At 15:34 -0700 06/01/2006, David Morton wrote:
>Unfortunately it is the design of PEAP (and TTLS) to offer separate
>inner and outer identities.

A little Googling seems to reveal that Radiator has a hook that requires the inner and outer identities to be identical. Steel Belted RADIUS has a section in the manual called "Tunneled Accounting", which sounds very promising. We'll look into this and report anything back to the list.

============
>Tunneled accounting allows Steel-Belted Radius to pass user identity
>information to accounting processes without exposing user identities to a
>RAS or AP that should not see them. When tunneled accounting is enabled,
>RADIUS attributes are encrypted and encapsulated in a Class attribute. If
>the information for a Class attribute exceeds the attribute payload size
>(253 octets), Steel-Belted Radius returns more than one Class attribute for a
>user.
>
>The tunneled accounting transaction sequence is:
>
>1 The Steel-Belted Radius server acting as the tunnel endpoint for EAP/TTLS
>or EAP/PEAP encrypts a user's inner User-Name and Class attributes when it
>authenticates the user.
>2 The server returns the encrypted information to the RAS or AP encapsulated
>in a Class attribute in the outer Access-Accept message. The RAS or AP
>associates this encapsulated identity attribute with the user, and echoes the
>encapsulated identity attribute whenever it generates an accounting request
>for the user.
>3 When Steel-Belted Radius receives an accounting request from a RAS or
>Access Point, it scans the request for an encapsulated identity attribute.
>4 If Steel-Belted Radius finds an encapsulated identity attribute, it
>de-encapsulates and decrypts the attributes to reconstitute the original
>inner User-Name and Class attributes.
>5 Steel-Belted Radius substitutes the decrypted attributes for the ones
>returned from the RAS or AP.
>6 Steel-Belted Radius processes the accounting request locally or forwards
>the accounting request through the proxy to its intended target.
>
>To implement tunneled accounting, you must configure the classmap.ini file
>to specify how attributes should be presented, and you must configure the
>spi.ini file to specify the keys that are used to encrypt and decrypt
>users' identity information. The classmap.ini file and the file are
>described in the Steel-Belted Radius Reference Guide.
=================

-- 
Julian Y. Koh
Network Engineer, Telecommunications and Network Services
Northwestern University
PGP Public Key: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html>

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
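The six-step tunneled accounting sequence quoted above, modelled as an added Python example (this is not Steel-Belted Radius code; the manual excerpt does not describe SBR's actual cipher, Class attribute layout or spi.ini key format, so an HMAC-SHA256 counter-mode keystream with an HMAC tag is assumed as a stand-in, and the 253-octet split is the only detail taken from the page):

```python
import hmac, hashlib, os, struct

CLASS_MAX = 253  # Class attribute payload limit quoted from the SBR manual

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode; assumed stand-in for SBR's real cipher.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:n]

def encapsulate_identity(key, inner_user, inner_class):
    """Steps 1-2: encrypt the inner User-Name + Class at authentication time and
    return the Class attribute values (<= 253 octets each) for the outer Access-Accept."""
    plain = struct.pack(">H", len(inner_user)) + inner_user + inner_class
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    blob = nonce + ct + tag
    return [blob[i:i + CLASS_MAX] for i in range(0, len(blob), CLASS_MAX)]

def decapsulate_identity(key, class_values):
    """Steps 3-4: reassemble the Class attributes echoed by the RAS/AP, verify the
    tag and decrypt; returns (inner_user, inner_class), or None if absent or tampered."""
    blob = b"".join(class_values)
    if len(blob) < 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        return None
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    ulen = struct.unpack(">H", plain[:2])[0]
    return plain[2:2 + ulen], plain[2 + ulen:]

def process_accounting(key, acct_request):
    """Step 5: substitute the decrypted inner attributes for the outer identity the
    RAS/AP reported; a request with no valid blob is passed through unchanged."""
    ident = decapsulate_identity(key, acct_request.get("Class", []))
    if ident is None:
        return dict(acct_request)
    inner_user, inner_class = ident
    return {**acct_request, "User-Name": inner_user, "Class": [inner_class]}

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; stands in for the spi.ini key
    classes = encapsulate_identity(key, b"jdoe@example.edu", b"dept=physics")
    # The AP only ever sees the outer identity plus the opaque Class blob(s).
    acct = {"User-Name": b"anonymous@example.edu", "Acct-Status-Type": "Start", "Class": classes}
    print(process_accounting(key, acct)["User-Name"])  # b'jdoe@example.edu'
```

Because the tag is checked before decryption, a Class value altered or forged by an AP is dropped and the outer (anonymous) identity is kept, which is what accounting records would then show.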
