is
transferred in plaintext.

I also see no need to know all usernames from everybody who's roaming to


Wilco Baan Hofman
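
The message above says the User-Name in an Access-Accept crosses the federation in plaintext. The following is an added example, not part of the original post and not FreeRADIUS code: it encodes an Access-Accept per RFC 2865, reads the User-Name back without the shared secret, and then builds the reply with an anonymous override. The `anonymous@realm` form, the secret, the request authenticator and the sample user are constructed assumptions.

```python
import hashlib
import struct

ACCESS_ACCEPT = 2
USER_NAME = 1  # attribute type 1, RFC 2865 section 5.1
# Constructed sample values (assumptions, not taken from the thread).
SECRET = b"constructed-secret"
REQ_AUTH = bytes(range(16))
REAL = [(USER_NAME, b"alice@example.org"), (27, struct.pack("!I", 3600))]


def build_accept(ident, request_auth, secret, attrs):
    """Encode an Access-Accept and compute its Response Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # RFC 2865 section 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def parse_attrs(packet):
    """Return [(type, value)] from a RADIUS packet; no secret is needed."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        t, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((t, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def anonymise(attrs, realm):
    """Override User-Name with anonymous@realm; keep all other attributes."""
    anon = ("anonymous@" + realm).encode()
    return [(USER_NAME, anon)] + [(t, v) for t, v in attrs if t != USER_NAME]


def observed_user_name(packet):
    """What any on-path proxy or capture sees in the User-Name AVP."""
    names = [v for t, v in parse_attrs(packet) if t == USER_NAME]
    return names[0].decode() if names else None
```

The override is applied before `build_accept` computes the Response Authenticator, so the authenticator covers the anonymous value and still verifies at the receiving server.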
