On Nov 14, 2018, at 1:34 PM, Jim Schaad <i...@augustcellars.com> wrote:
>> The only way to provide the real identity back to the NAS would be sending it
>> back as the IETF User-Name in the Access-Accept with the assumption that
>> the NAS would honor it.
>
> My first response to this would be - what happens as an attacker I supply one
> name in the outer and validate using a different (and correct) inner name.

  That happens all of the time. Users are inventive with methods of avoiding payment.

> This is going to make the administrator's life miserable since they are
> going to be looking at the wrong name and not have any ability to recognize
> that that is the problem.

  The better solution (and one implemented by most people) is to have the authentication server check for this situation, and reject authentications that have mismatched identities.

  For some discussion of this subject, see:

https://tools.ietf.org/html/rfc7542#section-4.2

  It would help for the Security Considerations section of the EAP-TLS 1.3 document to have additional discussion and clarifications of this topic. It should at least note that the inner and outer identities can be different, and reference Section 4.2 of RFC 7542.

  For an implementation of inner/outer identity checks, see:

https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/policy.d/filter#L111

  It's not perfect, but it seems to work well in practice.

  Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
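The server-side inner/outer identity check described above, as an added example that is neither the FreeRADIUS policy linked in the message nor code from anyone in this thread. It assumes, as site policy, the RFC 7542 Section 4.2 convention that an anonymous outer identity is "anonymous@realm" or "@realm", and treats a realm-less inner identity as local to the home server.

```python
"""Inner/outer EAP identity consistency check (added example, not FreeRADIUS code).

The authentication server sees both the cleartext outer identity (the one the
NAS logs) and the tunnelled inner identity it actually authenticated.  The
policy modelled here, an assumption about site rules, accepts an anonymous
outer identity whose realm matches the inner realm, and otherwise requires the
outer and inner identities to agree, so a mismatched pair is rejected.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class NAI:
    user: str
    realm: str  # lower-cased; empty when no realm was given


def parse_nai(identity: str) -> NAI:
    """Split an NAI (RFC 7542, user@realm) at its last '@'.

    Escaped '@' inside the user part is not handled; a missing '@' yields
    an empty realm, which this policy treats as the home server's own realm.
    """
    if "@" in identity:
        user, _, realm = identity.rpartition("@")
    else:
        user, realm = identity, ""
    return NAI(user=user, realm=realm.lower())


def is_anonymous(outer: NAI) -> bool:
    """'anonymous@realm' and '@realm' are the accepted privacy forms."""
    return outer.user in ("", "anonymous")


def identities_consistent(outer_identity: str, inner_identity: str) -> Tuple[bool, str]:
    """Return (accept, reason) for an outer/inner identity pair."""
    outer = parse_nai(outer_identity)
    inner = parse_nai(inner_identity)
    if not inner.user:
        return False, "inner identity has no user part"
    # Realms must agree whenever both are present; a realm-less inner name is local.
    if outer.realm and inner.realm and outer.realm != inner.realm:
        return False, f"realm mismatch: outer {outer.realm!r} vs inner {inner.realm!r}"
    if is_anonymous(outer):
        return True, "anonymous outer identity; use the inner identity for accounting"
    # A non-anonymous outer identity must be the same user the tunnel authenticated.
    if outer.user != inner.user:
        return False, f"user mismatch: outer {outer.user!r} vs inner {inner.user!r}"
    return True, "outer and inner identities match"
```

When the check passes with an anonymous outer identity, the server's log and accounting records should carry the inner identity rather than the outer one the NAS saw.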