EAP-TLS, anonymous user ids, "WARNING: Outer and inner identities are the same"
Alan DeKok
aland at deployingradius.com
Sat Jul 31 14:03:09 CEST 2021
On Jul 30, 2021, at 10:31 PM, Jason Healy <jhealy at logn.net> wrote:
>
> Newbie EAP-TLS question here; we've been using FreeRADIUS for a long time with PEAP-MSCHAPv2 and are trying to make the switch to pure certificate-based auth. Here's the warning I'm getting:
>
> WARNING: Outer and inner identities are the same. User privacy is compromised.
You can ignore that for EAP-TLS.
> I couldn't find much about this on the list archives (just one post with an unspecified EAP type and non-anonymous ids). I understand that this is a problem with tunneled EAP types (because the outer request isn't secure), but I wasn't sure about EAP-TLS; it doesn't really have an inner/outer, right?
Yes.
> I have a test cert deployed (both real-world client and eapol_test) that is validating on FreeRADIUS. We're using "@suffieldacademy.org" as the anonymized user id, which I believe is the IETF recommendation (anonymous@suffieldacademy.org being the second choice).
>
> In the FreeRADIUS config we are ignoring the user id and just relying on the certificate details to authorize the user. We are updating the User-Name attribute in the "check-eap-tls" virtual server, so the cert details are used in the User-Name that is reported back to the NAS. However, the warning is still there (before the virtual "check-eap-tls"), so that doesn't seem to be the way to quiet the message.
>
> So my questions are:
>
> 1) Is this warning an issue for EAP-TLS, or is it a harmless side effect of my using an anonymous user id in the request?
It's a side effect of running the virtual server for certificate checks.
Alan DeKok.
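As an added illustration, not code from this thread or from the FreeRADIUS project, here is a FreeRADIUS 3.x `check-eap-tls` virtual server of the kind the question describes: the anonymous outer identity is ignored, the validated client certificate is checked against the site's own domain, and User-Name is rewritten from the certificate. It assumes the `eap` module's TLS configuration points at this server with `virtual_server = check-eap-tls`, and the domain value is the one from the question.

```unlang
# Assumed wiring: mods-available/eap, tls-config section, virtual_server = check-eap-tls
server check-eap-tls {
    authorize {
        # The outer User-Name ("@suffieldacademy.org") carries no user information.
        # Everything needed to authorize is in the validated client certificate,
        # which FreeRADIUS exposes as TLS-Client-Cert-* attributes.
        if (!&TLS-Client-Cert-Common-Name) {
            reject
        }

        # Only accept certificates whose subjectAltName email belongs to our domain
        # (domain taken from the question; adjust for your own deployment).
        if (&TLS-Client-Cert-Subject-Alt-Name-Email !~ /@suffieldacademy\.org$/) {
            reject
        }

        # Replace the anonymous identity with the certificate's email so that
        # logs and accounting identify the real user rather than "@suffieldacademy.org".
        update request {
            &User-Name := &TLS-Client-Cert-Subject-Alt-Name-Email
        }
        ok
    }
}
```

Rejecting here fails the TLS handshake, so a certificate that validates cryptographically but is not issued for your domain never reaches the Access-Accept stage.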