> Nick Lowe wrote:
> So, a compliant NAS that is able to treat the User-Name AVP as being
> authoritative would get to see the real, inner identity and in a
> normalised form.
As an aside to the mechanics of this, if you do this, test your NAS under simulated user load. We found that our Cisco WLC equipment didn't like that and leaked internal resources, which eventually ran out. We were adding some additional information to the username, so we had many more differences between the outer and inner IDs, and even so it took a few days for the problem to come to a head. This should be fixed in the latest software, but we haven't re-tested that yet.

It also wouldn't hurt to sniff the resulting EAPOL and any associated packets to ensure the NAS hasn't figured out some vendor-specific way to leak that inner identity to the wire/wifi, and of course review your security expectations between the AS and NAS.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html