A.L.M.Buxey at lboro.ac.uk
Wed Mar 26 16:50:45 CET 2014


> To prevent identity spoofing in other dependent systems and make
> identity privacy explicit, I think it would be a very sensible default
> to make FreeRADIUS mandate that the user portion of the EAP
> outer-identity must be "anonymous" where the EAP outer-identity and
> inner-identity do not resolve to the same discrete user.

If you are the authenticator, i.e. the end RADIUS server, and can see
the inner and outer, then you *could* do that. If you are just a remote proxy
you'd never know... and thus can't enforce.

However, this is a bad idea... it's not about 'spoofing', it's about anonymity,
and the correct value should be NULL, i.e. '@realm.com', as per the NAI spec.

Anyway, other technologies such as Moonshot have already decreed anonymity
for the outer ID with blank user ID and only realm populated... so if you enforce
outer=inner your RADIUS server can never be used with Moonshot (GSS-EAP).
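
The following is an added example, not code from the list post or from the FreeRADIUS project: a small parser for the NAI form (user@realm) and the kind of outer/inner identity check that only the end RADIUS server, which sees both identities, could apply. It treats the realm-only form ('@realm.com') as the anonymous outer identity and also tolerates the literal user part "anonymous". The function names, the acceptance rule (blank/anonymous outer user part, or outer identical to inner) and the extra realm-consistency check are this example's own assumptions, not anything the post or the NAI spec mandates.

```python
"""NAI parsing and an outer/inner EAP identity policy check.

Added example for illustration; names and policy are this example's own.
A proxy that sees only the outer identity can call is_anonymous_outer();
only the terminating server can call check_outer_identity().
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class NAI:
    user: str              # "" for a realm-only identity such as "@realm.com"
    realm: Optional[str]   # None when the identity carries no '@' at all


def parse_nai(identity: str) -> NAI:
    """Split an NAI at its last '@' into user part and realm.

    "@example.com" -> NAI(user="", realm="example.com")   (realm-only form)
    "alice"        -> NAI(user="alice", realm=None)       (no routing info)
    "alice@"       -> ValueError ('@' present but realm empty)
    """
    if "@" not in identity:
        return NAI(user=identity, realm=None)
    user, _, realm = identity.rpartition("@")
    if not realm:
        raise ValueError(f"NAI {identity!r} has '@' but no realm")
    return NAI(user=user, realm=realm)


def is_anonymous_outer(outer: NAI) -> bool:
    """True when the outer identity reveals no user, only a routing realm.

    The realm-only form ("@realm.com") is the one the post calls correct.
    The literal user "anonymous" is accepted as well (assumption: many
    supplicants still send it). An identity with no realm at all cannot be
    routed and is not treated as a valid anonymous outer identity here.
    """
    return outer.realm is not None and outer.user in ("", "anonymous")


def _norm_realm(realm: Optional[str]) -> str:
    # Realms are DNS-style labels, so compare them case-insensitively.
    # User parts are left as-is: their case handling is realm-specific.
    return (realm or "").lower()


def check_outer_identity(outer_id: str, inner_id: str) -> Tuple[bool, str]:
    """Policy an end RADIUS server could apply once it sees both identities.

    Accept when the outer user part is blank/anonymous, or when outer and
    inner resolve to the same user@realm. Reject when the outer carries a
    user part that differs from the inner one (identity spoofing in logs or
    dependent systems). As an extra assumption of this example, an anonymous
    outer identity whose realm differs from an inner realm is also rejected,
    because the outer realm is what routed the request.
    """
    outer = parse_nai(outer_id)
    inner = parse_nai(inner_id)

    if is_anonymous_outer(outer):
        if inner.realm is not None and _norm_realm(inner.realm) != _norm_realm(outer.realm):
            return False, "realm mismatch between outer and inner identity"
        return True, "anonymous outer identity"

    if outer.user == inner.user and _norm_realm(outer.realm) == _norm_realm(inner.realm):
        return True, "outer identity equals inner identity"

    return False, "outer user part differs from inner identity"


if __name__ == "__main__":
    # Constructed sample pairs, not captured from any real deployment.
    samples = [
        ("@realm.com", "alice@realm.com"),
        ("anonymous@realm.com", "alice"),
        ("alice@realm.com", "alice@realm.com"),
        ("bob@realm.com", "alice@realm.com"),
        ("@other.com", "alice@realm.com"),
    ]
    for outer_id, inner_id in samples:
        ok, why = check_outer_identity(outer_id, inner_id)
        print(f"{outer_id:22} / {inner_id:18} -> {'accept' if ok else 'reject'}: {why}")
```

A proxy only ever holds the outer identity, so the most it can do is reject an outer identity for which is_anonymous_outer() is false; whether the outer and inner user parts agree is only knowable at the server that terminates the EAP tunnel.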


More information about the Freeradius-Users mailing list