Gregory Sloop <gregs@sloop.net> wrote:
I have a EAP-MSCAPv2 WPA-Enterprise setup working so that's good. I get warnings about "Outer and inner identities are the same," however.
This only affects user privacy, not the integrity or encryption of the session. Basically it lets a passive attacker map MAC addresses to usernames, nothing more. This can only be fixed on the client side, by specifying a different outer ID. For MS you enable "identity privacy" and type in a fake username like "anon" and it appends the @realm to that in the outer session. Other OSes let you set the whole outer identity. Good luck getting your users to care :-). (Unless you are popping the outer identity out of the inner tunnel in a weird way that causes it to be sent back over the wire. You may want to do this to let the NAS show you the real username, but it should be done on the final RADIUS packet which does not go over the air in PEAP, not on previous packets. If you are worried you might be doing this, configure a client with a different outer ID as described above and then sniff the EAP packets and search them for the inner username. It should not appear in plaintext.)