Jason Wittlin-Cohen wrote:
When authenticating via PEAP or TTLS with an anonymous identity, the log shows both the anonymous identity and the real identity tunneled through the TLS tunnel. However, when TLS session resumption (caching) is enabled, only the anonymous identity is logged. This is presumably due to the fact that the user is not actually sending the real ID and password through the tunnel; rather the saved session is being used. However, being that the tunneled username is still available, and obtained from the cache, it should be available to log. Is this the intended behavior?
The server hasn't been updated to log the cached user name.
It would seem that logging authentication attempts would be more useful if the real username was provided in addition to the anonymous identity.
Yes. As always, patches are welcome. Alan DeKok.