There is a lot of advice out there that email addresses are not identifiers. Even Internet2 has a document explaining why email is not an appropriate user identifier.
What does this mean for RADIUS, especially since RFC 7542 allows using email addresses as identifiers? Speaking as the author of RFC 7542, I think I can help you.
The short answer is that an email address at my organization is not a valid identifier at your organization. The reason is simple: my organization controls the mapping between the person (or people!) and the email address (or addresses!) that they use, and you don’t. Since you don’t control this mapping, you have no idea who is behind an email address.
As such, email addresses are best used for contacting users. But user identities at your site must be controlled by you. Any email address(es) or physical addresses for a user should be additional fields associated with the user identity. Other fields could be ones like login credentials, telephone number, billing information, rate plan, etc. That separation allows the user identity to remain constant while other information about the user changes.
Relationship to RFC 7542 Network Access Identifier (NAI)
If I agree that email addresses are not user identifiers, then why does RFC 7542 allow them to be used as identifiers?
The answer is that the NAI is defined for routing inside of an AAA system. That is, when a user logs into your site (e.g. a visited network as with eduroam), that identifier is used to route your login request to the home network. That home network knows who you are, and knows the association between the email address and the person. The home network then authenticates you (or not), and returns success / fail to the visited network.
This routing means that the user identity at my organization is never validated by your organization. Instead, the two organizations trust each other (via RADIUS proxying). My organization can vouch for my user at your organization, and the same goes in reverse. There is no need for your organization to know anything about the person behind the email address. The address is just used as a routing label, not a personal identifier!
GDPR and Privacy
Is it a good idea, then, to use an email address for network access, such as with eduroam?
No.
The network access identifier should contain domain routing information, such as @example.com. There is no need for it to contain user identifiers, such as bob@example.com. When the NAI contains identifying information for a particular user, then there are major impacts on user privacy, including General Data Protection Regulation (GDPR) issues.
That is, there is no need for the visited network (or any proxy) to identify a particular user. Even worse, when proxying is done via RADIUS/UDP, then pretty much anyone can see who is accessing the network, which networks they are accessing, what devices they are using to access the network, etc. We have written extensively on RADIUS insecurity, and we are working at the IETF to formally deprecate RADIUS/UDP.
We understand that some RADIUS servers (or one in particular) do not permit anonymous NAIs. We understand why people use that server, it’s simple, cheap, and it mostly works. But we cannot in all good conscience recommend this practice.
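To make the routing argument concrete, here is an added example (my own illustration for this article, not code from any RADIUS server or from RFC 7542 itself). It splits an NAI into its username and realm parts, routes a request purely on the realm, and then audits a few constructed proxy log lines to flag outer identities that carry a username across the proxy path. The realm table, host names and log lines are constructed placeholders, and the parser assumes the realm is everything after the last "@" (quoting and escaping rules from the RFC are deliberately not handled here).

```python
import re
from dataclasses import dataclass

# Added example, not the article's or any RADIUS server's code.
# Realm names, host names and log lines below are constructed samples.


@dataclass(frozen=True)
class NAI:
    username: str  # empty for an anonymous NAI such as "@example.com"
    realm: str     # empty when the NAI carries no "@realm" part


def parse_nai(nai: str) -> NAI:
    """Split an NAI into username and realm.

    Assumption for this example: the realm is everything after the last
    '@'. The quoting/escaping rules of RFC 7542 are not handled here.
    """
    if "@" not in nai:
        return NAI(username=nai, realm="")
    user, _, realm = nai.rpartition("@")
    return NAI(username=user, realm=realm.lower())


# Constructed routing table for a visited site: the realms it owns, and
# the home servers for the realms it is federated with (placeholder hosts).
LOCAL_REALMS = {"example.org"}
HOME_SERVERS = {
    "example.com": "radius.example.com",
    "example.net": "radius.example.net",
}


def route(nai: str) -> str:
    """Decide where an Access-Request carrying this NAI is sent.

    Only the realm is examined: the visited site never needs to know who
    the user is, just which home server can vouch for them.
    """
    parsed = parse_nai(nai)
    if not parsed.realm or parsed.realm in LOCAL_REALMS:
        return "local"
    if parsed.realm in HOME_SERVERS:
        return HOME_SERVERS[parsed.realm]
    return "reject"  # unknown realm: nobody can vouch for this user


def reveals_user(nai: str) -> bool:
    """True when the NAI seen by proxies carries a user-identifying part."""
    return parse_nai(nai).username != ""


# Hypothetical log format for the audit below: User-Name = "<nai>"
USER_NAME_RE = re.compile(r'User-Name\s*=\s*"([^"]*)"')


def audit_outer_identities(log_lines):
    """Return the outer identities in a proxy log that expose a username.

    A visited site or proxy can run this over its own request log to find
    clients whose outer identity leaks more than a routing realm.
    """
    exposed = []
    for line in log_lines:
        match = USER_NAME_RE.search(line)
        if match and reveals_user(match.group(1)):
            exposed.append(match.group(1))
    return exposed


# Constructed proxy log lines (not real traffic) for the audit.
SAMPLE_PROXY_LOG = [
    'Access-Request id=1 User-Name = "@example.com" NAS-Identifier = "visited-ap-1"',
    'Access-Request id=2 User-Name = "bob@example.net" NAS-Identifier = "visited-ap-1"',
    'Access-Request id=3 User-Name = "@example.net" NAS-Identifier = "visited-ap-2"',
]


if __name__ == "__main__":
    for nai in ("bob@example.com", "@example.com", "alice", "carol@unknown.example"):
        print(f"{nai:25} -> {route(nai)}  reveals user: {reveals_user(nai)}")
    print("exposed outer identities:", audit_outer_identities(SAMPLE_PROXY_LOG))
```

The point the example makes is that "bob@example.com" and "@example.com" route identically: the visited site and every proxy in between need only the realm to find the home server, and the home server (which already knows who its users are) is the only party that needs the real identity, which it can receive inside the authentication exchange rather than in the outer NAI. Running the audit over a proxy's own logs is a cheap check for clients that still send an identifying outer identity.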
Email addresses are not identifiers
In conclusion, email addresses are not primary user identifiers, and should never be used as such.
Need more help?
InkBridge Networks has been at the forefront of network security for over two decades, tackling complex challenges across various protocols and infrastructures. Our team of seasoned experts has encountered and solved nearly every conceivable network security issue. If you're looking for insights from the architects behind some of the internet's most foundational authentication systems, you can request a quote for network security solutions here.