Re: eap_identity or username attribute? (to Artur and lars)

[Artur Hecker]

hi


 If the realm is stripped away, wouldn't this work just
 fine as long   as you just verify the User-Name against the
 certificate and ignore   the EAP identity? e.g., but then you
 propose to not verify the equality of all THREE fields.


 Yes. As we have discussed the important point is to verify that the
 User-Name used for authorization (and accounting) corresponds to the
 certificate used for authentication. The EAP identity shouldn't
 really matter if the User-Name is used directly for this
 verification.

ok, so we would agree at:

use some handler id_equality(..., ...) for the verification of the 
equality of User-Name and the certified identity. make this handler 
configurable in radius.conf. provide common radius variables and in 
particular the realm suffixes and the configured realms to the handler 
in some form. (the best would be to provide the standard handler in this 
form, so everybody could modify the actual metrics).

something like that?


ciao
artur

--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr		  Département Informatique et Réseaux
+33 1 45 81 7507		46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eap_identity or username attribute? (to Artur and lars)

[Artur Hecker]

James Xie wrote:
 Hi, Can I say both of you premise that NAS(radius client) must set
 User-Name value to eap-id? I see in FreeRadius that the username to

i can't speak for Lars, but i would say yes, that's what is dictated by
the standard. the ap must set the User-Name to eap-id since it is the
first instance to create a Radius packet. all packets before are NOT radius.


 used authorize is set to User-Name attibute value. If User-Name value
 is null then eap-id is set to it. Now if NAS sends a packet to
 FreeRadius whose User-Name attibute is not same as eap-id, then there
 will be a logic bug. So I beleive that it make sense to let rlm_eap
 module to check consistency between User-Name and eap-id.

i believe it, too. i just have some doubts in the situation mentioned in
my previous mail. i could be wrong, though :) but you still should prove it.


ciao
artur




-- 
Artur Hecker Groupe Acc¨¨s et Mobilit¨¦
hecker[at]enst[dot]fr D¨¦partement Informatique et R¨¦seaux
+33 1 45 81 750746, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr  ENST Paris


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: eap_identity or username attribute? (to Artur and lars)

[Lars Viklund]

 From: Artur Hecker [mailto:[EMAIL PROTECTED]] 

 James Xie wrote:
  Hi, Can I say both of you premise that NAS(radius client) must set 
  User-Name value to eap-id? I see in FreeRadius that the username to
 
 i can't speak for Lars, but i would say yes, that's what is 
 dictated by the standard. the ap must set the User-Name to 
 eap-id since it is the first instance to create a Radius 
 packet. all packets before are NOT radius.

Promise that it must is a bit strong :-) However, I would say that a NAS that 
doesn't do this is broken.

  used authorize is set to User-Name attibute value. If 
 User-Name value 
  is null then eap-id is set to it. Now if NAS sends a packet to 
  FreeRadius whose User-Name attibute is not same as eap-id, 
 then there 
  will be a logic bug. So I beleive that it make sense to let rlm_eap 
  module to check consistency between User-Name and eap-id.
 
 i believe it, too. i just have some doubts in the situation 
 mentioned in my previous mail. i could be wrong, though :) 
 but you still should prove it.

Yes, but note that just adding this check will not close the hole we discussed 
previously since the rlm_eap_tls module currently doesn't seem to check the EAP 
identity.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eap_identity or username attribute? (to Artur and lars)

[Artur Hecker]

:)

Lars Viklund wrote:
 Promise that it must is a bit strong :-) However, I would say that
 a NAS that doesn't do this is broken.

so, you are stating the same :)) well, i would say, the first Radius 
client MUST do so, because otherwise what could it probably put inside 
of User-Name and why?


 i believe it, too. i just have some doubts in the situation
 mentioned in my previous mail. i could be wrong, though :) but you
 still should prove it.

 Yes, but note that just adding this check will not close the hole we
 discussed previously since the rlm_eap_tls module currently doesn't
 seem to check the EAP identity.

so you want the rlm_eap_tls to check if eap_id = certified identity, 
right? sounds very reasonable for me, but in some weird way, Windows XP 
gives the possibility to use a certificate and explicitely type in some 
name which has to be put in eap_identity then.

so we probably shouldn't verify that...


ciao
artur


--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr		  Département Informatique et Réseaux
+33 1 45 81 7507		46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: eap_identity or username attribute? (to Artur and lars)

[Lars Viklund]

 From: Artur Hecker [mailto:[EMAIL PROTECTED]] 
 Sent: den 20 november 2002 14:51
 To: [EMAIL PROTECTED]
 Subject: Re: eap_identity or username attribute? (to Artur and lars)

 so you want the rlm_eap_tls to check if eap_id = certified identity, 
 right? sounds very reasonable for me, but in some weird way, 
 Windows XP 
 gives the possibility to use a certificate and explicitely 
 type in some 
 name which has to be put in eap_identity then.

