What does this mean for RADIUS, especially since RFC 7542 allows using email addresses as identifiers? Speaking as the author of RFC 7542, I think I can help you.
The short answer is that an email address at my organization is not a valid identifier at your organization. The reason is simple: my organization controls the mapping between the person (or people!) and the email address (or addresses!) that they use, and you don’t. Since you don’t control this mapping, you have no idea who is behind an email address.
As such, email addresses are best used for contacting users. But user identities at your site must be controlled by you. Any email address(es) or physical addresses for a user should be additional fields associated with the user identity. Other fields could be ones like login credentials, telephone number, billing information, rate plan, etc. That separation allows the user identity to remain constant while other information about the user changes.
Relationship to RFC 7542 Network Access Identifier (NAI)
If I agree that email addresses are not user identifiers, then why does RFC 7542 allow them to be used as identifiers?
The answer is that the NAI is defined for routing inside of an AAA system. That is, when a user logs into your site (e.g. a visited network as with eduroam), that identifier is used to route your login request to the home network. That home network knows who you are, and knows the association between the email address and the person. The home network then authenticates you (or not), and returns success / fail to the visited network.
This routing means that the user identity at my organization is never validated by your organization. Instead, the two organizations trust each other (via RADIUS proxying). My organization can vouch for my user at your organization, and the same goes in reverse. There is no need for your organization to know anything about the person behind the email address. The address is just used as a routing label, not a personal identifier!
GDPR and Privacy
Is it a good idea, then, to use an email address for network access, such as with eduroam?
The network access identifier should contain domain routing information, such as @example.com. There is no need for it to contain user identifiers, such as firstname.lastname@example.org. When the NAI contains identifying information for a particular user, then there are major impacts on user privacy, including General Data Protection Regulation (GDPR) issues.
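The following is an added example (not code from Network RADIUS or FreeRADIUS) that models the routing described above and the realm-only NAI recommended here. It splits an RFC 7542 NAI into username and realm, routes on the realm alone at a visited-network proxy, and leaves authentication to the home server that owns the user mapping. All realms, servers, user records and passwords are constructed sample data; the parent-realm fallback in the proxy and the case-insensitive realm comparison are design choices of this example, and the separate "inner" username stands in for the identity that deployed systems carry inside a tunnel the proxy cannot read.

```python
"""Realm-based routing of RFC 7542 Network Access Identifiers (NAIs).

Added example, not code from Network RADIUS or FreeRADIUS. Every realm,
server, user record and password below is constructed sample data.
"""
from typing import Dict, NamedTuple, Optional


class NAI(NamedTuple):
    username: str  # "" for a realm-only NAI such as "@example.com"
    realm: str     # "" for a purely local username with no "@"


def parse_nai(identifier: str) -> NAI:
    """Split an NAI into its username and realm parts.

    '@' is not a permitted username character in the RFC 7542 ABNF, so a
    well-formed NAI has at most one '@' and the split is unambiguous.
    A realm must be one or more non-empty dot-separated labels.
    """
    if identifier.count("@") > 1:
        raise ValueError(f"malformed NAI (more than one '@'): {identifier!r}")
    username, sep, realm = identifier.partition("@")
    if sep:
        if not realm or any(not label for label in realm.split(".")):
            raise ValueError(f"malformed NAI realm: {identifier!r}")
        # Design choice: realms are DNS-style names, so compare them
        # case-insensitively. The username is left untouched, because
        # only the home server knows how to interpret it.
        realm = realm.lower()
    return NAI(username, realm)


def is_anonymous(nai: NAI) -> bool:
    """True when the NAI carries no per-user information.

    RFC 7542 permits realm-only NAIs ("@example.com") and the
    conventional "anonymous@example.com" for username privacy.
    """
    return nai.username in ("", "anonymous")


class HomeServer:
    """The home realm's AAA server: the only party that owns the user mapping."""

    def __init__(self, realm: str, users: Dict[str, dict]):
        self.realm = realm
        # Keyed by the local user identity; the email address is just a field.
        self.users = users

    def authenticate(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        return record is not None and record["password"] == password


class Proxy:
    """A visited-network proxy: routes on the realm, never on the user."""

    def __init__(self, routes: Dict[str, HomeServer]):
        self.routes = {realm.lower(): server for realm, server in routes.items()}

    def route(self, nai: NAI) -> Optional[HomeServer]:
        # Exact realm first, then each parent realm (a design choice of this
        # example, mirroring suffix-style routing used by federations).
        labels = nai.realm.split(".") if nai.realm else []
        for i in range(len(labels)):
            server = self.routes.get(".".join(labels[i:]))
            if server is not None:
                return server
        return None


# Constructed sample deployment: one home realm, one visited-network proxy.
HOME_EXAMPLE = HomeServer("example.com", {
    "alice": {"password": "correct horse", "email": "alice.smith@example.com"},
})
VISITED_PROXY = Proxy({"example.com": HOME_EXAMPLE})


def visited_login(outer_identifier: str, inner_username: str, password: str) -> str:
    """What the visited network does with a login: route on the realm only.

    The outer identifier is all the proxy needs. The inner username and
    password are checked by the home server; here they are passed as
    separate arguments to stand in for an identity the proxy cannot read.
    """
    home = VISITED_PROXY.route(parse_nai(outer_identifier))
    if home is None:
        return "Access-Reject (unknown realm)"
    ok = home.authenticate(inner_username, password)
    return "Access-Accept" if ok else "Access-Reject"


if __name__ == "__main__":
    # A realm-only outer NAI routes exactly like a named one, but reveals nothing.
    for outer in ("@example.com", "alice@example.com"):
        nai = parse_nai(outer)
        print(outer, "-> realm", nai.realm, "| anonymous:", is_anonymous(nai),
              "|", visited_login(outer, "alice", "correct horse"))
```

Running the block shows that "@example.com" and "alice@example.com" reach the same home server and both yield Access-Accept; the difference is that the first tells the proxy (and anyone watching the proxy traffic) nothing about which user is logging in.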
That is, there is no need for the visited network (or any proxy) to identify a particular user. Even worse, when proxying is done via RADIUS/UDP, then pretty much anyone can see who is accessing the network, which networks they are accessing, what devices they are using to access the network, etc. We have written extensively on RADIUS insecurity, and we are working at the IETF to formally deprecate RADIUS/UDP.
We understand that some RADIUS servers (or one in particular) do not permit anonymous NAIs. We understand why people use that server, it’s simple, cheap, and it mostly works. But we cannot in all good conscience recommend this practice.
Email addresses are not identifiers
In conclusion, email addresses are not primary user identifiers, and should never be used as such.
Need more help?
Network RADIUS has been helping clients around the world design and deploy their RADIUS infrastructure for 20 years. We specialize in complex systems and have seen pretty much every variation and problem out there. If you want help from the people who wrote FreeRADIUS, visit our quote page to contact us for a consultation.