Klaas wrote:
> Possibly. In the Netherlands most universities are in such a 'roaming
> consortium' to provide guest access to eachothers wireless LANs based
> on 802.1X+RADIUS. Some universities want to know the real identity of
> a user in case of abuse. The alternative is to agree on a logging
> format so that abuse can be tracked down by contacting the home
> organisation of the user, but this may be difficult (many log entries
> for
> anonymous@university-a.nl) and requires in any case a lot of coordination.
> And a bit further along the road, possibly the visited institution wants
> to do more advance authorisation based on the identity of the user (did
> he complete math101, is he a staff member etc.)
Bernard wrote:
Can this particular scenario be handled by the attributes that exist (User-Name, Class) or are being discussed (Billable-Identity)?
Lothar writes:
I would think yes, e.g. by combining all 3 of them, the privacy requesting NAI "anonymous@university-a.nl" with a privacy granting "Billable identity" issued by a trusted party (the home university), combined with Class attribute which by some bilateral agreement between participating universities could use the Class attribute to communicate membership in a certain group, such as university-staff-member or advanced-student-of-mathematics.
I would however suggest to be very careful with the name of the "billable-identity" attribute - after all these students probably do not receive a bill at all, therefor the notion of "billable identity" may be misleading. I think we are really talking about a "privacy-protected-identity", which - when present - is used instead of the NAI for all kinds of purposes normally the NAI is used for, including billing, re-authorization, abuse tracking etc. Simply because the NAI is not unique and in this case appears to only serve the routing of the initial access request to the home network and back. Of course the home network MUST be able to assert and resolve the privacy-protected-identity to the true identity of the user.
And the notion of "logging format" leads me to the suggestion, that if the logging is not done via RADIUS accounting, than it must include the "privacy-protected-identity" otherwise there would be no way to track down the true identity of an abusive user.
I guess at the end of the day, the one key application for this new RADIUS attribute sofar called either "billable-identity"- or "alius-username" seems to be federated identity management (with privacy). Is anybody seeing a different application for this new attribute ?
Regards, Lothar