What wierd way are you refering to? Is it the Use a different user name for the 
connection check box you are talking about or something else?

 so we probably shouldn't verify that...

But if you don't verify that the User-Name (or EAP identity, if you have already 
verified that the User-Name and EAP identity is the same) corresponds to the 
certificate then any authorization or accounting is basically meaningless.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eap_identity or username attribute? (to Artur and lars)

[Artur Hecker]

hi Lars

 What wierd way are you refering to? Is it the Use a different user
 name for the connection check box you are talking about or something
 else?

yes, exactly.


 so we probably shouldn't verify that...


 But if you don't verify that the User-Name (or EAP identity, if you
 have already verified that the User-Name and EAP identity is the
 same) corresponds to the certificate then any authorization or
 accounting is basically meaningless.

i agree with that too, but why does this box exist in Windows then? i 
personally tend to think (and so I used it in that way some times during 
the test phase), that it exists in order to add a realm to the name.

an example: when you are certifying users in your closed domain, you 
could have certified users like lars, artur, etc., why not, it's 
your domain, so you don't care. then, one day, you expand and your 
domain gets a second part, with a complete another architecture. so, you 
would like the radius server in the second part simply forward the 
request to the original domain, right? (you bet that re-certification is 
NOT wanted). so with the current approach, you simply type in windows 
XP: use another name for this connection: windows proposes artur, you 
add @old_site or something similiar and here we go, the radius server 
forwards to the old site and everything works (with the new server 
stripping the realm away, e.g. or having reconfigured the server at 
old_site).

if you verify that, then you have a problem. it won't work.

i would tend to think, that the certificate has to be seen as the 
authentication method and the only reliable information. now of course 
you are right that is has to be bound to the User-Name, since the 
authorization happens with that one later... perhaps we have to define 
rules for equality of User-Name and the certified identity. one 
reasonable way for equality would be to take into consideration the 
defined realms and suffixes in the radius.conf (proxy.conf).

i.e., if e.g. in the radius.conf you've defined a suffix @, and a 
realm old_site1, then freeradius should consider the certified kevin 
and the User-Name kevin@old_site1 as being the same, except of course 
it knows kevin locally. just an idea, which probably has bugs.

what do you think?


ciao

artur




--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr		  Département Informatique et Réseaux
+33 1 45 81 7507		46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: eap_identity or username attribute? (to Artur and lars)

[Lars Viklund]

 From: Artur Hecker [mailto:[EMAIL PROTECTED]]
 Sent: den 20 november 2002 17:15
 To: [EMAIL PROTECTED]
 Subject: Re: eap_identity or username attribute? (to Artur and lars)

 i agree with that too, but why does this box exist in Windows then? i
 personally tend to think (and so I used it in that way some 
 times during 
 the test phase), that it exists in order to add a realm to the name.

I think the primary purpose is to allow the user to select a certificate other than 
the one associated with the currently logged in windows user. This makes perfect 
sense. 

The option to specify an EAP identity other than the one that corresponds to the 
certificate only seems to makes sense in some environments, for instance if you assume 
that all clients with valid certificates are implicitly authorized.

 an example: when you are certifying users in your closed domain, you
 could have certified users like lars, artur, etc., why not, it's 
 your domain, so you don't care.

Using such names in the certificates is obviously a bad idea :-)

 then, one day, you expand and your
 domain gets a second part, with a complete another 
 architecture. so, you 
 would like the radius server in the second part simply forward the 
 request to the original domain, right? (you bet that 
 re-certification is 
 NOT wanted). so with the current approach, you simply type in windows 
 XP: use another name for this connection: windows proposes 
 artur, you 
 add @old_site or something similiar and here we go, the 
 radius server 
 forwards to the old site and everything works (with the new server 
 stripping the realm away, e.g. or having reconfigured the server at 
 old_site).
 
 if you verify that, then you have a problem. it won't work.

If the realm is stripped away, wouldn't this work just fine as long as you just verify 
the User-Name against the certificate and ignore the EAP identity?

 i would tend to think, that the certificate has to be seen as the
 authentication method and the only reliable information. now 
 of course 

Yes.

 you are right that is has to be bound to the User-Name, since the
 authorization happens with that one later... 

Yes.

 perhaps we have
 to define 
 rules for equality of User-Name and the certified identity. one 
 reasonable way for equality would be to take into consideration the 
 defined realms and suffixes in the radius.conf (proxy.conf).

Maybe.

 i.e., if e.g. in the radius.conf you've defined a suffix @, and a
 realm old_site1, then freeradius should consider the 
 certified kevin 
 and the User-Name kevin@old_site1 as being the same, except 
 of course 
 it knows kevin locally. just an idea, which probably has bugs.
 
 what do you think?

