
Re: Chargeable-User-Identity



David,
User blacklisting based on observed misbehaviour is just one of the use cases for CUI in eduroam, but there are more.

1. Timely reaction to incidents - if something happens the visited institution may have to react at once, by blocking the particular user. Going to the home institution and blocking the user there may be the next step, but this always takes time. Without CUI the visited site would have to block an entire realm until the incident is resolved.

2. Long-time associations. This is actually the case that got me started on this subject. eduroam has been created to enable user mobility and casual guest access. Now suppose we have two eduroam institutions in one city. A student of institution A may set up a permanent wireless link to the network of institution B. This is not the kind of guest access that most educational institutions will find desirable. If the user keeps changing the MAC address then institution B will have difficulty spotting the actual problem. With CUI in place it is possible to employ some QoS and limit the bandwidth after so many bytes transferred. No need to track the user or contact the home institution, just apply an automatic policy.

3. Promoting the user access rights. A positive example, for a change. Suppose we have an official guest at the university and we want to provide him with some extra services. CUI will allow us to place the user in a special VLAN and allow printing, for instance. This is a lot easier than creating a local account and setting up the user access based on that.

4. Guest usage statistics. This is probably self-explanatory.

All these cases require a reasonably long-lived CUI; actually we are thinking of a permanent one (but changing from one visited institution to another).


David B. Nelson writes:
Stefan Winter writes...


The user would be banned throughout the (potentially
huge) roaming infrastructure, since the home AAA's
decision is a global one. If other access networks in the infrastructure do allow peer-to-peer traffic, it would be unjust to Reject the user from the home AAA side.

Unjust?  Well, that's a moral judgment.  Banning the user from *all*
networks in the consortium would certainly be an effective "punishment" to
incent the potentially errant user to carefully follow the rules of *any*
network that they choose to visit.

Indeed, but please observe that eduroam is a global project. Accessing a certain WWW site could be regarded as unacceptable in one country, but quite OK in another. We do not want to place the home site administrator in a position where he has to make moral judgements on whether to ban a user from the entire eduroam or not. It really is a lot easier to allow the local site admin to block the user. Of course, if the user breaks the local law then this is another case, but then the law enforcement agencies should come in and it will be up to them to reach the home institution of the user in order to obtain the actual identity.

Greetings

Tomasz Wolniewicz
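All four use cases in the message above rest on the same mechanism: the NAS at the visited site asks for a CUI by sending a Chargeable-User-Identity attribute holding a single NUL octet in the Access-Request, the home server returns an opaque CUI in the Access-Accept, and the visited site keys its own policy (block, quota, VLAN, statistics) on that value without ever learning the real username. The following Python sketch is an added example, not code from this thread or from the eduroam project. The attribute numbers (User-Name 1, Chargeable-User-Identity 89 per RFC 4372, Operator-Name 126 per RFC 5580) are real; the HMAC-based derivation that makes the CUI stable per user but different per visited site, the policy dictionary layout, the usernames, operator names and the key are constructed assumptions for illustration.

```python
"""Visited-site policy keyed on Chargeable-User-Identity (CUI, RFC 4372).

Added example; RADIUS attribute codes are from the RFCs, everything else
(key, names, derivation, policy layout) is a constructed assumption.
"""
import hashlib
import hmac
import struct

USER_NAME = 1        # User-Name (RFC 2865)
CUI = 89             # Chargeable-User-Identity (RFC 4372)
OPERATOR_NAME = 126  # Operator-Name (RFC 5580)
HOME_SECRET = b"home-site-cui-key"  # constructed; use a long random key in practice


def encode_attrs(attrs):
    """Encode [(type, value)] as RADIUS TLVs: type, length (incl. header), value."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return bytes(out)


def decode_attrs(data):
    """Decode RADIUS TLVs back into [(type, value)], rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        t, ln = struct.unpack("!BB", data[i:i + 2])
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs


def nas_access_request(username, operator_name):
    """Visited NAS: a CUI attribute of one NUL octet asks the home server for a CUI.
    The Operator-Name value shown uses the REALM namespace prefix '1' (constructed)."""
    return encode_attrs([(USER_NAME, username.encode()),
                         (OPERATOR_NAME, operator_name.encode()),
                         (CUI, b"\x00")])


def derive_cui(username, operator_name, secret=HOME_SECRET):
    """Home side (assumed derivation): keyed hash over user and visited operator.
    Stable across sessions at one visited site, different at another site, and
    not reversible to the username without the home secret."""
    msg = username.encode() + b"\x00" + operator_name.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32].encode()


def home_access_accept(request):
    """Home server: return a CUI only when the NAS signalled support with the NUL value."""
    attrs = dict(decode_attrs(request))
    if attrs.get(CUI) != b"\x00":
        return encode_attrs([])  # NAS did not ask; send no CUI
    cui = derive_cui(attrs[USER_NAME].decode(), attrs[OPERATOR_NAME].decode())
    return encode_attrs([(CUI, cui)])


def sample_policy():
    """Constructed local policy of the visited site, keyed purely on CUI values."""
    return {"blocked": set(),           # use case 1: locally blocked CUIs
            "guest_vlan": {},           # use case 3: CUI -> VLAN with extra services
            "default_vlan": 100,
            "quota_bytes": 10 * 2**30,  # use case 2: rate-limit after this much traffic
            "over_quota_kbps": 512}


def visited_site_decision(accept, policy, bytes_used=0):
    """Visited site: apply local policy to the home server's Access-Accept.
    Returns the local action; the real username is never needed."""
    attrs = dict(decode_attrs(accept))
    cui = attrs.get(CUI)
    if cui is None or cui == b"\x00":
        return {"action": "accept", "vlan": policy["default_vlan"],
                "note": "no CUI returned, per-user local policy unavailable"}
    if cui in policy["blocked"]:
        return {"action": "reject", "reason": "locally blocked CUI"}
    decision = {"action": "accept",
                "vlan": policy["guest_vlan"].get(cui, policy["default_vlan"])}
    if bytes_used > policy["quota_bytes"]:
        decision["rate_limit_kbps"] = policy["over_quota_kbps"]
    return decision
```

Because the CUI changes between visited institutions, a block list or quota at institution B does not follow the user to institution C, which is exactly the local-only scope the message argues for; a home server that omits the CUI leaves the visited site with only the default VLAN and no per-user handle.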




--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>