Question about cui.post-auth in FR 3
A.L.M.Buxey at lboro.ac.uk
Wed Jul 9 08:43:39 CEST 2014
Hi,
> Yes. Because the CUI is supposed to be an opaque user identifier.
> The User-Name is a non-opaque user identifier.
>
> So... handing out User-Name means that you've just told everyone who
> the user is. Which means the secrecy added by CUI is pointless.
it's not about 'handing out' the User-Name...the current stuff now strips the User-Name
from the outerID - that's the outerID that has already been seen by the visited
site or anyone along the proxy path - I would never proscribe putting the innerID
into the outerID...the server never did that unless you told it to - but suddenly
removing the User-Name from the outerID means that many RADIUS servers no longer
have a key element that they use for local RADIUS accounting - anonymousID is
one thing...but totally blank with no idea of realm etc is quite another. these
sites don't support CUI, know about it or care :(
alan