Alan DeKok aland at deployingradius.com
Wed Mar 26 19:15:32 CET 2014

Jan Rafaj wrote:
> There needs to be a way for (EDUROAM terminology used) the Service
> Provider to block a particular roaming identity access to their NAS,
> should such a need occur (and not a whole realm), in a timely fashion.
> For roaming users, SPs are typically exposed only to the outer identity
> through accounting of their local RADIUS server that the roaming
> identity uses for proxying.

  That requirement conflicts with everyone *else's* requirement that the
outer ID be anonymized.

> For me, it has two outcomes: it would require all EDUROAM IdPs to either
> a) mandate use of CUI (preferably, but I cannot somehow recall how a
>    third party could check whether particular IdP provides CUI on their
>    terminating RADIUS server(s),

  It can't.

> b) mandate same inner and outer identity, as suggested by Nick.
>    AFAIK, some EDUROAM IdPs (that do not implement CUI) actually do this
>    as a favor for any other EDUROAM participating SP so that (based on the
>    outer identity of abusive roaming user gathered from local NAS
>    accounting) they can immediately:
>    1) identify the roaming abuser, and
>    2) lock him/her out on their proxying RADIUS until his/her home
>       IdP takes an action

  That's definitely useful.  But not needed for everyone else.

  Alan DeKok.
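The SP-side lockout described in the quoted message (block one roaming outer identity on the SP's own proxying RADIUS server until the home IdP acts) can be expressed as a short FreeRADIUS 3.x unlang fragment. This is an added illustration, not code from the thread or from the FreeRADIUS project; the identity string and the section layout are constructed, and it assumes the default 3.x server where the `suffix` module selects the realm to proxy to. Because the check runs before `suffix`, the request is refused locally and never forwarded to the home realm.

```unlang
# Added example (not from the thread): SP-side "authorize" section that
# refuses one specific roaming outer identity before the request is proxied.
# The identity below is a constructed placeholder.
authorize {
    # For a roaming user this outer User-Name is all the SP can see; it is
    # the same value that appears in the SP's local accounting records.
    if (&User-Name == "blocked.user@example-idp.edu") {
        # Reject locally; the home IdP is never contacted for this request.
        reject
    }

    # Normal flow continues for everyone else: pick the realm from the
    # User-Name suffix and proxy the EAP conversation to the home IdP.
    suffix
    eap
}
```

The comparison is against the outer identity only, so it works exactly as far as the thread's assumptions hold: the IdP must send the same inner and outer identity, or supply a stable CUI; against an anonymized outer identity such as `anonymous@example-idp.edu` this rule would match every user of that realm and should not be used.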

More information about the Freeradius-Users mailing list