to the original question: the two fields should be the same, that's now
verified.

to Lars:

since the draft and the standard basically state the same, let's refer
to the standard :) but that's not the point...

i only wanted to say that the certified identity could be e.g. [EMAIL PROTECTED]. so, the eap-id would carry [EMAIL PROTECTED]. each AP should basically put this value into User-Name, so it would be [EMAIL PROTECTED] again. We could verify that for both authentication and authorization the three fields are the same, certificate = eap-id = User-Name.

now the server receiving the request from the AP happens to be in visited.com. so it has to proxy the request to the home.com radius server. it could happen that home.com (being some huge ISP) demands a stripped user-name, i.e. simply kevin. so the server at visited.com would strip it, but in the User-Name only, since the EAP-Message is not considered when proxying. Now home.com, when running freeradius, would state that the three attributes mentioned before are *not* the same and would reject, right? or did i misunderstand your point?

well, i see, that there are work-arounds for it (do not use stripping :)). perhaps one could find better examples, i don't know.

what i'm saying is that we should be sure about demanding this equality. as already said, otherwise, i would agree with everything you said, especially that there is no point in those three being completely different. the problem is only the realm part (is kevin = [EMAIL PROTECTED]?), perhaps.


> I don't really think it makes sense to use EAP-TLS with Service-Type
> = Call Check, so I'm not sure this is a problem.

that i don't know, i'm not using that. if you are sure about this point, ok, let's forget this one.


> I don't think there are any contradictions between Std 802.1X and the
> congdon ID.

one more point for the standard, right? :-)


ciao

artur


--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr Département Informatique et Réseaux
+33 1 45 81 7507 46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr ENST Paris


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
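
The comparison discussed in this message (certificate identity = EAP-Identity = User-Name, and what happens once a proxy strips the realm from User-Name only), as an added example that is not part of the original post and not FreeRADIUS code. The function names, the `home_realm` parameter and the sample identities are assumptions; the samples are constructed from the names used in the message.

```python
from typing import NamedTuple, Optional, Tuple

class Identity(NamedTuple):
    user: str
    realm: Optional[str]   # None: no "@realm" suffix present

def parse_identity(value: str) -> Identity:
    # Split at the last "@"; realms are DNS-style names, so compare lowercased.
    user, sep, realm = value.rpartition("@")
    return Identity(user, realm.lower()) if sep else Identity(value, None)

def check_identities(cert_id: str, eap_id: str, user_name: str,
                     home_realm: Optional[str] = None) -> Tuple[bool, str]:
    """Return (accept, reason). home_realm=None selects the strict policy."""
    cert, eap, un = (parse_identity(v) for v in (cert_id, eap_id, user_name))
    if not cert.user:
        return False, "empty user part in certificate identity"
    # The certificate and the EAP-Identity travel inside EAP-Message, which
    # proxies do not rewrite, so these two must always match in full.
    if cert != eap:
        return False, "certificate identity != EAP-Identity"
    if un == cert:
        return True, "all three identical"
    # Strict policy: any difference in User-Name is a reject.
    if home_realm is None:
        return False, "User-Name != certificate identity (strict)"
    # Realm-aware policy: accept a User-Name whose realm was stripped, but only
    # when the certified realm is our own and the user part is unchanged.
    if (un.realm is None and un.user == cert.user
            and cert.realm == home_realm.lower()):
        return True, "User-Name stripped by proxy, certified realm is local"
    return False, "User-Name != certificate identity"

# Constructed sample values (not taken from a real deployment).
CERT = "kevin@home.com"      # identity certified in the client certificate
EAP = "kevin@home.com"       # EAP-Identity response, carried in EAP-Message
STRIPPED = "kevin"           # User-Name after the visited.com proxy stripped it

if __name__ == "__main__":
    print(check_identities(CERT, EAP, CERT))                          # no proxy
    print(check_identities(CERT, EAP, STRIPPED))                      # strict
    print(check_identities(CERT, EAP, STRIPPED, home_realm="home.com"))
```

With the strict policy the stripped request is rejected, which is the case raised above; the realm-aware variant accepts it only because the certified realm equals the home server's own realm.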
