We need to be able to track the real user name for DMCA and other security purposes.
Our current RADIUS (Steel-Belted Radius) server returns a class attribute to the NAS with the user's inner identity encrypted. The RADIUS server is smart enough to decrypt the class attribute when it gets returned in the accounting record from NAS and substitute it to for the outer identity. Microsoft NPS uses the outer identity for the username when authenticating, in effect forcing it be the same as the inner identity, you can work around this but then the user can over ride the out identity. There is a script in the goodies directory "eap_anon_hook.pl" that will tracks the users inner identity, but I'm having trouble getting it working with SQL Server. -Neil -- Neil Johnson Network Engineer Information Technology Services The University of Iowa 319 384-0938 [email protected] From: Stephen A. Felicetti [mailto:[email protected]] Sent: Thursday, November 11, 2010 10:49 AM To: [email protected]; Johnson, Neil M Subject: Re: [RADIATOR] EAP Forcing outer identity to match inner identity If I understand you correctly....are you looking to associate a user directly to a device they own (pda, laptop, etc).? If so, I think the challenge would be how to control whether the outer identity can be changed by the user. If I were a bad guy, I'd just impersonate someone else, and just change the outer identity as appropriate. If I were a good guy and needed to attach to the network on someone else's device, I would just enter my information as appropriate. Either way, I wouldn't take it as a reliable indicator of who is using what. Having said that, I'm sorry to say that I wouldn't know how to do it without research. -Steve On Nov 11, 2010, at 11:31 AM, Johnson, Neil M wrote: Because I want to make sure that the RADIUS accounting logs reflect the user's real identity for forensic purposes. -Neil -- Neil Johnson Network Engineer Information Technology Services The University of Iowa 319 384-0938 [email protected]<mailto:[email protected]> > -----Original Message----- > From: Alan Buxey [mailto:[email protected]] > Sent: Thursday, November 11, 2010 10:25 AM > To: Johnson, Neil M > Cc: [email protected]<mailto:[email protected]> > Subject: Re: [RADIATOR] EAP Forcing outer identity to match inner > identity > > Hi, > > Does anyone have suggestion on how to reject a user if there outer > identity doesn't match their inner identity ? > > why should it? thats why the outerid can be anonymous (granted, > Windows have only > just added that feature in Vista and 7 - but anonymous outer ID has > been in most > EAP clients for a long time.) by enforcing this you force people to > put their real > ID into the open outer id and thus tell remote places who they are. > that shouldnt > be the concern of the remote site - the home site cares because they > are the ones > that authenticate you and validate you. > > alan _______________________________________________ radiator mailing list [email protected]<mailto:[email protected]> http://www.open.com.au/mailman/listinfo/radiator
_______________________________________________ radiator mailing list [email protected] http://www.open.com.au/mailman/listinfo/radiator
