On Jul 23, 2025, at 7:50 PM, Alexander Clouter <[email protected]> wrote:
>> But to your point, yes, the home server should send a
>> Chargeable-User-Identity.
>
> For EAP-PPT this is not even possible as it would be completely decoupled
> from the user.

I would wave my hands vigorously, and say that's the problem of the IdP. If the roaming federation requires CUI (e.g. OpenRoaming), then it's up to the IdP to follow those requirements. So it would have to find some way to generate a CUI, and associate it with a user.

> For other EAP methods the IdP knows the user connecting so it is simply
> policy on how Chargeable-User-Identity is formed if at all.
>
> With EAP-PPT, the IdP has no idea who is connecting and has nothing to so
> cannot create this even if they wanted.

I suspect that's a solvable problem. The packets contain a static MAC address, for example.

Another one is for roaming federations to simply ban EAP-PPT, if that method is unable to satisfy their security / regulatory requirements.

Alan DeKok.

_______________________________________________
Emu mailing list -- [email protected]
To unsubscribe send an email to [email protected]
