EAP module will no longer accept realmless identities by default

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Apr 29 19:41:02 CEST 2021

	#  require_identity_realm:: Require that the EAP Identity provided contains
	#  a realm.
	#  If `require_identity_realm` is `nai`, the EAP identity provided must
	#  end with `@<label0>.<label1>[.<labelN>]`, i.e. an '@' followed by at least
	#  two DNS labels.
	#  If `require_identity_realm` is `yes`, the EAP identity provided must
	#  either match the NAI format described above, or a `Stripped-User-Domain`
	#  attribute must be present in the request list.
	#  This validation mode is intended to be used where Windows machine
	#  authentication is intermixed with user authentication.
	#  If `require_identity_realm` is `no`, no identity format checks are performed.
	#  It is NOT recommended to use this value.  Future security standards will
	#  key off the NAI realm to validate the certificate we (the EAP server) present.
	#  If you do not require an NAI realm be present in the EAP identity string,
	#  your users will not be able to take advantage of this added security when
	#  it is added by OS and device vendors.
#	require_identity_realm = nai

A new configuration item has been added to the EAP module, which, by default,
will prevent users from authenticating unless they provide an NAI style realm in the
EAP identity string, e.g. foo@example.org.

This will likely be backported to the v3.0.x branch, though the default value will
likely be "no" to avoid point release breakages.


Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

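Added example (Python, not FreeRADIUS code and not part of the post above): a check that mirrors the three `require_identity_realm` modes described in the module comment, including the "at least two DNS labels after the '@'" rule. The `request_attrs` dict is a stand-in for the RADIUS request list, and the sample identities are constructed.

```python
import re

# One DNS label: 1-63 chars of letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# Realm: at least two labels joined by dots, i.e. "@<label0>.<label1>[.<labelN>]".
_NAI_RE = re.compile(rf"^.*@(?P<realm>{_LABEL}(?:\.{_LABEL})+)$")


def nai_realm(identity: str):
    """Return the realm if identity ends with '@' plus >= 2 DNS labels, else None."""
    m = _NAI_RE.match(identity)
    return m.group("realm") if m else None


def identity_acceptable(identity: str, mode: str, request_attrs=None) -> bool:
    """Mirror the three require_identity_realm modes (nai / yes / no).

    request_attrs is a hypothetical dict standing in for the request list; only
    the presence of a Stripped-User-Domain key matters here.
    """
    request_attrs = request_attrs or {}
    if mode == "no":      # no identity format checks at all (not recommended)
        return True
    if mode == "nai":     # the identity string itself must carry the realm
        return nai_realm(identity) is not None
    if mode == "yes":     # NAI realm, or a domain already stripped by an earlier module
        return nai_realm(identity) is not None or "Stripped-User-Domain" in request_attrs
    raise ValueError(f"unknown require_identity_realm value: {mode!r}")


if __name__ == "__main__":
    # Constructed samples: a user, a Windows machine account, and a realmless username.
    samples = [
        ("foo@example.org", {}),
        ("host/pc1.corp.example.org", {"Stripped-User-Domain": "corp.example.org"}),
        ("bob", {}),
    ]
    for ident, attrs in samples:
        print(ident, {m: identity_acceptable(ident, m, attrs) for m in ("nai", "yes", "no")})
```

The machine-account case shows why `yes` exists: it has no '@' realm, so `nai` rejects it, but it passes once a prior module has populated `Stripped-User-Domain`.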