IP-Address

Nick Lowe nick.lowe at gmail.com
Wed Mar 26 16:41:48 CET 2014


Sure, you would definitely want a list of approved user portions of
outer identities and for this to be configurable. Who knows, somebody
might have a real user called anonymous!
I meant from a default configuration perspective, mandating that the
user portion must be "anonymous" or resolve to the same discrete user.

On Wed, Mar 26, 2014 at 11:14 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 26/03/14 14:33, Nick Lowe wrote:
>>
>> To prevent identity spoofing in other dependent systems and make
>> identity privacy explicit, I think it would be a very sensible default
>> to make FreeRADIUS mandate that the user portion of the EAP
>> outer-identity must be "anonymous" where the EAP outer-identity and
>> inner-identity do not resolve to the same discrete user.
>
>
> Well, the *default config* might mandate that by having a policy. But fairly
> obviously it shouldn't be hard-coded anywhere.
>
> FWIW I've seen lots of variations of a generic name as anonymous outer, not
> just the empty string or "anonymous".
>
> Trusting the outer ID is always wrong.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
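
The default policy discussed in this thread, sketched as an added example (it is not part of the original messages and is not FreeRADIUS code or configuration). It assumes identities of the form "user@realm" compared case-insensitively; the function names and the `resolve` hook are hypothetical.

```python
# Added example: policy logic only, not FreeRADIUS configuration or code.
# Assumption: identities are "user@realm" and compare case-insensitively.

# Configurable list of approved anonymous user portions (lower-case).
DEFAULT_ANONYMOUS_USERS = frozenset({"anonymous", ""})


def split_identity(identity):
    """Return (user, realm), lower-cased; realm is '' when no '@' is present."""
    identity = identity.strip().lower()
    if "@" in identity:
        user, realm = identity.rsplit("@", 1)
    else:
        user, realm = identity, ""
    return user, realm


def check_outer_identity(outer, inner,
                         anonymous_users=DEFAULT_ANONYMOUS_USERS,
                         resolve=split_identity):
    """Decide whether an EAP outer identity is acceptable for an inner one.

    resolve maps an identity to the key that identifies one discrete user
    (hypothetical hook; a deployment might look up aliases in a directory).
    Returns (accepted, reason).
    """
    outer_user, _ = split_identity(outer)
    if outer_user in anonymous_users:
        return True, "outer identity uses an approved anonymous user portion"
    if resolve(outer) == resolve(inner):
        return True, "outer and inner identities resolve to the same user"
    return False, "outer identity names a different user than the inner identity"


if __name__ == "__main__":
    # Constructed sample identities, not taken from any real deployment.
    samples = [
        ("anonymous@example.org", "alice@example.org"),
        ("@example.org", "alice@example.org"),
        ("Alice@Example.org", "alice@example.org"),
        ("bob@example.org", "alice@example.org"),
    ]
    for outer, inner in samples:
        print(outer, inner, check_outer_identity(outer, inner))
```

Whatever the outcome of the check, dependent systems should key on the inner identity, which is the one that was authenticated.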

