List:       freeradius-users
Subject:    EAP module will no longer accept realmless identities by default
From:       Arran Cudbard-Bell <a.cudbardb () freeradius ! org>
Date:       2021-04-29 17:41:02
Message-ID: 36CA1959-A26D-4E78-B68A-7E09CA3F4270 () freeradius ! org


	#
	#  require_identity_realm:: Require the EAP Identity provided contains
	#  a realm.
	#
	#  If `require_identity_realm` is `nai`, the EAP identity provided must
	#  end with `@<label0>.<label1>[.<labelN>]`, i.e. an '@' followed by at least
	#  two DNS labels.
	#
	#  If `require_identity_realm` is `yes`, the EAP identity provided must
	#  either match the NAI format described above, or a `Stripped-User-Domain`
	#  attribute must be present in the request list.
	#  This validation mode is intended to be used where Windows machine
	#  authentication is intermixed with user authentication.
	#
	#  If `require_identity_realm` is `no`, no identity format checks are performed.
	#  It is NOT recommended to use this value.  Future security standards will
	#  key off the NAI realm to validate the certificate we (the EAP server) present.
	#  If you do not require an NAI realm be present in the EAP identity string,
	#  your users will not be able to take advantage of this added security when
	#  it is added by OS and device vendors.
	#
#	require_identity_realm = nai

A new configuration item has been added to the EAP module, which, by default
will prevent users from authenticating unless they provide an NAI style realm in the
EAP identity string, e.g. foo@example.org.

This will likely be backported to the v3.0.x branch, though the default value will
likely be "no" to avoid point release breakages.

-Arran

Arran Cudbard-Bell <a.cudbardb@freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
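
The three `require_identity_realm` modes described in the message above, as an added example for auditing which identities would be rejected before the setting is enabled. It is not part of the original message and is not FreeRADIUS code; the DNS label syntax, the function names and the sample requests are assumptions constructed for illustration.

```python
import re

# Assumption: a DNS label is 1-63 letters, digits or hyphens and does not
# start or end with a hyphen. The message only says "at least two DNS labels".
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# Identity must END with '@' followed by two or more dot-separated labels.
_NAI_REALM = re.compile(rf"@{_LABEL}(?:\.{_LABEL})+\Z")


def identity_allowed(identity, mode="nai", stripped_user_domain=None):
    """Return True if the EAP identity passes the check described for `mode`.

    `stripped_user_domain` stands in for the Stripped-User-Domain attribute
    in the request list (None means the attribute is absent).
    """
    if mode not in ("nai", "yes", "no"):
        raise ValueError(f"unknown require_identity_realm value: {mode!r}")
    if mode == "no":
        return True                      # no identity format checks at all
    if _NAI_REALM.search(identity):
        return True                      # NAI realm present: passes nai and yes
    # Only 'yes' accepts a realmless identity, and only when the
    # Stripped-User-Domain attribute is present in the request.
    return mode == "yes" and stripped_user_domain is not None


def would_reject(requests, mode):
    """List the identities from (identity, stripped_user_domain) pairs that fail."""
    return [ident for ident, domain in requests
            if not identity_allowed(ident, mode, domain)]


# Constructed sample requests, not taken from any real deployment.
SAMPLE = [
    ("foo@example.org", None),                           # NAI realm, two labels
    ("bob", None),                                       # realmless
    ("alice@localhost", None),                           # only one DNS label
    ("host/pc01.corp.example.org", "corp.example.org"),  # machine auth style
    ("carol@example.org.", None),                        # trailing dot, empty label
]

if __name__ == "__main__":
    for mode in ("nai", "yes", "no"):
        print(mode, "rejects:", would_reject(SAMPLE, mode))
```

Running the same check over identities taken from existing authentication logs shows which users would need to add a realm before the stricter value is enabled.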


