Accounting Packets and Anonymous Identity
p.mayers at imperial.ac.uk
Sun Feb 5 14:14:16 CET 2017
On 05/02/17 11:12, Brian Candler wrote:
> It can be argued that using the outer identity in accounting packets is
> reasonable behaviour. After all, the whole reason the client chose
> "anonymous" was so that a network sniffer could not see their real
> identity. If the NAS included the real identity in accounting packets,
> then a sniffer would see it.
Sort of. There are really two use-cases AFAICT:
1. "anonymous" in the EAP packet on the wired/wireless LAN to hide your
identity from passive sniffers outside the network e.g. someone sitting
in the same coffee shop with a wifi sniffer.
2. "anonymous" in the RADIUS packets and accounting to hide your
identity from the NAS (the latter particularly in a federated network
like eduroam where SP and IdP are different entities)
I don't think "anonymous" was ever really intended to protect against
sniffing of the accounting packets between NAS & radius server - if you
have attacks at that level, you have bigger problems and should be using
IPSec or RADSEC.
More information about the Freeradius-Users