
Re: Issue: Treatment of null Identity Response

> What we are seeing in implementations in the field is a mix of a) and c), with the behavior in case c) ranging all over the map. In particular, some implementations are treating a null EAP-Response/Identity as a privacy NAI (no userid or realm).

Oh boy. Hmm... let's think about this some further. RFC 4282 has
another approach to privacy NAI, and one which works better with
roaming and other AAA routing arrangements. So I think we should
discourage the use of empty EAP-Response/Identity for
privacy purposes.

What I think remains is two real cases. The first case is simply
failure, and all we are debating is whether the failure occurs
in the client who never responds, the NAS who dislikes the
response, or in AAA that can't route or authenticate the
user. Here my preference would be to fail as late as possible.
That is, have clients respond with empty identity, have
NASes forward the request to AAA etc. I think it is clear
that empty User-Name should not be used, but here we
still have the question of whether to omit it altogether or
to use Calling-Station-Id as User-Name. I'd be in favor
of the latter, given the RFC 3579 text.

The second case is a legitimate attempt to provide
no User-Name, complemented with, e.g., some MAC-address
based directory of users. This appears to not work in
roaming, which to me says that we should discourage
such behaviour. But we can still allow it... the proposed
approach would be same as for the above case, i.e., use
Calling-Station-Id as the User-Name and let the AAA handle
it.

Documenting this: this seems mostly a RFC 3579/4005 problem.
Unless we are developing a bis for them, we could talk about
the issue in the issues & fixes draft. The text should indicate
rules for EAP client and NAS behaviour, and explain the
implications of particular usage (e.g. limitations in roaming).

--Jari
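As an added illustration (example code, not part of the original message and not text from any RFC): a Python sketch of the NAS behaviour proposed above. The peer sends a null EAP-Response/Identity, the NAS forwards it in an Access-Request with User-Name taken from Calling-Station-Id rather than sending an empty User-Name, and adds the Message-Authenticator that RFC 3579 requires on EAP-Message packets. A small realm-based proxy decision then shows the roaming limitation: a MAC-address User-Name carries no NAI realm and can only be tried locally, whereas an RFC 4282 "@realm" privacy NAI still routes. Attribute and EAP type numbers are the standard assigned ones; the shared secret, MAC address, EAP Identifier and realm table are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# EAP (RFC 3748) and RADIUS (RFC 2865 / RFC 3579) constants
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def parse_eap_identity(pkt: bytes):
    """Identity string from an EAP-Response/Identity.
    "" means a null Identity (no Type-Data); None means not a Response/Identity."""
    if len(pkt) < 5:
        return None
    code, _ident, length, etype = struct.unpack("!BBHB", pkt[:5])
    if code != EAP_RESPONSE or etype != EAP_TYPE_IDENTITY or length != len(pkt):
        return None
    return pkt[5:].decode("utf-8", errors="replace")


def choose_user_name(identity, calling_station_id: str) -> str:
    """Proposed NAS rule: never send an empty User-Name; if the Identity
    response is null (or absent), fall back to the Calling-Station-Id."""
    return identity if identity else calling_station_id


def _attr(t: int, v: bytes) -> bytes:
    assert len(v) <= 253  # RADIUS attribute Length is one octet
    return struct.pack("!BB", t, len(v) + 2) + v


def build_access_request(identifier: int, secret: bytes,
                         calling_station_id: str, eap_pkt: bytes) -> bytes:
    """Access-Request forwarding the EAP response to AAA, with User-Name chosen
    by choose_user_name and an HMAC-MD5 Message-Authenticator (RFC 3579 3.2)."""
    user_name = choose_user_name(parse_eap_identity(eap_pkt), calling_station_id)
    req_auth = os.urandom(16)  # Request Authenticator
    attrs = (
        _attr(ATTR_USER_NAME, user_name.encode())
        + _attr(ATTR_CALLING_STATION_ID, calling_station_id.encode())
        + _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", 19))  # 19 = Wireless-802.11
        + _attr(ATTR_EAP_MESSAGE, eap_pkt)
        + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed for the HMAC
    )
    hdr = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth
    mac = hmac.new(secret, hdr + attrs, hashlib.md5).digest()
    return hdr + attrs[:-16] + mac  # Message-Authenticator is the last attribute


def get_attr(pkt: bytes, t: int):
    """Value of the first attribute of type t, or None."""
    body, pos = pkt[20:], 0
    while pos + 2 <= len(body):
        at, ln = body[pos], body[pos + 1]
        if ln < 2 or pos + ln > len(body):
            return None
        if at == t:
            return body[pos + 2:pos + ln]
        pos += ln
    return None


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Recompute the HMAC-MD5 with the Message-Authenticator value zeroed."""
    hdr, body, pos = pkt[:20], pkt[20:], 0
    while pos + 2 <= len(body):
        at, ln = body[pos], body[pos + 1]
        if ln < 2 or pos + ln > len(body):
            return False
        if at == ATTR_MESSAGE_AUTHENTICATOR and ln == 18:
            zeroed = body[:pos + 2] + bytes(16) + body[pos + 18:]
            expected = hmac.new(secret, hdr + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(body[pos + 2:pos + 18], expected)
        pos += ln
    return False


def realm_of(user_name: str):
    """NAI realm (RFC 4282): the part after the last '@', or None if absent."""
    if "@" not in user_name:
        return None
    return user_name.rsplit("@", 1)[1] or None


def proxy_target(user_name: str, realm_table: dict) -> str:
    """Roaming proxy decision: route by realm, or (no realm) only try locally."""
    realm = realm_of(user_name)
    if realm is None:
        return "local"
    return realm_table.get(realm, "unknown-realm")


if __name__ == "__main__":
    null_identity = bytes([EAP_RESPONSE, 7, 0, 5, EAP_TYPE_IDENTITY])  # constructed
    req = build_access_request(7, b"s3cret", "00-11-22-33-44-55", null_identity)
    print(get_attr(req, ATTR_USER_NAME), verify_message_authenticator(req, b"s3cret"))
    table = {"example.net": "aaa.example.net"}
    print(proxy_target("00-11-22-33-44-55", table), proxy_target("@example.net", table))
```

The two proxy_target calls at the end make the roaming point concrete: the MAC-address User-Name can only be handed to the local server, which is exactly why the mail suggests allowing this usage but documenting its limitations, while the "@example.net" form from RFC 4282 routes like any other NAI.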


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>