Re: eap_identity or username attribute? (to Artur and lars)

[Artur Hecker]

hi


>>> If the realm is stripped away, wouldn't this work just
>> fine as long  > as you just verify the User-Name against the
>> certificate and ignore  > the EAP identity?>> e.g., but then you
>> propose to not verify the equality of all THREE fields.
>
>
> Yes. As we have discussed the important point is to verify that the
> User-Name used for authorization (and accounting) corresponds to the
> certificate used for authentication. The EAP identity shouldn't
> really matter if the User-Name is used directly for this
> verification.

ok, so we would agree at:

use some handler id_equality(..., ...) for the verification of the 
equality of User-Name and the certified identity. make this handler 
configurable in radius.conf. provide common radius variables and in 
particular the realm suffixes and the configured realms to the handler 
in some form. (the best would be to provide the standard handler in this 
form, so everybody could modify the actual metrics).

something like that?


ciao
artur

--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr		  Département Informatique et Réseaux
+33 1 45 81 7507		46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: eap_identity or username attribute? (to Artur and lars)

[Lars Viklund]

> From: Artur Hecker [mailto:[EMAIL PROTECTED]] 
> Sent: den 20 november 2002 19:16
> To: [EMAIL PROTECTED]
> Subject: Re: eap_identity or username attribute? (to Artur and lars)

>  > If the realm is stripped away, wouldn't this work just 
> fine as long  > as you just verify the User-Name against the 
> certificate and ignore  > the EAP identity?
> 
> e.g., but then you propose to not verify the equality of all 
> THREE fields.

Yes. As we have discussed the important point is to verify that the User-Name used for 
authorization (and accounting) corresponds to the certificate used for authentication. 
The EAP identity shouldn't really matter if the User-Name is used directly for this 
verification. 

I think verifying that the User-Name matches the EAP identity is more of a sanity 
check that can be ignored, without affecting security, if that simplifies the 
scenarios you are thinking about.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eap_identity or username attribute? (to Artur and lars)

[Artur Hecker]

hi Lars


> I think the primary purpose is to allow the user to select a
> certificate other than the one associated with the currently logged
> in windows user. This makes perfect sense.

no, i'm sorry it doesn't :) i can take a certificate of "lars" and use 
the name "artur", windows has no problem with it whichsoever. 
additionally, one user can have a plenty of certificates which are all 
usable under the same login as long as he knows the private key 
password. under windows you can indeed choose the certificate, too, but 
in some other place...


> The option to specify an EAP identity other than the one that
> corresponds to the certificate only seems to makes sense in some
> environments, for instance if you assume that all clients with valid
> certificates are implicitly authorized.

usually, since you know the private key, you are good or at least you 
can be supposed to be the owner of that certificate.

basically, Lars, of course you are right :) we have to be aware that the 
proven identity is the certified identity. so, the proving server is the 
only one which can map this to whichever User-Name in a secure way. i.e. 
all the clients on the way UP should blindly copy and the proving server 
only can modify on the DOWNlink, if it thinks that it's ok.

the only point are the realms and all this stuff.

e.g. in my environment here, i use a common PKI between two 
universities. so basically, i can let verify my cert both at the local 
radius server and at the remote radius server. when i use an identity 
from the remote university, i can use the local server too. but, i can 
add @remote_univ in the windows XP window and the request will be 
proxied. that's a nice feature to have... we currently use "normal" 
certificates, i.e. we certify the Full Names and include the mail 
addresses, too. in that way, the domain name is included but Windows 
uses the Name part, not the email part (for what i've seen till now).


>> an example: when you are certifying users in your closed domain,
>> you could have certified users like "lars", "artur", etc., why not,
>> it's your domain, so you don't care.

> Using such names in the certificates is obviously a bad idea :-)

s. above. it's true, that's a big problem in the certification anyway or 
 more generally in the security: which is the concerned identity? i bet 
that the user@realm isn't the best for the most applications. that's the 
problem. and nobody can afford three parallel PKIs today (the most 
people can't afford a stand-alone one...)


