Hello,
I'm currently trying to figure out what would happen if a AAA roaming
consortium (802.1X based, using EAP and RADIUS) were to use IDNs in its
NAIs, i.e. a user name like [EMAIL PROTECTED]
I was kindof expecting to see UTF-8 encoded User-Name attributes showing
up at the RADIUS server, since RFC2865 defines User-Name to be UTF-8.
I got an encoding of ü ::= 0xfc, which hinted that the supplicant was
not using UTF-8 but some locale (I expect it to be either ISO-8859-15 or
Windows-1252, not that this matters).
I was kindof expecting to witness a bug in the supplicant because it
should have encoded the EAP-Response/Identity as UTF-8.
Taking a look at RFC3748, I noticed the following text in 5.1 Identity:
This field MAY contain a displayable message in the Request,
containing UTF-8 encoded ISO 10646 characters [RFC2279]. Where
the Request contains a null, only the portion of the field prior
to the null is displayed. If the Identity is unknown, the
Identity Response field should be zero bytes in length. The
Identity Response field MUST NOT be null terminated. In all
cases, the length of the Type-Data field is derived from the
Length field of the Request/Response packet.
It struck me that according to this clause, the supplicant in principle
has the option of encoding the EAP-Response/Identity to its liking,
since this clause only defines displayable messages in
EAP-*Request*/Identity to be UTF-8 encoded.
What troubles me even more is that RADIUS (or Diameter, for that matter)
requires UTF-8 encoding in the User-Name attribute, and that 802.1X
authenticators are required to literally copy EAP-Identity into the
User-Name attribute, even if it is not necessarily UTF-8. That would
mark an incompatibility within IEEE 802.1X.
I seriously hope that I overlooked something, or that I have a language
problem and this UTF-8 half-sentence should span over more than the
displayable message in the Request, and would be happy if someone could
clear this up. If the issue stands, it is a bit uneasy... making the
encoding in the response undefined means that the auth traffic can look
different depending on OS, locale, ... . In any case, out of two
supplicants I tried, both did indeed *not* use UTF-8, so I wouldn't be
the only one confused. This makes adding IDN NAIs somewhat difficult.
Greetings,
Stefan Winter
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
