Re: [radext] Basic question about user-name attribute

Stefan Winter <stefan.winter@restena.lu> Mon, 12 November 2018 12:20 UTC

To: Alan DeKok <aland@deployingradius.com>, Fadi Bushnaq <zardoss@gmail.com>
Cc: radext@ietf.org
References: <CALSGxMPXsNXWOS8V+GHVg7h-QR0NausRczdHV_T-bDUu-TKukA@mail.gmail.com> <AF579236-EAFC-4151-9C59-F246761916BA@deployingradius.com>
From: Stefan Winter <stefan.winter@restena.lu>
Organization: RESTENA
Message-ID: <e47b75fc-a526-edb6-e2dc-01dda00220df@restena.lu>
Date: Mon, 12 Nov 2018 13:19:55 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/7XBQ-Pn1zmhcfz9ByLehWPmRJfQ>

Hello,
>   I suspect that the intention was for the values to be identical.  Since the RFC doesn't say that, they're allowed to be different.
>
>   In practice, people do send Access-Accepts where the User-Name is different than the one in the Access-Request.
This is especially relevant for EAP authentications. The User-Name in
the request could be an identifier supporting identity privacy
("anonymous@realm", "@realm", etc.), while the actual username inside
the EAP method is different from that.
It sometimes happens that RADIUS administrators are rude to their users
in that they send back the actual username in the Accept while the user
was trying to maintain his privacy when connecting.
From what I've seen in the field, this is sometimes used in interplay
with Accounting-Request: if the session that was being authenticated
contains a User-Name in the Accept, that User-Name is sometimes used as
the User-Name for subsequent Accounting-Requests for the same session.
Nothing in the RFCs forbids either of these practices.
Greetings,
Stefan Winter
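The two behaviours the message describes (an Access-Accept that echoes back the real inner identity although the Access-Request carried a privacy-preserving outer identity, and the Accept's User-Name being reused for the session's Accounting-Requests) can be checked mechanically. Below is an added example, not code from the thread or from any RADIUS server; it models packets as plain dicts of attribute name to value (an assumption made for brevity; a real server would decode the RFC 2865 attribute TLVs) and treats "anonymous@realm" and "@realm" as the identity-privacy forms the message mentions.

```python
# Added example: audit User-Name handling between RADIUS Access-Request,
# Access-Accept and the Accounting-Requests of the same session.
# Packets are modelled as dicts {attribute name: value} (assumption for
# this example; not a real RADIUS codec).

def split_nai(user_name):
    """Split a Network Access Identifier into (local part, realm).
    A bare username without '@' yields an empty realm."""
    local, sep, realm = user_name.partition("@")
    return (local, realm) if sep else (user_name, "")


def is_privacy_preserving(user_name):
    """True for outer identities that intentionally hide the user:
    an empty local part ("@realm") or the conventional "anonymous"."""
    local, _realm = split_nai(user_name)
    return local == "" or local.lower() == "anonymous"


def accept_reveals_identity(request, accept):
    """Return True when the Request used a privacy-preserving User-Name
    but the Accept carries a different User-Name with a real local part,
    i.e. the server undid the privacy the user asked for.
    Returns False when either packet lacks User-Name."""
    req_name = request.get("User-Name")
    acc_name = accept.get("User-Name")
    if req_name is None or acc_name is None:
        return False
    if not is_privacy_preserving(req_name):
        return False  # nothing was being hidden, so nothing is revealed
    return acc_name != req_name and not is_privacy_preserving(acc_name)


def accounting_user_name(request, accept):
    """User-Name to place in this session's Accounting-Requests, following
    the field practice described in the message: prefer the Accept's
    value, fall back to the Request's when the Accept has none."""
    return accept.get("User-Name", request.get("User-Name"))


def audit(sessions):
    """Run the check over (label, request, accept) triples and return the
    labels of sessions whose Accept reveals the hidden identity."""
    return [label for label, req, acc in sessions
            if accept_reveals_identity(req, acc)]


# Constructed sample sessions (not captured traffic).
SESSIONS = [
    # Privacy-preserving outer identity; Accept sends back the inner one.
    ("s1", {"User-Name": "anonymous@example.org"},
           {"User-Name": "alice@example.org"}),
    # "@realm" form; Accept echoes the same value, so nothing leaks.
    ("s2", {"User-Name": "@example.org"},
           {"User-Name": "@example.org"}),
    # No privacy intent in the Request; a changed name is not a leak here.
    ("s3", {"User-Name": "bob@example.org"},
           {"User-Name": "bob.smith@example.org"}),
    # Accept carries no User-Name; accounting falls back to the Request's.
    ("s4", {"User-Name": "anonymous@example.org"},
           {}),
]

if __name__ == "__main__":
    print("Accepts revealing a hidden identity:", audit(SESSIONS))
    for label, req, acc in SESSIONS:
        print(label, "accounting User-Name ->", accounting_user_name(req, acc))
```

Running the audit over the constructed sessions flags only `s1`; `s4` shows the fallback to the Request's User-Name when the Accept carries none.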