Revisiting June 4, 2017 thread, "WARNING: Outer and inner identities are the same."
Forgive me. I have the same issue as mentioned in the June 4, 2017 archived thread. It seems to me the issue is explained but not how to fix it. Question: Which file must be edited and in which manner to eliminate this warning about user privacy being compromised due to the same outer and inner identities? Details: 3.0.15 FreeRADIUS build, in a lab environment. My only edits are to add a user, add a client, and make fresh certificates. The NAS is an Aruba 7005 wireless controller. Authentication succeeds if I configure the client not to validate the certificate, but I see this in the freeradius -X output: (7) authenticate { (7) eap: Expiring EAP session with state 0xf00edcbdf607c57b (7) eap: Finished EAP session with state 0xf00edcbdf607c57b (7) eap: Previous EAP request found for state 0xf00edcbdf607c57b, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state WAITING FOR INNER IDENTITY (7) eap_peap: Identity - guest123 (7) eap_peap: Got inner identity 'guest123' (7) eap_peap: Setting default EAP type for tunneled EAP session (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x0209000d016775657374313233 (7) eap_peap: Setting User-Name to guest123 (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x0209000d016775657374313233 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "guest123" (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x0209000d016775657374313233 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "guest123" (7) WARNING: Outer and inner identities are the same. User privacy is compromised.
On Dec 20, 2017, at 2:18 PM, David Hendricks <dahendricks1@gmail.com> wrote:
Forgive me. I have the same issue as mentioned in the June 4, 2017 archived thread. It seems to me the issue is explained but not how to fix it.
Question: Which file must be edited and in which manner to eliminate this warning about user privacy being compromised due to the same outer and inner identities?
You don't. Both inner and outer identities are supplied by the user who is authenticating. You can't (or at least shouldn't) edit them on the server. The warning is there to indicate that the client MAY be misconfigured. The solution is to fix the client, or failing that, ignore the warning. Alan DeKok.
I see. I notice that a Samsung phone gives a login option for "Anonymous identity" that doesn't seem to be provided for a Microsoft client. So we need to get on Microsoft, right? On Wed, Dec 20, 2017 at 2:31 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 20, 2017, at 2:18 PM, David Hendricks <dahendricks1@gmail.com> wrote:
Forgive me. I have the same issue as mentioned in the June 4, 2017
archived
thread. It seems to me the issue is explained but not how to fix it.
Question: Which file must be edited and in which manner to eliminate this warning about user privacy being compromised due to the same outer and inner identities?
You don't.
Both inner and outer identities are supplied by the user who is authenticating. You can't (or at least shouldn't) edit them on the server.
The warning is there to indicate that the client MAY be misconfigured. The solution is to fix the client, or failing that, ignore the warning.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Dec 20, 2017, at 2:18 PM, David Hendricks <dahendricks1@gmail.com> wrote:
Forgive me. I have the same issue as mentioned in the June 4, 2017
archived
thread. It seems to me the issue is explained but not how to fix it.
Question: Which file must be edited and in which manner to eliminate this warning about user privacy being compromised due to the same outer and inner identities?
You don't.
Both inner and outer identities are supplied by the user who is authenticating. You can't (or at least shouldn't) edit them on the server.
The warning is there to indicate that the client MAY be misconfigured. The solution is to fix the client, or failing that, ignore the warning.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
MS clients can anonymize the username portion via the "Identity Privacy" checkbox. The problem is getting that and other critical settings onto the client in unmanaged settings. MS and Android really need to be pressured into allowing installation of Apple's mobileconfig files (and Apple into enhancing the mobileconfig a bit and restoring the UI for use cases where mobileconfigs won't work). Apple beat them to the punch, they should just admit it. But there's too much corporate pride in the way. They could all provide their own formats that don't rely on an onerously complicated business suite (AD GPO, or "G Suite" in Google's case) but I'm not holding my breath for that. Best case I can actually vidualize happening is that .11u eventually gets bells and whistles that solve all our problems, once all the WIFi devices that choke up on long beacons are cutting the bare feet of 6 year old Ghanan scrap harvesters. ________________________________________ From: Freeradius-Users <freeradius-users-bounces+bjulin=clarku.edu@lists.freeradius.org> on behalf of David Hendricks <dahendricks1@gmail.com> Sent: Wednesday, December 20, 2017 2:40 PM To: FreeRadius users mailing list Subject: Re: Revisiting June 4, 2017 thread, "WARNING: Outer and inner identities are the same." I see. I notice that a Samsung phone gives a login option for "Anonymous identity" that doesn't seem to be provided for a Microsoft client. So we need to get on Microsoft, right? On Wed, Dec 20, 2017 at 2:31 PM, Alan DeKok <aland@deployingradius.com> wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
There's an XML format that is being worked on to hopefully become an IETF standard with RFC etc. Just waiting for the players to all come to the table and agree :) alan On 20 Dec 2017 8:11 pm, "Brian Julin" <BJulin@clarku.edu> wrote: > > MS clients can anonymize the username portion via the "Identity Privacy" > checkbox. > > The problem is getting that and other critical settings onto the client in > unmanaged > settings. MS and Android really need to be pressured into allowing > installation of > Apple's mobileconfig files (and Apple into enhancing the mobileconfig a > bit and restoring > the UI for use cases where mobileconfigs won't work). Apple beat them to > the punch, > they should just admit it. > > But there's too much corporate pride in the way. They could all provide > their own > formats that don't rely on an onerously complicated business suite (AD > GPO, or "G Suite" > in Google's case) but I'm not holding my breath for that. > > Best case I can actually vidualize happening is that .11u eventually gets > bells and whistles > that solve all our problems, once all the WIFi devices that choke up on > long beacons > are cutting the bare feet of 6 year old Ghanan scrap harvesters. > > ________________________________________ > From: Freeradius-Users <freeradius-users-bounces+bjulin=clarku.edu@lists. > freeradius.org> on behalf of David Hendricks <dahendricks1@gmail.com> > Sent: Wednesday, December 20, 2017 2:40 PM > To: FreeRadius users mailing list > Subject: Re: Revisiting June 4, 2017 thread, "WARNING: Outer and inner > identities are the same." > > I see. I notice that a Samsung phone gives a login option for "Anonymous > identity" that doesn't seem to be provided for a Microsoft client. So we > need to get on Microsoft, right? > > On Wed, Dec 20, 2017 at 2:31 PM, Alan DeKok <aland@deployingradius.com> > wrote: > > > On Dec 20, 2017, at 2:18 PM, David Hendricks <dahendricks1@gmail.com> > > wrote: > > > > > > Forgive me. I have the same issue as mentioned in the June 4, 2017 > > archived > > > thread. It seems to me the issue is explained but not how to fix it. > > > > > > Question: Which file must be edited and in which manner to eliminate > this > > > warning about user privacy being compromised due to the same outer and > > > inner identities? > > > > You don't. > > > > Both inner and outer identities are supplied by the user who is > > authenticating. You can't (or at least shouldn't) edit them on the > server. > > > > The warning is there to indicate that the client MAY be misconfigured. > > The solution is to fix the client, or failing that, ignore the warning. > > > > Alan DeKok. > > > > > > - > > List info/subscribe/unsubscribe? See http://www.freeradius.org/ > > list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/ > list/users.html > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/ > list/users.html
participants (4)
-
Alan Buxey -
Alan DeKok -
Brian Julin -
David Hendricks