hi Lars
> What weird way are you referring to? Is it the "Use a different user
> name for the connection" check box you are talking about or something
> else?
yes, exactly.
>> so we probably shouldn't verify that...
>
>
> But if you don't verify that the User-Name (or EAP identity, if you
> have already verified that the User-Name and EAP identity is the
> same) corresponds to the certificate then any authorization or
> accounting is basically meaningless.
i agree with that too, but why does this box exist in Windows then? i
personally tend to think (and so I used it in that way sometimes during
the test phase), that it exists in order to add a realm to the name.
an example: when you are certifying users in your closed domain, you
could have certified users like "lars", "artur", etc., why not, it's
your domain, so you don't care. then, one day, you expand and your
domain gets a second part, with a completely different architecture. so, you
would like the radius server in the second part to simply forward the
request to the original domain, right? (you bet that re-certification is
NOT wanted). so with the current approach, you simply type in windows
XP: use another name for this connection: windows proposes "artur", you
add "@old_site" or something similar and here we go, the radius server
forwards to the old site and everything works (with the new server
stripping the realm away, e.g., or having reconfigured the server at
old_site).
if you verify that, then you have a problem. it won't work.
i would tend to think that the certificate has to be seen as the
authentication method and the only reliable information. now of course
you are right that it has to be bound to the User-Name, since the
authorization happens with that one later... perhaps we have to define
rules for equality of User-Name and the certified identity. one
reasonable way for equality would be to take into consideration the
defined realms and suffixes in the radius.conf (proxy.conf).
i.e., if e.g. in the radius.conf you've defined a suffix "@", and a
realm "old_site1", then freeradius should consider the certified "kevin"
and the User-Name "kevin@old_site1" as being the same, except of course
if it knows "kevin" locally. just an idea, which probably has bugs.
what do you think?
ciao
artur
--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr Département Informatique et Réseaux
+33 1 45 81 7507 46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr ENST Paris
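The realm-aware equality rule sketched in the message above, as an added example that is not FreeRADIUS code and not part of the original post. The realm list, the "@" suffix and the set of locally known users are constructed stand-ins for what radius.conf/proxy.conf would define; the point is that a User-Name is only accepted when it is the certified identity, optionally decorated with a configured realm, so the name later used for authorization and accounting stays bound to the certificate.

```python
# Added example (hypothetical helper, not FreeRADIUS's own logic):
# decide whether a RADIUS User-Name / EAP identity is "the same" as the
# identity taken from the client certificate, allowing a configured
# realm suffix but nothing else.
from dataclasses import dataclass
from typing import Optional

# Constructed configuration standing in for proxy.conf / radius.conf.
REALM_SUFFIX = "@"
KNOWN_REALMS = {"old_site1", "old_site2"}   # realms we can proxy to
LOCAL_USERS = {"lars"}                       # users known locally


@dataclass(frozen=True)
class Identity:
    user: str
    realm: Optional[str]   # None means undecorated (local) name


def split_identity(name: str) -> Identity:
    """Split 'user@realm' into parts; a bare name has no realm.
    Realms are folded to lower case, the user part is kept as sent."""
    if REALM_SUFFIX not in name:
        return Identity(name, None)
    user, _, realm = name.rpartition(REALM_SUFFIX)
    return Identity(user, realm.lower() or None)


def identities_match(user_name: str, certified: str) -> bool:
    """True only when User-Name is the certified identity, possibly
    carrying a realm that is configured; everything else is rejected."""
    u = split_identity(user_name)
    c = split_identity(certified)
    if u.user != c.user:
        return False                    # different user: never equal
    if u.realm == c.realm:
        return True                     # identical decoration (or none)
    if c.realm is None and u.realm in KNOWN_REALMS:
        # cert says "kevin", User-Name says "kevin@old_site1": equal,
        # unless "kevin" is a local user, in which case the realm-
        # decorated name designates someone else (the "except" case).
        return c.user not in LOCAL_USERS
    return False                        # unknown realm or realm mismatch
```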