(RADIATOR) anonymous at myabc.com

Rogier Krieger rkrieger at gmail.com
Mon Oct 9 10:19:50 CDT 2006


More as a side-note, to show why 'anonymous@' isn't necessarily evil.

On 10/9/06, Jeff Wolfe <wolfe at ems.psu.edu> wrote:
> [...] most TTLS supplicants automatically set the outer
> identity to "anonymous".

Supplicants do so to aid end-user privacy. This is most useful in
roaming agreements that serve a (potentially vast) number of different
realms. The outer identity is only used in determining where a request
should be routed to.

In this scenario - or not to impede future implementations - one can
probably best see the 'anonymous' username as a special occurrence of
a random string being only meaningful to humans.

An intermediary does not usually know what usernames are valid for
foreign realms. Neither can it decrypt the inner identity, barring
administrator incompetence. All the intermediary has to do is properly
forward (foreign) requests.

When dealing with accounting, either bill all accounting requests of a
foreign realm to the roaming partner, or look into the goodies
directory for eap_anon_hook.pl and eap_ttls.cfg.

Cheers,

Rogier

-- 
If you don't know where you're going, any road will get you there.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
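
An added example, not part of the original post and not Radiator code: a Python sketch of an intermediary that routes on the realm of the outer identity only and bills accounting per foreign realm, treating the local part ('anonymous' or any random string) as opaque. The realm and server names, the choice of myabc.com as the local realm, the reject policy for unknown realms, and the sample records are all constructed assumptions.

```python
from collections import defaultdict

# Constructed configuration (hypothetical names, not from any real deployment).
LOCAL_REALM = "myabc.com"
ROAMING_PARTNERS = {
    "example.edu": "radius.example.edu",
    "example.org": "radius.example.org",
}


def split_outer_identity(user_name):
    # Returns (local_part, realm); realm is None when there is no '@'.
    # The local part is opaque to an intermediary and is never interpreted.
    local, sep, realm = user_name.rpartition("@")
    if not sep:
        return user_name, None
    return local, realm.lower().rstrip(".")


def route(user_name):
    # Decide where a request goes using the realm only.
    _local, realm = split_outer_identity(user_name)
    if realm is None or realm == LOCAL_REALM:
        return ("local", None)
    server = ROAMING_PARTNERS.get(realm)
    if server is None:
        return ("reject", None)  # assumed policy: no roaming agreement
    return ("proxy", server)


def bill_by_realm(accounting_records):
    # Sum session time per foreign realm, never per username.
    totals = defaultdict(int)
    for rec in accounting_records:
        _local, realm = split_outer_identity(rec["User-Name"])
        if realm in ROAMING_PARTNERS:
            totals[realm] += rec["Acct-Session-Time"]
    return dict(totals)


# Constructed sample accounting records.
SAMPLE = [
    {"User-Name": "anonymous@example.edu", "Acct-Session-Time": 600},
    {"User-Name": "x7Qp2@example.edu", "Acct-Session-Time": 300},
    {"User-Name": "@example.org", "Acct-Session-Time": 120},
    {"User-Name": "alice@myabc.com", "Acct-Session-Time": 50},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["User-Name"], "->", route(rec["User-Name"]))
    print(bill_by_realm(SAMPLE))
```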
