Normalising the User-Name AVP in an Access-Accept

Wilco Baan Hofman wilco at baanhofman.nl
Fri Apr 19 09:33:16 CEST 2013


On Thu, 2013-04-18 at 16:54 +0100, Nick Lowe wrote:

> Agreed, the main concern for me would be leakage via wireless.
> 
> I see the main purpose of identity privacy with PKI EAPs being to
> protect the identity from being trivially snooped by an outsider.
> 
> With federations, I think it would be perfectly reasonable to expect
> and require the real identity be returned back to the host
> institution. (I expect others will, perhaps, disagree here though!?
> :P)

I disagree, I return an anonymous override for our realm in
Access-Accept to all our outward facing RADIUS servers, because that is
transferred in plaintext.

I also see no need to know all usernames from everybody who's roaming to
us. 

Regards,

Wilco Baan Hofman
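
The point made in the reply above, shown at the wire level as an added example that is not part of the original post and is not FreeRADIUS configuration: User-Name in an Access-Accept is only integrity-protected, so it can be read without the shared secret, and overriding it means recomputing Message-Authenticator (RFC 3579) and the Response Authenticator (RFC 2865). The identity, realm, secret, Request Authenticator and helper function names are constructed for illustration.

```python
import hashlib, hmac, struct

USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80  # attribute types from RFC 2865 / RFC 3579
ACCESS_ACCEPT = 2

def parse_attrs(data):
    """Split the attribute section of a RADIUS packet into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_reply(code, ident, req_auth, attrs, secret):
    """Encode a reply; fills in Message-Authenticator (if listed) and Response Authenticator."""
    body, mac_at = bytearray(), None
    for t, v in attrs:
        if t == MESSAGE_AUTHENTICATOR:
            mac_at, v = len(body) + 2, bytes(16)  # zeroed while the HMAC is computed
        body += bytes([t, len(v) + 2]) + v
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    if mac_at is not None:
        body[mac_at:mac_at + 16] = hmac.new(secret, head + req_auth + body, hashlib.md5).digest()
    return head + hashlib.md5(head + req_auth + body + secret).digest() + bytes(body)

def user_name_on_wire(packet):
    """What any on-path observer reads: User-Name is not encrypted, no secret needed."""
    return next((v.decode() for t, v in parse_attrs(packet[20:]) if t == USER_NAME), None)

def anonymise_accept(packet, req_auth, secret, realm):
    """Verify an Access-Accept, then re-issue it with User-Name set to anonymous@realm."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs = parse_attrs(packet[20:])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    if not hmac.compare_digest(packet, build_reply(code, ident, req_auth, attrs, secret)):
        raise ValueError("authenticator check failed")
    outer = b"anonymous@" + realm.encode()
    return build_reply(code, ident, req_auth, [(t, outer if t == USER_NAME else v) for t, v in attrs], secret)

# Constructed sample: identity, realm, secret and Request Authenticator are made up.
SECRET, REQ_AUTH = b"constructed-secret", bytes(range(16))
internal = build_reply(ACCESS_ACCEPT, 7, REQ_AUTH,
                       [(USER_NAME, b"alice@example.org"), (MESSAGE_AUTHENTICATOR, b"")], SECRET)
outward = anonymise_accept(internal, REQ_AUTH, SECRET, "example.org")
print(user_name_on_wire(internal), "->", user_name_on_wire(outward))
```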


