Question on anonymous identity
Hi, A question surfaced recently while I was reworking a configuration: By building 3.0 from source I saw that the upcoming 3.0.11 will be actively logging that anonymous identities should be used* to protect identities. I'm not with eduroam, but try to keep an eye on what participating institutions and others recommend. I see they generally tell users to set one (where possible). The profile data from cat.eduroam.org also contains one. We always recommended students to set an anonymous identity and profiles/config tools given to them would set it for them, but it wasn't actively enforced. If the device wasn't configured for sending an anonymous identity it would still let the device in, if inner-tunnel authentication and authorization requirements passed.** So, what is the current take: Would you / Do you (recommend) enforcing the use of an anonymous identity, resulting in Access-Reject? Do most enduser wireless devices finally support setting an anonymous identity these days? Thanks in advance Mathieu * https://github.com/FreeRADIUS/freeradius-server/commit/ec5cb167dd1de6d3c8e75...
On Jan 7, 2016, at 1:11 AM, Mathieu Simon (Lists) <matsimon.lists@simweb.ch> wrote:
By building 3.0 from source I saw that the upcoming 3.0.11 will be actively logging that anonymous identities should be used* to protect identities.
The server will print warning messages in debug mode. It won't log anything to the log files.
So, what is the current take: Would you / Do you (recommend) enforcing the use of an anonymous identity, resulting in Access-Reject?
I do not recommend *enforcing* the use of an anonymous outer identities... until such time as you can be sure it will have minimal impact. As the author of RFC 7542, I believe that all *new* users should use anonymous outer identities. There are good reasons for it, and there are few reasons for using non-anonymous outer identities.
Do most enduser wireless devices finally support setting an anonymous identity these days?
If they don't, they're broken. If you find one which doesn't support outer identities, send a message to the list with the vendor / product / etc. We will publicly shame them. In most cases, I have contacts at the vendor, and can bug them to fix it. If the vendor doesn't *default* to anonymous outer identities, please also tell the list. Alan DeKok.
Hi Alan Thanks for your answer, you convinced me that it's not yet the right time to enforce anonymous identities yet. :-) I tried to get my hands on some devices I don't own and did a quick check in the limited time to verify from what I remembered. Am 07.01.2016 um 15:23 schrieb Alan DeKok: [...]
If they don't, they're broken.
So far I haven't yet found a device that didn't have any means of setting an anonymous identity. (I remembered some crippled Android devices a couple of years ago) However on some platforms it's somewhere between difficult and nearly impossible without jumping through several loopholes. Apple iOS 9 still doesn't allow users to set all EAP options, only if configured through a .mobileconfig Windows Phone (8.1): It's so often-seen one, but it exists. Configuring an anonymous identity or CA/common names in the UI on a real Windows Phone I've had my hands on: Not available on the UI, same as with iOS. In contrast to Apple's way I haven't found a compareable documentation how a config file woud look like, but only how it can be provisioned via MS System Center products... (maybe I'm wrong here, so bare with me) [...]
If the vendor doesn't *default* to anonymous outer identities, please also tell the list.
In case of iOS (9.2) for example when it isn't explicitely configured via a .mobileconfig to use an anonymous identity I haven't seen the device not sending the user name in FreeRADIUS debug mode. If it is configured by a .mobileconfig I can see the configured anonymous identity first, then the user name in the inner-tunnel phase. Maybe iOS behaves differently if a realm is appended to the user name, this setup I checkd against verified AD samaccountname without a realm. i.e. eduroam mandates to append a realm from what I found. -- Mathieu
Hi,
Windows Phone (8.1): It's so often-seen one, but it exists. Configuring an anonymous identity or CA/common names in the UI on a real Windows Phone I've had my hands on: Not available on the UI, same as with iOS.
In contrast to Apple's way I haven't found a compareable documentation how a config file woud look like, but only how it can be provisioned via MS System Center products... (maybe I'm wrong here, so bare with me)
As much as I know, the config format is pretty much identical to the Windows Desktop versions: https://msdn.microsoft.com/en-us/library/windows/desktop/ms706965%28v=vs.85%... But the catch here is that the config file will only be *accepted* by the phone when the device is actually in MDM managed mode. I.e. "just" sending the config file to an unmanaged device will make it do nothing :-( That situation may have changed recently... I'd be very happy to be told I'm wrong :-) eduroam CAT and https://802.1x-config.org could be equipped with a matching module in no time... Greetings, Stefan Winter
[...]
If the vendor doesn't *default* to anonymous outer identities, please also tell the list.
In case of iOS (9.2) for example when it isn't explicitely configured via a .mobileconfig to use an anonymous identity I haven't seen the device not sending the user name in FreeRADIUS debug mode. If it is configured by a .mobileconfig I can see the configured anonymous identity first, then the user name in the inner-tunnel phase.
Maybe iOS behaves differently if a realm is appended to the user name, this setup I checkd against verified AD samaccountname without a realm. i.e. eduroam mandates to append a realm from what I found.
-- Mathieu
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hi, Am 11.01.2016 um 08:59 schrieb Stefan Winter:
As much as I know, the config format is pretty much identical to the Windows Desktop versions:
https://msdn.microsoft.com/en-us/library/windows/desktop/ms706965%28v=vs.85%...
Aha, ok at least some traces and technically not that bad (at least no new format invented)
But the catch here is that the config file will only be *accepted* by the phone when the device is actually in MDM managed mode. I.e. "just" sending the config file to an unmanaged device will make it do nothing :-(
Ouch, that's really unfortunate and the end result is what I found: Use an MS configuration suite or MDM solution like Intune or the mentioned System Center Config Manager or you can't set these options.
That situation may have changed recently... I'd be very happy to be told I'm wrong :-) eduroam CAT and https://802.1x-config.org could be equipped with a matching module in no time...
I haven't yet had my hands on a WP 10 device recently. Can't tell unfortunately. -- Mathieu
participants (3)
-
Alan DeKok -
Mathieu Simon (Lists) -
Stefan Winter