Question about in FR 3

A.L.M.Buxey at A.L.M.Buxey at
Wed Jul 9 12:42:43 CEST 2014


> In FR 3.0.x prior to my query (and Alan D's fix), if you called 'cui' in default's post-auth (please note, *not* cui-inner, which still functions as advertised), User-Name was stripped regardless of whether a CUI was generated in the outer Access-Accept or not. IMO that was wrong. If anything, if it didn't generate a CUI, it should leave the User-Name well alone (which it does now).

yes, that is wrong - and I dont know where that came from as we have the older stuff here and
it didnt do that

> The fix Alan D has put in place means that *only* if a CUI exists in the outer Access-Accept, will User-Name be stripped. 

..and that is wrong too IMHO  - CUI isnt anonymous - CUI is an identifier that cannot be
influenced by the end user so can be trusted by a visited site to be something that will
mark the same person no matter what client (or change to CSI they do ) they use or change to their outerID that they do


More information about the Freeradius-Users mailing list