Channel: Network Access Protection forum

How do I return the normalised, inner identity of a user in the User-Name AVP of an Access-Accept?

Is it possible to configure NPS to return the normalised, inner identity of a client in the User-Name AVP of an Access-Accept to cope with anonymous outer identities?

Where 802.1X authentication takes place and an anonymous outer identity is used (meaning that it differs from the inner identity) with a TLS based EAP, such as PEAP, it should be possible to return the inner identity in the Access-Accept so that the NAS has the ability to work with the 'real' identity of the user. Can NPS do this? How would this be configured?

The User-Name AVP of an Access-Accept also provides a RADIUS server the ability to return a user's identity normalised. (For example, where domain\user is supplied by a user, the RADIUS server can always respond with user@fqdn.) Can NPS do this? How would this be configured?

Increasing numbers of features are being implemented in switches and access points, such as L7 application visibility and control, so it is a significant operational concern that such devices work with an accurate identity, one that cannot be spoofed with an anonymous outer identity and is consistent for a discrete user.

If this is not possible today, how would one go about making a design change request to Microsoft to accomplish this or talk to the development team? Is this an oversight? Competing RADIUS servers such as FreeRADIUS and Radiator have this ability when configured.

For reference, this is RADIUS standard behaviour.

RFC 2865 states in Section 5.1:

[The User-Name AVP] MAY be sent in an Access-Accept packet, in which case the client SHOULD use the name returned in the Access-Accept packet in all Accounting-Request packets for this session.

RFC 3579 states in Section 3:

The User-Name attribute within the Access-Accept packet need not be the same as the User-Name attribute in the Access-Request.

Furthermore, where federated authentication has taken place, such as in eduroam, and a User-Name AVP has not been returned in the Access-Accept yet a Chargeable-User-Identity has after being requested, it should be possible to configure the RADIUS implementation to add a User-Name AVP set to cui@realm to the Access-Accept it sends on to the NAS so that it gets an identity that identifies the user with a constant identifier.

Is support for Chargeable-User-Identity (RFC 4372) ever planned for NPS?

See:

https://community.ja.net/library/janet-services-documentation/chargeable-user-identity-eduroam-freeradius-implementation

Thanks!

Nick
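The two behaviours the post asks for, as an added illustration rather than anything NPS or the poster supplies: a minimal RADIUS attribute codec, identity normalisation (domain\user to user@fqdn), and the proxy-side rule that fills in User-Name from Chargeable-User-Identity when a federated home server returned none. The realm argument, the attribute lists and the sample CUI value are constructed for the example.

```python
ACCESS_ACCEPT = 2
USER_NAME = 1                  # RFC 2865 section 5.1
CHARGEABLE_USER_IDENTITY = 89  # RFC 4372

def decode_attrs(payload: bytes) -> list:
    """Parse the RADIUS attribute TLV list (Type, Length, Value) that follows the 20-byte header."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute length")
        attrs.append((t, payload[i + 2:i + length]))
        i += length
    return attrs

def encode_attrs(attrs) -> bytes:
    """Serialise (type, value) pairs back into RADIUS TLV form."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def normalise_identity(identity: str, realm: str) -> str:
    """Canonicalise DOMAIN\\user, bare user or user@realm to lower-case user@realm."""
    user = identity.split("\\", 1)[1] if "\\" in identity else identity
    if "@" not in user:
        user = f"{user}@{realm}"
    return user.lower()

def rewrite_accept(attrs, inner_identity, realm):
    """Return the Access-Accept attribute list the NAS should receive.

    - Local EAP termination: the inner identity is known, so it replaces any
      anonymous outer identity in User-Name, normalised to user@realm.
    - Federated case: no User-Name came back but a Chargeable-User-Identity did,
      so synthesise User-Name = cui@realm (realm taken from the outer identity).
    - Otherwise the attribute list is passed through unchanged.
    """
    others = [(t, v) for t, v in attrs if t != USER_NAME]
    if inner_identity is not None:
        return [(USER_NAME, normalise_identity(inner_identity, realm).encode())] + others
    has_user_name = any(t == USER_NAME for t, _ in attrs)
    cui = next((v for t, v in attrs if t == CHARGEABLE_USER_IDENTITY), None)
    if not has_user_name and cui is not None:
        return [(USER_NAME, cui + b"@" + realm.encode())] + others
    return list(attrs)
```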
