Question on anonymous identity

Mathieu Simon (Lists) matsimon.lists at simweb.ch
Mon Jan 11 08:17:28 CET 2016


Hi Alan

Thanks for your answer, you convinced me that it's not yet the right
time to enforce anonymous identities. :-)

I tried to get my hands on some devices I don't own and did a quick
check in the limited time to verify from what I remembered.

On 07.01.2016 at 15:23, Alan DeKok wrote:
[...]
>   If they don't, they're broken.

So far I haven't yet found a device that didn't have any means of
setting an anonymous identity. (I remembered some crippled Android
devices a couple of years ago) However on some platforms it's somewhere
between difficult and nearly impossible without jumping through several
loopholes.

Apple iOS 9 still doesn't allow users to set all EAP options, only if
configured through a .mobileconfig.

Windows Phone (8.1): It's so often-seen one, but it exists. Configuring
an anonymous identity or CA/common names in the UI on a real Windows
Phone I've had my hands on: Not available on the UI, same as with iOS.

In contrast to Apple's way I haven't found comparable documentation
of how a config file would look, but only how it can be provisioned via
MS System Center products... (maybe I'm wrong here, so bear with me)

[...]
>  If the vendor doesn't *default* to anonymous outer identities, please also tell the list.

In case of iOS (9.2) for example when it isn't explicitly configured
via a .mobileconfig to use an anonymous identity I haven't seen the
device not sending the user name in FreeRADIUS debug mode. If it is
configured by a .mobileconfig I can see the configured anonymous
identity first, then the user name in the inner-tunnel phase.

Maybe iOS behaves differently if a realm is appended to the user name,
this setup I checked against verified AD samaccountname without a realm.
i.e. eduroam mandates to append a realm from what I found.

-- Mathieu
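
The manual check described in this message (compare the outer identity with the user name seen in the inner-tunnel phase) written as a small script. This is an added example, not part of the original post or of FreeRADIUS; the function names, device labels and sample identities are constructed, and it assumes the outer and inner User-Name values were already collected per session.

```python
from typing import NamedTuple, Optional


class NAI(NamedTuple):
    user: str              # part before the last '@' (may be empty)
    realm: Optional[str]   # None when no realm was appended


def parse_nai(identity: str) -> NAI:
    """Split an identity into user and realm on the last '@'."""
    identity = identity.strip()
    user, sep, realm = identity.rpartition("@")
    if not sep:                       # no '@' at all: bare user name
        return NAI(identity, None)
    return NAI(user, realm.lower() or None)


def classify_outer(outer: str, inner: str) -> str:
    """Return 'anonymous', 'leaks-username' or 'pseudonym' for one session."""
    o, i = parse_nai(outer), parse_nai(inner)
    # An empty user part ("@realm") or the literal "anonymous" reveals nothing.
    if o.user == "" or o.user.lower() == "anonymous":
        return "anonymous"
    # Assumption: user names compare case-insensitively (as with AD sAMAccountName).
    if o.user.lower() == i.user.lower():
        return "leaks-username"       # user name visible outside the tunnel
    return "pseudonym"                # differs from inner, but not a known anonymous form


def audit(sessions):
    """Map device -> (classification, outer identity carries a realm)."""
    return {dev: (classify_outer(outer, inner), parse_nai(outer).realm is not None)
            for dev, outer, inner in sessions}


# Constructed sample data: (device label, outer User-Name, inner User-Name)
SESSIONS = [
    ("device-a", "anonymous@example.org", "alice@example.org"),
    ("device-b", "bob", "bob"),                       # no realm, no anonymous identity
    ("device-c", "@example.org", "carol@example.org"),
    ("device-d", "x7f3@example.org", "dave@example.org"),
    ("device-e", "Erin@example.org", "erin"),         # realm only on the outer identity
]

if __name__ == "__main__":
    for dev, (verdict, has_realm) in audit(SESSIONS).items():
        print(f"{dev}: {verdict}, realm on outer identity: {has_realm}")
```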


