[RADIATOR] EAP Forcing outer identity to match inner identity

Hugh Irvine hugh at open.com.au
Thu Nov 11 13:12:01 CST 2010


Hello Neil -

The way to do this is to either return the real username in the access accept (or a Class attribute), or use the accounting hook.

Many NAS devices will use the User-Name returned in the access accept for subsequent accounting records for the session.

All NAS devices should return the Class attribute in the accounting requests for the session.

If using the accounting hook, what you are trying to do is store the real username when returning the access accept, then replace the User-Name in the accounting requests for the session with the stored username from the database.

regards

Hugh


On 12 Nov 2010, at 03:31, Johnson, Neil M wrote:

> Because I want to make sure that the RADIUS accounting logs reflect the user's real identity for forensic purposes.
> 
> -Neil
> 
> 
> -- 
> Neil Johnson
> Network Engineer
> Information Technology Services
> The University of Iowa
> 319 384-0938
> neil-johnson at uiowa.edu 
> 
> 
>> -----Original Message-----
>> From: Alan Buxey [mailto:A.L.M.Buxey at lboro.ac.uk]
>> Sent: Thursday, November 11, 2010 10:25 AM
>> To: Johnson, Neil M
>> Cc: radiator at open.com.au
>> Subject: Re: [RADIATOR] EAP Forcing outer identity to match inner
>> identity
>> 
>> Hi,
>>> Does anyone have a suggestion on how to reject a user if their outer
>>> identity doesn't match their inner identity?
>> 
>> why should it?  that's why the outer id can be anonymous (granted,
>> Windows has only just added that feature in Vista and 7 - but an
>> anonymous outer ID has been in most EAP clients for a long time.)
>> by enforcing this you force people to put their real ID into the
>> open outer id and thus tell remote places who they are. that
>> shouldn't be the concern of the remote site - the home site cares
>> because they are the ones that authenticate you and validate you.
>> 
>> alan
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
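Worked example of the accounting-hook approach Hugh describes above (store the real username at Access-Accept time, tag the session with a Class attribute, then rewrite User-Name in the accounting requests). This is an added illustration, not code from the post or from the Radiator distribution. It assumes the usual Radiator hook conventions: hooks receive references to the packet objects (so `$p = ${$_[0]}`), PostAuthHook gets `($p, $rp, \$result, \$reason)`, the inner (tunnelled) request carries `$p->{outerRequest}`, packets expose `get_attr`/`add_attr`/`change_attr`/`code`, and `&main::log` with `$main::LOG_DEBUG` is the logging call. The hash `%real_user_by_class` and the `RIDENT=` prefix are hypothetical stand-ins for the database Hugh mentions.

```perl
# Added example, not from the original post or from Radiator itself.
# Assumptions (see lead-in): Radiator hook calling conventions, $p->{outerRequest}
# on inner EAP requests, get_attr/add_attr/change_attr/code on packets.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Hypothetical in-process store: Class token -> real (inner) username.
# A real deployment needs something shared and persistent (SQL, DBM),
# otherwise the mapping is lost on restart and accounting falls back
# to the anonymous outer identity.
my %real_user_by_class;

# Attach as PostAuthHook on the Handler that authenticates the *inner*
# (tunnelled) PEAP/TTLS request. On Access-Accept it records the real
# identity under an opaque token and hands that token to the NAS as Class.
sub tag_session_with_real_identity {
    my $p      = ${$_[0]};
    my $rp     = ${$_[1]};
    my $result = ${$_[2]};
    return unless $result == $main::ACCEPT;
    return unless $p->{outerRequest};          # only the inner leg has it

    my $inner = $p->get_attr('User-Name');                    # real identity
    my $outer = $p->{outerRequest}->get_attr('User-Name');    # may be anonymous

    # Opaque token: a visited site's NAS and proxies learn nothing from it,
    # only this (home) server can map it back to the real user.
    my $token = sha256_hex(join("\0", $inner, time, $$, rand()));
    $real_user_by_class{$token} = $inner;
    $rp->add_attr('Class', "RIDENT=$token");   # prefix is an assumption

    # Alternative from Hugh's first option: return the real name in the
    # Accept itself, so a NAS that copies it will account under it. This
    # reveals the inner identity to the NAS, so it is commented out here.
    # $rp->change_attr('User-Name', $inner);

    &main::log($main::LOG_DEBUG,
        "Stored real identity for session with outer identity '$outer'");
}

# Attach as PreHandlerHook so Accounting-Requests are rewritten before the
# Handler logs them. Hugh's point: every NAS should echo Class back in
# accounting, so Class is the reliable key, not Acct-Session-Id.
sub rewrite_accounting_username {
    my $p = ${$_[0]};
    return unless $p->code eq 'Accounting-Request';

    # A NAS may return several Class attributes; use only the one we issued.
    foreach my $class ($p->get_attr('Class')) {
        next unless $class =~ /^RIDENT=([0-9a-f]{64})$/;
        my $real = $real_user_by_class{$1};
        if (defined $real) {
            $p->change_attr('User-Name', $real);
        } else {
            # Unknown token: log it rather than silently accounting under
            # the outer identity, since that is exactly the forensic gap
            # the original question is about.
            &main::log($main::LOG_WARNING,
                "Accounting Class token not found, NAS " .
                ($p->get_attr('NAS-IP-Address') // 'unknown'));
        }
        last;
    }
}

1;
```

To wire this in you would `require` the file from a `StartupHook` and then point the inner Handler's `PostAuthHook` at `sub { tag_session_with_real_identity(@_) }` and the accounting Handler's `PreHandlerHook` at `sub { rewrite_accounting_username(@_) }`; the exact hook names and whether the inner reply's Class is copied into the outer Access-Accept should be checked against the reference manual for the Radiator version in use, as both are assumptions here.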
