[RADIATOR] EAP Forcing outer identity to match inner identity

Stephen A. Felicetti stephen.felicetti at fccc.edu
Thu Nov 11 10:48:44 CST 2010


If I understand you correctly... are you looking to associate a user directly to a device they own (PDA, laptop, etc.)?

If so, I think the challenge would be how to control whether the outer identity can be changed by the user.  If I were a bad guy, I'd just impersonate someone else, and just change the outer identity as appropriate. If I were a good guy and needed to attach to the network on someone else's device, I would just enter my information as appropriate. Either way, I wouldn't take it as a reliable indicator of who is using what.

Having said that, I'm sorry to say that I wouldn't know how to do it without research.

-Steve


On Nov 11, 2010, at 11:31 AM, Johnson, Neil M wrote:

Because I want to make sure that the RADIUS accounting logs reflect the user's real identity for forensic purposes.

-Neil


--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-johnson at uiowa.edu


> -----Original Message-----
> From: Alan Buxey [mailto:A.L.M.Buxey at lboro.ac.uk]
> Sent: Thursday, November 11, 2010 10:25 AM
> To: Johnson, Neil M
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] EAP Forcing outer identity to match inner
> identity
>
> Hi,
> > Does anyone have a suggestion on how to reject a user if their outer
> > identity doesn't match their inner identity?
>
> Why should it? That's why the outer ID can be anonymous (granted,
> Windows has only just added that feature in Vista and 7 - but anonymous
> outer ID has been in most EAP clients for a long time). By enforcing this
> you force people to put their real ID into the open outer ID and thus
> tell remote places who they are. That shouldn't be the concern of the
> remote site - the home site cares because they are the ones that
> authenticate you and validate you.
>
> alan
_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator
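
As an added illustration (not part of the original thread and not Radiator configuration), the outer/inner comparison discussed above can be run offline over authentication records that log both identities, separating anonymous outer identities from genuine mismatches. The record layout, the `ANON_LOCALPARTS` set and the case-insensitive comparison are assumptions, and the sample records are constructed.

```python
# Assumption: outer local parts treated as anonymous ("@realm" or "anonymous@realm").
ANON_LOCALPARTS = {"", "anonymous"}

# Constructed sample records (not real log data):
# (calling station, outer identity, inner identity)
SAMPLE_AUTHS = [
    ("00-11-22-33-44-55", "alice@example.edu", "alice@example.edu"),
    ("00-11-22-33-44-66", "anonymous@example.edu", "bob@example.edu"),
    ("00-11-22-33-44-77", "@example.edu", "carol"),
    ("00-11-22-33-44-88", "alice@example.edu", "dave@example.edu"),
    ("00-11-22-33-44-99", "erin@other.example", "erin@example.edu"),
]


def split_identity(identity):
    """Split 'user@realm' into (user, realm), lowercased; realm is '' if absent."""
    identity = identity.strip()
    if "@" not in identity:
        return identity.lower(), ""
    user, realm = identity.rsplit("@", 1)
    return user.lower(), realm.lower()


def classify(outer, inner):
    """Compare an outer (unprotected) identity with the inner (tunnelled) one."""
    o_user, o_realm = split_identity(outer)
    i_user, i_realm = split_identity(inner)
    # Realms are compared only when both sides carry one.
    if o_realm and i_realm and o_realm != i_realm:
        return "realm-mismatch"
    if o_user in ANON_LOCALPARTS:
        return "anonymous-outer"
    return "match" if o_user == i_user else "user-mismatch"


def audit(records):
    """Return records whose outer identity does not name the inner user,
    i.e. sessions where accounting keyed on the outer identity would mislead."""
    findings = []
    for station, outer, inner in records:
        verdict = classify(outer, inner)
        if verdict != "match":
            findings.append((station, outer, inner, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHS):
        print(*finding, sep="  ")
```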

