We use the eap_acct_username script (in the goodies directory) instead of eap_anon_hook. Place it in the Handler TunneledBy as a post-processing hook. It works like a charm for TTLS and PEAP.

I think hiding the outer identity is a good thing.

Steve

On 11/11/10 12:15 PM, "Johnson, Neil M" <[email protected]> wrote:

> We need to be able to track the real user name for DMCA and other security purposes.
>
> Our current RADIUS (Steel-Belted Radius) server returns a Class attribute to the NAS with the user's inner identity encrypted. The RADIUS server is smart enough to decrypt the Class attribute when it gets returned in the accounting record from the NAS and substitute it for the outer identity.
>
> Microsoft NPS uses the outer identity for the username when authenticating, in effect forcing it to be the same as the inner identity; you can work around this, but then the user can override the outer identity.
>
> There is a script in the goodies directory, "eap_anon_hook.pl", that will track the user's inner identity, but I'm having trouble getting it working with SQL Server.
>
> -Neil
>
> --
> Neil Johnson
> Network Engineer
> Information Technology Services
> The University of Iowa
> 319 384-0938
> [email protected]
>
> From: Stephen A. Felicetti [mailto:[email protected]]
> Sent: Thursday, November 11, 2010 10:49 AM
> To: [email protected]; Johnson, Neil M
> Subject: Re: [RADIATOR] EAP Forcing outer identity to match inner identity
>
> If I understand you correctly... are you looking to associate a user directly to a device they own (PDA, laptop, etc.)?
>
> If so, I think the challenge would be how to control whether the outer identity can be changed by the user. If I were a bad guy, I'd just impersonate someone else, and just change the outer identity as appropriate. If I were a good guy and needed to attach to the network on someone else's device, I would just enter my information as appropriate. Either way, I wouldn't take it as a reliable indicator of who is using what.
>
> Having said that, I'm sorry to say that I wouldn't know how to do it without research.
>
> -Steve
>
> On Nov 11, 2010, at 11:31 AM, Johnson, Neil M wrote:
>
> Because I want to make sure that the RADIUS accounting logs reflect the user's real identity for forensic purposes.
>
> -Neil
>
> --
> Neil Johnson
> Network Engineer
> Information Technology Services
> The University of Iowa
> 319 384-0938
> [email protected]
>
>> -----Original Message-----
>> From: Alan Buxey [mailto:[email protected]]
>> Sent: Thursday, November 11, 2010 10:25 AM
>> To: Johnson, Neil M
>> Cc: [email protected]
>> Subject: Re: [RADIATOR] EAP Forcing outer identity to match inner identity
>>
>> Hi,
>>
>>> Does anyone have a suggestion on how to reject a user if their outer identity doesn't match their inner identity?
>>
>> why should it? that's why the outer ID can be anonymous (granted, Windows have only just added that feature in Vista and 7 - but anonymous outer ID has been in most EAP clients for a long time.) by enforcing this you force people to put their real ID into the open outer ID and thus tell remote places who they are. that shouldn't be the concern of the remote site - the home site cares because they are the ones that authenticate you and validate you.
>>
>> alan
>
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator
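The Class-attribute approach Neil describes, as an added example that is not code from this thread, from Radiator or from Steel-Belted Radius: the authenticating server seals the inner identity into the Class value, the NAS echoes Class back in the accounting record, and the accounting side verifies, decrypts and substitutes it for the outer identity, so a user who picks an arbitrary outer identity still shows up in the logs under the name they actually authenticated with. The construction (HMAC-SHA256 in counter mode for confidentiality plus a truncated HMAC tag), the shared key and the sample record are assumptions of this example, not what any of the products mentioned do.

```python
import base64, binascii, hashlib, hmac, secrets

NONCE_LEN, TAG_LEN = 12, 16

def _subkey(key, label):
    # Distinct keys for keystream and tag, so the two HMAC uses never share an input space.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 used as a PRF in counter mode (an assumption of this example).
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def make_class_attribute(key, inner_identity, nonce=None):
    """Authenticating side: seal the inner identity as base64(nonce || ciphertext || tag)."""
    nonce = nonce or secrets.token_bytes(NONCE_LEN)
    pt = inner_identity.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(_subkey(key, b"enc"), nonce, len(pt))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return base64.b64encode(nonce + ct + tag).decode("ascii")

def recover_inner_identity(key, class_value):
    """Accounting side: the inner identity, or None if Class is absent, malformed or forged."""
    try:
        blob = base64.b64decode(class_value or "", validate=True)
    except binascii.Error:
        return None
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None  # neither the client nor the NAS can mint a Class that names another user
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))
    return pt.decode("utf-8", errors="replace")

def rewrite_accounting(key, record):
    """Substitute the recovered inner identity for the outer User-Name, keeping the outer too."""
    out = dict(record)
    inner = recover_inner_identity(key, record.get("Class"))
    if inner is not None:
        out["Outer-Identity"] = record.get("User-Name")
        out["User-Name"] = inner
    return out
```

Records whose Class fails verification are left untouched rather than rewritten, so a forged or truncated Class degrades to the outer identity instead of planting a false name in the forensic log.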
