Feature request: Additional attributes for user profiles

Updated 5 months ago

I would like to do a feature request to add additional attributes for user profiles. At this moment you can only use RADIUS Attribute, client OS type, client MAC address, client location and schedule. In most cases RADIUS Attribute will do the trick, but I would like to request if you can add the fields username and realm. The username must be an "equal" field and realm should be a "contain" field, so that I can build specific user profiles with less dependency on the RADIUS server; it will give me more control and options.

Sven de Ridder

Posted 5 months ago

Nick Lowe, Official Rep

Hi Sven,

I like your thinking, but that could not work securely as a general feature due to EAP identity privacy, otherwise known as anonymous EAP outer identities.

Only the RADIUS server that terminates the EAP is privy to the real identity, the inner identity, when a client authenticates via 802.1X and a TLS-based EAP type.

The user portion of an identity can often be spoofed and a realm can, in protocol although not typically in practice, differ between the inner identity and the outer identity.

This therefore could easily give the impression of a useful feature, but it would be a security vulnerability in deployments where it allowed incorrect user profile and/or VLAN assignment to occur based on a client-supplied value that is unchecked and unauthenticated.

The RADIUS server therefore needs to instruct the AP what to do with user profile and VLAN assignment via attributes in the Access-Accept as it performs the authorisation.
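The contrast in this reply, as an added example that is not part of the original thread and not the vendor's code: a minimal RADIUS attribute encoder/decoder (attribute numbers and the tagged Tunnel-* layout follow RFC 2865, RFC 2868 and RFC 3580) with two policy functions. `naive_vlan_from_outer_identity` does what the feature request asks for, matching the realm of the `User-Name` the client put in its EAP outer identity; `vlan_from_access_accept` does what the reply recommends, taking the VLAN only from the `Tunnel-Type`/`Tunnel-Medium-Type`/`Tunnel-Private-Group-ID` triple the RADIUS server returns in the Access-Accept. The outer identity `anonymous@corp.example`, the realm table and the packets are constructed for the example.

```python
"""Why an AP must take user profile / VLAN from the Access-Accept, not from
the client-supplied EAP outer identity.  Added example (RFC 2865/2868/3580
attribute layouts); all identities, realms and packets are constructed."""
from typing import Dict, List, Optional, Tuple

USER_NAME = 1                    # RFC 2865
TUNNEL_TYPE = 64                 # RFC 2868, tagged integer
TUNNEL_MEDIUM_TYPE = 65          # RFC 2868, tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81     # RFC 2868, tagged string (the VLAN ID)
TUNNEL_TYPE_VLAN = 13            # RFC 3580
TUNNEL_MEDIUM_IEEE_802 = 6       # RFC 3580

Attr = Tuple[int, bytes]


def encode_attr(code: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type(1) | Length(1, includes header) | Value."""
    if not value or len(value) > 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([code, len(value) + 2]) + value


def decode_attrs(data: bytes) -> List[Attr]:
    """Parse a run of attribute TLVs, rejecting truncated or bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        code, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((code, data[i + 2:i + length]))
        i += length
    return attrs


def encode_tagged_int(tag: int, value: int) -> bytes:
    # Tagged integer: 1 tag octet (0x00..0x1F) + 3-octet big-endian value.
    return bytes([tag]) + value.to_bytes(3, "big")


def encode_tagged_string(tag: int, s: str) -> bytes:
    return bytes([tag]) + s.encode("ascii")


def build_outer_identity_request(outer_identity: str) -> bytes:
    """Only the User-Name attribute of an Access-Request; a real request
    also carries EAP-Message, Message-Authenticator, NAS-* and more.  The
    value is whatever the supplicant chose to send as its outer identity."""
    return encode_attr(USER_NAME, outer_identity.encode("utf-8"))


def build_vlan_access_accept(vlan_id: int, tag: int = 1) -> bytes:
    """The RFC 3580 VLAN triple the RADIUS server returns after authorising."""
    return (encode_attr(TUNNEL_TYPE, encode_tagged_int(tag, TUNNEL_TYPE_VLAN))
            + encode_attr(TUNNEL_MEDIUM_TYPE, encode_tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
            + encode_attr(TUNNEL_PRIVATE_GROUP_ID, encode_tagged_string(tag, str(vlan_id))))


# The requested feature: derive the profile from the client-supplied realm.
REALM_RULES: Dict[str, int] = {"corp.example": 10, "guest.example": 200}  # constructed


def naive_vlan_from_outer_identity(request_attrs: List[Attr]) -> Optional[int]:
    """Matches on the outer identity.  The realm here is unauthenticated:
    the AP never sees the inner identity the RADIUS server actually checked."""
    for code, val in request_attrs:
        if code == USER_NAME:
            realm = val.decode("utf-8", "replace").rpartition("@")[2]
            return REALM_RULES.get(realm)
    return None


def vlan_from_access_accept(accept_attrs: List[Attr]) -> Optional[int]:
    """VLAN the server authorised, or None.  Requires Tunnel-Type=VLAN and
    Tunnel-Medium-Type=IEEE-802 carrying the same tag as the group ID."""
    by_tag: Dict[int, Dict[int, object]] = {}
    for code, val in accept_attrs:
        if code == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is data, not a tag.
            tag, body = (val[0], val[1:]) if val and val[0] <= 0x1F else (0, val)
        elif code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(val) != 4:
                raise ValueError("tagged integer must be 4 octets")
            tag, body = val[0], int.from_bytes(val[1:], "big")
        else:
            continue
        by_tag.setdefault(tag, {})[code] = body
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            vid = int(bytes(group[TUNNEL_PRIVATE_GROUP_ID]).decode("ascii"))
            if 1 <= vid <= 4094:
                return vid
    return None


if __name__ == "__main__":
    # Client claims a corporate realm in its anonymous outer identity, but the
    # server, having seen the inner identity, authorises the guest VLAN.
    req = decode_attrs(build_outer_identity_request("anonymous@corp.example"))
    acc = decode_attrs(build_vlan_access_accept(200))
    print("outer-identity rule would pick VLAN:", naive_vlan_from_outer_identity(req))
    print("Access-Accept authorises VLAN:     ", vlan_from_access_accept(acc))
```

Running the demo shows the two policies disagree (10 versus 200) for the same session; only the second value comes from a party that actually authenticated the user, which is the reply's point. A parser that ignores the tag grouping or accepts an out-of-range VLAN ID would reintroduce a different class of bug, so the decoder checks both.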