EAP-TTLS Anonymos Outer Identity
Hi All, If I'm not mistaken this is set on the client side, however, how would I make it so that the anonymous username is sent as the outer identity and the real username is then sent as the inner identity? The server is functioning fine as it is, the TTLS tunnel gets initiated and by the looks of it the username and password are tunnelled within the tunnel and authenticated by PAP/MD5. Kind regards, Connor
On 10/09/2024 12:28, Connor Herring wrote:
If I'm not mistaken this is set on the client side, however, how would I make it so that the anonymous username is sent as the outer identity and the real username is then sent as the inner identity? The server is functioning fine as it is, the TTLS tunnel gets initiated and by the looks of it the username and password are tunnelled within the tunnel and authenticated by PAP/MD5.
Supplicants generally have two boxes, one to enter "identity" and the other to enter "anonymous identity". Identity goes inside the tunnel (e.g. "user@realm"), anonymous identity (e.g. "@realm") goes in the outer. It's fully set by the client device, it can't be forced from the server. If there is no separate anonymous identity setting, then it can't be changed and both will be the same. -- Matthew
Hi Matthew, I had a hunch it may be client side so thank you for confirming. How would you make the server react in the correct way to that though? Or could you at least point me in the right direction? For example if I attempt on Windows I can set both of these things but whenever I actually attempt the authentication the server just states that the login was incorrect. Kind regards, Connor On Tue, Sep 10, 2024 at 12:32 PM Matthew Newton via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
On 10/09/2024 12:28, Connor Herring wrote:
If I'm not mistaken this is set on the client side, however, how would I make it so that the anonymous username is sent as the outer identity and the real username is then sent as the inner identity? The server is functioning fine as it is, the TTLS tunnel gets initiated and by the looks of it the username and password are tunnelled within the tunnel and authenticated by PAP/MD5.
Supplicants generally have two boxes, one to enter "identity" and the other to enter "anonymous identity". Identity goes inside the tunnel (e.g. "user@realm"), anonymous identity (e.g. "@realm") goes in the outer.
It's fully set by the client device, it can't be forced from the server. If there is no separate anonymous identity setting, then it can't be changed and both will be the same.
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Matthew, Please disregard this as PEBCAK! It seems that my anonymous identity had a realm in it that the server didn't like so I imagine my Authorise section isn't setup to handle it. Thank you though. Kind regards, Connor On Tue, Sep 10, 2024 at 12:39 PM Connor Herring <connorrjherring@gmail.com> wrote:
Hi Matthew,
I had a hunch it may be client side so thank you for confirming. How would you make the server react in the correct way to that though? Or could you at least point me in the right direction?
For example if I attempt on Windows I can set both of these things but whenever I actually attempt the authentication the server just states that the login was incorrect.
Kind regards,
Connor
On Tue, Sep 10, 2024 at 12:32 PM Matthew Newton via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
On 10/09/2024 12:28, Connor Herring wrote:
If I'm not mistaken this is set on the client side, however, how would I make it so that the anonymous username is sent as the outer identity and the real username is then sent as the inner identity? The server is functioning fine as it is, the TTLS tunnel gets initiated and by the looks of it the username and password are tunnelled within the tunnel and authenticated by PAP/MD5.
Supplicants generally have two boxes, one to enter "identity" and the other to enter "anonymous identity". Identity goes inside the tunnel (e.g. "user@realm"), anonymous identity (e.g. "@realm") goes in the outer.
It's fully set by the client device, it can't be forced from the server. If there is no separate anonymous identity setting, then it can't be changed and both will be the same.
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Connor Herring -
Matthew Newton