I guess that would work at least for the scenario you described above. An alternative 
would be to by default require that the User-Name matches exactly, but allow the 
server configuration to instead specify an external program/script to do the 
comparison. That way you can handle all kind of weird cases but it is up to the server 
administrator to specify the exact rules for equality.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eap_identity or username attribute? (to Artur and lars)

[Artur Hecker]

hi Lars


 I think the primary purpose is to allow the user to select a
 certificate other than the one associated with the currently logged
 in windows user. This makes perfect sense.

no, i'm sorry it doesn't :) i can take a certificate of lars and use 
the name artur, windows has no problem with it whichsoever. 
additionally, one user can have a plenty of certificates which are all 
usable under the same login as long as he knows the private key 
password. under windows you can indeed choose the certificate, too, but 
in some other place...


 The option to specify an EAP identity other than the one that
 corresponds to the certificate only seems to makes sense in some
 environments, for instance if you assume that all clients with valid
 certificates are implicitly authorized.

usually, since you know the private key, you are good or at least you 
can be supposed to be the owner of that certificate.

basically, Lars, of course you are right :) we have to be aware that the 
proven identity is the certified identity. so, the proving server is the 
only one which can map this to whichever User-Name in a secure way. i.e. 
all the clients on the way UP should blindly copy and the proving server 
only can modify on the DOWNlink, if it thinks that it's ok.

the only point are the realms and all this stuff.

e.g. in my environment here, i use a common PKI between two 
universities. so basically, i can let verify my cert both at the local 
radius server and at the remote radius server. when i use an identity 
from the remote university, i can use the local server too. but, i can 
add @remote_univ in the windows XP window and the request will be 
proxied. that's a nice feature to have... we currently use normal 
certificates, i.e. we certify the Full Names and include the mail 
addresses, too. in that way, the domain name is included but Windows 
uses the Name part, not the email part (for what i've seen till now).


 an example: when you are certifying users in your closed domain,
 you could have certified users like lars, artur, etc., why not,
 it's your domain, so you don't care.

 Using such names in the certificates is obviously a bad idea :-)

s. above. it's true, that's a big problem in the certification anyway or 
 more generally in the security: which is the concerned identity? i bet 
that the user@realm isn't the best for the most applications. that's the 
problem. and nobody can afford three parallel PKIs today (the most 
people can't afford a stand-alone one...)


 If the realm is stripped away, wouldn't this work just fine as long
 as you just verify the User-Name against the certificate and ignore
 the EAP identity?

e.g., but then you propose to not verify the equality of all THREE fields.


 I guess that would work at least for the scenario you described
 above. An alternative would be to by default require that the
 User-Name matches exactly, but allow the server configuration to
 instead specify an external program/script to do the comparison. That
 way you can handle all kind of weird cases but it is up to the server
 administrator to specify the exact rules for equality.

ouch, no external scripts :) but that's a nice idea to let the admin 
specify the equality rule and the included attributes (if he takes in 
consideration User-Name, eap-id and the cert or just two of those, 
etc.). I can perfectly live with it.


ciao

artur



--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr		  Département Informatique et Réseaux
+33 1 45 81 7507		46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: eap_identity or username attribute? (to Artur and lars)

[Lars Viklund]

 From: Artur Hecker [mailto:[EMAIL PROTECTED]] 
 Sent: den 20 november 2002 19:16
 To: [EMAIL PROTECTED]
 Subject: Re: eap_identity or username attribute? (to Artur and lars)

   If the realm is stripped away, wouldn't this work just 
 fine as long   as you just verify the User-Name against the 
 certificate and ignore   the EAP identity?
 
 e.g., but then you propose to not verify the equality of all 
 THREE fields.

Yes. As we have discussed the important point is to verify that the User-Name used for 
authorization (and accounting) corresponds to the certificate used for authentication. 
The EAP identity shouldn't really matter if the User-Name is used directly for this 
verification. 

I think verifying that the User-Name matches the EAP identity is more of a sanity 
check that can be ignored, without affecting security, if that simplifies the 
scenarios you are thinking about.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eap_identity or username attribute? (to Artur and lars)

[James Xie]

Hi,
Can I say both of you premise that NAS(radius client) must set User-Name value to 
eap-id? I see in FreeRadius that the username to used authorize is set to User-Name 
attibute value. If User-Name value is null then eap-id is set to it. Now if NAS sends 
a packet to FreeRadius whose User-Name attibute is not same as eap-id, then there will 
be a logic bug. So I beleive that it make sense to let rlm_eap module to check 
consistency between User-Name and eap-id.

.+-Šwèþ˛±ÊâmïîžË›±Êâmäžzm§ÿðÃëyêÚv+¬¢¸?–+-þë®Èmš