Re: Inner identities, privacy, and roaming termination
Bernard Aboba wrote:
> In EDUROAM, an attack has been identified that involves use of two
> distinct realms within an EAP method supporting privacy (such as
> EAP-TTLSv0):
> http://www.cesnet.cz/doc/techzpravy/2008/incorrect-eap-termination-in-eduroam/
I will note that version 2.0 of FreeRADIUS doesn't have this issue.
The functionality was originally added to support separation of the TLS
side of EAP from traditional RADIUS, i.e., placing a modern server
upstream from a legacy server, to enable support for EAP when the
legacy server doesn't support EAP.
> It would appear that this attack can be addressed by adding a check on
> the part of a home RADIUS server in order to require that the inner and
> outer identities share a realm. If the realms are allowed to differ,
> then it would appear to be necessary for at least the inner realm to be
> provided to the NAS somehow. This could be within a CUI attribute or a
> User-Name attribute. The question is whether an EAP-Peer-Id attribute
> might also be useful.
Some deployments *require* that the realms differ, IIRC, e.g. outer
"anonymous" and inner "user@example.com".
Alan DeKok.
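The home-server check described in the quoted text, as an added illustration that is not FreeRADIUS code or anything from the original thread. `HOME_REALMS`, `check_identities` and the option of disclosing the inner realm (but not the inner user part) in the name handed back toward the NAS are assumptions of this example, not behaviour of any real server.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example: realms this home server is authoritative for.
HOME_REALMS = {"example.com"}


def realm_of(identity: str) -> Optional[str]:
    """NAI realm: text after the last '@', lower-cased; None if absent."""
    if "@" not in identity:
        return None
    realm = identity.rsplit("@", 1)[1].strip().lower()
    return realm or None


@dataclass
class Decision:
    accept: bool
    reason: str
    name_for_nas: Optional[str] = None  # value for User-Name/CUI toward the NAS


def check_identities(outer: str, inner: str, allow_differing: bool = False) -> Decision:
    """Require inner and outer realms to match; optionally allow them to differ
    provided the inner realm is disclosed to the NAS (assumed policy)."""
    outer_realm = realm_of(outer)
    inner_realm = realm_of(inner)
    if inner_realm is None:
        return Decision(False, "inner identity carries no realm")
    # Terminate only for users we are authoritative for; never forward the
    # decrypted inner authentication to some other realm's server.
    if inner_realm not in HOME_REALMS:
        return Decision(False, f"inner realm {inner_realm!r} is not served here")
    if outer_realm == inner_realm:
        return Decision(True, "inner and outer realms match", name_for_nas=outer)
    if not allow_differing:
        return Decision(False, f"realm mismatch: outer {outer_realm!r}, inner {inner_realm!r}")
    # Realms differ by policy (e.g. outer "anonymous"): keep the outer local
    # part private-preserving but attach the inner realm so the NAS sees it.
    local = outer.rsplit("@", 1)[0] if "@" in outer else outer
    return Decision(True, "realms differ; inner realm disclosed", name_for_nas=f"{local}@{inner_realm}")
```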
--
archive: <http://psg.com/lists/radiusext/>