> If the realm is stripped away, wouldn't this work just fine as long
> as you just verify the User-Name against the certificate and ignore
> the EAP identity?

e.g., but then you propose to not verify the equality of all THREE fields.


> I guess that would work at least for the scenario you described
> above. An alternative would be to by default require that the
> User-Name matches exactly, but allow the server configuration to
> instead specify an external program/script to do the comparison. That
> way you can handle all kind of weird cases but it is up to the server
> administrator to specify the exact rules for equality.

ouch, no external scripts :) but that's a nice idea to let the admin 
specify the equality rule and the included attributes (if he takes in 
consideration User-Name, eap-id and the cert or just two of those, 
etc.). I can perfectly live with it.


ciao

artur



--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr		  Département Informatique et Réseaux
+33 1 45 81 7507		46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: eap_identity or username attribute? (to Artur and lars)

[Lars Viklund]

> From: Artur Hecker [mailto:[EMAIL PROTECTED]]
> Sent: den 20 november 2002 17:15
> To: [EMAIL PROTECTED]
> Subject: Re: eap_identity or username attribute? (to Artur and lars)

> i agree with that too, but why does this box exist in Windows then? i
> personally tend to think (and so I used it in that way some 
> times during 
> the test phase), that it exists in order to add a realm to the name.

I think the primary purpose is to allow the user to select a certificate other than 
the one associated with the currently logged in windows user. This makes perfect 
sense. 

The option to specify an EAP identity other than the one that corresponds to the 
certificate only seems to makes sense in some environments, for instance if you assume 
that all clients with valid certificates are implicitly authorized.

> an example: when you are certifying users in your closed domain, you
> could have certified users like "lars", "artur", etc., why not, it's 
> your domain, so you don't care.

Using such names in the certificates is obviously a bad idea :-)

> then, one day, you expand and your
> domain gets a second part, with a complete another 
> architecture. so, you 
> would like the radius server in the second part simply forward the 
> request to the original domain, right? (you bet that 
> re-certification is 
> NOT wanted). so with the current approach, you simply type in windows 
> XP: use another name for this connection: windows proposes 
> "artur", you 
> add "@old_site" or something similiar and here we go, the 
> radius server 
> forwards to the old site and everything works (with the new server 
> stripping the realm away, e.g. or having reconfigured the server at 
> old_site).
> 
> if you verify that, then you have a problem. it won't work.

If the realm is stripped away, wouldn't this work just fine as long as you just verify 
the User-Name against the certificate and ignore the EAP identity?

> i would tend to think, that the certificate has to be seen as the
> authentication method and the only reliable information. now 
> of course 

Yes.

> you are right that is has to be bound to the User-Name, since the
> authorization happens with that one later... 

Yes.

> perhaps we have
> to define 
> rules for equality of User-Name and the certified identity. one 
> reasonable way for equality would be to take into consideration the 
> defined realms and suffixes in the radius.conf (proxy.conf).

Maybe.

> i.e., if e.g. in the radius.conf you've defined a suffix "@", and a
> realm "old_site1", then freeradius should consider the 
> certified "kevin" 
> and the User-Name "kevin@old_site1" as being the same, except 
> of course 
> it knows "kevin" locally. just an idea, which probably has bugs.
> 
> what do you think?

I guess that would work at least for the scenario you described above. An alternative 
would be to by default require that the User-Name matches exactly, but allow the 
server configuration to instead specify an external program/script to do the 
comparison. That way you can handle all kind of weird cases but it is up to the server 
administrator to specify the exact rules for equality.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eap_identity or username attribute? (to Artur and lars)

[Artur Hecker]

hi Lars

> What wierd way are you refering to? Is it the "Use a different user
> name for the connection" check box you are talking about or something
> else?

yes, exactly.


