On Nov 14, 2018, at 9:48 AM, Cappalli, Tim (Aruba Security) <t...@hpe.com> wrote: > > The question was asked about making it anonymous NAI mandatory in the > Identity Response. That is what my comments were targeted to.
OK. For me, I would be fine with making the anonymous NAI mandatory. I just don't see any end-user benefit to exposing their identities. And there are benefits to privacy. > In terms of infrastructure, logging into a wireless controller, switch or NMS > and seeing hundreds of "anonym...@enterprise.co" makes an administrator's > life miserable. Most folks in a large enterprise responsible for > troubleshooting end user access do not have access to the EAP server. If I were hard-nosed, I would say that's an internal management issue, and not a standards issue. But I get your point, and there are ways to address this (see below). > The only way to provide the real identity back to the NAS would be sending it > back as the IETF User-Name in the Access-Accept with the assumption that the > NAS would honor it. All NASes that I'm aware of support this. i.e. where the User-Name in Access-Accept is *not* the same as the one in the Access-Request. This question came up recently on RADEXT. The thread is here: https://www.ietf.org/mail-archive/web/radext/current/msg10079.html In short, it is possible (and is widely used) to return the *inner* EAP-TLS identity in the *outer* RADIUS Access-Accept. That breaks user anonymity, but it definitely works. My $0.02 is that we *should* mandate anonymous outer identities. Enterprises which are OK with breaking user privacy can return a different User-Name in the Access-Accept. Other systems can use another method to track user identities across a session. In a related note, RFC 4372 defines a "Chargable-User-Identity" which is intended to be used as an anonymized user identity in roaming situations. In practice, it's only really supported in WiMAX and in some 3G situations. Most enterprise equipment does not support it, which makes it inapplicable here. Never the less, something similar could be done with User-Name in the Access-Accept. And, it should be supported by all enterprise equipment. It may be useful to discuss these topics in a "best practices" document for EAP and user anonymity. If the WG thinks it's useful, I could write it. Alan DeKok. _______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
