Re: Inner identities, privacy, and roaming termination
Bernard Aboba wrote:
> In EDUROAM, an attack has been identified that involves use of two
> distinct realms within an EAP method
> supporting privacy (such as EAP-TTLSv0):
I will note that version 2.0 of FreeRADIUS doesn't have this issue.
The functionality was originally added to support separation of the TLS
side of EAP from traditional RADIUS, i.e. placing a modern server
upstream from a legacy server to enable support for EAP when the
legacy server doesn't support EAP.
> It would appear that this attack can be addressed by adding a check on
> the part of a home RADIUS server in order to require that the inner and
> outer identities share a realm. If the realms are allowed to differ, then
> it would appear to be necessary for at least the inner realm to be
> provided to the NAS somehow. This could be within a CUI attribute or a
> User-Name attribute. The question is whether an EAP-Peer-Id attribute
> might also be useful.
Some deployments *require* that the realms differ, IIRC, e.g. outer
"anonymous" and inner "email@example.com".
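The realm check discussed above, written out as an added illustration (this is not FreeRADIUS code or anything from the thread's authors): it splits the outer and inner identities as NAIs, requires the inner identity to carry a realm, accepts the pair when the realms match or when the outer identity is a bare "anonymous" with no realm, and, when the deployment allows the realms to differ, records the inner realm in the identity the home server would hand back towards the NAS. The `anonymous@<inner realm>` reporting form and the function names are my assumptions, chosen so the reported value carries the inner realm without exposing the inner username.

```python
"""Illustrative inner/outer realm consistency check for an EAP home server.

Constructed example for the mailing-list discussion above; not FreeRADIUS code.
The decision also carries the identity the home server would report towards
the NAS (for example in a User-Name or CUI attribute) so that the inner realm
is visible to the visited network when realms are allowed to differ.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


def split_nai(identity: str) -> Tuple[str, Optional[str]]:
    """Split a Network Access Identifier into (username, realm).

    A bare username with no '@' (the thread's outer "anonymous") has realm
    None. The split is on the last '@' so a username that itself contains
    '@' keeps its realm intact. Realms are compared case-insensitively.
    """
    if "@" not in identity:
        return identity, None
    user, _, realm = identity.rpartition("@")
    return user, (realm.lower() or None)


@dataclass
class Decision:
    accept: bool
    reason: str
    # Identity the home server would send towards the NAS; None when rejected.
    reported_identity: Optional[str] = None


def check_identities(outer: str, inner: str,
                     allow_differing_realms: bool = False) -> Decision:
    """Apply the realm policy to an outer (EAP-Identity) and inner identity."""
    outer_user, outer_realm = split_nai(outer)
    _inner_user, inner_realm = split_nai(inner)

    # The inner identity is what is actually authenticated; without a realm
    # there is nothing to tie the session to a home organisation.
    if inner_realm is None:
        return Decision(False, "inner identity has no realm")

    # Assumed reporting form: keep the (privacy-preserving) outer username,
    # always attach the inner realm so the NAS learns the realm that was
    # actually authenticated.
    reported = f"{outer_user}@{inner_realm}"

    if outer_realm is None or outer_realm == inner_realm:
        return Decision(True, "realms consistent", reported)

    if allow_differing_realms:
        return Decision(True, "realms differ, inner realm reported to NAS", reported)

    return Decision(False, "inner realm differs from outer realm")


if __name__ == "__main__":
    # Constructed sample identity pairs, not captured traffic.
    samples = [
        ("anonymous@example.com", "alice@example.com", False),
        ("anonymous", "alice@example.com", False),
        ("anonymous@example.com", "alice@other.org", False),
        ("anonymous@example.com", "alice@other.org", True),
        ("anonymous@example.com", "alice", False),
    ]
    for outer, inner, allow in samples:
        d = check_identities(outer, inner, allow)
        print(f"{outer:24} {inner:20} allow={allow!s:5} -> "
              f"{'ACCEPT' if d.accept else 'REJECT'}: {d.reason}"
              f"{' (report ' + d.reported_identity + ')' if d.reported_identity else ''}")
```

Run as a script it prints the decision for each constructed pair; the `allow_differing_realms` flag is where a deployment that requires different outer and inner realms would opt in, and the reported identity is what it would then need to forward.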