On Jul 30, 2021, at 10:31 PM, Jason Healy <jhealy@logn.net> wrote:
Newbie EAP-TLS question here; we've been using FreeRADIUS for a long time with PEAP-MSCHAPv2 and are trying to make the switch to pure certificate-based auth. Here's the warning I'm getting:
WARNING: Outer and inner identities are the same. User privacy is compromised.
You can ignore that for EAP-TLS.
I couldn't find much about this on the list archives (just one post with an unspecified EAP type and non-anonymous ids). I understand that this is a problem with tunneled EAP types (because the outer request isn't secure), but I wasn't sure about EAP-TLS; it doesn't really have an inner/outer, right?
Yes.
I have a test cert deployed (both real-world client and eapol_test) that is validating on FreeRADIUS. We're using "@suffieldacademy.org" as the anonymized user id, which I believe is the IETF recommendation (anonymous@suffieldacademy.org being the second choice).
In the FreeRADIUS config we are ignoring the user id and just relying on the certificate details to authorize the user. We are updating the User-Name attribute in the "check-eap-tls" virtual server, so the cert details are used in the User-Name that is reported back to the NAS. However, the warning is still there (before the virtual "check-eap-tls"), so that doesn't seem to be the way to quiet the message.
So my questions are:
1) Is this warning an issue for EAP-TLS, or is it a harmless side effect of my using an anonymous user id in the request?
It's a side effect of running the virtual server for certificates checks. Alan DeKok.