> As an aside to the mechanics of this, if you do this, test your NAS under
> simulated user load. We found that our Cisco WLC equipment didn't like
> that and leaked internal resources, which eventually ran out. We were
> adding some additional information to the username, so we had many more
> differences between the outer and inner IDs, and even so it took a few
> days for the problem to come to a head.

Interesting! Thanks for the heads up.

> This should be fixed in the latest software, but we haven't re-tested that yet.
>
> It also wouldn't hurt to sniff the resulting EAPOL and any associated packets
> to ensure the NAS hasn't figured out some vendor-specific way to leak
> that inner identity to the wire/wifi, and of course review your security
> expectations between the AS and NAS.

Agreed, the main concern for me would be leakage via wireless. I see the main purpose of identity privacy with PKI EAPs being to protect the identity from being trivially snooped by an outsider. With federations, I think it would be perfectly reasonable to expect and require the real identity be returned back to the host institution. (I expect others will, perhaps, disagree here though!? :P)

Nick

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
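The sniffing check suggested in the quoted advice can be automated: decode EAPOL-carried EAP-Response/Identity frames from a capture and flag any whose user part is not the anonymous outer identity. This is an added example, not code from the thread or from FreeRADIUS; it assumes Ethernet-framed EAPOL (a wired port mirror or already-decapsulated 802.11 data) and the common `anonymous@realm` outer-identity convention, and the frames it checks are constructed inline rather than captured.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPE_EAP = 0      # EAPOL packet type 0 carries an EAP packet
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")

def build_identity_response(identity: bytes, src_mac: bytes, eap_id: int = 1) -> bytes:
    """Constructed Ethernet + EAPOL + EAP-Response/Identity frame (test input, not a capture)."""
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id,
                      5 + len(identity), EAP_TYPE_IDENTITY) + identity
    eapol = struct.pack("!BBH", 1, EAPOL_TYPE_EAP, len(eap)) + eap
    return PAE_GROUP_MAC + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol

def extract_eap_identity(frame: bytes):
    """Return the identity from an EAPOL EAP-Response/Identity frame, or None for anything else."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    _version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    if eapol_type != EAPOL_TYPE_EAP or body_len < 5:
        return None
    eap = frame[18:18 + body_len]
    code, _eap_id, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        return None
    # RFC 3748: type-data may carry NUL-separated options after the identity itself
    return eap[5:eap_len].split(b"\x00", 1)[0].decode("utf-8", "replace")

def find_identity_leaks(frames, anonymous_users=("anonymous", "")):
    """Identities seen on the wire whose user part is not the expected anonymous outer identity."""
    leaks = []
    for frame in frames:
        ident = extract_eap_identity(frame)
        if ident is None:
            continue
        user, _sep, _realm = ident.partition("@")
        if user not in anonymous_users:
            leaks.append(ident)
    return leaks

if __name__ == "__main__":
    mac = bytes.fromhex("020000000001")   # constructed, locally administered MAC
    frames = [build_identity_response(b"anonymous@example.org", mac),
              build_identity_response(b"nick@example.org", mac, eap_id=2)]
    print(find_identity_leaks(frames))   # ['nick@example.org']
```

In practice the frame list would come from a capture (any pcap reader that yields raw Ethernet frames); a non-empty result means a real username reached the wire outside the TLS tunnel.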