[RADIATOR] EAP Forcing outer identity to match inner identity

Johnson, Neil M neil-johnson at uiowa.edu
Thu Nov 11 11:15:02 CST 2010


We need to be able to track the real user name for DMCA and other security purposes.

Our current RADIUS server (Steel-Belted Radius) returns a Class attribute to the NAS with the user's inner identity encrypted.  The RADIUS server is smart enough to decrypt the Class attribute when it gets returned in the accounting record from the NAS and substitute it for the outer identity.

Microsoft NPS uses the outer identity for the username when authenticating, in effect forcing it to be the same as the inner identity. You can work around this, but then the user can override the outer identity.

There is a script in the goodies directory, "eap_anon_hook.pl", that tracks the user's inner identity, but I'm having trouble getting it working with SQL Server.

-Neil

--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-johnson at uiowa.edu
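The Class-attribute mechanism described above, as an added example that is not code from the thread, from Radiator, from Steel-Belted Radius or from the goodies script: the server seals the authenticated inner identity into an opaque Class value at Access-Accept time, the NAS echoes that value back in accounting, and the accounting side verifies and unseals it to log the real user in place of the anonymous outer identity. RADIUS packets are modelled as plain dicts, the secret and identities are constructed, and the cipher is a stdlib-only construction (HMAC-SHA256 counter-mode keystream plus an HMAC tag, with separate derived subkeys) standing in for whatever the real server uses.

```python
"""Opaque Class attribute carrying the inner (real) EAP identity so that
accounting records name the authenticated user even when the outer
identity is anonymous.  Constructed example; not from the thread's servers."""
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed secret held only by the RADIUS server.  The NAS never reads
# Class; it just echoes the value it was given (RFC 2865, section 5.25).
SERVER_SECRET = b"constructed-example-secret-rotate-me"

NONCE_LEN = 12
TAG_LEN = 16
CLASS_MAX = 253          # largest value a single RADIUS attribute can carry


def _subkey(secret: bytes, label: bytes) -> bytes:
    """Derive distinct keystream and tag keys from the one server secret."""
    return hmac.new(secret, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stdlib-only stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def make_class(inner_identity: str, secret: bytes = SERVER_SECRET,
               nonce: Optional[bytes] = None) -> bytes:
    """Build the Class value for Access-Accept: nonce || ciphertext || tag."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    plaintext = inner_identity.encode("utf-8")
    ks = _keystream(_subkey(secret, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(secret, b"mac"), nonce + ciphertext,
                   hashlib.sha256).digest()[:TAG_LEN]
    blob = nonce + ciphertext + tag
    if len(blob) > CLASS_MAX:
        raise ValueError("inner identity too long for a single Class attribute")
    return blob


def open_class(blob: bytes, secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Recover the inner identity, or None if the value is forged, truncated or altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(secret, b"mac"), nonce + ciphertext,
                        hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(_subkey(secret, b"enc"), nonce, len(ciphertext))
    try:
        return bytes(c ^ k for c, k in zip(ciphertext, ks)).decode("utf-8")
    except UnicodeDecodeError:
        return None


def rewrite_accounting(request: dict, secret: bytes = SERVER_SECRET) -> dict:
    """Accounting-side step: log the real user instead of the anonymous outer identity.

    Returns a copy of the record with User-Name replaced by the inner identity and
    the original outer identity kept under Outer-Identity.  A record whose Class
    is missing or fails the tag check is left unchanged and flagged, so a forged
    or damaged Class can never put someone else's name in the log."""
    record = dict(request)
    blob = request.get("Class")
    inner = open_class(blob, secret) if isinstance(blob, bytes) else None
    if inner is None:
        record["Identity-Status"] = "unverified"
        return record
    record["Outer-Identity"] = request.get("User-Name")
    record["User-Name"] = inner
    record["Identity-Status"] = "verified"
    return record


if __name__ == "__main__":
    # Constructed exchange: anonymous outer identity, authenticated inner identity.
    cls = make_class("jdoe@example.edu")
    acct = {"User-Name": "anonymous@example.edu", "Acct-Status-Type": "Start", "Class": cls}
    print(rewrite_accounting(acct))
```

Because the value is produced by the server after the inner identity has been authenticated, the user's control over the outer identity (the concern raised later in the thread) does not affect what ends up in the accounting log; the log entry is only rewritten when the tag verifies, and anything else is flagged rather than trusted.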

From: Stephen A. Felicetti [mailto:stephen.felicetti at fccc.edu]
Sent: Thursday, November 11, 2010 10:49 AM
To: radiator at open.com.au; Johnson, Neil M
Subject: Re: [RADIATOR] EAP Forcing outer identity to match inner identity

If I understand you correctly... are you looking to associate a user directly to a device they own (PDA, laptop, etc.)?

If so, I think the challenge would be how to control whether the outer identity can be changed by the user.  If I were a bad guy, I'd just impersonate someone else, and just change the outer identity as appropriate. If I were a good guy and needed to attach to the network on someone else's device, I would just enter my information as appropriate. Either way, I wouldn't take it as a reliable indicator of who is using what.

Having said that, I'm sorry to say that I wouldn't know how to do it without research.

-Steve


On Nov 11, 2010, at 11:31 AM, Johnson, Neil M wrote:


Because I want to make sure that the RADIUS accounting logs reflect the user's real identity for forensic purposes.

-Neil


--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-johnson at uiowa.edu


> -----Original Message-----
> From: Alan Buxey [mailto:A.L.M.Buxey at lboro.ac.uk]
> Sent: Thursday, November 11, 2010 10:25 AM
> To: Johnson, Neil M
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] EAP Forcing outer identity to match inner
> identity
>
> Hi,
> > Does anyone have a suggestion on how to reject a user if their outer
> > identity doesn't match their inner identity?
>
> why should it?  that's why the outer ID can be anonymous (granted,
> Windows has only just added that feature in Vista and 7 - but anonymous
> outer ID has been in most EAP clients for a long time.)   by enforcing
> this you force people to put their real ID into the open outer ID and
> thus tell remote places who they are.  that shouldn't be the concern of
> the remote site - the home site cares because they are the ones that
> authenticate you and validate you.
>
> alan
_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator
