Normalising the User-Name AVP in an Access-Accept
Wilco Baan Hofman
wilco at baanhofman.nl
Fri Apr 19 09:33:16 CEST 2013
On Thu, 2013-04-18 at 16:54 +0100, Nick Lowe wrote:
> Agreed, the main concern for me would be leakage via wireless.
>
> I see the main purpose of identity privacy with PKI EAPs being to
> protect the identity from being trivially snooped by an outsider.
>
> With federations, I think it would be perfectly reasonable to expect
> and require the real identity be returned back to the host
> institution. (I expect others will, perhaps, disagree here though!?
> :P)

I disagree, I return an anonymous override for our realm in
Access-Accept to all our outward facing RADIUS servers, because that is
transferred in plaintext.

I also see no need to know all usernames from everybody who's roaming to
us.

Regards,
Wilco Baan Hofman