>> so we probably shouldn't verify that...
>
>
> But if you don't verify that the User-Name (or EAP identity, if you
> have already verified that the User-Name and EAP identity is the
> same) corresponds to the certificate then any authorization or
> accounting is basically meaningless.

i agree with that too, but why does this box exist in Windows then? i 
personally tend to think (and so I used it in that way some times during 
the test phase), that it exists in order to add a realm to the name.

an example: when you are certifying users in your closed domain, you 
could have certified users like "lars", "artur", etc., why not, it's 
your domain, so you don't care. then, one day, you expand and your 
domain gets a second part, with a complete another architecture. so, you 
would like the radius server in the second part simply forward the 
request to the original domain, right? (you bet that re-certification is 
NOT wanted). so with the current approach, you simply type in windows 
XP: use another name for this connection: windows proposes "artur", you 
add "@old_site" or something similiar and here we go, the radius server 
forwards to the old site and everything works (with the new server 
stripping the realm away, e.g. or having reconfigured the server at 
old_site).

if you verify that, then you have a problem. it won't work.

i would tend to think, that the certificate has to be seen as the 
authentication method and the only reliable information. now of course 
you are right that is has to be bound to the User-Name, since the 
authorization happens with that one later... perhaps we have to define 
rules for equality of User-Name and the certified identity. one 
reasonable way for equality would be to take into consideration the 
defined realms and suffixes in the radius.conf (proxy.conf).

i.e., if e.g. in the radius.conf you've defined a suffix "@", and a 
realm "old_site1", then freeradius should consider the certified "kevin" 
and the User-Name "kevin@old_site1" as being the same, except of course 
it knows "kevin" locally. just an idea, which probably has bugs.

what do you think?


ciao

artur




--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr		  Département Informatique et Réseaux
+33 1 45 81 7507		46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: eap_identity or username attribute? (to Artur and lars)

[Lars Viklund]

> From: Artur Hecker [mailto:[EMAIL PROTECTED]] 
> Sent: den 20 november 2002 14:51
> To: [EMAIL PROTECTED]
> Subject: Re: eap_identity or username attribute? (to Artur and lars)

> so you want the rlm_eap_tls to check if eap_id = certified identity, 
> right? sounds very reasonable for me, but in some weird way, 
> Windows XP 
> gives the possibility to use a certificate and explicitely 
> type in some 
> name which has to be put in eap_identity then.

What wierd way are you refering to? Is it the "Use a different user name for the 
connection" check box you are talking about or something else?

> so we probably shouldn't verify that...

But if you don't verify that the User-Name (or EAP identity, if you have already 
verified that the User-Name and EAP identity is the same) corresponds to the 
certificate then any authorization or accounting is basically meaningless.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eap_identity or username attribute? (to Artur and lars)

[Artur Hecker]

:)

Lars Viklund wrote:
> Promise that it "must" is a bit strong :-) However, I would say that
> a NAS that doesn't do this is broken.

so, you are stating the same :)) well, i would say, the first Radius 
client MUST do so, because otherwise what could it probably put inside 
of User-Name and why?


>> i believe it, too. i just have some doubts in the situation
>> mentioned in my previous mail. i could be wrong, though :) but you
>> still should prove it.
>
> Yes, but note that just adding this check will not close the hole we
> discussed previously since the rlm_eap_tls module currently doesn't
> seem to check the EAP identity.

so you want the rlm_eap_tls to check if eap_id = certified identity, 
right? sounds very reasonable for me, but in some weird way, Windows XP 
gives the possibility to use a certificate and explicitely type in some 
name which has to be put in eap_identity then.

so we probably shouldn't verify that...


ciao
artur


--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr		  Département Informatique et Réseaux
+33 1 45 81 7507		46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: eap_identity or username attribute? (to Artur and lars)

[Lars Viklund]

> From: Artur Hecker [mailto:[EMAIL PROTECTED]] 

> James Xie wrote:
> > Hi, Can I say both of you premise that NAS(radius client) must set 
> > User-Name value to eap-id? I see in FreeRadius that the username to
> 
> i can't speak for Lars, but i would say yes, that's what is 
> dictated by the standard. the ap must set the User-Name to 
> eap-id since it is the first instance to create a Radius 
> packet. all packets before are NOT radius.

Promise that it "must" is a bit strong :-) However, I would say that a NAS that 
doesn't do this is broken.

