[RADIATOR] EAP Forcing outer identity to match inner identity

Caporossi, Stephen G. capoross at musc.edu
Thu Nov 11 11:36:35 CST 2010


We use the eap_acct_username script (in the goodies directory) instead of
eap_anon_hook. Place it in the Handler TunneledBy as a post processing
hook. It works like a charm for ttls and peap.

I think hiding the outer identity is a good thing.

Steve
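The approach Neil describes (the RADIUS server hands the NAS a Class attribute carrying the inner identity in encrypted form, the NAS echoes Class opaquely in its Accounting-Request, and the server decrypts it and substitutes it for the outer identity before the record is logged) can be modelled end to end. The following is an added example written for this thread, not code from Radiator, Steel-Belted Radius, or the eap_acct_username/eap_anon_hook goodies. It uses only the Python standard library: an HMAC-SHA256 keystream for confidentiality and an HMAC-SHA256 tag (encrypt-then-MAC) so a client cannot forge or alter the token. The key, the attribute names beyond User-Name and Class, and the sample packets are constructed assumptions.

```python
"""Carry the authenticated inner identity through RADIUS accounting via Class.

Added example, not part of Radiator or the thread's scripts. Models:
  1. after a successful inner (EAP) authentication, the server mints a
     Class attribute that encrypts and authenticates the inner identity;
  2. the NAS echoes Class unchanged in Accounting-Request (RFC 2865 s5.25);
  3. on accounting, the server verifies and decrypts Class and substitutes
     the inner identity for the outer User-Name before logging.
Because only the server can mint a valid token, a client changing its outer
identity cannot change the identity that lands in the accounting log.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed key for the example; in deployment this is a server secret.
KEY = b"constructed-example-key-replace-in-production"
_ENC_KEY = hashlib.sha256(b"enc" + KEY).digest()   # keystream key
_MAC_KEY = hashlib.sha256(b"mac" + KEY).digest()   # tag key (separate from enc)
NONCE_LEN = 12
TAG_LEN = 16
RADIUS_ATTR_MAX = 253   # maximum attribute value length (RFC 2865)


def _keystream(nonce: bytes, length: int) -> bytes:
    """CTR-style keystream: HMAC(enc_key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(_ENC_KEY, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def issue_class_token(inner_identity: str, nonce: Optional[bytes] = None) -> bytes:
    """Server side, after inner auth succeeds: build the Class attribute value."""
    plaintext = inner_identity.encode("utf-8")
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(nonce, len(plaintext))))
    tag = hmac.new(_MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    token = base64.b64encode(nonce + ciphertext + tag)
    if len(token) > RADIUS_ATTR_MAX:
        raise ValueError("identity too long for a single Class attribute")
    return token


def recover_inner_identity(class_value: bytes) -> Optional[str]:
    """Accounting side: verify the tag, then decrypt. None means untrusted."""
    try:
        raw = base64.b64decode(class_value, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(_MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(nonce, len(ciphertext))))
    return plaintext.decode("utf-8", errors="replace")


def rewrite_accounting(acct: dict) -> dict:
    """Return a copy of the Accounting-Request with User-Name set to the inner
    identity when Class verifies; otherwise keep the outer identity and mark it.
    "Outer-Identity" and "Identity-Source" are constructed log fields."""
    out = dict(acct)
    inner = recover_inner_identity(acct.get("Class", b""))
    if inner is not None:
        out["Outer-Identity"] = acct.get("User-Name")   # keep for correlation
        out["User-Name"] = inner
        out["Identity-Source"] = "class-token"
    else:
        out["Identity-Source"] = "outer-only"            # log, alert, or reject
    return out


if __name__ == "__main__":
    # Constructed packets: anonymous outer identity, real inner identity.
    token = issue_class_token("jdoe@example.edu")
    start = {"User-Name": "anonymous@example.edu", "Class": token,
             "Acct-Status-Type": "Start"}
    print(rewrite_accounting(start))
```

The accounting-side decision is the part worth keeping visible in logs: a record whose Class fails to verify is written with the outer identity and an explicit source marker rather than silently trusted, so a NAS that drops Class or a client that tampers with it stands out in review rather than blending in.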



On 11/11/10 12:15 PM, "Johnson, Neil M" <neil-johnson at uiowa.edu> wrote:

>We need to be able to track the real user name for DMCA and other
>security purposes.
> 
>Our current RADIUS (Steel-Belted Radius) server returns a class attribute
>to the NAS with the user's inner identity encrypted.  The RADIUS server
>is smart enough to decrypt the class attribute when it gets returned in
>the accounting record from the NAS and substitute it for the outer
>identity.
> 
>Microsoft NPS uses the outer identity for the username when
>authenticating, in effect forcing it to be the same as the inner identity;
>you can work around this, but then the user can override the outer
>identity.
> 
>There is a script in the goodies directory "eap_anon_hook.pl" that
>tracks the user's inner identity, but I'm having trouble getting it
>working with SQL Server.
> 
>-Neil
> 
>-- 
>Neil Johnson
>Network Engineer
>Information Technology Services
>The University of Iowa
>319 384-0938
>neil-johnson at uiowa.edu
>
> 
>From: Stephen A. Felicetti [mailto:stephen.felicetti at fccc.edu]
>Sent: Thursday, November 11, 2010 10:49 AM
>To: radiator at open.com.au; Johnson, Neil M
>Subject: Re: [RADIATOR] EAP Forcing outer identity to match inner identity
>
>
> 
>If I understand you correctly... are you looking to associate a user
>directly to a device they own (pda, laptop, etc.)?
>
> 
>
>If so, I think the challenge would be how to control whether the outer
>identity can be changed by the user.  If I were a bad guy, I'd just
>impersonate someone else, and just change the outer identity as
>appropriate. If I were a good guy and needed to attach to the network on
>someone else's device, I would just enter my information as appropriate.
>Either way, I wouldn't take it as a reliable indicator of who is using
>what.
>
> 
>
>Having said that, I'm sorry to say that I wouldn't know how to do it
>without research.
>
> 
>
>-Steve
>
>On Nov 11, 2010, at 11:31 AM, Johnson, Neil M wrote:
>
> 
>Because I want to make sure that the RADIUS accounting logs reflect the
>user's real identity for forensic purposes.
>
>-Neil
>
>
>--
>Neil Johnson
>Network Engineer
>Information Technology Services
>The University of Iowa
>319 384-0938
>neil-johnson at uiowa.edu
>
>
>> -----Original Message-----
>> From: Alan Buxey [mailto:A.L.M.Buxey at lboro.ac.uk]
>> Sent: Thursday, November 11, 2010 10:25 AM
>> To: Johnson, Neil M
>> Cc: radiator at open.com.au
>> Subject: Re: [RADIATOR] EAP Forcing outer identity to match inner
>> identity
>>
>> Hi,
>> > Does anyone have suggestion on how to reject a user if their outer
>> identity doesn't match their inner identity ?
>>
>> why should it?  that's why the outerid can be anonymous (granted,
>> Windows have only
>> just added that feature in Vista and 7 - but anonymous outer ID has
>> been in most
>> EAP clients for a long time.)   by enforcing this you force people to
>> put their real
>> ID into the open outer id and thus tell remote places who they are.
>> that shouldn't
>> be the concern of the remote site - the home site cares because they
>> are the ones
>> that authenticate you and validate you.
>>
>> alan
>_______________________________________________
>radiator mailing list
>radiator at open.com.au
>http://www.open.com.au/mailman/listinfo/radiator
>
>
> 