hi
>>> If the realm is stripped away, wouldn't this work just fine as long
>>> as you just verify the User-Name against the certificate and ignore
>>> the EAP identity?
>>
>> e.g., but then you propose to not verify the equality of all THREE fields.
>
>
> Yes. As we have discussed the importan
> From: Artur Hecker [mailto:[EMAIL PROTECTED]]
> Sent: den 20 november 2002 19:16
> To: [EMAIL PROTECTED]
> Subject: Re: eap_identity or username attribute? (to Artur and lars)
> > If the realm is stripped away, wouldn't this work just fine as long
> > as
hi Lars
> I think the primary purpose is to allow the user to select a
> certificate other than the one associated with the currently logged
> in windows user. This makes perfect sense.
no, i'm sorry it doesn't :) i can take a certificate of "lars" and use
the name "artur", windows has no probl
> From: Artur Hecker [mailto:[EMAIL PROTECTED]]
> Sent: den 20 november 2002 17:15
> To: [EMAIL PROTECTED]
> Subject: Re: eap_identity or username attribute? (to Artur and lars)
> i agree with that too, but why does this box exist in Windows then? i
> personally tend to think
hi Lars
> What weird way are you referring to? Is it the "Use a different user
> name for the connection" check box you are talking about or something
> else?
yes, exactly.
>> so we probably shouldn't verify that...
>
>
> But if you don't verify that the User-Name (or EAP identity, if you
> have
> From: Artur Hecker [mailto:[EMAIL PROTECTED]]
> Sent: den 20 november 2002 14:51
> To: [EMAIL PROTECTED]
> Subject: Re: eap_identity or username attribute? (to Artur and lars)
> so you want the rlm_eap_tls to check if eap_id = certified identity,
> right? sounds very reas
:)
Lars Viklund wrote:
> Promise that it "must" is a bit strong :-) However, I would say that
> a NAS that doesn't do this is broken.
so, you are stating the same :)) well, i would say, the first Radius
client MUST do so, because otherwise what could it probably put inside
of User-Name and why?
> From: Artur Hecker [mailto:[EMAIL PROTECTED]]
> James Xie wrote:
> > Hi, Can I say both of you premise that NAS(radius client) must set
> > User-Name value to eap-id? I see in FreeRadius that the username to
>
> i can't speak for Lars, but i would say yes, that's what is
> dictated by the s
James Xie wrote:
> Hi, Can I say both of you premise that NAS(radius client) must set
> User-Name value to eap-id? I see in FreeRadius that the username to
i can't speak for Lars, but i would say yes, that's what is dictated by
the standard. the ap must set the User-Name to eap-id since it is th
> From: Artur Hecker [mailto:[EMAIL PROTECTED]]
> Sent: den 19 november 2002 20:27
> To: [EMAIL PROTECTED]
> Subject: Re: eap_identity or username attribute?
> i only wanted to say, that the certified identity could be e.g.
> [EMAIL PROTECTED] so, the eap-id would carry [EMA
Hi,
Can I say both of you premise that NAS(radius client) must set User-Name value to
eap-id? I see in FreeRadius that the username used to authorize is set to User-Name
attribute value. If User-Name value is null then eap-id is set to it. Now if NAS sends
a packet to FreeRadius whose User-Name
to the original question: the two fields should be the same, that's now
verified.
to Lars:
since the draft and the standard basically state the same, let's refer
to the standard :) but that's not the point...
i only wanted to say, that the certified identity could be e.g.
[EMAIL PROTECTED] so,
> From: Artur Hecker [mailto:[EMAIL PROTECTED]]
> Sent: den 19 november 2002 18:49
> To: [EMAIL PROTECTED]
> Subject: Re: eap_identity or username attribute?
>
>
> Lars,
>
> in the IEEE Std 802.1X-2001 there is the following:
>
>
> D.3.1 User-Nam
Lars,
in the IEEE Std 802.1X-2001 there is the following:
D.3.1 User-Name
In IEEE Std 802.1X-2001, the supplicant typically provides its
identity via an EAP-Response/Identity message. Where available, the
supplicant identity is included in the User-Name attribute and included
in th
> From: Artur Hecker [mailto:[EMAIL PROTECTED]]
> Sent: den 19 november 2002 16:37
> To: [EMAIL PROTECTED]
> Subject: Re: eap_identity or username attribute?
>
>
> shouldn't those two be always set to the same? i can't
> remember, but i think that i read so
shouldn't those two be always set to the same? i can't remember, but i
think that i read something like this in the "Usage of RADIUS with IEEE
802.1X" recommendations once...
try to take a look.
James Xie wrote:
> HI,
> I am debugging EAP-TLS module. Who can tell me FreeRadius should use which
>