And when using certificates, TTLS and PEAP are problematic. There's an "outer" User-Name, and an "inner" User-Name. Which one do you use? You can send a User-Name back in an Access-Accept, but you need to send the inner one, as the outer is often "anonymous". But if you do that, everyone else on the network can see that inner username... which was previously hidden in a TLS tunnel.
It's not nice.
Well, that's not _that_ bad. The main issue with user privacy is to protect it on the public (often wireless) link, that is, on the outer side of the NAS. What happens between the NAS and the RADIUS server can be protected from "listeners" by other means: IPsec, dedicated VLANs, etc.
ciao artur
-- Artur Hecker artur[at]hecker.info
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
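To make the disagreement in the two mails above concrete, here is an added example (written for this page; it is not code from the thread's authors or from FreeRADIUS). It builds a RADIUS Access-Request carrying an "anonymous" outer User-Name and an Access-Accept that returns the inner (real) User-Name, then shows what a passive observer on the NAS-to-server link can read without the shared secret. The shared secret, the identities, the request authenticator and the EAP-Message bytes standing in for the TLS tunnel are all constructed values; real attribute encoding follows RFC 2865, including the MD5-based Response Authenticator, so the packets are well-formed.

```python
"""RADIUS User-Name leak walk-through (added example, not from the list thread).

Everything here is constructed offline: no sockets, no real credentials.
The point it demonstrates: RADIUS attributes travel in cleartext over UDP
(only User-Password is obfuscated), so a User-Name returned in an
Access-Accept is readable by anyone between NAS and server. The Response
Authenticator only protects integrity for a party holding the secret.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79

# Constructed sample values (assumptions, not from the original mails).
SECRET = b"testing123"
OUTER_IDENTITY = b"anonymous@example.org"   # what the supplicant sends in the clear
INNER_IDENTITY = b"alice@example.org"       # what was hidden inside the TLS tunnel
REQUEST_AUTH = bytes(range(16))             # fixed stand-in for a random authenticator
FAKE_TUNNEL_BYTES = b"\x02\x01\x00\x0a\x15\x00\x01\x02\x03\x04"  # placeholder EAP-Message


def encode_attrs(attrs):
    """Encode (type, value) pairs as RFC 2865 TLV attributes."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse TLV attributes; rejects truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, request_auth, attrs):
    """Access-Request: authenticator field is the (here fixed) Request Authenticator."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + request_auth + body


def build_access_accept(ident, request_auth, attrs, secret):
    """Access-Accept with Response Authenticator per RFC 2865 section 3:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """What the NAS does: integrity check, requires the shared secret."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def observer_user_names(packet):
    """What a sniffer on the NAS<->server link sees: no secret needed."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (ACCESS_REQUEST, ACCESS_ACCEPT):
        raise ValueError("not a well-formed RADIUS packet")
    return [v.decode("utf-8") for t, v in decode_attrs(packet[20:]) if t == ATTR_USER_NAME]


def demo():
    """Run the exchange and report what the observer learns from each packet."""
    req = build_access_request(7, REQUEST_AUTH, [
        (ATTR_USER_NAME, OUTER_IDENTITY),
        (ATTR_EAP_MESSAGE, FAKE_TUNNEL_BYTES),   # inner identity is inside here, opaque
    ])
    # Server returns the inner identity, as the first mail describes.
    acc = build_access_accept(7, REQUEST_AUTH, [(ATTR_USER_NAME, INNER_IDENTITY)], SECRET)
    return {
        "request_seen": observer_user_names(req),   # ["anonymous@example.org"]
        "accept_seen": observer_user_names(acc),    # ["alice@example.org"]  <- the leak
        "nas_accepts": verify_response(acc, REQUEST_AUTH, SECRET),
        "forged_secret_rejected": not verify_response(acc, REQUEST_AUTH, b"wrong"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The observer reads `alice@example.org` from the Accept with nothing but a capture, which is the first mail's objection; whether that matters depends on who can capture the NAS-to-server segment, which is the second mail's point. The usual ways to close the gap on that segment are the ones Artur lists (IPsec, an isolated VLAN) or RADIUS over TLS.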