> > used authorize is set to User-Name attibute value. If 
> User-Name value 
> > is null then eap-id is set to it. Now if NAS sends a packet to 
> > FreeRadius whose User-Name attibute is not same as eap-id, 
> then there 
> > will be a logic bug. So I beleive that it make sense to let rlm_eap 
> > module to check consistency between User-Name and eap-id.
> 
> i believe it, too. i just have some doubts in the situation 
> mentioned in my previous mail. i could be wrong, though :) 
> but you still should prove it.

Yes, but note that just adding this check will not close the hole we discussed 
previously since the rlm_eap_tls module currently doesn't seem to check the EAP 
identity.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eap_identity or username attribute? (to Artur and lars)

[Artur Hecker]

James Xie wrote:
> Hi, Can I say both of you premise that NAS(radius client) must set
> User-Name value to eap-id? I see in FreeRadius that the username to

i can't speak for Lars, but i would say yes, that's what is dictated by
the standard. the ap must set the User-Name to eap-id since it is the
first instance to create a Radius packet. all packets before are NOT radius.


> used authorize is set to User-Name attibute value. If User-Name value
> is null then eap-id is set to it. Now if NAS sends a packet to
> FreeRadius whose User-Name attibute is not same as eap-id, then there
> will be a logic bug. So I beleive that it make sense to let rlm_eap
> module to check consistency between User-Name and eap-id.

i believe it, too. i just have some doubts in the situation mentioned in
my previous mail. i could be wrong, though :) but you still should prove it.


ciao
artur




-- 
Artur Hecker Groupe Acc¨¨s et Mobilit¨¦
hecker[at]enst[dot]fr D¨¦partement Informatique et R¨¦seaux
+33 1 45 81 750746, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr  ENST Paris


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: eap_identity or username attribute?

[Lars Viklund]

> From: Artur Hecker [mailto:[EMAIL PROTECTED]] 
> Sent: den 19 november 2002 20:27
> To: [EMAIL PROTECTED]
> Subject: Re: eap_identity or username attribute?

> i only wanted to say, that the certified identity could be e.g. 
> [EMAIL PROTECTED] so, the eap-id would carry [EMAIL PROTECTED] each AP 
> should basically put this value into User-Name, so it would be 
> [EMAIL PROTECTED] again. We could verify that for both 
> authentication and 
> authorization the three fields are the same, certificate = eap-id = 
> User-Name.

Right. I don't think it is standardized how to check that the identity/user-name 
corresponds to the certificate, so one would probably just base the check on what Win 
XP does.
 
> now the server receiving the request from the AP happens to be in 
> visited.com. so it has to proxy the request to the home.com radius 
> server. it could happen, that home.com (being some huge ISP) 
> demands a 
> stripped user-name, i.e. simply kevin. so the server at visited.com 
> would strip it, but in the User-Name only, since the 
> EAP-Message is not 
> considered when proxying. Now home.com, when running 
> freeradius, would 
> state that the three attributes mentioned before are *not* 
> the same and 
> would reject, right? or did i misget your point?

I see your point, but I just don't think it makes sense to demand a stripped User-Name 
when using certificates for authentication.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eap_identity or username attribute? (to Artur and lars)

[James Xie]

Hi,
Can I say both of you premise that NAS(radius client) must set User-Name value to 
eap-id? I see in FreeRadius that the username to used authorize is set to User-Name 
attibute value. If User-Name value is null then eap-id is set to it. Now if NAS sends 
a packet to FreeRadius whose User-Name attibute is not same as eap-id, then there will 
be a logic bug. So I beleive that it make sense to let rlm_eap module to check 
consistency between User-Name and eap-id.

.+-Šwèþ˛±ÊâmïîžË›±Êâmäžzm§ÿðÃëyêÚv+¬¢¸?–+-þë®Èmš

Re: eap_identity or username attribute?

