Some authentication methods such as PEAP, EAP-TTLS, EAP-SIM and EAP-AKA can hide a user’s true identity from servers outside of the user’s home network. In these cases the User-Name AVP has an anonymous or generic value which is sufficient for routing requests to the appropriate home network but insufficient for identifying the individual user. There are valid reasons for protecting a user’s identity in roaming applications. But access and intermediate networks also have a need to distinguish roaming users and groups of users in order to fulfill business requirements such as billing reconciliation and simultaneous session control. The Chargeable User Identity (CUI) AVP defined in RFC 4372 provides a user alias for a period of time.
The CUI AVP is a string type attribute. A RADIUS client can request a CUI from the home network’s RADIUS server by including a CUI AVP whose value is a single NUL character. This is often referred to as a NUL CUI. The string value of the CUI AVP returned in the Access-Accept by the home server represents the chargeable identity of the user or perhaps a group to which the user belongs. Thereafter, the RADIUS client includes the CUI AVP in all of its Accounting-Requests. The format of the CUI string is implementation dependent. The RAD-Series RADIUS Server is very flexible in how the CUI gets formatted.
- The CUI AVP can be configured as a fixed attribute in the user’s profile
- The CUI AVP can be generated and inserted as part of an advanced policy
- The CUI AVP can be generated in a proprietary format in an SDK developed plug-in module
- The CUI AVP can be generated by the RAD-Series Server by encrypting the user’s true Network Access Identifier (NAI)
Unless the CUI AVP needs to be parsed by an accounting server, option 4 (a CUI derived by encrypting the user's NAI) can be used in most applications.
The RAD-Series Server will generate a CUI AVP and insert it in the Access-Accept if
- The RAD-Series Server is acting as the home server
- A NUL CUI AVP is present in the Access-Request
- A non-NUL AVP has not already been added from the user profile, an advanced policy, an SDK developed plug-in or some other source
The generated CUI is a one-way hash of the user's NAI. It changes weekly and whenever the (optionally configurable) encryption key changes. This makes each CUI temporary, as recommended in RFC 4372.
If a CUI is not requested then any CUI provided by a user profile, advanced policy or SDK plug-in will NOT be returned in the Access-Accept.
If a non-NUL CUI is present in the Access-Request then that CUI will be returned in the Access-Accept.
The RAD-Series Server acting as a proxy server will forward CUI AVPs in Access-Requests.
The RAD-Series Server removes any NUL CUI AVP from Access-Accepts regardless of whether it is acting as a proxy server or a home server.
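The CUI handling rules above, written out as an added Python example (not code from the RAD-Series product or from this page). The weekly HMAC-SHA256 value is an assumption standing in for the server's undocumented hash format, and the AVP dictionaries are constructed stand-ins for decoded RADIUS packets.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# RFC 4372 defines the attribute; a single NUL byte is the "NUL CUI" request.
CUI_ATTR = "Chargeable-User-Identity"
NUL_CUI = b"\x00"
WEEK_SECONDS = 7 * 86400


def weekly_cui(nai: str, key: bytes, now: Optional[float] = None) -> bytes:
    """Temporary CUI: keyed one-way hash over the NAI plus the week number.

    Assumed construction: same NAI and key give the same value within a
    calendar week; a new week or a new key yields a different alias.
    """
    week = int((time.time() if now is None else now) // WEEK_SECONDS)
    mac = hmac.new(key, f"{week}:{nai}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32].encode()


def cui_for_accept(request_cui: Optional[bytes], profile_cui: Optional[bytes],
                   is_home: bool, nai: str, key: bytes,
                   now: Optional[float] = None) -> Optional[bytes]:
    """Decide which CUI (if any) the home/proxy server puts in the Access-Accept."""
    if request_cui is None:
        # Not requested: profile/policy/plug-in CUIs are NOT returned.
        return None
    if request_cui != NUL_CUI:
        # Non-NUL CUI in the request is echoed back unchanged.
        return request_cui
    if profile_cui is not None:
        # A non-NUL CUI already supplied by profile, policy or plug-in wins.
        return profile_cui
    if is_home:
        # Home server with a NUL request and nothing else: generate one.
        return weekly_cui(nai, key, now)
    # Proxy: forward the NUL request upstream; nothing is generated locally.
    return None


def strip_nul_cui(accept_avps: Dict[str, bytes]) -> Dict[str, bytes]:
    """Remove a NUL CUI from an Access-Accept (proxy or home server alike)."""
    return {k: v for k, v in accept_avps.items()
            if not (k == CUI_ATTR and v == NUL_CUI)}
```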
Chargeable User Identity support was implemented in RAD-Series Version 8.1.0 and updated in RAD-Series Version 8.2.0. RAD-Series Version 8.2.0 or later is recommended for applications using CUI.