> From: Artur Hecker [mailto:[EMAIL PROTECTED]]
> James Xie wrote:
> > Hi, Can I say both of you premise that NAS (radius client) must set
> > User-Name value to eap-id? I see in FreeRadius that the username to
>
> i can't speak for Lars, but i would say yes, that's what is
> dictated by the standard. the ap must set the User-Name to
> eap-id since it is the first instance to create a Radius
> packet. all packets before are NOT radius.

Promise that it "must" is a bit strong :-) However, I would say that a NAS that doesn't do this is broken.

> > used authorize is set to User-Name attribute value. If User-Name value
> > is null then eap-id is set to it. Now if NAS sends a packet to
> > FreeRadius whose User-Name attribute is not same as eap-id, then there
> > will be a logic bug. So I believe that it makes sense to let rlm_eap
> > module to check consistency between User-Name and eap-id.
>
> i believe it, too. i just have some doubts in the situation
> mentioned in my previous mail. i could be wrong, though :)
> but you still should prove it.

Yes, but note that just adding this check will not close the hole we discussed previously since the rlm_eap_tls module currently doesn't seem to check the EAP identity.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
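The consistency check discussed in this thread (User-Name versus the identity carried in EAP-Response/Identity) can be illustrated on the wire format. The following is an added example written for this page, not code from FreeRADIUS or its rlm_eap module; it assumes the standard RADIUS attribute layout (type, length, value; User-Name = 1, EAP-Message = 79) and the EAP header (code, id, length, type), reassembles EAP-Message fragments, and rejects a request whose User-Name does not match the EAP identity. The sample packets are constructed inline.

```python
import struct

# RADIUS attribute types (RFC 2865 / RFC 3579) and EAP constants (RFC 3748)
RADIUS_USER_NAME = 1
RADIUS_EAP_MESSAGE = 79
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def parse_radius_attributes(data: bytes):
    """Parse the attribute section of a RADIUS packet (after the 20-byte header)
    into a list of (type, value) pairs, validating every length field."""
    attrs = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def eap_identity(attrs):
    """Reassemble the EAP-Message fragments and return the identity from an
    EAP-Response/Identity, or None if the packet carries a different EAP message."""
    eap = b"".join(v for t, v in attrs if t == RADIUS_EAP_MESSAGE)
    if len(eap) < 5:
        return None
    code, _ident, length = struct.unpack("!BBH", eap[:4])
    if code != EAP_RESPONSE or length != len(eap) or eap[4] != EAP_TYPE_IDENTITY:
        return None
    return eap[5:length]


def check_identity_consistency(attrs):
    """Return (accepted, reason). A NAS that fills User-Name from the EAP
    identity passes; a mismatch or a missing User-Name is rejected."""
    user_name = next((v for t, v in attrs if t == RADIUS_USER_NAME), None)
    identity = eap_identity(attrs)
    if identity is None:
        return (True, "no EAP-Response/Identity in this request, nothing to compare")
    if user_name is None:
        return (False, "User-Name missing although an EAP identity was sent")
    if user_name != identity:
        return (False, f"User-Name {user_name!r} != EAP identity {identity!r}")
    return (True, "User-Name matches EAP identity")


def build_attrs(user_name: bytes, identity: bytes) -> bytes:
    """Constructed test helper: build the attribute section of an Access-Request
    carrying User-Name and a single-fragment EAP-Response/Identity."""
    eap = struct.pack("!BBH", EAP_RESPONSE, 1, 5 + len(identity))
    eap += bytes([EAP_TYPE_IDENTITY]) + identity
    out = bytes([RADIUS_USER_NAME, 2 + len(user_name)]) + user_name
    out += bytes([RADIUS_EAP_MESSAGE, 2 + len(eap)]) + eap
    return out


if __name__ == "__main__":
    for name, ident in ((b"alice", b"alice"), (b"alice", b"bob")):
        print(name, ident, check_identity_consistency(parse_radius_attributes(build_attrs(name, ident))))
```

As the thread notes, this only covers the outer identity check in rlm_eap; an EAP method that authenticates a certificate (rlm_eap_tls) still needs to bind the identity it authenticated to the one the request claims.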