[Artur Hecker]

to the original question: the two fields should be the same, that's now
verified.

to Lars:

since the draft and the standard basically state the same, let's refer
to the standard :) but that's not the point...

i only wanted to say, that the certified identity could be e.g. 
[EMAIL PROTECTED] so, the eap-id would carry [EMAIL PROTECTED] each AP 
should basically put this value into User-Name, so it would be 
[EMAIL PROTECTED] again. We could verify that for both authentication and 
authorization the three fields are the same, certificate = eap-id = 
User-Name.

now the server receiving the request from the AP happens to be in 
visited.com. so it has to proxy the request to the home.com radius 
server. it could happen, that home.com (being some huge ISP) demands a 
stripped user-name, i.e. simply kevin. so the server at visited.com 
would strip it, but in the User-Name only, since the EAP-Message is not 
considered when proxying. Now home.com, when running freeradius, would 
state that the three attributes mentioned before are *not* the same and 
would reject, right? or did i misget your point?

well, i see, that there are work-arounds for it (do not use stripping 
:)). perhaps one could find better examples, i don't know.

what i'm saying is that we should be sure about demanding this equality. 
 as already said, otherwise, i would agree with everything you said, 
especially that there is no point in those three being completely 
different. the problem is only the realm part (is kevin = 
[EMAIL PROTECTED]?), perhaps.


> I don't really think it makes sense to use EAP-TLS with Service-Type
> = Call Check, so I'm not sure this is a problem.

that i don't know, i'm not using that. if you are sure about this point, 
ok, let's forget this one.


> I don't think there are any contradictions between Std 802.1X and the
> congdon ID.

one more point for the standard, right? :-)


ciao

artur


--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr		  Département Informatique et Réseaux
+33 1 45 81 7507		46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: eap_identity or username attribute?

[Lars Viklund]

> From: Artur Hecker [mailto:[EMAIL PROTECTED]] 
> Sent: den 19 november 2002 18:49
> To: [EMAIL PROTECTED]
> Subject: Re: eap_identity or username attribute?
> 
> 
> Lars,
> 
> in the IEEE Std 802.1X-2001 there is the following:
> 
> 
> D.3.1 User-Name
> In  IEEE  Std  802.1X-2001,  the  supplicant  typically  
> provides  its 
> identity  via  an  EAP-Response/Identity message. Where 
> available, the 
> supplicant identity is included in the User-Name attribute 
> and included 
> in the RADIUS Access-Request and Access-Reply messages as 
> specified in 
> IETF RFC 2865.
> Alternatively, where Service-Type = Call Check, the User-Name 
> attribute 
> contains the Calling-Station-ID value, which is set to the Supplicant 
> MAC address.

This is basically the same text as in the congdon ID.
 
> > I think the critical point is that the rlm_eap_tls module should 
> > verify that the User-Name, that is used for authorization, 
> corresponds 
> > to the client certificate used for authentication. It looks like it 
> > doesn't do this currently.
> 
> spontaneously, i would agree with that but we should 
> definitely verify 
> it for the case of proxying. Notably the stripping of realms could 
> provoke enormous problems here, don't you think? (since the realms 
> syntax is completely free, this includes every modification 
> of User-Name 
> whatsoever).

I'm not quite sure I understand what the problem is. I would say that the rlm_eap_tls 
module has to check that the User-Name/EAP-Identity corresponds to the client 
certificate (this is a SHOULD in RFC 2716). Otherwise there is little point in 
authorizing at all.

> additionally, the "Alternatively" part of the citation 
> above could 
> be a problem, too.

I don't really think it makes sense to use EAP-TLS with Service-Type = Call Check, so 
I'm not sure this is a problem.
 
> nothing to do with the topic, but since everybody is talking 
> about this 
> draft: after all it's still a draft, and perhaps it will 
> never become an 
> RFC, what do you think?
> 
> we have to follow the 802.1X norm. and also here i have some doubts 
> about the proxying.

I don't think there are any contradictions between Std 802.1X and the congdon ID.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eap_identity or username attribute?

