Re: [radext] Basic question about user-name attribute
Alan DeKok <aland@deployingradius.com> Mon, 12 November 2018 12:30 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6019E130E14 for <radext@ietfa.amsl.com>; Mon, 12 Nov 2018 04:30:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MWJncgopRloI for <radext@ietfa.amsl.com>; Mon, 12 Nov 2018 04:30:54 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id DB6CB130E0E for <radext@ietf.org>; Mon, 12 Nov 2018 04:30:53 -0800 (PST)
Received: from [192.168.46.58] (198-84-237-221.cpe.teksavvy.com [198.84.237.221]) by mail.networkradius.com (Postfix) with ESMTPSA id D0A6F4BD; Mon, 12 Nov 2018 12:30:52 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.0 \(3445.100.39\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <e47b75fc-a526-edb6-e2dc-01dda00220df@restena.lu>
Date: Mon, 12 Nov 2018 07:30:51 -0500
Cc: Fadi Bushnaq <zardoss@gmail.com>, radext@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <95F65DC7-9CED-4899-B97F-C6FCD248A454@deployingradius.com>
References: <CALSGxMPXsNXWOS8V+GHVg7h-QR0NausRczdHV_T-bDUu-TKukA@mail.gmail.com> <AF579236-EAFC-4151-9C59-F246761916BA@deployingradius.com> <e47b75fc-a526-edb6-e2dc-01dda00220df@restena.lu>
To: Winter Stefan <stefan.winter@restena.lu>
X-Mailer: Apple Mail (2.3445.100.39)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/IgSYrJO18SJ07JhE0ZPt4wUYZHg>
Subject: Re: [radext] Basic question about user-name attribute
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Nov 2018 12:30:56 -0000
On Nov 12, 2018, at 7:19 AM, Stefan Winter <stefan.winter@restena.lu> wrote: > It sometimes happens that RADIUS administrators are rude to their users > in that they send back the actual username in the Accept while the user > was trying to maintain his privacy when connecting. That happens a lot, unfortunately. The reality is that it's just too useful in most situations to have a "real" name for the users session. The Chargeable-User-Identifier was created to address that issue. But most NASes don't support it. >> From what I've seen in the field, this is sometimes used in interplay > with Accounting-Request: if the session that was being authenticated > contains a User-Name in the Accept, that User-Name is sometimes used as > the User-Name for subsequent Accounting-Requests for the same session. That is the behaviour suggested by RFC 2865 Section 5.1, about User-Name It MAY be sent in an Access-Accept packet, in which case the client SHOULD use the name returned in the Access-Accept packet in all Accounting-Request packets for this session. Without that practice, EAP would have users log in with anonymized User-Names, and then all of the Accounting-Request packets would contain the same anonymized User-Name. Since most wireless NASes set "NAS-Port = 0", it becomes difficult to distinguish user sessions from one another. In hindsight, what RADIUS *should* have supported was the ability for the server to send an Acct-Session-Id in the Access-Accept. The NAS could then use that in subsequent accounting packets. Anonymity would be preserved, *and* servers wouldn't have to deal with broken NASes that re-use Acct-Session-Id after a reboot. I suppose a similar approach could be taken with the User-Name attribute. But doing so would take not changing not only the server software, but changing databases and business practices by the administrators. That's a difficult proposition. > Nothing in the RFCs forbids either of these practices. The text in RFC 2865 *could* be interpreted to mean that the User-Name in Access-Accept can be anything. i.e. unrelated to the User-Name in the Access-Request. Alan DeKok.
- [radext] Basic question about user-name attribute Fadi Bushnaq
- Re: [radext] Basic question about user-name attri… Alan DeKok
- Re: [radext] Basic question about user-name attri… Stefan Winter
- Re: [radext] Basic question about user-name attri… Alan DeKok