IP-Address

Nick Lowe nick.lowe at gmail.com
Wed Mar 26 17:34:22 CET 2014


Sure, I do mean only at the EAP terminating RADIUS server. And, yup,
agreed a null/empty user portion should be acceptable too. It's
actually better in many ways as it cannot collide with any genuine
username as anonymous could - but pragmatically I think both null and
"anonymous" would be needed by default.

Nick

On Wed, Mar 26, 2014 at 11:50 PM,  <A.L.M.Buxey at lboro.ac.uk> wrote:
> Hi,
>
>> To prevent identity spoofing in other dependent systems and make
>> identity privacy explicit, I think it would be a very sensible default
>> to make FreeRADIUS mandate that the user portion of the EAP
>> outer-identity must be "anonymous" where the EAP outer-identity and
>> inner-identity do not resolve to the same discrete user.
>
> if you are the authenticator - i.e. the end RADIUS server and can see
> the inner and outer then you *could* do that - if you are just a remote proxy
> you'd never know...and thus can't enforce.
>
> however this is a bad idea...it's not about 'spoofing' - it's about anonymity.
> and the correct value should be NULL - i.e. '@realm.com' - as per the NAI spec.
>
> anyway, other technologies such as moonshot have already decreed anonymity
> for the outerID with blank userID and only realm populated...so if you enforce
> outer=inner your RADIUS server can never be used with moonshot (GSS-EAP)
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
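A policy check of the kind discussed above, written as an added example for this thread (it is not FreeRADIUS code): an outer identity passes only when its user part is empty or "anonymous" with a realm present, or when it names the same user as the inner identity. It assumes NAI-style user@realm identities and that it runs on the EAP-terminating server, which is the only place both identities are visible; the helper names and sample identities are constructed.

```python
from typing import NamedTuple, Optional, Tuple

# Both forms are accepted by default, as the thread suggests (assumption: policy of this example).
ANONYMOUS_USERS = {"", "anonymous"}


class NAI(NamedTuple):
    user: str
    realm: Optional[str]


def parse_nai(identity: str) -> NAI:
    """Split an identity at its last '@'; a missing '@' means no realm."""
    user, sep, realm = identity.rpartition("@")
    if not sep:
        # rpartition puts the whole string in the last slot when '@' is absent
        return NAI(user=realm, realm=None)
    return NAI(user=user, realm=realm.lower())


def outer_identity_ok(outer: str, inner: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for an outer/inner identity pair."""
    o, i = parse_nai(outer), parse_nai(inner)
    if o.user.lower() in ANONYMOUS_USERS:
        if o.realm is None:
            # '@realm.com' is the NAI form; without a realm there is nothing to route on
            return False, "anonymous outer identity needs a realm"
        return True, "anonymous outer identity"
    # Inner identities are often bare usernames (no realm); compare realms only if both are present.
    same_realm = i.realm is None or i.realm == o.realm
    if o.user == i.user and same_realm:
        return True, "outer identity names the same user as the inner identity"
    return False, "outer user does not match inner user; would expose or misattribute a different identity"


if __name__ == "__main__":
    # Constructed sample pairs (outer, inner)
    for pair in [("@example.org", "alice@example.org"),
                 ("anonymous@example.org", "alice"),
                 ("alice@example.org", "alice"),
                 ("bob@example.org", "alice@example.org"),
                 ("anonymous", "alice@example.org")]:
        ok, why = outer_identity_ok(*pair)
        print(f"{pair[0]!r:28} inner={pair[1]!r:22} -> {'accept' if ok else 'reject'}: {why}")
```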

