Question about in FR 3

A.L.M.Buxey at A.L.M.Buxey at
Wed Jul 9 08:43:39 CEST 2014


>   Yes.  Because the CUI is supposed to be an opaque user identifier.
> The User-Name is a non-opaque user identifier.
>   So... handing out User-Name means that you've just told everyone who
> the user is.  Which means the secrecy added by CUI is pointless.

its not about 'handing out' the User-Name...the current stuff now strips the User-Name
from the outerID - thats the outerID that has already been seen by the visited
site or anyone along the proxy path - i would never proscribe putting the innerID
into the outerID...the server never did that unless you told it to - but suddenly
removing the User-Name from the outerID means that many RADIUS servers no longer
have a key element that they use for local RADIUS accounting - anonymousID is
one thin...but totally blank with no idea of realm etc is quite another. these
sites dont support CUI , know about it or care :(


More information about the Freeradius-Users mailing list