Chargeable-User-Identity in eduroam. The problem. Current eduroam setup provides per-realm granularity The consequences if a guest misbehaves the SP can only black-list the entire realm
Chargeable-User-Identity in eduroam
An Image/Link below is provided (as is) to download presentation
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Current eduroam setup provides per-realm granularity
if a guest misbehaves the SP can only black-listthe entire realm
if someone uses theguest access to set up a full-time Internet link the SP may become suspicious about the eduroam idea and may want to turn on some quota system to defend against that kind of overuse (this may be a local-level problem but we might provide a universal solution)
in case of incidents locating the correct entries in the logs may be complicated by the fact that the SP logs will just show anonymous user
Possible solution: Chargeable-User-Identity (CUI) attribute
defined in RFC 4372 (pointed out by Jochem van Dieten)
meant to carry a value which is unique to a user (perhaps only for some period of time)
CUI in action
request – send the CUI attribute with a NUL value
reply – send the user identifier in the CUI
the NAS accounting should be based on CUI rather the User-Name (probably currently not implemented by anybody)
Tests and implementation
CUI request implemented in FreeRadius v. 2
CUI response implemented in FreeRadius v. 1 and 2 (runs in production service in Toruń) – currently a fixed value per user is returned
CUI proxying tested for FreeRadius v. 1 and 2, Radiator, RadSec proxy
testing tool – a patch to eapol_test from wpa_supplicant 0.6.2 capable of sending goth NUL and non-NUL CUI and displaying the response
So now what....
We are happy to provide all information on server setup, eapol_test patch etc.