Stefan Winter wrote:
The thing about anonymous outer identity is that it doesn't matter what you put in there. If your real name is "iamcool" and your password is "evencooler" you can happily send "foobar" as Identity. Authentication will only depend on what's inside the tunneled PAP request. Most supplicants allow to specify the outer identity to your liking. That said, there is one exception: if you are using roaming, the realm part of the username must be the correct one, otherwise the request can't be routed to the correct server.
"Most supplicants". So there's a chance that a supplicant might not do so? Is the Identity in the EAP-Message in the first packet always the same as the User-name i see in all packets? I'm searching through my dell wireless wlan card utility and i'm pretty sure i can't hide it. Are dell breaking any rfcs or other standards that i can take them up on? This is quite worrying for me as it seems to make the setup quite insecure instead of making it more secure as i had originally hoped. Perhaps a shared key and a captive portal would provide better security. I understand the weakness, but i dont see that it would be weaker than a shared key alone and has the advantage of not allowing the username to be read by any arbitrary person. Thanks for the further explanation of the RADIUS protocol - i think i will take your advice about the configuration files and leave well enough alone:) John