(RADIATOR) Question about outer identities.

Mike McCauley mikem at open.com.au
Sun Aug 22 17:44:14 CDT 2004


Hello Terry,

On Friday 20 August 2004 14:02, Terry Simons wrote:
> Hi everybody,
>
> I have some questions about the handling of outer identities, and some
> feature requests (If they aren't already implemented...)
>
> I know that TTLS and PEAP allow the use of the "anonymous" outer
> identity (where the outer identity is anonymous at realm, for identity
> hiding).
>
> Radiator, though, doesn't seem to be checking that outer == inner ||
> outer == anonymous at utah.edu.  In other words, it is possible to do
> something like:
>
> joe at utah.edu for the outer identity, and bob at utah.edu for the inner
> identity, and most authenticators will end up sending an accounting
> record for "joe at utah.edu" because that's all the authenticator really
> knows about (Unless your authenticator supports a reply-attribute with
> the username, but that's not really relevant to this conversation...)

We believe that is a useful feature for some people, and that it is not 
prohibited by the spec.

>
> So basically what I want to know is:
>
> 1) Is there a way to force Radiator to make sure that the outer
> identity is one of "anonymous at realm" OR "user at realm" (where user at realm
> is identical to the inner, or at least the "user" portion of the inner
> and outer match...)

There is no built-in way to force this.

>
> 2) Is there a way to force Radiator to NOT allow anonymous in the outer
> identity?  (This is something we are considering to help with
> accounting problems...)
Several, which I will leave to Hugh to outline.


>
> Also, what does the "EAPAnonymous %0" directive do?  I can't find any
> references in the documentation to it.  It seems like, from what I
> gather, it uses the inner identity when handled by a TunnelledByPEAP =
> 1 handler... is that correct, or am I way off base? ;-)
EAPAnonymous specifies how the Radius User-Name will be constructed for the 
inner requests for TTLS and PEAP. It defaults to 'anonymous', but can be set 
to almost anything, including %0, which means 'the EAP identity used for the 
inner requests'.

Up until recently, the only doc for this was in the example config files. The 
next release will have complete docs for this parameter.

>
> And finally, I found a typo in one of the goodies files... not a big
> deal, but I figured I would mention it.

Fixed for the next release. Thanks.

>
> File: eap_peap_tls.cfg
> Line: 188
> "tehre" should be "there"
>
> - Terry
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list