[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: RADIUS User-Name versus EAP Identity

To: Bernard Aboba <Bernard_Aboba@hotmail.com>
Subject: Re: RADIUS User-Name versus EAP Identity
From: Alan DeKok <aland@deployingradius.com>
Date: Fri, 17 Oct 2008 16:47:28 +0200
Cc: radiusext@ops.ietf.org
In-reply-to: <BLU137-DAV75D724C414A181A19BC4293360@phx.gbl>
References: <48F36CC4.8010103@deployingradius.com> <BLU137-DAV75D724C414A181A19BC4293360@phx.gbl>
User-agent: Thunderbird 2.0.0.17 (X11/20080925)

Bernard Aboba wrote:
> So RFC 3579 does require the User-Name field and EAP-Response/Identity
> fields to be identical at the NAS originating the Access-Request.  

  Most RADIUS servers seem to enforce this.

> However, after that it is possible that RADIUS proxies will modify the
> User-Name attribute, so that by the time the RADIUS Access-Request
> arrives at the RADIUS server, the EAP-Response/Identity and User-Name
> Attribute will no longer match.

  This is causing problems in real-world pre-deployment systems.

  Maybe a solution would be to require that implementations ignore the
contents of the EAP-Response/Identity field.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- RE: RADIUS User-Name versus EAP Identity
  - From: "Bernard Aboba" <Bernard_Aboba@hotmail.com>

References:
- RE: RADIUS User-Name versus EAP Identity
  - From: "Bernard Aboba" <Bernard_Aboba@hotmail.com>

Prev by Date: Re: Review of draft-tiwari-radext-tunnel-type-02.txt
Next by Date: RE: RADIUS User-Name versus EAP Identity
Previous by thread: RE: RADIUS User-Name versus EAP Identity
Next by thread: RE: RADIUS User-Name versus EAP Identity
Index(es):
- Date
- Thread