Jan Rafaj jr-freeradius at cedric.unob.cz
Wed Mar 26 18:42:01 CET 2014

>> Nick Lowe wrote:

>> 1. The EAP terminating RADIUS server returns the User-Name attribute
>> with the client's real identity AND that the NASes support processing
>> this attribute.
> Alan DeKok wrote:

>  Which is a good idea.  But as Arran pointed out, CUI is arguably the
> better choice.


>> 2. The EAP terminating RADIUS server else mandates that the EAP
>> outer-identity and EAP inner-identity resolve to the same discrete
>> user, prohibiting the use of anonymous EAP outer-identities.
>  That will NEVER happen.  Never, never, never.  It's a terrible idea.

Here I dare to respectfully disagree (at least for the moment being :).

There needs to be a way for (EDUROAM terminology used) the Service
Provider to block a particular roaming identity's access to their NAS,
should such a need occur (and not a whole realm), in a timely fashion.
For roaming users, SPs are typically exposed only to the outer identity 
through accounting of their local RADIUS server that the roaming identity 
uses for proxying.

For me, it has two outcomes: it would require all EDUROAM IdPs to either
a) mandate use of CUI (preferably, but I cannot somehow recall how a
    third party could check whether a particular IdP provides CUI on their
    terminating RADIUS server(s)), or
b) mandate same inner and outer identity, as suggested by Nick.
    AFAIK, some EDUROAM IdPs (that do not implement CUI) actually do this
    as a favor for any other EDUROAM participating SP so that (based on the
    outer identity of abusive roaming user gathered from local NAS
    accounting) they can immediately:
    1) identify the roaming abuser, and
    2) lock him/her out on their proxying RADIUS until his/her home
       IdP takes an action

IIRC, there is a nice document describing the problem from SP sysadmin
perspective (see paragraph 2.1):


With kind regards,

Jan Rafaj
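
As an added illustration of the point argued above (not part of the original post): a small check an SP could run over its own accounting records to decide which attribute it can block on without locking out a whole realm. The attribute names are the standard RADIUS ones; the realm, CUI values and station IDs are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Local parts that carry no per-user information (constructed convention for this example).
ANONYMOUS_LOCAL_PARTS = {"", "anonymous", "anon"}

@dataclass(frozen=True)
class AcctRecord:
    user_name: str           # outer identity (User-Name) as seen in the SP's accounting
    cui: Optional[str]       # Chargeable-User-Identity, only if the home IdP returns it
    calling_station_id: str  # client MAC (constructed values below)

def is_anonymous_outer(user_name: str) -> bool:
    """True when the outer identity identifies only the realm, not a user."""
    local, _, _realm = user_name.partition("@")
    return local.lower() in ANONYMOUS_LOCAL_PARTS

def block_key(rec: AcctRecord) -> Optional[Tuple[str, str]]:
    """Return the (attribute, value) an SP can block on, or None.

    CUI is preferred; User-Name is usable only when inner == outer identity
    (a non-anonymous outer identity). With only an anonymous outer identity
    a block would lock out the whole realm, which the post argues against.
    """
    if rec.cui:
        return ("Chargeable-User-Identity", rec.cui)
    if not is_anonymous_outer(rec.user_name):
        return ("User-Name", rec.user_name)
    return None

def stations_hit(records: List[AcctRecord], key: Tuple[str, str]) -> int:
    """Number of distinct client stations a block on `key` would affect."""
    attr, value = key
    field = "cui" if attr == "Chargeable-User-Identity" else "user_name"
    return len({r.calling_station_id for r in records if getattr(r, field) == value})

# Constructed sample accounting: three roaming users from the same realm share
# the anonymous outer identity; one local user has inner == outer identity.
RECORDS = [
    AcctRecord("anonymous@example.edu", "cui-abuser-01", "00:11:22:33:44:01"),
    AcctRecord("anonymous@example.edu", "cui-user-02",   "00:11:22:33:44:02"),
    AcctRecord("anonymous@example.edu", None,            "00:11:22:33:44:03"),
    AcctRecord("alice@example.edu",     None,            "00:11:22:33:44:04"),
]

if __name__ == "__main__":
    key = block_key(RECORDS[0])
    print(key, "affects", stations_hit(RECORDS, key), "station(s)")
    print("outer identity block affects", stations_hit(RECORDS, ("User-Name", "anonymous@example.edu")))
```

With CUI the block reaches exactly one station; blocking on the shared anonymous outer identity would reach all three roaming sessions from that realm.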
