When authenticating users via our FreeRADIUS service, I've got access to the EAP inner-tunnel User-Name attribute, so I can check that it's a valid format, e.g. <userid>@york.ac.uk, or block access for individual users. With the eduroam network, the correct way to configure your client machine is to have your "realm" as the outer User-Name (@york.ac.uk in our case) and use your real userid in the inner tunnel. The outer User-Name is therefore only "routing" information if you are at a remote site, so you don't need to have the user component bit before the "@".
While you should be able to use the Chargeable-User-Identity to disconnect offending users at remote sites, sometimes it's good to control access using the inner-tunnel User-Name.
Can't see any way of generating Roles or setting up enforcement policies based upon inner-tunnel User-Name attribute. Is this possible?
Rgds
A
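As an added example (not the poster's configuration and not FreeRADIUS code), here is a Python rendition of the two-level check the post describes: the outer User-Name is treated purely as routing information, so only its realm is inspected and any user part before the "@" is ignored; the inner-tunnel User-Name must be a well-formed <userid>@york.ac.uk and not on a per-user block list. The userid pattern, case-insensitive comparison and the block-list contents are assumptions made for the example; in FreeRADIUS itself the equivalent logic would be unlang in the inner-tunnel virtual server.

```python
import re
from typing import NamedTuple, Tuple

# Realm this RADIUS server is authoritative for (from the post).
HOME_REALM = "york.ac.uk"

# Assumed userid format for the example: a letter followed by 1-15
# lowercase letters or digits. Adjust to the real local naming scheme.
USERID_RE = re.compile(r"^[a-z][a-z0-9]{1,15}$")

# Constructed block list of inner-tunnel identities (example data only).
BLOCKED_USERS = {"abc123@york.ac.uk"}


class Decision(NamedTuple):
    accept: bool
    reason: str


def split_identity(name: str) -> Tuple[str, str]:
    """Split 'user@realm' into (user, realm), both lower-cased.

    The realm is '' when there is no '@' at all. Identities are compared
    case-insensitively here; that is an assumption of this example.
    """
    user, sep, realm = name.partition("@")
    return user.lower(), (realm.lower() if sep else "")


def check_outer(outer_user_name: str) -> Decision:
    """The outer identity only routes the request to the home realm.

    We require a realm we are responsible for and deliberately ignore any
    user component, so '@york.ac.uk' and 'anonymous@york.ac.uk' both pass.
    """
    _, realm = split_identity(outer_user_name)
    if not realm:
        return Decision(False, "outer User-Name carries no realm")
    if realm != HOME_REALM:
        return Decision(False, f"outer realm {realm!r} is not {HOME_REALM!r}")
    return Decision(True, "outer realm ok")


def check_inner(inner_user_name: str) -> Decision:
    """The inner-tunnel identity is the real user and is fully validated."""
    user, realm = split_identity(inner_user_name)
    if realm != HOME_REALM:
        return Decision(False, f"inner User-Name must be <userid>@{HOME_REALM}")
    if not USERID_RE.fullmatch(user):
        return Decision(False, f"malformed userid {user!r}")
    if f"{user}@{realm}" in BLOCKED_USERS:
        return Decision(False, f"user {user!r} is blocked")
    return Decision(True, "inner identity ok")


def evaluate(outer_user_name: str, inner_user_name: str) -> Decision:
    """Combined policy: route on the outer realm, authorise on the inner user."""
    outer = check_outer(outer_user_name)
    if not outer.accept:
        return outer
    return check_inner(inner_user_name)


if __name__ == "__main__":
    for outer, inner in [
        ("anonymous@york.ac.uk", "jb1234@york.ac.uk"),
        ("@york.ac.uk", "jb1234@york.ac.uk"),
        ("anonymous@york.ac.uk", "abc123@york.ac.uk"),
        ("anonymous@york.ac.uk", "jb1234"),
        ("anonymous@other.ac.uk", "jb1234@york.ac.uk"),
    ]:
        print(f"{outer:24} {inner:24} -> {evaluate(outer, inner)}")
```

The split between check_outer and check_inner mirrors the eduroam model the post describes: a remote site or proxy only ever sees the outer realm, so nothing user-specific should be decided from it, while the home server is the only party that can see (and should enforce on) the inner-tunnel identity.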