> So which id are you talking about?
>
> If it's the outer and the user has configured the machine correctly, all you're going to see is @realm - not much use other than "it's that institution".
>
> If it's the inner then o.k. you've got a realm from the outer user-name and a userid from the inner but any accounting will be dumped locally.
>
> If it's the inner and you've got a realm then you've got your userid to hand over and all the accounting should go back to the home institution.
>
> … or have I got that wrong?
>
> Rgds
> A
I am primarily interested in returning the inner identity normalised as username@realm in the User-Name AVP in Access-Accepts for authentication performed internally, so that the Aerohive APs we have are able to work with the real identity rather than the anonymous outer. This is important for us to get the new L7 application visibility features in HiveOS 6.0 working properly and have some value.

Additionally, for internal authentication, users can get away with simply using username, realm\username or username@realm in the inner and, at present, the Aerohive APs treat the same user as being discrete users where the identity is supplied in a different format. I want to sort this somehow... (I am, however, loath to mandate that the identity be supplied as username@realm to begin with as it will break existing configuration. This is for authentication not on an eduroam SSID.)

For eduroam in general, it would be far less of an issue as users are always forced to use the fully qualified username@realm (often anonymous@realm), but I would be interested in a method to get an anonymised unique id for the user from the home institution. (Is that personal data at that point? In the case of abuse, you would still have to go back to the home institution and know nothing about the user as you do not have their real identity.)

Thinking about things, I think an appropriate compromise for eduroam, therefore, would be to mandate the return of an anonymised unique id with realm for each user in the User-Name AVP in the Access-Accept.

Thoughts?

Nick

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
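The two things Nick asks for above, as an added example that is not part of the original thread and not FreeRADIUS or Aerohive code: normalising the three inner-identity spellings (username, realm\username, username@realm) to one canonical username@realm for the Access-Accept User-Name, and deriving a keyed pseudonym with realm that the home institution can map back but the visited site cannot. The default realm, the secret and the sample identities are constructed for the example.

```python
import hmac
import hashlib
from typing import Optional

# Constructed default realm applied when the inner identity carries none
# (not a value from the thread).
DEFAULT_REALM = "example.ac.uk"


def normalise_inner_identity(inner: str, default_realm: str = DEFAULT_REALM) -> str:
    """Return the inner identity as lower-case username@realm.

    Handles the three forms mentioned in the thread. A realm given in
    NetBIOS style (REALM\\user) is lower-cased as-is; mapping it to a
    DNS-style realm, if needed, is left to the deployment.
    """
    ident = inner.strip()
    if "\\" in ident:
        realm, _, user = ident.partition("\\")
    elif "@" in ident:
        user, _, realm = ident.rpartition("@")
    else:
        user, realm = ident, default_realm
    if not user or not realm:
        raise ValueError(f"cannot parse inner identity: {inner!r}")
    return f"{user.lower()}@{realm.lower()}"


def pseudonymous_identity(canonical: str, secret: bytes) -> str:
    """Derive a stable per-user pseudonym, keyed with a secret held only by
    the home institution. The visited site receives a unique id plus realm
    but cannot recover the real username; the home institution can re-derive
    the mapping from its own user list when following up an abuse report.
    """
    _, _, realm = canonical.rpartition("@")
    tag = hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{tag}@{realm}"


def access_accept_user_name(inner: str, secret: Optional[bytes] = None) -> str:
    """Value to place in the Access-Accept User-Name AVP.

    Without a secret (internal SSID case) the normalised real identity is
    returned; with a secret (eduroam case) the pseudonym is returned instead.
    """
    canonical = normalise_inner_identity(inner)
    return canonical if secret is None else pseudonymous_identity(canonical, secret)
```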

