Is it possible to configure NPS to return the User-Name AVP in the Access-Accept to cope with anonymous outer identities?
Where 802.1X authentication is taking place and an anonymous outer identity has been used (meaning that it differs from the inner identity) with a TLS-based EAP, such as PEAP, it should be possible to return the inner identity used in the Access-Accept for the NAS to use so that it works with the 'real' identity.
Use of the User-Name AVP also provides the RADIUS server the ability to always return a user's identity normalised for the NAS to use. (For example, where domain\user is supplied by a user, the RADIUS server can always respond with user@fqdn.)
As increasing numbers of features are being implemented in switches and access points, such as L7 application visibility and control, it is imperative that such devices work with an accurate identity that cannot be spoofed and is consistent for a discrete user.
If this is not possible today, how would one go about making a design change request to Microsoft to accomplish this? Is this an oversight? Competing RADIUS servers such as FreeRADIUS and Radiator have this ability when configured.
For reference, this is RADIUS standard behaviour.
RFC 2865 states in Section 5.1:
[The User-Name AVP] MAY be sent in an Access-Accept packet, in which case the client SHOULD use the name returned in the Access-Accept packet in all Accounting-Request packets for this session.
RFC 3579 states in Section 3:
The User-Name attribute within the Access-Accept packet need not be the same as the User-Name attribute in the Access-Request.
Furthermore, where federated authentication has taken place, such as in eduroam, and a User-Name AVP has not been returned in the Access-Accept yet a Chargeable-User-Identity has after being requested, it should be possible to configure the RADIUS implementation to add a User-Name AVP set to cui@realm to the Access-Accept it sends on to the NAS so that it gets an identity that identifies the user with a constant identifier.
Is support for Chargeable-User-Identity (RFC 4372) ever planned for NPS?
See:
https://community.ja.net/library/janet-services-documentation/chargeable-user-identity-eduroam-freeradius-implementation
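The two behaviours the question asks for, as an added Python example that is not part of the post and is not NPS, FreeRADIUS or Radiator code: a minimal RADIUS attribute encoder/decoder, the proxy-side rule that synthesises User-Name from a returned Chargeable-User-Identity (attribute 89, RFC 4372) plus a realm, and the NAS-side rule from RFC 2865 section 5.1 for picking the identity used in accounting. The realm string and the sample CUI value are constructed assumptions.

```python
import struct

USER_NAME = 1                  # RFC 2865 attribute type
CHARGEABLE_USER_IDENTITY = 89  # RFC 4372 attribute type


def encode_avps(avps):
    """Encode (type, value-bytes) pairs as RADIUS attributes: 1-byte type, 1-byte total length, value."""
    out = bytearray()
    for t, v in avps:
        if not 0 < len(v) <= 253:
            raise ValueError("RADIUS attribute value must be 1..253 bytes")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return bytes(out)


def decode_avps(data):
    """Decode RADIUS attributes, rejecting truncated headers and impossible lengths."""
    avps, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("bad attribute length")
        avps.append((t, bytes(data[i + 2:i + length])))
        i += length
    return avps


def add_user_name_from_cui(accept_avps, realm):
    """Proxy-side policy from the post: if the Access-Accept has no User-Name but does carry a
    Chargeable-User-Identity, append User-Name = cui@realm. An existing User-Name is kept as-is,
    and a single NUL CUI (the 'please send CUI' request form) is not treated as an identity."""
    if any(t == USER_NAME for t, _ in accept_avps):
        return list(accept_avps)
    cui = next((v for t, v in accept_avps if t == CHARGEABLE_USER_IDENTITY), None)
    if cui is None or cui == b"\x00":
        return list(accept_avps)
    return list(accept_avps) + [(USER_NAME, cui + b"@" + realm.encode())]


def accounting_identity(request_user_name, accept_avps):
    """NAS-side rule (RFC 2865 s5.1): use the User-Name returned in the Access-Accept if present;
    otherwise the NAS is left with the (possibly anonymous) outer identity from the Access-Request."""
    for t, v in accept_avps:
        if t == USER_NAME:
            return v.decode()
    return request_user_name
```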