WARNING: Outer and inner identities are the same. User privacy is compromised.
I have a clean Freeradius install v. 3.0.14, and so far just made a few config modifications and generated new certificates. My test user is added to users (.../raddb/users). My task is to set up WPA enterprise. I'm testing with my iPhone, and it seems to work fine. But in the 'log' (radiusd -X output) the following message appears: (35) Virtual server inner-tunnel received request (35) EAP-Message = 0x027000061a03 (35) FreeRADIUS-Proxied-To = 127.0.0.1 (35) User-Name = "byod" (35) State = 0x9197e30a90e7f90d1e18c9ac6236626c (35) WARNING: Outer and inner identities are the same. User privacy is compromised. (35) server inner-tunnel { (35) session-state: No cached attributes (35) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (35) authorize { (35) policy filter_username { (35) This seems kind of bad, any ideas?
On Jun 4, 2017, at 7:46 AM, Håvard Steen <haavardsteen@gmail.com> wrote:
I have a clean Freeradius install v. 3.0.14, and so far just made a few config modifications and generated new certificates. My test user is added to users (.../raddb/users).
My task is to set up WPA enterprise. I'm testing with my iPhone, and it seems to work fine. But in the 'log' (radiusd -X output) the following message appears: ...
This seems kind of bad, any ideas?
It's WARMING. In general, the outer identity is set to "anonymous". Alan DeKok.
On 4 June 2017 12:46:59 BST, "Håvard Steen" <haavardsteen@gmail.com> wrote:
I have a clean Freeradius install v. 3.0.14, and so far just made a few config modifications and generated new certificates. My test user is added to users (.../raddb/users).
My task is to set up WPA enterprise. I'm testing with my iPhone, and it seems to work fine. But in the 'log' (radiusd -X output) the following
message appears:
(35) Virtual server inner-tunnel received request (35) EAP-Message = 0x027000061a03 (35) FreeRADIUS-Proxied-To = 127.0.0.1 (35) User-Name = "byod" (35) State = 0x9197e30a90e7f90d1e18c9ac6236626c (35) WARNING: Outer and inner identities are the same. User privacy is
compromised. (35) server inner-tunnel { (35) session-state: No cached attributes (35) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (35) authorize { (35) policy filter_username { (35)
This seems kind of bad, any ideas?
It's a warning to tell you that you are using the real identity for the anonymous identity, so your usernames are easy to find out, e.g. when proxying or by sniffing the network. -- Matthew
its a warning that you might be interested in - as it says '"WARNING: Outer and inner identities are the same. User privacy is compromised." - so, if the outer, readable by others on the transit, identity is the same as the inner (securely tunnelled attribute), then since the inner ID *is* the ID for authentication, then the outer ID contains that same value and thus others will know the real userID of the user. now, you may not care about privacy/anonymity of the user at remote locations...if you do then you should care about this warning and ensure that the outer ID is eg just @realm rather than userid@realm - or, second best anonymous@realm for the outerID alan On 4 June 2017 at 12:46, Håvard Steen <haavardsteen@gmail.com> wrote:
I have a clean Freeradius install v. 3.0.14, and so far just made a few config modifications and generated new certificates. My test user is added to users (.../raddb/users).
My task is to set up WPA enterprise. I'm testing with my iPhone, and it seems to work fine. But in the 'log' (radiusd -X output) the following message appears:
(35) Virtual server inner-tunnel received request (35) EAP-Message = 0x027000061a03 (35) FreeRADIUS-Proxied-To = 127.0.0.1 (35) User-Name = "byod" (35) State = 0x9197e30a90e7f90d1e18c9ac6236626c (35) WARNING: Outer and inner identities are the same. User privacy is compromised. (35) server inner-tunnel { (35) session-state: No cached attributes (35) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (35) authorize { (35) policy filter_username { (35)
This seems kind of bad, any ideas? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan Buxey -
Alan DeKok -
Håvard Steen -
Matthew Newton