[Artur Hecker]

Lars,

in the IEEE Std 802.1X-2001 there is the following:


D.3.1 User-Name
In  IEEE  Std  802.1X-2001,  the  supplicant  typically  provides  its 
identity  via  an  EAP-Response/Identity message. Where available, the 
supplicant identity is included in the User-Name attribute and included 
in the RADIUS Access-Request and Access-Reply messages as specified in 
IETF RFC 2865.
Alternatively, where Service-Type = Call Check, the User-Name attribute 
contains the Calling-Station-ID value, which is set to the Supplicant 
MAC address.


I think the critical point is that the rlm_eap_tls module should verify
that the User-Name, that is used for authorization, corresponds to the 
client certificate used for authentication. It looks like it doesn't do 
this currently.

spontaneously, i would agree with that but we should definitely verify 
it for the case of proxying. Notably the stripping of realms could 
provoke enormous problems here, don't you think? (since the realms 
syntax is completely free, this includes every modification of User-Name 
whatsoever).

additionally, the "Alternatively" part of the citation above could 
be a problem, too.


The congdon ID specifies that the User-Name should be the EAP identity.
It would perhaps make sense to have the rlm_eap module verify that the 
User-Name matches the EAP identity also, although this isn't critical 
unless the rlm_eap_tls module matches the identity, rather than the 
User-Name, against the certificate.

nothing to do with the topic, but since everybody is talking about this 
draft: after all it's still a draft, and perhaps it will never become an 
RFC, what do you think?

we have to follow the 802.1X norm. and also here i have some doubts 
about the proxying.


ciao
artur



--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr		  Département Informatique et Réseaux
+33 1 45 81 7507		46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: eap_identity or username attribute?

[Lars Viklund]

> From: Artur Hecker [mailto:[EMAIL PROTECTED]] 
> Sent: den 19 november 2002 16:37
> To: [EMAIL PROTECTED]
> Subject: Re: eap_identity or username attribute?
> 
> 
> shouldn't those two be always set to the same? i can't 
> remember, but i think that i read something like this in the 
> "Usage of RADIUS with IEEE 802.1X" recommendations once...
> 
> try to take a look.
> 
> 
> James Xie wrote:
> > HI,
> > I am debuging EAP-TLS module. Who can tell me FreeRadius should use 
> > which value(eap_identity and username attribute of radius 
> packet) to 
> > authorize the supplicant? Now I am using rlm_sql module to 
> authorize 
> > the supplicant. Must I set username in database to eap_identity? If 
> > not, is there a safe hole? Thanks!

I think the critical point is that the rlm_eap_tls module should verify
that the User-Name, that is used for authorization, corresponds to the 
client certificate used for authentication. It looks like it doesn't do 
this currently.

The congdon ID specifies that the User-Name should be the EAP identity.
It would perhaps make sense to have the rlm_eap module verify that the 
User-Name matches the EAP identity also, although this isn't critical 
unless the rlm_eap_tls module matches the identity, rather than the 
User-Name, against the certificate.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eap_identity or username attribute?

[Artur Hecker]

shouldn't those two be always set to the same? i can't remember, but i
think that i read something like this in the "Usage of RADIUS with IEEE
802.1X" recommendations once...

try to take a look.


James Xie wrote:
> HI,
> I am debuging EAP-TLS module. Who can tell me FreeRadius should use which 
>value(eap_identity and username attribute of radius packet) to authorize the 
>supplicant? Now I am
> using rlm_sql module to authorize the supplicant. Must I set username in database to 
>eap_identity? If not, is there a safe hole? Thanks! 


-- 
Artur Hecker Groupe Acc¨¨s et Mobilit¨¦
hecker[at]enst[dot]fr D¨¦partement Informatique et R¨¦seaux
+33 1 45 81 750746, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr  ENST Paris


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

eap_identity or username attribute?

[James Xie]

HI,
I am debuging EAP-TLS module. Who can tell me FreeRadius should use which 
value(eap_identity and username attribute of radius packet) to authorize the 
supplicant? Now I am
using rlm_sql module to authorize the supplicant. Must I set username in database to 
eap_identity? If not, is there a safe hole? Thanks! 

â²Ø§~ì¹»®&Þþéì¹»®&ÞI硶Úÿ0~·ž­§bºÊ+ƒùb²ßî±êì†Ù¥