Bernard Aboba wrote:
> In EDUROAM, an attack has been identified that involves use of two distinct realms within an EAP method supporting privacy (such as EAP-TTLSv0):
> http://www.cesnet.cz/doc/techzpravy/2008/incorrect-eap-termination-in-eduroam/
I will note that version 2.0 of FreeRADIUS doesn't have this issue. The functionality was originally added to support separation of the TLS side of EAP from traditional RADIUS, i.e. placing a modern server upstream from a legacy server to enable support for EAP when the legacy server doesn't support EAP.
> It would appear that this attack can be addressed by adding a check on the part of a home RADIUS server in order to require that the inner and outer identities share a realm. If the realms are allowed to differ, then it would appear to be necessary for at least the inner realm to be provided to the NAS somehow. This could be within a CUI attribute or a User-Name attribute. The question is whether an EAP-Peer-Id attribute might also be useful.
Some deployments *require* that the realms differ, IIRC. e.g. outer
"anonymous" and inner "user@example.com".
Alan DeKok.
archive: <http://psg.com/lists/radiusext/>
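The realm check Bernard Aboba proposes above, written out as an added example (this is illustrative code for this thread, not FreeRADIUS code and not anything from the cited CESNET report): a home server splits the outer RADIUS User-Name and the EAP-TTLS inner identity into NAI user and realm parts and refuses the authentication when the realms differ. How a realm-less outer identity such as a bare "anonymous" is treated is an assumption made here to accommodate Alan DeKok's point that some deployments require the two identities to differ: it is rejected by default and, when explicitly allowed, the inner realm is returned as the value the server would need to convey to the NAS (in User-Name or CUI, per the discussion). The function names, the `allow_realmless_outer` knob and the sample identities are all constructed for this example.

```python
"""Home-server policy check: inner and outer EAP identities must share a realm.

Added example for the discussion above; not code from the thread, from
FreeRADIUS, or from the CESNET report. Names and policy knobs are assumptions.
"""
from typing import NamedTuple, Optional, Tuple


class RealmCheck(NamedTuple):
    accepted: bool
    reason: str
    # Realm the home server would have to report to the NAS (assumption:
    # via User-Name or CUI); None when the request is rejected.
    realm_for_nas: Optional[str]


def split_nai(identity: str) -> Tuple[str, Optional[str]]:
    """Split an NAI of the form user@realm into (user, realm).

    The realm is taken after the *last* '@' so a quoted local part that itself
    contains '@' is not mistaken for a realm. Realms are compared
    case-insensitively, so the returned realm is lower-cased. A missing or
    empty realm is returned as None.
    """
    if "@" not in identity:
        return identity, None
    user, _, realm = identity.rpartition("@")
    return user, (realm.lower() or None)


def check_realm_consistency(outer_identity: str,
                            inner_identity: str,
                            allow_realmless_outer: bool = False) -> RealmCheck:
    """Require the tunnelled (inner) identity to be in the same realm as the
    outer identity the request was routed on.

    outer_identity: RADIUS User-Name seen by the proxies (e.g. anonymous@realm).
    inner_identity: identity carried inside the EAP-TTLS tunnel.
    allow_realmless_outer: assumed policy knob; when True, an outer identity
        without any realm is accepted and the inner realm is handed back so
        the caller can report it to the NAS.
    """
    _, outer_realm = split_nai(outer_identity)
    _, inner_realm = split_nai(inner_identity)

    if inner_realm is None:
        # Without an inner realm there is nothing to match or report.
        return RealmCheck(False, "inner identity carries no realm", None)

    if outer_realm is None:
        if allow_realmless_outer:
            # Outer identity did not name a realm, so the realm the user was
            # actually authenticated in must reach the NAS by other means.
            return RealmCheck(True,
                              "outer identity has no realm; report inner realm to NAS",
                              inner_realm)
        return RealmCheck(False, "outer identity carries no realm", None)

    if outer_realm != inner_realm:
        # This is the two-distinct-realms case the thread is about.
        return RealmCheck(False,
                          "realm mismatch: outer %r vs inner %r" % (outer_realm, inner_realm),
                          None)

    return RealmCheck(True, "realms match", inner_realm)


if __name__ == "__main__":
    # Constructed sample identities, not taken from any real deployment.
    samples = [
        ("anonymous@example.com", "user@example.com"),
        ("anonymous@example.com", "user@other.org"),
        ("anonymous", "user@example.com"),
    ]
    for outer, inner in samples:
        result = check_realm_consistency(outer, inner, allow_realmless_outer=True)
        print("%-24s %-20s -> %s (%s)" % (outer, inner, result.accepted, result.reason))
```

The check deliberately compares only realms, not user parts, since the outer identity is expected to be a privacy-preserving placeholder; the `realm_for_nas` field is what a deployment that allows differing identities would have to place in User-Name or CUI so the NAS still learns the realm the user was authenticated in.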