IETF Logo Mail Archive

Re: [radext] Review of draft-winter-radext-populating-eapidentity-01

Alan DeKok <aland@deployingradius.com> Fri, 24 July 2015 10:51 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2A9A1A8AC0 for <radext@ietfa.amsl.com>; Fri, 24 Jul 2015 03:51:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hEUm2q0A2Ybl for <radext@ietfa.amsl.com>; Fri, 24 Jul 2015 03:51:35 -0700 (PDT)
Received: from power.freeradius.org (power.freeradius.org [195.154.231.44]) by ietfa.amsl.com (Postfix) with ESMTP id 5866A1A8AB6 for <radext@ietf.org>; Fri, 24 Jul 2015 03:51:35 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id 3DB1422404A2; Fri, 24 Jul 2015 12:51:04 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uJt1vqK7J-0a; Fri, 24 Jul 2015 12:51:03 +0200 (CEST)
Received: from [192.168.2.14] (bas1-ottawa11-1176122299.dsl.bell.ca [70.26.51.187]) by power.freeradius.org (Postfix) with ESMTPSA id 92C842240203; Fri, 24 Jul 2015 12:51:02 +0200 (CEST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <tsl615czgxp.fsf@mit.edu>
Date: Fri, 24 Jul 2015 06:51:10 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <DCD31EEF-6AA0-431F-9F6E-0F6348C1D0C5@deployingradius.com>
References: <11856_1427820628_551AD054_11856_4576_1_6B7134B31289DC4FAF731D844122B36EEF6888@PEXCVZYM13.corporate.adroot.infra.ftgroup> <tsllhid84gm.fsf@mit.edu> <BLU181-W6B49664DD504DDAF5CC9F93F40@phx.gbl> <30317_1427824394_551ADF0A_30317_14370_1_6B7134B31289DC4FAF731D844122B36EEF74CD@PEXCVZYM13.corporate.adroot.infra.ftgroup> <BLU181-W86B005505E6468F75180593F40@phx.gbl> <tsl4mp182ku.fsf@mit.edu> <BA6CBD09-148F-4F8C-9B81-8A4A88B64287@deployingradius.com> <BLU406-EAS343D630A63D85F897C0EC8793F40@phx.gbl> <14078_1427880628_551BBAB4_14078_5155_1_6B7134B31289DC4FAF731D844122B36EF0B91F@PEXCVZYM13.corporate.adroot.infra.ftgroup> <190D3355-0BB7-48D5-BEA2-55773E9BD785@deployingradius.com> <24001_1437383629_55ACBBCD_24001_3716_1_6B7134B31289DC4FAF731D844122B36E01CC9ED3@OPEXCLILM43.corporate.adroot.infra.ftgroup> <BLU181-W94C6FC52C2E3CD666F631A93850@phx.gbl> <55AE9EDF.9000105@restena.lu> <BLU406-EAS346AF21C878460C2F9BC0F93840@phx.gbl> <tsl615czgxp.fsf@mit.edu>
To: Sam Hartman <hartmans@painless-security.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/radext/uJXi9QWNIj-Q0GrgYsaISFrEojo>
Cc: Aboba Bernard <bernard_aboba@hotmail.com>, Winter Stefan <stefan.winter@restena.lu>, "radext@ietf.org" <radext@ietf.org>
Subject: Re: [radext] Review of draft-winter-radext-populating-eapidentity-01
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jul 2015 10:51:38 -0000

  Sam and I had extensive conversations about it this week.  I think his summary below is critical to get everyone talking about the same thing.

  We also need to discuss where these identities are derived from.  For example, wpa_supplicant allows you to configure the outer identity, and the inner identity, though it gives them different names.  I can't see where the method-specific identify is configured.

  From looking at the code, the method-specific identity is just a copy of the inner identity.

  This process is different in windows.  The inner and outer identities can be configured via the 802.1X GUI.  The method-specific identify cannot be configured.  And it is NOT the same as the inner identity.  Instead, some (essentially magic) process is used to transform one into the other.  In typical cases, the inner identity "user@example.com" gets transformed to an EAP-MSCHAPv2 identity "EXAMPLE\user".

  I would suggest that such processes should be discouraged.  It is difficult enough to analyze the security of EAP without introducing 3 potentially unrelated identities.

  What does it mean when the inner identity is "user@example.com", and the method identity is "CORP/bob"  ?  Who is being authenticated here?

  I don't think anyone knows.

  In the case of Windows, it would be good for an EAP server to check via an API that "user@example.com" gets transformed to "EXAMPLE\user".  The server can then verify that the method identity, while opaque, is transformationally equivalent to the inner identity.  This verification would likely prevent some attacks.

On Jul 22, 2015, at 5:21 AM, Sam Hartman <hartmans@painless-security.com> wrote:
> ONe thing to clarify in this document is which identities are we talking
> about.  There are:
> 
> * The outer identity carried in an EAP response in RADIUS/Diameter.  I
>  know we're talking about that one.  That's the primary point of the
>  document.
> 
> * The Inner identity (if you have a tunnel method) often carried in an
>  EAP response/identity in the tunnel.  You could argue this one is
>  either in or out of scope.  You could argue this is an internal
>  identifier of the tunnel method.
> 
> * The method specific identifier of the EAP method within the tunnel.
>  In case of password authentication in something like TEAP this
>  identity may be carried and the classic inner identity may not.  I
>  think this identity is clearly out of scope for this document.
> 
> --Sam
> 
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext

v2.23.0 | Report a Bug | By Email