chargeable user identity in eduroam l.
Skip this Video
Download Presentation
Chargeable-User-Identity in eduroam

Loading in 2 Seconds...

play fullscreen
1 / 5

Chargeable-User-Identity in eduroam - PowerPoint PPT Presentation

  • Uploaded on

Chargeable-User-Identity in eduroam. The problem. Current eduroam setup provides per-realm granularity The consequences if a guest misbehaves the SP can only black-list the entire realm

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Chargeable-User-Identity in eduroam' - vonda

Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
the problem
The problem
  • Current eduroam setup provides per-realm granularity
  • The consequences
    • if a guest misbehaves the SP can only black-listthe entire realm
    • if someone uses theguest access to set up a full-time Internet link the SP may become suspicious about the eduroam idea and may want to turn on some quota system to defend against that kind of overuse (this may be a local-level problem but we might provide a universal solution)
    • in case of incidents locating the correct entries in the logs may be complicated by the fact that the SP logs will just show anonymous user
possible solution chargeable user identity cui attribute
Possible solution: Chargeable-User-Identity (CUI) attribute
  • defined in RFC 4372 (pointed out by Jochem van Dieten)
  • meant to carry a value which is unique to a user (perhaps only for some period of time)
  • CUI in action
    • request – send the CUI attribute with a NUL value
    • reply – send the user identifier in the CUI
    • the NAS accounting should be based on CUI rather the User-Name (probably currently not implemented by anybody)
tests and implementation
Tests and implementation
  • CUI request implemented in FreeRadius v. 2
  • CUI response implemented in FreeRadius v. 1 and 2 (runs in production service in Toruń) – currently a fixed value per user is returned
  • CUI proxying tested for FreeRadius v. 1 and 2, Radiator, RadSec proxy
  • testing tool – a patch to eapol_test from wpa_supplicant 0.6.2 capable of sending goth NUL and non-NUL CUI and displaying the response
so now what
So now what....
  • We are happy to provide all information on server setup, eapol_test patch etc.
  • Questions, issues
    • Test pilot (volunteers)?
    • How permanent should the CUI be?
    • Recommendation for SA5 participants?
    • Add a subchapter to Roaming CookBook?