> From: Artur Hecker [mailto:[EMAIL PROTECTED]]
> Sent: den 19 november 2002 18:49
> To: [EMAIL PROTECTED]
> Subject: Re: eap_identity or username attribute?
>
> Lars,
>
> in the IEEE Std 802.1X-2001 there is the following:
>
> D.3.1 User-Name
> In IEEE Std 802.1X-2001, the supplicant typically provides its
> identity via an EAP-Response/Identity message. Where available, the
> supplicant identity is included in the User-Name attribute and included
> in the RADIUS Access-Request and Access-Reply messages as specified in
> IETF RFC 2865.
> Alternatively, where Service-Type = Call Check, the User-Name attribute
> contains the Calling-Station-ID value, which is set to the Supplicant
> MAC address.

This is basically the same text as in the congdon ID.

> > I think the critical point is that the rlm_eap_tls module should
> > verify that the User-Name, that is used for authorization, corresponds
> > to the client certificate used for authentication. It looks like it
> > doesn't do this currently.
>
> Spontaneously, I would agree with that, but we should definitely verify
> it for the case of proxying. Notably the stripping of realms could
> provoke enormous problems here, don't you think? (Since the realm
> syntax is completely free, this includes every modification of User-Name
> whatsoever.)

I'm not quite sure I understand what the problem is. I would say that
the rlm_eap_tls module has to check that the User-Name/EAP-Identity
corresponds to the client certificate (this is a SHOULD in RFC 2716).
Otherwise there is little point in authorizing at all.

> Additionally, the "Alternatively...." part of the citation above could
> be a problem, too.

I don't really think it makes sense to use EAP-TLS with Service-Type =
Call Check, so I'm not sure this is a problem.

> Nothing to do with the topic, but since everybody is talking about this
> draft: after all it's still a draft, and perhaps it will never become an
> RFC, what do you think?
>
> We have to follow the 802.1X norm, and also here I have some doubts
> about the proxying.

I don't think there are any contradictions between Std 802.1X and the
congdon ID.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
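The identity-binding rule discussed above (the User-Name/EAP-Identity used for authorization must correspond to the authenticated client certificate), written out as an added example; this is not FreeRADIUS's rlm_eap_tls code. It assumes the certificate has already been parsed into a dict of subject CN and SAN rfc822Name values (constructed sample data), and it handles the two cases the thread worries about: Service-Type = Call-Check, where User-Name carries a MAC address, and realm stripping by proxy logic, where only removal of the realm is accepted, never a rewritten user part.

```python
import re

# Calling-Station-Id style MAC address, as seen in User-Name when Service-Type = Call-Check.
MAC_RE = re.compile(r"^[0-9a-f]{2}([-:]?[0-9a-f]{2}){5}$", re.IGNORECASE)

# Constructed stand-in for a parsed client certificate (not a real certificate).
SAMPLE_CERT = {"subject_cn": "alice", "san_rfc822": ["alice@example.org"]}


def split_realm(name):
    """Split 'user@realm' into (user, realm); realm is None when absent."""
    user, sep, realm = name.rpartition("@")
    return (user, realm) if sep else (name, None)


def cert_identities(cert):
    """Identities the client certificate asserts: subject CN plus SAN rfc822Name entries."""
    ids = []
    if cert.get("subject_cn"):
        ids.append(cert["subject_cn"])
    ids.extend(cert.get("san_rfc822", []))
    return ids


def check_identity_binding(eap_identity, cert, service_type=None, stripped_user_name=None):
    """Return (ok, reason): does the identity used for authorization match the
    certificate that authenticated the session?"""
    # Call-Check puts the supplicant MAC address in User-Name; a certificate
    # cannot vouch for that value, so there is nothing to bind it to.
    if service_type == "Call-Check" or MAC_RE.match(eap_identity):
        return False, "User-Name is a MAC address, not an identity bound to the certificate"
    user, _realm = split_realm(eap_identity)
    matched = None
    for ident in cert_identities(cert):
        ident_user, ident_realm = split_realm(ident)
        # A full identity (rfc822Name) must match as a whole; a bare subject CN
        # matches the user part of the EAP-Identity.
        if ident.lower() == eap_identity.lower() or (
            ident_realm is None and ident_user.lower() == user.lower()
        ):
            matched = ident
            break
    if matched is None:
        return False, "EAP-Identity does not correspond to the client certificate"
    # Proxying/realm handling may rewrite User-Name before authorization; accept
    # only the stripping of the realm, never a changed user part.
    if stripped_user_name is not None and stripped_user_name.lower() != user.lower():
        return False, "Stripped User-Name %r no longer matches certificate identity %r" % (
            stripped_user_name, matched)
    return True, "identity bound to certificate identity %r" % matched
```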