Question about in FR 3

Scott Armitage S.P.Armitage at
Tue Jul 8 15:02:38 CEST 2014

On 8 Jul 2014, at 13:54, Alan DeKok <aland at> wrote:

> Stefan Paetow wrote:
>> Alan, 
>> Would you want to throw the User-Name out even if no CUI was generated? Because that's certainly the current behaviour (and bolloxed up some testing here).
>  Yes.  Because the CUI is supposed to be an opaque user identifier.
> The User-Name is a non-opaque user identifier.
>  So... handing out User-Name means that you've just told everyone who
> the user is.  Which means the secrecy added by CUI is pointless.

The outer-identity was seen in the first instance anyway when the client initiated its EAP conversation. True, the inner identity shouldn’t be leaked, but that is the case whether a CUI is present or not.
Surely the User-Name in the Access-Accept should be the original outer-identity.  

Scott Armitage

More information about the Freeradius-Users mailing list