(RADIATOR) Question about outer identities.

Terry Simons galimore at mac.com
Thu Aug 19 23:02:05 CDT 2004


Hi everybody,

I have some questions about the handling of outer identities, and some 
feature requests (If they aren't already implemented...)

I know that TTLS and PEAP allow the use of the "anonymous" outer 
identity (where the outer identity is anonymous at realm, for identity 
hiding).

Radiator, though, doesn't seem to be checking that outer == inner || 
outer == anonymous at utah.edu.  In other words, it is possible to do 
something like:

joe at utah.edu for the outer identity, and bob at utah.edu for the inner 
identity, and most authenticators will end up sending an accounting 
record for "joe at utah.edu" because that's all the authenticator really 
knows about (Unless your authenticator supports a reply-attribute with 
the username, but that's not really relevant to this conversation...)

So basically what I want to know is:

1) Is there a way to force Radiator to make sure that the outer 
identity is one of "anonymous at realm" OR "user at realm" (where user at realm 
is identical to the inner, or at least the "user" portion of the inner 
and outer match...)

2) Is there a way to force Radiator to NOT allow anonymous in the outer 
identity?  (This is something we are considering to help with 
accounting problems...)

Also, what does the "EAPAnonymous %0" directive do?  I can't find any 
references in the documentation to it.  It seems like, from what I 
gather, it uses the inner identity when handled by a TunnelledByPEAP = 
1 handler... is that correct, or am I way off base? ;-)

And finally, I found a typo in one of the goodies files... not a big 
deal, but I figured I would mention it.

File: eap_peap_tls.cfg
Line: 188
"tehre" should be "there"

- Terry

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
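The two rules asked about in questions 1) and 2), written out as a standalone policy check: the outer identity must be "anonymous@realm" or "user@realm" with the same user and realm as the inner identity, and anonymous outer identities can optionally be refused. This is an added illustration, not Radiator code; the function names, the `allow_anonymous` flag and the `anonymous` label are assumptions.

```python
"""Policy check for EAP-TTLS/PEAP outer vs. inner identities (added example)."""
from typing import NamedTuple, Optional

ANONYMOUS_USER = "anonymous"  # assumed label used for the identity-hiding outer name


class Nai(NamedTuple):
    user: str
    realm: str


def parse_nai(identity: str) -> Nai:
    """Split 'user@realm' on the last '@'. The realm is compared case-insensitively,
    the user part exactly; an identity without '@' has an empty realm."""
    user, sep, realm = identity.rpartition("@")
    if not sep:
        # rpartition put the whole string in 'realm' when no '@' is present
        return Nai(realm, "")
    return Nai(user, realm.lower())


def check_outer_identity(outer: str, inner: str,
                         allow_anonymous: bool = True) -> Optional[str]:
    """Return None if the outer identity is acceptable, otherwise a reason to reject.

    Accepted: outer realm == inner realm AND (outer user == inner user, or
    outer user == ANONYMOUS_USER when allow_anonymous is set).
    """
    o, i = parse_nai(outer), parse_nai(inner)
    if not i.user:
        return "inner identity has no user part"
    if o.realm != i.realm:
        return f"outer realm {o.realm!r} does not match inner realm {i.realm!r}"
    if o.user == ANONYMOUS_USER:
        if not allow_anonymous:
            return "anonymous outer identity not permitted"
        return None
    if o.user != i.user:
        # the 'joe' outer / 'bob' inner case: accounting would record the wrong user
        return f"outer user {o.user!r} does not match inner user {i.user!r}"
    return None
```

With the mismatched outer/inner pair from the question, the check rejects the request before any accounting record is written under the wrong name.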
