Question about cui.post-auth in FR 3
A.L.M.Buxey at lboro.ac.uk
A.L.M.Buxey at lboro.ac.uk
Wed Jul 9 12:42:43 CEST 2014
Hi,
> In FR 3.0.x prior to my query (and Alan D's fix), if you called 'cui' in default's post-auth (please note, *not* cui-inner, which still functions as advertised), User-Name was stripped regardless of whether a CUI was generated in the outer Access-Accept or not. IMO that was wrong. If anything, if it didn't generate a CUI, it should leave the User-Name well alone (which it does now).
yes, that is wrong - and I dont know where that came from as we have the older stuff here and
it didnt do that
> The fix Alan D has put in place means that *only* if a CUI exists in the outer Access-Accept, will User-Name be stripped.
..and that is wrong too IMHO - CUI isnt anonymous - CUI is an identifier that cannot be
influenced by the end user so can be trusted by a visited site to be something that will
mark the same person no matter what client (or change to CSI they do ) they use or change to their outerID that they do
alan
More information about the Freeradius-Users
mailing list